Skip to content

Disable runc integration tests due to AppArmor issue#1942

Merged
k8s-ci-robot merged 1 commit intokubernetes-sigs:masterfrom
saschagrunert:runc
Nov 14, 2025
Merged

Disable runc integration tests due to AppArmor issue#1942
k8s-ci-robot merged 1 commit intokubernetes-sigs:masterfrom
saschagrunert:runc

Conversation

@saschagrunert
Copy link
Copy Markdown
Member

@saschagrunert saschagrunert commented Nov 12, 2025

What type of PR is this?

/kind failing-test

What this PR does / why we need it:

All runc integration tests are failing in CI due to an AppArmor issue in nested environments. The error occurs when runc tries to access /proc/sys/net/ipv4/ip_unprivileged_port_start, which AppArmor incorrectly interprets as trying to access /sys/... in detached mounts.

This is a known issue in runc that affects various container platforms. The maintainers advise against downgrading as the current version fixes multiple container escape vulnerabilities.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

TODO: Re-enable these tests when a mitigation is found.

Does this PR introduce a user-facing change?

None

@saschagrunert
Disable runc integration tests due to AppArmor issue
314e94c 
All runc integration tests are failing in CI due to an AppArmor issue
in nested environments. The error occurs when runc tries to access
/proc/sys/net/ipv4/ip_unprivileged_port_start, which AppArmor
incorrectly interprets as trying to access /sys/... in detached mounts.

This is a known issue in runc that affects various container platforms.
The maintainers advise against downgrading as the current version fixes
multiple container escape vulnerabilities.

TODO: Re-enable these tests when a mitigation is found.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
@k8s-ci-robot k8s-ci-robot added the kind/failing-test Categorizes issue or PR as related to a consistently or frequently failing test. label Nov 12, 2025
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 12, 2025
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 12, 2025
@saschagrunert
Copy link
Copy Markdown
Member Author

saschagrunert commented Nov 12, 2025

@kubernetes-sigs/cri-tools-maintainers PTAL

SergeyKanzhelev
SergeyKanzhelev approved these changes Nov 12, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@SergeyKanzhelev SergeyKanzhelev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold

holding in case you want more cri-o contributors to review

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 12, 2025
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 12, 2025
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Nov 12, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: saschagrunert, SergeyKanzhelev

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@saschagrunert
Copy link
Copy Markdown
Member Author

saschagrunert commented Nov 14, 2025

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 14, 2025
@k8s-ci-robot k8s-ci-robot merged commit 653586a into kubernetes-sigs:master Nov 14, 2025
45 of 47 checks passed
@saschagrunert saschagrunert deleted the runc branch November 14, 2025 08:12
@ngopalak-redhat
Copy link
Copy Markdown
Contributor

ngopalak-redhat commented Mar 17, 2026

@saschagrunert The linked issues are resolved:

          # See: https://github.com/cri-o/cri-o/issues/9573
          # See: https://github.com/opencontainers/runc/issues/4968

Can we re-enabled this?
Context: I was looking at impact of opencontainers/runc#5103 on the cri-o related repos.

@saschagrunert
Copy link
Copy Markdown
Member Author

saschagrunert commented Mar 17, 2026

@saschagrunert The linked issues are resolved:

          # See: https://github.com/cri-o/cri-o/issues/9573
          # See: https://github.com/opencontainers/runc/issues/4968

Can we re-enabled this? Context: I was looking at impact of opencontainers/runc#5103 on the cri-o related repos.

I think so, are you going to propose a PR for that change?

@ngopalak-redhat
Copy link
Copy Markdown
Contributor

ngopalak-redhat commented Mar 17, 2026

@saschagrunert The linked issues are resolved:

          # See: https://github.com/cri-o/cri-o/issues/9573
          # See: https://github.com/opencontainers/runc/issues/4968

Can we re-enabled this? Context: I was looking at impact of opencontainers/runc#5103 on the cri-o related repos.

I think so, are you going to propose a PR for that change?

Yes, I'll create a PR

@ngopalak-redhat
Copy link
Copy Markdown
Contributor

ngopalak-redhat commented Mar 20, 2026

/revert

@ngopalak-redhat ngopalak-redhat mentioned this pull request Mar 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SergeyKanzhelev SergeyKanzhelev SergeyKanzhelev approved these changes

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr

@Random-Liu Random-Liu Awaiting requested review from Random-Liu

Assignees

@SergeyKanzhelev SergeyKanzhelev

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/failing-test Categorizes issue or PR as related to a consistently or frequently failing test. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@saschagrunert @k8s-ci-robot @ngopalak-redhat @SergeyKanzhelev