Preserve paths under hermetic /tmp in the sandbox
#22001
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fmeum
changed the title
/tmp/ implementation with overlayfs/tmp implementation with overlayfs
fmeum
force-pushed
the
21215-revert-hermetic-tmp-impl
branch
2 times, most recently
from
e5dbc28
to
aec09a2
Compare
fmeum
force-pushed
the
21215-revert-hermetic-tmp-impl
branch
8 times, most recently
from
4945777
to
21fcad5
Compare
fmeum
changed the title
/tmp implementation with overlayfs/tmp in the sandbox
fmeum
force-pushed
the
21215-revert-hermetic-tmp-impl
branch
from
3a641ff
to
9055f00
Compare
|
@bazel-io fork 7.2.0 |
github-actions
bot
added
team-Performance
fmeum
commented
May 8, 2024
| @@ -309,6 +317,68 @@ EOF | |||
| bazel build //pkg:a &>$TEST_log || fail "expected build to succeed" | |||
| } | |||
|
|
|||
| # Sets up targets under //test that, when building //test:all, verify that the | |||
There was a problem hiding this comment.
I introduced this check instead of checking for whether /tmp is shared with the host directly. We don't care so much about the latter, so I felt that encoding it in tests would make them more brittle as we explore alternative options.
|
Thanks a lot for the PR Fabian. #22226 was broken because of hermetic tmp. The error used to be: Now the error is: Do you think this is fixable in this PR? |
|
I extended an existing integration test to cover what I think is the root cause of the issue you linked: Neither the logic on `master` nor the current PR track external roots that only arise as targets of resolved symlink artifacts.
We probably need similar logic to that in fb6658c to handle this. That commit by itself doesn't suffice since it only covers source roots on the package path.
|
fmeum
force-pushed
the
21215-revert-hermetic-tmp-impl
branch
from
5204156
to
9ebdcc2
Compare
|
Tests are passing 🎉 |
oquenchil
approved these changes
May 15, 2024
oquenchil
added
awaiting-PR-merge
|
This is amazing work, Fabian! Thank you. |
|
Just noticed that the PR description was out of date, I updated it. |
github-actions
bot
removed
the
awaiting-PR-merge
fmeum
added a commit
to fmeum/bazel
that referenced
this pull request
May 16, 2024
The bind mounting scheme used with the Linux sandbox' hermetic `/tmp` feature is modified to preserve all paths as they are outside the sandbox, which removes the need to rewrite paths when staging inputs into and, crucially, moving outputs out of the sandbox. Source roots and output base paths under `/tmp` are now treated just like any user-specified bind mount under `/tmp`: They are mounted under the hermetic tmp directory with their path relativized against `/tmp` before the hermetic tmp directory is mounted as `/tmp` as the final step. There is one caveat compared to user-specified mounts: Source roots, which may themselves not lie under `/tmp`, can be symlinks to directories under `/tmp` (e.g., when they arise from a `local_repository`). To handle this situation in the common case, all parent directories of package path entries (up to direct children of `/tmp`) are mounted into the sandbox. If users use `local_repository`s with fixed target paths under `/tmp`, they will need to specify `--sandbox_add_mount_pair`. Overlayfs has been considered as an alternative to this approach, but ultimately doesn't seem to work for this use case since its `lowerpath`, which would be `/tmp`, is not allowed to have child mounts from a different user namespace (see https://unix.stackexchange.com/questions/776030/mounting-overlayfs-in-a-user-namespace-with-child-mounts). However, this is exactly the situation created by a Bazel-in-Bazel test and can also arise if the user has existing mounts under `/tmp` when using Bazel (e.g. the JetBrains toolbox on Linux uses such mounts). This replaces and mostly reverts the following commits, but keeps their tests: * bazelbuild@bf6ebe9 * bazelbuild@fb6658c * bazelbuild@bc1d9d3 * bazelbuild@1829883 * bazelbuild@70691f2 * bazelbuild@a556969 * bazelbuild@8e32f44 (had its test lost in an incorrect merge conflict resolution, this PR adds it back) Fixes bazelbuild#20533 Work towards bazelbuild#20753 Fixes bazelbuild#21215 Fixes bazelbuild#22117 Fixes bazelbuild#22226 Fixes bazelbuild#22290 RELNOTES: Paths in the Linux sandbox are now again identical to those outside the sandbox, even with `--incompatible_sandbox_hermetic_tmp`. Closes bazelbuild#22001. PiperOrigin-RevId: 634381503 Change-Id: I9f7f3948c705be120c55c9b0c51204e5bea45f61
github-merge-queue bot
pushed a commit
that referenced
this pull request
May 16, 2024
The bind mounting scheme used with the Linux sandbox' hermetic `/tmp` feature is modified to preserve all paths as they are outside the sandbox, which removes the need to rewrite paths when staging inputs into and, crucially, moving outputs out of the sandbox. Source roots and output base paths under `/tmp` are now treated just like any user-specified bind mount under `/tmp`: They are mounted under the hermetic tmp directory with their path relativized against `/tmp` before the hermetic tmp directory is mounted as `/tmp` as the final step. There is one caveat compared to user-specified mounts: Source roots, which may themselves not lie under `/tmp`, can be symlinks to directories under `/tmp` (e.g., when they arise from a `local_repository`). To handle this situation in the common case, all parent directories of package path entries (up to direct children of `/tmp`) are mounted into the sandbox. If users use `local_repository`s with fixed target paths under `/tmp`, they will need to specify `--sandbox_add_mount_pair`. Overlayfs has been considered as an alternative to this approach, but ultimately doesn't seem to work for this use case since its `lowerpath`, which would be `/tmp`, is not allowed to have child mounts from a different user namespace (see https://unix.stackexchange.com/questions/776030/mounting-overlayfs-in-a-user-namespace-with-child-mounts). However, this is exactly the situation created by a Bazel-in-Bazel test and can also arise if the user has existing mounts under `/tmp` when using Bazel (e.g. the JetBrains toolbox on Linux uses such mounts). This replaces and mostly reverts the following commits, but keeps their tests: * bf6ebe9 * fb6658c * bc1d9d3 * 1829883 * 70691f2 * a556969 * 8e32f44 (had its test lost in an incorrect merge conflict resolution, this PR adds it back) Fixes #20533 Work towards #20753 Fixes #21215 Fixes #22117 Fixes #22226 Fixes #22290 RELNOTES: Paths in the Linux sandbox are now again identical to those outside the sandbox, even with `--incompatible_sandbox_hermetic_tmp`. Closes #22001. PiperOrigin-RevId: 634381503 Change-Id: I9f7f3948c705be120c55c9b0c51204e5bea45f61 Fixes #22291
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The bind mounting scheme used with the Linux sandbox' hermetic
/tmpfeature is modified to preserve all paths as they are outside the sandbox, which removes the need to rewrite paths when staging inputs into and, crucially, moving outputs out of the sandbox.Source roots and output base paths under
/tmpare now treated just like any user-specified bind mount under/tmp: They are mounted under the hermetic tmp directory with their path relativized against/tmpbefore the hermetic tmp directory is mounted as/tmpas the final step.There is one caveat compared to user-specified mounts: Source roots, which may themselves not lie under
/tmp, can be symlinks to directories under/tmp(e.g., when they arise from alocal_repository). To handle this situation in the common case, all parent directories of package path entries (up to direct children of/tmp) are mounted into the sandbox. If users uselocal_repositorys with fixed target paths under/tmp, they will need to specify--sandbox_add_mount_pair.Overlayfs has been considered as an alternative to this approach, but ultimately doesn't seem to work for this use case since its
lowerpath, which would be/tmp, is not allowed to have child mounts from a different user namespace (see https://unix.stackexchange.com/questions/776030/mounting-overlayfs-in-a-user-namespace-with-child-mounts). However, this is exactly the situation created by a Bazel-in-Bazel test and can also arise if the user has existing mounts under/tmpwhen using Bazel (e.g. the JetBrains toolbox on Linux uses such mounts).This replaces and mostly reverts the following commits, but keeps their tests:
Fixes #20533
Work towards #20753
Fixes #21215
Fixes #22117
Fixes #22226
Fixes #22290
RELNOTES: Paths in the Linux sandbox are now again identical to those outside the sandbox, even with
--incompatible_sandbox_hermetic_tmp.