Update CI builds to Debian Bullseye, fix associated compatibility bugs
This is a change intended for 0.4.7 maintenance as well as main.
The CI builds use Debian Buster which is now end of life, and I was experiencing inconsistent CI failures with accessing its security update server. I wanted to update CI to a distro that isn't EOL, and Bullseye is the current stable release of Debian.
This opened up a small can of worms that this commit also deals with. In particular there's a docker engine bug that we work around by removing the docker-specific apt cleanup script if it exists, and there's a new incompatibility between tracing and sandbox support.
The tracing/sandbox incompatibility itself had two parts:
-
The membarrier() syscall is used to deliver inter-processor synchronization events, and the external "userspace-rcu" data structure library would make assumptions that if membarrier is available at initialization it always will be. This caused segfaults in some cases when running trace + sandbox. Resolved this by allowing membarrier entirely, in the sandbox.
-
userspace-rcu also assumes it can block signals, and fails hard if this can't be done. We already include a similar carveout to allow this in the sandbox for fragile-hardening, so I extended that to cover tracing as well.
Addresses issue #40799 (closed)