ci: Run "Build Integration Test Data" GHA privileged

The glib2 shipping in Fedora 37 is hitting the classic seccomp EPERM vs ENOSYS issue for `close_range` when used via `createrepo_c`. Interestingly, Fedora 36 carried a patch for this: https://src.fedoraproject.org/rpms/glib2/c/a2259ad90593383c5ce982fbb233fd3658c0a7a1?branch=f36 But this patch is not carried in Fedora 37, presumably on the basis that by then hosts should be running a new enough runc to fix opencontainers/runc#2151 But clearly, that hasn't happened yet for whatever version runc that moby-engine uses in `ubuntu-latest`. Hack around this by running the container in privileged mode.
cgwalters · Nov 18, 2022 · 2878692 · 2878692
1 parent 247dc4b
commit 2878692
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -40,7 +40,13 @@ jobs:
   build-tests:
     name: "Build Integration Test Data"
     runs-on: ubuntu-latest
-    container: registry.ci.openshift.org/coreos/fcos-buildroot:testing-devel
+    container:
+      image: registry.ci.openshift.org/coreos/fcos-buildroot:testing-devel
+      # Run privileged to hack around createrepo_c hitting the classic seccomp
+      # broken behaviour of returning EPERM instead of ENOSYS. We should be able
+      # to drop this once `ubuntu-latest` is bumped to include the fix for
+      # https://github.com/opencontainers/runc/issues/2151.
+      options: "--user root --privileged"
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2