Since ebuilds are not supposed to access network directly, except for very special cases, let's ensure they don't.
I'm attaching a patch that uses Linux's unshare() syscall to detach phases other than pkg_*() and src_unpack() from host networking.
What still needs to be done:
1. Some FEATURES key should be added for it. So we could start testing and deploying it without causing world-spread breakage.
2. 'ifconfig lo up' or equivalent should be put somewhere. unshare() creates a new, local loopback that needs to be up'ed to let apps use it.
1. We no longer have to wait for Diego to point out that tests use network :).
2. The ugly things like setuptools fetching itself are caught before they do damage.
3. Tests no longer can interfere with host's daemons -- like mongodb front-end tests writing to the production database running on the host (not that mongodb is suitable for anything production).
4. Daemons spawned during tests can not be accessed outside of the namespace. That is, random broken tests don't spawn security holes.
Created attachment 356282 [details, diff]
Unshare networking in ebuilds
Created attachment 356320 [details, diff]
2. Add FEATURES=network-sandbox
Created attachment 356322 [details, diff]
3. Cache libc find_library()
Created attachment 356324 [details, diff]
4. Enable loopback after unshare()
Thanks, this is in git:
This is fixed in 2.2.1.