[apparmor] Need assistance with DENIED userns_create for non-root podman inside an Incus container
John Johansen
john.johansen at canonical.com
Sun Jan 25 03:44:04 UTC 2026
On 1/24/26 07:37, Kees Bakker wrote:
> Hi,
>
> My setup is an Ubuntu24 with an Incus server (6.20).
> One Incus container runs Fedora 43 where I want to run non-root podman.
>
> Inside the container
>
> [root at f43 ~]# sudo -u fedora -i
> [fedora at f43 ~]$ podman run -t -i hello-world
> cannot clone: Permission denied
> Error: cannot re-exec process
>
> On the Ubuntu24 host I see this in journalctl
>
> jan 24 16:33:41 rapper kernel: audit: type=1400 audit(1769268821.264:1554): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 namespace="root//incus-f43_<var-lib-incus>" profile="unconfined" pid=2332667 comm="podman" requested="userns_create" denied="userns_create" target="unprivileged_userns"
>
> My question, what do I have to do on the Ubuntu24 server to allow running non-root podman?
> Any help or suggestion is greatly appreciated.
You are encountering the unprivileged user namespace restriction (1-5).
You either need to confine the container, giving access to user namespaces, or you need to disable the restriction.

To temporarily disable it you can do

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

To permanently disable it

sudo bash -c "echo kernel.apparmor_restrict_unprivileged_userns=0 > /etc/sysctl.d/60-apparmor-namespace.conf"

1. https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
2. https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007
3. https://discourse.ubuntu.com/t/plucky-puffin-release-notes/48687
4. https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
5. https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
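The script below is an added example and not part of the thread or of the AppArmor or Incus projects. It shows, on the host side, how to recognise the exact denial quoted in the question (operation="userns_create" with target="unprivileged_userns") in kernel audit output, how to read the current state of the kernel.apparmor_restrict_unprivileged_userns knob, and how to generate the persistent sysctl drop-in from the reply. The sample audit line is constructed from the one in the original message; the function and variable names, and the assumption that the field layout of the audit record is stable, are mine.

```sh
#!/bin/sh
# Added example: triage the AppArmor unprivileged userns denial and
# apply the sysctl workaround from the reply. Not code from the thread.

# Constructed sample, copied from the denial in the original question.
SAMPLE_AUDIT='kernel: audit: type=1400 audit(1769268821.264:1554): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 namespace="root//incus-f43_<var-lib-incus>" profile="unconfined" pid=2332667 comm="podman" requested="userns_create" denied="userns_create" target="unprivileged_userns"'

SYSCTL_KEY=kernel.apparmor_restrict_unprivileged_userns
# Assumption: the sysctl is exposed at the usual /proc/sys path.
SYSCTL_FILE=/proc/sys/kernel/apparmor_restrict_unprivileged_userns
DROPIN=/etc/sysctl.d/60-apparmor-namespace.conf

# is_userns_restriction_denial LINE
# Exit 0 only when LINE is an AppArmor denial produced by the
# unprivileged user namespace restriction, not some other denial.
is_userns_restriction_denial() {
    printf '%s\n' "$1" | grep -q 'apparmor="DENIED"' &&
    printf '%s\n' "$1" | grep -q 'operation="userns_create"' &&
    printf '%s\n' "$1" | grep -q 'target="unprivileged_userns"'
}

# denial_field LINE KEY -> value of the quoted KEY="..." field in LINE.
# The leading space anchor keeps "denied=" from matching "requested=".
denial_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\([^\"]*\)\".*/\1/p"
}

# restriction_state [FILE] -> "on", "off", "absent" (kernel lacks the
# knob) or "unknown". FILE defaults to the live sysctl.
restriction_state() {
    f=${1:-$SYSCTL_FILE}
    [ -r "$f" ] || { echo absent; return; }
    case "$(cat "$f")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# sysctl_dropin -> contents of the persistent override from the reply.
sysctl_dropin() {
    printf '%s=0\n' "$SYSCTL_KEY"
}

# apply_workaround: the two commands from the reply. Needs root, and
# lowers hardening host-wide, so it is not invoked automatically here.
apply_workaround() {
    sysctl -w "$SYSCTL_KEY=0" &&
    sysctl_dropin > "$DROPIN"
}

# triage LINE -> one summary line per matching denial, for piping
# "journalctl -k" output through.
triage() {
    line=$1
    if is_userns_restriction_denial "$line"; then
        printf 'userns restriction hit: comm=%s profile=%s namespace=%s\n' \
            "$(denial_field "$line" comm)" \
            "$(denial_field "$line" profile)" \
            "$(denial_field "$line" namespace)"
    fi
}

# Demo on the constructed sample and the live knob (read only).
triage "$SAMPLE_AUDIT"
printf 'restriction currently: %s\n' "$(restriction_state)"
```

Run it as `journalctl -k | while IFS= read -r l; do triage "$l"; done` after sourcing the file to pull only the relevant denials out of the kernel log. The summary prints profile="unconfined" together with the nested namespace (root//incus-f43_...), which is the tell that the process is an unconfined task inside the container's policy namespace and that no unprivileged_userns profile exists there; that matches the two remedies in the reply, confining the container so the task gets a profile that grants user namespaces, or turning the restriction off host-wide with the sysctl, the latter being the broader loss of hardening.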