Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 174351 - sandbox violation when using distcc or ccache
Summary: sandbox violation when using distcc or ccache
Status: CONFIRMED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Ebuild Support (show other bugs)
Hardware: All Linux
: High normal
Assignee: Portage team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 322939
  Show dependency tree
 
Reported: 2007-04-12 22:32 UTC by Jimmy.Jazz
Modified: 2024-01-16 04:56 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (info.txt,3.82 KB, text/plain)
2007-04-12 22:33 UTC, Jimmy.Jazz
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jimmy.Jazz 2007-04-12 22:32:31 UTC
Hello,

recently i noticed when i'm using distcc or if i try to set CCACHE_LOGFILE="/var/log/ccache.log", i will be unable to emerge most of the gentoo packages. They end up with a sandbox violation after a successful compilation.

Also FEATURES="-distcc -ccache" doesn't help. distcc stays activated.

distccd is working on an different architecture (x86_64) as the client (i686). So distccd need to cross compile. I don't think that is related with the violation because it still appended when distcc sent the job locally to localhost, no matter the architecture is.


make[1]: quittant le répertoire « /var/tmp/portage/xfce-base/libxfce4util-4.4.1/work/libxfce4util-4.4.1/po »
Making install in xfce4-kiosk-query
make[1]: entrant dans le répertoire « /var/tmp/portage/xfce-base/libxfce4util-4.4.1/work/libxfce4util-4.4.1/xfce4-kiosk-query »
make[2]: entrant dans le répertoire « /var/tmp/portage/xfce-base/libxfce4util-4.4.1/work/libxfce4util-4.4.1/xfce4-kiosk-query »
test -z "/usr/sbin" || mkdir -p -- "/var/tmp/portage/xfce-base/libxfce4util-4.4.1/image//usr/sbin"
make[2]: Rien à faire pour « install-data-am ».
  /bin/sh ../libtool --mode=install /usr/bin/install -c 'xfce4-kiosk-query' '/var/tmp/portage/xfce-base/libxfce4util-4.4.1/image//usr/sbin/xfce4-kiosk-query'
ACCESS DENIED  open_wr:   /var/lib/cache/distcc/lock/cpu_localhost_0
distcc[555] (dcc_open_lockfile) ERROR: failed to creat /var/lib/cache/distcc/lock/cpu_localhost_0: Permission denied
distcc[555] (dcc_lock_one) ERROR: failed to lock
ACCESS DENIED  open_wr:   /var/lib/cache/distcc/state/binstate_555
distcc[555] (dcc_open_state) ERROR: failed to open /var/lib/cache/distcc/state/binstate_555: Permission denied
ACCESS DENIED  unlink:    /var/lib/cache/distcc/state/binstate_555
distcc[555] (dcc_remove_state_file) Warning: failed to unlink /var/lib/cache/distcc/state/binstate_555: Permission denied
ACCESS DENIED  open_wr:   /var/lib/cache/distcc/lock/cpu_localhost_0
distcc[572] (dcc_open_lockfile) ERROR: failed to creat /var/lib/cache/distcc/lock/cpu_localhost_0: Permission denied
distcc[572] (dcc_lock_one) ERROR: failed to lock
ACCESS DENIED  open_wr:   /var/lib/cache/distcc/state/binstate_572
distcc[572] (dcc_open_state) ERROR: failed to open /var/lib/cache/distcc/state/binstate_572: Permission denied
ACCESS DENIED  unlink:    /var/lib/cache/distcc/state/binstate_572
distcc[572] (dcc_remove_state_file) Warning: failed to unlink /var/lib/cache/distcc/state/binstate_572: Permission denied
/usr/bin/install -c .libs/xfce4-kiosk-query /var/tmp/portage/xfce-base/libxfce4util-4.4.1/image//usr/sbin/xfce4-kiosk-query
make[2]: quittant le répertoire « /var/tmp/portage/xfce-base/libxfce4util-4.4.1/work/libxfce4util-4.4.1/xfce4-kiosk-query »
make[1]: quittant le répertoire « /var/tmp/portage/xfce-base/libxfce4util-4.4.1/work/libxfce4util-4.4.1/xfce4-kiosk-query »
make[1]: entrant dans le répertoire « /var/tmp/portage/xfce-base/libxfce4util-4.4.1/work/libxfce4util-4.4.1 »
make[2]: entrant dans le répertoire « /var/tmp/portage/xfce-base/libxfce4util-4.4.1/work/libxfce4util-4.4.1 »
make[2]: Rien à faire pour « install-exec-am ».
make[2]: Rien à faire pour « install-data-am ».
make[2]: quittant le répertoire « /var/tmp/portage/xfce-base/libxfce4util-4.4.1/work/libxfce4util-4.4.1 »
make[1]: quittant le répertoire « /var/tmp/portage/xfce-base/libxfce4util-4.4.1/work/libxfce4util-4.4.1 »
>>> Completed installing libxfce4util-4.4.1 into /var/tmp/portage/xfce-base/libxfce4util-4.4.1/image/

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-xfce-base_-_libxfce4util-4.4.1-31584.log"

open_wr:   /var/lib/cache/distcc/lock/cpu_localhost_0
open_wr:   /var/lib/cache/distcc/state/binstate_32336
unlink:    /var/lib/cache/distcc/state/binstate_32336
open_wr:   /var/lib/cache/distcc/lock/cpu_localhost_0
open_wr:   /var/lib/cache/distcc/state/binstate_32374
unlink:    /var/lib/cache/distcc/state/binstate_32374
open_wr:   /var/lib/cache/distcc/lock/cpu_localhost_0
open_wr:   /var/lib/cache/distcc/state/binstate_555
unlink:    /var/lib/cache/distcc/state/binstate_555
open_wr:   /var/lib/cache/distcc/lock/cpu_localhost_0
open_wr:   /var/lib/cache/distcc/state/binstate_572
unlink:    /var/lib/cache/distcc/state/binstate_572
--------------------------------------------------------------------------------

The LOG_FILE isn't pertinent, it just repeat the above message.

Jj


Reproducible: Always

Steps to Reproduce:
1.emerge -uDvab world
2.
3.

Actual Results:  
It's okay when i apply FEATURES="-sandbox" to emerge but i don't like that kind of alternative.

Also, distcc and ccache are really useful when you have weak computers.

Expected Results:  

It would be great to deny sandbox to control files and/or directories declared in distcc or ccache shell variables.

# cat /etc/env.d/11ccache 
CCACHE_DIR="/var/lib/cache/ccache"
CCACHE_LOGFILE=""
CCACHE_UMASK=002
CCACHE_PREFIX="distcc"
CCACHE_NOLINK=""

# cat /etc/env.d/02distcc 
# This file is managed by distcc-config; use it to change these settings.
DISTCC_LOG=""
DCCC_PATH="/usr/lib/distcc/bin"
DISTCC_VERBOSE="0"
DISTCC_DIR="/var/lib/cache/distcc"

# ls -l /usr/lib/ccache/bin/
total 0
lrwxrwxrwx 1 root root 40 Apr 12 20:42 c++ -> /usr/local/bin/i686-pc-linux-gnu-wrapper
lrwxrwxrwx 1 root root 40 Apr 12 20:42 cc -> /usr/local/bin/i686-pc-linux-gnu-wrapper
lrwxrwxrwx 1 root root 40 Apr 12 20:42 g++ -> /usr/local/bin/i686-pc-linux-gnu-wrapper
lrwxrwxrwx 1 root root 40 Apr 12 20:42 gcc -> /usr/local/bin/i686-pc-linux-gnu-wrapper
lrwxrwxrwx 1 root root 15 Mar 16 22:47 i686-pc-linux-gnu-c++ -> /usr/bin/ccache
lrwxrwxrwx 1 root root 15 Apr 12 20:43 i686-pc-linux-gnu-cc -> /usr/bin/ccache
lrwxrwxrwx 1 root root 15 Mar 16 22:47 i686-pc-linux-gnu-g++ -> /usr/bin/ccache
lrwxrwxrwx 1 root root 15 Mar 16 22:47 i686-pc-linux-gnu-gcc -> /usr/bin/ccache

# cat /etc/env.d/02distcc 
DISTCC_LOG=""
DCCC_PATH="/usr/lib/distcc/bin"
DISTCC_VERBOSE="0"
DISTCC_DIR="/var/lib/cache/distcc"
Comment 1 Jimmy.Jazz 2007-04-12 22:33:23 UTC
Created attachment 116106 [details]
emerge --info
Comment 2 Christoph Mende (RETIRED) gentoo-dev 2007-04-12 22:34:49 UTC
Try without userpriv or chown the files portage complains about to portage:portage
Comment 3 Jimmy.Jazz 2007-04-13 09:12:49 UTC
(In reply to comment #2)
> Try without userpriv or chown the files portage complains about to
> portage:portage
> 

I did it and it doesn't change anything :(

FEATURES="distcc ccache sandbox parallel-fetch userfetch collision-protect"

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-xfce-extra_-_xfce4-mixer-4.4.1-4633.log"

open_wr:   /var/lib/cache/distcc/lock/cpu_localhost_0


# ls -l  /var/lib/cache/distcc/lock/cpu_localhost_0
-rw-rw-r-- 1 portage portage 0 Apr 12 21:31 /var/lib/cache/distcc/lock/cpu_localhost_0
Comment 4 Jimmy.Jazz 2007-04-13 17:11:27 UTC
(In reply to comment #2)

Hello,

I have done some more tests and i noticed after removing distcc from FEATURES in /etc/make.conf ,
FEATURES="ccache userpriv sandbox parallel-fetch userfetch collision-protect", setting the variables to,
CCACHE_LOGFILE=
CCACHE_DIR=/var/lib/cache/ccache
DISTCC_LOG=
CCACHE_UMASK=002
DISTCC_DIR=/var/lib/cache/distcc
CCACHE_NOLINK=
DISTCC_VERBOSE=0
and removing /usr/lib/ccache/bin and /usr/lib/distcc/bin from the PATH, i didn't have the error 111 about distcc loop anymore.

Setting CCACHE_PREFIX="distcc" like the author suggest it in his man page make that even worse.

Anyway, i continue to get a sandbox violation with xfce4 4.4.1 ebuild about distcc files for example.

It is really difficult to deduce something because ebuild processes imbrication is like a black box to me.


Comment 5 Jimmy.Jazz 2007-04-14 18:56:48 UTC
Hello,

It was definitely CCACHE_PREFIX=distcc that made all the trouble.
Comment 6 Jimmy.Jazz 2007-04-14 20:46:55 UTC
(In reply to comment #5)
> Hello,
> 
> It was definitely CCACHE_PREFIX=distcc that made all the trouble.
> 

I need also to set manually 

SANDBOX_WRITE="/var/lib/cache/distcc:${SANDBOX_WRITE}" 

in /etc/portage/profile/profile.bashrc to get rid of the sandbox violation.

It seems like /usr/lib/portage/ebuild.sh never did an addwrite DISTCC_DIR and dyn_compile() (line 1703) was never called or have i missed something ?

You should probably add 
[ ! -z "${DISTCC_DIR}" ] && addwrite "${DISTCC_DIR})"
after line 1413 to correct the problem.

Please, could a dev have a more precise look at ebuild.sh and confirm the problem ?

Thanks,

Jj


Comment 7 Lisa Seelye (RETIRED) gentoo-dev 2007-04-15 21:12:32 UTC
Seems this is a nonissue now.
Comment 8 Jimmy.Jazz 2007-04-17 09:29:15 UTC
(In reply to comment #7)
> Seems this is a nonissue now.
> 
Hello,

[#if u prefer crabby answer]
Why should i always fight so that my bug report will be taken into account. Do you think i report only for the fun or for a silly record ? :(

Anyway, you could give me a better answer as just a closed one. I feel i made some efforts to try to understand a code not well documented. I said "try" because it will be easier to just complain about it and that is not what the gentoo community needs. Even if that is a "none issue" report as you said, other people could have a very similar problem and just reading the report will prevent them to do some "unnecessary" checking.

Also, i don't see why you leave the bug report as invalid.
[#endif crabby answer]

[#elseif constructive reply]
Anyway there are two problems and i cannot believe they depend only from my own "unsupported" configuration. Please read carefully.

1. CCACHE_PREFIX

CCACHE_PREFIX=distcc generates distcc loop errors. ebuild.sh should take account of that, unset the variable or at least warns us about it. 

It appended because ebuild.sh automatically adds /usr/lib/distcc/bin in PATH. You can try the following example. Supposed you didn't initially set /usr/lib/distcc/bin in your path and distcc isn't declared in FEATURES, then ebuild.sh won't make any changes for distcc. distcc will be called directly from ccache and you get rid of the loop warning. Anyway, there will be some conflicts with sandbox. 

A workaround, is to set SANDBOX_WRITE="..." in /etc/portage/profile/profile.bashrc. In that case, you won't get sandbox violations again.

The benefit of CCACHE_PREFIX is to avoid unnecessary calls to distcc if ccache is able to find the code in its cache directly.

If you set manually distcc directory in PATH, you will have a "recursion error" in masquerade mode. distcc is called from ccache directly and will still be found reading PATH.

2. SANDBOX violation

If you won't use CCACHE_PREFIX and preferred to set distcc in FEATURES, ebuild.sh will build distcc environment but will forget to add DISTCC_DIR in SANDBOX_WRITE variable. So, you get a sandbox violation again.

A solution could be the one exposed in comment #6

[#endif constructive reply]

Jj
Comment 9 Roger 2009-12-28 15:47:40 UTC
Wow.  This bug is still open? ;-)

Anyways, I've been seeing this error and just end-up issuing the following at the command line for the problem packages:

# FEATURES="-ccache -distcc" emerge <package name>

I'm using  =sys-apps/portage-2.2_rc61.

Comment 10 Jimmy.Jazz 2009-12-28 16:10:31 UTC
(In reply to comment #9)
> Wow.  This bug is still open? ;-)
> 
> Anyways, I've been seeing this error and just end-up issuing the following at
> the command line for the problem packages:
> 
> # FEATURES="-ccache -distcc" emerge <package name>
> 
> I'm using  =sys-apps/portage-2.2_rc61.
> 
I have given up with the ccache/distcc probing thing. Anyway, with 
FEATURES="-cache distcc"
and
SANDBOX_WRITE="/var/log/ccache.log:/var/lib/cache/ccache:/var/lib/cache/distcc:/var/log/distcc.log:${SANDBOX_WRITE}"
SANDBOX_READ="/var/lib/cache/ccache:${SANDBOX_READ}"
distcc still works, even in pump mode. Not quite so well as it should but it works or it let me think so ;)
Also SANDBOX_WRITE and SANDBOX_READ are certainly not needed anymore because ccache has been deactivated in FEATURES.