Not sure why youki can't use CRI-O 1.35.1
kubernetes-sigs/kubespray#13076 (comment)
Failed Message: https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/-/jobs/13736317977#L2163
time="2026-03-07T15:36:04Z" level=warning msg="cgroup_parent is not set. Use runtime-config to get the runtime cgroup driver"
E0307 15:36:05.424665 6241 log.go:32] "RunPodSandbox from runtime service failed" err=<
rpc error: code = Unknown desc = container create failed: libcontainer::seccomp: failed to add seccomp action: Allow. Cmp: ScmpArgCompare(scmp_arg_cmp { arg: 0, op: SCMP_CMP_EQ, datum_a: 16, datum_b: 0 }) Syscall: socket
libcontainer::process::init::process: failed to initialize seccomp err=AddRule { source: Error { kind: Errno(EEXIST), source: None, message: "Failure regarding the existence of argument" } }
libcontainer::process::container_intermediate_process: failed to initialize container process: failed to add rule to seccomp
libcontainer::process::container_main_process: failed to wait for init ready: exec process failed with error error in executing process : failed to add rule to seccomp
libcontainer::container::builder_impl: failed to run container process exec process failed with error error in executing process : failed to add rule to seccomp
youki: error in executing command: failed to create container: exec process failed with error error in executing process : failed to add rule to seccomp
error in executing command: failed to create container: exec process failed with error error in executing process : failed to add rule to seccomp
Error: failed to create container: exec process failed with error error in executing process : failed to add rule to seccomp
I asked an AI and tweaked some JSON, but I'm not sure if this is a youki or a CRI-O issue.
kubernetes-sigs/kubespray#13102
The youki molecule test fails because youki's libseccomp binding treats duplicate seccomp rules as fatal (EEXIST), unlike crun/runc which silently ignore them. CRI-O's default seccomp profile contains duplicate rules for the socket syscall (AF_NETLINK), triggering this failure.
Work around this by setting seccomp profile_type to Unconfined (1) in the shared sandbox.json.j2 template when youki_enabled is true, so CRI-O skips applying its default seccomp profile for youki test runs.