1 |
On Fri, Sep 22, 2017 at 5:27 AM, Rich Freeman <rich0@g.o> wrote: |
2 |
>On Fri, Sep 22, 2017 at 7:38 AM, Sergei Trofimovich <slyfox@g.o> wrote: |
3 |
>> |
4 |
>> Some other distros try harder to isolate build environment either |
5 |
>> through chroot and/or private mount/user/network namespace that |
6 |
>> contains only explicitly specified files in build environment. |
7 |
>> |
8 |
>> That would require more cooperation from package manager to fetch |
9 |
>> list of all visible depends. |
10 |
>> |
11 |
> |
12 |
>I definitely think this is something that would be VERY useful to |
13 |
>have, because it makes build-time dependency issues almost impossible. |
14 |
> |
15 |
>However, you don't need that complete solution just to have a sandbox. |
16 |
>You could simply create a container with the entire contents of the |
17 |
>main filesystem, but read-only, with the exception of the build area. |
18 |
>That would replicate the functionality of the current sandbox and |
19 |
>would be easier than building out just the files specified in the |
20 |
>dependencies. |
21 |
> |
22 |
>The main issue I see with making it dependency aware is performance. |
23 |
>You would need to walk all the dependencies and their run-time |
24 |
>dependencies, and the system set, and then individually bind-mount the |
25 |
>files that belong to them read-only into the container. That isn't |
26 |
>necessarily difficult, but I imagine that it would be slow. Walking |
27 |
>the dependencies obviously already happens during resolution so that |
28 |
>could probably be cached. You could also cache the list of files for |
29 |
>the system set, and you could even maintain a snapshot of these that |
30 |
>is used as the base of the container (somebody would need to work out |
31 |
>the savings of doing this vs the cost of updating it every time a |
32 |
>system set package changes). |
33 |
> |
34 |
>However, the main thing I wanted to point out is that you don't need a |
35 |
>dependency-aware solution to just replace the existing sandbox. |
36 |
> |
37 |
>> I like clear sandbox error reporting. |
38 |
> |
39 |
>As far as error reporting goes, you would get kernel-level errors like |
40 |
>attempting to write to a read-only bind mount, or trying to read a |
41 |
>file that doesn't exist. To a portage dev it should be pretty obvious |
42 |
>what is going on. You could add canned text to the portage error |
43 |
>output at the end. I'm not sure how visible the problems would be to |
44 |
>portage except to the degree that the build system makes them visible |
45 |
>- it would just see make terminate with a non-zero return. |
46 |
> |
47 |
>I would think that containers would be almost completely bug-free |
48 |
>though. The only thing I could see as an issue is some build system |
49 |
>that relies on IPC with the host, network access, etc. Namespaces |
50 |
>themselves are very robust, and the kernel already looks at every |
51 |
>process as belonging to a set of namespaces even in the default case |
52 |
>where you only have one set of namespaces on the system, so they don't |
53 |
>involve different code paths/etc. |
54 |
> |
55 |
>-- |
56 |
>Rich |
57 |
|
58 |
Another possibility, could be to have the sandbox be an overlayfs |
59 |
not of the build directory but of the entire system starting at "/" and stick |
60 |
that into the container, only CLONE_NEWNS looks to be needed. |
61 |
|
62 |
A container with all writes going to the upper layer of the overlay could be |
63 |
safe against even #RM -RF / and other disasters, while still tracking what |
64 |
is happening during the build. |
65 |
|
66 |
Should performance be too much of a problem having a bind mount of |
67 |
the build directory on top of the overlay should give normal performance to |
68 |
everything that is obeying good practice. |
69 |
|
70 |
After the build completes the directory that was mounted as upper could |
71 |
be scanned to find any wayward writes that had occurred... |
72 |
|
73 |
This would not require LD_PRELOAD or ptrace eliminating most of the |
74 |
"high magic" currently used. |
75 |
|
76 |
Just yesterday I had a lot of ptrace failures while trying something odd |
77 |
with ROOT= and custom USE |
78 |
|
79 |
Jim McMechan |