Re: Bug#1070411: containerd fails to build as a normal user due to sysctl
- To: Jochen Sprickerhof <jspricke@debian.org>
- Cc: Reinhard Tartler <siretart@tauware.de>, 1070411@bugs.debian.org, debian-wb-team@lists.debian.org, Chris Hofstaedtler <zeha@debian.org>, debian-release@lists.debian.org
- Subject: Re: Bug#1070411: containerd fails to build as a normal user due to sysctl
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Tue, 11 Jun 2024 10:21:15 +0200
- Message-id: <ZmgI--oCpu04q7cv@ramacher.at>
- Mail-followup-to: Jochen Sprickerhof <jspricke@debian.org>, Reinhard Tartler <siretart@tauware.de>, 1070411@bugs.debian.org, debian-wb-team@lists.debian.org, Chris Hofstaedtler <zeha@debian.org>, debian-release@lists.debian.org
- In-reply-to: <ZmgIRugUGzlA6Bli@vis>
- References: <171488884431.33726.9259402116071946601.reportbug@fenchel.fritz.box> <87ikyg6wp8.fsf@tauware.de> <ZmgIRugUGzlA6Bli@vis>
Hi
On 2024-06-11 10:18:14 +0200, Jochen Sprickerhof wrote:
> Hi Reinhard,
>
> * Reinhard Tartler <siretart@tauware.de> [2024-06-10 22:26]:
> > Are you sure that the test is actually executing a sysctl(2) command?
> > Looking at the code, it seems to me that this code is assembling a
> > runtime spec that the CRI implementation will then carry out.
> > Furthermore, the output above indicates that the assertion on line 123
> > actually holds, but the one on line 124 does not:
> >
> > https://sources.debian.org/src/containerd/1.6.24~ds1-1/pkg/cri/server/sandbox_run_linux_test.go/#L124
> >
> > The cause for this is most likely in https://sources.debian.org/src/containerd/1.6.24~ds1-1/pkg/cri/server/sandbox_run_linux.go/#L147. Here the code is explicitly checking whether it is running in a usernamespace, which is exactly what 'unshare' is doing.
>
> That makes more sense, thanks for looking into it.
>
> > Can you please help me understand whether, and if so since when, we have
> > the requirement that all packages must be buildable inside a
> > usernamespace and where was this announced to be release-critical?
> > (CC'ed debian-release for input).
>
> Afaik the buildd team started deploying the sbuild unshare setup in April:
>
> https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/commit/6a050f889
>
> So unrelated to the severity discussion you may want to look into fixing
> this bug so that the package continues to build.

This change makes those bugs automatically RC:

    Packages must autobuild without failure on all architectures on
    which they are supported.

(from https://release.debian.org/testing/rc_policy.txt, 4. Autobuilding)

Cheers
--
Sebastian Ramacher
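
The user-namespace check discussed in the thread explains why the same test can pass on a root-based builder and fail under sbuild's unshare mode. The following is an added example, not code from this thread or from containerd: it shows one common way to detect a user namespace on Linux by reading `/proc/self/uid_map`. The helper name `inUserNS` and the sample mappings in the comments are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Identity mapping of the initial user namespace: "0 0 4294967295".
const fullRange = 4294967295

// inUserNS reports whether the given uid_map content belongs to a
// non-initial user namespace. Hypothetical helper, not containerd's code.
func inUserNS(uidMap string) bool {
	lines := strings.Split(strings.TrimSpace(uidMap), "\n")
	if len(lines) == 1 && lines[0] == "" {
		// Empty map: a new namespace whose mapping has not been written yet.
		return true
	}
	if len(lines) > 1 {
		return true // the initial namespace has exactly one mapping line
	}
	f := strings.Fields(lines[0])
	if len(f) != 3 {
		return false // unparsable: assume the host namespace
	}
	var v [3]int64
	for i, s := range f {
		n, err := strconv.ParseInt(s, 10, 64)
		if err != nil {
			return false
		}
		v[i] = n
	}
	// Anything other than the full identity mapping means a user namespace,
	// e.g. "0 1000 1" as created by an unprivileged unshare.
	return !(v[0] == 0 && v[1] == 0 && v[2] == fullRange)
}

func main() {
	data, err := os.ReadFile("/proc/self/uid_map")
	if err != nil {
		fmt.Println("cannot read uid_map:", err)
		return
	}
	fmt.Println("running in user namespace:", inUserNS(string(data)))
}
```

A test whose expected output depends on this result needs either two expectations or an explicit skip, otherwise it is tied to the builder's isolation mode.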