Fix Bazel failing to build anything when its workspace or output base is in /tmp.

Add "-b" option to linux-sandbox to explicitly bind mount files / directories into the sandbox. This is used to pull in the workspace and output base of Bazel even when they're located in /tmp and would thus be hidden by the tmpfs we mount on the /tmp directory in the sandbox.

Add "-S" option to linux-sandbox to explicitly specify a temporary directory to be used to contain the sandbox. This can be created by Bazel and then removed more reliably, compared to the earlier behavior where the sandbox would create its own temporary root directory in /tmp/sandbox.XXXXXX (and fail to delete it in case it gets killed by a signal).

Fix spurious empty.XXXXXX files and directories not being deleted from /tmp.

--
MOS_MIGRATED_REVID=133695992

3 files changed, 34 insertions, 2 deletions

diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java
index cceed552ba..c3d36a615f 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxRunner.java
@@ -15,6 +15,7 @@
 package com.google.devtools.build.lib.sandbox;
 
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
 import com.google.common.io.ByteStreams;
 import com.google.devtools.build.lib.runtime.CommandEnvironment;
 import com.google.devtools.build.lib.shell.Command;
@@ -40,25 +41,31 @@ final class LinuxSandboxRunner extends SandboxRunner {
 
   private final Path execRoot;
   private final Path sandboxExecRoot;
+  private final Path sandboxTempDir;
   private final Path argumentsFilePath;
   private final Set<Path> writableDirs;
   private final Set<Path> inaccessiblePaths;
+  private final Set<Path> bindMounts;
   private final boolean sandboxDebug;
 
   LinuxSandboxRunner(
       Path execRoot,
       Path sandboxPath,
       Path sandboxExecRoot,
+      Path sandboxTempDir,
       Set<Path> writableDirs,
       Set<Path> inaccessiblePaths,
+      ImmutableSet<Path> bindMounts,
       boolean verboseFailures,
       boolean sandboxDebug) {
     super(sandboxPath, sandboxExecRoot, verboseFailures);
     this.execRoot = execRoot;
     this.sandboxExecRoot = sandboxExecRoot;
+    this.sandboxTempDir = sandboxTempDir;
     this.argumentsFilePath = sandboxPath.getRelative("linux-sandbox.params");
     this.writableDirs = writableDirs;
     this.inaccessiblePaths = inaccessiblePaths;
+    this.bindMounts = bindMounts;
     this.sandboxDebug = sandboxDebug;
   }
 
@@ -116,6 +123,10 @@ final class LinuxSandboxRunner extends SandboxRunner {
       fileArgs.add("-D");
     }
 
+    // Temporary directory of the sandbox.
+    fileArgs.add("-S");
+    fileArgs.add(sandboxTempDir.toString());
+
     // Working directory of the spawn.
     fileArgs.add("-W");
     fileArgs.add(sandboxExecRoot.toString());
@@ -137,6 +148,11 @@ final class LinuxSandboxRunner extends SandboxRunner {
       fileArgs.add(inaccessiblePath.getPathString());
     }
 
+    for (Path bindMount : bindMounts) {
+      fileArgs.add("-b");
+      fileArgs.add(bindMount.getPathString());
+    }
+
     if (!allowNetwork) {
       // Block network access out of the namespace.
       fileArgs.add("-N");
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
index be49446a82..0e38d0d891 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/LinuxSandboxedStrategy.java
@@ -101,6 +101,7 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
     // Each invocation of "exec" gets its own sandbox.
     Path sandboxPath = SandboxHelpers.getSandboxRoot(blazeDirs, productName, uuid, execCounter);
     Path sandboxExecRoot = sandboxPath.getRelative("execroot").getRelative(execRoot.getBaseName());
+    Path sandboxTempDir = sandboxPath.getRelative("tmp");
 
 
     try {
@@ -110,6 +111,7 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
       Set<Path> writableDirs = getWritableDirs(sandboxExecRoot, spawn.getEnvironment(), outputs);
       symlinkedExecRoot.createFileSystem(
           getMounts(spawn, actionExecutionContext), outputs, writableDirs);
+      sandboxTempDir.createDirectory();
 
       final SandboxRunner runner;
       if (fullySupported) {
@@ -118,8 +120,10 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
                 execRoot,
                 sandboxPath,
                 sandboxExecRoot,
+                sandboxTempDir,
                 getWritableDirs(sandboxExecRoot, spawn.getEnvironment(), outputs),
                 getInaccessiblePaths(),
+                getBindMounts(blazeDirs),
                 verboseFailures,
                 sandboxOptions.sandboxDebug);
       } else {
@@ -143,4 +147,17 @@ public class LinuxSandboxedStrategy extends SandboxStrategy {
     }
   }
 
+  private ImmutableSet<Path> getBindMounts(BlazeDirectories blazeDirs) {
+    Path tmpPath = blazeDirs.getFileSystem().getPath("/tmp");
+    ImmutableSet.Builder<Path> bindMounts = ImmutableSet.builder();
+    if (blazeDirs.getWorkspace().startsWith(tmpPath)) {
+
+      bindMounts.add(blazeDirs.getWorkspace());
+    }
+    if (blazeDirs.getOutputBase().startsWith(tmpPath)) {
+      bindMounts.add(blazeDirs.getOutputBase());
+    }
+    return bindMounts.build();
+  }
+
 }
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
index 8573ad5fa7..004c8dffbc 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
@@ -128,7 +128,6 @@ final class SandboxHelpers {
     return blazeDirs
         .getOutputBase()
         .getRelative(productName + "-sandbox")
-        .getRelative(uuid + "-" + execCounter.getAndIncrement())
-        .getRelative(blazeDirs.getExecRoot().getBaseName());
+        .getRelative(uuid + "-" + execCounter.getAndIncrement());
   }
 }