Bug#973313: lintian: Salsa CI jobs fail for many sources hosted there
I have a reproduction recipe that doesn't involve Salsa CI:
* Start a clean buster virtual machine. (I used LXD, with "lxc launch
--vm images:debian/buster", but any VM software will probably do.)
* In the VM:
- apt update && apt install -y docker.io man-db
- docker pull debian:unstable
- docker run --rm --privileged debian:unstable /bin/sh -c 'apt-get update && apt-get install -y man-db && LC_ALL=C.UTF-8 man --version'
Installing man-db in the VM alongside Docker is vital, as is using
--privileged. The following message appears in dmesg in the VM:
[ 665.609594] audit: type=1400 audit(1635817161.488:11): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/man" name="var/lib/docker/overlay2/3fd16b80cd6bf5eaac5175310673d6d76c288b560b0dd1994908f957825eb8fa/diff/usr/lib/locale/C.UTF-8/LC_MESSAGES" pid=6221 comm="man" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Interestingly, a bullseye VM does *not* exhibit the same issue, which
suggests that it may be possible to track down a change to the kernel,
AppArmor userspace, or Docker that fixed this (I'm guessing as to
plausible packages). I haven't tried that yet since it's 2am here, but
maybe somebody else can run with this.
This seems related to https://github.com/moby/moby/issues/38420, but I'm
not sure it's exactly the same thing as that upstream bug so perhaps
that's a red herring.
--
Colin Watson (he/him) [cjwatson@debian.org]
Reply to: