public inbox for gentoo-portage-dev@lists.gentoo.org
* [gentoo-portage-dev] [PATCH] Enable cgroup, ipc-sandbox & network-sandbox by default
@ 2015-04-06 12:37 Michał Górny
From: Michał Górny @ 2015-04-06 12:37 UTC
  To: gentoo-portage-dev; +Cc: Michał Górny

All three features should be mature enough to be enabled by default.
CGroups provide better tracking for ebuild processes, while the two
sandboxes improve security through restricting IPC & network access for
build-only phases.

All the features degrade gracefully when the relevant kernel features
are not available.
---
 cnf/make.globals | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cnf/make.globals b/cnf/make.globals
index dd99618..2d93e9d 100644
--- a/cnf/make.globals
+++ b/cnf/make.globals
@@ -50,9 +50,10 @@ RESUMECOMMAND_SSH=${FETCHCOMMAND_SSH}
 FETCHCOMMAND_SFTP="bash -c \"x=\\\${2#sftp://} ; host=\\\${x%%/*} ; port=\\\${host##*:} ; host=\\\${host%:*} ; [[ \\\${host} = \\\${port} ]] && port=22 ; eval \\\"declare -a ssh_opts=(\\\${3})\\\" ; exec sftp -P \\\${port} \\\"\\\${ssh_opts[@]}\\\" \\\"\\\${host}:/\\\${x#*/}\\\" \\\"\\\$1\\\"\" sftp \"\${DISTDIR}/\${FILE}\" \"\${URI}\" \"\${PORTAGE_SSH_OPTS}\""
 
 # Default user options
-FEATURES="assume-digests binpkg-logs
+FEATURES="assume-digests binpkg-logs cgroup
           config-protect-if-modified distlocks ebuild-locks
-          fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned
+          fixlafiles ipc-sandbox merge-sync network-sandbox
+		  news parallel-fetch preserve-libs protect-owned
           sandbox sfperms strict unknown-features-warn unmerge-logs
           unmerge-orphans userfetch userpriv usersandbox usersync"
 
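Review bot: the continuation line `+		  news parallel-fetch preserve-libs protect-owned` is indented with a tab followed by two spaces, while every neighbouring line of the FEATURES value (`+          fixlafiles ipc-sandbox merge-sync network-sandbox`, ` sandbox sfperms strict ...`) uses spaces only; inside a quoted shell string the mix is harmless to parsing but it breaks the visual alignment of the list, so replace the tab with the same run of spaces. Separately, the commit message states that all three features degrade gracefully when kernel support is missing, but this hunk only adds the tokens to the default FEATURES and contains no fallback logic itself, so that claim rests entirely on the existing runtime handling of cgroup, ipc-sandbox and network-sandbox failures; worth stating in the message which code paths provide it.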
-- 
2.3.5

* [gentoo-portage-dev] Re: [PATCH] Enable cgroup, ipc-sandbox & network-sandbox by default
From: Martin Vaeth @ 2015-04-08 14:03 UTC
  To: gentoo-portage-dev

Michał Górny <mgorny@gentoo.org> wrote:
>
> All the features degrade gracefully when the relevant kernel features
> are not available.

In connection with some old version of rescuecd, and fetching files,
one can run into troubles with FEATURES=cgroups

https://forums.gentoo.org/viewtopic-t-1009074-start-0-postdays-0-postorder-asc-highlight-.html

(The bad thing was that this error happened, before it was clear
that portage attempted to fetch files)

* Re: [gentoo-portage-dev] Re: [PATCH] Enable cgroup, ipc-sandbox & network-sandbox by default
From: Zac Medico @ 2015-04-08 15:48 UTC
  To: gentoo-portage-dev

On 04/08/2015 07:03 AM, Martin Vaeth wrote:
> Michał Górny <mgorny@gentoo.org> wrote:
>>
>> All the features degrade gracefully when the relevant kernel features
>> are not available.
> 
> In connection with some old version of rescuecd, and fetching files,
> one can run into troubles with FEATURES=cgroups
> 
> https://forums.gentoo.org/viewtopic-t-1009074-start-0-postdays-0-postorder-asc-highlight-.html
> 
> (The bad thing was that this error happened, before it was clear
> that portage attempted to fetch files)

"IOError: [Errno 22] Invalid argument" is thrown when writing to
cgroup.procs in portage.process._exec(). We need to detect whatever
conditions cause this inside AbstractEbuildProcess._start(), and disable
the cgroup usage in that case.
-- 
Thanks,
Zac
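The detect-and-disable approach Zac describes, written out as an added illustration that is not Portage's own code. The hypothetical `probe_cgroup` performs the same `cgroup.procs` write that `portage.process._exec()` would, treats a small assumed set of errno values (EINVAL, the one quoted in this thread, plus the usual "no usable hierarchy" errors) as a reason to degrade, and re-raises anything else so that genuine bugs stay visible. `effective_features` then drops only `cgroup` from the configured FEATURES, leaving ipc-sandbox and network-sandbox untouched, which is the decision a `_start()`-style hook would have to make before spawning. The file writer is injected so the example runs offline against constructed fakes; the cgroup path and the FEATURES set are placeholders.

```python
import errno
import os
from typing import Callable, FrozenSet, Optional, Tuple

# errno values for which "this host has no usable cgroup hierarchy" is the
# right reading, so the build should continue without cgroup rather than die.
# EINVAL is the one reported in this thread; the others are the usual ways a
# missing, unmounted, or read-only hierarchy shows up. (Assumed list, not
# taken from Portage.)
CGROUP_DEGRADE_ERRNOS: FrozenSet[int] = frozenset({
    errno.EINVAL, errno.ENOENT, errno.ENOTDIR,
    errno.EPERM, errno.EACCES, errno.EROFS,
})

# Hypothetical writer type: (path, data) -> None. The default writes a real
# file; the demo substitutes constructed fakes so it runs offline.
Writer = Callable[[str, str], None]


def real_write(path: str, data: str) -> None:
    """Plain file write, the same operation _exec() performs on cgroup.procs."""
    with open(path, "w") as fh:
        fh.write(data)


def probe_cgroup(cgroup_dir: str, pid: int,
                 write_file: Writer = real_write) -> Optional[str]:
    """Attempt the cgroup.procs write and classify the outcome.

    Returns None when the cgroup accepted the pid, or a short reason string
    when the hierarchy is unusable and cgroup usage should be switched off.
    Any other OSError is re-raised: it points at a real bug or an unexpected
    environment, and hiding it would only move the failure somewhere harder
    to diagnose.
    """
    procs = os.path.join(cgroup_dir, "cgroup.procs")
    try:
        write_file(procs, "%d\n" % pid)
    except OSError as exc:
        if exc.errno in CGROUP_DEGRADE_ERRNOS:
            return "%s: %s" % (procs, os.strerror(exc.errno))
        raise
    return None


def effective_features(requested: FrozenSet[str], cgroup_dir: str, pid: int,
                       write_file: Writer = real_write
                       ) -> Tuple[FrozenSet[str], Optional[str]]:
    """The decision a _start()-style hook has to make before spawning.

    Keep FEATURES exactly as configured unless the cgroup probe fails, in
    which case drop only 'cgroup' and report why. ipc-sandbox and
    network-sandbox are left alone: they are unrelated kernel features with
    their own fallback paths, and a broken cgroup mount says nothing about them.
    """
    features = set(requested)
    reason = None
    if "cgroup" in features:
        reason = probe_cgroup(cgroup_dir, pid, write_file)
        if reason is not None:
            features.discard("cgroup")
    return frozenset(features), reason


def fake_writer(err: Optional[int]) -> Writer:
    """Constructed stand-in for the filesystem: succeed, or raise OSError(err)."""
    def _write(path: str, data: str) -> None:
        if err is not None:
            raise OSError(err, os.strerror(err), path)
    return _write


# Constructed FEATURES set mirroring the defaults the patch enables.
REQUESTED = frozenset({"cgroup", "ipc-sandbox", "network-sandbox", "sandbox"})
DEMO_DIR = "/sys/fs/cgroup/portage/demo"   # placeholder path, never touched


if __name__ == "__main__":
    cases = (("working cgroup", None),
             ("EINVAL as in the thread", errno.EINVAL),
             ("cgroupfs not mounted", errno.ENOENT))
    for label, err in cases:
        feats, why = effective_features(REQUESTED, DEMO_DIR, 4242, fake_writer(err))
        note = "" if why is None else "  (cgroup disabled: %s)" % why
        print("%-24s -> %s%s" % (label, sorted(feats), note))
```

The point of the errno allow-list is that degradation is deliberate and narrow: an EINVAL from a cgroup.procs write on an old rescue kernel is expected and silently disables one feature, whereas an EIO or similar still aborts loudly, so the fallback cannot mask an unrelated failure. The fetch-time symptom Martin reports is exactly the case where the probe would run before any fetch is attempted and report the reason in the log.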