ci: temporarily disable seccomp for Docker containers #244
Current Docker version on Ubuntu 20.04 used by GH Actions suffers from
an incompatibility with newer glibc [0] used by Fedora Rawhide, causing
Rawhide containers in CI to fail with:
glibc 2.34 and later tries to use the clone3 syscall (for
hardware-assisted security hardening on x86_64), and falls back to clone2
on ENOSYS. However, with the current seccomp profile Docker returns EPERM
instead, which is considered a "hard" fail.
A fix [1] has been merged in upstream, but until then let's run the CI Docker
containers without any seccomp profiles to allow Rawhide jobs to do their job.
(I tried to disable seccomp only for the Rawhide jobs, but I couldn't procure
any solution which wouldn't make my eyes bleed...)
[0] moby/moby#42680
[1] moby/moby#42681
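
As an added example (not part of this pull request or of Docker's code), the Python check below reads a seccomp profile in Docker's JSON format and reports what a `clone3` call would get back, so a profile can be verified for the ENOSYS fallback instead of running containers with seccomp off. The two profiles are constructed samples, and matching rules by syscall name only (ignoring `args`, `includes` and `excludes` conditions) is a simplifying assumption.

```python
import json

# Linux errno values, written out so the check behaves the same on any host.
EPERM, ENOSYS = 1, 38

# Constructed sample profiles in Docker's seccomp JSON format.
# They are NOT Docker's real default profile.
PROFILE_EPERM = json.loads("""
{"defaultAction": "SCMP_ACT_ERRNO",
 "syscalls": [{"names": ["clone", "fork"], "action": "SCMP_ACT_ALLOW"}]}
""")
PROFILE_ENOSYS = json.loads("""
{"defaultAction": "SCMP_ACT_ERRNO",
 "syscalls": [{"names": ["clone", "fork"], "action": "SCMP_ACT_ALLOW"},
              {"names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38}]}
""")


def verdict(profile, syscall):
    """Return (action, errno) that the profile applies to `syscall`.

    Assumption: the first rule naming the syscall wins; argument filters and
    capability/architecture conditions are not evaluated.
    """
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule.get("name")]
        if syscall in names:
            action, ret = rule["action"], rule.get("errnoRet")
            break
    else:
        # No rule names the syscall, so the profile's default applies.
        action, ret = profile["defaultAction"], profile.get("defaultErrnoRet")
    if action != "SCMP_ACT_ERRNO":
        return action, None
    # SCMP_ACT_ERRNO without an explicit errno yields EPERM.
    return action, EPERM if ret is None else ret


def clone3_fallback_ok(profile):
    """True if clone3 is allowed, or denied with ENOSYS so glibc can fall back."""
    action, err = verdict(profile, "clone3")
    return action == "SCMP_ACT_ALLOW" or err == ENOSYS


if __name__ == "__main__":
    for name, prof in (("eperm", PROFILE_EPERM), ("enosys", PROFILE_ENOSYS)):
        print(name, verdict(prof, "clone3"), "ok" if clone3_fallback_ok(prof) else "BREAKS glibc >= 2.34")
```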