On Tue, Nov 2, 2021 at 10:04 PM Colin Watson <cjwat...@debian.org> wrote:
>
> On Tue, Nov 02, 2021 at 05:21:12PM +0800, xiao sheng wen(肖盛文) wrote:
> > On 2021/11/2 at 10:01 AM, Colin Watson wrote:
> > > Interestingly, a bullseye VM does *not* exhibit the same issue, which
> > > suggests that it may be possible to track down a change to the kernel,
> > > AppArmor userspace, or Docker that fixed this (I'm guessing as to
> > > plausible packages). I haven't tried that yet since it's 2am here, but
> > > maybe somebody else can run with this.
> >
> > It's the new version of Docker in bullseye that fixed this.
> >
> > In bullseye, Docker has a docker-default profile for AppArmor[1], but
> > this profile doesn't exist in buster.
>
> Ah yes, thanks for finding that. So I guess the plausible choices
> (without having checked feasibility) are:
>
>  * cherry-pick the docker-default profile into buster's docker.io
>    package as a stable update
>  * backport the docker.io package wholesale from bullseye to
>    buster-backports
>  * ask Salsa admins to upgrade our runners to bullseye
>
> Does anyone have opinions on this? I've CCed the docker.io package
> maintainers in case they have any preferences.
>
For the docker.io package part, I'm not aware that salsa infra is using
this package. The shared runners are created by docker-machine and the
base VM is also provisioned by docker-machine, which doesn't install the
docker.io package.

-- 
Shengjing Zhu