ci: crio: Enable default capabilities

We need the default capabilities to be enabled, especially `SYS_CHROOT`, in order to have tests accessing the host to pass. A huge thanks to Greg Kurz for spotting this and suggesting the fix. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com> Signed-off-by: Greg Kurz <groug@kaod.org> (cherry picked from commit 74c12b2927)
2025-07-31 15:25:26 +00:00 · 2023-09-25 13:35:41 +02:00 · 2023-09-25 13:35:41 +02:00 · 2de1c8bac2
commit 2de1c8bac2
parent d1d3c7cbda
1 changed files with 20 additions and 0 deletions
--- a/tests/gha-run-k8s-common.sh
+++ b/tests/gha-run-k8s-common.sh
@ -225,6 +225,26 @@ function setup_crio() {
 	curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/${os}/Release.key | sudo apt-key add -
 	sudo apt update
 	sudo apt install -y cri-o cri-o-runc
+
+	# We need to set the default capabilities to ensure our tests will pass
+	# See: https://github.com/kata-containers/kata-containers/issues/8034
+	sudo mkdir -p /etc/crio/crio.conf.d/
+	cat <<EOF | sudo tee /etc/crio/crio.conf.d/00-default-capabilities
+[crio.runtime]
+default_capabilities = [
+       "CHOWN",
+       "DAC_OVERRIDE",
+       "FSETID",
+       "FOWNER",
+       "SETGID",
+       "SETUID",
+       "SETPCAP",
+       "NET_BIND_SERVICE",
+       "KILL",
+       "SYS_CHROOT",
+]
+EOF
+
 	sudo systemctl enable --now crio
 }