[Exherbo-dev] Exherbo-dev Digest, Vol 47, Issue 2

Mathias Ruediger ruediger at blueboot.org
Mon Jun 6 12:36:11 BST 2011


On 06/06/11 13:00, exherbo-dev-request at lists.exherbo.org wrote:
> Today's Topics:
>
>     1. Re: sandboxing (Ciaran McCreesh)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 5 Jun 2011 19:38:50 +0100
> From: Ciaran McCreesh <ciaran.mccreesh at googlemail.com>
> To: exherbo-dev at lists.exherbo.org
> Subject: Re: [Exherbo-dev] sandboxing
> Message-ID:<20110605193850.16f4c784 at googlemail.com>
> Content-Type: text/plain; charset="us-ascii"
>
> On Sun, 05 Jun 2011 12:55:45 +0000
> Mathias Ruediger <ruediger at blueboot.org> wrote:
>> Since I upgraded my machine to a Phenom x6, I have some issues
>> regarding sydbox. It runs at 100% and can (afaik) only utilize one
>> core. Therefore it is quite a performance gap, meaning that the other
>> five cores never are fully utilized.
> That's not really very true. It's better to say that sydbox slightly
> increases the amount of time spent invoking the non-parallelisable part
> of a syscall. The question is whether this makes a large enough
> difference that it's worth taking the risk of not doing sandboxing, and
> the answer to that is almost certainly no.
>
>> As I understand, the reason is the kernel's pthread implementation
>> which has some shortcomings. As I doubt this problem will be solved
>> anytime soon, it might be a good idea to look for alternative
>> approaches.
> The approaches are LD_PRELOAD-based (which is what Sandbox did, at
> least classically), or ptrace-based. The LD_PRELOAD approach is horrible
> and doesn't really work.
>
>> Is there a list of features a sandbox has to have to be of any use?
> The big one is that it has to work reliably and consistently and
> without weird side effects.
>
Thanks for the info, Ciaran. I will do some further measurements and
take a closer look at how big sydbox's impact is. I know that
LD_PRELOAD-based sandboxes wouldn't work for us, but what do you think
of lxc's cgroup-based approach? Since we need a cgroup-capable kernel
for systemd anyway, it might be worth a try. I just don't really know
where sydbox hooks into paludis, but maybe I should ask zlin on IRC for
further information.

so long
Mathias


