diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index 4e29338249a..58d51489c78 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -36,7 +36,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
       ref: ${{ needs.env-protect-setup.outputs.ref }}
   clang-tidy:
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     needs: [authorize, env-protect-setup, get-dev-image]
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
@@ -64,7 +64,7 @@ jobs:
   code-coverage:
     if: github.event_name == 'push'
     needs: [authorize, env-protect-setup, get-dev-image]
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
     steps:
@@ -88,7 +88,7 @@ jobs:
         ./ci/collect_coverage.sh -u -b main -c "$(git rev-parse HEAD)" -r pixie-io/pixie
   generate-matrix:
     needs: [authorize, env-protect-setup, get-dev-image]
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
     outputs:
@@ -120,7 +120,7 @@ jobs:
           bazel_tests_*
   build-and-test:
     needs: [authorize, env-protect-setup, get-dev-image, generate-matrix]
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     permissions:
       contents: read
       actions: read
@@ -160,6 +160,10 @@ jobs:
       run: |
         # Github actions container runner creates a docker network without IPv6 support. We enable it manually.
         sysctl -w net.ipv6.conf.lo.disable_ipv6=0
+
+        # Our qemu builds require unprivileged user namespaces to run.
+        sysctl -w kernel.unprivileged_userns_clone=1
+        sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
         ./scripts/bazel_ignore_codes.sh test ${{ matrix.args }} --target_pattern_file=target_files/${{ matrix.tests }} \
           2> >(tee bazel_stderr)
     - name: Parse junit reports
diff --git a/bazel/toolchain_transitions.bzl b/bazel/toolchain_transitions.bzl
index 65caa6e6c7b..5578af5dada 100644
--- a/bazel/toolchain_transitions.bzl
+++ b/bazel/toolchain_transitions.bzl
@@ -29,6 +29,7 @@ cc_clang_binary = meta.wrap_with_transition(
     native.cc_binary,
     {
         "@//bazel/cc_toolchains:compiler": meta.replace_with("clang"),
+        "@//bazel/cc_toolchains:libc_version": meta.replace_with("glibc2_36"),
     },
     executable = True,
 )
diff --git a/ci/github/bazelrc b/ci/github/bazelrc
index f4b0cdb5ac0..8de37643b0c 100644
--- a/ci/github/bazelrc
+++ b/ci/github/bazelrc
@@ -5,9 +5,6 @@ common --color=yes
 # a given run.
 common --keep_going
 
-# Always use remote exec
-build --config=remote
-
 build --build_metadata=HOST=github-actions
 build --build_metadata=USER=github-actions
 build --build_metadata=REPO_URL=https://github.com/pixie-io/pixie
diff --git a/src/utils/testingutils/docker/elastic.go b/src/utils/testingutils/docker/elastic.go
index a098add6a2d..a90dafef4c2 100644
--- a/src/utils/testingutils/docker/elastic.go
+++ b/src/utils/testingutils/docker/elastic.go
@@ -70,6 +70,7 @@ func SetupElastic() (*elastic.Client, func(), error) {
 				Type:   "tmpfs",
 				TempfsOptions: &docker.TempfsOptions{
 					SizeBytes: 100 * 1024 * 1024,
+					Mode:      0o777,
 				},
 			},
 			{
@@ -77,6 +78,7 @@ func SetupElastic() (*elastic.Client, func(), error) {
 				Type:   "tmpfs",
 				TempfsOptions: &docker.TempfsOptions{
 					SizeBytes: 100 * 1024 * 1024,
+					Mode:      0o777,
 				},
 			},
 			{
@@ -84,6 +86,7 @@ func SetupElastic() (*elastic.Client, func(), error) {
 				Type:   "tmpfs",
 				TempfsOptions: &docker.TempfsOptions{
 					SizeBytes: 100 * 1024 * 1024,
+					Mode:      0o777,
 				},
 			},
 		}