On Sun, 11 May 2014 23:42:38 +0200 Michał Górny <mgo...@gentoo.org> wrote:
> Hi, everyone.
>
> Almost 9 months ago I committed three new FEATURES for portage:
> cgroup, ipc-sandbox and network-sandbox. Today I'd like to propose
> enabling at least the latter two by default.
>
> Firstly, I'd like to briefly remind you what they do:
>
> 1. cgroup -- puts all processes spawned by an ebuild into a cgroup, and kills
> all of them once the phase exits (prevents leaving orphans),
>
> 2. ipc-sandbox -- puts all processes spawned by an ebuild into a separate
> IPC namespace, preventing them from interfacing with other system services
> via IPC (message queues, semaphores, shared memory),
>
> 3. network-sandbox -- puts all processes spawned by an ebuild into
> a separate network namespace with a private loopback interface,
> preventing them from interfacing with other system services, the local network
> and the Internet.

[snip]

All three of these require kernel support. It might be a good idea to add the needed options to that Gentoo Linux menu we have in gentoo-sources and enable them by default. I think it would be non-obvious to a new user that they would have to enable network and IPC namespaces for portage to work properly out of the box (and if they disable the latter they get a bunch of cryptic "Unable to unshare: EINVAL" messages every time they build something, which isn't very helpful).

Do we know of any packages broken by these features? Maybe we can add them to the dev profiles for a while before we dump it on everyone.

Otherwise +1.

--
Ryan Hill
psn: dirtyepic_sk
gcc-porting/toolchain/wxwidgets @ gentoo.org
47C3 6D62 4864 0E49 8E9E 7F92 ED38 BD49 957A 8463
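As an added illustration of the kernel-support point raised in this thread (this is example code, not portage's own implementation), the script below maps the three FEATURES to the kernel config symbols they depend on, reads a kernel .config to see which are enabled, and probes unshare() in a forked child so that an EINVAL (namespace type not compiled in) can be told apart from an EPERM (missing CAP_SYS_ADMIN). The CLONE_* values are the ones from <linux/sched.h>; the kconfig mapping is the standard one (CONFIG_CGROUPS, CONFIG_IPC_NS, CONFIG_NET_NS).

```python
"""Check which portage sandbox FEATURES the running kernel can back."""
import ctypes
import errno
import gzip
import os

# Flag values from <linux/sched.h>
CLONE_NEWIPC = 0x08000000
CLONE_NEWNET = 0x40000000

# portage FEATURE -> kernel config symbol that must be =y for it to work
FEATURE_KCONFIG = {
    "cgroup": "CONFIG_CGROUPS",
    "ipc-sandbox": "CONFIG_IPC_NS",
    "network-sandbox": "CONFIG_NET_NS",
}


def features_from_kconfig(config_text):
    """Return {feature: bool} from the text of a kernel .config."""
    enabled = set()
    for line in config_text.splitlines():
        line = line.strip()
        # "# CONFIG_FOO is not set" lines and blanks carry no enabled symbol
        if line.startswith("#") or "=" not in line:
            continue
        sym, value = line.split("=", 1)
        if value == "y":
            enabled.add(sym)
    return {feat: sym in enabled for feat, sym in FEATURE_KCONFIG.items()}


def probe_unshare(flags):
    """Call unshare(flags) in a forked child; return its errno (0 = success).

    The child carries the namespace change, so the caller is unaffected.
    EINVAL: the kernel lacks that namespace type.  EPERM: no CAP_SYS_ADMIN.
    """
    libc = ctypes.CDLL(None, use_errno=True)
    pid = os.fork()
    if pid == 0:
        rc = libc.unshare(flags)
        os._exit(0 if rc == 0 else ctypes.get_errno())
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)


if __name__ == "__main__":
    if os.path.exists("/proc/config.gz"):  # needs CONFIG_IKCONFIG_PROC
        with gzip.open("/proc/config.gz", "rt") as f:
            print(features_from_kconfig(f.read()))
    for name, flag in (("ipc-sandbox", CLONE_NEWIPC), ("network-sandbox", CLONE_NEWNET)):
        err = probe_unshare(flag)
        print(name, "ok" if err == 0 else errno.errorcode.get(err, err))
```

Run as root on a kernel without CONFIG_NET_NS and the probe reports EINVAL for network-sandbox, which is the condition behind the "Unable to unshare: EINVAL" messages mentioned above.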