Gentoo Archives: gentoo-dev

From: R0b0t1 <r030t1@×××××.com>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Functional portage with namespace (Was: Integrating Portage with other package managers)
Date: Fri, 09 Mar 2018 02:11:33
Message-Id: CAAD4mYgy+AvtYdS1WqPQS1_zNYP7MCRLhmWThC4s77TE68WebA@mail.gmail.com
In Reply to: Re: [gentoo-dev] Functional portage with namespace (Was: Integrating Portage with other package managers) by Rich Freeman
On Thu, Mar 8, 2018 at 7:06 PM, Rich Freeman <rich0@g.o> wrote:
> On Thu, Mar 8, 2018 at 7:46 PM, Benda Xu <heroxbd@g.o> wrote:
>> Rich Freeman <rich0@g.o> writes:
>>
>>> If you have util-linux installed then try running (as any user - you
>>> don't have to be root): unshare -i -m -n -p -u -C -f --mount-proc -U
>>> -r /bin/bash
>>>
>>> Congrats. You are now root in a container. You're in the same root
>>> filesystem as always. You'll note that you can't actually see
>>> anything that you couldn't see before. If you run ps -ea you'll see
>>> that you're the only process running on the system. Devices like
>>> /dev/sda aren't actually accessible. A lot of container managers
>>> would mount a new /dev and just hide most of that stuff. You can
>>> probably imagine how something like this could be useful for isolating
>>> processes.
>>
>> Just a side note, this seems to be the ultimate sandbox we (Gentoo and
>> portage) are after. With this, we might even be able to have portage
>> fully functional: a build is completely determined and only determined by
>> the dependencies and USE flags.
>>
>
> I'm not sure how well this would perform, but I had given this a bit
> of thought a few years ago. There are two obvious ways to go about
> this: the sandbox or containers.
>

It may be possible to use fanotify(7) (but this would only catch disk
access). There is an extension to fanotify created as someone's thesis
(http://lkml.iu.edu/hypermail/linux/kernel/1703.1/05249.html) that
allows recursive watches. One of the features of fanotify is that it
is possible to deny the events generated. The fanotify API may
simplify the application of the generated rules. It was designed to be
fast, and most processing is done in the kernel when calls are made.

Sadly interest in the patches seems to have waned. The functionality
is not exactly duplicated in containers, but they do make it easier to
find changes.
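The deny capability the message refers to is fanotify's permission-event class: with FAN_CLASS_CONTENT the kernel suspends the opening process until the listener writes back FAN_ALLOW or FAN_DENY. The listener below, added here as an illustration and not code from the thread or from portage, marks a whole mount with FAN_OPEN_PERM and refuses any open() under a caller-chosen directory prefix; the denied process gets EPERM. The mount point, the deny prefix and the helper names (decide_open, fd_to_path, respond) are this example's own choices. It needs CAP_SYS_ADMIN and a Linux kernel with fanotify, and the policy is deliberately kept in a pure function so it can be checked without either.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Policy only: should an open() of `path` be denied?  Kept free of kernel
 * calls so it can be tested without CAP_SYS_ADMIN.  `deny_prefix` names a
 * directory; the match is on a path-component boundary so that a prefix
 * "/etc/portage" does not also cover "/etc/portage-extra". */
unsigned int decide_open(const char *path, const char *deny_prefix)
{
    size_t n = deny_prefix ? strlen(deny_prefix) : 0;
    if (n == 0 || path == NULL)
        return FAN_ALLOW;
    if (strncmp(path, deny_prefix, n) != 0)
        return FAN_ALLOW;
    if (path[n] == '\0' || path[n] == '/' || deny_prefix[n - 1] == '/')
        return FAN_DENY;
    return FAN_ALLOW;
}

/* The kernel hands the listener an fd for the object being opened; /proc
 * turns it back into a path.  The kernel opens that fd with FMODE_NONOTIFY,
 * so looking at it does not produce a second event for this listener. */
static int fd_to_path(int fd, char *buf, size_t len)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t r = readlink(link, buf, len - 1);
    if (r < 0)
        return -1;
    buf[r] = '\0';
    return 0;
}

/* Every FAN_OPEN_PERM event must be answered, or the opener stays blocked. */
static int respond(int fan_fd, int event_fd, unsigned int verdict)
{
    struct fanotify_response resp = { .fd = event_fd, .response = verdict };
    return write(fan_fd, &resp, sizeof resp) == (ssize_t)sizeof resp ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <mount-point> <deny-prefix>\n", argv[0]);
        return 2;
    }
    const char *mount = argv[1], *deny_prefix = argv[2];

    /* FAN_CLASS_CONTENT delivers permission events (needs CAP_SYS_ADMIN). */
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC,
                            O_RDONLY | O_LARGEFILE);
    if (fan < 0) {
        perror("fanotify_init");
        return 1;
    }
    /* A plain directory mark is not recursive; FAN_MARK_MOUNT covers every
     * object on the mount instead, which is the stock way around that gap. */
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM,
                      AT_FDCWD, mount) < 0) {
        perror("fanotify_mark");
        return 1;
    }

    struct fanotify_event_metadata buf[200]; /* naturally aligned buffer */
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len < 0 && errno == EINTR)
            continue;
        if (len <= 0) {
            perror("read");
            return 1;
        }
        struct fanotify_event_metadata *ev = buf;
        while (FAN_EVENT_OK(ev, len)) {
            if (ev->vers != FANOTIFY_METADATA_VERSION) {
                fprintf(stderr, "fanotify ABI mismatch\n");
                return 1;
            }
            if (ev->fd >= 0) {
                if (ev->mask & FAN_OPEN_PERM) {
                    char path[PATH_MAX] = "?";
                    fd_to_path(ev->fd, path, sizeof path);
                    unsigned int verdict = decide_open(path, deny_prefix);
                    fprintf(stderr, "pid %d open %s -> %s\n", ev->pid, path,
                            verdict == FAN_DENY ? "DENY" : "allow");
                    respond(fan, ev->fd, verdict);
                }
                close(ev->fd);
            }
            ev = FAN_EVENT_NEXT(ev, len);
        }
    }
}
```

Run it as root against a scratch mount, for example `./fanotify-deny /mnt/scratch /mnt/scratch/secret`, and an open of anything under /mnt/scratch/secret from another shell fails with EPERM while the rest of the mount is untouched. Two caveats matter for a build sandbox: only open() is mediated here (stat, readdir, rename and unlink are not permission events in this API), and the listener must keep answering, since a stalled or dead listener leaves every opener blocked until the fanotify fd is closed. The message's own limitation also stands: none of this sees network or IPC, which is what the namespace approach in the quoted text covers.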
