Latest sandbox/portage has terrible compilation performance. I am using make -j6 & distcc. The CPU spends about 85% of its time in system, most notably when running the cpp preprocessor. strace -cf emerge shows a huge number of calls to lstat. FEATURES="-sandbox" has normal performance.

emerge --info:
---------
Portage 2.0.51.20-r5 (default-linux/amd64/2005.0, gcc-3.4.3-20050110, glibc-2.3.5-r0, 2.6.11-gentoo-r6 x86_64)
=================================================================
System uname: 2.6.11-gentoo-r6 x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.6.11
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [disabled]
dev-lang/python: 2.3.5
sys-apps/sandbox: 1.2.3
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils: 2.15.92.0.2-r8
sys-devel/libtool: 1.5.16
virtual/os-headers: 2.6.11
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/net/brenta/d0/nfs/gentoo/distfiles"
FEATURES="autoconfig buildpkg distcc distlocks sandbox strict"
GENTOO_MIRRORS="http://ftp.gentoo.skynet.be/pub/gentoo http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j6"
PKGDIR="/net/brenta/d0/nfs/gentoo/packages/amd64"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/net/brenta/d0/nfs/gentoo/portage.local"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X Xaw3d a52 aac aalib accessibility accounting acl acpi alsa apache2 arts athena atlas bash-completion berkdb bidi bitmap-fonts blas bonobo cdparanoia cdr crypt cups curl dbm dga directfb dts dvd dvdr edl eds emacs emacs-w3 encode esd fam fame fastcgi fbcon festival ffmpeg flac font-server foomaticdb fortran gcj gd gdbm ggi gif gimpprint gmp gnome gnuplot gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile imagemagick imap imlib innodb ipv6 irda ithreads jack java joystick jp2 jpeg junit kde kerberos krb4 ldap libcaca libclamav libwww lirc live lzo lzw lzw-tiff mad matroska mikmod mime motif mozilla mp3 mpeg mule mysql nagios-dns nagios-ntp nagios-ping nas ncurses network nls nptl nvidia objc odbc ogg opengl oss pam pcmcia pcre pda pdflib perl perlsuid php png posix postgres postgresql povray python qt quotas readline rtc samba sasl sdl session slang smime snmp sox speex spell ssl svg tcltk tcpd tetex tga theora threads tiff truetype truetype-fonts type1-fonts usb v4l v4l2 vhosts vorbis webdav xanim xfs xine xinerama xml xml2 xmms xpm xrandr xscreensaver xv xvid zlib userland_GNU kernel_linux libc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

Reproducible: Always
Steps to Reproduce: 1. 2. 3.

This is a known issue and it isn't just version 1.2.3.

I can confirm horrible performance. While looking at the code I have found the following:

Function before_syscall() is called for every syscall. It parses SANDBOX_SOMETHING environment variables, which contain directory names, and it resolves symlinks for each directory name there. That is the cause of zillions of lstat() calls.

I do not understand why we parse those environment variables with every syscall and not only once. Especially when an application running in sandbox can easily change those environment variables and even disable sandbox:

jan@x ~ $ sandbox
========================== Gentoo linux path sandbox ===========================
Detection of the support files.
Verification of the required files.
Setting up the required environment variables.
The protected environment has been started.
--------------------------------------------------------------------------------
Shell being started in forked process.
jan@x /var/tmp/portage $ mkdir ~/sandbox-test
mkdir: cannot create directory `/home/jan/sandbox-test': Permission denied
jan@x /var/tmp/portage $ SANDBOX_ACTIVE=
jan@x /var/tmp/portage $ mkdir ~/sandbox-test
jan@x /var/tmp/portage $ exit
exit
Cleaning up sandbox process
Cleaning up pids file.
========================== Gentoo linux path sandbox ===========================
The protected environment has been shut down.
--------------------------------------------------------------------------------
jan@x ~ $

I thought that sandbox should not allow something like that. Am I missing something?

Yes. There are many ways to circumvent sandbox (as it's preload based), and its use is to be relatively sure some package does not trash /, and that we have all files in a bin package (something does not install out of $D). It is by no means a security method. Anyhow, should be fixed in 1.2.4.
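
The comment above traces the lstat() load to before_syscall() re-parsing the path lists and resolving symlinks on every intercepted call. As an added illustration (not sandbox's own code, and not a description of what 1.2.4 does), this C example resolves a colon-separated prefix list once and answers every later check from the cached copy. The variable name DEMO_WRITE_PREFIXES and the function names are hypothetical.

```c
/* Added example: canonicalize the prefix list once, not on every check. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PREFIXES 16

static char prefixes[MAX_PREFIXES][PATH_MAX]; /* canonical paths, cached */
static int n_prefixes, loaded;
static long resolve_calls;                    /* realpath() invocations */

/* Parse the colon-separated list in env var `var` and resolve symlinks,
 * exactly once. realpath() is where the lstat() traffic comes from. */
static void load_prefixes(const char *var) {
    const char *val = getenv(var);
    char *copy = val ? strdup(val) : NULL;
    loaded = 1;
    if (!copy) return;
    for (char *t = strtok(copy, ":"); t && n_prefixes < MAX_PREFIXES;
         t = strtok(NULL, ":")) {
        resolve_calls++;
        if (realpath(t, prefixes[n_prefixes])) /* skip unresolvable entries */
            n_prefixes++;
    }
    free(copy);
}

/* 1 if canonical `path` is under a cached prefix, else 0. The environment
 * is read on the first call only; later changes to `var` are ignored. */
int write_allowed(const char *var, const char *path) {
    if (!loaded) load_prefixes(var);
    for (int i = 0; i < n_prefixes; i++) {
        size_t n = strlen(prefixes[i]);
        if (strncmp(path, prefixes[i], n) == 0 &&
            (n == 1 || path[n] == '/' || path[n] == '\0'))
            return 1;
    }
    return 0;
}

/* Number of symlink resolutions performed so far. */
long resolve_count(void) { return resolve_calls; }
```

With a two-entry list, a thousand checks cost two realpath() calls in total rather than two per check. Caching removes the per-call cost, but as the last comment says, a preload-based wrapper is still not a security method.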