
Bug 407501

Summary: python 3.2.2 sandbox violation, build process appears to be using first mounted tmpfs
Product: Gentoo Linux
Reporter: Troy Ablan <tablan>
Component: [OLD] Unspecified
Assignee: Python Gentoo Team <python>
Status: RESOLVED WORKSFORME
Severity: minor
CC: floppym
Priority: Normal
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: build.log

Description Troy Ablan 2012-03-09 06:27:10 UTC
We have multiple vserver environments.  Most do not have any tmpfs mounted whatsoever.  All of them were able to install python 3.2.2.  One of ours has several tmpfs mounts, none of which are /dev/shm, or anything else permitted by the sandbox, and it appears to fail after configure when installing python.



Reproducible: Always

Steps to Reproduce:
1. create a vserver or other environment with a static or non-tmpfs /dev, where you do have tmpfs mounts but only outside of what's permitted writes by the sandbox
2. emerge -1 =dev-lang/python-3.2.2
Actual Results:  
sandbox violation after configure phase

Expected Results:  
successful build and merge of python-3.2.2

Filesystem     1K-blocks    Used Available Use% Mounted on
rootfs          19238644 7967288  10294212  44% /
/dev/root       19238644 7967288  10294212  44% /
/dev/root       15791308 6775736   8219536  46% /usr/portage
/dev/root       15791308 6775736   8219536  46% /usr/portage/distfiles
/dev/md3       926306600 5119120 911776752   1% /scratch
none             1048576      28   1048548   1% /var/log/goodnet
none             1048576    2124   1046452   1% /var/log/nginx


Portage 2.1.10.44 (default/linux/amd64/10.0, gcc-4.5.3, glibc-2.13-r4, 2.6.35-vs2.3.0.36.32-gentoo x86_64)
=================================================================
System uname: Linux-2.6.35-vs2.3.0.36.32-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_L5410_@_2.33GHz-with-gentoo-2.1
Timestamp of tree: Thu, 08 Mar 2012 15:30:01 +0000
app-shells/bash:          4.1_p9
dev-lang/python:          2.7.2-r3, 3.1.4-r3
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r1
sys-devel/gcc-config:     1.5-r2
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo perl-experimental goodnet
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.llarian.net/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="-6"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/perl-experimental /usr/local/portage"
SYNC="rsync://gentoo.llarian.net/gentoo-portage"
USE="acl amd64 apng bash-completion bashlogger berkdb bzip2 cli cracklib crypt cups cxx dirac dri faac fortran gdbm gpm gsm iconv ipv6 mmx modules mp3 mudflap multilib ncurses nls nptl nptlonly openmp pam pcre pppd qt-faststart readline session speex sse sse2 ssl sysfs tcpd theora truetype unicode vim-syntax vorbis vpx x264 xorg xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fastcgi geo gzip limit_req limit_zone map memcached proxy referer rewrite scgi split_clients ssi upstream_ip_hash upload userid uwsgi" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic 
nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Comment 1 Troy Ablan 2012-03-09 06:28:19 UTC
Created attachment 304699: build.log
Comment 2 Troy Ablan 2012-03-10 23:59:56 UTC
BTW, my workaround in this vserver was to have a tmpfs mounted in /dev/shm/ and have that be the first tmpfs mount.
Comment 3 Mike Gilbert gentoo-dev 2012-03-12 23:15:18 UTC
I assume that /var/log/goodnet is a tmpfs?

From the build log:

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE "/var/log/sandbox/sandbox-15258.log"

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: link
S: deny
P: /var/log/goodnet/sem.autoconf
A: /var/log/goodnet/sem.autoconf
R: /var/log/goodnet/sem.autoconf
C: ./conftest 

F: unlink
S: deny
P: /var/log/goodnet/sem.jCcwUF
A: /var/log/goodnet/sem.jCcwUF
R: /var/log/goodnet/sem.jCcwUF
C: ./conftest 

F: link
S: deny
P: /var/log/goodnet/sem.autocftw
A: /var/log/goodnet/sem.autocftw
R: /var/log/goodnet/sem.autocftw
C: ./conftest 

F: unlink
S: deny
P: /var/log/goodnet/sem.K6rJnL
A: /var/log/goodnet/sem.K6rJnL
R: /var/log/goodnet/sem.K6rJnL
C: ./conftest 
--------------------------------------------------------------------------------
Comment 4 Marien Zwart (RETIRED) gentoo-dev 2012-03-13 16:29:56 UTC
Python's configure just compiles and runs a small test program that calls sem_open:

  sem_t *a = sem_open("/autoconf", O_CREAT, S_IRUSR|S_IWUSR, 0);

Looking at glibc (I used 2.15) I believe your problem is in nptl/sem_open.c, which does roughly "use /dev/shm if that is on a tmpfs, otherwise find a usable tmpfs mount in /proc/mounts". If my glance at the code is correct /dev being a tmpfs also suffices (the check is "/dev/shm is on a tmpfs", not "a tmpfs is mounted exactly on /dev/shm").

So I believe this is either a system misconfiguration (my system's fstab mentions "glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for POSIX shared memory") or a glibc misfeature (it should just fail sem_open and friends if there is no tmpfs present in the expected place).
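
As an added illustration (not part of the comment above, and not glibc's or sandbox's code), this C example models the lookup described in comment 4 and checks the resulting directory against a write-allow prefix list, which is how the denied `/var/log/goodnet/sem.*` paths in the log come about. The function names, the filesystem types in the sample mount table and the allow list are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed inputs: mount points follow the report's df output; filesystem
   types, options and the write-allow prefix list are assumed. */
const char SAMPLE_MOUNTS[] =
    "/dev/root / ext3 rw 0 0\n"
    "none /var/log/goodnet tmpfs rw 0 0\n"
    "none /var/log/nginx tmpfs rw 0 0\n";
const char SAMPLE_ALLOWED[] = "/dev/shm:/tmp:/var/tmp";

/* Lookup as described in comment 4: /dev/shm when it is on a tmpfs, else the
   first tmpfs entry in the table. Returns 1 and fills dir, 0 if none. */
int sem_dir(const char *mounts, int devshm_on_tmpfs, char *dir, size_t n)
{
    if (devshm_on_tmpfs)
        return snprintf(dir, n, "/dev/shm") > 0;
    while (*mounts) {
        char line[512], mnt[256], type[64];
        size_t len = strcspn(mounts, "\n");
        snprintf(line, sizeof line, "%.*s", (int)len, mounts);
        /* fields: device mountpoint fstype options dump pass */
        if (sscanf(line, "%*s %255s %63s", mnt, type) == 2 &&
            strcmp(type, "tmpfs") == 0)
            return snprintf(dir, n, "%s", mnt) > 0;
        mounts += len + (mounts[len] == '\n');
    }
    return 0;
}

/* 1 if path equals or lies below an entry of the colon-separated list. */
int write_allowed(const char *path, const char *allowed)
{
    while (*allowed) {
        size_t len = strcspn(allowed, ":");
        if (len && strncmp(path, allowed, len) == 0 &&
            (path[len] == '\0' || path[len] == '/'))
            return 1;
        allowed += len + (allowed[len] == ':');
    }
    return 0;
}

int main(void)
{
    char dir[256] = "(no tmpfs)";
    sem_dir(SAMPLE_MOUNTS, 0, dir, sizeof dir);
    printf("%s: %s\n", dir, write_allowed(dir, SAMPLE_ALLOWED) ? "allow" : "deny");
    return 0;
}
```

Passing 1 for `devshm_on_tmpfs` corresponds to the workaround in comment 2, where the semaphore files land in `/dev/shm` instead.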
Comment 5 Troy Ablan 2012-03-13 21:32:56 UTC
(In reply to comment #3)
> I assume that /var/log/goodnet is a tmpfs?
> 

It is.  It works fine without any tmpfs, or if /dev or /dev/shm is a tmpfs.  In vserver, /dev is minimal and static, with /dev/pts mounted over it.

Also, partially in reply to marienz:

The default vserver fstab DOES include a tmpfs /tmp of 16 megabytes; I removed that in all cases since it's woefully inadequate.  This would have allowed the merge to succeed (sandbox can write there), but do you guys think the default vserver fstab ought to also mount /dev/shm?  Do you think it's sufficiently misconfigured in the eyes of glibc that it's worth opening a bug with the VPS team?
Comment 6 Mike Gilbert gentoo-dev 2012-03-13 23:05:31 UTC
(In reply to comment #5)

Yeah. As marienz said, glibc expects /dev/shm to be a tmpfs. That's a pretty standard configuration item these days.

The initialization scripts for the virtual environment should take care of setting that up for you. If they don't, I would call it a bug.

Thanks for the report.