apparmor interfering with rootless k3s

Found an issue with Ubuntu 24.04 while testing with rootless k3s -- if apparmor features are enabled, rootless k3s fails to start:
```
Jan 08 21:58:18 ip-172-31-32-227 k3s[1561]: time="2026-01-08T21:58:18Z" level=fatal msg="failed to start the child: fork/exec /proc/self/exe: operation not permitted"
```
Two solutions:
- Quick fix:
```
$ sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
$ sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
```
- Add basic profile:
```
$ cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.k3s"
abi <abi/4.0>,
include <tunables/global>

/usr/local/bin/k3s flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.local.bin.k3s>
}
EOT
...
$ sudo systemctl restart apparmor.service
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

apparmor interfering with rootless k3s #518

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

apparmor interfering with rootless k3s #518

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions