I have a reproduction recipe that doesn't involve Salsa CI: * Start a clean buster virtual machine. (I used LXD, with "lxc launch --vm images:debian/buster", but any VM software will probably do.) * In the VM: - apt update && apt install -y docker.io man-db - docker pull debian:unstable - docker run --rm --privileged debian:unstable /bin/sh -c 'apt-get update && apt-get install -y man-db && LC_ALL=C.UTF-8 man --version'
Installing man-db in the VM alongside Docker is vital, as is using --privileged. The following message appears in dmesg in the VM: [ 665.609594] audit: type=1400 audit(1635817161.488:11): apparmor="DENIED" operation="open" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/man" name="var/lib/docker/overlay2/3fd16b80cd6bf5eaac5175310673d6d76c288b560b0dd1994908f957825eb8fa/diff/usr/lib/locale/C.UTF-8/LC_MESSAGES" pid=6221 comm="man" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Interestingly, a bullseye VM does *not* exhibit the same issue, which suggests that it may be possible to track down a change to the kernel, AppArmor userspace, or Docker that fixed this (I'm guessing as to plausible packages). I haven't tried that yet since it's 2am here, but maybe somebody else can run with this. This seems related to https://github.com/moby/moby/issues/38420, but I'm not sure it's exactly the same thing as that upstream bug so perhaps that's a red herring. -- Colin Watson (he/him) [cjwat...@debian.org]