Arvados

I started seeing this test failure after upgrading from debian 11 to 12:

----------------------------------------------------------------------
FAIL: singularity_test.go:39: singularitySuite.TestIPAddress

building singularity image
[singularity build /tmp/crunch-run-singularity-3013312958/image.sif docker-archive:///tmp/crunch-run-singularity-3013312958/image.tar]
INFO:    Starting build...
Getting image source signatures
Copying blob sha256:67f770da229bf16d0c280f232629b0c1f1243a884df09f6b940a1c7288535a6d
Copying config sha256:a11e762410a6fb4e925d1ea535fecc177d983bdf0dba3261d244fb3c7ee18865
Writing manifest to image destination
Storing signatures
2024/05/03 15:06:19  info unpack layer: sha256:378e3b9fb50c743e1daa7a79dc2cf7c18aa0ac8137a1ca0d51a3b909c80e7d48
INFO:    Creating SIF file...
INFO:    Build complete: /tmp/crunch-run-singularity-3013312958/image.sif

singularity_test.go:50:
    s.executorSuite.TestIPAddress(c)
executor_test.go:210:
    c.Assert(err, IsNil)
... value *url.Error = &url.Error{Op:"Brew", URL:"http://10.23.0.2:44679", Err:(*net.OpError)(0xc000d108c0)} ("Brew \"http://10.23.0.2:44679\": dial tcp 10.23.0.2:44679: connect: connection refused")

It seems that --fakeroot is no longer enough to make --net work when invoking singularity as an unprivileged user:

$ /var/lib/arvados/bin/singularity exec --containall --cleanenv --pwd= /tmp/busybox.sif echo OK
OK
$ /var/lib/arvados/bin/singularity exec --containall --cleanenv --pwd= --fakeroot --net /tmp/busybox.sif echo OK
INFO:    Converting SIF file to temporary sandbox...
ERROR:   Network fakeroot is not permitted for unprivileged users.
INFO:    Cleaning up image...
ERROR:   could not delete networks: plugin type="firewall" failed (delete): could not initialize iptables protocol 0: could not get iptables version: exit status 111
FATAL:   container creation failed: plugin type="ptp" failed (add): failed to locate iptables: could not get iptables version: exit status 111