ci: use alpine:3.20 to workaround insecure runc procfs (#870)

skl · web-flow · commit 104fdd0df656 · 2025-11-07T09:14:11.000-08:00
* ci: trigger vm workflows to check runc procfs

* fix: use alpine:3.20

* chore: specify go version in one place
diff --git a/.github/workflows/workflow_integration_tests_vm.yml b/.github/workflows/workflow_integration_tests_vm.yml
@@ -35,7 +35,8 @@ jobs:
       - name: build matrix
         id: build-matrix
         env:
-          # 3 partitions, one for each of: TestMultiProcess, TestMultiProcessAppCP, TestMultiProcessAppCPNoIP
+          # 3 partitions, one for each of:
+          # TestMultiProcess, TestMultiProcessAppCP, TestMultiProcessAppCPNoIP
           PARTITIONS: 3
           TEST_TAGS: integration
         run: |
diff --git a/internal/test/vm/Dockerfile b/internal/test/vm/Dockerfile
@@ -1,21 +1,36 @@
-FROM golang:1.25.3-alpine@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34
+FROM alpine:3.20
 
 # this is the toplevel Makefile target to be invoked
 # see the contents of 'startup.sh' at the end of this file
 ARG target=run-integration-test-vm
 ARG test_pattern=TestMultiProcess
 ARG run_number=1
+ARG GO_VERSION=1.25.1
 
+# Pin Docker/runc to Alpine 3.20 versions (before November 2025 CVE patches)
+# The procfs security checks in newer runc (CVE-2025-52881, CVE-2025-52565,
+# CVE-2025-31133) prevent containers from starting in nested virtualization.
+# Even buildkit containers fail to boot, so insecure buildx approach is not viable.
 RUN apk update && apk add --no-cache \
     agetty \
     bash \
+    ca-certificates \
     docker \
-    docker-compose \
+    docker-cli-compose \
     git \
     make \
     openrc \
     openssh \
-    shadow
+    shadow \
+    wget
+
+# Install desired Go version
+RUN wget -q https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz && \
+    tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz && \
+    rm go${GO_VERSION}.linux-amd64.tar.gz && \
+    ln -s /usr/local/go/bin/go /usr/bin/go && \
+    ln -s /usr/local/go/bin/gofmt /usr/bin/gofmt && \
+    go version
 
 RUN ssh-keygen -A && \
     echo "root:root" | chpasswd && \
@@ -75,6 +90,12 @@ while ! docker info >/dev/null 2>&1; do
 done
 echo "Docker daemon is ready"
 
+# Verify runc version
+echo "=== Docker/runc versions in VM ==="
+docker version
+runc --version
+echo "=================================="
+
 if [[ -n "$target" ]]; then
     echo "=== Starting test execution ==="
     echo "Current directory: $(pwd)"
