[apparmor] Need assistance with DENIED userns_create for non-root podman inside an Incus container
Kees Bakker
kees at ijzerbout.nl
Sun Jan 25 14:23:39 UTC 2026
Op 25-01-2026 om 04:44 schreef John Johansen:
> On 1/24/26 07:37, Kees Bakker wrote:
>> Hi,
>>
>> My setup is a Ubuntu24 with an Incus server (6.20).
>> One Incus container runs Fedora 43 where I want to run non-root podman.
>>
>> Inside the container
>>
>> [root at f43 ~]# sudo -u fedora -i
>> [fedora at f43 ~]$ podman run -t -i hello-world
>> cannot clone: Permission denied
>> Error: cannot re-exec process
>>
>> On the Ubuntu24 host I see this in journalctl
>>
>> jan 24 16:33:41 rapper kernel: audit: type=1400
>> audit(1769268821.264:1554): apparmor="DENIED"
>> operation="userns_create" class="namespace" info="Userns create
>> restricted - failed to find unprivileged_userns profile" error=-13
>> namespace="root//incus-f43_<var-lib-incus>" profile="unconfined"
>> pid=2332667 comm="podman" requested="userns_create"
>> denied="userns_create" target="unprivileged_userns"
>>
>> My question, what do I have to do on the Ubuntu24 server to allow
>> running non-root podman?
>> Any help or suggestion is greatly appreciated.
>
> You are encountering the unprivileged user namespace restriction (1-5).
>
> You either need to confine the container, giving access to user
> namespaces, or you need to disable the restriction.
>
> to temporarily disable you can do
>
> sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
>
> to permanently disable
>
> sudo bash -c "echo kernel.apparmor_restrict_unprivileged_userns=0 >
> /etc/sysctl.d/60-apparmor-namespace.conf"
>
>
>
> 1. https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
> 2. https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007
> 3. https://discourse.ubuntu.com/t/plucky-puffin-release-notes/48687
> 4. https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
> 5. https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
A few months ago there was a discussion [1] about an identical problem.
Two suggested solutions were:
1. Manually create the unprivileged_userns profile, by using AppArmor on
the host. Something like

  sudo apparmor_parser -n 'incus-mycontainer_<var-lib-incus>' -r /etc/apparmor.d/unprivileged_userns

2. Use your own AppArmor profile, with "raw.apparmor = profile"
So far I don't quite understand how to do either of the two.
Perhaps the above apparmor_parser isn't quite correct.
Also, when I create an Incus container with Ubuntu24 AND if I then
install apparmor, I can run rootless podman.
On the host, in the output of "aa-status --filter.mode=unconfined" there is
:incus-dawarich_<var-lib-incus>:podman
:incus-forgejo-runner_<var-lib-incus>:podman
BTW, in the AppArmor documentation I couldn't find what the meaning of
the ":" is.
The thing is, I want Fedora 43 in the Incus container to run podman.
Fedora has no apparmor.
[1] https://discuss.linuxcontainers.org/t/error-with-rootless-podman/24250/9
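As an added example (not code from the thread), a small POSIX shell helper that pulls the policy namespace out of the host's userns_create denial line and prints the apparmor_parser invocation suggested in [1] for that namespace, so an admin can see which Incus container's policy namespace is missing the profile. The sample journal line is constructed from the one quoted above; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of the host journal line quoted in this thread (single line).
SAMPLE_AUDIT='jan 24 16:33:41 rapper kernel: audit: type=1400 audit(1769268821.264:1554): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 namespace="root//incus-f43_<var-lib-incus>" profile="unconfined" pid=2332667 comm="podman" requested="userns_create" denied="userns_create" target="unprivileged_userns"'

# Extract the value of one key="value" field from an audit line.
# $1 = audit line, $2 = key name
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# For a userns_create denial, print the AppArmor policy namespace the
# unprivileged_userns profile is missing from (the leading "root//" stripped,
# as apparmor_parser -n expects). Returns 1 if the line is not such a denial.
userns_denial_ns() {
    line=$1
    [ "$(audit_field "$line" apparmor)" = "DENIED" ] || return 1
    [ "$(audit_field "$line" operation)" = "userns_create" ] || return 1
    audit_field "$line" namespace | sed 's#^root//##'
}

# Print the apparmor_parser command from [1] for the namespace in the denial.
userns_parser_cmd() {
    ns=$(userns_denial_ns "$1") || return 1
    printf "apparmor_parser -n '%s' -r /etc/apparmor.d/unprivileged_userns\n" "$ns"
}

# Current host-wide restriction state (the sysctl from the thread); 1 = restricted.
restriction_state() {
    sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null || echo "unknown"
}

# Walk the host journal for userns_create denials and print one suggested
# command per affected namespace. Usage: journalctl -k | userns_denials_report
userns_denials_report() {
    while IFS= read -r l; do
        userns_parser_cmd "$l" 2>/dev/null || true
    done | sort -u
}
```

Run `journalctl -k | userns_denials_report` on the Ubuntu host to list the namespaces that produced denials; `restriction_state` shows whether the global restriction is still enabled.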