--worker_sandboxing works incorrectly #6111

@pauldraper

To be fair, with so little documentation it's hard to say conclusively what is "incorrect", but certainly --worker_sandboxing differs significantly from --spawn_strategy=sandboxed.

WORKSPACE

rule.bzl

def _example(ctx):
    script = ctx.actions.declare_file('script')
    script_content = """#!/bin/sh
    pwd
    > /home/paul/example
    """
    ctx.actions.write(script, script_content, is_executable = True)

    output = ctx.outputs.example

    args = ctx.actions.args()
    args.use_param_file("@%s", use_always = True)

    execution_requirements = {
        "supports-workers": "1",
    }
    if ctx.attr.no_sandbox:
        execution_requirements["no-sandbox"] = "1"
    ctx.actions.run(
        arguments = [args],
        executable = script,
        execution_requirements = execution_requirements,
        mnemonic = "Script",
        outputs = [output],
    )

    return DefaultInfo(files = depset([output]))

example = rule(
    attrs = {
        "no_sandbox": attr.bool(),
    },
    implementation = _example,
    outputs = {
        "example": "%{name}.txt"
    }
)

BUILD

load(":rule.bzl", "example")

config_setting(
    name = "no-sandbox",
    values = {
        "define": "example_sandbox=false"
    }
)

example(
    name = "example",
    no_sandbox = select({
        ":no-sandbox": True,
        "//conditions:default": False,
    })
)

Ubuntu 18.04. Bazel 0.16.1.

# (Note that all of these commands fail. It's only the side effects that are interesting.)

bazel build --strategy=Script=local --spawn_strategy=standalone :example
# prints /home/paul/.cache/.../execroot/__main__
# updates /home/paul/example

bazel build --strategy=Script=local --spawn_strategy=sandboxed :example
# prints /home/paul/.cache/.../sandbox/linux-sandbox/1/execroot/__main__
# does not update /home/paul/example

bazel build --define=example_sandbox=false --strategy=Script=local --spawn_strategy=sandboxed :example
# prints /home/paul/.cache/.../execroot/__main__
# updates /home/paul/example

bazel build --strategy=Script=worker --noworker_sandboxing :example
# prints /home/paul/.cache/.../execroot/__main__
# updates /home/paul/example

bazel build --strategy=Script=worker --worker_sandboxing :example
# prints /home/paul/.cache/.../bazel-workers/worker-1-Script/__main__
# updates /home/paul/example

bazel build --define=example_sandbox=false --strategy=Script=worker --worker_sandboxing :example
# prints /home/paul/.cache/.../bazel-workers/worker-1-Script/__main__
# updates /home/paul/example

So in summary

| | Local strategy | Worker strategy |
|---|---|---|
| No sandbox | free write, shared root | free write, shared root |
| Sandbox | restricted write, unique root | free write, unique root |
| Sandbox + no-sandbox | free write, shared root | free write, unique root |

Worker and non-worker strategies only have the same behavior in the "No sandbox" case. I assume the rest are bugged states?
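
A probe that automates the two observations made in the commands above (which root the action runs in, and whether it can write to a directory outside that root), as an added example that is not part of the original issue. The function names and the `RUN_PROBE` switch are hypothetical; the path patterns come from the `pwd` output quoted above.

```sh
#!/bin/sh
# Added example: report an action's isolation in the issue's own vocabulary,
# e.g. "restricted write, unique root".

# classify_root PATH -> shared | unique | unknown
# Patterns follow the pwd output quoted in the issue.
classify_root() {
    case "$1" in
        */sandbox/*/execroot/*)     echo unique ;;   # linux-sandbox execroot
        */bazel-workers/worker-*/*) echo unique ;;   # per-worker directory
        */execroot/*)               echo shared ;;   # plain execroot
        *)                          echo unknown ;;
    esac
}

# probe_write DIR -> free | restricted
# Tries to create (and then removes) a marker file in DIR. The subshell keeps
# a failed redirection from terminating the calling shell.
probe_write() {
    marker="$1/.sandbox_probe.$$"
    if ( : > "$marker" ) 2>/dev/null; then
        rm -f "$marker"
        echo free
    else
        echo restricted
    fi
}

# sandbox_report CWD OUTSIDE_DIR -> "<free|restricted> write, <root> root"
sandbox_report() {
    printf '%s write, %s root\n' "$(probe_write "$2")" "$(classify_root "$1")"
}

# When used as the action's executable, set RUN_PROBE=1 (hypothetical switch)
# to print the report for the current directory and a directory outside the
# execroot (first argument, defaulting to $HOME).
if [ "${RUN_PROBE:-}" = 1 ]; then
    sandbox_report "$(pwd)" "${1:-$HOME}"
fi
```
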

Labels: P2, stale, team-Local-Exec, type: feature request