* [gentoo-portage-dev] [PATCH] Enable cgroup, ipc-sandbox & network-sandbox by default
@ 2015-04-06 12:37 Michał Górny
From: Michał Górny @ 2015-04-06 12:37 UTC
To: gentoo-portage-dev; +Cc: Michał Górny
All three features should be mature enough to be enabled by default.
CGroups provide better tracking for ebuild processes, while the two
sandboxes improve security through restricting IPC & network access for
build-only phases.
All the features degrade gracefully when the relevant kernel features
are not available.
---
cnf/make.globals | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/cnf/make.globals b/cnf/make.globals
index dd99618..2d93e9d 100644
--- a/cnf/make.globals
+++ b/cnf/make.globals
@@ -50,9 +50,10 @@ RESUMECOMMAND_SSH=${FETCHCOMMAND_SSH}
FETCHCOMMAND_SFTP="bash -c \"x=\\\${2#sftp://} ; host=\\\${x%%/*} ; port=\\\${host##*:} ; host=\\\${host%:*} ; [[ \\\${host} = \\\${port} ]] && port=22 ; eval \\\"declare -a ssh_opts=(\\\${3})\\\" ; exec sftp -P \\\${port} \\\"\\\${ssh_opts[@]}\\\" \\\"\\\${host}:/\\\${x#*/}\\\" \\\"\\\$1\\\"\" sftp \"\${DISTDIR}/\${FILE}\" \"\${URI}\" \"\${PORTAGE_SSH_OPTS}\""
# Default user options
-FEATURES="assume-digests binpkg-logs
+FEATURES="assume-digests binpkg-logs cgroup
config-protect-if-modified distlocks ebuild-locks
- fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned
+ fixlafiles ipc-sandbox merge-sync network-sandbox
+ news parallel-fetch preserve-libs protect-owned
sandbox sfperms strict unknown-features-warn unmerge-logs
unmerge-orphans userfetch userpriv usersandbox usersync"
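Review bot: the new defaults on the `+FEATURES="assume-digests binpkg-logs cgroup` and `+ fixlafiles ipc-sandbox merge-sync network-sandbox` lines change behaviour for every install that does not override FEATURES, yet the diffstat shows cnf/make.globals as the only file touched, so nothing in this patch documents the change or how to opt out. Suggest adding a documentation or news note stating that cgroup, ipc-sandbox and network-sandbox are now on by default and can be disabled with FEATURES="-cgroup -ipc-sandbox -network-sandbox" in make.conf. The commit message should also point at where the fallback for missing kernel support lives, since "degrade gracefully" is asserted there but cannot be verified from these lines.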
--
2.3.5
* [gentoo-portage-dev] Re: [PATCH] Enable cgroup, ipc-sandbox & network-sandbox by default
From: Martin Vaeth @ 2015-04-08 14:03 UTC
To: gentoo-portage-dev
Michał Górny <mgorny@gentoo.org> wrote:
>
> All the features degrade gracefully when the relevant kernel features
> are not available.
In connection with some old version of rescuecd, and fetching files,
one can run into troubles with FEATURES=cgroups
https://forums.gentoo.org/viewtopic-t-1009074-start-0-postdays-0-postorder-asc-highlight-.html
(The bad thing was that this error happened, before it was clear
that portage attempted to fetch files)
* Re: [gentoo-portage-dev] Re: [PATCH] Enable cgroup, ipc-sandbox & network-sandbox by default
From: Zac Medico @ 2015-04-08 15:48 UTC
To: gentoo-portage-dev
On 04/08/2015 07:03 AM, Martin Vaeth wrote:
> Michał Górny <mgorny@gentoo.org> wrote:
>>
>> All the features degrade gracefully when the relevant kernel features
>> are not available.
>
> In connection with some old version of rescuecd, and fetching files,
> one can run into troubles with FEATURES=cgroups
>
> https://forums.gentoo.org/viewtopic-t-1009074-start-0-postdays-0-postorder-asc-highlight-.html
>
> (The bad thing was that this error happened, before it was clear
> that portage attempted to fetch files)
"IOError: [Errno 22] Invalid argument" is thrown when writing to
cgroup.procs in portage.process._exec(). We need to detect whatever
conditions cause this inside AbstractEbuildProcess._start(), and disable
the cgroup usage in that case.
--
Thanks,
Zac