Dockerfile: install podman from unstable

Due to the issues in the bug outlined inline, we need a more recent podman for the DIB containerfile element with recent distros like Fedora 35. Install from unstable until these fixes make it into the stable package. Change-Id: I6ce1e9c61c0a38dde667efd1fc1f6ba86dfee6e2
2021-10-28 11:59:00 +11:00 · 2021-10-28 11:59:00 +11:00 · bf112d5522
commit bf112d5522
parent cce7dbc669
1 changed files with 14 additions and 1 deletions
--- a/15
+++ b/15
@ -98,7 +98,20 @@ RUN \
 # hand-wavy motion) but it's not in the container; override to use
 # cgroupfs manager.  Also disable trying to send logs to the journal.
 #
-RUN apt-get install -y --install-recommends podman \
+# The glibc in Fedora >35 uses clone3() which causes seccomp issues.
+# For details see:
+#  https://bugs.debian.org/995777
+# We install podman from unstable until these fixes make it into bullseye
+#
+# For some reason, the unstable podman only suggests iptables (not
+# recommends) so we need to pull that explicitly too.  Unclear if
+# this is a feature or a bug; see:
+#  https://bugs.debian.org/997976
+
+RUN echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list \
+  && echo "APT::Default-Release: 'stable';" >> /etc/apt/apt.conf.d/default-release \
+  && apt-get update \
+  && apt-get install -y --install-recommends podman/unstable iptables \
  && printf '[engine]\ncgroup_manager="cgroupfs"\nevents_logger="file"\n' > /etc/containers/containers.conf

 # There is a Debian package in the NEW queue currently for dnf-plugins-core