diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index cddfcebf4..2114cf7f9 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -2,6 +2,8 @@
     "image": "ghcr.io/citusdata/citus-devcontainer:main",
     "runArgs": [
         "--cap-add=SYS_PTRACE",
+        "--cap-add=SYS_NICE",                 // allow NUMA page inquiry
+        "--security-opt=seccomp=unconfined",  // unblocks move_pages() in the container
         "--ulimit=core=-1",
     ],
     "forwardPorts": [
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index 5a99abef1..98e012179 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -225,10 +225,16 @@ jobs:
     runs-on: ubuntu-latest
     container:
       image: "${{ matrix.image_name }}:${{ fromJson(matrix.pg_version).full }}${{ needs.params.outputs.image_suffix }}"
-      options: --user root --dns=8.8.8.8
+      options: >-
+        --user root
+        --dns=8.8.8.8
+        --cap-add=SYS_NICE
+        --security-opt seccomp=unconfined
       # Due to Github creates a default network for each job, we need to use
       # --dns= to have similar DNS settings as our other CI systems or local
       # machines. Otherwise, we may see different results.
+      # and grant caps so PG18's NUMA introspection (pg_shmem_allocations_numa -> move_pages)
+      # doesn't fail with EPERM in CI.
     needs:
     - params
     - build