ci: restore sockets in i686 no IPC job #35202

pull l0rinc wants to merge 1 commits into bitcoin:master from l0rinc:l0rinc/skip-i686-sock-tests-seccomp changing 1 files +1 −0
  1. l0rinc commented at 2:17 PM on May 3, 2026: contributor

    Fixes #35199.

    Problem

    The i686, no IPC job fails in sock_tests at the first socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) call.

    The failing runner uses Docker 29.4.2, while a comparable passing run used Docker 29.4.1.

    The latest Docker changed the default seccomp profile to block socketcall(2), and the Moby seccomp profile documents the explicit socketcall deny rule as returning ENOSYS.

    A previous push attempted to skip only sock_tests - CI failed in util_tests/test_LockDirectory at socketpair(...), which shows the problem is not isolated to one unit test: https://github.com/bitcoin/bitcoin/actions/runs/25281552739/job/74119501960?pr=35202

    Fix

    Add Docker's documented --security-opt seccomp=unconfined option to the i686, no IPC job through CI_CONTAINER_CAP.

    This is broader than a test skip, but it is limited to the affected CI job and restores socket syscall availability for the full unit and functional test run.

  2. DrahtBot added the label Tests on May 3, 2026
  3. DrahtBot commented at 2:17 PM on May 3, 2026: contributor

    <!--e57a25ab6845829454e8d69fc972939a-->

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    <!--021abf342d371248e50ceaed478a90ca-->

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK sedited

    If your review is incorrectly listed, please copy-paste <code>&lt;!--meta-tag:bot-skip--&gt;</code> into the comment that the bot should ignore.

    <!--174a7506f384e20aa4161008e828411d-->

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #32162 (depends: Switch from multilib to platform-specific toolchains by hebasto)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

    <!--5faf32d7da4f0f540f40219e4f7537a3-->

  4. fanquake commented at 3:00 PM on May 3, 2026: member

    https://github.com/bitcoin/bitcoin/actions/runs/25281552739/job/74119501960?pr=35202#step:11:3186:

    [185](https://github.com/bitcoin/bitcoin/actions/runs/25281552739/job/74119501960?pr=35202#step:11:3186)
test/util_tests.cpp(1056): Entering test case "test_LockDirectory"
2026-05-03T14:19:36.387951Z [test] [test/util/random.cpp:48] [SeedRandomStateForTest] Setting random seed for current tests to RANDOM_CTX_SEED=a5c492e3c76974c56055f14fa66232155c87457a6c59966929dd083b118cc117
2026-05-03T14:19:36.388266Z [test] [init/common.cpp:156] [LogPackageVersion] Bitcoin Core version v31.99.0-62f4d348d6d3 (debug build)
2026-05-03T14:19:36.388324Z [test] [init/common.cpp:102] [SetLoggingCategories] Log output may contain privacy-sensitive information. Be cautious when sharing logs.
test/util_tests.cpp(1065): error: in "util_tests/test_LockDirectory": check socketpair(1, SOCK_STREAM, 0, fd) == 0 has failed [-1 != 0]
test/util_tests.cpp(1071): error: in "util_tests/test_LockDirectory": check close(fd[0]) == 0 has failed [-1 != 0]
test/util_tests.cpp(1075): error: in "util_tests/test_LockDirectory": check write(fd[1], &LockCommand, 1) == 1 has failed [-1 != 1]
test/util_tests.cpp(1076): error: in "util_tests/test_LockDirectory": check read(fd[1], &ch, 1) == 1 has failed [-1 != 1]
test/util_tests.cpp(1077): error: in "util_tests/test_LockDirectory": check ch == ResErrorWrite has failed [0 != ]
test/util_tests.cpp(1068): error: in "util_tests/test_LockDirectory": check close(fd[1]) == 0 has failed [-1 != 0]
test_bitcoin: test/util_tests.cpp:1026: void util_tests::TestOtherProcess(fs::path, fs::path, int): Assertion `rv == 1' failed.
test/util_tests.cpp(1100): error: in "util_tests/test_LockDirectory": check write(fd[1], &LockCommand, 1) == 1 has failed [-1 != 1]
test/util_tests.cpp(1101): error: in "util_tests/test_LockDirectory": check read(fd[1], &ch, 1) == 1 has failed [-1 != 1]
test/util_tests.cpp(1102): error: in "util_tests/test_LockDirectory": check ch == ResErrorLock has failed [0 != ]
test/util_tests.cpp(1110): error: in "util_tests/test_LockDirectory": check write(fd[1], &LockCommand, 1) == 1 has failed [-1 != 1]
test/util_tests.cpp(1111): error: in "util_tests/test_LockDirectory": check read(fd[1], &ch, 1) == 1 has failed [-1 != 1]
test/util_tests.cpp(1112): error: in "util_tests/test_LockDirectory": check ch == ResSuccess has failed [0 != ]
test/util_tests.cpp(1115): error: in "util_tests/test_LockDirectory": check util::LockDirectory(dirname, lockname, true) == util::LockResult::ErrorLock has failed [0 != 2]
test/util_tests.cpp(1118): error: in "util_tests/test_LockDirectory": check write(fd[1], &UnlockCommand, 1) == 1 has failed [-1 != 1]
test/util_tests.cpp(1119): error: in "util_tests/test_LockDirectory": check read(fd[1], &ch, 1) == 1 has failed [-1 != 1]
test/util_tests.cpp(1120): error: in "util_tests/test_LockDirectory": check ch == ResUnlockSuccess has failed [0 != ]
test/util_tests.cpp(1129): error: in "util_tests/test_LockDirectory": check write(fd[1], &LockCommand, 1) == 1 has failed [-1 != 1]
test/util_tests.cpp(1133): error: in "util_tests/test_LockDirectory": check write(fd[1], &ExitCommand, 1) == 1 has failed [-1 != 1]
test/util_tests.cpp(1135): error: in "util_tests/test_LockDirectory": check processstatus == 0 has failed [134 != 0]
test/util_tests.cpp(1138): error: in "util_tests/test_LockDirectory": check close(fd[1]) == 0 has failed [-1 != 0]
test/util_tests.cpp(1056): Leaving test case "test_LockDirectory"; testing time: 249386us
  5. DrahtBot added the label CI failed on May 3, 2026
  6. ci: unconfine seccomp for i686 no IPC
    Docker 29.4.2 blocks `socketcall(2)` in the default seccomp profile:
https://docs.docker.com/engine/release-notes/29/#2942
https://github.com/moby/profiles/releases/tag/seccomp%2Fv0.2.2
https://github.com/moby/moby/pull/52501

That affects the `i686, no IPC` job because it runs 32-bit Linux test binaries inside Docker.

Add Docker's documented `--security-opt seccomp=unconfined` workaround to this job's `CI_CONTAINER_CAP` - the hook `ci/test/02_run_container.py` already appends to `docker run`.

This restores socket availability for the 32-bit test binaries throughout the job:
https://docs.docker.com/engine/security/seccomp/#run-without-the-default-seccomp-profile
    11c9ef92a8
  7. l0rinc force-pushed on May 3, 2026
  8. l0rinc renamed this:
    test: skip `sock_tests` when `socketcall` is blocked on x86-32
    ci: restore sockets in i686 no IPC job
    on May 3, 2026
  9. l0rinc commented at 3:28 PM on May 3, 2026: contributor

    test/util_tests.cpp(1065): error: in "util_tests/test_LockDirectory": check socketpair(1, SOCK_STREAM, 0, fd) == 0 has failed [-1 != 0]

    Yeah, the patch did skip sock_tests, but CI then failed later in util_tests at socketpair(). That makes this look like a broader socket availability issue in the 32-bit container, not something worth patching test-by-test.

    I'll try the seccomp=unconfined alternative next.

  10. DrahtBot removed the label CI failed on May 3, 2026
  11. l0rinc marked this as ready for review on May 3, 2026
  12. sedited approved
  13. sedited commented at 9:12 AM on May 4, 2026: contributor

    Nice, ACK 11c9ef92a8daf030f75f88f324396b2248c65a64

Contributors
l0rincDrahtBotfanquakesedited
Labels
Tests
Linked (view graph)
#2942 OpenSSL PRNG having low entropy - of any interest for us?#35199 ci: failure in `sock_tests` in i686 NO IPC
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-04 12:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me