| 1 |
On Mon, 12 May 2014 00:47:17 -0600 |
| 2 |
Ryan Hill <rhill@g.o> wrote: |
| 3 |
|
| 4 |
> > 1. cgroup -- puts all processes spawned by ebuild to cgroup, and |
| 5 |
> > kills all of them once phase exits (prevents leaving orphans), |
| 6 |
> > |
| 7 |
> > 2. ipc-sandbox -- puts all processes spawned by ebuild to a separate |
| 8 |
> > IPC namespace, preventing them from interfacing other system |
| 9 |
> > services via IPC (message queues, semaphores, shared memory), |
| 10 |
> > |
| 11 |
> > 3. network-sandbox -- puts all processes spawned by ebuild to |
| 12 |
> > a separate network namespace with a private loopback interface, |
| 13 |
> > preventing them from interfacing other system services, local |
| 14 |
> > network and the Internet. |
| 15 |
> |
| 16 |
> All three of these require kernel support. It might be a good idea |
| 17 |
> to add the needed options to that Gentoo Linux menu we have in |
| 18 |
> gentoo-sources and enable them by default. |
| 19 |
|
| 20 |
Right, this skipped my mind when I enabled them yesterday; this should |
| 21 |
be documented, as well as have Portage check for missing support and |
| 22 |
test it and bail out with a proper error message if it doesn't already. |
| 23 |
|
| 24 |
Which options are these in particular? I'll cook a patch with them. |
| 25 |
|
| 26 |
-- |
| 27 |
With kind regards, |
| 28 |
|
| 29 |
Tom Wijsman (TomWij) |
| 30 |
Gentoo Developer |
| 31 |
|
| 32 |
E-mail address : TomWij@g.o |
| 33 |
GPG Public Key : 6D34E57D |
| 34 |
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D |
Archives