Disable network during build
In order to detect issues such as #25619 (moved) where some component is downloading files during its build, we should disable network in the container during the build step.
Activity
Yesterday dcf said on IRC:
< dcf1> boklm: I wonder if the obfs4 build is downloading dependencies dynamically at build time. < dcf1> Because the goxnet project uses a commit from 2015, which is too old to have the x/net/http2 package that obfs4proxy uses. < dcf1> I noticed this because I just tried building a version of meek that has the same dependency, and it failed. < dcf1> So I'm not sure where obfs4 is getting its golang.org/x/net/http2 from.I am increasing the priority of this ticket as it looks like not a lot of work, and should allow to detect such issues.
To do that I think we can add an empty network namespace to
projects/common/runc-config.json: https://github.com/opencontainers/runtime-spec/blob/master/config-linux.md#namespacesTrac:
Cc: N/A to dcf
Priority: Medium to High
Keywords: N/A deleted, TorBrowserTeam201901 added
Replying to boklm:
Yesterday dcf said on IRC: {{{ < dcf1> boklm: I wonder if the obfs4 build is downloading dependencies dynamically at build time. < dcf1> Because the goxnet project uses a commit from 2015, which is too old to have the x/net/http2 package that obfs4proxy uses. < dcf1> I noticed this because I just tried building a version of meek that has the same dependency, and it failed. < dcf1> So I'm not sure where obfs4 is getting its golang.org/x/net/http2 from. }}}
See: #29193 (moved). We suddenly need that package (our nightly builds fail hard now). That might be due to #29178 (moved) and might give some clues about the issue dcf had/has.
-
< dcf1> Because the goxnet project uses a commit from 2015, which is too old to have the x/net/http2 package that obfs4proxy uses.
Actually we were using a commit from 2015 in the alpha builds, but master in the nightly builds, which is why it was working. With #29178 (moved) we switched back to the commit from 2015 in the nightly builds, which caused the build to fail.
So it seems there is no dynamic downloading of dependencies. However it would still be good to prevent network access during the build to make sure it's the case.
-
There is a patch for review in branch
bug_25623_v2: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25623_v2&id=5fd7c6cfb8bd6e54e774909d8061de3075485117I have been able to do a
testbuildusing this patch without error.As a test, if I add this line in the torbutton build:
diff --git a/projects/torbutton/build b/projects/torbutton/build index 38136c4..20540b7 100644 --- a/projects/torbutton/build +++ b/projects/torbutton/build @@ -3,6 +3,7 @@ tar xvf [% project %]-[% c('version') %].tar.gz cd [% project %]-[% c('version') %] mkdir -p pkg +wget http://95.216.163.36/ ./makexpi.sh mkdir pkg/tmp cd pkg/tmpThen the build of torbutton now fails with the error:
--2019-03-14 11:25:14-- http://95.216.163.36/ Connecting to 95.216.163.36:80... failed: Network is unreachable.Trac:
Status: new to needs_review
Keywords: TorBrowserTeam201903 deleted, TorBrowserTeam201903R added -
Thanks, the build breaks hard now as well if we don't have all the artifacts for the Android build (which is good!). However, we need to adapt our instructions in
projects/common/how-to-create-gradle-dependencies-list.txtas those are broken with the proposed patch.Trac:
Status: needs_review to needs_revision
Keywords: TorBrowserTeam201903R deleted, TorBrowserTeam201903 added -
In branch
bug_25623_v4I updated the instructions inhow-to-create-gradle-dependencies-list.txtto mention how to enable network access during build: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25623_v4&id=56ba67b3b6345fc70d42567d03b0ff841fe38d3eTrac:
Status: needs_revision to needs_review
Keywords: TorBrowserTeam201903 deleted, TorBrowserTeam201903R added mentioned in issue #27977 (moved)
mentioned in issue #31293 (moved)