On Mon, 12 May 2014 11:39:10 +0200 Tom Wijsman <tom...@gentoo.org> wrote:
> On Mon, 12 May 2014 00:47:17 -0600
> Ryan Hill <rh...@gentoo.org> wrote:
>
> > > 1. cgroup -- puts all processes spawned by ebuild to cgroup, and
> > > kills all of them once phase exits (prevents leaving orphans),
> > >
> > > 2. ipc-sandbox -- puts all processes spawned by ebuild to a separate
> > > IPC namespace, preventing them from interfacing other system
> > > services via IPC (message queues, semaphores, shared memory),
> > >
> > > 3. network-sandbox -- puts all processes spawned by ebuild to
> > > a separate network namespace with a private loopback interface,
> > > preventing them from interfacing other system services, local
> > > network and the Internet.
> >
> > All three of these require kernel support. It might be a good idea
> > to add the needed options to that Gentoo Linux menu we have in
> > gentoo-sources and enable them by default.
>
> Right, this skipped my mind when I enabled them yesterday; this should
> be documented, as well as have Portage check for missing support and
> test it and bail out with a proper error message if it doesn't already.
>
> Which options are these in particular? I'll cook a patch with them.

I believe they are CONFIG_IPC_NS, CONFIG_NET_NS, and CONFIG_CGROUPS.

-- 
Ryan Hill psn: dirtyepic_sk
gcc-porting/toolchain/wxwidgets @ gentoo.org
47C3 6D62 4864 0E49 8E9E 7F92 ED38 BD49 957A 8463
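A check of the kind Tom asks for above, written here as an added example (not Portage code and not from anyone in this thread): it reads a kernel config and reports which of the three options named in the reply are missing, per FEATURES flag, so a build host can refuse to rely on a sandbox it cannot actually enforce. The function names and the constructed sample config are this example's own assumptions.

```shell
#!/bin/sh
# Added example: map each Portage sandbox feature to the kernel option it
# needs (per the thread) and report which are absent from a kernel config.

# Print the kernel config: an explicit file, else the running kernel's.
kernel_config() {
    if [ -n "$1" ]; then
        cat "$1"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# check_sandbox_support [config-file]
# Prints one "feature: OPTION missing" line per unmet requirement.
# Returns 0 if all three features are usable, 1 if any is not,
# 2 if no kernel config could be read at all.
check_sandbox_support() {
    cfg=$(kernel_config "$1") || { echo "cannot read kernel config" >&2; return 2; }
    rc=0
    for pair in cgroup:CONFIG_CGROUPS ipc-sandbox:CONFIG_IPC_NS network-sandbox:CONFIG_NET_NS; do
        feature=${pair%%:*}
        option=${pair#*:}
        # Only an exact "OPTION=y" line counts; "# OPTION is not set" or
        # a missing line both mean the namespace/cgroup cannot be created.
        if ! printf '%s\n' "$cfg" | grep -qx "$option=y"; then
            echo "$feature: $option missing (FEATURES=$feature will not work)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (hypothetical): NET_NS explicitly disabled and
# CGROUPS absent entirely, so only ipc-sandbox would be enforceable.
SAMPLE_CONFIG=$(mktemp)
printf 'CONFIG_IPC_NS=y\n# CONFIG_NET_NS is not set\nCONFIG_UTS_NS=y\n' > "$SAMPLE_CONFIG"

if check_sandbox_support "$SAMPLE_CONFIG"; then
    echo "all sandbox features supported"
else
    echo "some sandbox features cannot be enforced on this kernel"
fi
rm -f "$SAMPLE_CONFIG"
```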