Issue
With the adoption of Ubuntu 24.04 (Noble) in modern Kubernetes environments, many users have started encountering failures when running rootless Docker-in-Docker (DinD) containers.
A typical error looks like this:
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted
This post explains the root cause, why it only happens on newer Ubuntu versions, and what actually works in practice.
Background: How Rootless DinD Works
docker:dind-rootless is designed to run Docker without root privileges.
Internally, it relies on:
dockerd-rootless.sh
→ rootlesskit
→ user namespace (userns)
→ mount namespace
→ network namespace
→ re-exec via /proc/self/exe
→ start dockerd
Key requirement:
RootlessKit must create an unprivileged user namespace.
Without this, the Docker daemon never starts.
What Changed in Ubuntu 24.04
Starting from Ubuntu 23.10 and fully enforced in 24.04:
Unprivileged user namespace creation is restricted by AppArmor by default.
https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007
This behavior is controlled by:
/proc/sys/kernel/apparmor_restrict_unprivileged_userns
When enabled:
- Non-root processes cannot freely create user namespaces
- Only processes explicitly allowed by AppArmor profiles can do so
Why this worked on Ubuntu 22.04
Ubuntu 22.04 does not have the apparmor_restrict_unprivileged_userns sysctl at all, so unprivileged user namespaces are created freely. Nothing in Kubernetes changed; this is a host OS security change.
Failure Mechanism
- Rootless DinD starts
- RootlessKit tries to unshare(CLONE_NEWUSER)
- The kernel checks the AppArmor policy
- AppArmor denies userns_create
- RootlessKit fails when re-executing: fork/exec /proc/self/exe → EPERM
Why privileged: true Does NOT Fix It
Even if securityContext sets privileged: true, the container still fails:
securityContext:
privileged: true
Because
- privileged: true → grants capabilities
- RootlessKit → runs as non-root user
- Ubuntu 24.04 restriction → applies to unprivileged user namespace
How to fix it
1. Use Rootful DinD
apiVersion: v1
kind: Pod
metadata:
name: dind-rootful
spec:
containers:
- name: dind
image: docker:28.0.1-dind
securityContext:
privileged: true
2. Use Ubuntu 22.04 Node
If you can schedule the pod onto an Ubuntu 22.04 node, rootless DinD remains an option:
nodeSelector:
kubernetes.io/os-image: Ubuntu2204
3. Disable the restriction (not recommended)
$ sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
4. Custom AppArmor Profile (Advanced / Not Recommended in Managed K8s)
cat <<EOF > /etc/apparmor.d/rootlesskit
abi <abi/4.0>,
include <tunables/global>

# Unconfined profile whose only purpose is to grant the userns permission
profile rootlesskit /usr/bin/rootlesskit flags=(unconfined) {
  userns,
}
EOF
systemctl restart apparmor
Test Result
I ran the rootless DinD container on Ubuntu 22 and Ubuntu 24 nodes.
The results differ.
Ubuntu 22
root@ubuntu22node:/# cat /proc/sys/kernel/unprivileged_userns_clone
1
### by apparmor
root@ubuntu22node:/# cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns
cat: /proc/sys/kernel/apparmor_restrict_unprivileged_userns: No such file or directory
Ubuntu 24
root@ubuntu24node:/# cat /proc/sys/kernel/unprivileged_userns_clone
1
root@ubuntu24node:/# cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns
1
root@ubuntu24node:/# sudo dmesg -T | grep -iE 'apparmor|userns|rootlesskit|DENIED' | tail -n 3
[Fri Jun 26 05:08:49 2026] audit: type=1400 audit(1782450529.255:124): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8815 comm="rootlesskit" capability=21 capname="sys_admin"
[Fri Jun 26 05:09:04 2026] audit: type=1400 audit(1782450544.540:125): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8860 comm="rootlesskit" requested="userns_create" target="unprivileged_userns"
[Fri Jun 26 05:09:29 2026] audit: type=1400 audit(1782450569.900:126): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=9028 comm="rootlesskit" requested="userns_create" target="unprivileged_userns"
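Added check script, not code from the original post (function names are my own): it classifies a node from the two sysctl files inspected above and extracts the RootlessKit denial from dmesg lines; the embedded sample log is copied from the Ubuntu 24 output above so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: classify a node's user-namespace
# policy from the two sysctl files the post inspects, and extract the AppArmor
# denial RootlessKit triggers from kernel log lines. File paths are parameters
# so the check can be run against copied files; they default to the live /proc paths.

# Prints one of: userns-disabled, apparmor-restricted, unrestricted
userns_policy() {
    clone_file="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    aa_file="${2:-/proc/sys/kernel/apparmor_restrict_unprivileged_userns}"
    clone=1
    # Kernels without the unprivileged_userns_clone knob allow userns by default
    [ -r "$clone_file" ] && clone=$(cat "$clone_file")
    if [ "$clone" != "1" ]; then
        echo "userns-disabled"
        return 0
    fi
    # Ubuntu 22.04 has no apparmor_restrict_unprivileged_userns file at all
    # (see the 22.04 output above); a missing file means no AppArmor restriction.
    if [ -r "$aa_file" ] && [ "$(cat "$aa_file")" = "1" ]; then
        echo "apparmor-restricted"
    else
        echo "unrestricted"
    fi
}

# Reads `dmesg -T` lines on stdin; prints "<pid> <profile> <capname>" for each
# AppArmor DENIED event whose comm is rootlesskit. The AUDIT userns_create
# transition lines carry no capname and are not denials, so they are skipped.
rootlesskit_denials() {
    grep 'apparmor="DENIED"' | grep 'comm="rootlesskit"' |
        sed -n 's/.*profile="\([^"]*\)".*pid=\([0-9]*\).*capname="\([^"]*\)".*/\2 \1 \3/p'
}

# Sample log: two lines copied from the post's Ubuntu 24 dmesg output.
SAMPLE_LOG='[Fri Jun 26 05:08:49 2026] audit: type=1400 audit(1782450529.255:124): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=8815 comm="rootlesskit" capability=21 capname="sys_admin"
[Fri Jun 26 05:09:04 2026] audit: type=1400 audit(1782450544.540:125): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=8860 comm="rootlesskit" requested="userns_create" target="unprivileged_userns"'

# Runs the extraction over the embedded sample; on a node use:
#   sudo dmesg -T | rootlesskit_denials
demo_denials() {
    printf '%s\n' "$SAMPLE_LOG" | rootlesskit_denials
}
```

On an Ubuntu 24.04 node with the restriction active, `userns_policy` prints apparmor-restricted and the denial line shows the CAP_SYS_ADMIN check failing under the unprivileged_userns profile, which is the signature to look for before trying rootless DinD.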
Generating an AppArmor custom profile
If you want to generate a custom profile and apply it to your pod, these tools are a good option:
- https://github.com/kubernetes/kubernetes/tree/v1.36.2/test/images/apparmor-loader
- https://github.com/tuxerrante/kapparmor