@@ -150,10 +150,27 @@ jobs:
150150 run : |
151151 sudo sysctl -w fs.inotify.max_user_instances=512
152152 sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80
153- # Mount BPF filesystem on the host so Cilium's mount-bpf-fs init-container
154- # can detect it as already mounted and skip the privileged mount syscall,
155- # which fails inside rootless Podman-spawned KinD nodes.
156- sudo mount bpffs /sys/fs/bpf -t bpf -o nosuid,nodev,noexec,relatime
153+ # Mount BPF filesystem on the host so Cilium's bpf.autoMount=false works correctly.
154+ sudo mount bpffs /sys/fs/bpf -t bpf -o nosuid,nodev,noexec,relatime || true
155+ # Raise memlock to unlimited system-wide.
156+ # Cilium calls setrlimit(RLIMIT_MEMLOCK, unlimited) inside KinD nodes.
157+ # In rootless Podman the container is --privileged but the rlimit hard cap
158+ # comes from the host; we must raise it here before Podman spawns the nodes.
159+ sudo sh -c 'echo "* soft memlock unlimited" >> /etc/security/limits.conf'
160+ sudo sh -c 'echo "* hard memlock unlimited" >> /etc/security/limits.conf'
161+ sudo sh -c 'echo "runner soft memlock unlimited" >> /etc/security/limits.conf'
162+ sudo sh -c 'echo "runner hard memlock unlimited" >> /etc/security/limits.conf'
163+ # Apply immediately for the current session
164+ sudo prlimit --pid $$ --memlock=unlimited:unlimited
165+ # Allow Podman containers to use CAP_SYS_RESOURCE so Cilium can set memlock rlimit.
166+ mkdir -p ~/.config/containers
167+ cat > ~/.config/containers/containers.conf <<'EOF'
168+ [containers]
169+ default_capabilities = [
170+ "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "NET_BIND_SERVICE",
171+ "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT", "SYS_RESOURCE"
172+ ]
173+ EOF
157174 - name : Install podman-compose
158175 if : steps.check_changes.outputs.skip != 'true'
159176 run : |
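Review bot: The `|| true` added to the bpffs mount line (new line 154) turns a failed mount into a silent success, while the comment directly above it says that mount is what makes `bpf.autoMount=false` work, so a missing mount would surface later as an opaque Cilium agent failure instead of failing this step. Since the one failure worth tolerating is "already mounted", test for that rather than ignoring every error: `mountpoint -q /sys/fs/bpf || sudo mount bpffs /sys/fs/bpf -t bpf -o nosuid,nodev,noexec,relatime`. The memlock block likely does not reach the KinD nodes either: `prlimit --pid $$` only raises the limit of this step's shell, and `/etc/security/limits.conf` is applied by pam_limits at login, which later `run:` steps are not — verify the limit inside a spawned node before relying on it. The `containers.conf` heredoc also widens `default_capabilities` for every container the runner user starts, not only the KinD nodes; if the nodes already run `--privileged` as the comment states, `SYS_RESOURCE` is already granted there, so adding it via `--cap-add` on the node containers would keep the remaining containers at least privilege, and `cat >` should be checked against an existing user `containers.conf` it would overwrite.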