ci: re-enable 6.10 kernel workflow (#2308)

* ci: re-enable 6.10 kernel workflow

* ci: allow unsafe procfs in vm workflow

* ci: try unconfined seccomp profile instead

* fix: try insecure buildx instance

* fix: use docker-cli-buildx package

* fix: pin runc to older version

* fix: try alpine 3.20

* chore: set GO_VERSION in one place

Author: skl

.github/workflows/workflow_integration_tests_vm.yml

@@ -58,9 +58,8 @@ jobs:
         kernel:
           - kernel-version: "5.15.152"
             arch: "x86_64"
-          # 6.10.6 not needed as GitHub runners are already on 6.11
-          # - kernel-version: "6.10.6"
-          #   arch: "x86_64"
+          - kernel-version: "6.10.6"
+            arch: "x86_64"
         test: ${{ fromJson(needs.vm-test-matrix.outputs.matrix).include }}
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

internal/test/vm/Dockerfile

@@ -1,21 +1,37 @@
-FROM golang:1.25.1-alpine@sha256:b6ed3fd0452c0e9bcdef5597f29cc1418f61672e9d3a2f55bf02e7222c014abd
+FROM alpine:3.20
 
 # this is the toplevel Makefile target to be invoked
 # see the contents of 'startup.sh' at the end of this file
 ARG target=run-integration-test-vm
 ARG test_pattern=TestMultiProcess
 ARG run_number=1
-
-RUN apk update && apk add --no-cache \
+ARG GO_VERSION=1.25.1
+
+# Pin Docker/runc to Alpine 3.20 versions (before November 2025 CVE patches)
+# The procfs security checks in newer runc (CVE-2025-52881, CVE-2025-52565,
+# CVE-2025-31133) prevent containers from starting in nested virtualization.
+# Even buildkit containers fail to boot, so insecure buildx approach is not viable.
+RUN apk update && \
+    apk add --no-cache \
     agetty \
     bash \
+    ca-certificates \
     docker \
-    docker-compose \
+    docker-cli-compose \
     git \
     make \
     openrc \
     openssh \
-    shadow
+    shadow \
+    wget
+
+# Install desired Go version
+RUN wget -q https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz && \
+    tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz && \
+    rm go${GO_VERSION}.linux-amd64.tar.gz && \
+    ln -s /usr/local/go/bin/go /usr/bin/go && \
+    ln -s /usr/local/go/bin/gofmt /usr/bin/gofmt && \
+    go version
 
 RUN ssh-keygen -A && \
     echo "root:root" | chpasswd && \
@@ -75,6 +91,12 @@ while ! docker info >/dev/null 2>&1; do
 done
 echo "Docker daemon is ready"
 
+# Verify runc version
+echo "=== Docker/runc versions in VM ==="
+docker version
+runc --version
+echo "=================================="
+
 if [[ -n "$target" ]]; then
     echo "=== Starting test execution ==="
     echo "Current directory: $(pwd)"