Closed kolyshkin closed 4 weeks ago
root integration tests have 2 failures, reproduced locally:
scheduler.bats
✓ scheduler is applied
✗ scheduler vs cpus
(in test file tests/integration/scheduler.bats, line 33)
`[ "$status" -eq 1 ]' failed
runc spec (status=0):
runc run -d --console-socket /tmp/bats-run-X1CKVR/runc.ewU637/tty/sock test_scheduler (status=0):
and
no_pivot.bats
✗ runc run --no-pivot must not expose bare /proc
(in test file tests/integration/no_pivot.bats, line 22)
`[[ "$output" == *"mount: permission denied"* ]]' failed
runc spec (status=0):
runc run --no-pivot test_no_pivot (status=1):
unshare: can't open '/proc/self/setgroups': Permission denied
> root integration tests have 2 failures, reproduced locally:
> scheduler.bats
> ✓ scheduler is applied
> ✗ scheduler vs cpus
> (in test file tests/integration/scheduler.bats, line 33)
> `[ "$status" -eq 1 ]' failed
> runc spec (status=0):
> runc run -d --console-socket /tmp/bats-run-X1CKVR/runc.ewU637/tty/sock test_scheduler (status=0):
This was a mistake, it only failed locally and only because I ran a UP (not SMP) VM. Should be fixed by #4298.
> no_pivot.bats
> ✗ runc run --no-pivot must not expose bare /proc
> (in test file tests/integration/no_pivot.bats, line 22)
> `[[ "$output" == *"mount: permission denied"* ]]' failed
> runc spec (status=0):
> runc run --no-pivot test_no_pivot (status=1):
> unshare: can't open '/proc/self/setgroups': Permission denied
This is caused by Ubuntu 24.04 default apparmor profile restricting user namespaces (https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890). The fix is to add a profile for the binary being tested (can copy that from `/etc/apparmor.d/runc`, changing the path to binary (`s|/usr/sbin/runc|$PWD/runc|`) and loading the new profile).
No longer a draft; PTAL @opencontainers/runc-maintainers
Never mind
we'll have to adjust the list of required checks; perhaps to transition we should temporarily not mark 22.04 as "required" (otherwise existing PRs would never finish 🤔)
Yes, I always take care of it once a PR (such as this one) is merged.
Let's replace ubuntu-22.04 with ubuntu-24.04 where we can, and keep ubuntu-20.04 to test cgroup v1 stuff.
Leave ubuntu-22.04 for these jobs only:
validate/codespell (pip install won't work) UPDATE: fixed
These issues can be addressed separately later.
The only kludge we have to add is to enable userns for the runc binary being tested (as userns is disabled by apparmor system-wide by default now, see [1]).
[1] https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions-15
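The profile step described in the comment and in the description above, sketched as an added example that is not part of this PR or of runc's CI. The function names, the `runc-test` profile name and the sample profile contents are assumptions made for illustration; renaming the profile goes beyond the path substitution mentioned in the thread and keeps the system `runc` profile from being replaced.

```sh
#!/bin/sh
# Added example (not runc's CI code): give a locally built runc its own
# AppArmor profile so it may create user namespaces on Ubuntu 24.04.

# Constructed sample of a distro-style profile; the real input is
# /etc/apparmor.d/runc, whose exact contents are an assumption here.
sample_profile() {
    cat <<'EOF'
abi <abi/4.0>,
include <tunables/global>

profile runc /usr/sbin/runc flags=(unconfined) {
  userns,
}
EOF
}

# rewrite_profile SRC BIN NAME: print SRC with the attachment path
# /usr/sbin/runc replaced by BIN and the profile renamed to NAME, so loading
# it does not replace the system "runc" profile (the rename is an addition).
rewrite_profile() {
    src=$1 bin=$2 name=$3
    case $bin in
        /*) ;;
        *) echo "binary path must be absolute: $bin" >&2; return 2 ;;
    esac
    case $bin$name in   # these would break the sed replacement or the profile
        *';'*|*'&'*|*'\'*|*' '*) echo "unsupported character" >&2; return 2 ;;
    esac
    grep -q '^profile runc /usr/sbin/runc ' "$src" || {
        echo "no 'profile runc /usr/sbin/runc' line in $src" >&2; return 1; }
    sed "s;^profile runc /usr/sbin/runc ;profile $name $bin ;" "$src"
}

# load_profile SRC BIN [NAME]: rewrite, then load into the kernel (needs root).
load_profile() {
    tmp=$(mktemp) || return 1
    if rewrite_profile "$1" "$2" "${3:-runc-test}" >"$tmp"; then
        apparmor_parser -r "$tmp"; rc=$?
    else
        rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: sudo sh this-script load   (run from the directory holding ./runc)
if [ "${1:-}" = load ]; then
    load_profile /etc/apparmor.d/runc "$PWD/runc"
fi
```

The new profile attaches only to the one binary path, so the system-wide userns restriction stays in force for everything else on the runner.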