author | Philipp Wollermann <philwo@google.com> | 2016-10-07 13:36:04 +0000 |
---|---|---|
committer | Damien Martin-Guillerez <dmarting@google.com> | 2016-10-07 13:51:43 +0000 |
commit | c5af2f3f2d974f7d0d84cecab6c57444b3413b01 (patch) | |
tree | 5c0b008ca35d538351ad5180439b0bafaabcea67 /src/test/shell | |
parent | a70d37391d7365f0d64be1fa0c49ce556a319094 (diff) |
sandbox: Allow network access by default, unless a target has a "block-network" tag.
To block network access, you can set the "block-network" tag on a target like this:
genrule(
name = "no_access_to_network",
cmd = "curl http://www.bazel.io/this_will_fail",
tags = [ "block-network" ],
)
This is needed to fix a performance issue due to a bug in the Linux kernel: https://lkml.org/lkml/2014/8/28/656
RELNOTES[INC]: Sandboxed actions can access the network by default, unless their target has a "block-network" tag.
--
MOS_MIGRATED_REVID=135470811
Diffstat (limited to 'src/test/shell')
-rw-r--r-- | src/test/shell/bazel/BUILD | 3 | ||||
-rwxr-xr-x | src/test/shell/bazel/bazel_sandboxing_test.sh | 42 |
2 files changed, 20 insertions, 25 deletions
diff --git a/src/test/shell/bazel/BUILD b/src/test/shell/bazel/BUILD
index ce0efd433a..2be680b2f0 100644
--- a/src/test/shell/bazel/BUILD
+++ b/src/test/shell/bazel/BUILD
@@ -164,9 +164,6 @@ sh_test(
 ":test-deps",
 "//src/test/shell/bazel/testdata:bazel_toolchain_test_project_pkg",
 ],
- tags = [
- "requires-network",
- ],
 )
 # TODO(bazel-team): zip is non-deterministic because of file timestamp,
diff --git a/src/test/shell/bazel/bazel_sandboxing_test.sh b/src/test/shell/bazel/bazel_sandboxing_test.sh
index 685bf05c54..0b796683ed 100755
--- a/src/test/shell/bazel/bazel_sandboxing_test.sh
+++ b/src/test/shell/bazel/bazel_sandboxing_test.sh
@@ -328,17 +328,15 @@ function test_sandbox_network_access() {
 cat << EOF >> examples/genrule/BUILD
 genrule(
- name = "breaks4",
- outs = [ "breaks4.txt" ],
+ name = "sandbox_network_access",
+ outs = [ "sandbox_network_access.txt" ],
 cmd = "curl -o \$@ localhost:${nc_port}",
 )
 EOF
- bazel build examples/genrule:breaks1 &> $TEST_log \
- && fail "Non-hermetic genrule succeeded: examples/genrule:breaks4" || true
- [ ! -f "${BAZEL_GENFILES_DIR}/examples/genrule/breaks4.txt" ] || {
- output=$(cat "${BAZEL_GENFILES_DIR}/examples/genrule/breaks4.txt")
- fail "Non-hermetic genrule breaks1 succeeded with following output: $output"
- }
+ bazel build examples/genrule:sandbox_network_access &> $TEST_log \
+ || fail "genrule 'sandbox_network_access' trying to use network failed, but should have succeeded"
+ [ -f "${BAZEL_GENFILES_DIR}/examples/genrule/sandbox_network_access.txt" ] \
+ || fail "genrule 'sandbox_network_access' did not produce output"
 kill_nc
 }
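Review bot: Nothing in test_sandbox_network_access records that an untagged genrule reaching localhost is now the intended result, although the assertions flip from "must fail" to "must succeed". A comment above the heredoc would make the policy explicit, for example `# Sandboxed actions may use the network by default; tags = [ "block-network" ] is the opt-out.` The `[ -f … ]` check on sandbox_network_access.txt only shows that a file exists, so comparing its content with the served file would make the positive case stricter, assuming serve_file makes that content available. The start of the function body lies outside the hunk.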
@@ -347,34 +345,34 @@ function test_sandbox_network_access_with_local() {
 cat << EOF >> examples/genrule/BUILD
 genrule(
- name = "breaks4_works_with_local",
- outs = [ "breaks4_works_with_local.txt" ],
+ name = "sandbox_network_access_with_local",
+ outs = [ "sandbox_network_access_with_local.txt" ],
 cmd = "curl -o \$@ localhost:${nc_port}",
 tags = [ "local" ],
 )
 EOF
- bazel build examples/genrule:breaks4_works_with_local &> $TEST_log \
- || fail "Non-hermetic genrule failed even though tags=['local']: examples/genrule:breaks4_works_with_local"
- [ -f "${BAZEL_GENFILES_DIR}/examples/genrule/breaks4_works_with_local.txt" ] \
- || fail "Genrule did not produce output: examples/genrule:breaks4_works_with_local"
+ bazel build examples/genrule:sandbox_network_access_with_local &> $TEST_log \
+ || fail "genrule 'sandbox_network_access_with_local' trying to use network failed, but should have succeeded"
+ [ -f "${BAZEL_GENFILES_DIR}/examples/genrule/sandbox_network_access_with_local.txt" ] \
+ || fail "genrule 'sandbox_network_access_with_local' did not produce output"
 kill_nc
 }
-function test_sandbox_network_access_with_requires_network() {
+function test_sandbox_network_access_with_block_network() {
 serve_file file_to_serve
 cat << EOF >> examples/genrule/BUILD
 genrule(
- name = "breaks4_works_with_requires_network",
- outs = [ "breaks4_works_with_requires_network.txt" ],
+ name = "sandbox_network_access_with_block_network",
+ outs = [ "sandbox_network_access_with_block_network.txt" ],
 cmd = "curl -o \$@ localhost:${nc_port}",
- tags = [ "requires-network" ],
+ tags = [ "block-network" ],
 )
 EOF
- bazel build examples/genrule:breaks4_works_with_requires_network &> $TEST_log \
- || fail "Non-hermetic genrule failed even though tags=['requires-network']: examples/genrule:breaks4_works_with_requires_network"
- [ -f "${BAZEL_GENFILES_DIR}/examples/genrule/breaks4_works_with_requires_network.txt" ] \
- || fail "Genrule did not produce output: examples/genrule:breaks4_works_with_requires_network"
+ bazel build examples/genrule:sandbox_network_access_with_block_network &> $TEST_log \
+ && fail "genrule 'sandbox_network_access_with_block_network' trying to use network succeeded, but should have failed" || true
+ [ ! -f "${BAZEL_GENFILES_DIR}/examples/genrule/breaks4_works_with_requires_network.txt" ] \
+ || fail "genrule 'sandbox_network_access_with_block_network' produced output, but was expected to fail"
 kill_nc
 }
|
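Review bot: In test_sandbox_network_access_with_block_network the negative file check still names `breaks4_works_with_requires_network.txt`, an output that no rule declares after the rename, so `[ ! -f … ]` is true whether or not the sandbox blocked the request. It should test the renamed output: `[ ! -f "${BAZEL_GENFILES_DIR}/examples/genrule/sandbox_network_access_with_block_network.txt" ] \`. Separately, the `bazel build … && fail … || true` form accepts any build failure, so a curl or local-server problem would look like a working network block; checking $TEST_log for a connection error would tie the pass to the sandbox, though the exact message is not visible on this page.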