stegerpl Apprentice
Joined: 25 Jun 2005 Posts: 185 Location: 48°19'30"N 14°20'18"E
Posted: Sat Nov 10, 2007 4:56 pm Post subject: what the hell is FEATURE="-sandbox" ?
Hi,
I figured out almost the same issues as described in this thread and found that I may not compile several ebuilds without FEATURES="-sandbox", such as:
- nvidia-drivers
- lirc
- subversion
- kde stuff
I was looking into the handbook, the gentoo-wiki and also here, but I could not find an explanation of what this feature is, what it is used for and what the side-effects will be when I disable it. However, within this forum I could find a lot of threads with the proposal to set FEATURES="-sandbox" as well as the warning that it is not a good idea ... but not why and what it really is ... (maybe I have not found the right thread yet).
Who can help me - I want to solve my compiling problems and not make workarounds which may not work anymore within some weeks or will give huge side-effects, probably damaging my system...
Thanks, Peter
_________________
[1]... AMD Phenom X4-9950 on asus M3N78-EM with 4 GB of RAM - gentoo 10.1 - kernel 2.6.32 - kde 4.3.4
[2]... AMD Athlon XP 2500+ mobile on ASUS A7N8X with 512 kB RAM and 2xTT S-2300 - vdr-1.6.0 based on gentoo-2008.0

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54276 Location: 56N 3W
Posted: Sat Nov 10, 2007 5:04 pm
stegerpl,
sandbox is a safety feature of portage. It ensures that all portage processes run at the lowest privilege levels needed to do the job.
When -sandbox is in effect, everything that portage does is done as root.
Unfortunately sandbox is a little aggressive. Particularly when building kernel modules, so you need to turn it off then.
It's a known bug.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

timeBandit Bodhisattva
Joined: 31 Dec 2004 Posts: 2719 Location: here, there or in transit
Posted: Sat Nov 10, 2007 5:21 pm
NeddySeagoon wrote: | Unfortunately sandbox is a little aggressive. Particularly when building kernel modules, so you need to turn it off then.
It's a known bug. |
Interesting...I've never ever been bitten by this bug, not even on kernel modules such as nVidia and the Cisco VPN client. Is it something that only affects certain (buggy?) ebuilds, KEYWORDs or ARCHes?
I ask as much for my own edification as for stegerpl's benefit...maybe there's a workaround or fix short of -sandbox. Bugzilla reports 46 bugs for "sandbox," which is a bit more than I have time to scan today.
Code: |
49 tty0 $ emerge --info | grep sandbox
sys-apps/sandbox: 1.2.17
FEATURES="autoconfig distlocks metadata-transfer parallel-fetch sandbox sfperms strict" |
_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others.

loftwyr l33t
Joined: 29 Dec 2004 Posts: 970 Location: 43°38'23.62"N 79°27'8.60"W
Posted: Sat Nov 10, 2007 5:30 pm
The bug has been fixed, you just need the latest testing version of sandbox.
_________________
My emerge --info
Have you run revdep-rebuild lately? It's in gentoolkit and it's worth a shot if things don't work well.
Celebrating 5 years of Gentoo-ing.

stegerpl Apprentice
Joined: 25 Jun 2005 Posts: 185 Location: 48°19'30"N 14°20'18"E
Posted: Sat Nov 10, 2007 6:06 pm
Hi
thanks for the (first) infos....
@neddy:
Quote: | sandbox is a safety feature of portage. .... -sandbox.... everything ... is done as root. |
Since I am alone on my machine I am using root for all portage things anyway - so that means FEATURES="-sandbox" may not do any harm on my system...
Is there a way to disable it in the /etc/make.conf => does FEATURES="-sandbox" work there ? or is there a better way to do so ?
@loftwyr:
loftwyr wrote: | .... latest testing version of sandbox. |
... I had "sys-apps/sandbox-1.2.17" and upgrading to "sys-apps/sandbox-1.2.18.1-r2" worked at least for lirc
I will further test it and give my reports...
Thanks,
Peter

NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54276 Location: 56N 3W
Posted: Sat Nov 10, 2007 6:41 pm
stegerpl,
You can set FEATURES= in make.conf. See make.conf.example for a list and to see how to do it.

i92guboj Bodhisattva
Joined: 30 Nov 2004 Posts: 10315 Location: Córdoba (Spain)
Posted: Sat Nov 10, 2007 6:44 pm
stegerpl wrote: | Hi
thanks for the (first) infos....
@neddy: Quote: | sandbox is a safety feature of portage. .... -sandbox.... everything ... is done as root. | Since I am alone on my machine I am using root for all portage things anyway - so that means FEATURES="-sandbox" may not do any harm on my system...
|
Not a good idea (TM).
That basically means that, if by any chance, a buggy ebuild does something stupid, it will be done with root privileges, and directly into your filesystem, without any chance to stop it.
Ebuilds are basically just bash scripts, so, a simple typo, a wrong / on the wrong place, a wrong order for a glob (*) on the wrong place, or any other stupid thing, can completely destroy your system.
Not only that, but also note that sometimes, building processes are guided by bash scripts that are bundled with the source itself, making the whole thing even more funny, because any idiotic things or error in one of those scripts have the potential to convert your gentoo installation (not to talk about your precious data) into a bionic omelet.
Usually, this would be done into a "sandbox", which is a virtual environment, not tied to your live system in any way, so, if something is trashed, it is just this sandboxed image which is lost, and nothing more.
Quote: |
Is there a way to disable it in the /etc/make.conf => does FEATURES="-sandbox" work there ? or is there a better way to do so ?
|
Yes, you can do it there... at your own risk, of course.

stegerpl Apprentice
Joined: 25 Jun 2005 Posts: 185 Location: 48°19'30"N 14°20'18"E
Posted: Sun Nov 11, 2007 11:27 am
Hi,
i92guboj wrote: | ....a "sandbox", which is a virtual environment, not tied to your live system in any way, so, if something is trashed, it is just this sandboxed image which is lost, and nothing more... |
OK I understand that the whole emerging/compiling process is done within this virtual environment => where is it located ? I do not use a swap partition since I have built in 2 GB of RAM - works fine now for more than 2 years - maybe the sandbox now runs out of memory ?
Since when is this sandbox activated by default ? With my last system-setups (I am setting up a complete new system approximately every 6-12 months - just for fun and interest) I did not face any problems in respect to the sandbox.
This time I have a lot of problems I am on the way to figure out in more detail now => such as a broken system (almost all emerges stop with some stupid errors) since I made an emerge --update system after I installed xorg-x11 base system. But I am still checking what's really going on (misplaced USE, ACCEPT_KEYWORDS, etc.)
In fact the updating of sandbox solved my problems just until I made the system update.
I found also one conflict which appeared during the emerge --update system (after xorg-x11) which confuses me a little: setarch conflicts with some linux-utils...
I will return a little later with more information (just re-setting up)....
Peter

i92guboj Bodhisattva
Joined: 30 Nov 2004 Posts: 10315 Location: Córdoba (Spain)
Posted: Sun Nov 11, 2007 1:35 pm
stegerpl wrote: | Hi, i92guboj wrote: | ....a "sandbox", which is a virtual environment, not tied to your live system in any way, so, if something is trashed, it is just this sandboxed image which is lost, and nothing more... |
OK I understand that the whole emerging/compiling process is done within this virtual environment => where is it located ? I do not use a swap partition since I have built in 2 GB of RAM - works fine now for more than 2 years - maybe the sandbox now runs out of memory ?
|
No, the temporary storage is on the hard drive, as far as I know. Just make sure you have lots of space on /var/tmp/portage if you are going to compile any monster like openoffice.
Quote: |
Since when is this sandbox activated by default ? With my last system-setups (I am setting up a complete new system approximately every 6-12 months - just for fun and interest) I did not face any problems in respect to the sandbox.
|
Can't give you a date. I just remember it being there since I started using Gentoo (though I couldn't swear it either). I've been around here for about 4 years.
The sandbox violation errors are not related to lack of storage space. A sandbox violation error is issued when anything that is being made into that sandbox tries to write out of the sandbox. That can be many things, including, but probably not limited to: faulty ebuilds, faulty makefiles, which use absolute paths and faulty installation scripts. It can also happen if there is a bug on the sandbox itself. Which is why...
Quote: | In fact the updating of sandbox solved my problems just until I made the system update. |
Quote: | I found also one conflict which appeared during the emerge --update system (after xorg-x11) which confuses me a little: setarch conflicts with some linux-utils...
I will return a little later with more information (just re-setting up)....
Peter |
That last issue is not related to the sandbox at all. Open a thread for it, it is probably a blockers issue, but I can't help without knowing the concrete problem.

stegerpl Apprentice
Joined: 25 Jun 2005 Posts: 185 Location: 48°19'30"N 14°20'18"E
Posted: Sun Nov 11, 2007 6:49 pm
Hi,
as promised I made further checks and that's what I came out with:
My troubles after emerge --update system start after the successful compilation of glibc. After this the update breaks at sys-apps/module-init-tools-3.4 with the remark "sandbox: C'ant resolve getGwd". Also other emerges break from now on, even an emerge sandbox.
But when I do a FEATURES="-sandbox" emerge sandbox everything works normal again (at least for the 5 emerges I did meanwhile - I will continue with xorg-x11)
My /etc/make.conf includes the following active lines: Quote: |
CFLAGS="-O2 -march=k8 -mmmx -msse2 -msse3 -m3dnow -mfpmath=sse"
CHOST="x86_64-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j3"
ACCEPT_KEYWORDS="amd64"
PORTDIR_OVERLAY="/usr/local/overlays/gentoo-de"
GENTOO_MIRRORS="ftp://194.117.143.70/mirrors/gentoo ftp://mirror.scarlet-internet.nl/pub/gentoo"
FEATURES="parallel-fetch userfetch"
ALSA_CARDS="via82xx"
LINGUAS="de"
VIDEO_CARDS="nvidia"
source /usr/portage/local/layman/make.conf
USE="-arts -gnome -gpm -gstreamer" |
my /etc/make.profiles points to /usr/portage/profiles/default-linux/amd64/2007.0/desktop
Question: should I start a new thread with this item or may we handle it here ? who has some infos ?
Peter

movrev Tux's lil' helper
Joined: 07 Mar 2004 Posts: 114 Location: Berkeley, CA - USA
Posted: Sun Nov 11, 2007 8:08 pm
Awesome info. I just had a sandbox violation because I'm working with a new ebuild and I must be doing something wrong in the installation script which reads:
Code: |
src_install() {
    make install
} |
I know this seems trivial, but not doing so happens to not install anything in the system, which makes sense. How can I modify the above to have emerge test the installation in the sandbox first, which I assume is what needs to happen. By the way, I've configured/compiled the program well in and out of portage and have been able to install it out of portage as long as I run:
Code: | su -c "make install" |
Thanks.
_________________
Shuttle SN25P - FN25 mobo nForce 4 - AMD Athlon 64 3500+ - nVidia GeForce 6800 - Maxtor 200Gb - 2x1024 Mb Corsair XMS RAM

i92guboj Bodhisattva
Joined: 30 Nov 2004 Posts: 10315 Location: Córdoba (Spain)
Posted: Sun Nov 11, 2007 9:41 pm
movrev wrote: | Awesome info. I just had a sandbox violation because I'm working with a new ebuild and I must be doing something wrong in the installation script which reads:
Code: | src_install() {
make install
} |
I know this seems trivial, but not doing so happens to not install anything in the system, which makes sense. How can I modify the above to have emerge test the installation in the sandbox first, which I assume is what needs to happen. By the way, I've configured/compiled the program well in and out of portage and have been able to install it out of portage as long as I run:
Code: | su -c "make install" |
Thanks. |
Look at the error message, it will give you some more info about what's happening.
The bug is not necessarily in the ebuild. It can be a defective makefile or install script. In that case, you might need to make a patch to solve it, and apply it via the ebuild.

movrev Tux's lil' helper
Joined: 07 Mar 2004 Posts: 114 Location: Berkeley, CA - USA
Posted: Sun Nov 11, 2007 10:05 pm
This is the error:
Code: |
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-x11-misc_-_fme-1.0.0-7155.log"
open_wr: /usr/share/locale/fr/LC_MESSAGES/fme.mo
open_wr: /usr/bin/fme
--------------------------------------------------------------------------------
|
Which I guess means that the install script is trying to access the true system from the sandbox, right?
Also, the install script that runs when one does make install is ./install-sh, right?
[Edit] This is actually one of the error messages:
Code: |
/usr/bin/install -c 'fme' '/usr/bin/fme'
ACCESS DENIED open_wr: /usr/bin/fme
/usr/bin/install: cannot create regular file `/usr/bin/fme': Permission denied
make[2]: *** [install-binPROGRAMS] Error 1
make[2]: Leaving directory `/var/tmp/portage/x11-misc/fme-1.0.0/work/fme-1.0.0/src'
make[1]: *** [install-am] Error 2
make[1]: Leaving directory `/var/tmp/portage/x11-misc/fme-1.0.0/work/fme-1.0.0/src'
make: *** [install-recursive] Error 1
|
[/Edit]

i92guboj Bodhisattva
Joined: 30 Nov 2004 Posts: 10315 Location: Córdoba (Spain)
Posted: Sun Nov 11, 2007 10:38 pm
movrev wrote: | This is the error:
Code: | --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-x11-misc_-_fme-1.0.0-7155.log"
open_wr: /usr/share/locale/fr/LC_MESSAGES/fme.mo
open_wr: /usr/bin/fme
--------------------------------------------------------------------------------
|
Which I guess means that the install script is trying to access the true system from the sandbox, right?
|
yes
Quote: |
Also, the install script that runs when one does make install is ./install-sh, right?
[Edit] This is actually one of the error messages:
Code: | /usr/bin/install -c 'fme' '/usr/bin/fme'
ACCESS DENIED open_wr: /usr/bin/fme
/usr/bin/install: cannot create regular file `/usr/bin/fme': Permission denied
make[2]: *** [install-binPROGRAMS] Error 1
make[2]: Leaving directory `/var/tmp/portage/x11-misc/fme-1.0.0/work/fme-1.0.0/src'
make[1]: *** [install-am] Error 2
make[1]: Leaving directory `/var/tmp/portage/x11-misc/fme-1.0.0/work/fme-1.0.0/src'
make: *** [install-recursive] Error 1
|
[/Edit] |
The behaviour of make <whatever> on a given dir comes given by the makefiles on that dir. That said, there's a big chance that the install-sh script is involved in one way or another, but don't blindly assume that. You will need to look at the makefile, and track from there. The paths and errors on the logs will be vital when diagnosing the problem and patching the package in search of a solution. Of course, if you can trust the ebuild, you can also take the short way and just disable the sandbox for that ebuild.
You should also look in google and bugs.gentoo.org if you haven't already. Maybe someone did the job for you.
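An added example, not part of the thread and not portage code: a POSIX shell triage of the violation summary quoted above. It lists each denied operation and, for paths on the live filesystem, shows where the file would land if the install were staged into the package's image directory; BUILD_ROOT, the image path and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): triage a sandbox ACCESS VIOLATION SUMMARY.
LC_ALL=C; export LC_ALL
BUILD_ROOT="/var/tmp/portage"   # assumption: build area seen in the thread's make output

# Sample input: the summary and one make line as quoted in the thread.
sample_log() {
cat <<'EOF'
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-x11-misc_-_fme-1.0.0-7155.log"
open_wr: /usr/share/locale/fr/LC_MESSAGES/fme.mo
open_wr: /usr/bin/fme
--------------------------------------------------------------------------------
make[2]: Leaving directory `/var/tmp/portage/x11-misc/fme-1.0.0/work/fme-1.0.0/src'
EOF
}

# Strip leading blanks from $1.
ltrim() { printf '%s' "${1#"${1%%[![:space:]]*}"}"; }

# Emit "operation<TAB>path" for each record such as "open_wr: /usr/bin/fme"
# (also accepts the "ACCESS DENIED open_wr: ..." form from build output).
violations() {
    while IFS= read -r line; do
        line=$(ltrim "$line")
        line=$(ltrim "${line#ACCESS DENIED}")
        op=${line%%:*}
        case $op in ''|*[!a-z_0-9]*) continue ;; esac   # not an operation name
        [ "$op" != "$line" ] || continue                # no colon on the line
        path=$(ltrim "${line#*:}")
        case $path in /*) printf '%s\t%s\n' "$op" "$path" ;; esac
    done
}

# For each violation say whether it stayed inside BUILD_ROOT; for writes to the
# live filesystem, print the staged location under the image dir ($1, i.e. ${D}).
triage() {
    image=${1%/}
    tab=$(printf '\t')
    violations | while IFS=$tab read -r op path; do
        case $path in
            "$BUILD_ROOT"/*) printf '%s %s: inside build root\n' "$op" "$path" ;;
            *) printf '%s %s: live filesystem, stage as %s%s\n' "$op" "$path" "$image" "$path" ;;
        esac
    done
}

# Count writes that targeted the live filesystem.
live_count() { triage "$1" | grep -c 'live filesystem'; }

sample_log | triage "$BUILD_ROOT/x11-misc/fme-1.0.0/image"   # image path is an assumption
```

Every "live filesystem" line is an install step that ignored the staging prefix, which is what to look for in the makefile or install script.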

movrev Tux's lil' helper
Joined: 07 Mar 2004 Posts: 114 Location: Berkeley, CA - USA
Posted: Sun Nov 11, 2007 10:57 pm
Disabling the sandbox enables me to install the package, logically.
I'm actually helping solve this bug in order to get fme (a graphical menu editor for fluxbox) in portage eventually. I'm not a gentoo devel, but I guess improving the ebuild will eventually raise attention to the program and it gets approved.
I'm currently modifying the ebuild and testing it in a portage overlay. If I get the sandbox issue solved, I'll post to the bug and cross my fingers.

Thymus n00b
Joined: 03 Apr 2005 Posts: 44 Location: Belgium
Posted: Mon Nov 12, 2007 8:24 pm
Hello
I'm the developer of FME.
I don't know how to fix this bug.
I'm using autotools, so I didn't ask to directly write to root fs from sandbox...
How should I do to correct that ?
I'm searching on the net, but...
Thanks for your help !
EDIT :
Solved :
make DESTDIR=${D} install works fine :]
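The fix reported above works because automake-generated makefiles prefix every install path with $(DESTDIR). An added example, not code from fme or portage, that runs the same make invocation on a constructed Makefile and compares it with the unstaged dry run; the project layout and function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): what "make DESTDIR=${D} install" changes.
# In an ebuild the same call is usually written: emake DESTDIR="${D}" install

# Write a constructed two-file project into directory $1. Its install rule uses
# the $(DESTDIR)$(prefix) layout that automake-generated makefiles also use.
make_project() {
    printf '#!/bin/sh\necho "fme placeholder"\n' > "$1/fme"
    {
        printf 'prefix = /usr\n'
        printf 'install:\n'
        printf '\tmkdir -p $(DESTDIR)$(prefix)/bin\n'
        printf '\tcp fme $(DESTDIR)$(prefix)/bin/fme\n'
    } > "$1/Makefile"
}

# Dry run (-n executes nothing): the commands a plain "make install" would run.
# These target the live filesystem, which is what the sandbox denied.
unstaged_targets() {
    (cd "$1" && make -n DESTDIR= install)
}

# Install from source dir $1 into image dir $2, then list what was staged as
# paths relative to the image root (the paths merged into the system later).
staged_install() {
    (cd "$1" && make DESTDIR="$2" install) >/dev/null || return 1
    (cd "$2" && find . -type f | sed 's|^\.||' | sort)
}

# Build a throwaway tree, show both behaviours, clean up.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/src" "$tmp/image" && make_project "$tmp/src" || { rm -rf "$tmp"; return 1; }
    echo "without DESTDIR, make would run:"
    unstaged_targets "$tmp/src"
    echo "with DESTDIR, files staged under the image dir:"
    staged_install "$tmp/src" "$tmp/image"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if command -v make >/dev/null 2>&1; then demo; fi
```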

stegerpl Apprentice
Joined: 25 Jun 2005 Posts: 185 Location: 48°19'30"N 14°20'18"E
Posted: Mon Nov 12, 2007 9:11 pm
Hi,
as promised my report => I could emerge xorg-x11 as well as xfce4 without any further problems...
It seems that my problem was really somehow related to the combination of glibc and sandbox as described above but I can not limit it down in more detail.
Anyway thanks for infos and help...
Peter