| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 08/20/2013 06:26 AM, Michał Górny wrote: |
| 5 |
> Hello, fellow developers. |
| 6 |
> |
| 7 |
> I've added a few new fancy features for Gentoo developers to portage |
| 8 |
> git. Sadly, since Zac isn't planning another release until 2.2.0 goes |
| 9 |
> stable, you need to switch to -9999 to use them. But I say to you, it's |
| 10 |
> worth the hassle. |
| 11 |
|
| 12 |
Any idea on an eta for that? |
| 13 |
|
| 14 |
This is some fantastic looking stuff. I'm really looking forward to |
| 15 |
using these features. |
| 16 |
|
| 17 |
Thanks, |
| 18 |
Zero |
| 19 |
> |
| 20 |
> The features are off by default since they need proper testing and can |
| 21 |
> break a lot of ebuilds. And FEATURES=network-sandbox does. |
| 22 |
> |
| 23 |
> It should be noted that all of the features follow the systemd idea of |
| 24 |
> supporting Linux only and require fancy kernel features. |
| 25 |
> |
| 26 |
> |
| 27 |
> The following new FEATURES have been added: |
| 28 |
> |
| 29 |
> 1. FEATURES=cgroup |
| 30 |
> |
| 31 |
> Requires: CONFIG_CGROUPS |
| 32 |
> |
| 33 |
> Applies to: all src_* phases |
| 34 |
> |
| 35 |
> Enables long-awaited cgroup support in portage. Each ebuild is confined |
| 36 |
> within a control group and all spawned processes are tracked. Once |
| 37 |
> the phase exits, all remaining orphans are killed. |
| 38 |
> |
| 39 |
> This helps especially with multiprocessing/multibuild stuff and some |
| 40 |
> test phases that need to spawn servers. It ensures that portage does |
| 41 |
> not leave any orphans that would otherwise need to be separately |
| 42 |
> tracked and killed. |
| 43 |
> |
| 44 |
> Control groups are applied to src_* phases only, since we expect that |
| 45 |
> pkg_postinst() may restart external daemons, and those could end up |
| 46 |
> being attached to the cgroup. |
| 47 |
> |
| 48 |
> I doubt this could break something. |
| 49 |
> |
| 50 |
> |
| 51 |
> 2. FEATURES=network-sandbox |
| 52 |
> |
| 53 |
> Requires: CONFIG_NAMESPACES, CONFIG_NET_NS |
| 54 |
> |
| 55 |
> Applies to: src_* except for src_unpack |
| 56 |
> |
| 57 |
> This one uses the unshare() syscall to detach the build process from |
| 58 |
> host's network stack. This effectively means that each of the listed |
| 59 |
> phases will be able only to access a detached, 'local' loopback |
| 60 |
> interface and nothing else. |
| 61 |
> |
| 62 |
> This has a few implications. First of all, ebuilds that used to access |
| 63 |
> the Internet won't be able to do that anymore. In the Python world, |
| 64 |
> this would mean that some packages will start to fail properly instead |
| 65 |
> of downloading missing dependencies. It will also break or skip all |
| 66 |
> the tests that rely on the network being available. |
| 67 |
> |
| 68 |
> Secondly, this will prevent any kind of communication between host |
| 69 |
> network and ebuild, including services running on 127.0.0.1. That is, |
| 70 |
> ebuild will no longer be able to access production services running |
| 71 |
> on the host. This affects e.g. old mongodb frontend ebuilds which used |
| 72 |
> to run tests on the live database server (yep, create and delete |
| 73 |
> databases there). |
| 74 |
> |
| 75 |
> Thirdly, this will prevent the daemons spawned within ebuild from being |
| 76 |
> publicly accessible. That is, if test phase spawns some kind of TCP/IP |
| 77 |
> server, even local users won't be able to connect to it (outside of |
| 78 |
> the namespace). This should improve the security. |
| 79 |
> |
| 80 |
> This does not apply to pkg_* phases where networking may be needed for |
| 81 |
> some kind of IPC, and src_unpack where it is used for VCS fetching. If |
| 82 |
> we introduce separate src_fetch in a future EAPI, the exclude will |
| 83 |
> move there. |
| 84 |
> |
| 85 |
> This one's going to trigger a lot of breakage in ebuilds. Therefore, |
| 86 |
> I'd appreciate if developers started using it early and fixing |
| 87 |
> the ebuilds. |
| 88 |
> |
| 89 |
> |
| 90 |
> 3. FEATURES=ipc-sandbox |
| 91 |
> |
| 92 |
> Requires: CONFIG_NAMESPACES, CONFIG_IPC_NS |
| 93 |
> |
| 94 |
> Applies to: src_* |
| 95 |
> |
| 96 |
> This one separates the ebuild's *nix IPC stuff from host. This includes |
| 97 |
> semaphores, shared memory etc. Similarly to network-sandbox, this could |
| 98 |
> prevent ebuilds from communicating with some production servers. |
| 99 |
> |
| 100 |
> But honestly, I have no idea if anything really does it or relies on it. |
| 101 |
> I doubt this could break something but it's worth testing. |
| 102 |
> |
| 103 |
> |
| 104 |
> I'd really appreciate some testing and feedback. Thanks. |
| 105 |
> |
| 106 |
|
| 107 |
-----BEGIN PGP SIGNATURE----- |
| 108 |
Version: GnuPG v2.0.20 (GNU/Linux) |
| 109 |
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ |
| 110 |
|
| 111 |
iQIcBAEBAgAGBQJSE4Q3AAoJEKXdFCfdEflKB+wP/3ZYGqcdOz+ojIx5+7DT+OBY |
| 112 |
qJEz8oIDI73P/Bn6VsLAeq2bO5RaLLB1rIqB4cxbIncxLb/Vwsuk6VgryPNxaH7C |
| 113 |
+2ctSZEaUSo+2Kg2sVrHxd+n0kC19GrZOXr9y5HvKSWofMYP2My67xAoRrg0/qe8 |
| 114 |
7A1jjMKbh29L+rt8krnSNYHt9EoUe7soeNEcCcVYkyRUkoQnkOy0qqBBvAUB8Ggy |
| 115 |
Gt0M3zZ9aHYTCcFbVv/JW7kntMt601AMMfsz/zK2dcBu2nyPCz1oOFgsfz23qPTw |
| 116 |
GYh2iJxMekWihxU/fJHGJIlXnNxhRHxCB7tKojgYiREqbVcBEWSr9S7QoNKL9Lts |
| 117 |
ZZ2ubSXuwjpcyGn4ih2lWdBFb7vvG5lKVoFpQimG1/sNLTgtLCejZ05IFvd08zyo |
| 118 |
UNpp2/lZpJuBsGi8zXVhUlDz8Fe4itNBHjXq90LqWDsQlp3h4BmYjxdrygG5LPMt |
| 119 |
+S/6hK24muE27FDEFLGEMNl71DZykETPq6YYFgqvQpmhgTVtDBUHCQ8L1UpQwBIE |
| 120 |
PMwEnwTJtezsfKhPR+OTNBRTAVHRL4/MF7lL3wVrLHJ3wpyFVEec2ixJ3vK5ap6Q |
| 121 |
TgPzMm2QhYS1ncCNCt4Gwxs0DyHuZrSrkWKLlWW8o6A2qWp3TxCeaEfkfca5nn/e |
| 122 |
9IzX5hSKEbHlyHBmm467 |
| 123 |
=4jTs |
| 124 |
-----END PGP SIGNATURE----- |
Archives