From a2512d259bb03500124926724c8320cf31b1a65f Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Sun, 15 Mar 2026 04:06:16 +0900
Subject: [PATCH 1/2] CI: teardown AppArmor before running pasta
Signed-off-by: Akihiro Suda
---
.github/workflows/main.yaml | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 6db0e651..4666ac45 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -267,16 +267,21 @@ jobs:
 docker exec test docker info
 docker exec test ./integration-docker.sh
 docker rm -f test
- - name: "Docker Integration test: net=pasta, port-driver=implicit"
+ - name: "Docker Integration test: net=gvisor-tap-vsock, port-driver=builtin"
 run: |
- docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=implicit rootlesskit:test-integration-docker
+ docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=gvisor-tap-vsock -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin rootlesskit:test-integration-docker
 sleep 2
 docker exec test docker info
 docker exec test ./integration-docker.sh
 docker rm -f test
- - name: "Docker Integration test: net=gvisor-tap-vsock, port-driver=builtin"
+ - name: "Teardown AppArmor before running pasta tests"
 run: |
- docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=gvisor-tap-vsock -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=builtin rootlesskit:test-integration-docker
+ sudo aa-teardown || true
+ sudo systemctl stop apparmor
+ sudo systemctl restart docker
+ - name: "Docker Integration test: net=pasta, port-driver=implicit"
+ run: |
+ docker run -d --name test --network custom --privileged -e DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta -e DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=implicit rootlesskit:test-integration-docker
 sleep 2
 docker exec test docker info
 docker exec test ./integration-docker.sh
From 967eeea0d88b20110f1af878445dced04a1dadbb Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Sun, 15 Mar 2026 03:57:58 +0900
Subject: [PATCH 2/2] hack/integration-docker.sh: increase sleep
Signed-off-by: Akihiro Suda
---
hack/integration-docker.sh | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/hack/integration-docker.sh b/hack/integration-docker.sh
index 23cdc449..ef58f0f1 100755
--- a/hack/integration-docker.sh
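Review bot: The new "Teardown AppArmor" step disables AppArmor on the runner for every step that follows, not only the pasta test its name refers to, and nothing in the hunk says why pasta needs this or restores the profiles afterwards; a one-line comment above `sudo aa-teardown || true` would spare the next reader that research, e.g. `# pasta fails under the runner's AppArmor confinement (reason/issue: <TODO>); AppArmor stays off for the rest of this job`. The three commands also disagree on failure handling: `aa-teardown` is tolerated with `|| true` while `systemctl stop apparmor` and `systemctl restart docker` are not, so either `sudo systemctl stop apparmor || true` is wanted too (if a runner image without that unit is possible) or the `|| true` on the first line hides a real teardown failure and should go. The purpose of the docker restart is not visible here; if it is so that dockerd re-reads the AppArmor state before the `--privileged` test container starts, that belongs in the same comment. The job's step list continues past the end of the hunk.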
+++ b/hack/integration-docker.sh
@@ -3,19 +3,23 @@ source $(realpath $(dirname $0))/common.inc.sh
 nonloopback="$(hostname -I | awk '{print $1}')"
+
+SLEEP_SECS=2
+[ "$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER" = "implicit" ] && SLEEP_SECS=10
+
 docker rm -f nginx >/dev/null 2>&1 || true
 CURL="curl -fsSL"
 set -x
 docker run -d --name=nginx -p 8080:80 nginx:alpine
-sleep 2
+sleep "$SLEEP_SECS"
 $CURL "http://127.0.0.1:8080"
 $CURL "http://${nonloopback}:8080"
 docker rm -f nginx
 docker run -d --name=nginx -p 127.0.0.1:8080:80 nginx:alpine
-sleep 2
+sleep "$SLEEP_SECS"
 $CURL "http://127.0.0.1:8080"
 $CURL "http://${nonloopback}:8080" && ( ERROR "should fail"; exit 1 )
 docker rm -f nginx
@@ -24,7 +28,7 @@ docker rm -f nginx
 # "Error starting userland proxy: listen tcp4 172.18.0.2:8080: bind: cannot assign requested address."
 if [ "$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER" != "implicit" ]; then
 docker run -d --name=nginx -p "${nonloopback}:8080:80" nginx:alpine
- sleep 2
+ sleep "$SLEEP_SECS"
 $CURL "http://127.0.0.1:8080" && ( ERROR "should fail"; exit 1 )
 $CURL "http://${nonloopback}:8080"
 docker rm -f nginx
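Review bot: `[ "$DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER" = "implicit" ] && SLEEP_SECS=10` aborts with an unbound-variable error if the sourced common.inc.sh enables `set -u` and the script is run without that variable exported; `[ "${DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER:-}" = "implicit" ] && SLEEP_SECS=10` keeps the default of 2 in that case (common.inc.sh is not visible here, so this is conditional on what it sets). The new lines carry no comment on why the implicit driver needs five times the delay — presumably port publication takes longer with that driver, but that should be confirmed and written down, e.g. `# implicit port driver publishes ports more slowly (TODO: confirm why 10s)`. A fixed sleep, whether 2 or 10 seconds, remains a race on a loaded runner; polling the URL that is expected to succeed with a bounded retry before running the negative checks would make the three `sleep "$SLEEP_SECS"` sites (the third is in the `@@ -24,7` hunk) deterministic rather than merely slower. The `if` block in the second hunk closes outside the hunk.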