1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
On 08/20/2013 06:26 AM, Michał Górny wrote: |
5 |
> Hello, fellow developers. |
6 |
> |
7 |
> I've added a few new fancy features for Gentoo developers to portage |
8 |
> git. Sadly, since Zac isn't planning another release until 2.2.0 goes |
9 |
> stable, you need to switch to -9999 to use them. But I say to you, it's |
10 |
> worth the hassle. |
11 |
|
12 |
Any idea on an eta for that? |
13 |
|
14 |
This is some fantastic looking stuff. I'm really looking forward to |
15 |
using these features. |
16 |
|
17 |
Thanks, |
18 |
Zero |
19 |
> |
20 |
> The features are off by default since they need proper testing and can |
21 |
> break a lot of ebuilds. And FEATURES=network-sandbox does. |
22 |
> |
23 |
> It should be noted that all of the features follow the systemd idea of |
24 |
> supporting Linux only and require fancy kernel features. |
25 |
> |
26 |
> |
27 |
> The following new FEATURES have been added: |
28 |
> |
29 |
> 1. FEATURES=cgroup |
30 |
> |
31 |
> Requires: CONFIG_CGROUPS |
32 |
> |
33 |
> Applies to: all src_* phases |
34 |
> |
35 |
> Enables long-awaited cgroup support in portage. Each ebuild is confined |
36 |
> within a control group and all spawned processes are tracked. Once |
37 |
> the phase exits, all remaining orphans are killed. |
38 |
> |
39 |
> This helps especially with multiprocessing/multibuild stuff and some |
40 |
> test phases that need to spawn servers. It ensures that portage does |
41 |
> not leave any orphans that would otherwise need to be separately |
42 |
> tracked and killed. |
43 |
> |
44 |
> Control groups are applied to src_* phases only, since we expect that |
45 |
> pkg_postinst() may restart external daemons, and those could end up |
46 |
> being attached to the cgroup. |
47 |
> |
48 |
> I doubt this could break something. |
49 |
> |
50 |
> |
51 |
> 2. FEATURES=network-sandbox |
52 |
> |
53 |
> Requires: CONFIG_NAMESPACES, CONFIG_NET_NS |
54 |
> |
55 |
> Applies to: src_* except for src_unpack |
56 |
> |
57 |
> This one uses the unshare() syscall to detach the build process from |
58 |
> host's network stack. This effectively means that each of the listed |
59 |
> phases will be able only to access a detached, 'local' loopback |
60 |
> interface and nothing else. |
61 |
> |
62 |
> This has a few implications. First of all, ebuilds that used to access |
63 |
> the Internet won't be able to do that anymore. In the Python world, |
64 |
> this would mean that some packages will start to fail properly instead |
65 |
> of downloading missing dependencies. It will also break or skip all |
66 |
> the tests that rely on the network being available. |
67 |
> |
68 |
> Secondly, this will prevent any kind of communication between host |
69 |
> network and ebuild, including services running on 127.0.0.1. That is, |
70 |
> ebuild will no longer be able to access production services running |
71 |
> on the host. This affects e.g. old mongodb frontend ebuilds which used |
72 |
> to run tests on the live database server (yep, create and delete |
73 |
> databases there). |
74 |
> |
75 |
> Thirdly, this will prevent the daemons spawned within ebuild from being |
76 |
> publicly accessible. That is, if test phase spawns some kind of TCP/IP |
77 |
> server, even local users won't be able to connect to it (outside of |
78 |
> the namespace). This should improve the security. |
79 |
> |
80 |
> This does not apply to pkg_* phases where networking may be needed for |
81 |
> some kind of IPC, and src_unpack where it is used for VCS fetching. If |
82 |
> we introduce separate src_fetch in a future EAPI, the exclude will |
83 |
> move there. |
84 |
> |
85 |
> This one's going to trigger a lot of breakage in ebuilds. Therefore, |
86 |
> I'd appreciate if developers started using it early and fixing |
87 |
> the ebuilds. |
88 |
> |
89 |
> |
90 |
> 3. FEATURES=ipc-sandbox |
91 |
> |
92 |
> Requires: CONFIG_NAMESPACES, CONFIG_IPC_NS |
93 |
> |
94 |
> Applies to: src_* |
95 |
> |
96 |
> This one separates the ebuild's *nix IPC stuff from host. This includes |
97 |
> semaphores, shared memory etc. Similarly to network-sandbox, this could |
98 |
> prevent ebuilds from communicating with some production servers. |
99 |
> |
100 |
> But honestly, I have no idea if anything really does it or relies on it. |
101 |
> I doubt this could break something but it's worth testing. |
102 |
> |
103 |
> |
104 |
> I'd really appreciate some testing and feedback. Thanks. |
105 |
> |
106 |
|
107 |
-----BEGIN PGP SIGNATURE----- |
108 |
Version: GnuPG v2.0.20 (GNU/Linux) |
109 |
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ |
110 |
|
111 |
iQIcBAEBAgAGBQJSE4Q3AAoJEKXdFCfdEflKB+wP/3ZYGqcdOz+ojIx5+7DT+OBY |
112 |
qJEz8oIDI73P/Bn6VsLAeq2bO5RaLLB1rIqB4cxbIncxLb/Vwsuk6VgryPNxaH7C |
113 |
+2ctSZEaUSo+2Kg2sVrHxd+n0kC19GrZOXr9y5HvKSWofMYP2My67xAoRrg0/qe8 |
114 |
7A1jjMKbh29L+rt8krnSNYHt9EoUe7soeNEcCcVYkyRUkoQnkOy0qqBBvAUB8Ggy |
115 |
Gt0M3zZ9aHYTCcFbVv/JW7kntMt601AMMfsz/zK2dcBu2nyPCz1oOFgsfz23qPTw |
116 |
GYh2iJxMekWihxU/fJHGJIlXnNxhRHxCB7tKojgYiREqbVcBEWSr9S7QoNKL9Lts |
117 |
ZZ2ubSXuwjpcyGn4ih2lWdBFb7vvG5lKVoFpQimG1/sNLTgtLCejZ05IFvd08zyo |
118 |
UNpp2/lZpJuBsGi8zXVhUlDz8Fe4itNBHjXq90LqWDsQlp3h4BmYjxdrygG5LPMt |
119 |
+S/6hK24muE27FDEFLGEMNl71DZykETPq6YYFgqvQpmhgTVtDBUHCQ8L1UpQwBIE |
120 |
PMwEnwTJtezsfKhPR+OTNBRTAVHRL4/MF7lL3wVrLHJ3wpyFVEec2ixJ3vK5ap6Q |
121 |
TgPzMm2QhYS1ncCNCt4Gwxs0DyHuZrSrkWKLlWW8o6A2qWp3TxCeaEfkfca5nn/e |
122 |
9IzX5hSKEbHlyHBmm467 |
123 |
=4jTs |
124 |
-----END PGP SIGNATURE----- |