ERROR : Failed to create mount namespace: mount namespace requires privileges, check Apptainer installation on Ubuntu 24 #2360

https://github.com/apptainer/apptainer/issues/2360

AndrePatri opened on Jul 15, 2024

Version of Apptainer
1.3.2

Expected behaviour
When running singularity build --fakeroot my_image.sif my_def.def

Actual behaviour
I get ERROR : Failed to create mount namespace: mount namespace requires privileges, check Apptainer installation

What OS/distro are you running
“24.04 LTS (Noble Numbat)”

How did you install Apptainer
I am running on a system where I don’t have root privileges. Hence, since I was getting permission errors, I installed the setuid version of Apptainer, as recommended here:

    sudo apt update
    sudo apt install -y software-properties-common
    sudo add-apt-repository -y ppa:apptainer/ppa
    sudo apt update
    sudo apt install -y apptainer

and then

    sudo add-apt-repository -y ppa:apptainer/ppa
    sudo apt update
    sudo apt install -y apptainer-suid

DrDaveD (Contributor) commented on Jul 16, 2024

I believe this is a result of an unfortunate decision by the Ubuntu maintainers to block use of user namespaces by default. The apptainer-1.3.3 debian packaging has a fix for it for the apptainer in that package. Unfortunately this has apparently not yet been updated in the Ubuntu PPA, but you can install it from the Apptainer 1.3.3 release page or disable the restriction on your machine by following the instructions in INSTALL.md.

When user namespaces are available, you normally should not need the apptainer-suid package, and even with apptainer-suid user namespaces are still needed for --fakeroot.

@panda1100 does the Ubuntu PPA builds.

AndrePatri (Author) commented on Jul 16, 2024

I’ve just tried the 1.3.3 version (checked on terminal) and I still get the same issue.

DrDaveD (Contributor) commented on Jul 17, 2024 (edited by DrDaveD)

You’re right. The apparmor support in apptainer-1.3.3 is completely broken.

First, the test that was added for it is insufficient because it only checks suid mode which doesn’t use a user namespace. There should be another test at the end of ci-deb-build-test to try the exec -u option and probably also exec -f which both use user namespaces through two different paths.

Next the /etc/apparmor.d/apptainer file has the wrong path, where /usr/lib/@{multiarch} should instead be /usr/libexec. Finally, the package we build for the release page is built on debian 11 so it has only a placeholder file. Fortunately I found in my testing that if we apply the patch from sylabs/singularity#2999 for older debian versions it happens to also work on Ubuntu 24.04. That is, using abi/3.0 avoids the need of mentioning explicitly “userns”. So it should still work to use a debian 11 package on Ubuntu 24.04.

Assigning to @JasonYangShadow for the 1.3.4 release.

Meanwhile, @AndrePatri, I believe if you change the abi/4.0 in /etc/apparmor.d/apptainer to abi/3.0, change /@{multiarch} to exec, and run systemctl restart apparmor it should start working for you.

DrDaveD assigned JasonYangShadow on Jul 17, 2024

DrDaveD added this to the 1.3.4 milestone on Jul 17, 2024

AndrePatri (Author) commented on Jul 17, 2024

Thanks @DrDaveD. Since I am running on a local workstation, I was able to request the system wide fix for allowing namespaces to the administrator, which for me works just fine. I’ll wait for the next release then. Any idea as to when the fixes will be available in the apt packages?

JasonYangShadow mentioned this on Jul 17, 2024: fix broken apparmor profile and add ci tests #2364

DrDaveD (Contributor) commented on Jul 18, 2024

They’re fixed in #2364 and will be in the 1.3.4 release. I’m not sure when that will be.

DrDaveD closed this as completed in #2364 on Jul 18, 2024

JasonYangShadow mentioned this on Jul 18, 2024: fix broken apparmor profile and add ci tests (release-1.3) #2368

prhbrt commented on Sep 5, 2024

Just a quick note, even though it might seem quite obvious, I solved this by installing apptainer-suid instead of apptainer.

I was caught off-guard and tried other things first because OP mentioned installing apptainer-suid didn’t fix it.

DrDaveD (Contributor) commented on Sep 5, 2024

@prhbrt were you trying to do a build or use --fakeroot? Even with apptainer-suid that generally requires user namespaces, although there is a limited form of fakeroot for suid without user namespaces (fakeroot mode 4).

virologist commented on Dec 19, 2024

It works for me. #1294 (comment)

    sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

johnbradley mentioned this on Feb 8: Fix Container Building - Failed to create mount namespace (Imageomics/pybioclip#91)
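
A read-only check for the two conditions this thread identifies (the abi/4.0 and /usr/lib/@{multiarch} lines in /etc/apparmor.d/apptainer, and the kernel.apparmor_restrict_unprivileged_userns sysctl), added here as an example that is not part of the original thread or of Apptainer's code. The function names, the --diagnose argument and the sample profile text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch; not Apptainer project code. Function names are hypothetical.

# Constructed sample shaped like the broken profile described in the thread
# (abi/4.0 plus the /usr/lib/@{multiarch} starter path). Not the shipped file.
sample_broken_profile() {
    cat <<'EOF'
abi <abi/4.0>,
include <tunables/global>
profile apptainer /usr/lib/@{multiarch}/apptainer/bin/starter{,-suid} flags=(unconfined) {
  userns,
}
EOF
}

# Print one finding per defect named in the thread.
# Exit status: 0 = none found, 1 = at least one, 2 = file unreadable.
check_profile() {
    profile=$1
    [ -r "$profile" ] || { echo "unreadable: $profile"; return 2; }
    rc=0
    if grep -Eq '^[[:space:]]*abi[[:space:]]*<abi/4\.0>' "$profile"; then
        echo "abi: declares abi/4.0 (thread workaround uses abi/3.0)"; rc=1
    fi
    if grep -Fq '/usr/lib/@{multiarch}' "$profile"; then
        echo "path: uses /usr/lib/@{multiarch} (thread says /usr/libexec)"; rc=1
    fi
    return "$rc"
}

# Report the Ubuntu sysctl that gates unprivileged user namespaces.
# The optional argument overrides the /proc path so the function can be tested.
userns_restriction() {
    knob=${1:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}
    [ -r "$knob" ] || { echo "absent"; return 0; }
    case "$(cat "$knob")" in
        0) echo "off" ;;
        *) echo "on" ;;
    esac
}

# Read-only report for the local machine; changes nothing.
diagnose() {
    echo "userns restriction: $(userns_restriction)"
    check_profile "${1:-/etc/apparmor.d/apptainer}" || true
}

if [ "${1:-}" = "--diagnose" ]; then diagnose; fi
```

A restriction of "on" together with either profile finding matches the failing state described above; "off" corresponds to the system-wide sysctl change, which lifts the restriction for every program on the machine and not only for Apptainer.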
