[GH-ISSUE #1997] KVM based containers #959

Open
opened 2026-03-01 21:47:44 +03:00 by kerem · 1 comment
Owner

Originally created by @HuJK on GitHub (Sep 11, 2023).
Original GitHub issue: https://github.com/nektos/act/issues/1997

Act version

0.2.50

Feature description

In GitHub Actions, we have full root permissions and kernel capabilities, like /dev/net/tun, mount/umount, or loading kernel modules.

But we can't access these permissions in the act runner because the Docker engine runs code on the host kernel; all dangerous operations are blocked because they may crash the host OS.

In my opinion, it would be better if we could support Kata Containers or KubeVirt, because Kata Containers/KubeVirt use QEMU or KVM to virtualize a guest kernel and run code on it. We can get better isolation and security, and make it closer to GitHub Actions.
We can even run an isolated Docker engine in the Kata container/KubeVirt!

I think this issue differs from https://github.com/nektos/act/issues/303 because Podman is a runc-based container runtime and it also blocks dangerous operations. But we can use a custom kernel in a Kata container and get full kernel capabilities in it. We can even write an action to build and test kernel modules without the risk of crashing the host system, which is impossible in runc-based containers.

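The issue above says the job container is denied mount/umount, module loading and /dev/net/tun because it shares the host kernel. The concrete mechanism is that the runtime drops most capabilities (and layers seccomp/LSM on top), which you can see from the `CapEff` line of `/proc/self/status`. The script below is an added example and is not code from the act project or from the issue author: it decodes a capability mask and reports whether CAP_NET_ADMIN (tun/tap), CAP_SYS_MODULE (init_module) and CAP_SYS_ADMIN (mount) are held. The file name `capprobe.sh`, the function names and the two sample masks are my own; the sample `CapEff` values are constructed for the test (the 14-capability set Docker grants by default and an unrestricted root set on a kernel with 41 capabilities), not captured from any real runner.

```shell
#!/bin/sh
# Added example (hypothetical file capprobe.sh); not part of the act project.
# Decode a process's effective capability mask (the CapEff line of
# /proc/<pid>/status) and report whether the capabilities behind the
# operations named in the issue are held. A set bit is necessary but not
# sufficient: Docker's default seccomp profile and AppArmor/SELinux can
# still deny mount(2), init_module(2) or opening /dev/net/tun.

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12    # create and configure tun/tap interfaces
CAP_SYS_MODULE=16   # init_module(2) / finit_module(2)
CAP_SYS_ADMIN=21    # mount(2) / umount(2), among much else

# Print the CapEff hex mask from /proc/<pid>/status text read on stdin.
capeff_of() {
    sed -n 's/^CapEff:[[:space:]]*\([0-9a-fA-F]*\).*/\1/p'
}

# Exit 0 if bit $2 is set in hex mask $1, 1 otherwise.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Print how many capability bits are set in hex mask $1
# (unrestricted root on a recent kernel holds 41: bits 0..40).
cap_count() {
    n=0 bit=0
    while [ "$bit" -le 63 ]; do
        if has_cap "$1" "$bit"; then n=$((n + 1)); fi
        bit=$((bit + 1))
    done
    echo "$n"
}

# Print one line per capability of interest; exit 0 only if all are held.
report() {
    mask=$1 rc=0
    for entry in "CAP_NET_ADMIN:$CAP_NET_ADMIN" \
                 "CAP_SYS_MODULE:$CAP_SYS_MODULE" \
                 "CAP_SYS_ADMIN:$CAP_SYS_ADMIN"; do
        name=${entry%%:*} bit=${entry##*:}
        if has_cap "$mask" "$bit"; then
            echo "$name: held"
        else
            echo "$name: missing"
            rc=1
        fi
    done
    echo "capabilities held: $(cap_count "$mask")"
    return "$rc"
}

# Probe the current process, e.g. from a `run:` step inside an act job.
probe_self() {
    if [ ! -r /proc/self/status ]; then
        echo "no /proc/self/status (not Linux?)" >&2
        return 2
    fi
    mask=$(capeff_of < /proc/self/status)
    echo "CapEff: $mask"
    report "$mask"
}

# Constructed samples (not captured from any real run): the 14-capability
# set Docker grants by default, and an unrestricted root mask.
DOCKER_DEFAULT_STATUS=$(printf 'Name:\tsh\nCapEff:\t00000000a80425fb\n')
FULL_ROOT_MASK=000001ffffffffff

# Only probe when executed directly as capprobe.sh, not when sourced.
case "${0##*/}" in
    capprobe.sh) probe_self ;;
esac
```

Run it as a step (`sh capprobe.sh`) under act and under a real GitHub-hosted runner and compare the two reports; on a default Docker job container all three capabilities come back missing, which is exactly the gap the issue describes. Pair it with `uname -r`: in a runc container that prints the host kernel, whereas inside a Kata Containers or KubeVirt guest it prints the guest kernel, so the two commands together tell you which kind of sandbox a job landed in.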
Author
Owner

@septatrix commented on GitHub (Dec 31, 2024):

This would also be a great addition for those hosting public Forgejo/Gitea instances that use Act for their Actions/CI. With containers there is a higher risk of escaping the sandbox compared to proper VMs.
