Hi Reinhard,

* Reinhard Tartler <siret...@tauware.de> [2024-06-10 22:26]:
> Are you sure that the test is actually executing a sysctl(2) command? Looking at the code, it seems to me that this code is assembling a runtime spec that the CRI implementation will then carry out. Furthermore, the output above indicates that the assertion on line 123 actually holds, but the one on line 124 does not:
> https://sources.debian.org/src/containerd/1.6.24~ds1-1/pkg/cri/server/sandbox_run_linux_test.go/#L124
>
> The cause for this is most likely in https://sources.debian.org/src/containerd/1.6.24~ds1-1/pkg/cri/server/sandbox_run_linux.go/#L147. Here the code is explicitly checking whether it is running in a usernamespace, which is exactly what 'unshare' is doing.

That makes more sense, thanks for looking into it.

> Can you please help me understand whether, and if so since when, we have the requirement that all packages must be buildable inside a usernamespace and where was this announced to be release-critical? (CC'ed debian-release for input).

Afaik the buildd team started deploying the sbuild unshare setup in April:
https://salsa.debian.org/dsa-team/mirror/dsa-puppet/-/commit/6a050f889

So unrelated to the severity discussion you may want to look into fixing this bug so that the package continues to build.

Cheers Jochen
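
Why a build under `unshare` can take a different code path, as an added example that is not part of this thread and not containerd's code: a common way to detect a user namespace is to compare `/proc/self/uid_map` with the identity mapping that user_namespaces(7) documents for the initial namespace. The function names and the sysctl key below are hypothetical and chosen only for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// initialNSMap is the uid_map content of the initial user namespace
// per user_namespaces(7): the whole ID range mapped one to one.
const initialNSMap = "0 0 4294967295"

// illustrativeSysctl is a real sysctl name used purely as sample data;
// it is not taken from the thread.
const illustrativeSysctl = "net.ipv4.ip_unprivileged_port_start"

// inUserNS reports whether the given uid_map content describes a
// non-initial user namespace (the situation created by unshare).
func inUserNS(uidMap string) bool {
	lines := strings.Split(strings.TrimSpace(uidMap), "\n")
	if len(lines) != 1 {
		return true // several mapping ranges: never the initial namespace
	}
	if lines[0] == "" {
		return true // namespace exists but no mapping written yet
	}
	// The kernel pads the columns, so normalise whitespace first.
	return strings.Join(strings.Fields(lines[0]), " ") != initialNSMap
}

// sandboxSysctls is a hypothetical spec builder: it only requests the
// sysctl when not inside a user namespace, so a test that expects the
// key unconditionally passes on a plain host and fails under unshare.
func sandboxSysctls(userNS bool) map[string]string {
	sysctls := map[string]string{}
	if !userNS {
		sysctls[illustrativeSysctl] = "0"
	}
	return sysctls
}

func main() {
	data, err := os.ReadFile("/proc/self/uid_map")
	if err != nil {
		fmt.Println("uid_map not readable, assuming no user namespace:", err)
		return
	}
	ns := inUserNS(string(data))
	fmt.Printf("in user namespace: %v, sysctls: %v\n", ns, sandboxSysctls(ns))
}
```

Running the program once directly and once under `unshare --user --map-root-user` shows the two outcomes side by side.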