update RootlessKit to 2.0.2 #47504

Merged
thaJeztah merged 4 commits into moby:master from AkihiroSuda:rootlesskit-2.0.2
Mar 6, 2024

Conversation

@AkihiroSuda
Member

@AkihiroSuda AkihiroSuda commented Mar 5, 2024

- What I did

Fix #47480 (except docs) via:

- How I did it
Updated RootlessKit
rootless-containers/rootlesskit@v2.0.1...v2.0.2

- How to verify it

dockerd-rootless-setuptool.sh will print the following error if the apparmor constraint is not satisfied

WARN[0000] [rootlesskit:parent] This error might have happened because /proc/sys/kernel/apparmor_restrict_unprivileged_userns is set to 1  error="fork/exec /proc/self/exe: permission denied"
WARN[0000] [rootlesskit:parent] Hint: try running the following commands:


########## BEGIN ##########
cat <<EOT | sudo tee "/etc/apparmor.d/home.suda.bin.rootlesskit"
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
abi <abi/4.0>,
include <tunables/global>

/home/suda/bin/rootlesskit flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/home.suda.bin.rootlesskit>
}
EOT
sudo systemctl restart apparmor.service
########## END ##########
 
[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: permission denied

- Description for the changelog

update RootlessKit to [v2.0.2](https://github.com/rootless-containers/rootlesskit/releases/tag/v2.0.2)

- A picture of a cute animal (not mandatory but encouraged)

🐧
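To pre-check a host for the constraint that the new RootlessKit error message describes, here is an added example shell script (not from the PR, RootlessKit or Moby) that reads the same sysctl, derives the AppArmor profile file name from the rootlesskit binary path the way the hint does (leading slash dropped, each `/` turned into `.`), and prints the profile to install when it is missing. The sysctl path, the profile layout and the `abi <abi/4.0>` line are copied from the hint above; the function names and the choice to treat an absent sysctl file as "not restricted" are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR or of RootlessKit: reproduce the
# apparmor_restrict_unprivileged_userns check and the profile hint so a host
# can be verified before dockerd-rootless-setuptool.sh is run.

SYSCTL=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# Returns 0 when AppArmor restricts unprivileged user namespaces (the sysctl
# exists and reads 1), 1 otherwise. Assumption: an absent file means an older
# kernel or no AppArmor, i.e. no restriction.
userns_restricted() {
  [ -r "$SYSCTL" ] && [ "$(cat "$SYSCTL")" = "1" ]
}

# AppArmor profile file name for a binary path: drop the leading slash and
# replace every '/' with '.', e.g. /home/suda/bin/rootlesskit ->
# home.suda.bin.rootlesskit (same mapping the hint in the PR uses).
profile_name() {
  printf '%s\n' "${1#/}" | tr / .
}

# Profile body as printed by the hint: the binary stays unconfined but is
# explicitly granted the userns permission.
profile_body() {
  bin=$1
  name=$(profile_name "$bin")
  cat <<EOF
# ref: https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
abi <abi/4.0>,
include <tunables/global>

$bin flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/$name>
}
EOF
}

# Returns 0 if a profile file for the binary already exists under /etc/apparmor.d.
profile_installed() {
  [ -f "/etc/apparmor.d/$(profile_name "$1")" ]
}

# Resolve the rootlesskit binary (argument or PATH lookup), then report.
main() {
  bin=$(command -v "${1:-rootlesskit}") || { echo "rootlesskit not found in PATH" >&2; exit 2; }
  bin=$(readlink -f "$bin")
  if ! userns_restricted; then
    echo "OK: unprivileged user namespaces are not restricted by AppArmor"
    exit 0
  fi
  if profile_installed "$bin"; then
    echo "OK: $SYSCTL=1 but /etc/apparmor.d/$(profile_name "$bin") exists"
    exit 0
  fi
  echo "NEEDS ACTION: $SYSCTL=1 and no profile for $bin; install with:" >&2
  echo "  sudo tee /etc/apparmor.d/$(profile_name "$bin") <<'EOT'" >&2
  profile_body "$bin" >&2
  echo "EOT" >&2
  echo "  sudo systemctl restart apparmor.service" >&2
  exit 1
}

# Only run when invoked with an argument, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Invoke it as `sh check-userns.sh rootlesskit` (or with the full path of the binary); a non-zero exit means the host still needs the profile, which is exactly the state in which the updated setup tool prints the `fork/exec /proc/self/exe: permission denied` error.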

golang/sys@v0.16.0...v0.18.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
rootless-containers/rootlesskit@v2.0.1...v2.0.2

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
RootlessKit will print hints if something is still unsatisfied.

e.g., `kernel.apparmor_restrict_unprivileged_userns` constraint
rootless-containers/rootlesskit@33c3e7c

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@thaJeztah
Member

Curious;

  • should we also consider adding some of these (rootless-specific) checks to contrib/check-config.sh? (if apparmor is available, also check for the apparmor_restrict_unprivileged_userns feature?
  • Somewhat orthogonal; I notice the only place we use the rootlesskit vendoring is to include information to docker info, but we also (have to) do a bunch of local work to collect additional information;

    moby/daemon/info_unix.go

    Lines 264 to 313 in 460b4ae

    switch rlInfo.NetworkDriver.Driver {
    case "slirp4netns":
        err = func() error {
            rv, err := exec.CommandContext(ctx, "slirp4netns", "--version").Output()
            if err != nil {
                if errdefs.IsContext(err) {
                    return err
                }
                log.G(ctx).WithError(err).Warn("Failed to retrieve slirp4netns version")
                return nil
            }
            _, ver, commit, err := parseRuntimeVersion(string(rv))
            if err != nil {
                log.G(ctx).WithError(err).Warn("Failed to parse slirp4netns version")
                return nil
            }
            v.Components = append(v.Components, types.ComponentVersion{
                Name:    "slirp4netns",
                Version: ver,
                Details: map[string]string{
                    "GitCommit": commit,
                },
            })
            return nil
        }()
        if err != nil {
            return err
        }
    case "vpnkit":
        err = func() error {
            out, err := exec.CommandContext(ctx, "vpnkit", "--version").Output()
            if err != nil {
                if errdefs.IsContext(err) {
                    return err
                }
                log.G(ctx).WithError(err).Warn("Failed to retrieve vpnkit version")
                return nil
            }
            v.Components = append(v.Components, types.ComponentVersion{
                Name:    "vpnkit",
                Version: strings.TrimSpace(strings.TrimSpace(string(out))),
            })
            return nil
        }()
        if err != nil {
            return err
        }
    }
    return nil

    wondering if those are parts that should eventually be handled by rootlesskit (and returned by the Info it returns) 🤔

@thaJeztah
Member

☝️ TBH; still a bit looking at the best direction to take there; the rootlesskit case is a bit "weird" because it's rootlesskit running the engine, and the engine itself doesn't "call" rootlesskit here. Still somewhat wondering what it would take to integrate the rootlesskit functionality in the daemon itself.


@thaJeztah thaJeztah left a comment


LGTM

@thaJeztah
Member

cc @vvoland (for back porting); I THINK we only need the last two commits (vendoring changes are effectively a "no-op" from a rootlesskit perspective).

@thaJeztah thaJeztah merged commit 4046928 into moby:master Mar 6, 2024
@AkihiroSuda
Member Author

should we also consider adding some of these (rootless-specific) checks to contrib/check-config.sh? (if apparmor is available, also check for the apparmor_restrict_unprivileged_userns feature?

Ideally yes, but it could be complicated

Somewhat orthogonal; I notice the only place we use the rootlesskit vendoring is to include information to docker info, but we also (have to) do a bunch of local work to collect additional information;

Yes 👍, eventually

Still somewhat wondering what it would take to integrate the rootlesskit functionality in the daemon itself.

We may consider this, but it may rather result in more complicated code base

I THINK we only need the last two commits (vendoring changes are effectively a "no-op" from a rootlesskit perspective).

Yes

@vvoland
Contributor

vvoland commented Mar 6, 2024

Opened a v25 backport.
Also wanted to open backports for v23/v24, but they're still on rootlesskit v1:

moby/Dockerfile

Line 348 in c593074

ARG ROOTLESSKIT_VERSION=v1.1.1

@thaJeztah
Member

There's a pending one for v23.0, but it's "on hold";


Successfully merging this pull request may close these issues.

rootless (non-dpkg): update docs and dockerd-rootless-setuptool.sh check for Ubuntu 24.04 (kernel.apparmor_restrict_unprivileged_userns)

3 participants