Bazel 7: --sandbox_add_mount_pair under /tmp fails #20527
Comments
CC @lberki A simple workaround would be to just disable the hermetic diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
index 3f6e49c72c..1e9b58ae00 100644
@@ -206,17 +207,21 @@ final class LinuxSandboxedSpawnRunner extends AbstractSandboxSpawnRunner {
return false;
}
- Optional<PathFragment> tmpfsPathUnderTmp =
- getSandboxOptions().sandboxTmpfsPath.stream()
+ Optional<PathFragment> mountUnderTmp =
+ Stream.concat(
+ getSandboxOptions().sandboxTmpfsPath.stream(),
+ getSandboxOptions().sandboxAdditionalMounts.stream()
+ .map(Map.Entry::getKey)
+ .map(PathFragment::create))
.filter(path -> path.startsWith(SLASH_TMP))
.findFirst();
- if (tmpfsPathUnderTmp.isPresent()) {
+ if (mountUnderTmp.isPresent()) {
if (warnedAboutNonHermeticTmp.compareAndSet(false, true)) {
reporter.handle(
Event.warn(
String.format(
- "Falling back to non-hermetic '/tmp' in sandbox due to '%s' being a tmpfs path",
- tmpfsPathUnderTmp.get())));
+ "Falling back to non-hermetic '/tmp' in sandbox due to '%s' being a tmpfs path or mount source.",
+ mountUnderTmp.get())));
}
return false; |
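Review bot: in the new `Stream.concat(...)` the additional mounts contribute only `Map.Entry::getKey`, which the reworded warning calls the mount source, so a mount pair whose value (the target) lies under /tmp does not trigger the fallback. If targets under /tmp are also affected by the hermetic /tmp remount, add the `getValue` paths to the stream, or leave a comment explaining why checking sources alone is enough. The combined wording "being a tmpfs path or mount source" also leaves the user guessing which option caused the fallback; consider naming the flag the offending path came from.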
Title changed: --sandbox_add_mount_pair with source under /tmp fails → --sandbox_add_mount_pair under /tmp fails
Flipping source and target in my example also results in a failure, not sure why I couldn't reproduce this earlier. I have edited the issue description accordingly. |
@bazel-io flag |
@bazel-io fork 7.0.1 |
I have a fix for this one. It's a one-line fix, modulo the test. |
This makes it possible to mount directories under /tmp somewhere else. Before, /tmp was overridden by the implementation of hermetic /tmp. Fixes bazelbuild#20527. RELNOTES: None. PiperOrigin-RevId: 592247867 Change-Id: Ib5b75cd21ffe4fa4c8ee3f75d82894da6dd61f54
Sorry, too late, I already wrote my own :) (very similar to yours, though) |
Mount targets? I seem to remember discussing this with you at some point in time, and IIRC the consensus was that mount targets under |
I would say that's still entirely true, but with the flag flip, the user is no longer the one who specified both |
…20609) This makes it possible to mount directories under /tmp somewhere else. Before, /tmp was overridden by the implementation of hermetic /tmp. Fixes #20527. RELNOTES: None. Commit 3748084 PiperOrigin-RevId: 592247867 Change-Id: Ib5b75cd21ffe4fa4c8ee3f75d82894da6dd61f54 Co-authored-by: Googler <lberki@google.com>
WDYT about emitting a non-confusing error? I agree that the current situation isn't fantastic and technically speaking, allowing mount targets under I also have an ardent desire to delete the old code path so reverting back to it under certain conditions isn't my favorite thing, either. |
This is achieved by rewriting the user-specified mounts to mounts onto subdirectories of the hermetic sandbox tmp directory. Fixes bazelbuild#20527 Closes bazelbuild#20583. PiperOrigin-RevId: 595815029 Change-Id: Ibfe5f67fb8fb59131b6c82a826ed5200f2b10a94
…20749) This is achieved by rewriting the user-specified mounts to mounts onto subdirectories of the hermetic sandbox tmp directory. Fixes #20527 Closes #20583. Commit 5e68afd PiperOrigin-RevId: 595815029 Change-Id: Ibfe5f67fb8fb59131b6c82a826ed5200f2b10a94 Co-authored-by: Fabian Meumertzheim <fabian@meumertzhe.im>
@bazel-io fork 7.1.0 |
…20772) This is achieved by rewriting the user-specified mounts to mounts onto subdirectories of the hermetic sandbox tmp directory. Fixes #20527 Closes #20583. Commit 5e68afd PiperOrigin-RevId: 595815029 Change-Id: Ibfe5f67fb8fb59131b6c82a826ed5200f2b10a94 Co-authored-by: Fabian Meumertzheim <fabian@meumertzhe.im> Co-authored-by: lberki <lberki@users.noreply.github.com>
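The target rewriting described in the commit message above, sketched as an added example (not Bazel's implementation): mount targets under /tmp are redirected into the directory that backs the sandbox's private /tmp. The class name, the `rewrite` helper, the pass-through handling of sources and the `/sandbox/7/_hermetic_tmp` path are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.LinkedHashMap;
import java.util.Map;

/** Illustration only: names and sandbox layout are assumptions, not Bazel's code. */
public class HermeticTmpMounts {
  private static final Path SLASH_TMP = Paths.get("/tmp");

  /**
   * Maps each user-specified (source, target) pair to the pair that should actually
   * be bind-mounted. Targets under /tmp are moved to the matching subdirectory of
   * hermeticTmp, the directory that is later mounted over /tmp inside the sandbox,
   * so the user's mount is created inside it instead of being hidden by it.
   */
  static Map<Path, Path> rewrite(Map<String, String> userMounts, Path hermeticTmp) {
    Map<Path, Path> result = new LinkedHashMap<>();
    for (Map.Entry<String, String> e : userMounts.entrySet()) {
      // Normalize first so "/tmp/a/../../etc" is judged by where it really points.
      Path source = Paths.get(e.getKey()).normalize();
      Path target = Paths.get(e.getValue()).normalize();
      if (!source.isAbsolute() || !target.isAbsolute()) {
        throw new IllegalArgumentException("mount paths must be absolute: " + e);
      }
      // Path.startsWith compares whole components: /tmpfoo is not under /tmp.
      if (target.startsWith(SLASH_TMP)) {
        target = hermeticTmp.resolve(SLASH_TMP.relativize(target)).normalize();
      }
      // Assumption of this sketch: sources are host paths and stay unchanged.
      result.put(source, target);
    }
    return result;
  }

  public static void main(String[] args) {
    // Constructed sample mount pairs (source -> target).
    Map<String, String> mounts = new LinkedHashMap<>();
    mounts.put("/etc/ssl", "/tmp/certs");        // target under /tmp: rewritten
    mounts.put("/tmp/cache", "/opt/cache");      // only the source is under /tmp
    mounts.put("/srv/data", "/tmpfoo/data");     // shares a string prefix only
    mounts.put("/srv/x", "/tmp/a/../../etc");    // normalizes to /etc
    Path hermeticTmp = Paths.get("/sandbox/7/_hermetic_tmp"); // hypothetical path
    rewrite(mounts, hermeticTmp).forEach((s, t) -> System.out.println(s + " -> " + t));
  }
}
```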
A fix for this issue has been included in Bazel 7.0.1 RC2. Please test out the release candidate and report any issues as soon as possible. Thanks! |
Non-hermetic /tmp disabled until we're on bazel 7.0.1 bazelbuild/bazel#20527 ## Test plan `bazel build //:gazelle-buf`
Description of the bug:
With Bazel 7, but neither Bazel 6.4.0 nor --noincompatible_sandbox_hermetic_tmp, builds with --sandbox_add_mount_pair referencing a path under /tmp fail since /tmp has been remounted before the manually specified mount pair is applied.
Which category does this issue belong to?
Local Execution
What's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.
Then:
Which operating system are you running Bazel on?
Linux
What is the output of bazel info release?
7.0.0
If bazel info release returns development version or (@non-git), tell us how you built Bazel.
No response
What's the output of git remote get-url origin; git rev-parse master; git rev-parse HEAD?
No response
Is this a regression? If yes, please try to identify the Bazel commit where the bug was introduced.
No response
Have you found anything relevant by searching the web?
No response
Any other information, logs, or outputs that you want to share?
No response