Created attachment 430072 [details] build.log ganeti-2.15.2-r4 I get an error when trying to emerge >=ganeti-2.15.2. It says it cannot preload libsandbox.so but all I've been able to find is that that error message is supposed to be just cosmetic and actually not be an fatal error, but the merge takes it as fatal. I've tried using FEATURES="-sandbox" and FEATURES="user-sandbox" with same results, it errors out on this step: trap 'echo auto-removing man/ganeti-os-interface.7.in; rm man/ganeti-os-interface.7.in' EXIT; \ /usr/bin/pandoc -s -f rst -t man man/ganeti-os-interface.gen man/footer.rst | \ sed -e 's/\\@/@/g' > man/ganeti-os-interface.7.in; \ if test -n "1"; then LC_ALL=en_US.UTF-8 ./autotools/check-man-warnings man/ganeti-os-interface.7.in; fi; \ ./autotools/check-man-dashes man/ganeti-os-interface.7.in; \ trap - EXIT set -o pipefail ; \ /usr/bin/pandoc --toc -s -f rst -t html man/ganeti-os-interface.gen man/footer.rst | \ sed -e 's/\\@/@/g' > man/ganeti-os-interface.html.in sed -f autotools/replace_vars.sed < man/ganeti-os-interface.html.in > man/ganeti-os-interface.html ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. auto-removing man/ganeti-os-interface.7.in Going into the build folder in /var/tmp/portage and executing that command manually, works like it should. This is on a hardened system, but grsec RBAC is turned off and it doesn't use SELinux.
Created attachment 430074 [details] emerge --info
I got the same error when trying on a vanilla system (I cloned the machine, as its a VM, and migrated it to vanilla gentoo and tried the same thing, with same result)
What if you use a sandboxshell to go in to that folder and run that command? +hardened I have never seen this on non-hardened, since this is a hardened system, I am going to refer to hardened.
Yeah, I've spent a lot of time with Zorry to deep-dive into this issue and it definitively is hardened and sandbox related. If I do features="-usersandbox" now, I can get it to compile, but this is after adding append-ldflags -Wl,-z,lazy to the sandbox ebuild, as per Zorry's recommendation. I'm going to test with the sandboxshell and see if I can reproduce it there, probably heck a lot easier to debug that, then the whole emerge process (I tried to strace it, both with -ff and without, with -ff it created ~6k files and without it created a 185k row file...)
I just tried with a sandboxshell and got the exact same error, and it is a lot easier to debug this way, so I'll see what I can find out.
Created attachment 434958 [details, diff] Remove invertor of the last statement in check-man-warnings I managed to zero in to what is the actual cause for tripping this and found that it was a interaction between set -o pipefail -e and autotools/check-man-warnings returning 1 if success, due to the ! at the beginning of the last statement. I added this as a user patch and tried to compile ganeti, which worked. Will try and ask upstream of what the logic behind this was before, the check-man-warnings script was before a script called check-man that incorporated both check-man-warnings and check-man-dashes.
Fixed https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a9df6a22b2fed43184421965c86a2c207841ae4 Thanks for the patch, strange it only seemed to break on hardened
Yeah, I couldn't really wrap my head around why it was just hardened it affected, but logically it should affect vanilla too, if you enforce the user sandbox feature, but I didn't check. An idea that Zorry had was that it is that we enforce the sandbox/usersandbox in hardened and maybe the hardening in the sandbox, from the toolchain, makes it more picky.
