fix(substrate): bump amd64 runsc default to gVisor nightly 2026-06-02 (#2035)

Matcham89 · EItanya · web-flow · commit e9e4e34d6bd2 · 2026-06-17T18:36:06.000-04:00
Closes #2036 ## Summary kagent's default amd64 runsc (`2026-05-19`) fails to restore node.js OpenClaw/NemoClaw actors with inconsistent private memory files on restore; nightly `2026-06-02` fixes it and still checkpoints (the `2026-06-13` build breaks checkpoint). This PR bumps the **amd64** runsc default to `2026-06-02` so amd64 users get a working checkpoint/restore out of the box. arm64 defaults are left unchanged — the bug reproduces only on the amd64 build of the gVisor runsc nightly. ## Changes - `go/core/pkg/app/app.go` — bump `--substrate-runsc-amd64-url` default to `gs://gvisor/releases/nightly/2026-06-02/x86_64/runsc` and `--substrate-runsc-amd64-sha256` to `efd12935f6654c91a1389710eb8dfa4d12b6b9be00db87526dc2eb584ad00119`. - `helm/kagent/values.yaml` — update the commented `runscAMD64URL` / `runscAMD64SHA256` example to match. - `examples/substrate-openclaw/README.md` — update the amd64 runsc URL/hash in the `AgentHarness` example. The sha256 was computed from the published binary and verified against the convention already in the repo (the existing `2026-05-19` amd64 hash reproduces exactly with `shasum -a 256`). ## Caveat C/R was proven to restore on arm64 (Kind) and fail on amd64 (Talos) with the same code and same runsc date, but the arm64 host ran a different kernel (Docker Desktop VM), so an arch-vs-kernel contribution can't be 100% ruled out. The actionable, provable claim that doesn't depend on settling that is the lead sentence above: 05-19 amd64 fails to restore, 06-02 fixes it and still checkpoints. ## Notes for reviewers The runsc-compatibility coupling is owned by `kagent-dev/substrate` (its C/R is built against a specific runsc version). ## Testing - `go build ./core/pkg/app/` passes. - No unit/E2E tests assert the default runsc value, so none needed to change. --------- Signed-off-by: matcham89 <cjmatcham@hotmail.co.uk> Co-authored-by: Eitan Yarmush <eitan.yarmush@solo.io>
diff --git a/examples/substrate-openclaw/README.md b/examples/substrate-openclaw/README.md
@@ -93,8 +93,8 @@ spec:
   pauseImage: gcr.io/gke-release/pause@sha256:bcbd57ba5653580ec647b16d8163cdd1112df3609129b01f912a8032e48265da
   runsc:
     amd64:
-      url: gs://gvisor/releases/nightly/2026-05-19/x86_64/runsc
-      sha256Hash: a397be1abc2420d26bce6c70e6e2ff96c73aaaab929756c56f5e2089ea842b63
+      url: gs://gvisor/releases/nightly/2026-06-02/x86_64/runsc
+      sha256Hash: efd12935f6654c91a1389710eb8dfa4d12b6b9be00db87526dc2eb584ad00119
     arm64:
       url: gs://gvisor/releases/nightly/2026-05-19/aarch64/runsc
       sha256Hash: 1ba2366ae2efceba166046f51a4104f9261c9cb72c6db8f5b3fe2dc57dea86b9
diff --git a/go/core/pkg/app/app.go b/go/core/pkg/app/app.go
@@ -236,8 +236,9 @@ func (cfg *Config) SetFlags(commandLine *flag.FlagSet) {
 	commandLine.StringVar(&cfg.Substrate.DefaultWorkerPoolNamespace, "substrate-default-workerpool-namespace", kagentNamespace, "Default Agent Substrate WorkerPool namespace when spec.substrate.workerPoolRef is unset.")
 	commandLine.StringVar(&cfg.Substrate.DefaultWorkerPoolName, "substrate-default-workerpool-name", "", "Default Agent Substrate WorkerPool name when spec.substrate.workerPoolRef is unset.")
 	commandLine.StringVar(&cfg.Substrate.PauseImage, "substrate-pause-image", "gcr.io/gke-release/pause@sha256:bcbd57ba5653580ec647b16d8163cdd1112df3609129b01f912a8032e48265da", "Pause image for generated ActorTemplates.")
-	commandLine.StringVar(&cfg.Substrate.RunscAMD64URL, "substrate-runsc-amd64-url", "gs://gvisor/releases/nightly/2026-05-19/x86_64/runsc", "gVisor runsc URL for amd64.")
-	commandLine.StringVar(&cfg.Substrate.RunscAMD64SHA256, "substrate-runsc-amd64-sha256", "a397be1abc2420d26bce6c70e6e2ff96c73aaaab929756c56f5e2089ea842b63", "gVisor runsc sha256 for amd64.")
+	// Please note: the 2026-06-13 nightly breaks checkpoint, so don't jump straight to the latest. See https://github.com/kagent-dev/kagent/pull/2035.
+	commandLine.StringVar(&cfg.Substrate.RunscAMD64URL, "substrate-runsc-amd64-url", "gs://gvisor/releases/nightly/2026-06-02/x86_64/runsc", "gVisor runsc URL for amd64.")
+	commandLine.StringVar(&cfg.Substrate.RunscAMD64SHA256, "substrate-runsc-amd64-sha256", "efd12935f6654c91a1389710eb8dfa4d12b6b9be00db87526dc2eb584ad00119", "gVisor runsc sha256 for amd64.")
 	commandLine.StringVar(&cfg.Substrate.RunscARM64URL, "substrate-runsc-arm64-url", "gs://gvisor/releases/nightly/2026-05-19/aarch64/runsc", "gVisor runsc URL for arm64.")
 	commandLine.StringVar(&cfg.Substrate.RunscARM64SHA256, "substrate-runsc-arm64-sha256", "1ba2366ae2efceba166046f51a4104f9261c9cb72c6db8f5b3fe2dc57dea86b9", "gVisor runsc sha256 for arm64.")
 	commandLine.StringVar(&agent_translator.DefaultServiceAccountName, "default-service-account-name", "", "Global default ServiceAccount name for agent pods. When set, agents without an explicit serviceAccountName will use this instead of creating a per-agent ServiceAccount.")
diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml
@@ -276,8 +276,8 @@ controller:
       namespace: ""
       name: ""
     # pauseImage: "gcr.io/gke-release/pause@sha256:bcbd57ba5653580ec647b16d8163cdd1112df3609129b01f912a8032e48265da"
-    # runscAMD64URL: "gs://gvisor/releases/nightly/2026-05-19/x86_64/runsc"
-    # runscAMD64SHA256: "a397be1abc2420d26bce6c70e6e2ff96c73aaaab929756c56f5e2089ea842b63"
+    # runscAMD64URL: "gs://gvisor/releases/nightly/2026-06-02/x86_64/runsc"
+    # runscAMD64SHA256: "efd12935f6654c91a1389710eb8dfa4d12b6b9be00db87526dc2eb584ad00119"
     # runscARM64URL: "gs://gvisor/releases/nightly/2026-05-19/aarch64/runsc"
     # runscARM64SHA256: "1ba2366ae2efceba166046f51a4104f9261c9cb72c6db8f5b3fe2dc57dea86b9"
     # Example when enabled:
