On Sun, 11 May 2014 23:42:38 +0200
Michał Górny <mgorny@g.o> wrote:

> Hi, everyone.
>
> Almost 9 months ago I committed three new FEATURES for portage:
> cgroup, ipc-sandbox and network-sandbox. Today I'd like to propose
> enabling at least the latter two by default.
>
>
> Firstly, I'd like to shortly remind you what they do:
>
> 1. cgroup -- puts all processes spawned by ebuild into a cgroup, and kills
> all of them once the phase exits (prevents leaving orphans),
>
> 2. ipc-sandbox -- puts all processes spawned by ebuild into a separate
> IPC namespace, preventing them from interfacing other system services
> via IPC (message queues, semaphores, shared memory),
>
> 3. network-sandbox -- puts all processes spawned by ebuild into
> a separate network namespace with a private loopback interface,
> preventing them from interfacing other system services, local network
> and the Internet.

[snip]

All three of these require kernel support. It might be a good idea to add
the needed options to that Gentoo Linux menu we have in gentoo-sources and
enable them by default. I think it would be non-obvious to a new user that
they would have to enable network and IPC namespaces for portage to work
properly out of the box (and if they disable the latter they get a bunch of
cryptic "Unable to unshare: EINVAL" messages every time they build something,
which isn't very helpful).

Do we know of any packages broken by these features? Maybe we can add them to
the dev profiles for a while before we dump it on everyone.

Otherwise +1.


--
Ryan Hill psn: dirtyepic_sk
gcc-porting/toolchain/wxwidgets @ gentoo.org

47C3 6D62 4864 0E49 8E9E 7F92 ED38 BD49 957A 8463
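The reply above points out that the three FEATURES need kernel support and that a missing option only shows up as an "Unable to unshare: EINVAL" message at build time. The script below is an added example written for this page (it is not part of the thread and not portage's own code): it maps each FEATURE to the kernel config symbol it depends on and reports which FEATURES a given kernel config cannot support. The FEATURE-to-symbol mapping (CONFIG_CGROUPS, CONFIG_IPC_NS, CONFIG_NET_NS) and the two config locations it looks at (/proc/config.gz, /boot/config-$(uname -r)) are my assumptions based on what the features do; the sample configs at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from portage.
# Checks whether a kernel config enables what the portage FEATURES
# cgroup, ipc-sandbox and network-sandbox need.

# FEATURE -> kernel config symbol pairs, one per line. The mapping is an
# assumption derived from what each feature does (cgroups, IPC namespace,
# network namespace), not something stated in the thread.
feature_requirements() {
    printf '%s\n' \
        'cgroup CONFIG_CGROUPS' \
        'ipc-sandbox CONFIG_IPC_NS' \
        'network-sandbox CONFIG_NET_NS'
}

# Read a kernel config on stdin and print the FEATURES whose symbol is
# neither =y nor =m, one per line. Prints nothing when all are satisfied.
missing_features() {
    cfg=$(cat)
    feature_requirements | while read -r feature symbol; do
        printf '%s\n' "$cfg" | grep -q "^$symbol=[ym]\$" || printf '%s\n' "$feature"
    done
}

# Read a kernel config on stdin; return 0 when every FEATURE is supported,
# 1 (with a one-line explanation on stderr) when any is missing. When a
# symbol is missing, unshare(2) for that namespace fails with EINVAL, which
# is the cryptic message the reply describes.
check_portage_features() {
    missing=$(missing_features)
    if [ -n "$missing" ]; then
        printf 'kernel lacks support for FEATURES: %s\n' \
            "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Emit the running kernel's config on stdout, or return 1 if none is found.
# Assumed locations: /proc/config.gz (CONFIG_IKCONFIG_PROC) or /boot.
current_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Constructed sample configs (not real Gentoo kernel configs).
SAMPLE_FULL='CONFIG_CGROUPS=y
CONFIG_IPC_NS=y
CONFIG_NET_NS=y'

SAMPLE_NO_IPC='CONFIG_CGROUPS=y
# CONFIG_IPC_NS is not set
CONFIG_NET_NS=y'

SAMPLE_NONE='# CONFIG_CGROUPS is not set
# CONFIG_IPC_NS is not set
# CONFIG_NET_NS is not set'

# Demonstration against the constructed samples, then the live kernel if
# its config can be found.
for name in SAMPLE_FULL SAMPLE_NO_IPC SAMPLE_NONE; do
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | check_portage_features 2>/dev/null; then
        echo "$name: all FEATURES supported"
    else
        echo "$name: missing $(printf '%s\n' "$cfg" | missing_features | tr '\n' ' ')"
    fi
done

if cfg=$(current_kernel_config 2>/dev/null); then
    printf '%s\n' "$cfg" | check_portage_features && echo "running kernel: ok"
else
    echo "running kernel: config not found, skipped"
fi
```

Run it as-is to see the three sample verdicts; on a Gentoo box with CONFIG_IKCONFIG_PROC it also reports the running kernel. Only a symbol set to y or m counts as enabled, so a "# CONFIG_IPC_NS is not set" line is correctly treated as missing.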