[PSA] new network restrictions in ebuilds

Mike Frysinger

Jul 8, 2017, 4:09:48 PM
to chromium-os-dev
we've turned on network restrictions in ebuilds.  this means that, outside of src_unpack, ebuilds won't be able to access the network.  so far we've only found two ebuilds that this was an issue for (chrome & autotest).  this should hopefully cut down on weird flakes when packages accidentally try to do network things when building -- you can't anymore!

so if you see BuildPackages or UnitTest phases failing with errors like "network unreachable" or similar network failures, it's not because the bot itself is freaking out, but because we've disabled network access in the ebuild.
-mike

Sean Paul

Jul 8, 2017, 9:47:45 PM
to Mike Frysinger, chromium-os-dev
On Sat, Jul 8, 2017 at 4:09 PM, Mike Frysinger <vap...@chromium.org> wrote:
> we've turned on network restrictions in ebuilds. this means that, outside
> of src_unpack, ebuilds won't be able to access the network. so far we've
> only found two ebuilds that this was an issue for (chrome & autotest). this
> should hopefully cut down on weird flakes when packages accidentally try to
> do network things when building -- you can't anymore!

The reef pre-cq autotest-tests-cheets packages has been failing all
day with name resolution failures (http://paste.debian.net/975524/).
Is this restriction the cause of these network failures? Can we
rollback the network restriction until someone has a chance to fix the
outstanding ebuilds?

Sean


>
> so if you see BuildPackages or UnitTest phases failing with errors like
> "network unreachable" or similar network failures, it's not because the bot
> itself is freaking out, but because we've disabled network access in the
> ebuild.
> -mike

Nicolas Boichat

Jul 9, 2017, 8:12:20 PM
to Sean Paul, Chung-yih Wang, Mike Frysinger, chromium-os-dev
+cywang FYI, autotest-tests-cheets failing.

Nicolas Boichat

Jul 9, 2017, 9:33:52 PM
to Sean Paul, Chung-yih Wang, Mike Frysinger, chromium-os-dev

Mike Frysinger

Jul 9, 2017, 9:49:10 PM
to Sean Paul, chromium-os-dev
On Sat, Jul 8, 2017 at 9:47 PM, Sean Paul <sean...@google.com> wrote:
> On Sat, Jul 8, 2017 at 4:09 PM, Mike Frysinger <vap...@chromium.org> wrote:
> > we've turned on network restrictions in ebuilds.  this means that, outside
> > of src_unpack, ebuilds won't be able to access the network.  so far we've
> > only found two ebuilds that this was an issue for (chrome & autotest).  this
> > should hopefully cut down on weird flakes when packages accidentally try to
> > do network things when building -- you can't anymore!
>
> The reef pre-cq autotest-tests-cheets packages has been failing all
> day with name resolution failures (http://paste.debian.net/975524/).
> Is this restriction the cause of these network failures? Can we
> rollback the network restriction until someone has a chance to fix the
> outstanding ebuilds?

there's no need to revert.  if the package itself can't be properly fixed, you can temporarily disable for this one package by adding to the ebuild:
RESTRICT="network-sandbox"

but the package itself is broken here, so it'll need to be fixed to not hit the network while compiling.
-mike

Vadim Bendebury

Jul 10, 2017, 2:11:16 PM
to Mike Frysinger, chromium-os-dev
when network connection is failing is there any indication in the logs if the connection is allowed or not at the time of failure?


Mike Frysinger

Jul 10, 2017, 2:19:46 PM
to Vadim Bendebury, chromium-os-dev
there is no daemon sniffing packets and throwing errors if it sees someone trying to make a connection.  so any errors you might see are entirely up to the program trying to make the connection.  python programs (usually) throw tracebacks as they (usually) aren't written to catch network failure exceptions.  but if someone runs `wget https://foo.com/ >&/dev/null`, then you're not going to see anything from wget.
-mike

Vadim Bendebury

Jul 10, 2017, 2:23:20 PM
to Mike Frysinger, chromium-os-dev
do I understand it right that there are some explicit commands issued when src_unpack is running to enable/disable network access?

If so - do these commands put something in the log, such that examining the logs one could tell if network connection was supposed to be available during failure?

-v

Mike Frysinger

Jul 10, 2017, 2:28:17 PM
to Vadim Bendebury, chromium-os-dev
no, there is nothing logged like that.  the logic is all in python and there is no visibility in the ebuild bash environment.
-mike
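
Since nothing in the build log records whether network access was allowed when a step failed, a build script can record it itself. The following is an added example, not part of the thread and not Portage or Chromium OS code: it reports whether the current process sees only the loopback interface and prints that state when a wrapped command fails. It assumes the restriction is a private network namespace containing only `lo`, as upstream Portage's network-sandbox feature provides; `net_state`, `run_logged` and `NET_DEV_FILE` are hypothetical names.

```shell
#!/bin/sh
# Added example (not Portage or Chromium OS code). Assumption: the restricted
# phases run in a private network namespace whose only interface is "lo".

# net_state [FILE|-]: "isolated" if only loopback is visible, "available" if
# any other interface exists, "unknown" if the table cannot be read.
# NET_DEV_FILE is a hypothetical override used for testing.
net_state() {
    f=${1:-${NET_DEV_FILE:-/proc/net/dev}}
    [ "$f" = - ] || [ -r "$f" ] || { echo unknown; return 0; }
    awk -F: '
        NR > 2 && NF > 1 {           # first two lines are column headers
            gsub(/[ \t]/, "", $1)    # names are right-aligned with spaces
            if ($1 != "lo") other++
        }
        END { print (other ? "available" : "isolated") }
    ' "$f"
}

# run_logged CMD...: run a build step; if it fails, write the network state to
# stderr so the log shows whether network access was expected to work.
run_logged() {
    rc=0
    "$@" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "net-check: '$*' exited $rc; network is $(net_state)" >&2
    fi
    return "$rc"
}

# Constructed samples in /proc/net/dev layout (counter columns shortened).
sample_sandboxed() {
    cat <<'EOF'
Inter-|   Receive   |  Transmit
 face |bytes packets|bytes packets
    lo:    0       0     0       0
EOF
}
sample_host() {
    cat <<'EOF'
Inter-|   Receive   |  Transmit
 face |bytes packets|bytes packets
    lo: 1296      16  1296      16
  eth0: 9120      75  4410      52
EOF
}

echo "sandboxed sample: $(sample_sandboxed | net_state -)"
echo "host sample:      $(sample_host | net_state -)"
```

A machine with no interface other than `lo` also reports `isolated`, so the logged line is a hint about the sandbox rather than proof of it.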