Not working on Ubuntu: "operation not permitted"

[afbjorklund]

I'm trying to make a template for Lima, from Ubuntu 24.10

But I am getting errors, even though nerdctl run works OK.

Not sure what the problem is, seems to be about namespaces:

lilipod --log-level=debug run --rm -ti alpine cat /etc/os-release

proc_utils.go:302 [debug] settings uidmap [{0 1 1000} {1000 0 1} {1001 1001 64536}]
proc_utils.go:303 [debug] settings gidmap [{0 1 1000} {1000 0 1} {1001 1001 64536}]
2025/01/26 17:25:00 fork/exec /bin/sh: operation not permitted
2025/01/26 17:25:00 exit status 1
proc_utils.go:79 [debug] error: exit status 1

The other templates are at https://lima-vm.io/docs/templates/

For this debugging I was running the latest version from main.

[afbjorklund]

Added some extra debugging output, it is UntarFile that fails.

I think it is related to AppArmor, missing a /etc/apparmor.d

Workaround:

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

[afbjorklund]

Gets a bit further, but fails in setupCgroupfs:

rootfs_utils.go:64 [debug] mounting new tmpfs fs on /sys/fs/cgroup
file_utils.go:330 [debug] ensuring destination point /sys/fs/cgroup exists
file_utils.go:334 [debug] mounting new tmpfs on /sys/fs/cgroup
rootfs_utils.go:74 [debug] mounting new cgroup fs on /sys/fs/cgroup
file_utils.go:284 [debug] ensuring destination point /sys/fs/cgroup exists
rootfs_utils.go:660 [debug] error: mkdir /sys/fs/cgroup/container-ymzqib_pooq5r.scope: permission denied

Needs systemd-run (slice), as a workaround:

• cgroupfs problem #11