diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 740a5b7b..ceadf80b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,9 +22,14 @@ jobs:
       - run: su tester -c 'meson test -C release-build/ --print-errorlogs'
 
   ubuntu-24:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
+    container:
+      image: ubuntu:24.04
+      options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
     steps:
+      - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
       - run: useradd tester
+      - run: chown -R tester:tester /sys/fs/cgroup
       - run: apt-get update
       - run: env DEBIAN_FRONTEND=noninteractive apt-get install -y git
       - uses: actions/checkout@v4
@@ -111,9 +116,14 @@ jobs:
       - run: su tester -c 'meson test -C release-build/ --print-errorlogs'
 
   ubuntu-24-with-sanitizers:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
+    container:
+      image: ubuntu:24.04
+      options: --security-opt seccomp=unconfined --privileged --security-opt systempaths=unconfined # needed to make clone3() work in the container, and mount cgroup2 read-write, and /proc mountable
     steps:
+      - run: mount -t cgroup2 -o nsdelegate,remount none /sys/fs/cgroup
       - run: useradd tester
+      - run: chown -R tester:tester /sys/fs/cgroup
       - run: apt-get update
       - run: env DEBIAN_FRONTEND=noninteractive apt-get install -y git
       - uses: actions/checkout@v4