From: Michał Górny
To: gentoo-dev-announce@lists.gentoo.org
Cc: gentoo-dev@lists.gentoo.org
Date: Tue, 20 Aug 2013 12:26:03 +0200
Subject: [gentoo-dev-announce] New developer features in portage: cgroup, network-sandbox, ipc-sandbox
Message-ID: <20130820122603.54496cf1@gentoo.org>

Hello, fellow developers.

I've added a few new fancy features for Gentoo developers to portage git.
Sadly, since Zac isn't planning another release until 2.2.0 goes stable, you need to switch to -9999 to use them. But I say to you, it's worth the hassle.

The features are off by default since they need proper testing and can break a lot of ebuilds. And FEATURES=network-sandbox does.

It should be noted that all of the features follow the systemd idea of supporting Linux only and require fancy kernel features.

The following new FEATURES have been added:

1. FEATURES=cgroup

Requires: CONFIG_CGROUPS
Applies to: all src_* phases

Enables long-awaited cgroup support in portage. Each ebuild is confined within a control group and all spawned processes are tracked. Once the phase exits, all remaining orphans are killed.

This helps especially with multiprocessing/multibuild stuff and some test phases that need to spawn servers. It ensures that portage does not leave any orphans that would otherwise need to be separately tracked and killed.

Control groups are applied to src_* phases only, since we expect that pkg_postinst() may restart external daemons, and those could end up being attached to the cgroup. I doubt this could break something.

2. FEATURES=network-sandbox

Requires: CONFIG_NAMESPACES, CONFIG_NET_NS
Applies to: src_* except for src_unpack

This one uses the unshare() syscall to detach the build process from the host's network stack. This effectively means that each of the listed phases will only be able to access a detached, 'local' loopback interface and nothing else.

This has a few implications.

First of all, ebuilds that used to access the Internet won't be able to do that anymore. In the Python world, this would mean that some packages will start to fail properly instead of downloading missing dependencies. It will also break or skip all the tests that rely on the network being available.

Secondly, this will prevent any kind of communication between the host network and the ebuild, including services running on 127.0.0.1.
That is, an ebuild will no longer be able to access production services running on the host. This affects e.g. old mongodb frontend ebuilds which used to run tests on the live database server (yep, create and delete databases there).

Thirdly, this will prevent the daemons spawned within the ebuild from being publicly accessible. That is, if the test phase spawns some kind of TCP/IP server, even local users won't be able to connect to it (outside of the namespace). This should improve security.

This does not apply to pkg_* phases, where networking may be needed for some kind of IPC, and src_unpack, where it is used for VCS fetching. If we introduce a separate src_fetch in a future EAPI, the exclusion will move there.

This one's going to trigger a lot of breakage in ebuilds. Therefore, I'd appreciate it if developers started using it early and fixing the ebuilds.

3. FEATURES=ipc-sandbox

Requires: CONFIG_NAMESPACES, CONFIG_IPC_NS
Applies to: src_*

This one separates the ebuild's *nix IPC stuff from the host. This includes semaphores, shared memory etc.

Similarly to network-sandbox, this could prevent ebuilds from communicating with some production servers. But honestly, I have no idea if anything really does it or relies on it. I doubt this could break something but it's worth testing.

I'd really appreciate some testing and feedback. Thanks.
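The network-sandbox behaviour from section 2, as an added example that is not part of this mail or of portage's code: a parent process stands in for a host service listening on 127.0.0.1, and a forked child calls unshare(CLONE_NEWNET) before trying to connect back, so the connection fails even though the service is still up. The ISO_* names, the try_loopback_connect() helper and the fallback to a user namespace for unprivileged runs are assumptions of this example only.

```c
#define _GNU_SOURCE              /* exposes unshare() and CLONE_* in glibc headers */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWNET             /* kernel ABI values, in case _GNU_SOURCE came too late */
#define CLONE_NEWNET  0x40000000
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);          /* glibc prototype, repeated for the same reason */

/* Child outcomes (hypothetical names, not portage's). */
enum { ISO_REACHED = 0, ISO_BLOCKED = 1, ISO_UNSHARE_DENIED = 2, ISO_ERROR = 3 };
/* The parent listens on an ephemeral 127.0.0.1 port, standing in for a host
 * service. A forked child optionally detaches its network stack with
 * unshare(CLONE_NEWNET), as network-sandbox does, then tries to connect back. */
int try_loopback_connect(int isolate)
{
    struct sockaddr_in addr = { .sin_family = AF_INET };   /* port 0: kernel picks */
    socklen_t alen = sizeof addr;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0 || bind(srv, (struct sockaddr *)&addr, alen) < 0 ||
        getsockname(srv, (struct sockaddr *)&addr, &alen) < 0 || listen(srv, 1) < 0)
        return ISO_ERROR;
    pid_t pid = fork();
    if (pid < 0) { close(srv); return ISO_ERROR; }
    if (pid == 0) {
        if (isolate && unshare(CLONE_NEWNET) < 0 &&
            unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0)     /* unprivileged fallback */
            _exit(ISO_UNSHARE_DENIED);
        int c = socket(AF_INET, SOCK_STREAM, 0);
        if (c < 0) _exit(ISO_ERROR);
        /* In a fresh netns even lo is down, so connect() fails although the
         * parent is still listening on the host's loopback. */
        _exit(connect(c, (struct sockaddr *)&addr, alen) == 0 ? ISO_REACHED : ISO_BLOCKED);
    }
    int status = 0; waitpid(pid, &status, 0);
    close(srv);
    return WIFEXITED(status) ? WEXITSTATUS(status) : ISO_ERROR;
}

int main(void) { printf("host: %d, detached: %d (0 reached, 1 blocked, 2 unshare denied)\n",
                        try_loopback_connect(0), try_loopback_connect(1)); return 0; }
```

ipc-sandbox relies on the same syscall with CLONE_NEWIPC in place of CLONE_NEWNET, so the same pattern applies to System V semaphores and shared memory.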
-- 
Best regards,
Michał Górny