Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[7.2.0] Preserve paths under hermetic /tmp in the sandbox #22291

Closed
bazel-io opened this issue May 8, 2024 · 2 comments
Closed

[7.2.0] Preserve paths under hermetic /tmp in the sandbox #22291

bazel-io opened this issue May 8, 2024 · 2 comments
Milestone
7.2.0 release blo...

Comments

@bazel-io
Copy link
Member

bazel-io commented May 8, 2024

Forked from #22001
@bazel-io bazel-io added this to the 7.2.0 release blockers milestone May 8, 2024
@bazel-io
Copy link
Member Author

Cherry-pick was attempted but there were merge conflicts in the following file(s). Please resolve manually.

src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedSpawnRunner.java
src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
src/main/java/com/google/devtools/build/lib/skyframe/ActionOutputMetadataStore.java
src/test/java/com/google/devtools/build/lib/worker/WorkerSpawnRunnerTest.java

cc: @bazelbuild/triage

@fmeum fmeum mentioned this issue May 16, 2024
Merged
github-merge-queue bot pushed a commit that referenced this issue May 16, 2024
@fmeum
[7.2.0] Preserve paths under hermetic /tmp in the sandbox (#22407)
d98b02e 
The bind mounting scheme used with the Linux sandbox' hermetic `/tmp`
feature is modified to preserve all paths as they are outside the
sandbox, which removes the need to rewrite paths when staging inputs
into and, crucially, moving outputs out of the sandbox.

Source roots and output base paths under `/tmp` are now treated just
like any user-specified bind mount under `/tmp`: They are mounted under
the hermetic tmp directory with their path relativized against `/tmp`
before the hermetic tmp directory is mounted as `/tmp` as the final
step.

There is one caveat compared to user-specified mounts: Source roots,
which may themselves not lie under `/tmp`, can be symlinks to
directories under `/tmp` (e.g., when they arise from a
`local_repository`). To handle this situation in the common case, all
parent directories of package path entries (up to direct children of
`/tmp`) are mounted into the sandbox. If users use `local_repository`s
with fixed target paths under `/tmp`, they will need to specify
`--sandbox_add_mount_pair`.

Overlayfs has been considered as an alternative to this approach, but
ultimately doesn't seem to work for this use case since its `lowerpath`,
which would be `/tmp`, is not allowed to have child mounts from a
different user namespace (see
https://unix.stackexchange.com/questions/776030/mounting-overlayfs-in-a-user-namespace-with-child-mounts).
However, this is exactly the situation created by a Bazel-in-Bazel test
and can also arise if the user has existing mounts under `/tmp` when
using Bazel (e.g. the JetBrains toolbox on Linux uses such mounts).

This replaces and mostly reverts the following commits, but keeps their
tests:
*
bf6ebe9
*
fb6658c
*
bc1d9d3
*
1829883
*
70691f2
*
a556969
*
8e32f44
(had its test lost in an incorrect merge conflict resolution, this PR
adds it back)

Fixes #20533
Work towards #20753
Fixes #21215
Fixes #22117
Fixes #22226
Fixes #22290

RELNOTES: Paths in the Linux sandbox are now again identical to those
outside the sandbox, even with `--incompatible_sandbox_hermetic_tmp`.

Closes #22001.

PiperOrigin-RevId: 634381503
Change-Id: I9f7f3948c705be120c55c9b0c51204e5bea45f61

Fixes #22291
@iancha1992
Copy link
Member

Duplicate: #21217

@iancha1992 iancha1992 closed this as not planned Won't fix, can't repro, duplicate, stale May 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
7.2.0 release blockers
Development

No branches or pull requests
2 participants
@bazel-io @iancha1992