CI: update Ubuntu to 24.04

Signed-off-by: Akihiro Suda <[email protected]>
rootless-containers · Aug 14, 2024 · 61b7116 · 61b7116
1 parent 3e7219c
commit 61b7116
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 7 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -7,7 +7,7 @@ env:
 jobs:
   single-node:
     name: "Single node"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 40
     strategy:
       fail-fast: false
@@ -41,9 +41,8 @@ jobs:
         if: ${{ matrix.engine == 'podman' }}
         run: |
           set -eux -o pipefail
-          # Preinstalled Podman is too old (v3.4.4)
-          sudo apt-get remove podman*
-          sudo ./init-host/init-host.root.d/install-podman.sh
+          sudo apt-get update
+          sudo apt-get install -y podman-compose
           podman info
       - run: make up
       - run: sleep 5
@@ -61,13 +60,13 @@ jobs:
 
   multi-node:
     name: "Multi node (emulated using LXD)"
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     strategy:
       fail-fast: false
       matrix:
         include:
-          - lxc-image: ubuntu:22.04
+          - lxc-image: ubuntu:24.04
             engine: docker
 # LXD is now banned from pulling images:fedora from https://images.linuxcontainers.org/
 # TODO: switch away from LXD to Incus: https://github.com/rootless-containers/usernetes/pull/332

diff --git a/hack/create-hosts-lxd.sh b/hack/create-hosts-lxd.sh
@@ -8,7 +8,7 @@ dir=$1
 shift
 names=$*
 
-: "${LXC_IMAGE:="ubuntu:22.04"}"
+: "${LXC_IMAGE:="ubuntu:24.04"}"
 LXC="sudo lxc"
 
 echo "USER=${USER}"
@@ -47,6 +47,18 @@ for name in ${names}; do
 	${LXC} config device add "${name}" bind-boot disk source=/boot path=/boot readonly=true
 	${LXC} config set "${name}" user.user-data - <"${userdata}"
 	${LXC} start "${name}"
+
+	# Apply fixes for AppArmor (apparantely only needed on LXD)
+	# `slirp4netns --enable-sandbox` inside LXD (Ubuntu 24.04) requires amending the AppArmor rule.
+	# https://github.com/rootless-containers/slirp4netns/issues/348#issuecomment-2288124206
+	${LXC} shell "${name}" -- bash -c 'echo "pivot_root," >>/etc/apparmor.d/local/slirp4netns'
+	# runc requires pivot_root:
+	# > runc run failed: unable to start container process: error during container init: error jailing process inside rootfs: pivot_root .: permission denied
+	${LXC} shell "${name}" -- bash -c 'echo "pivot_root," >>/etc/apparmor.d/local/runc'
+	# Propagate the profile for /usr/sbin/runc (Canonical's package) to /usr/bin/runc (Docker's package)
+	${LXC} shell "${name}" -- bash -c 'sed -e s@/usr/sbin/runc@/usr/bin/runc@g /etc/apparmor.d/runc > /etc/apparmor.d/usr.bin.runc'
+	${LXC} shell "${name}" -- bash -c 'systemctl restart apparmor'
+
 	sleep 10
 	ip="$(${LXC} exec "${name}" -- ip --json route get 1 | jq -r .[0].prefsrc)"
 	echo "Host ${name}" >>"${ssh_config}"