[Optional] AppArmor

Note

Configuring AppArmor is needed only on Ubuntu 24.04 or later, with RootlessKit installed under a non-standard path.

If you face an error like [rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted, try running the following commands:

cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.rootlesskit"
abi <abi/4.0>,
include <tunables/global>

/usr/local/bin/rootlesskit flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.local.bin.rootlesskit>
}
EOT
sudo systemctl restart apparmor.service

Replace the /usr/local/bin/rootlesskit string with the actual path of rootlesskit.

This step is not needed when rootlesskit is installed in the standard path (/usr/bin/rootlesskit).
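
The following script is an added example, not part of the original documentation or the RootlessKit project: it renders the profile shown above for whatever path rootlesskit is installed under, and refuses to emit one for the standard path. The function names profile_name and render_profile are hypothetical, the dotted file-name convention is inferred from the usr.local.bin.rootlesskit name used above, and resolving symlinks with readlink -f before rendering is an assumption.

```sh
#!/bin/sh
# Added example: render the AppArmor profile above for an arbitrary rootlesskit path.

# File name under /etc/apparmor.d: drop the leading "/", turn each "/" into ".".
profile_name() {
  printf '%s\n' "$1" | sed -e 's|^/||' -e 's|/|.|g'
}

# Print the profile for the binary at $1.
# Returns 1 for the standard path (no profile needed), 2 for a path that is
# not absolute or contains characters that would need quoting in a profile.
render_profile() {
  case "$1" in
    /usr/bin/rootlesskit) return 1 ;;
    /*) ;;
    *) return 2 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9._/-]*) return 2 ;;
  esac
  name=$(profile_name "$1")
  cat <<EOT
abi <abi/4.0>,
include <tunables/global>

$1 flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOT
}

# Given a path argument, resolve symlinks and print the profile for review.
# Assumed install workflow, mirroring the commands above:
#   sh gen-profile.sh "$(command -v rootlesskit)" | sudo tee /etc/apparmor.d/<profile_name output>
#   sudo systemctl restart apparmor.service
if [ "$#" -gt 0 ]; then
  bin=$(readlink -f "$1") || exit 2
  render_profile "$bin"
  rc=$?
  [ "$rc" -eq 1 ] && echo "standard path, no profile needed" >&2
  exit "$rc"
fi
```

Printing to stdout first lets you review the exact path being marked unconfined before it is written under /etc/apparmor.d.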