Merge pull request #65 from AkihiroSuda/dev

Add a hint about `[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted`

content/getting-started/common/_index.md

@@ -10,3 +10,4 @@ may need the root for the initial set-up.
 - [/etc/subuid and /etc/subgid](./subuid)
 - [[Optional] cgroup v2](./cgroup2)
 - [[Optional] Configuring sysctl values](./sysctl)
+- [[Optional] Configuring AppArmor (Ubuntu 24.04 or later)](./apparmor)

content/getting-started/common/apparmor.md

@@ -0,0 +1,32 @@
+---
+title: "[Optional] AppArmor"
+weight: 60
+---
+
+{{< hint info >}}
+**Note**
+
+Configuring AppArmor is needed only on Ubuntu 24.04 or later,
+with RootlessKit installed under a non-standard path.
+{{< /hint>}}
+
+If you face an error like `[rootlesskit:parent] error: failed to start the child: fork/exec /proc/self/exe: operation not permitted`,
+try running the following commands:
+```bash
+cat <<EOT | sudo tee "/etc/apparmor.d/usr.local.bin.rootlesskit"
+abi <abi/4.0>,
+include <tunables/global>
+
+/usr/local/bin/rootlesskit flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.local.bin.rootlesskit>
+}
+EOT
+sudo systemctl restart apparmor.service
+```
+
+The `/usr/local/bin/rootlesskit` string should be changed to the actual path of `rootlesskit`.
+
+This step is *not* needed when `rootlesskit` is installed in the standard path (`/usr/bin/rootlesskit`).