-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Preserve paths under hermetic /tmp
in the sandbox
#22001
Conversation
/tmp/
implementation with overlayfs/tmp
implementation with overlayfs
e5dbc28
to
aec09a2
Compare
4945777
to
21fcad5
Compare
/tmp
implementation with overlayfs/tmp
in the sandbox
3a641ff
to
9055f00
Compare
@bazel-io fork 7.2.0 |
@@ -309,6 +317,68 @@ EOF | |||
bazel build //pkg:a &>$TEST_log || fail "expected build to succeed" | |||
} | |||
|
|||
# Sets up targets under //test that, when building //test:all, verify that the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I introduced this check instead of checking for whether /tmp
is shared with the host directly. We don't care so much about the latter, so I felt that encoding it in tests would make them more brittle as we explore alternative options.
Thanks a lot for the PR Fabian. #22226 was broken because of hermetic tmp. The error used to be:
Now the error is:
Do you think this is fixable in this PR? |
I extended an existing integration test to cover what I think is the root cause of the issue you linked: Neither the logic on `master` nor the current PR track external roots that only arise as targets of resolved symlink artifacts.
We probably need similar logic to that in fb6658c to handle this. That commit by itself doesn't suffice since it only covers source roots on the package path.
|
5204156
to
9ebdcc2
Compare
Tests are passing 🎉 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Amazing contribution Fabian. A lot of bug fixes with simpler code than before 🥳
LGTM
This is amazing work, Fabian! Thank you. |
Just noticed that the PR description was out of date, I updated it. |
The bind mounting scheme used with the Linux sandbox' hermetic `/tmp` feature is modified to preserve all paths as they are outside the sandbox, which removes the need to rewrite paths when staging inputs into and, crucially, moving outputs out of the sandbox. Source roots and output base paths under `/tmp` are now treated just like any user-specified bind mount under `/tmp`: They are mounted under the hermetic tmp directory with their path relativized against `/tmp` before the hermetic tmp directory is mounted as `/tmp` as the final step. There is one caveat compared to user-specified mounts: Source roots, which may themselves not lie under `/tmp`, can be symlinks to directories under `/tmp` (e.g., when they arise from a `local_repository`). To handle this situation in the common case, all parent directories of package path entries (up to direct children of `/tmp`) are mounted into the sandbox. If users use `local_repository`s with fixed target paths under `/tmp`, they will need to specify `--sandbox_add_mount_pair`. Overlayfs has been considered as an alternative to this approach, but ultimately doesn't seem to work for this use case since its `lowerpath`, which would be `/tmp`, is not allowed to have child mounts from a different user namespace (see https://unix.stackexchange.com/questions/776030/mounting-overlayfs-in-a-user-namespace-with-child-mounts). However, this is exactly the situation created by a Bazel-in-Bazel test and can also arise if the user has existing mounts under `/tmp` when using Bazel (e.g. the JetBrains toolbox on Linux uses such mounts). This replaces and mostly reverts the following commits, but keeps their tests: * bazelbuild@bf6ebe9 * bazelbuild@fb6658c * bazelbuild@bc1d9d3 * bazelbuild@1829883 * bazelbuild@70691f2 * bazelbuild@a556969 * bazelbuild@8e32f44 (had its test lost in an incorrect merge conflict resolution, this PR adds it back) Fixes bazelbuild#20533 Work towards bazelbuild#20753 Fixes bazelbuild#21215 Fixes bazelbuild#22117 Fixes bazelbuild#22226 Fixes bazelbuild#22290 RELNOTES: Paths in the Linux sandbox are now again identical to those outside the sandbox, even with `--incompatible_sandbox_hermetic_tmp`. Closes bazelbuild#22001. PiperOrigin-RevId: 634381503 Change-Id: I9f7f3948c705be120c55c9b0c51204e5bea45f61
The bind mounting scheme used with the Linux sandbox' hermetic `/tmp` feature is modified to preserve all paths as they are outside the sandbox, which removes the need to rewrite paths when staging inputs into and, crucially, moving outputs out of the sandbox. Source roots and output base paths under `/tmp` are now treated just like any user-specified bind mount under `/tmp`: They are mounted under the hermetic tmp directory with their path relativized against `/tmp` before the hermetic tmp directory is mounted as `/tmp` as the final step. There is one caveat compared to user-specified mounts: Source roots, which may themselves not lie under `/tmp`, can be symlinks to directories under `/tmp` (e.g., when they arise from a `local_repository`). To handle this situation in the common case, all parent directories of package path entries (up to direct children of `/tmp`) are mounted into the sandbox. If users use `local_repository`s with fixed target paths under `/tmp`, they will need to specify `--sandbox_add_mount_pair`. Overlayfs has been considered as an alternative to this approach, but ultimately doesn't seem to work for this use case since its `lowerpath`, which would be `/tmp`, is not allowed to have child mounts from a different user namespace (see https://unix.stackexchange.com/questions/776030/mounting-overlayfs-in-a-user-namespace-with-child-mounts). However, this is exactly the situation created by a Bazel-in-Bazel test and can also arise if the user has existing mounts under `/tmp` when using Bazel (e.g. the JetBrains toolbox on Linux uses such mounts). This replaces and mostly reverts the following commits, but keeps their tests: * bf6ebe9 * fb6658c * bc1d9d3 * 1829883 * 70691f2 * a556969 * 8e32f44 (had its test lost in an incorrect merge conflict resolution, this PR adds it back) Fixes #20533 Work towards #20753 Fixes #21215 Fixes #22117 Fixes #22226 Fixes #22290 RELNOTES: Paths in the Linux sandbox are now again identical to those outside the sandbox, even with `--incompatible_sandbox_hermetic_tmp`. Closes #22001. PiperOrigin-RevId: 634381503 Change-Id: I9f7f3948c705be120c55c9b0c51204e5bea45f61 Fixes #22291
This was apparently broken with the Bazel 7 upgrade and bazelbuild/bazel#22001 specifically. If `--test_tmpdir` is set to some directory under `/tmp`, we need to add `/tmp` as a mount pair as well. This cannot be done in remote mode so `doctor` needs to be aware of this. Closes: cockroachdb#128204 Epic: None Release note: None Release justification: Build-only code changes
128207: dev: in `doctor`, add `--sandbox_add_mount_pair` if relevant r=rail a=rickystewart This was apparently broken with the Bazel 7 upgrade and bazelbuild/bazel#22001 specifically. If `--test_tmpdir` is set to some directory under `/tmp`, we need to add `/tmp` as a mount pair as well. This cannot be done in remote mode so `doctor` needs to be aware of this. Closes: #128204 Epic: None Release note: None Release justification: Build-only code changes 128211: dev: refactor prompts for autofix permission r=rail a=rickystewart This code is duplicated in many places, so this refactor saves us some LOC. Epic: none Release note: None Release justification: Build-only code changes Co-authored-by: Ricky Stewart <ricky@cockroachlabs.com>
This was apparently broken with the Bazel 7 upgrade and bazelbuild/bazel#22001 specifically. If `--test_tmpdir` is set to some directory under `/tmp`, we need to add `/tmp` as a mount pair as well. This cannot be done in remote mode so `doctor` needs to be aware of this. Closes: #128204 Epic: None Release note: None Release justification: Build-only code changes
This was apparently broken with the Bazel 7 upgrade and bazelbuild/bazel#22001 specifically. If `--test_tmpdir` is set to some directory under `/tmp`, we need to add `/tmp` as a mount pair as well. This cannot be done in remote mode so `doctor` needs to be aware of this. Closes: #128204 Epic: None Release note: None Release justification: Build-only code changes
The bind mounting scheme used with the Linux sandbox' hermetic
/tmp
feature is modified to preserve all paths as they are outside the sandbox, which removes the need to rewrite paths when staging inputs into and, crucially, moving outputs out of the sandbox.Source roots and output base paths under
/tmp
are now treated just like any user-specified bind mount under/tmp
: They are mounted under the hermetic tmp directory with their path relativized against/tmp
before the hermetic tmp directory is mounted as/tmp
as the final step.There is one caveat compared to user-specified mounts: Source roots, which may themselves not lie under
/tmp
, can be symlinks to directories under/tmp
(e.g., when they arise from alocal_repository
). To handle this situation in the common case, all parent directories of package path entries (up to direct children of/tmp
) are mounted into the sandbox. If users uselocal_repository
s with fixed target paths under/tmp
, they will need to specify--sandbox_add_mount_pair
.Overlayfs has been considered as an alternative to this approach, but ultimately doesn't seem to work for this use case since its
lowerpath
, which would be/tmp
, is not allowed to have child mounts from a different user namespace (see https://unix.stackexchange.com/questions/776030/mounting-overlayfs-in-a-user-namespace-with-child-mounts). However, this is exactly the situation created by a Bazel-in-Bazel test and can also arise if the user has existing mounts under/tmp
when using Bazel (e.g. the JetBrains toolbox on Linux uses such mounts).This replaces and mostly reverts the following commits, but keeps their tests:
Fixes #20533
Work towards #20753
Fixes #21215
Fixes #22117
Fixes #22226
Fixes #22290
RELNOTES: Paths in the Linux sandbox are now again identical to those outside the sandbox, even with
--incompatible_sandbox_hermetic_tmp
.