Rather than reporting a bug I thought I’d mention this here first - partly because I’m not sure what piece of software might have the bug (e.g. incus / Linux kernel / prometheus), or whether it’s a known issue…
When deploying a Debian container (Debian 11, Debian 12, or Debian 13 (testing) container) on an incus server which is running Debian 13 (trixie / testing)…
If you run prometheus (apt install prometheus) directly on the host, it starts and runs correctly.
If you run prometheus inside a container, the prometheus service fails to start with “Failed to set up user namespacing: Permission denied”. This also occurs when the container is run with security.nesting set to true and/or security.privileged is true.
hi,
all of this happens to me on debian/sid following upgrade of apparmor from 3.1.7-4 to current 4.1.0-beta5-4 (with incus 6.0.3-4).
i use /usr/bin/bwrap --ro-bind / / --unshare-user --uid 1000 --gid 1000 /usr/bin/bash
to create userns_namespace in a container configured with security.nesting: "true",
and it responds with bwrap: Creating new namespace failed: Permission denied
and the host logger cries like this host_x kernel: audit: type=1400 audit(1740158467.887:298): apparmor="DENIED" operation="userns_create" class="namespace" profile="incus-abc_</var/lib/incus>" pid=10974 comm="(d-logind)" requested="userns_create" denied="userns_create".
Downgrading apparmor back to 3.1.7-4 resolves this issue.
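For anyone triaging the same symptom in their own host logs, here is an added example (not code from this thread, from Incus or from AppArmor) that parses kernel audit lines of the shape quoted above into fields and counts DENIED userns_create events per AppArmor profile. The sample log lines are constructed, the first one modelled on the line posted above.

```python
import re
from collections import Counter
from typing import Optional

# key=value tokens; values are bare (pid=10974) or double-quoted and may contain
# spaces, '<' and '/' (profile="incus-abc_</var/lib/incus>").
_TOKEN = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_AUDIT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

def parse_apparmor_audit(line: str) -> Optional[dict]:
    """Parse one kernel audit line into a dict; None if it is not an AppArmor event."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _TOKEN.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    m = _AUDIT_ID.search(line)  # audit(<epoch seconds>:<serial>)
    if m:
        fields['timestamp'] = float(m.group(1))
        fields['serial'] = int(m.group(2))
    return fields

def userns_denials(lines):
    """Yield (profile, comm) for every DENIED userns_create event in the input."""
    for line in lines:
        f = parse_apparmor_audit(line)
        if f and f.get('apparmor') == 'DENIED' and f.get('operation') == 'userns_create':
            yield f.get('profile', '?'), f.get('comm', '?')

def summarize(lines) -> dict:
    """Count userns_create denials per AppArmor profile."""
    return dict(Counter(profile for profile, _ in userns_denials(lines)))

# Constructed sample: line 1 is modelled on the denial in the report above; the
# ALLOWED event and the unrelated file denial must not be counted.
SAMPLE_LOG = [
    'host_x kernel: audit: type=1400 audit(1740158467.887:298): apparmor="DENIED" operation="userns_create" class="namespace" profile="incus-abc_</var/lib/incus>" pid=10974 comm="(d-logind)" requested="userns_create" denied="userns_create"',
    'host_x kernel: audit: type=1400 audit(1740158470.001:299): apparmor="ALLOWED" operation="userns_create" class="namespace" profile="unconfined" pid=10980 comm="bwrap" requested="userns_create"',
    'host_x kernel: audit: type=1400 audit(1740158471.500:300): apparmor="DENIED" operation="open" class="file" profile="incus-abc_</var/lib/incus>" name="/etc/shadow" pid=11000 comm="cat" requested_mask="r" denied_mask="r"',
]

if __name__ == '__main__':
    for profile, comm in userns_denials(SAMPLE_LOG):
        print(f'userns_create denied for {comm} under profile {profile}')
    print(summarize(SAMPLE_LOG))
```

Feed it `journalctl -k` output (or the kernel log file) line by line to see which container profiles are hitting the denial.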