[apparmor] Need assistance with DENIED userns_create for non-root podman inside an Incus container
Kees Bakker
kees at ijzerbout.nl
Sat Jan 24 15:37:34 UTC 2026
Hi,
My setup is an Ubuntu24 with an Incus server (6.20).
One Incus container runs Fedora 43 where I want to run non-root podman.
Inside the container:
[root@f43 ~]# sudo -u fedora -i
[fedora@f43 ~]$ podman run -t -i hello-world
cannot clone: Permission denied
Error: cannot re-exec process
On the Ubuntu24 host I see this in journalctl:
jan 24 16:33:41 rapper kernel: audit: type=1400
audit(1769268821.264:1554): apparmor="DENIED" operation="userns_create"
class="namespace" info="Userns create restricted - failed to find
unprivileged_userns profile" error=-13
namespace="root//incus-f43_<var-lib-incus>" profile="unconfined"
pid=2332667 comm="podman" requested="userns_create"
denied="userns_create" target="unprivileged_userns"
My question: what do I have to do on the Ubuntu24 server to allow
running non-root podman?
Any help or suggestion is greatly appreciated.
--
Kees
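
The audit record quoted in the post, parsed field by field (an added example, not part of the original message or of AppArmor). The function names parse_apparmor and userns_denial are hypothetical; the record is the one from the post with the mail line-wraps removed.

```python
import re

# Audit record copied from the post above, with the mail line-wraps removed.
RECORD = (
    'jan 24 16:33:41 rapper kernel: audit: type=1400 '
    'audit(1769268821.264:1554): apparmor="DENIED" operation="userns_create" '
    'class="namespace" info="Userns create restricted - failed to find '
    'unprivileged_userns profile" error=-13 '
    'namespace="root//incus-f43_<var-lib-incus>" profile="unconfined" '
    'pid=2332667 comm="podman" requested="userns_create" '
    'denied="userns_create" target="unprivileged_userns"'
)

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The kernel audit layer writes untrusted strings as bare hex when they contain
# spaces or quotes, so these fields are decoded when they arrive unquoted.
HEX_FIELDS = {"comm", "name", "profile", "namespace"}

def parse_apparmor(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    stamp = re.search(r'audit\((\d+)\.(\d+):(\d+)\)', line)
    if stamp is None or 'apparmor="' not in line:
        return None
    fields = {}
    for key, raw in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key in HEX_FIELDS and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    fields["epoch"] = int(stamp.group(1))    # seconds since the Unix epoch
    fields["serial"] = int(stamp.group(3))   # audit event serial number
    return fields

def userns_denial(fields):
    """Summarise a denied userns_create, or return None for other records."""
    if not fields or fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") != "userns_create":
        return None
    lookup_failed = "failed to find" in fields.get("info", "")
    return {
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]),
        "confinement": fields.get("profile"),
        "ns_path": fields.get("namespace", "").split("//"),
        "missing_profile": fields.get("target") if lookup_failed else None,
        "errno": int(fields.get("error", 0)),
    }
```

For the record in the post, the summary shows an unconfined podman task in the nested policy namespace being denied because the target profile unprivileged_userns could not be found there.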