fixes

Signed-off-by: fahed dorgaa <[email protected]>
containerd · Jan 15, 2025 · 2f127d6 · 2f127d6
1 parent d9e3658
commit 2f127d6
Showing 1 changed file with 31 additions and 30 deletions.
diff --git a/extras/rootless/containerd-rootless-setuptool.sh b/extras/rootless/containerd-rootless-setuptool.sh
@@ -252,39 +252,40 @@ cmd_entrypoint_install() {
 	systemctl --user daemon-reload
 	INFO "To run \"${SYSTEMD_CONTAINERD_UNIT}\" on system startup automatically, run: \`sudo loginctl enable-linger $(id -un)\`"
 
-	if [ ! -e "/etc/apparmor.d/usr.local.bin.rootlesskit" ]; then
-		if [ -e "/etc/apparmor.d/abi/4.0" ] && [ -e "/proc/sys/kernel/apparmor_restrict_unprivileged_userns" ]; then
-			cat >"/etc/apparmor.d/usr.local.bin.rootlesskit" <<-EOF
-				    # Ubuntu 23.10 introduced kernel.apparmor_restrict_unprivileged_userns
-				    # to restrict unsharing user namespaces:
-				    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
-				    #
-				    # kernel.apparmor_restrict_unprivileged_userns is still opt-in in Ubuntu 23.10,
-				    # but it is expected to be enabled in future releases of Ubuntu.
-				    abi <abi/4.0>,
-				    include <tunables/global>
-
-				    /usr/local/bin/rootlesskit flags=(unconfined) {
-				      userns,
-
-				      # Site-specific additions and overrides. See local/README for details.
-				      include if exists <local/usr.local.bin.rootlesskit>
-				    }
-			EOF
-		else
-			# shellcheck disable=SC2072
-			if [ "$(grep 'ID' /etc/os-release | cut -d'=' -f2 | tr -d '"')" = "ubuntu" ] && [ "$(grep 'VERSION_ID' /etc/os-release | cut -d'=' -f2 | tr -d '"')" -gt 23.10 ]; then
-				ERROR "The files \"/etc/apparmor.d/abi/4.0\" and \"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\" should be present. Note: AppArmor restriction for unprivileged_userns is no longer opt-in and is enabled by default."
+	# shellcheck disable=SC2072
+	if [ "$(grep 'ID' /etc/os-release | cut -d'=' -f2 | tr -d '"')" = "ubuntu" ] && [ "$(grep 'VERSION_ID' /etc/os-release | cut -d'=' -f2 | tr -d '"')" -gt 23.10 ]; then
+		if [ ! -e "/etc/apparmor.d/usr.local.bin.rootlesskit" ]; then
+			if [ -e "/etc/apparmor.d/abi/4.0" ] && [ -e "/proc/sys/kernel/apparmor_restrict_unprivileged_userns" ]; then
+				cat >"/etc/apparmor.d/usr.local.bin.rootlesskit" <<-EOF
+					    # Ubuntu 23.10 introduced kernel.apparmor_restrict_unprivileged_userns
+					    # to restrict unsharing user namespaces:
+					    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+					    #
+					    # kernel.apparmor_restrict_unprivileged_userns is still opt-in in Ubuntu 23.10,
+					    # but it is expected to be enabled in future releases of Ubuntu.
+					    abi <abi/4.0>,
+					    include <tunables/global>
+
+					    /usr/local/bin/rootlesskit flags=(unconfined) {
+					      userns,
+
+					      # Site-specific additions and overrides. See local/README for details.
+					      include if exists <local/usr.local.bin.rootlesskit>
+					    }
+				EOF
+				sudo systemctl restart apparmor.service
 			else
-				INFO "The files \"/etc/apparmor.d/abi/4.0\" and \"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\" are not required for this OS version."
+				ERROR "The files \"/etc/apparmor.d/abi/4.0\" and \"/proc/sys/kernel/apparmor_restrict_unprivileged_userns\" should be present. Note: AppArmor restriction for unprivileged_userns is no longer opt-in and is enabled by default."
+				ERROR "Before retrying installation, you might need to uninstall the current setup: \`$0 uninstall -f ; ${BIN}/rootlesskit rm -rf ${HOME}/.local/share/containerd\`"
+				exit 1
 			fi
+		else
+			ERROR "AppArmor profile for rootlesskit already exists."
+			ERROR "Before retrying installation, you might need to uninstall the current setup: \`$0 uninstall -f ; ${BIN}/rootlesskit rm -rf ${HOME}/.local/share/containerd\`"
+			exit 1
 		fi
-		systemctl --user restart apparmor.service
-	else
-		ERROR "AppArmor profile for rootlesskit already exists."
-		ERROR "Before retrying installation, you might need to uninstall the current setup: \`$0 uninstall -f ; ${BIN}/rootlesskit rm -rf ${HOME}/.local/share/containerd\`"
-		exit 1
 	fi
+
 	INFO "------------------------------------------------------------------------------------------"
 	INFO "Use \`nerdctl\` to connect to the rootless containerd."
 	INFO "You do NOT need to specify \$CONTAINERD_ADDRESS explicitly."
@@ -556,7 +557,7 @@ cmd_entrypoint_uninstall() {
 	# We need to clean the current installation for proper configuration of AppArmor for the next installation.
 	if [ -e "/etc/apparmor.d/usr.local.bin.rootlesskit" ]; then
 		INFO "Removing existing AppArmor profile for rootlesskit."
-		systemctl --user stop apparmor.service
+		sudo systemctl stop apparmor.service
 		rm -f "/etc/apparmor.d/usr.local.bin.rootlesskit"
 	fi