Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Cc: zerochaos@g.o
Subject: Re: [gentoo-dev] RFC: enabling ipc-sandbox & network-sandbox by default
Date: Mon, 12 May 2014 17:39:23
Message-Id: 20140512193909.601ec5fc@pomiot.lan
In Reply to: Re: [gentoo-dev] RFC: enabling ipc-sandbox & network-sandbox by default by "Rick \"Zero_Chaos\" Farina"
On 2014-05-12, at 13:22:20,
"Rick \"Zero_Chaos\" Farina" <zerochaos@g.o> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/12/2014 01:08 PM, Michał Górny wrote:
> > On 2014-05-12, at 12:07:11,
> > "Rick \"Zero_Chaos\" Farina" <zerochaos@g.o> wrote:
> >
> >> What about talking to local network resources? In my metasploit ebuild
> >> it has tests available which talk to a local database and are perfectly
> >> safe, however, if postgresql is started on the system the tests don't
> >> work, the ebuild needs to start its own postgresql to run the tests.
> >
> > How can you assume that the tests are perfectly safe? What do the tests
> > do exactly?
> >
>
> As stated just below, the tests are not poorly written. All testing is
> done in a test DB which is different from the production DB.

I don't know postgresql well enough, but does the test db reside
in the temporary build directory? That is, can you guarantee that:

1) it will never ever collide with the user's database,

2) it will be properly cleaned up even if the test suite terminates
unexpectedly?

> > I wouldn't call spawning a daemon that close to insanity. For those who
> > haven't seen such a thing yet -- dev-python/pymongo is an example where
> > I fixed a similar issue (writing into production database). Though it's
> > a bit hacky since I needed a way to bind to a random free port -- with
> > network namespaces it'd be easier as Rich noted, since the ebuild would
> > have all ports free.
> >
> That would be nice, can we do the network namespaces so that I at least
> don't have to bind to a random port? That alone would be a major
> improvement in usability.

FEATURES=network-sandbox == network namespaces.

I'd say a reasonable assumption would be to Gentoo-reserve a port range
for ebuild use, and use a port in that range. When network-sandbox
becomes the default, it will be perfectly safe. Before that, it will be
reasonably safe :).

--
Best regards,
Michał Górny
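
The two guarantees asked for above (a data directory that cannot collide with the user's database, cleanup when the tests abort) and the reserved-port idea, sketched as an added example that is not part of the original message and is not Portage or pymongo code. The port range, `pick_port` and `private_instance` are assumptions made for illustration; the thread names no actual range.

```python
import contextlib
import shutil
import socket
import tempfile

# Hypothetical range: the thread proposes reserving one but names no numbers.
EBUILD_PORT_RANGE = range(20000, 20016)


def pick_port(ports=EBUILD_PORT_RANGE, host="127.0.0.1"):
    """Return the first port in `ports` that can be bound on loopback.

    Inside a network namespace every port is free, so the first candidate
    always wins. Outside one, a host service may already hold a port, so
    each candidate is probed. The probe is closed before the real daemon
    binds, which leaves a short race window on a shared host.
    """
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
            try:
                probe.bind((host, port))  # loopback only, never 0.0.0.0
            except OSError:
                continue  # held by another process on the host
            return port
    raise RuntimeError("no free port in the reserved range")


@contextlib.contextmanager
def private_instance(build_tmp=None):
    """Yield (datadir, port) for a throwaway test daemon and clean up after.

    datadir is created fresh under the build's temporary directory
    (build_tmp; the system temp dir if None), so it cannot be a path that
    a production instance already uses.
    """
    datadir = tempfile.mkdtemp(prefix="testdb-", dir=build_tmp)
    try:
        yield datadir, pick_port()
    finally:
        # Runs when the tests fail or raise; it cannot run after SIGKILL,
        # which is why the directory belongs under the build tmpdir.
        shutil.rmtree(datadir, ignore_errors=True)
```

The caller starts its daemon with the yielded directory and port inside the `with` block and stops it before leaving the block.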

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-dev] RFC: enabling ipc-sandbox & network-sandbox by default Luis Ressel <aranea@×××××.de>