Control: tags + confirmed upstream
Control: forwarded https://github.com/firebuild/firebuild/issues/312

Hi Russell,

Russell Coker <russ...@coker.com.au> wrote (on Fri, 10 Mar 2023,
11:02):
>
> The package I was trying to build was "refpolicy", it would be interesting to
> see if you have the same problem when building it.

Yes, I figured that out from the built files, thanks. :-)

The refpolicy package builds fine for me with firebuild in Ubuntu
22.04 and Ubuntu devel LXC containers where seccomp is not enabled.

Firebuild's interception overhead is relatively high building this
package with -j18 due to the many quick commands:

Total time with firebuild (%) in lunar-v0.2.11-16-g0ce0aa8 :
         first run second run
real      134.2151   30.64922
user      133.8906   11.90031
sys       142.2342   37.57094
user+sys  134.7790   14.63378

There is a test framework that measures firebuild's performance on
Ubuntu packages or upstream git repositories if you are interested:
https://github.com/firebuild/firebuild-infra

The crash you faced seems to be due to man-recode's seccomp() usage.
Firebuild intercepts commands by interposing libc and syscalls, and
reporting them to the firebuild supervisor process over a Unix domain
socket.
The interception thus makes the intercepted processes call functions
they are absolutely not expected to call and that can cause crashes in
enforced sandboxes.

One workaround is listing "man-recode" like "man" on the
"dont_shortcut" list in /etc/firebuild.conf.

Another option is disabling man's seccomp sandbox, like:
 firebuild env MAN_DISABLE_SECCOMP=1 dpkg-buildpackage -j18

Cheers,
Balint
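
The failure mode described above, as an added example that is not part of the original message or of firebuild: a child process enters a seccomp sandbox and is killed as soon as it makes a syscall the sandbox does not expect. It uses seccomp strict mode as a simplified stand-in for man's sandbox, and the function name run_sandboxed and the socket() call standing in for the interposer's report to the supervisor are assumptions.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <signal.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Hypothetical helper (not firebuild or man-db code).
 * Forks a child that enters SECCOMP_MODE_STRICT, where the kernel permits
 * only read, write, exit and sigreturn. With extra_call != 0 the child then
 * creates a Unix domain socket, the kind of call an interposing library
 * adds to a process that never made it on its own.
 * Returns 0 if the child exited cleanly, the terminating signal number if
 * it was killed, and -1 if the sandbox could not be set up.
 */
int run_sandboxed(int extra_call)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            _exit(2);                       /* seccomp unavailable here */
        if (extra_call)
            syscall(SYS_socket, AF_UNIX, SOCK_STREAM, 0); /* not allowed */
        /* glibc's _exit() uses exit_group, which strict mode forbids,
         * so leave through the raw exit syscall instead. */
        syscall(SYS_exit, 0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);            /* killed by the sandbox */
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}
```

In strict mode the kernel delivers SIGKILL; a filter-based sandbox can instead be configured to raise SIGSYS or return an error, but the cause is the same unexpected call.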
