Gentoo Forums
what the hell is FEATURE="-sandbox" ?
stegerpl
Apprentice

Joined: 25 Jun 2005
Posts: 185
Location: 48°19'30"N 14°20'18"E

Posted: Sat Nov 10, 2007 4:56 pm    Post subject: what the hell is FEATURE="-sandbox" ?

Hi,

I figured out almost the same issues as described in this thread and found that I may not compile several ebuilds without FEATURES="-sandbox" such as :
    - nvidia-drivers
    - lirc
    - subversion
    - kde stuff
I was looking into the handbook the gentoo-wiki and also here but I could not find an explanation what this feature is and what it is used for and what will be the side-effects when I disable it. However within this forum I could find a lot of threads with the proposal to set FEATURES="-sandbox" as well as the warning that it is not a good idea ...but not why and what it really is... (maybe I have not found the right thread yet).

who can help me - I want to solve my compiling problems and not making workarounds which may not work anymore within some weeks or will give huge side-effects probably damaging my system...

thanks Peter
_________________
[1]... AMD Phenon X4-9950 on asus M3N78-EM with 4 GB of RAM - gentoo 10.1 - kernel 2.6.32 - kde 4.3.4
[2]... AMD Athlon XP 2500+ mobile on ASUS A7N8X with 512 kB RAM and 2xTT S-2300 - vdr-1.6.0 based on gentoo-2008.0
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54097
Location: 56N 3W

Posted: Sat Nov 10, 2007 5:04 pm

stegerpl,

sandbox is a safety feature of portage. It ensures that all portage processes run at the lowest privilege levels needed to do the job.
When -sandbox is in effect, everything that portage does is done as root.

Unfortunately sandbox is a little aggressive. Particularly when building kernel modules, so you need to turn it off then.
It's a known bug.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
timeBandit
Bodhisattva

Joined: 31 Dec 2004
Posts: 2719
Location: here, there or in transit

Posted: Sat Nov 10, 2007 5:21 pm

NeddySeagoon wrote:
Unfortunately sandbox is a little aggressive. Particularly when building kernel modules, so you need to turn it off then.
It's a known bug.
Interesting...I've never ever been bitten by this bug, not even on kernel modules such as nVidia and the Cisco VPN client. :o Is it something that only affects certain (buggy?) ebuilds, KEYWORDs or ARCHes?

I ask as much for my own edification as for stegerpl's benefit...maybe there's a workaround or fix short of -sandbox. Bugzilla reports 46 bugs for "sandbox," which is a bit more than I have time to scan today. :wink:
Code:
49 tty0 $ emerge --info | grep sandbox
sys-apps/sandbox:    1.2.17
FEATURES="autoconfig distlocks metadata-transfer parallel-fetch sandbox sfperms strict"

_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others.
loftwyr
l33t

Joined: 29 Dec 2004
Posts: 970
Location: 43°38'23.62"N 79°27'8.60"W

Posted: Sat Nov 10, 2007 5:30 pm

The bug has been fixed, you just need the latest testing version of sandbox.
_________________
My emerge --info
Have you run revdep-rebuild lately? It's in gentoolkit and it's worth a shot if things don't work well.
Celebrating 5 years of Gentoo-ing.
stegerpl
Apprentice

Joined: 25 Jun 2005
Posts: 185
Location: 48°19'30"N 14°20'18"E

Posted: Sat Nov 10, 2007 6:06 pm

Hi

thanks for the (first) infos....

@neddy:
Quote:
sandbox is a safety feature of portage. .... -sandbox.... everything ... is done as root.
Since I am alone on my machine I am using root for all portage things anyway - so that means FEATURES="-sandbox" may not do any harm on my system...

Is there a way to disable it in the /etc/make.conf => does FEATURES="-sandbox" work there ? or is there a better way to do so ?

@loftwyr:
loftwyr wrote:
.... latest testing version of sandbox.
... I had "sys-apps/sandbox-1.2.17" and upgrading to "sys-apps/sandbox-1.2.18.1-r2" worked at least for lirc

I will further test it and give my reports...

Thanks, Peter
_________________
[1]... AMD Phenon X4-9950 on asus M3N78-EM with 4 GB of RAM - gentoo 10.1 - kernel 2.6.32 - kde 4.3.4
[2]... AMD Athlon XP 2500+ mobile on ASUS A7N8X with 512 kB RAM and 2xTT S-2300 - vdr-1.6.0 based on gentoo-2008.0
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54097
Location: 56N 3W

Posted: Sat Nov 10, 2007 6:41 pm

stegerpl,

You can set FEATURES= in make.conf. See make.conf.example for a list and to see how to do it.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
i92guboj
Bodhisattva

Joined: 30 Nov 2004
Posts: 10315
Location: Córdoba (Spain)

Posted: Sat Nov 10, 2007 6:44 pm

stegerpl wrote:
Hi

thanks for the (first) infos....

@neddy:
Quote:
sandbox is a safety feature of portage. .... -sandbox.... everything ... is done as root.
Since I am alone on my machine I am using root for all portage things anyway - so that means FEATURES="-sandbox" may not do any harm on my system...


Not a good idea (TM).

That basically means that, if by any chance, a buggy ebuild does something stupid, it will be done with root privileges, and directly into your filesystem, without any chance to stop it.

Ebuilds are basically just bash scripts, so, a simple typo, a wrong / on the wrong place, a wrong order for a glob (*) on the wrong place, or any other stupid thing, can completely destroy your system.

Not only that, but also note that sometimes, building processes are guided by bash scripts that are bundled with the source itself, making the whole thing even more funny, because any idiotic thing or error in one of those scripts has the potential to convert your gentoo installation (not to talk about your precious data) into a bionic omelet.

Usually, this would be done into a "sandbox", which is a virtual environment, not tied to your live system in any way, so, if something is trashed, it is just this sandboxed image which is lost, and nothing more.

Quote:

Is there a way to disable it in the /etc/make.conf => does FEATURES="-sandbox" work there ? or is there a better way to do so ?


Yes, you can do it there... at your own risk, of course.
stegerpl
Apprentice

Joined: 25 Jun 2005
Posts: 185
Location: 48°19'30"N 14°20'18"E

Posted: Sun Nov 11, 2007 11:27 am

Hi,
i92guboj wrote:
....a "sandbox", which is a virtual environment, not tied to your live system in any way, so, if something is trashed, it is just this sandboxed image which is lost, and nothing more...

OK I understand that the whole emerging/compiling process is done within this virtual environment => where is it located ? I do not use a swap partition since I have build in 2 GB of RAM - works fine now for more than 2 years - maybe the sandbox now runs out of memory ?

Since when is this sandbox activated by default ? With my last system-setups (I am setting up a complete new system approximately every 6-12 months - just for fun and interest) I did not face any problems in respect to the sandbox.

This time I have a lot of problems I am on the way to figure out in more detail now => such like broken system (almost all emerges stop with some stupid errors) since I made a emerge --update system after I installed xorg-x11 base system. But I am still checking what's really going on (misplaced USE, ACCEPT_KEYWORDS, etc.)

In fact the updating of sandbox solved my problems just until I made the system update. :x

I found also one conflict which appeared during the emerge --update system (after xorg-x11) which confuses me a little: setarch conflicts with some linux-utils...

I will return a little later with more information (just re-setting up)....

Peter
_________________
[1]... AMD Phenon X4-9950 on asus M3N78-EM with 4 GB of RAM - gentoo 10.1 - kernel 2.6.32 - kde 4.3.4
[2]... AMD Athlon XP 2500+ mobile on ASUS A7N8X with 512 kB RAM and 2xTT S-2300 - vdr-1.6.0 based on gentoo-2008.0
i92guboj
Bodhisattva

Joined: 30 Nov 2004
Posts: 10315
Location: Córdoba (Spain)

Posted: Sun Nov 11, 2007 1:35 pm

stegerpl wrote:
Hi,
i92guboj wrote:
....a "sandbox", which is a virtual environment, not tied to your live system in any way, so, if something is trashed, it is just this sandboxed image which is lost, and nothing more...

OK I understand that the whole emerging/compiling process is done within this virtual environment => where is it located ? I do not use a swap partition since I have build in 2 GB of RAM - works fine now for more than 2 years - maybe the sandbox now runs out of memory ?


No, the temporary storage is on the hard drive, as far as I know. Just make sure you have lots of space on /var/tmp/portage if you are going to compile any monster like openoffice.

Quote:

Since when is this sandbox activated by default ? With my last system-setups (I am setting up a complete new system approximately every 6-12 months - just for fun and interest) I did not face any problems in respect to the sandbox.


Can't give you a date. I just remember it being there since I started using Gentoo (though I couldn't swear it either). I've been around here for about 4 years.

The sandbox violation errors are not related to lack of storage space. A sandbox violation error is issued when anything that is being made into that sandbox tries to write out of the sandbox. That can be many things, including, but probably not limited to: faulty ebuilds, faulty makefiles which use absolute paths, and faulty installation scripts. It can also happen if there is a bug on the sandbox itself. Which is why...

Quote:
In fact the updating of sandbox solved my problems just until I made the system update. :x





Quote:
I found also one conflict which appeared during the emerge --update system (after xorg-x11) which confuses me a little: setarch conflicts with some linux-utils...

I will return a little later with more information (just re-setting up)....

Peter


That last issue is not related to the sandbox at all. Open a thread for it, it is probably a blockers issue, but I can't help without knowing the concrete problem.
stegerpl
Apprentice

Joined: 25 Jun 2005
Posts: 185
Location: 48°19'30"N 14°20'18"E

Posted: Sun Nov 11, 2007 6:49 pm

Hi,

as promised i made further checks and that's what I came out with:

My troubles after emerge --update system start after the successful compilation of glibc. After this the update breaks at sys-apps/module-init-tools-3.4 with the remark "sandbox: C'ant resolve getGwd". Also other emerges break from now on, even an emerge sandbox.

But when I do a FEATURES="-sandbox" emerge sandbox everything works normal again (at least for the 5 emerges I did meanwhile - I will continue with xorg-x11)

My /etc/make.conf includes the following active lines:
Quote:

CFLAGS="-O2 -march=k8 -mmmx -msse2 -msse3 -m3dnow -mfpmath=sse"
CHOST="x86_64-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j3"
ACCEPT_KEYWORDS="amd64"
PORTDIR_OVERLAY="/usr/local/overlays/gentoo-de"
GENTOO_MIRRORS="ftp://194.117.143.70/mirrors/gentoo ftp://mirror.scarlet-internet.nl/pub/gentoo"
FEATURES="parallel-fetch userfetch"
ALSA_CARDS="via82xx"
LINGUAS="de"
VIDEO_CARDS="nvidia"
source /usr/portage/local/layman/make.conf
USE="-arts -gnome -gpm -gstreamer"

my /etc/make.profiles points to /usr/portage/profiles/default-linux/amd64/2007.0/desktop

Question: should I start a new thread with this item or may we handle it here ? who has some infos ?

Peter
_________________
[1]... AMD Phenon X4-9950 on asus M3N78-EM with 4 GB of RAM - gentoo 10.1 - kernel 2.6.32 - kde 4.3.4
[2]... AMD Athlon XP 2500+ mobile on ASUS A7N8X with 512 kB RAM and 2xTT S-2300 - vdr-1.6.0 based on gentoo-2008.0
movrev
Tux's lil' helper

Joined: 07 Mar 2004
Posts: 114
Location: Berkeley, CA - USA

Posted: Sun Nov 11, 2007 8:08 pm

Awesome info. I just had a sandbox violation because I'm working with a new ebuild and I must be doing something wrong in the installation script which reads:

Code:
src_install() {
    make install
}


I know this seems trivial, but not doing so happens to not install anything in the system, which makes sense. How can I modify the above to have emerge test the installation in the sandbox first, which I assume is what needs to happen. By the way, I've configured/compiled the program well in and out of portage and have been able to install it out of portage as long as I run:

Code:
su -c "make install"


Thanks.
_________________
Shuttle SN25P - FN25 mobo nForce 4 - AMD Athlon 64 3500+ - nVidia GeForce 6800 - Maxtor 200Gb - 2x1024 Mb Corsair XMS RAM
i92guboj
Bodhisattva

Joined: 30 Nov 2004
Posts: 10315
Location: Córdoba (Spain)

Posted: Sun Nov 11, 2007 9:41 pm

movrev wrote:
Awesome info. I just had a sandbox violation because I'm working with a new ebuild and I must be doing something wrong in the installation script which reads:

Code:
src_install() {
    make install
}


I know this seems trivial, but not doing so happens to not install anything in the system, which makes sense. How can I modify the above to have emerge test the installation in the sandbox first, which I assume is what needs to happen. By the way, I've configured/compiled the program well in and out of portage and have been able to install it out of portage as long as I run:

Code:
su -c "make install"


Thanks.


Look at the error message, it will give you some more info about what's happening.

The bug is not necessarily in the ebuild. It can be a defective makefile or install script. In that case, you might need to make a patch to solve it, and apply it via the ebuild.
movrev
Tux's lil' helper

Joined: 07 Mar 2004
Posts: 114
Location: Berkeley, CA - USA

Posted: Sun Nov 11, 2007 10:05 pm

This is the error:

Code:
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-x11-misc_-_fme-1.0.0-7155.log"

open_wr:   /usr/share/locale/fr/LC_MESSAGES/fme.mo
open_wr:   /usr/bin/fme
--------------------------------------------------------------------------------


Which I guess means that the install script is trying to access the true system from the sandbox, right?

Also, the install script that runs when one does make install is ./install-sh, right?

[Edit] This is actually one of the error messages:

Code:
  /usr/bin/install -c 'fme' '/usr/bin/fme'
ACCESS DENIED  open_wr:   /usr/bin/fme
/usr/bin/install: cannot create regular file `/usr/bin/fme': Permission denied
make[2]: *** [install-binPROGRAMS] Error 1
make[2]: Leaving directory `/var/tmp/portage/x11-misc/fme-1.0.0/work/fme-1.0.0/src'
make[1]: *** [install-am] Error 2
make[1]: Leaving directory `/var/tmp/portage/x11-misc/fme-1.0.0/work/fme-1.0.0/src'
make: *** [install-recursive] Error 1

[/Edit]
_________________
Shuttle SN25P - FN25 mobo nForce 4 - AMD Athlon 64 3500+ - nVidia GeForce 6800 - Maxtor 200Gb - 2x1024 Mb Corsair XMS RAM
i92guboj
Bodhisattva

Joined: 30 Nov 2004
Posts: 10315
Location: Córdoba (Spain)

Posted: Sun Nov 11, 2007 10:38 pm

movrev wrote:
This is the error:

Code:
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-x11-misc_-_fme-1.0.0-7155.log"

open_wr:   /usr/share/locale/fr/LC_MESSAGES/fme.mo
open_wr:   /usr/bin/fme
--------------------------------------------------------------------------------


Which I guess means that the install script is trying to access the true system from the sandbox, right?


yes

Quote:

Also, the install script that runs when one does make install is ./install-sh, right?

[Edit] This is actually one of the error messages:

Code:
  /usr/bin/install -c 'fme' '/usr/bin/fme'
ACCESS DENIED  open_wr:   /usr/bin/fme
/usr/bin/install: cannot create regular file `/usr/bin/fme': Permission denied
make[2]: *** [install-binPROGRAMS] Error 1
make[2]: Leaving directory `/var/tmp/portage/x11-misc/fme-1.0.0/work/fme-1.0.0/src'
make[1]: *** [install-am] Error 2
make[1]: Leaving directory `/var/tmp/portage/x11-misc/fme-1.0.0/work/fme-1.0.0/src'
make: *** [install-recursive] Error 1

[/Edit]


The behaviour of make <whatever> on a given dir comes given by the makefiles on that dir. That said, there's a big chance that the install-sh script is involved in one way or another, but don't blindly assume that. You will need to look at the makefile, and track from there. The paths and errors on the logs will be vital when diagnosing the problem and patching the package in search of a solution. Of course, if you can trust the ebuild, you can also take the short way and just disable the sandbox for that ebuild.

You should also look in google and bugs.gentoo.org if you haven't already. Maybe someone did the job for you.
movrev
Tux's lil' helper

Joined: 07 Mar 2004
Posts: 114
Location: Berkeley, CA - USA

Posted: Sun Nov 11, 2007 10:57 pm

Disabling the sandbox enables me to install the package, logically.

I'm actually helping solve this bug in order to get fme (a graphical menu editor for fluxbox) in portage eventually. I'm not a gentoo devel, but I guess improving the ebuild will eventually raise attention to the program and it gets approved.

I'm currently modifying the ebuild and testing it in a portage overlay. If I get the sandbox issue solved, I'll post to the bug and cross my fingers ;).
_________________
Shuttle SN25P - FN25 mobo nForce 4 - AMD Athlon 64 3500+ - nVidia GeForce 6800 - Maxtor 200Gb - 2x1024 Mb Corsair XMS RAM
Thymus
n00b

Joined: 03 Apr 2005
Posts: 44
Location: Belgium

Posted: Mon Nov 12, 2007 8:24 pm

Hello

I'm the developer of FME.
I don't know how to fix this bug.
I'm using autotools, so I didn't ask to directly write to root fs from sandbox...

How should I do to correct that ?

I'm searching on the net, but...

Thanks for your help !

EDIT :
Solved :
make DESTDIR=${D} install works fine :]
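Added example (not part of any post in this thread, and not Portage's own code): a small POSIX shell helper that reads the ACCESS VIOLATION SUMMARY discussed above and, for each denied write, shows where the file would land once the install step honours DESTDIR, which is the fix the thread arrives at with make DESTDIR=${D} install. The function names are hypothetical, the log text is constructed from the messages quoted in the thread, and the image/ subdirectory of the build directory as the value of ${D} is an assumption.

```sh
#!/bin/sh
# Added example, not code from the thread. Log text is constructed from the
# sandbox messages quoted above; function names are hypothetical.

TAB=$(printf '\t')

sample_log() {
cat <<'EOF'
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-x11-misc_-_fme-1.0.0-7155.log"

open_wr:   /usr/share/locale/fr/LC_MESSAGES/fme.mo
open_wr:   /usr/bin/fme
--------------------------------------------------------------------------------
EOF
}

# violations: read a sandbox log on stdin, print "operation<TAB>path" for
# every denied access listed between the summary header and the closing rule.
violations() {
    awk '
        /ACCESS VIOLATION SUMMARY/ { in_summary = 1; next }
        in_summary && /^-+$/       { in_summary = 0 }
        in_summary && /^[a-z_0-9]+:[ \t]+\// {
            op = $1; sub(/:$/, "", op)
            path = $0; sub(/^[^:]+:[ \t]+/, "", path)
            printf "%s\t%s\n", op, path
        }'
}

# staged_path IMAGE PATH: where PATH lands once the install step honours
# DESTDIR, i.e. the absolute path re-rooted under the image directory ${D}.
staged_path() {
    printf '%s/%s\n' "${1%/}" "${2#/}"
}

# report BUILDDIR IMAGE: classify each denied access from the log on stdin.
#   escaped      - target is on the live filesystem, outside the build tree;
#                  the usual cause is an install step run without DESTDIR
#   inside-build - target is under the build tree, so it is not an
#                  escaped install and needs a different diagnosis
report() {
    builddir=${1%/}
    image=$2
    violations | while IFS="$TAB" read -r op path; do
        case $path in
            "$builddir"/*) printf '%s\n' "inside-build $op $path" ;;
            *) printf '%s\n' "escaped $op $path -> $(staged_path "$image" "$path")" ;;
        esac
    done
}

# Build directory taken from the make output quoted in the thread; the
# image/ subdirectory as the value of ${D} is an assumption of this example.
BUILD=/var/tmp/portage/x11-misc/fme-1.0.0
sample_log | report "$BUILD" "$BUILD/image/"
```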
stegerpl
Apprentice

Joined: 25 Jun 2005
Posts: 185
Location: 48°19'30"N 14°20'18"E

Posted: Mon Nov 12, 2007 9:11 pm

Hi,

as promised my report => I could emerge xorg-x11 as well as xfce4 without any further problems...

It seems that my problem was really somehow related to the combination of glibc and sandbox as described above but I can not limit it down in more detail.

Anyway thanks for infos and help...

Peter
_________________
[1]... AMD Phenon X4-9950 on asus M3N78-EM with 4 GB of RAM - gentoo 10.1 - kernel 2.6.32 - kde 4.3.4
[2]... AMD Athlon XP 2500+ mobile on ASUS A7N8X with 512 kB RAM and 2xTT S-2300 - vdr-1.6.0 based on gentoo-2008.0