From 6ba47d563431f49d77efb92ecc12879e8152fe34 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Fri, 17 Jan 2025 09:36:48 +0100
Subject: [PATCH] ci: allow unrestricted user namespaces in image builds (#3587)

Since Ubuntu 23.10, creating namespaces, e.g. via `unshare`, requires privileges. Since `unshare` is used by `mkosi` in our image build pipeline, we need to re-enable them explicitly here before building the image, aligning with the behavior before Ubuntu 23.10.
---
 .github/workflows/build-os-image.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index f19419ead..f82aa4504 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -167,6 +167,12 @@ jobs:
 with:
 clouds_yaml: ${{ secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML }}

+ - name: Allow unrestricted user namespaces
+ shell: bash
+ run: |
+ sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_unconfined=0
+ sudo sysctl --ignore --write kernel.apparmor_restrict_unprivileged_userns=0
+
 - name: Build and upload
 id: build
 shell: bash
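Review bot: The new "Allow unrestricted user namespaces" step switches off both AppArmor user-namespace restrictions for the whole runner and for every later step in the job, not only for the `mkosi` build, and the workflow file itself carries no comment saying why or for how long. Unprivileged user namespaces open extra kernel attack surface to any process on the host, and this job also passes upload credentials to the step just above (`secrets.STACKIT_IMAGE_UPLOAD_CLOUDS_YAML`), so the scope should be stated next to the step, e.g. `# mkosi needs unshare; Ubuntu >= 23.10 restricts unprivileged userns via AppArmor. Runtime-only sysctl, affects the whole runner.` If this job can run on self-hosted or otherwise reused runners (the `runs-on` line is outside the hunk), the previous values should be read before the write and put back in a later step guarded by `if: always()`, since a runtime sysctl change outlives the job on a machine that is not discarded.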