Issue

With the adoption of Ubuntu 24.04 (Noble) node images in Kubernetes clusters, many users have started hitting failures when running rootless Docker-in-Docker (DinD) containers that worked unchanged on Ubuntu 22.04.

A typical error looks like this:

[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted

This post explains the root cause, why it only happens on newer Ubuntu versions, and what actually works in practice.

Background: How Rootless DinD Works

docker:dind-rootless is designed to run Docker without root privileges.
Internally, it relies on:

dockerd-rootless.sh
  → rootlesskit
    → user namespace (userns)
    → mount namespace
    → network namespace
    → re-exec via /proc/self/exe
    → start dockerd

Key requirement:

RootlessKit must create an unprivileged user namespace.

Without this, the Docker daemon never starts.

What Changed in Ubuntu 24.04

Introduced in Ubuntu 23.10 and on by default in 24.04:

Unprivileged user namespace creation is restricted by AppArmor by default.
https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007

This behavior is controlled by:

/proc/sys/kernel/apparmor_restrict_unprivileged_userns

When enabled (value 1):

  • A non-root process without CAP_SYS_ADMIN that is not confined by an AppArmor profile can still create a user namespace, but AppArmor moves it into the special unprivileged_userns profile as it does so, and that profile denies it capabilities inside the new namespace (the audit log in the test result section shows rootlesskit being denied CAP_SYS_ADMIN exactly this way)
  • Only processes confined by an AppArmor profile that explicitly grants userns get a normal, fully usable user namespace

Why this worked on Ubuntu 22.04

Ubuntu 22.04 kernels do not carry this AppArmor restriction at all (the apparmor_restrict_unprivileged_userns sysctl does not even exist there, as the test result section shows), so RootlessKit gets a normal user namespace. Nothing in Kubernetes changed: this is a host OS security change.

Failure Mechanism

  1. Rootless DinD starts: dockerd-rootless.sh runs rootlesskit as the non-root rootless user
  2. RootlessKit re-executes /proc/self/exe in a new user namespace (plus the mount namespace it needs)
  3. The kernel asks AppArmor about userns_create
  4. AppArmor allows the namespace but transitions the child into the unprivileged_userns profile (audit log: "Userns create - transitioning profile")
  5. The child's next step, setting up its mount namespace, needs CAP_SYS_ADMIN inside the new user namespace; the unprivileged_userns profile denies it (audit log: DENIED operation="capable" capname="sys_admin")
  6. The child setup fails and RootlessKit reports it as: fork/exec /proc/self/exe → EPERM

Why privileged: true Does NOT Fix It

Even with privileged: true in the container's securityContext, rootless DinD still fails.

securityContext:
  privileged: true

Because

  • privileged: true → grants all capabilities to the container's root user and runs the container without an AppArmor profile (unconfined)
  • RootlessKit → the image switches to the non-root rootless user, which holds no CAP_SYS_ADMIN, before dockerd-rootless.sh starts rootlesskit
  • Ubuntu 24.04 restriction → applies precisely to unconfined processes without CAP_SYS_ADMIN that create a user namespace, so the rootless user is restricted no matter what the container as a whole was granted

How to fix it

1. Use Rootful DinD

The simplest fix: the rootful image starts dockerd as root, which has CAP_SYS_ADMIN and is never moved into the unprivileged_userns profile. The trade-off is that the container is fully privileged on the node, so it should only run trusted workloads.

apiVersion: v1
kind: Pod
metadata:
  name: dind-rootful
spec:
  containers:
    - name: dind
      image: docker:28.0.1-dind
      securityContext:
        privileged: true

2. Use Ubuntu 22.04 Nodes

If your cluster can still provide Ubuntu 22.04 nodes, pinning the rootless DinD pod to them keeps rootless DinD working. The label below is an example; use whatever label your node pool or cloud provider exposes for the node image.

nodeSelector:
  kubernetes.io/os-image: Ubuntu2204

3. Disable the restriction (not recommended)

Setting the sysctl on the node (not inside the pod) turns the hardening off for every process on that node. It is also not persistent across reboots or node replacement, so it would have to be reapplied on every node.

$ sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

4. Custom AppArmor Profile (Advanced / Not Recommended in Managed K8s)

An AppArmor profile with an explicit userns rule keeps the restriction for everything else on the node while letting RootlessKit create a normal user namespace. flags=(unconfined) means the profile mediates nothing except that rule. The profile has to be loaded on every node that may run the pod.

cat <<EOF > /etc/apparmor.d/rootlesskit
abi <abi/4.0>,
include <tunables/global>

# The attachment path only matters if the profile is attached on exec;
# when a pod selects the profile by name, the container runs under it regardless of the path.
profile rootlesskit /usr/bin/rootlesskit flags=(unconfined) {
  userns,
}
EOF

# load (or replace) just this profile (systemctl restart apparmor reloads all of them)
apparmor_parser -r /etc/apparmor.d/rootlesskit

Test Result

I ran the rootless DinD container on Ubuntu 22.04 and 24.04 nodes.
The results differ.

Ubuntu 22

root@ubuntu22node:/# cat /proc/sys/kernel/unprivileged_userns_clone
1
# the AppArmor restriction sysctl does not exist on 22.04 kernels
root@ubuntu22node:/# cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns
cat: /proc/sys/kernel/apparmor_restrict_unprivileged_userns: No such file or directory

Ubuntu 24

root@ubuntu24node:/# cat /proc/sys/kernel/unprivileged_userns_clone
1
root@ubuntu24node:/# cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns
1
root@ubuntu24node:/# sudo dmesg -T | grep -iE 'apparmor|userns|rootlesskit|DENIED' | tail -n 3
[Fri Jun 26 05:08:49 2026] audit: type=1400 audit(1782450529.255:124): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8815 comm="rootlesskit" capability=21  capname="sys_admin"
[Fri Jun 26 05:09:04 2026] audit: type=1400 audit(1782450544.540:125): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8860 comm="rootlesskit" requested="userns_create" target="unprivileged_userns"
[Fri Jun 26 05:09:29 2026] audit: type=1400 audit(1782450569.900:126): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=9028 comm="rootlesskit" requested="userns_create" target="unprivileged_userns"
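The checks above (the two sysctls and the dmesg grep) and the failure mechanism they confirm can be packaged into a small node-diagnosis script. This is an added example, not part of the original post: the function names, the status labels and the sample log are my own, and the sample audit lines are constructed to mirror the format of the dmesg output above rather than captured from a node.

```shell
#!/bin/sh
# Added example (not from the original post): the manual checks from the
# test result section as reusable functions. Each takes its input as an
# argument so it can run against a node's real /proc/sys and dmesg, or
# against constructed fixtures for offline testing.

# Classify a node from its sysctl files.
#   blocked-by-sysctl      unprivileged_userns_clone=0: no unprivileged user namespaces at all
#   restricted-by-apparmor apparmor_restrict_unprivileged_userns=1 (Ubuntu 23.10+/24.04 default)
#   unrestricted           neither applies (e.g. Ubuntu 22.04, where the AppArmor sysctl is absent)
userns_status() {
    root="${1:-/proc/sys}"
    clone="$root/kernel/unprivileged_userns_clone"
    aa="$root/kernel/apparmor_restrict_unprivileged_userns"
    if [ -f "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo "blocked-by-sysctl"
    elif [ -f "$aa" ] && [ "$(cat "$aa")" = "1" ]; then
        echo "restricted-by-apparmor"
    else
        echo "unrestricted"
    fi
}

# Count the AppArmor signature of this failure in a dmesg/audit dump for one
# command name: userns_create transitions into unprivileged_userns, and
# capable(sys_admin) denials while inside that profile.
# Prints "<transitions> <denials>".
userns_denials() {
    log="$1"
    comm="${2:-rootlesskit}"
    t=$(grep -c "operation=\"userns_create\".*comm=\"$comm\".*target=\"unprivileged_userns\"" "$log" || true)
    d=$(grep -c "apparmor=\"DENIED\".*profile=\"unprivileged_userns\".*comm=\"$comm\".*capname=\"sys_admin\"" "$log" || true)
    echo "$t $d"
}

# Constructed sample log, shaped like the dmesg lines in the post (not real captured output).
sample_audit_log() {
cat <<'EOF'
audit: type=1400 audit(1.000:1): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8860 comm="rootlesskit" requested="userns_create" target="unprivileged_userns"
audit: type=1400 audit(2.000:2): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8860 comm="rootlesskit" capability=21  capname="sys_admin"
audit: type=1400 audit(3.000:3): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=9028 comm="rootlesskit" requested="userns_create" target="unprivileged_userns"
audit: type=1400 audit(4.000:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="rootlesskit" pid=1 comm="apparmor_parser"
EOF
}

# Live mode: run on a node (or in a pod that sees the host's /proc and dmesg)
# as: sh check-userns.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "sysctl status: $(userns_status)"
    if dmesg -T > /tmp/dmesg.txt 2>/dev/null; then
        echo "rootlesskit userns transitions / sys_admin denials: $(userns_denials /tmp/dmesg.txt)"
    fi
fi
```

A node that reports restricted-by-apparmor together with a non-zero denial count is showing exactly the sequence from the failure mechanism section: the namespace was created, the process was transitioned, and the capability it needed next was refused.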

Generating an AppArmor custom profile

If you control the nodes (or can run a privileged DaemonSet on them), a custom AppArmor profile loaded on each node and selected from the pod's securityContext is the most targeted option: the node keeps the 24.04 default for everything else, and only the DinD container gets a usable user namespace.
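One way to deliver that, as an added example that is not from the original post or from the Docker project: a ConfigMap carrying the profile, a DaemonSet that copies it into /etc/apparmor.d on every node and loads it with the host's apparmor_parser, and a rootless DinD pod that selects the profile by name. It assumes Kubernetes 1.30 or newer (securityContext.appArmorProfile is GA there), Ubuntu 24.04 nodes with apparmor_parser at /sbin/apparmor_parser, an ubuntu:24.04 image that ships nsenter, and that a privileged, host-mounting DaemonSet is acceptable in your cluster. All resource names are illustrative.

```yaml
# Added example: load a permissive "rootlesskit" AppArmor profile on every
# node, then run docker:dind-rootless under it. Names are illustrative.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: apparmor-rootlesskit
  namespace: kube-system
data:
  rootlesskit: |
    abi <abi/4.0>,
    include <tunables/global>

    # flags=(unconfined): mediate nothing except the explicit userns rule,
    # which stops AppArmor from transitioning children into the
    # capability-less unprivileged_userns profile.
    profile rootlesskit flags=(unconfined) {
      userns,
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: apparmor-rootlesskit-loader
  namespace: kube-system
spec:
  selector:
    matchLabels: {app: apparmor-rootlesskit-loader}
  template:
    metadata:
      labels: {app: apparmor-rootlesskit-loader}
    spec:
      hostPID: true                      # needed to nsenter the host mount namespace
      nodeSelector: {kubernetes.io/os: linux}
      tolerations: [{operator: Exists}]  # run on every node, tainted ones included
      initContainers:
        - name: load-profile
          image: ubuntu:24.04
          securityContext: {privileged: true}
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              cp /profile/rootlesskit /host/etc/apparmor.d/rootlesskit
              # load or replace the profile in the host kernel using the host's parser
              nsenter -t 1 -m -- /sbin/apparmor_parser -r /etc/apparmor.d/rootlesskit
              # confirm the kernel now knows the profile
              nsenter -t 1 -m -- grep -q '^rootlesskit' /sys/kernel/security/apparmor/profiles
          volumeMounts:
            - {name: profile, mountPath: /profile}
            - {name: host-apparmor-d, mountPath: /host/etc/apparmor.d}
      containers:
        - name: pause
          image: registry.k8s.io/pause:3.9
      volumes:
        - name: profile
          configMap: {name: apparmor-rootlesskit}
        - name: host-apparmor-d
          hostPath: {path: /etc/apparmor.d, type: Directory}
---
apiVersion: v1
kind: Pod
metadata:
  name: dind-rootless
spec:
  containers:
    - name: dind
      image: docker:dind-rootless
      securityContext:
        privileged: true        # the rootless image still needs this
        appArmorProfile:
          type: Localhost       # an explicit Localhost profile is applied even on privileged containers
          localhostProfile: rootlesskit
```

Order matters: the kubelet refuses to start a container whose Localhost profile is not loaded on that node, so the DinD pod has to be created (or recreated) after the loader has run there. On clusters older than 1.30, the equivalent is the annotation container.apparmor.security.beta.kubernetes.io/dind: localhost/rootlesskit on the pod. The DaemonSet itself is a privileged workload that writes to the host, which is why the post lists this option as advanced.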
