Observed
prmana-agent/tests/headless_storage.rs::test_headless_fallback_to_keyutils fails intermittently on GitHub Actions ubuntu-latest runners in the integration-docker.yml → Keyutils storage tests job.
Assertion:
expected keyutils fallback when D-Bus is absent, got File
That fires from prmana-agent/tests/headless_storage.rs:38. Same commit, back-to-back runs: one fail, next pass.
First reproduction
- 847d2ef (post-squash merge of Interoperability with pam_authnft — per-session kernel-enforced network policy from OIDC claims #14 to main)
- a653f59 on PR Interoperability with pam_authnft — per-session kernel-enforced network policy from OIDC claims #14 also passed the same job
Hypothesis
StorageRouter::detect() does a write-probe against keyutils. The keyutils user keyring (@u) is available on the runner (keyctl show @u passes in the preceding step), but the probe write fails intermittently. Plausible causes:
- Runner user-scoped keys quota (/proc/sys/kernel/keys/maxkeys, maxbytes) — test artefacts from prior runs still linked.
- Concurrent kernel-level resource contention across runner reuse.
- Race between the D-Bus env-var unset and the Secret Service probe fast-fail path.
Mitigation (separate PR)
CI step is retry-wrapped (3 attempts) so one-shot flakes do not fail green builds. Long-term fix requires root-causing the intermittent probe write failure — possibly by adding diagnostic output from StorageRouter::detect() on probe failure and capturing /proc/keys / /proc/sys/kernel/keys/* state at failure time.
Acceptance criteria
.github/workflows/integration-docker.yml
References
prmana-agent/tests/headless_storage.rs
prmana-agent/src/storage/router.rs
.github/workflows/integration-docker.yml
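One way to capture the per-UID quota state for the first hypothesis, as an added example that is not code from prmana-agent: it parses /proc/key-users and reports whether one more key would go over maxkeys or maxbytes. `KeyQuota`, `quota_for_uid` and the sample text are hypothetical names and constructed data, and the comparison only approximates the kernel's quota check.

```rust
// Added diagnostic sketch: how close is a UID to its kernel keyring quota?
// /proc/key-users line: "<uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>"
#[derive(Debug, PartialEq)]
pub struct KeyQuota {
    pub uid: u32,
    pub qnkeys: u64,
    pub maxkeys: u64,
    pub qnbytes: u64,
    pub maxbytes: u64,
}

impl KeyQuota {
    /// True when one more key charged `bytes` against the quota would be
    /// refused (assumption: mirrors the kernel's count and byte comparisons).
    pub fn would_exceed(&self, bytes: u64) -> bool {
        self.qnkeys + 1 > self.maxkeys || self.qnbytes + bytes > self.maxbytes
    }
}

fn pair(field: &str) -> Option<(u64, u64)> {
    let (a, b) = field.split_once('/')?;
    Some((a.parse().ok()?, b.parse().ok()?))
}

/// Find `uid` in the text of /proc/key-users; malformed lines are skipped.
pub fn quota_for_uid(key_users: &str, uid: u32) -> Option<KeyQuota> {
    key_users.lines().find_map(|line| {
        let (id, rest) = line.trim().split_once(':')?;
        if id.trim().parse::<u32>().ok()? != uid { return None; }
        let f: Vec<&str> = rest.split_whitespace().collect();
        if f.len() != 4 { return None; }
        let (qnkeys, maxkeys) = pair(f[2])?;
        let (qnbytes, maxbytes) = pair(f[3])?;
        Some(KeyQuota { uid, qnkeys, maxkeys, qnbytes, maxbytes })
    })
}

// Constructed sample, not captured from a runner: UID 1001 is one key short of maxkeys.
pub const SAMPLE: &str = "    0:    46 45/45 1/1000000 12/25000000\n 1001:   201 199/199 199/200 19400/20000\n";

fn main() {
    let text = std::fs::read_to_string("/proc/key-users").unwrap_or_else(|_| SAMPLE.to_string());
    for uid in [0u32, 1001] {
        match quota_for_uid(&text, uid) {
            Some(q) => println!("{:?} probe_would_exceed={}", q, q.would_exceed(64)),
            None => println!("uid {}: no entry", uid),
        }
    }
}
```

Logging this output when the probe write fails would show whether the runner UID was at its key-count or byte limit at that moment.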