ci: unconfine seccomp for i686 no IPC

Docker 29.4.2 blocks `socketcall(2)` in the default seccomp profile: https://docs.docker.com/engine/release-notes/29/#2942 https://github.com/moby/profiles/releases/tag/seccomp%2Fv0.2.2 https://github.com/moby/moby/pull/52501 That affects the `i686, no IPC` job because it runs 32-bit Linux test binaries inside Docker. Add Docker's documented `--security-opt seccomp=unconfined` workaround to this job's `CI_CONTAINER_CAP` - the hook `ci/test/02_run_container.py` already appends to `docker run`. This restores socket availability for the 32-bit test binaries throughout the job: https://docs.docker.com/engine/security/seccomp/#run-without-the-default-seccomp-profile
2026-05-12 23:13:25 +02:00 · 2026-05-03 15:36:47 +02:00
parent 8f4a3ba897
commit 11c9ef92a8
1 changed files with 1 additions and 0 deletions
--- a/ci/test/00_setup_env_i686_no_ipc.sh
+++ b/ci/test/00_setup_env_i686_no_ipc.sh
@@ -10,6 +10,7 @@ export HOST=i686-pc-linux-gnu
 export CONTAINER_NAME=ci_i686_no_multiprocess
 export CI_IMAGE_NAME_TAG="mirror.gcr.io/debian:trixie"
 export CI_IMAGE_PLATFORM="linux/amd64"
+export CI_CONTAINER_CAP="--security-opt seccomp=unconfined"
 export PACKAGES="llvm clang g++-multilib"
 export DEP_OPTS="DEBUG=1 NO_IPC=1"
 export GOAL="install"