ci: unconfine seccomp for i686 no IPC

Docker 29.4.2 blocks `socketcall(2)` in the default seccomp profile:
https://docs.docker.com/engine/release-notes/29/#2942
https://github.com/moby/profiles/releases/tag/seccomp%2Fv0.2.2
https://github.com/moby/moby/pull/52501

That affects the `i686, no IPC` job because it runs 32-bit Linux test binaries inside Docker.

Add Docker's documented `--security-opt seccomp=unconfined` workaround to this job's `CI_CONTAINER_CAP` - the hook `ci/test/02_run_container.py` already appends to `docker run`.

This restores socket availability for the 32-bit test binaries throughout the job:
https://docs.docker.com/engine/security/seccomp/#run-without-the-default-seccomp-profile

Github-Pull: #35202
Rebased-From: 11c9ef92a8
Lőrinc
2026-05-03 15:36:47 +02:00
committed by fanquake
parent b110304705
commit 2d3edd9640
3 changed files with 3 additions and 0 deletions

@@ -9,6 +9,7 @@ export LC_ALL=C.UTF-8
export HOST=i686-pc-linux-gnu
export CONTAINER_NAME=ci_i686_centos
export CI_IMAGE_NAME_TAG="quay.io/centos/amd64:stream9"
export CI_CONTAINER_CAP="--security-opt seccomp=unconfined"
export CI_BASE_PACKAGES="gcc-c++ glibc-devel.x86_64 libstdc++-devel.x86_64 glibc-devel.i686 libstdc++-devel.i686 ccache libtool make git python3 python3-pip which patch lbzip2 xz procps-ng dash rsync coreutils bison util-linux e2fsprogs cmake"
export PIP_PACKAGES="pyzmq"
export GOAL="install"
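
Review bot: `CI_CONTAINER_CAP="--security-opt seccomp=unconfined"` drops the entire default seccomp profile for this container, although the commit message identifies a single blocked syscall, `socketcall(2)`. Consider passing a custom profile that only re-allows `socketcall`, or, if unconfined stays, add a comment above the export linking the Docker 29.4.2 release note so the line can be removed once it is no longer needed.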

@@ -9,6 +9,7 @@ export LC_ALL=C.UTF-8
export HOST=i686-pc-linux-gnu
export CONTAINER_NAME=ci_i686_multiprocess
export CI_IMAGE_NAME_TAG="docker.io/amd64/ubuntu:24.04"
export CI_CONTAINER_CAP="--security-opt seccomp=unconfined"
export PACKAGES="llvm clang g++-multilib"
export DEP_OPTS="DEBUG=1 MULTIPROCESS=1"
export GOAL="install"
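
Review bot: The container configured here is `ci_i686_multiprocess` with `DEP_OPTS="DEBUG=1 MULTIPROCESS=1"`, while the commit message only names the `i686, no IPC` job. Since this is a backport, say in the message or in a comment next to the new `CI_CONTAINER_CAP` line which jobs on this branch actually run 32-bit test binaries and need the workaround.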

@@ -8,6 +8,7 @@ export LC_ALL=C.UTF-8
export CONTAINER_NAME=ci_win64
export CI_IMAGE_NAME_TAG="docker.io/amd64/debian:bookworm" # Check that https://packages.debian.org/bookworm/g++-mingw-w64-x86-64-posix (version 12.2, similar to guix) can cross-compile
export CI_CONTAINER_CAP="--security-opt seccomp=unconfined"
export HOST=x86_64-w64-mingw32
export DPKG_ADD_ARCH="i386"
export PACKAGES="nsis g++-mingw-w64-x86-64-posix wine-binfmt wine64 wine32 file"
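
Review bot: The new `CI_CONTAINER_CAP` line in the `ci_win64` job is not covered by the commit message, which gives 32-bit Linux test binaries as the reason, and `HOST` here is `x86_64-w64-mingw32`. If the need comes from `DPKG_ADD_ARCH="i386"` and `wine32`, state that in a comment; otherwise leave this job on the default seccomp profile.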