Opened 21 months ago

Closed 9 months ago

#25623 closed task (fixed)

Disable network during build

Reported by: boklm
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-rbm, TorBrowserTeam201903R
Cc: dcf
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

In order to detect issues such as #25619 where some component is downloading files during its build, we should disable network in the container during the build step.

Child Tickets

Change History (10)

comment:1 Changed 11 months ago by boklm

Cc: dcf added
Keywords: TorBrowserTeam201901 added
Priority: Medium → High

Yesterday dcf said on IRC:

< dcf1> boklm: I wonder if the obfs4 build is downloading dependencies dynamically at build time.
< dcf1> Because the goxnet project uses a commit from 2015, which is too old to have the x/net/http2 package that obfs4proxy uses.
< dcf1> I noticed this because I just tried building a version of meek that has the same dependency, and it failed.
< dcf1> So I'm not sure where obfs4 is getting its golang.org/x/net/http2 from.

I am increasing the priority of this ticket as it looks like not a lot of work, and should allow us to detect such issues.

To do that I think we can add an empty network namespace to projects/common/runc-config.json:
https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#namespaces

comment:2 Changed 11 months ago by gk

Yes, please! We could probably check with the issue dcf found whether the fix is working.

comment:3 in reply to: 1; Changed 11 months ago by gk

Replying to boklm:

Yesterday dcf said on IRC:

< dcf1> boklm: I wonder if the obfs4 build is downloading dependencies dynamically at build time.
< dcf1> Because the goxnet project uses a commit from 2015, which is too old to have the x/net/http2 package that obfs4proxy uses.
< dcf1> I noticed this because I just tried building a version of meek that has the same dependency, and it failed.
< dcf1> So I'm not sure where obfs4 is getting its golang.org/x/net/http2 from.

See: #29193. We suddenly need that package (our nightly builds fail hard now). That might be due to #29178 and might give some clues about the issue dcf had/has.

comment:4 in reply to: 3; Changed 11 months ago by boklm

< dcf1> Because the goxnet project uses a commit from 2015, which is too old to have the x/net/http2 package that obfs4proxy uses.

Actually we were using a commit from 2015 in the alpha builds, but master in the nightly builds, which is why it was working. With #29178 we switched back to the commit from 2015 in the nightly builds, which caused the build to fail.

So it seems there is no dynamic downloading of dependencies. However it would still be good to prevent network access during the build to make sure it's the case.

comment:5 Changed 10 months ago by gk

Keywords: TorBrowserTeam201902 added; TorBrowserTeam201901 removed

Moving tickets to February.

comment:6 Changed 9 months ago by gk

Keywords: TorBrowserTeam201903 added; TorBrowserTeam201902 removed

Moving remaining tickets to March.

comment:7 Changed 9 months ago by boklm

Keywords: TorBrowserTeam201903R added; TorBrowserTeam201903 removed
Status: new → needs_review

There is a patch for review in branch bug_25623_v2:
https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25623_v2&id=5fd7c6cfb8bd6e54e774909d8061de3075485117

I have been able to do a test build using this patch without error.

As a test, if I add this line in the torbutton build:

diff --git a/projects/torbutton/build b/projects/torbutton/build
index 38136c4..20540b7 100644
--- a/projects/torbutton/build
+++ b/projects/torbutton/build
@@ -3,6 +3,7 @@
 tar xvf [% project %]-[% c('version') %].tar.gz
 cd [% project %]-[% c('version') %]
 mkdir -p pkg
+wget http://95.216.163.36/
 ./makexpi.sh
 mkdir pkg/tmp
 cd pkg/tmp
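Review bot: The wget probe on the `+` line is a throw-away test and must not land in projects/torbutton/build; the final patch should carry only the runc config change. As written the probe has no `--tries` or `--timeout`, so it fails fast only because the kernel answers "Network is unreachable" immediately for an empty network namespace; in an environment that silently drops packets the same line would stall the build through wget's default retry cycle instead of failing. If a permanent self-check is wanted, a single bounded probe in the common build harness that explicitly expects failure would be more robust than ad-hoc lines in individual project scripts.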

Then the build of torbutton now fails with the error:

--2019-03-14 11:25:14--  http://95.216.163.36/
Connecting to 95.216.163.36:80... failed: Network is unreachable.

comment:8 Changed 9 months ago by gk

Keywords: TorBrowserTeam201903 added; TorBrowserTeam201903R removed
Status: needs_review → needs_revision

Thanks, the build breaks hard now as well if we don't have all the artifacts for the Android build (which is good!). However, we need to adapt our instructions in projects/common/how-to-create-gradle-dependencies-list.txt as those are broken with the proposed patch.

comment:9 Changed 9 months ago by boklm

Keywords: TorBrowserTeam201903R added; TorBrowserTeam201903 removed
Status: needs_revision → needs_review

In branch bug_25623_v4 I updated the instructions in how-to-create-gradle-dependencies-list.txt to mention how to enable network access during build:
https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25623_v4&id=56ba67b3b6345fc70d42567d03b0ff841fe38d3e
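The mechanism proposed in comment:1 (an empty network namespace in the runc config) and the reverse step documented in comment:9 (re-enabling network for the one-off gradle dependencies step), as an added example that is not code from the tor-browser-build repository. The config below is a constructed sample shaped like an OCI runtime-spec config.json, not the real projects/common/runc-config.json, and the helper names are mine.

```python
import copy
import json

# Constructed sample of a runc config.json, modelled on the runtime-spec
# "namespaces" section linked from comment:1; it is NOT the real
# projects/common/runc-config.json from tor-browser-build.
SAMPLE_RUNC_CONFIG = json.loads("""
{
  "ociVersion": "1.0.0",
  "process": {"args": ["/bin/sh", "-c", "./build"], "cwd": "/"},
  "root": {"path": "rootfs"},
  "linux": {
    "namespaces": [
      {"type": "pid"},
      {"type": "mount"},
      {"type": "ipc"},
      {"type": "uts"}
    ]
  }
}
""")


def network_is_isolated(config):
    """True if the container will get a fresh, empty network namespace.

    Per the OCI runtime spec: a "network" entry without "path" makes the
    runtime create a new namespace (only an unconfigured loopback, so any
    connect() fails with "Network is unreachable"); an entry with "path"
    joins an existing namespace; no entry at all means the container
    inherits the host's network. Only the first case counts as isolated.
    """
    for ns in config.get("linux", {}).get("namespaces", []):
        if ns.get("type") == "network":
            return "path" not in ns
    return False


def set_build_network(config, enabled):
    """Return a copy of config with build-time network access on or off.

    enabled=False adds the empty network namespace (the fix from
    comment:1); enabled=True drops it again, which is what a one-off step
    such as regenerating the gradle dependencies list needs (comment:9).
    The input config is left untouched.
    """
    new = copy.deepcopy(config)
    namespaces = new.setdefault("linux", {}).setdefault("namespaces", [])
    namespaces[:] = [ns for ns in namespaces if ns.get("type") != "network"]
    if not enabled:
        namespaces.append({"type": "network"})
    return new
```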

comment:10 Changed 9 months ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks! Merged to master (commit d869dcdece30316dedbb14045d49ec3f9a71b648).
