The Debian-shipped passt AppArmor profile (/etc/apparmor.d/usr.bin.passt)
denies the accesses pasta needs to plumb rootlesskit's netns:
- ptrace_read on the rootlesskit child to enter its user namespace
- read /run/user/<uid>/dockerd-rootless/netns (the netns file)
- read /proc/<pid>/net/{tcp,tcp6,udp,udp6} for implicit port forwarding
Without these the rootless docker daemon fails with:
pasta failed with exit code 1:
Couldn't open user namespace /proc/<pid>/ns/user: Permission denied
scripts/docker/install/rootless/rootless_apparmor.sh:
New installRootlessApparmorForPasta() — idempotent fixup.
1. Adds `include if exists <local/usr.bin.passt>` to the main profile
(one line; re-adding is a no-op via grep).
2. Writes /etc/apparmor.d/local/usr.bin.passt with the four rules
pasta needs. The /local/ pattern is the standard Debian AppArmor
hook for site-managed overrides — survives `apt upgrade passt`
because it's outside the package's managed paths.
3. Reloads via apparmor_parser -r.
Called from installDockerRootless after the override.conf write, gated
on $rootless_net == pasta. slirp4netns installs skip it.
This box was already manually patched while debugging the pasta swap —
the installer-side change makes it idempotent across reinstalls and
applies the same fix on any other host that installs rootless docker
with pasta as the net driver.
Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
|
|
|
|
# This file is auto-generated by generate_arrays.sh
|
|
# Do not edit manually - run './scripts/source/files/generate_arrays.sh run' to regenerate
|
|
|
|
docker_scripts=(
|
|
"docker/app/checks/app_installed.sh"
|
|
"docker/app/checks/container_health_loop.sh"
|
|
"docker/app/checks/container_health.sh"
|
|
"docker/app/compose/down_all.sh"
|
|
"docker/app/compose/down_app.sh"
|
|
"docker/app/compose/up_all.sh"
|
|
"docker/app/compose/up_app.sh"
|
|
"docker/app/compose/up_down_app.sh"
|
|
"docker/app/docker/remove_app.sh"
|
|
"docker/app/docker/restart_app.sh"
|
|
"docker/app/docker/start_all.sh"
|
|
"docker/app/docker/start_app.sh"
|
|
"docker/app/docker/stop_all.sh"
|
|
"docker/app/docker/stop_app.sh"
|
|
"docker/app/functions/function_app_tool.sh"
|
|
"docker/app/functions/function_install_app.sh"
|
|
"docker/app/functions/function_restart_app.sh"
|
|
"docker/app/uninstall/delete_data.sh"
|
|
"docker/app/uninstall/down_remove_app.sh"
|
|
"docker/app/uninstall/remove_images.sh"
|
|
"docker/app/uninstall/uninstall_app.sh"
|
|
"docker/checks/app_health_details.sh"
|
|
"docker/checks/app_health_status.sh"
|
|
"docker/checks/running_for_user.sh"
|
|
"docker/command/docker_run_install.sh"
|
|
"docker/command/docker_run.sh"
|
|
"docker/command/run_privileged.sh"
|
|
"docker/compose/copy_build_context.sh"
|
|
"docker/compose/restart_after_update.sh"
|
|
"docker/compose/setup_compose_yml.sh"
|
|
"docker/compose/update_and_start.sh"
|
|
"docker/compose/update_compose_yml.sh"
|
|
"docker/install/rooted/rooted_docker_check.sh"
|
|
"docker/install/rooted/rooted_docker_compose.sh"
|
|
"docker/install/rooted/rooted_docker.sh"
|
|
"docker/install/rootless/rootless_apparmor.sh"
|
|
"docker/install/rootless/rootless_docker.sh"
|
|
"docker/install/rootless/rootless_start_setup.sh"
|
|
"docker/install/rootless/rootless_uninstall.sh"
|
|
"docker/install/rootless/rootless_user.sh"
|
|
"docker/network/network_prune.sh"
|
|
"docker/network/network_randomize_subnet.sh"
|
|
"docker/network/network_setup.sh"
|
|
"docker/service/start_docker.sh"
|
|
"docker/service/stop_docker.sh"
|
|
"docker/setup_env.sh"
|
|
"docker/type_switcher/scan_container_socket.sh"
|
|
"docker/type_switcher/set_socket_permissions.sh"
|
|
"docker/type_switcher/swap_docker_type.sh"
|
|
"docker/type_switcher/switch_containers_type.sh"
|
|
"docker/update_docker_sudo_pass.sh"
|
|
"docker/update_docker_user_pass.sh"
|
|
"docker/whitelist_port_updater.sh"
|
|
|
|
)
|