Preserve paths under hermetic /tmp in the sandbox#22001
Closed
fmeum wants to merge 32 commits intobazelbuild:masterfrom
Closed
Preserve paths under hermetic /tmp in the sandbox#22001fmeum wants to merge 32 commits intobazelbuild:masterfrom
/tmp in the sandbox#22001fmeum wants to merge 32 commits intobazelbuild:masterfrom
Conversation
/tmp/ implementation with overlayfs/tmp implementation with overlayfs
e5dbc28 to
aec09a2
Compare
4945777 to
21fcad5
Compare
/tmp implementation with overlayfs/tmp in the sandbox
3a641ff to
9055f00
Compare
Collaborator
Author
|
@bazel-io fork 7.2.0 |
fmeum
commented
May 8, 2024
| bazel build //pkg:a &>$TEST_log || fail "expected build to succeed" | ||
| } | ||
|
|
||
| # Sets up targets under //test that, when building //test:all, verify that the |
Collaborator
Author
There was a problem hiding this comment.
I introduced this check instead of checking for whether /tmp is shared with the host directly. We don't care so much about the latter, so I felt that encoding it in tests would make them more brittle as we explore alternative options.
Contributor
|
Thanks a lot for the PR Fabian. #22226 was broken because of hermetic tmp. The error used to be: Now the error is: Do you think this is fixable in this PR? |
Collaborator
Author
|
I extended an existing integration test to cover what I think is the root cause of the issue you linked: Neither the logic on `master` nor the current PR track external roots that only arise as targets of resolved symlink artifacts.
We probably need similar logic to that in fb6658c to handle this. That commit by itself doesn't suffice since it only covers source roots on the package path.
|
5204156 to
9ebdcc2
Compare
Collaborator
Author
|
Tests are passing 🎉 |
oquenchil
approved these changes
May 15, 2024
Contributor
oquenchil
left a comment
There was a problem hiding this comment.
Amazing contribution Fabian. A lot of bug fixes with simpler code than before 🥳
LGTM
Contributor
|
This is amazing work, Fabian! Thank you. |
Collaborator
Author
|
Just noticed that the PR description was out of date, I updated it. |
fmeum
added a commit
to fmeum/bazel
that referenced
this pull request
May 16, 2024
The bind mounting scheme used with the Linux sandbox' hermetic `/tmp` feature is modified to preserve all paths as they are outside the sandbox, which removes the need to rewrite paths when staging inputs into and, crucially, moving outputs out of the sandbox. Source roots and output base paths under `/tmp` are now treated just like any user-specified bind mount under `/tmp`: They are mounted under the hermetic tmp directory with their path relativized against `/tmp` before the hermetic tmp directory is mounted as `/tmp` as the final step. There is one caveat compared to user-specified mounts: Source roots, which may themselves not lie under `/tmp`, can be symlinks to directories under `/tmp` (e.g., when they arise from a `local_repository`). To handle this situation in the common case, all parent directories of package path entries (up to direct children of `/tmp`) are mounted into the sandbox. If users use `local_repository`s with fixed target paths under `/tmp`, they will need to specify `--sandbox_add_mount_pair`. Overlayfs has been considered as an alternative to this approach, but ultimately doesn't seem to work for this use case since its `lowerpath`, which would be `/tmp`, is not allowed to have child mounts from a different user namespace (see https://unix.stackexchange.com/questions/776030/mounting-overlayfs-in-a-user-namespace-with-child-mounts). However, this is exactly the situation created by a Bazel-in-Bazel test and can also arise if the user has existing mounts under `/tmp` when using Bazel (e.g. the JetBrains toolbox on Linux uses such mounts). This replaces and mostly reverts the following commits, but keeps their tests: * bazelbuild@bf6ebe9 * bazelbuild@fb6658c * bazelbuild@bc1d9d3 * bazelbuild@1829883 * bazelbuild@70691f2 * bazelbuild@a556969 * bazelbuild@8e32f44 (had its test lost in an incorrect merge conflict resolution, this PR adds it back) Fixes bazelbuild#20533 Work towards bazelbuild#20753 Fixes bazelbuild#21215 Fixes bazelbuild#22117 Fixes bazelbuild#22226 Fixes bazelbuild#22290 RELNOTES: Paths in the Linux sandbox are now again identical to those outside the sandbox, even with `--incompatible_sandbox_hermetic_tmp`. Closes bazelbuild#22001. PiperOrigin-RevId: 634381503 Change-Id: I9f7f3948c705be120c55c9b0c51204e5bea45f61
github-merge-queue bot
pushed a commit
that referenced
this pull request
May 16, 2024
The bind mounting scheme used with the Linux sandbox' hermetic `/tmp` feature is modified to preserve all paths as they are outside the sandbox, which removes the need to rewrite paths when staging inputs into and, crucially, moving outputs out of the sandbox. Source roots and output base paths under `/tmp` are now treated just like any user-specified bind mount under `/tmp`: They are mounted under the hermetic tmp directory with their path relativized against `/tmp` before the hermetic tmp directory is mounted as `/tmp` as the final step. There is one caveat compared to user-specified mounts: Source roots, which may themselves not lie under `/tmp`, can be symlinks to directories under `/tmp` (e.g., when they arise from a `local_repository`). To handle this situation in the common case, all parent directories of package path entries (up to direct children of `/tmp`) are mounted into the sandbox. If users use `local_repository`s with fixed target paths under `/tmp`, they will need to specify `--sandbox_add_mount_pair`. Overlayfs has been considered as an alternative to this approach, but ultimately doesn't seem to work for this use case since its `lowerpath`, which would be `/tmp`, is not allowed to have child mounts from a different user namespace (see https://unix.stackexchange.com/questions/776030/mounting-overlayfs-in-a-user-namespace-with-child-mounts). However, this is exactly the situation created by a Bazel-in-Bazel test and can also arise if the user has existing mounts under `/tmp` when using Bazel (e.g. the JetBrains toolbox on Linux uses such mounts). This replaces and mostly reverts the following commits, but keeps their tests: * bf6ebe9 * fb6658c * bc1d9d3 * 1829883 * 70691f2 * a556969 * 8e32f44 (had its test lost in an incorrect merge conflict resolution, this PR adds it back) Fixes #20533 Work towards #20753 Fixes #21215 Fixes #22117 Fixes #22226 Fixes #22290 RELNOTES: Paths in the Linux sandbox are now again identical to those outside the sandbox, even with `--incompatible_sandbox_hermetic_tmp`. Closes #22001. PiperOrigin-RevId: 634381503 Change-Id: I9f7f3948c705be120c55c9b0c51204e5bea45f61 Fixes #22291
rickystewart
added a commit
to rickystewart/cockroach
that referenced
this pull request
Aug 2, 2024
This was apparently broken with the Bazel 7 upgrade and bazelbuild/bazel#22001 specifically. If `--test_tmpdir` is set to some directory under `/tmp`, we need to add `/tmp` as a mount pair as well. This cannot be done in remote mode so `doctor` needs to be aware of this. Closes: cockroachdb#128204 Epic: None Release note: None Release justification: Build-only code changes
craig bot
pushed a commit
to cockroachdb/cockroach
that referenced
this pull request
Aug 2, 2024
128207: dev: in `doctor`, add `--sandbox_add_mount_pair` if relevant r=rail a=rickystewart This was apparently broken with the Bazel 7 upgrade and bazelbuild/bazel#22001 specifically. If `--test_tmpdir` is set to some directory under `/tmp`, we need to add `/tmp` as a mount pair as well. This cannot be done in remote mode so `doctor` needs to be aware of this. Closes: #128204 Epic: None Release note: None Release justification: Build-only code changes 128211: dev: refactor prompts for autofix permission r=rail a=rickystewart This code is duplicated in many places, so this refactor saves us some LOC. Epic: none Release note: None Release justification: Build-only code changes Co-authored-by: Ricky Stewart <ricky@cockroachlabs.com>
blathers-crl bot
pushed a commit
to cockroachdb/cockroach
that referenced
this pull request
Aug 2, 2024
This was apparently broken with the Bazel 7 upgrade and bazelbuild/bazel#22001 specifically. If `--test_tmpdir` is set to some directory under `/tmp`, we need to add `/tmp` as a mount pair as well. This cannot be done in remote mode so `doctor` needs to be aware of this. Closes: #128204 Epic: None Release note: None Release justification: Build-only code changes
blathers-crl bot
pushed a commit
to cockroachdb/cockroach
that referenced
this pull request
Aug 2, 2024
This was apparently broken with the Bazel 7 upgrade and bazelbuild/bazel#22001 specifically. If `--test_tmpdir` is set to some directory under `/tmp`, we need to add `/tmp` as a mount pair as well. This cannot be done in remote mode so `doctor` needs to be aware of this. Closes: #128204 Epic: None Release note: None Release justification: Build-only code changes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The bind mounting scheme used with the Linux sandbox' hermetic
/tmpfeature is modified to preserve all paths as they are outside the sandbox, which removes the need to rewrite paths when staging inputs into and, crucially, moving outputs out of the sandbox.Source roots and output base paths under
/tmpare now treated just like any user-specified bind mount under/tmp: They are mounted under the hermetic tmp directory with their path relativized against/tmpbefore the hermetic tmp directory is mounted as/tmpas the final step.There is one caveat compared to user-specified mounts: Source roots, which may themselves not lie under
/tmp, can be symlinks to directories under/tmp(e.g., when they arise from alocal_repository). To handle this situation in the common case, all parent directories of package path entries (up to direct children of/tmp) are mounted into the sandbox. If users uselocal_repositorys with fixed target paths under/tmp, they will need to specify--sandbox_add_mount_pair.Overlayfs has been considered as an alternative to this approach, but ultimately doesn't seem to work for this use case since its
lowerpath, which would be/tmp, is not allowed to have child mounts from a different user namespace (see https://unix.stackexchange.com/questions/776030/mounting-overlayfs-in-a-user-namespace-with-child-mounts). However, this is exactly the situation created by a Bazel-in-Bazel test and can also arise if the user has existing mounts under/tmpwhen using Bazel (e.g. the JetBrains toolbox on Linux uses such mounts).This replaces and mostly reverts the following commits, but keeps their tests:
Fixes #20533
Work towards #20753
Fixes #21215
Fixes #22117
Fixes #22226
Fixes #22290
RELNOTES: Paths in the Linux sandbox are now again identical to those outside the sandbox, even with
--incompatible_sandbox_hermetic_tmp.