
Issue 731905


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Feature

Blocked on:
issue 741791




disable network access in ebuilds

Project Member Reported by vapier@chromium.org, Jun 9 2017

Issue description

we have ebuilds that inadvertently access the network during source phases.  this can lead to flakes when external sites go down/change, slows things down during build, and irreducible builds if they don't pin versions.

portage has FEATURES=network-sandbox which automatically creates network namespaces during src phases which we can enable.
 

Comment 1 by vapier@chromium.org, Jun 10 2017

known failures:
- autotest tests make a bunch of network connections
- chrome gclient hooks fetch stuff

might be worth making it a temporary RESTRICT option so we can disable it in most ebuilds while we lock down the few that need it

Comment 2 by bugdroid1@chromium.org, Jun 29 2017

Labels: merge-merged-chromeos-2.2.12
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/portage_tool/+/cfde335e54918757430110cba01d7c56f880ef05

commit cfde335e54918757430110cba01d7c56f880ef05
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Jun 29 04:50:53 2017

ebuild: allow RESTRICT=network-sandbox in ebuilds

Some ebuilds are a bit hard to fix their use of the network in src
phases, so allow them to disable things.  This allows us to turn off
access by default and for the vast majority while we work out how to
fix the few broken packages.

Hopefully we can back this out once all the ebuilds have been updated.

BUG= chromium:731905 
TEST=building an ebuild with RESTRICT=network-sandbox allows network access still

Change-Id: Ibc0430a990b0f6dc728967f3a3414d28263bf397
Reviewed-on: https://chromium-review.googlesource.com/538235
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>

[modify] https://crrev.com/cfde335e54918757430110cba01d7c56f880ef05/pym/portage/package/ebuild/doebuild.py


Comment 3 by bugdroid1@chromium.org, Jun 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/6111900666f5423897d4030f006fab51f4476389

commit 6111900666f5423897d4030f006fab51f4476389
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Jun 29 10:11:36 2017

autotest/chrome: allow network access in src phases

Until we can sort out how to make these work w/out network access,
allow it.

BUG= chromium:731905 
TEST=building these with FEATURES=network-sandbox still works

Change-Id: I8d811baaae57160faaf1d1ecaa13302ff030d7ec
Reviewed-on: https://chromium-review.googlesource.com/538215
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>

[modify] https://crrev.com/6111900666f5423897d4030f006fab51f4476389/chromeos-base/autotest/autotest-9999.ebuild
[modify] https://crrev.com/6111900666f5423897d4030f006fab51f4476389/chromeos-base/chromeos-chrome/chromeos-chrome-9999.ebuild
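An added example, not part of the issue or the Chromium OS tree: a check that keeps the `RESTRICT=network-sandbox` opt-out from spreading beyond the packages granted it. The allowlist (the two packages touched by the commit above) and all sample ebuild contents are assumptions constructed for illustration.

```python
import re

# RESTRICT="..." / RESTRICT+='...' / RESTRICT=token; a quoted value may span lines.
_ASSIGN = re.compile(
    r"""^[ \t]*RESTRICT\+?=(?:"([^"]*)"|'([^']*)'|([^\s#"']+))""", re.M)
OPT_OUT = "network-sandbox"

# Assumed allowlist: the packages named in the commit above.
ALLOWLIST = {"chromeos-base/autotest", "chromeos-base/chromeos-chrome"}

# Constructed sample ebuild fragments (not the real files).
SAMPLE_EBUILDS = {
    "chromeos-base/autotest/autotest-9999.ebuild":
        'EAPI=5\nRESTRICT="network-sandbox"\n',
    "chromeos-base/chromeos-chrome/chromeos-chrome-9999.ebuild":
        'RESTRICT="mirror\n\tnetwork-sandbox"\n',
    "dev-libs/foo/foo-1.0.ebuild":
        'RESTRICT="test"\nRESTRICT+=" network-sandbox"\n',
    "dev-libs/bar/bar-2.0.ebuild":
        '# RESTRICT="network-sandbox"\nRESTRICT="test"\n',
}

def restrict_tokens(ebuild_text):
    """Every token from every RESTRICT assignment, skipping full-line comments.

    Conservative on purpose: tokens from all assignments are collected, so an
    opt-out is reported even if a later plain '=' would overwrite it in bash.
    """
    live = "\n".join(line for line in ebuild_text.splitlines()
                     if not line.lstrip().startswith("#"))
    tokens = []
    for groups in _ASSIGN.findall(live):
        tokens.extend("".join(groups).split())
    return tokens

def opts_out(ebuild_text):
    return OPT_OUT in restrict_tokens(ebuild_text)

def package_of(path):
    """'category/pkg/pkg-ver.ebuild' -> 'category/pkg'."""
    return "/".join(path.split("/")[-3:-1])

def audit(ebuilds, allowlist):
    """Paths that disable the network sandbox without being allowlisted."""
    return sorted(p for p, text in ebuilds.items()
                  if opts_out(text) and package_of(p) not in allowlist)

if __name__ == "__main__":
    for path in audit(SAMPLE_EBUILDS, ALLOWLIST):
        print("unexpected network-sandbox opt-out:", path)
```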


Comment 4 by bugdroid1@chromium.org, Jul 6 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/ec47bfb48f99ee900f1f1642e3a715fc2cbfdd21

commit ec47bfb48f99ee900f1f1642e3a715fc2cbfdd21
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Jul 06 01:50:24 2017

chromeos-chrome: fix nonetwork setting

BUG= chromium:731905 
TEST=None

Change-Id: If9d1c49cd7d114dcaa8380c189d9465e88e46532
Reviewed-on: https://chromium-review.googlesource.com/558389
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>

[modify] https://crrev.com/ec47bfb48f99ee900f1f1642e3a715fc2cbfdd21/chromeos-base/chromeos-chrome/chromeos-chrome-9999.ebuild

Comment 5 by vapier@chromium.org, Jul 12 2017

Blockedon: 741791
Status: Fixed (was: Available)
going to close this out as the change seems to have stuck.  autotest's statd logic has been purged, but it still has some `git clone` calls in there.  we'll handle that in issue 741791.

i'm going to just give up on chrome for now.

Comment 7 by bugdroid1@chromium.org, Dec 13 2017

Labels: merge-merged-chromeos-2.2.28
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/portage_tool/+/8440e0b6d125d6ba152ad0c885b3ba14bb2ad879

commit 8440e0b6d125d6ba152ad0c885b3ba14bb2ad879
Author: Mike Frysinger <vapier@chromium.org>
Date: Wed Dec 13 22:27:38 2017

ebuild: allow RESTRICT=network-sandbox in ebuilds

Some ebuilds are a bit hard to fix their use of the network in src
phases, so allow them to disable things.  This allows us to turn off
access by default and for the vast majority while we work out how to
fix the few broken packages.

Hopefully we can back this out once all the ebuilds have been updated.

BUG= chromium:731905 
TEST=building an ebuild with RESTRICT=network-sandbox allows network access still

https://chromium-review.googlesource.com/538235

Change-Id: Ibc0430a990b0f6dc728967f3a3414d28263bf397
Reviewed-on: https://chromium-review.googlesource.com/815665
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>

[modify] https://crrev.com/8440e0b6d125d6ba152ad0c885b3ba14bb2ad879/pym/portage/package/ebuild/doebuild.py

Comment 8 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)

Comment 9 by vapier@chromium.org, Jun 21 2018

Status: Fixed (was: Archived)
