| 1 |
On Aug 20, 2013 11:20 AM, "Michał Górny" <mgorny@g.o> wrote: |
| 2 |
> |
| 3 |
> Dnia 2013-08-20, o godz. 11:04:35 |
| 4 |
> Alexis Ballier <aballier@g.o> napisał(a): |
| 5 |
> |
| 6 |
> > On Tue, 20 Aug 2013 12:26:03 +0200 |
| 7 |
> > Michał Górny <mgorny@g.o> wrote: |
| 8 |
> > > |
| 9 |
> > > 2. FEATURES=network-sandbox |
| 10 |
> > > |
| 11 |
> > |
| 12 |
> > does distcc work with this ? |
| 13 |
> |
| 14 |
> You could say that. It just can't connect to any other host :). |
| 15 |
> |
| 16 |
> We may try to handle this somehow but I can't immediately think of any |
| 17 |
> sane way of 'escaping' the sandbox. |
| 18 |
|
| 19 |
You could do it the same way as LXC does, with a virtual interface which is |
| 20 |
then NAT-ed to the real network interface, but I'm not sure I'd consider |
| 21 |
this sane. The overhead required to set this up on every execution of gcc, |
| 22 |
let alone the modifications needed for NAT, pretty much makes rules this |
| 23 |
out completely. You might be able to exploit iptables and ip6tables to |
| 24 |
allow only distcc to communicate out, but that's still painful and is a |
| 25 |
hack at best. |
| 26 |
|
| 27 |
-Doug |
Archives