I've been messing around with namespaces and some of what systemd has been doing with them, and I have an idea for a portage feature.

But before doing a brain dump of ideas, how useful would it be to have a FEATURE for portage to do a limited-visibility build? That is, the build would be run in an environment where the root filesystem appears to contain everything in a DEPEND (including @system currently) and nothing else?

It might be useful both in development/testing, and also in production use (not sure how performance would work in the real world - I was able in a script to get it to build an environment in a few seconds for a few packages). A really crazy idea would be to try to run packages in a similar environment, but I think that needs better kernel/etc level support since the performance hit would be much more noticeable, except for things like daemons that only start once.

Implementing it wouldn't necessarily be hard - just create a tmpfs under /var/tmp/portage, unshare off a new mount namespace, and read-only bind-mount everything needed from the root filesystem (including /var/tmp/portage/...), and chroot into it. When the build is done the process governing it terminates and the kernel wipes out all the mounts and then portage unmounts the tmpfs. You wouldn't need to use a tmpfs for the build - it would actually be zero-size as reported by df since it just contains a bazillion bind mounts, though all those mounts would consume slab memory.

Thoughts?

Rich
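As an added example (not part of Rich's post and not portage code), here is the procedure he describes as a POSIX shell sketch: a tmpfs build root, a fresh mount namespace, read-only bind mounts of only the paths the DEPEND packages own, and a chroot whose mounts vanish when the namespace does. The function names (`plan_mounts`, `bind_ro`, `run_limited_build`) are hypothetical, and `SAMPLE_CONTENTS` is constructed stand-in data; a real implementation would read the `obj`/`dir`/`sym` entries from `/var/db/pkg/*/*/CONTENTS` instead.

```shell
#!/bin/sh
# Added example: limited-visibility build environment sketch (not portage code).
# plan_mounts is pure and works on constructed sample data; run_limited_build is
# the privileged part and needs root, util-linux unshare/mount, and chroot.

# Constructed sample data: "category/package  path-it-owns", one entry per line.
# Stand-in for the CONTENTS file of each installed package.
SAMPLE_CONTENTS='sys-libs/zlib /usr/lib64/libz.so.1
sys-libs/zlib /usr/include/zlib.h
dev-libs/openssl /usr/lib64/libssl.so.3
dev-libs/openssl /usr/include/openssl
sys-apps/baselayout /bin
sys-apps/baselayout /usr/bin'

# plan_mounts PKG...: print the host paths owned by the named packages, each
# once, sorted. These are the only paths the build will be able to see.
plan_mounts() {
    for pkg in "$@"; do
        printf '%s\n' "$SAMPLE_CONTENTS" | awk -v p="$pkg" '$1 == p { print $2 }'
    done | sort -u
}

# bind_ro SRC DST: read-only bind mount of one host path into the build root.
# A file needs an existing file as mount target, a directory an existing dir.
bind_ro() {
    src=$1 dst=$2
    if [ -d "$src" ]; then
        mkdir -p "$dst"
    else
        mkdir -p "$(dirname "$dst")" && : > "$dst"
    fi
    mount --bind "$src" "$dst" && mount -o remount,bind,ro "$dst"
}

# run_limited_build ROOT CMD PKG...: inside an already-unshared mount namespace,
# put a tmpfs at ROOT, bind only the paths plan_mounts reports into it, add a
# work directory for the build itself, and chroot in to run CMD. Every mount
# made here (tmpfs included) is discarded by the kernel when the namespace's
# last process exits, so no explicit cleanup is needed.
run_limited_build() {
    root=$1 cmd=$2; shift 2
    [ "$(id -u)" -eq 0 ] || { echo "needs root" >&2; return 1; }
    # Refuse to run in the host's mount namespace: the caller must wrap this in
    # `unshare -m`, otherwise the binds would land in the host's view of /.
    if [ "$(readlink /proc/self/ns/mnt)" = "$(readlink /proc/1/ns/mnt)" ]; then
        echo "run this under: unshare -m sh" >&2; return 1
    fi
    mount --make-rprivate /                 # no propagation back to the host
    mkdir -p "$root"
    mount -t tmpfs -o nosuid,nodev tmpfs "$root" || return 1
    mkdir -p "$root/work"                   # the package's own build directory
    plan_mounts "$@" | while read -r path; do
        [ -e "$path" ] || continue          # sample entries may not exist here
        bind_ro "$path" "$root$path"
    done
    mkdir -p "$root/proc" && mount -t proc proc "$root/proc"
    chroot "$root" /bin/sh -c "$cmd"
}
```

Invoke the privileged part as `unshare -m sh -c '. ./limited_build.sh; run_limited_build /var/tmp/portage/limited "ls /usr" sys-apps/baselayout sys-libs/zlib'` (as root). With real CONTENTS data the @system set supplies the shell, loader and libc that the chroot needs; with the constructed sample above the chroot will only populate the listed paths that happen to exist on the host. The `remount,bind,ro` step is what prevents the build from writing to the host's files through the bind, and the namespace check is the guard that keeps a mistaken invocation from scattering bind mounts over the host's root filesystem.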
But before doing a brain dump of ideas, how useful would it be to have a FEATURE for portage to do a limited-visibility build? That is, the build would be run in an environment where the root filesystem appears to contain everything in a DEPEND (including @system currently) and nothing else? It might be useful both in development/testing, and also in production use (not sure how performance would work in the real world - I was able in a script to get it to build an enviornment in a few seconds for a few packages). I really crazy idea would be to try to run packages in a similar environment, but I think that needs better kernel/etc level support since the performance hit would be much more noticeable, except for things like daemons that only start once. Implementing it wouldn't necessarily be hard - just create a tmpfs under /var/tmp/portage, unshare off a new mount namespace, and read-only bind-mount everything needed from the root filesystem (including /var/tmp/portage/...), and chroot into it. When the build is done the process governing it terminates and the kernel wipes out all the mounts and then portage unmounts the tmpfs. You wouldn't need to use a tmpfs for the build - it would actually be zero-size as reported by df since it just contains a bazillion bind mounts, though all those mounts would consume slab memory. Thoughts? Rich