Does not work since Ubuntu 25.04 due to AppArmor (`fusermount3: mount failed: Permission denied` even on rootful)

On the following distros, lazy-pulling seems broken and quietly falling back to non-lazy mode:
- Ubuntu 25.04
- Ubuntu 25.10

Works fine on:
- Ubuntu 24.10
- Debian 13
  - `fusermount3` is not installed by default. Tested both without and with `fusermount3`.
- Fedora 42

```bash
limactl start --rosetta --containerd=system template:ubuntu-25.04
limactl shell ubuntu-25.04 sudo nerdctl --snapshotter=stargz run --platform=amd64 ghcr.io/stargz-containers/python:3.13-esgz python3 -c 'print("hi")'
```

- `--rosetta` and `--platform=amd64` are  added just because there is apparently no arm64 support in the esgz image: #2143
- `--containerd=system` is added to confirm that this issue is not relevant to rootless

Logs:
```
Oct 10 22:31:47 lima-ubuntu-25-04 containerd-stargz-grpc[1786]: {"key":"default/1/extract-68477355-Mv3z sha256:3335766b6554297e3a801e93a812b14d5b2f2c91c1f2c4cd8cd0a682328d70b7","level":"info","mountpoint":"/var/lib/containerd-stargz-grpc/snapshotter/snapshots/1/fs","msg":"fusermount detected","parent":"","time":"2025-10-10T22:31:47.938597215+09:00"}
Oct 10 22:31:47 lima-ubuntu-25-04 containerd-stargz-grpc[1977]: /usr/bin/fusermount3: mount failed: Permission denied
Oct 10 22:31:47 lima-ubuntu-25-04 containerd-stargz-grpc[1786]: {"error":"fusermount exited with code 256\n","key":"default/1/extract-68477355-Mv3z sha256:3335766b6554297e3a801e93a812b14d5b2f2c91c1f2c4cd8cd0a682328d70b7","level":"debug","mountpoint":"/var/lib/containerd-stargz-grpc/snapshotter/snapshots/1/fs","msg":"failed to make filesystem server","parent":"","time":"2025-10-10T22:31:47.940387349+09:00"}
```

Version: Lima v2.0.0-alpha.2 (nerdctl v2.1.6, containerd v2.1.4, stargz-snapshotter v0.17.0)

## Workaround
Disable AppArmor for `fusermount3` ([profile](https://git.launchpad.net/ubuntu/+source/apparmor/tree/profiles/apparmor.d/fusermount3?h=applied/4.1.0_beta5-0ubuntu14)):
```
sudo apt-get install apparmor-utils
sudo aa-disable /usr/bin/fusermount3 
```

Or just remove `fusermount3` so that the snapshotter can fallback to a direct mount
```
sudo apt-get remove fuse3
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Does not work since Ubuntu 25.04 due to AppArmor (`fusermount3: mount failed: Permission denied` even on rootful) #2144

Workaround

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Does not work since Ubuntu 25.04 due to AppArmor (fusermount3: mount failed: Permission denied even on rootful) #2144

Description

Workaround

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Does not work since Ubuntu 25.04 due to AppArmor (`fusermount3: mount failed: Permission denied` even on rootful) #2144