
Podman containers cannot start on ci-runner-x86-02-main: sethostname: Operation not permitted

Summary

I'm doing some Ansible tests through GitLab CI, and the logic is concentrated in this template repository.

Some jobs run tests inside rootless podman containers using the containers.torproject.org/tpo/tpa/base-images/podman:bookworm image.

These tests consistently succeed on ci-runner-x86-10 and fail on ci-runner-x86-02-main with the following error when attempting to bring a container up:

sethostname: Operation not permitted: OCI permission denied

Attempts to fix

Trying podman with --group-add=keep-groups

Digging into this issue, I've tried to invoke podman run with --group-add=keep-groups (per recommendation), without success.

Trying podman with --cap-add=SYS_ADMIN

Also tried to invoke it with --cap-add=SYS_ADMIN (from this recommendation), but it also failed.

Trying the podman:trixie image

Just to make sure this is not due to outdated podman, I also tried using the provided podman:trixie base image (commits a0cd04 and 0d7662), to no avail.

Initial conclusions

  • It seems that ci-runner-x86-02-main cannot run these jobs, while ci-runner-x86-10 can.
  • I was unable to come up with workarounds.
  • I did not test whether all available tpa runners present the same behavior, or if there's any osuosl with similar problems.
  • Maybe the failing runner(s) have a more restrictive configuration.

Further testing

I have created a branch test/ci-runners to aid testing.
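As an added example that is not part of the original issue or of the test/ci-runners branch, the script below is one way to triage this failure mechanically on each runner: it checks the rootless prerequisites (a subuid range for the current user, the ability to create an unprivileged user+UTS namespace and call sethostname inside it) and then runs the same image with a trivial command, labelling whatever error comes back. The function names, the `unshare -Ur -u` host probe and the sample /etc/subuid lines are assumptions made for this example; only the image name and the error string come from the issue.

```shell
#!/bin/sh
# Added triage script (not from the issue author). Assumed helpers and probes;
# the image name is the one named in the issue.

IMAGE="containers.torproject.org/tpo/tpa/base-images/podman:bookworm"

# Turn a podman/OCI runtime error message into a short label so the output
# of different runners can be compared side by side in CI logs.
classify_podman_error() {
    case "$1" in
        "") echo "ok" ;;
        *"sethostname: Operation not permitted"*) echo "uts-sethostname-denied" ;;
        *newuidmap*|*newgidmap*|*subuid*|*subgid*) echo "idmap-missing" ;;
        *"user namespaces"*|*unshare*) echo "userns-disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Does /etc/subuid-style content grant a range to a user?
# Usage: has_subid_range <user> <file-contents>
has_subid_range() {
    printf '%s\n' "$2" | grep -q -- "^$1:[0-9][0-9]*:[0-9][0-9]*\$"
}

# Host-level probe: can an unprivileged user create a user+UTS namespace and
# set a hostname there? That is the kernel operation behind the container's
# hostname; if this fails, the runner host (not the image) is the problem.
probe_userns_hostname() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo "skip: unshare not installed"; return 2
    fi
    if unshare -Ur -u sh -c 'hostname probe' >/dev/null 2>&1; then
        echo "ok: user+UTS namespace with sethostname works"; return 0
    fi
    echo "fail: sethostname denied in unprivileged user+UTS namespace"; return 1
}

# Minimal reproduction: start the image with a no-op and label the outcome.
probe_podman() {
    if ! command -v podman >/dev/null 2>&1; then
        echo "skip: podman not installed"; return 2
    fi
    err=$(podman run --rm "$IMAGE" true 2>&1 >/dev/null)
    label=$(classify_podman_error "$err")
    echo "podman: $label"
    [ "$label" = ok ]
}

main() {
    echo "host: $(hostname)"
    if has_subid_range "$(id -un)" "$(cat /etc/subuid 2>/dev/null)"; then
        echo "subuid: present"
    else
        echo "subuid: missing"
    fi
    probe_userns_hostname
    probe_podman
}

# Run with TRIAGE_RUN=1 ./triage.sh on each runner; the guard keeps the
# functions sourceable without side effects.
if [ -n "${TRIAGE_RUN:-}" ]; then
    main
fi
```

Running it on both runners and diffing the output separates three causes that produce similar symptoms: no subuid/subgid mapping for the runner user, user namespaces disabled or restricted on the host, and a UTS namespace that exists but in which the container's sethostname is still refused.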

References

Maybe related or similar:
