Comment 6 for bug 1713212

Philip Muškovac (yofel) wrote :

For clarification, the environment the containers run with is:

privileged: false,
cap_add: ['SYS_ADMIN'],
security_opts: ['apparmor:unconfined']

(see https://git.launchpad.net/~kubuntu-ci-admins/kubuntu-ci/+git/pangea-tooling/tree/kci/imager.rb)

What's not helpful is that running debootstrap in a container started on the shell with
run --cap-add SYS_ADMIN --privileged=false --security-opt 'apparmor:unconfined'
seems to work fine... (result: artful/etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf)

So this might be related to some of the environment setup before live-build starts running - or the fact that it's running headless, but I did not have time to take a closer look at that.

As for touching resolv.conf, live-build does mess with it later on in some way during the chroot build, but that happens far later during the build.