1 |
On Fri, Sep 22, 2017 at 7:38 AM, Sergei Trofimovich <slyfox@g.o> wrote: |
2 |
> |
3 |
> Some other distros try harder to isolate build environment either |
4 |
> through chroot and/or private mount/user/network namespace that |
5 |
> contains only explicitly specified files in build environment. |
6 |
> |
7 |
> That would require more cooperation from package manager to fetch |
8 |
> list of all visible depends. |
9 |
> |
10 |
|
11 |
I definitely think this is something that would be VERY useful to |
12 |
have, because it makes build-time dependency issues almost impossible. |
13 |
|
14 |
However, you don't need that complete solution just to have a sandbox. |
15 |
You could simply create a container with the entire contents of the |
16 |
main filesystem, but read-only, with the exception of the build area. |
17 |
That would replicate the functionality of the current sandbox and |
18 |
would be easier than building out just the files specified in the |
19 |
dependencies. |
20 |
|
21 |
The main issue I see with making it dependency aware is performance. |
22 |
You would need to walk all the dependencies and their run-time |
23 |
dependencies, and the system set, and then individually bind-mount the |
24 |
files that belong to them read-only into the container. That isn't |
25 |
necessarily difficult, but I imagine that it would be slow. Walking |
26 |
the dependencies obviously already happens during resolution so that |
27 |
could probably be cached. You could also cache the list of files for |
28 |
the system set, and you could even maintain a snapshot of these that |
29 |
is used as the base of the container (somebody would need to work out |
30 |
the savings of doing this vs the cost of updating it every time a |
31 |
system set package changes). |
32 |
|
33 |
However, the main thing I wanted to point out is that you don't need a |
34 |
dependency-aware solution to just replace the existing sandbox. |
35 |
|
36 |
> I like clear sandbox error reporting. |
37 |
|
38 |
As far as error reporting goes, you would get kernel-level errors like |
39 |
attempting to write to a read-only bind mount, or trying to read a |
40 |
file that doesn't exist. To a portage dev it should be pretty obvious |
41 |
what is going on. You could add canned text to the portage error |
42 |
output at the end. I'm not sure how visible the problems would be to |
43 |
portage except to the degree that the build system makes them visible |
44 |
- it would just see make terminate with a non-zero return. |
45 |
|
46 |
I would think that containers would be almost completely bug-free |
47 |
though. The only thing I could see as an issue is some build system |
48 |
that relies on IPC with the host, network access, etc. Namespaces |
49 |
themselves are very robust, and the kernel already looks at every |
50 |
process as belonging to a set of namespaces even in the default case |
51 |
where you only have one set of namespaces on the system, so they don't |
52 |
involve different code paths/etc. |
53 |
|
54 |
-- |
55 |
Rich |