diff --git a/meta/main.yml b/meta/main.yml
index b3e318e..0b02a7d 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -19,6 +19,7 @@ galaxy_info:
 versions:
 - focal
 - jammy
+ - noble
 galaxy_tags:
 - almalinux
 - centos
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index f8b4962..09eece4 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -38,7 +38,16 @@ provisioner:
 docker_user: dockeruser
 docker_user_bashrc: false
 docker_compose: true
- focal:
+ jammy:
+ docker_add_alias: false
+ docker_allow_ping: false
+ docker_allow_privileged_ports: false
+ docker_rootful: false
+ docker_rootful_enabled: false
+ docker_user: jammyuser
+ docker_user_bashrc: true
+ docker_compose: true
+ noble:
 docker_add_alias: true
 docker_allow_ping: false
 docker_allow_privileged_ports: true
@@ -47,7 +56,7 @@ provisioner:
 docker_user: dockeruser
 docker_user_bashrc: false
 docker_compose: false
- focalroot:
+ nobleroot:
 docker_add_alias: false
 docker_allow_ping: true
 docker_allow_privileged_ports: false
@@ -56,15 +65,6 @@ provisioner:
 docker_user: dockeruser
 docker_user_bashrc: false
 docker_compose: false
- jammy:
- docker_add_alias: false
- docker_allow_ping: false
- docker_allow_privileged_ports: false
- docker_rootful: false
- docker_rootful_enabled: false
- docker_user: jammyuser
- docker_user_bashrc: true
- docker_compose: true
 platforms:
 - name: bookworm
 box: debian/bookworm64
@@ -93,24 +93,32 @@ platforms:
 instance_raw_config_args:
 - vbguest.auto_update = false
 memory: 1024
- - name: focal
- box: bento/ubuntu-20.04
+ - name: jammy
+ box: bento/ubuntu-22.04
 config_options:
 vm.boot_timeout: 600
+ synced_folder: false
+ provider_raw_config_args:
+ - customize ['modifyvm', :id, '--uart1', '0x3F8', '4']
+ - customize ['modifyvm', :id, '--uartmode1', 'file', File::NULL]
 instance_raw_config_args:
 - "vbguest.installer_options = { allow_kernel_upgrade: false }"
 - vbguest.auto_update = false
 memory: 1024
- - name: focalroot
- box: bento/ubuntu-20.04
+ - name: noble
+ box: bento/ubuntu-24.04
 config_options:
 vm.boot_timeout: 600
+ synced_folder: false
+ provider_raw_config_args:
+ - customize ['modifyvm', :id, '--uart1', '0x3F8', '4']
+ - customize ['modifyvm', :id, '--uartmode1', 'file', File::NULL]
 instance_raw_config_args:
 - "vbguest.installer_options = { allow_kernel_upgrade: false }"
 - vbguest.auto_update = false
- memory: 1024
- - name: jammy
- box: bento/ubuntu-22.04
+ memory: 2048
+ - name: nobleroot
+ box: bento/ubuntu-24.04
 config_options:
 vm.boot_timeout: 600
 synced_folder: false
@@ -120,7 +128,7 @@ platforms:
 instance_raw_config_args:
 - "vbguest.installer_options = { allow_kernel_upgrade: false }"
 - vbguest.auto_update = false
- memory: 1024
+ memory: 2048
 verifier:
 name: ansible
 scenario:
diff --git a/tasks/docker_service.yml b/tasks/docker_service.yml
index 8a7efc8..347f1e2 100644
--- a/tasks/docker_service.yml
+++ b/tasks/docker_service.yml
@@ -1,34 +1,71 @@ --- -- name: Add Docker systemd service override.conf - become: true - become_user: "{{ docker_user }}" - ansible.builtin.lineinfile: - dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf" - line: "[Service]" - create: true - mode: "0644" +- name: Stat AppArmor ABI file + ansible.builtin.stat: + path: /etc/apparmor.d/abi/4.0 + register: apparmor_abi -- name: Configure Docker network/port drivers - become: true - become_user: "{{ docker_user }}" - ansible.builtin.lineinfile: - dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf" - insertafter: \[Service\] - firstmatch: true - regexp: ^Environment="{{ item.key }}= - line: Environment="{{ item.key }}={{ item.value }}" - loop: - - key: DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER - value: "{{ docker_driver_port }}" - - key: DOCKERD_ROOTLESS_ROOTLESSKIT_NET - value: "{{ docker_driver_network }}" +- name: Get apparmor service + ansible.builtin.systemd: + name: apparmor + register: apparmor_service + +- name: Add rootlesskit AppArmor profile + when: + - apparmor_abi.stat.exists + - apparmor_service.status is defined + - "'apparmor.service' in apparmor_service.status.FragmentPath" + - apparmor_service.status.UnitFileState == "enabled" + block: + - name: Set rootlesskit path as fact + ansible.builtin.set_fact: + rootlesskit_path: "{{ docker_user_info.home }}/bin/rootlesskit" -- name: Enable and start Docker + - name: Add AppArmor profile for Docker + become: true + ansible.builtin.template: + src: apparmor_rootlesskit.j2 + dest: /etc/apparmor.d/{{ rootlesskit_path[1:] | regex_replace('/', '.') }} + owner: root + group: root + mode: "0644" + register: apparmor_rootlesskit + + - name: Reload AppArmor profiles + become: true + ansible.builtin.systemd: + name: apparmor.service + state: reloaded + when: + - apparmor_rootlesskit.changed + +- name: Configure and enable the Docker service become: true become_user: "{{ docker_user }}" - 
ansible.builtin.systemd: - name: docker.service - enabled: true - state: started - scope: user - daemon_reload: true + block: + - name: Add Docker systemd service override.conf + ansible.builtin.lineinfile: + dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf" + line: "[Service]" + create: true + mode: "0644" + + - name: Configure Docker network/port drivers + ansible.builtin.lineinfile: + dest: "{{ docker_user_info.home }}/.config/systemd/user/docker.service.d/override.conf" + insertafter: \[Service\] + firstmatch: true + regexp: ^Environment="{{ item.key }}= + line: Environment="{{ item.key }}={{ item.value }}" + loop: + - key: DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER + value: "{{ docker_driver_port }}" + - key: DOCKERD_ROOTLESS_ROOTLESSKIT_NET + value: "{{ docker_driver_network }}" + + - name: Enable and start Docker + ansible.builtin.systemd: + name: docker.service + enabled: true + state: started + scope: user + daemon_reload: true diff --git a/templates/apparmor_rootlesskit.j2 b/templates/apparmor_rootlesskit.j2 new file mode 100644 index 0000000..afde0bc --- /dev/null +++ b/templates/apparmor_rootlesskit.j2 @@ -0,0 +1,14 @@ +# {{ ansible_managed }} +# Generated by Ansible role {{ ansible_role_name }} +# +# See https://github.com/containerd/nerdctl/issues/2847 +# + +abi , +include + +{{ rootlesskit_path }} flags=(unconfined) { + userns, + + include if exists +}
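Review bot: The `Add rootlesskit AppArmor profile` block carries no comment saying what it works around, so its gate — `/etc/apparmor.d/abi/4.0` present plus an enabled apparmor.service — reads as arbitrary to the next maintainer. Presumably this is the AppArmor 4.0 restriction on unprivileged user namespaces shipped with Ubuntu 24.04 (the nerdctl issue the template cites concerns exactly that), which stops rootlesskit from starting rootless Docker; a comment above the block such as `# AppArmor 4.0 (Ubuntu 24.04) denies user-namespace creation to unconfined binaries, which breaks rootlesskit; install a per-user profile that grants it (see templates/apparmor_rootlesskit.j2)` would make both the intent and the gate reviewable. The `Add AppArmor profile for Docker` task also deserves a one-line note that the profile attaches by path to `{{ docker_user_info.home }}/bin/rootlesskit`, a binary under the rootless user's own home, so whatever that user places there runs with the exemption — inherent to rootless Docker, but worth making visible to anyone auditing /etc/apparmor.d. Finally, `Get apparmor service` runs on every platform the role lists, including AlmaLinux/CentOS hosts without AppArmor; the systemd module with only `name` should return a status without failing for an unknown unit, but if CI shows otherwise, `failed_when: false` on that task keeps the `when` list as the sole gate.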
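Review bot: As rendered, the `abi ,`, `include` and `include if exists` lines carry no target, which apparmor_parser would reject; presumably the angle-bracketed references (`abi <abi/4.0>,`, `include <tunables/global>`, and a `<local/...>` override include) were stripped by the page's HTML rendering rather than missing from the commit, but that should be confirmed against the committed file. The profile header should also state what `flags=(unconfined)` means here: the profile imposes no confinement at all, and its only effect is the `userns,` permission that exempts rootlesskit from the unprivileged user-namespace restriction, so an auditor does not mistake it for a hardening profile. A line such as `# Unconfined profile: adds no restrictions; it only grants userns so rootlesskit can create user namespaces under the AppArmor 4.0 unprivileged-userns restriction.` next to the existing issue link would cover it.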