From d42574d094a5f76c0197328678db9982e41b9550 Mon Sep 17 00:00:00 2001
From: James Le Cuirot
Date: Wed, 15 Apr 2026 17:18:20 +0100
Subject: [PATCH] sdk_lib: Don't disable the Portage sandboxes most of the time

We have long run with the ipc, network, and pid sandboxes disabled in the belief that these did not work in a container even if it was privileged. I suspect it really did work back then, but it certainly does work now regardless. update_sdk_container_image uses Portage in an unprivileged docker build environment, so it is still necessary to disable these here. However, this can be done more easily through the environment, and the regular sandbox should work fine.

Signed-off-by: James Le Cuirot
---
 sdk_lib/Dockerfile.sdk-import | 5 -----
 sdk_lib/Dockerfile.sdk-update | 13 ++-----------
 2 files changed, 2 insertions(+), 16 deletions(-)

diff --git a/sdk_lib/Dockerfile.sdk-import b/sdk_lib/Dockerfile.sdk-import
index 10a625a319..a8e75e5d12 100644
--- a/sdk_lib/Dockerfile.sdk-import
+++ b/sdk_lib/Dockerfile.sdk-import
@@ -17,11 +17,6 @@ RUN if ! grep -q portage /etc/passwd; then \
 echo "portage:x:250:250:portage:/var/tmp/portage:/bin/false" >>/etc/passwd; \
 fi
 
-# fix "Unable to unshare: EPERM ..." in containers
-# (see https://github.com/gentoo/gentoo-docker-images/issues/81)
-RUN echo 'export FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox"' \
- >> /etc/skel/.bashrc
-
 RUN groupadd sdk
 RUN useradd -g sdk -G portage sdk
 RUN echo "sdk ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sdk-user
diff --git a/sdk_lib/Dockerfile.sdk-update b/sdk_lib/Dockerfile.sdk-update
index a102b656cb..3ddb82d1c8 100644
--- a/sdk_lib/Dockerfile.sdk-update
+++ b/sdk_lib/Dockerfile.sdk-update
@@ -4,22 +4,13 @@ FROM ${BASE}
 COPY --chown=sdk:sdk sdk_container/ /mnt/host/source
 COPY --chown=sdk:sdk . /mnt/host/source/src/scripts
-# Disable all sandboxing for SDK updates since some core packages
-# (like GO) fail to build from a permission error otherwise.
-RUN cp /home/sdk/.bashrc /home/sdk/.bashrc.bak
-RUN echo 'export FEATURES="-sandbox -usersandbox -ipc-sandbox -network-sandbox -pid-sandbox"' \
- >> /home/sdk/.bashrc
-
 RUN chown sdk:sdk /mnt/host/source
-RUN /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr"
+RUN FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \
+ /home/sdk/sdk_entry.sh ./update_chroot --toolchain_boards="amd64-usr arm64-usr"
 RUN /home/sdk/sdk_entry.sh ./setup_board --board="arm64-usr" --regen_configs
 RUN /home/sdk/sdk_entry.sh ./setup_board --board="amd64-usr" --regen_configs
-# Restore original .bashrc to remove sandbox disablement
-RUN mv /home/sdk/.bashrc.bak /home/sdk/.bashrc
-RUN chown sdk:sdk /home/sdk/.bashrc
-
 # Clean up ephemeral key directory variables that were added during build
 RUN sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \
 -e '/export MODULES_SIGN_KEY=/d' \
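Review bot: The added `RUN FEATURES="-ipc-sandbox -network-sandbox -pid-sandbox" \` line has no comment, and this patch deletes both comments that explained the sandbox overrides, so the Dockerfile no longer records why three Portage sandboxes are off for this step. I would put above it `# docker build is unprivileged, so Portage cannot unshare namespaces here; disable only the ipc/network/pid sandboxes, and only for this command`. The previous export sat in `/home/sdk/.bashrc` while the two `setup_board` steps ran as well, whereas the new form reaches only `update_chroot` and depends on `sdk_entry.sh` (not shown in this patch) passing the build environment through, which is worth confirming if that script changes user via sudo or a login shell. With network-sandbox off, ebuild phases in this step are not isolated from the network, so keeping the override scoped to the single command rather than persisted in the image is the safer form.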