CI: Remove disabling seccomp for a container manager

When glibc-2.34 started to use clone3() syscall, seccomp policy became violated and glib2 fork+exec functions failed. This discrepancy was worked around with passing "--security-opt seccomp=unconfined" option to a container manager. Now when Microsoft fixed the policy in ubuntu-22.04 images (ubuntu-20.04 remains broken) and we moved to ubuntu-22.04, the workaround is not needed. This patch removes it. <actions/runner-images#3812>
ppisar · Mar 28, 2023 · 6f39c11 · 6f39c11
1 parent 3d9a471
commit 6f39c11
Showing 1 changed file with 0 additions and 28 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -24,10 +24,6 @@ jobs:
         release: ${{ fromJson(needs.get_fedora_releases.outputs.stable) }}
     container:
       image: quay.io/fedora/fedora:${{ matrix.release }}-x86_64
-      # Disable seccomp until a container manager in GitHub recognizes
-      # clone3() syscall,
-      # <https://github.com/actions/virtual-environments/issues/3812>.
-      options: --security-opt seccomp=unconfined
 
     steps:
       - name: Checkout code
@@ -78,10 +74,6 @@ jobs:
         release: ${{ fromJson(needs.get_fedora_releases.outputs.stable) }}
     container:
       image: quay.io/fedora/fedora:${{ matrix.release }}-x86_64
-      # Disable seccomp until a container manager in GitHub recognizes
-      # clone3() syscall,
-      # <https://github.com/actions/virtual-environments/issues/3812>.
-      options: --security-opt seccomp=unconfined
 
     steps:
       - name: Install git
@@ -138,10 +130,6 @@ jobs:
         release: ${{ fromJson(needs.get_fedora_releases.outputs.development) }}
     container:
       image: quay.io/fedora/fedora:${{ matrix.release }}-x86_64
-      # Disable seccomp until a container manager in GitHub recognizes
-      # clone3() syscall,
-      # <https://github.com/actions/virtual-environments/issues/3812>.
-      options: --security-opt seccomp=unconfined
 
     steps:
       - name: Checkout code
@@ -191,10 +179,6 @@ jobs:
         release: ${{ fromJson(needs.get_fedora_releases.outputs.development) }}
     container:
       image: quay.io/fedora/fedora:${{ matrix.release }}-x86_64
-      # Disable seccomp until a container manager in GitHub recognizes
-      # clone3() syscall,
-      # <https://github.com/actions/virtual-environments/issues/3812>.
-      options: --security-opt seccomp=unconfined
 
     steps:
       - name: Install git
@@ -247,10 +231,6 @@ jobs:
     continue-on-error: true
     container:
       image: docker.io/library/archlinux:base
-      # Disable seccomp until a container manager in GitHub recognizes
-      # clone3() syscall,
-      # <https://github.com/actions/virtual-environments/issues/3812>.
-      options: --security-opt seccomp=unconfined
 
     steps:
       - name: Install the standard pacman config
@@ -369,10 +349,6 @@ jobs:
     continue-on-error: true
     container:
       image: registry.opensuse.org/opensuse/tumbleweed
-      # Disable seccomp until a container manager in GitHub recognizes
-      # clone3() syscall,
-      # <https://github.com/actions/virtual-environments/issues/3812>.
-      options: --security-opt seccomp=unconfined
     steps:
       - name: Enable docs in container
         run:
@@ -445,10 +421,6 @@ jobs:
     continue-on-error: true
     container:
       image: docker.io/openmandriva/cooker
-      # Disable seccomp until a container manager in GitHub recognizes
-      # clone3() syscall,
-      # <https://github.com/actions/virtual-environments/issues/3812>.
-      options: --security-opt seccomp=unconfined
     outputs:
       meson_version: ${{ steps.scanbuild.outputs.available }}
     steps: