From ProventusNova DeveloperWiki
Error: BitBake + AppArmor User Namespace Restriction Fix
Problem Description
When running BitBake on Ubuntu 24.04 or similar systems, you might encounter this error:
ERROR: User namespaces are not usable by BitBake, possibly due to AppArmor.
See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.
Summary: There was 1 ERROR message, returning a non-zero exit code.
Background
- BitBake and Yocto use Linux user namespaces to simulate root permissions safely during builds.
- Ubuntu 24.04 disables unprivileged user namespaces by default (kernel.unprivileged_userns_clone=0).
- Even if the kernel setting is enabled, an AppArmor profile named unprivileged_userns further restricts user namespaces.
Temporary Fix
sudo apparmor_parser -R /etc/apparmor.d/unprivileged_userns
What it does:
- This command tells AppArmor to remove (unload) the profile defined in /etc/apparmor.d/unprivileged_userns from the set of profiles it is currently enforcing. The profile is disabled only temporarily: its restrictions are lifted immediately and stay lifted until AppArmor reloads or the system reboots.
- Note: This does not delete the profile file itself; it just tells AppArmor to stop enforcing it right now.
Permanent Fix
sudo mv /etc/apparmor.d/unprivileged_userns /etc/apparmor.d/unprivileged_userns.disabled
What it does:
- This command renames the AppArmor profile file from unprivileged_userns to unprivileged_userns.disabled. AppArmor loads profiles by scanning /etc/apparmor.d/. If a profile file is renamed or removed, AppArmor will not load it again on system start or reload. This effectively disables the profile permanently, preventing AppArmor from enforcing the restrictions on unprivileged user namespaces across reboots.
- Important: You still need to reload AppArmor after this to apply the change.
sudo systemctl reload apparmor
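Both fixes change AppArmor state for the whole host, so it is worth confirming afterwards what the kernel is actually enforcing. The script below is an added example, not part of the original wiki page: it compares the kernel's loaded-profile list with the contents of /etc/apparmor.d/ and reports which state the host is in. The function names and state labels are made up for this example, and the default list path /sys/kernel/security/apparmor/profiles assumes securityfs is mounted in the standard place and is read as root.

```shell
#!/bin/sh
# Added example (not from the wiki): classify the state of the
# unprivileged_userns AppArmor profile after the temporary or permanent fix.
# Both paths can be overridden so the logic can be run on constructed files.

PROFILE_NAME="unprivileged_userns"

# Succeeds if the loaded-profile list (one "name (mode)" entry per line)
# contains the profile.
profile_loaded() {
    grep -q "^${PROFILE_NAME} (" "$1"
}

# Succeeds if the profile file is present under its original name
# (the permanent fix on this page renames it to *.disabled).
profile_on_disk() {
    [ -f "$1/$PROFILE_NAME" ]
}

# userns_profile_state [LOADED_LIST] [PROFILE_DIR]
# Prints one label: enforced | unloaded-temporarily |
#                   renamed-but-still-loaded | disabled | unknown
userns_profile_state() {
    list=${1:-/sys/kernel/security/apparmor/profiles}
    dir=${2:-/etc/apparmor.d}
    if [ ! -r "$list" ]; then
        echo "unknown"    # list missing or not readable (needs root)
        return 2
    fi
    if profile_loaded "$list"; then
        if profile_on_disk "$dir"; then
            echo "enforced"                  # default state, BitBake error expected
        else
            echo "renamed-but-still-loaded"  # file renamed, kernel still enforcing
        fi
    elif profile_on_disk "$dir"; then
        echo "unloaded-temporarily"          # returns on reload or reboot
    else
        echo "disabled"                      # not loaded and no file to load
    fi
}

# Only query the live system when asked to, e.g. "sudo sh <this file> --check".
if [ "${1:-}" = "--check" ]; then
    userns_profile_state
fi
```

A result of renamed-but-still-loaded after the permanent fix means the file was renamed but the running kernel is still enforcing the profile.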