diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index eb2eef2..9bdd581 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -7,7 +7,7 @@ env:
 jobs:
 single-node:
 name: "Single node"
-runs-on: ubuntu-22.04
+runs-on: ubuntu-24.04
 timeout-minutes: 40
 strategy:
 fail-fast: false
@@ -41,9 +41,8 @@ jobs:
 if: ${{ matrix.engine == 'podman' }}
 run: |
 set -eux -o pipefail
-# Preinstalled Podman is too old (v3.4.4)
-sudo apt-get remove podman*
-sudo ./init-host/init-host.root.d/install-podman.sh
+sudo apt-get update
+sudo apt-get install -y podman-compose
 podman info
 - run: make up
 - run: sleep 5
@@ -61,13 +60,13 @@ jobs:
 multi-node:
 name: "Multi node (emulated using LXD)"
-runs-on: ubuntu-22.04
+runs-on: ubuntu-24.04
 timeout-minutes: 30
 strategy:
 fail-fast: false
 matrix:
 include:
-- lxc-image: ubuntu:22.04
+- lxc-image: ubuntu:24.04
 engine: docker
 # LXD is now banned from pulling images:fedora from https://images.linuxcontainers.org/
 # TODO: switch away from LXD to Incus: https://github.com/rootless-containers/usernetes/pull/332
diff --git a/hack/create-hosts-lxd.sh b/hack/create-hosts-lxd.sh
index a85f1fc..cbab984 100755
--- a/hack/create-hosts-lxd.sh
+++ b/hack/create-hosts-lxd.sh
@@ -8,7 +8,7 @@ dir=$1
 shift
 names=$*
-: "${LXC_IMAGE:="ubuntu:22.04"}"
+: "${LXC_IMAGE:="ubuntu:24.04"}"
 LXC="sudo lxc"
 echo "USER=${USER}"
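Review bot: The new podman step installs `podman-compose` from the distro archive with no version pin and no longer checks the Podman that the `ubuntu-24.04` image happens to ship, which the removed comment documented as the reason for the old reinstall; if `make up` needs a minimum Podman or podman-compose version, that requirement is now implicit in the runner image. I would keep the rationale as a comment above the install, e.g. `# ubuntu-24.04 runner ships a Podman new enough for this repo (confirm against the 'podman info' output below); only podman-compose is missing`, and make the install non-interactive and lean: `sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends podman-compose`. Whether the preinstalled Podman really satisfies the project's requirements is not visible in this hunk, so that comment is an assumption to confirm from the job log.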
@@ -47,6 +47,18 @@ for name in ${names}; do
 ${LXC} config device add "${name}" bind-boot disk source=/boot path=/boot readonly=true
 ${LXC} config set "${name}" user.user-data - <"${userdata}"
 ${LXC} start "${name}"
+
+# Apply fixes for AppArmor (apparantely only needed on LXD)
+# `slirp4netns --enable-sandbox` inside LXD (Ubuntu 24.04) requires amending the AppArmor rule.
+# https://github.com/rootless-containers/slirp4netns/issues/348#issuecomment-2288124206
+${LXC} shell "${name}" -- bash -c 'echo "pivot_root," >>/etc/apparmor.d/local/slirp4netns'
+# runc requires pivot_root:
+# > runc run failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied
+${LXC} shell "${name}" -- bash -c 'echo "pivot_root," >>/etc/apparmor.d/local/runc'
+# Propagate the profile for /usr/sbin/runc (Canonical's package) to /usr/bin/runc (Docker's package)
+${LXC} shell "${name}" -- bash -c 'sed -e s@/usr/sbin/runc@/usr/bin/runc@g /etc/apparmor.d/runc > /etc/apparmor.d/usr.bin.runc'
+${LXC} shell "${name}" -- bash -c 'systemctl restart apparmor'
+sleep 10
 ip="$(${LXC} exec "${name}" -- ip --json route get 1 | jq -r .[0].prefsrc)"
 echo "Host ${name}" >>"${ssh_config}"
diff --git a/init-host/init-host.rootless.sh b/init-host/init-host.rootless.sh
index 096ede4..1b76e27 100755
--- a/init-host/init-host.rootless.sh
+++ b/init-host/init-host.rootless.sh
@@ -9,7 +9,7 @@ fi
 : "${CONTAINER_ENGINE:=docker}"
 case "${CONTAINER_ENGINE}" in
 "docker")
-dockerd-rootless-setuptool.sh install
+dockerd-rootless-setuptool.sh install || (journalctl --user --since "10 min ago"; exit 1)
 ;;
 "podman")
 systemctl --user enable --now podman-restart
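Review bot: The `sed` copy of `/etc/apparmor.d/runc` to `usr.bin.runc` rewrites only the attachment path, so if the shipped profile carries an explicit name (`profile runc /usr/sbin/runc …`, which is how Ubuntu's apparmor package declares it as far as I recall) both files then declare a profile named `runc` and the second load replaces the first rather than adding a second attachment; rename it in the same pass, e.g. `sed -e s@/usr/sbin/runc@/usr/bin/runc@g -e "s@^profile runc @profile usr.bin.runc @" …` (the `include if exists <local/runc>` line, if present, still pulls in the appended `pivot_root,` for both), and make the copy fail loudly if the source profile is missing, since `set -e` is not visible in this hunk and a missing file would otherwise leave an empty profile for apparmor to choke on. The `>>` appends are not idempotent either, so re-running the script against an existing guest stacks duplicate `pivot_root,` lines; `grep -qx 'pivot_root,' FILE || echo 'pivot_root,' >>FILE` avoids that. All of this runs straight after `${LXC} start`, while cloud-init is presumably still applying `user.user-data`, so an explicit readiness wait (`cloud-init status --wait`, if the image runs cloud-init) before editing and restarting AppArmor would be more robust than the trailing `sleep 10`. Because these lines deliberately widen the confinement of runc and slirp4netns, the header comment should say the change is scoped to the LXD test fixture and must not be copied into the host init scripts (and "apparantely" should read "apparently"). The enclosing `for name in ${names}` loop begins before this hunk.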
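Review bot: The `exit 1` on the `dockerd-rootless-setuptool.sh` line runs inside a `( … )` subshell, so it terminates only that subshell; the list's status is 1, which aborts the script only if `set -e` is in effect somewhere above this hunk, otherwise execution falls through to `;;` with the Docker setup half done. A brace group makes the script itself exit: `dockerd-rootless-setuptool.sh install || { journalctl --user --no-pager --since "10 min ago"; exit 1; }`. `--no-pager` also keeps the diagnostic dump from blocking on a pager when the script is run interactively rather than in CI. The `case` statement continues past the end of the hunk.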