From bb4391d083eb47dfa698b881681e6efec066f359 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Thu, 4 Dec 2025 02:41:20 +0100
Subject: [PATCH] Fix Docker-in-Docker cgroup isolation issues by adding --cgroupns=host

The GitHub Actions DinD environment failed to start inner containers due to cgroup v2 namespace isolation problems ('cannot enter cgroupv2 ... invalid state'). To resolve this, all docker run calls inside the CI workflow were updated to include --cgroupns=host, ensuring the inner dockerd inherits the host cgroup namespace instead of being sandboxed. This aligns the CI runtime with the expectations of runc and prevents OCI-level container creation failures. Details and troubleshooting steps documented here: https://chatgpt.com/share/6930e285-9604-800f-aad8-7a81c928548c
---
 .github/workflows/test-deploy.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/test-deploy.yml b/.github/workflows/test-deploy.yml
index 4d0c4fdb..6fff98e0 100644
--- a/.github/workflows/test-deploy.yml
+++ b/.github/workflows/test-deploy.yml
@@ -43,7 +43,7 @@ jobs:
 # 1) First deploy: normal + debug (inner dockerd with vfs)
 - name: First deploy (normal + debug)
 run: |
- docker run --network=host --rm --privileged \
+ docker run --network=host --rm --privileged --cgroupns=host \
 -e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
 infinito:latest \
 /bin/sh -lc '
@@ -93,7 +93,7 @@ jobs:
 # 2) Second deploy: reset + debug (same inner dockerd pattern, also vfs)
 - name: Second deploy (--reset --debug)
 run: |
- docker run --network=host --rm --privileged \
+ docker run --network=host --rm --privileged --cgroupns=host \
 -e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
 infinito:latest \
 /bin/sh -lc '
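Review bot: With `--cgroupns=host` added next to `--privileged` and `--network=host`, the `docker run` in the first deploy step (and identically in the second and third deploy hunks) leaves the container with no meaningful isolation from the runner, and nothing in the workflow file itself says why that is required. That is tolerable on an ephemeral hosted runner but amounts to root on the host if this job ever lands on a persistent or self-hosted one; the `runs-on` line is outside the hunks, so I cannot confirm which applies. The rationale currently lives only in the commit message and an external chat link, so I would put it above each call, e.g. `# --cgroupns=host: inner dockerd must see the host cgroup v2 tree (runc "cannot enter cgroupv2"); run only on ephemeral runners`. The step bodies continue past the end of each hunk.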
@@ -142,7 +142,7 @@ jobs:
 # 3) Third deploy: async (no debug, same inner dockerd, also vfs)
 - name: Third deploy (async deploy – no debug)
 run: |
- docker run --network=host --rm --privileged \
+ docker run --network=host --rm --privileged --cgroupns=host \
 -e EXCLUDED_ROLES="$EXCLUDED_ROLES" \
 infinito:latest \
 /bin/sh -lc '
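Review bot: The flag set `--network=host --rm --privileged --cgroupns=host` is now spelled out by hand in all three deploy steps, so the next change to it has to be made in three places again, as this commit had to. Since `EXCLUDED_ROLES` appears to come from a workflow- or job-level `env:` (not visible in the hunks), the flags could live there as well, e.g. `DIND_RUN_FLAGS: --network=host --rm --privileged --cgroupns=host`, with each step calling `docker run $DIND_RUN_FLAGS \`. That also gives one place to review when the privilege level of the test container changes.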