diff options
| author |  Philipp Wollermann <philwo@google.com> | 2017-06-27 15:12:20 +0200 |
|---|---|---|
| committer |  Marcel Hlopko <hlopko@google.com> | 2017-06-28 10:16:38 +0200 |
| commit | 329d79e3599469186c0e261182550eb57bd6140d (patch) | |
| tree | 6829f0f061212e88d28a0d1ef15ac750c6870184 /src/test | |
| parent | f2ed858ee37b4694b2c29851509d1f33847e1608 (diff) | |
Fixes #3188: Implement sandboxing for remote_worker on Linux.
RELNOTES: Bazel's remote_worker backend for remote execution supports sandboxing on Linux now. Check https://github.com/bazelbuild/bazel/blob/master/src/tools/remote_worker/README.md for details.
Change-Id: I918b0291472c8c7d4884850d9ca0f03674ef2f31
PiperOrigin-RevId: 160266742
Diffstat (limited to 'src/test')
| -rw-r--r-- | src/test/shell/bazel/BUILD | 10 | ||||
| -rw-r--r-- | src/test/shell/bazel/remote_execution_sandboxing_test.sh | 120 | ||||
| -rwxr-xr-x | src/test/shell/bazel/remote_execution_test.sh | 22 |
3 files changed, 141 insertions, 11 deletions
diff --git a/src/test/shell/bazel/BUILD b/src/test/shell/bazel/BUILD index efd5232354..a3882937eb 100644 --- a/src/test/shell/bazel/BUILD +++ b/src/test/shell/bazel/BUILD @@ -379,6 +379,16 @@ sh_test( ) sh_test( + name = "remote_execution_sandboxing_test", + size = "large", + srcs = ["remote_execution_sandboxing_test.sh"], + data = [ + ":test-deps", + "//src/tools/remote_worker", + ], +) + +sh_test( name = "client_test", size = "medium", srcs = ["client_test.sh"], diff --git a/src/test/shell/bazel/remote_execution_sandboxing_test.sh b/src/test/shell/bazel/remote_execution_sandboxing_test.sh new file mode 100644 index 0000000000..38c1c2c04f --- /dev/null +++ b/src/test/shell/bazel/remote_execution_sandboxing_test.sh @@ -0,0 +1,120 @@ +#!/bin/bash +# +# Copyright 2017 The Bazel Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Tests remote execution and caching. +# + +# Load the test setup defined in the parent directory +CURRENT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +source "${CURRENT_DIR}/../integration_test_setup.sh" \ + || { echo "integration_test_setup.sh not found!" >&2; exit 1; } +source "${CURRENT_DIR}/bazel_sandboxing_test_utils.sh" \ + || { echo "bazel_sandboxing_test_utils.sh not found!" >&2; exit 1; } + +function set_up() { + work_path=$(mktemp -d "${TEST_TMPDIR}/remote.XXXXXXXX") + writable_path=$(mktemp -d "${TEST_TMPDIR}/remote.XXXXXXXX") + readonly_path=$(mktemp -d "${TEST_TMPDIR}/remote.XXXXXXXX") + pid_file=$(mktemp -u "${TEST_TMPDIR}/remote.XXXXXXXX") + worker_port=$(pick_random_unused_tcp_port) || fail "no port found" + "${bazel_data}/src/tools/remote_worker/remote_worker" \ + --work_path="${work_path}" \ + --listen_port=${worker_port} \ + --sandboxing \ + --sandboxing_writable_path="${writable_path}" \ + --pid_file="${pid_file}" >& $TEST_log & + local wait_seconds=0 + until [ -s "${pid_file}" ] || [ "$wait_seconds" -eq 30 ]; do + sleep 1 + ((wait_seconds++)) || true + done + if [ ! -s "${pid_file}" ]; then + fail "Timed out waiting for remote worker to start." + fi + + mkdir -p examples/genrule + cat > examples/genrule/BUILD <<'EOF' +genrule( + name = "simple", + srcs = ["a.txt"], + outs = ["simple.txt"], + cmd = "wc $(location :a.txt) > $@", +) + +genrule( + name = "writes_to_writable_path", + srcs = ["writable_path.txt"], + outs = ["writes_to_writable_path.txt"], + cmd = "touch $@; touch \"`cat $(location :writable_path.txt)`/out.txt\"", +) + +genrule( + name = "writes_to_readonly_path", + srcs = ["readonly_path.txt"], + outs = ["writes_to_readonly_path.txt"], + cmd = "touch $@; touch \"`cat $(location :readonly_path.txt)`/out.txt\"", +) +EOF + echo -n "12345" > examples/genrule/a.txt + echo -n "$writable_path" > examples/genrule/writable_path.txt + echo -n "$readonly_path" > examples/genrule/readonly_path.txt +} + +function tear_down() { + if [ -s "${pid_file}" ]; then + local pid=$(cat "${pid_file}") + kill "${pid}" || true + fi + rm -rf "${pid_file}" + rm -rf "${work_path}" +} + +function test_genrule() { + bazel --host_jvm_args=-Dbazel.DigestFunction=SHA1 build \ + --spawn_strategy=remote \ + --remote_executor=localhost:${worker_port} \ + --remote_cache=localhost:${worker_port} \ + examples/genrule:simple &> $TEST_log \ + || fail "Hermetic genrule failed: examples/genrule:simple" +} + +function test_genrule_can_write_to_path() { + bazel --host_jvm_args=-Dbazel.DigestFunction=SHA1 build \ + --spawn_strategy=remote \ + --remote_executor=localhost:${worker_port} \ + --remote_cache=localhost:${worker_port} \ + examples/genrule:writes_to_writable_path &> $TEST_log \ + || fail "Hermetic genrule failed: examples/genrule:writes_to_writable_path" + [ -f "$(cat examples/genrule/writable_path.txt)/out.txt" ] \ + || fail "Genrule did not write to expected path: $(cat examples/genrule/writable_path.txt)/out.txt" +} + +function test_genrule_cannot_write_to_other_path() { + bazel --host_jvm_args=-Dbazel.DigestFunction=SHA1 build \ + --spawn_strategy=remote \ + --remote_executor=localhost:${worker_port} \ + --remote_cache=localhost:${worker_port} \ + examples/genrule:writes_to_readonly_path &> $TEST_log \ + && fail "Non-hermetic genrule succeeded: examples/genrule:writes_to_readonly_path" || true + [ -f "$(cat examples/genrule/readonly_path.txt)/out.txt" ] \ + && fail "Genrule was able to write to readonly path: $(cat examples/genrule/readonly_path.txt)/out.txt" || true +} + +# The test shouldn't fail if the environment doesn't support running it. +check_supported_platform || exit 0 +check_sandbox_allowed || exit 0 + +run_suite "Remote execution with sandboxing tests" diff --git a/src/test/shell/bazel/remote_execution_test.sh b/src/test/shell/bazel/remote_execution_test.sh index b119f885f7..87d6b514b8 100755 --- a/src/test/shell/bazel/remote_execution_test.sh +++ b/src/test/shell/bazel/remote_execution_test.sh @@ -23,17 +23,17 @@ source "${CURRENT_DIR}/../integration_test_setup.sh" \ || { echo "integration_test_setup.sh not found!" >&2; exit 1; } function set_up() { - work_path=$(mktemp -d ${TEST_TMPDIR}/remote.XXXXXXXX) - pid_file=$(mktemp -u ${TEST_TMPDIR}/remote.XXXXXXXX) + work_path=$(mktemp -d "${TEST_TMPDIR}/remote.XXXXXXXX") + pid_file=$(mktemp -u "${TEST_TMPDIR}/remote.XXXXXXXX") worker_port=$(pick_random_unused_tcp_port) || fail "no port found" hazelcast_port=$(pick_random_unused_tcp_port) || fail "no port found" - ${bazel_data}/src/tools/remote_worker/remote_worker \ - --work_path=${work_path} \ + "${bazel_data}/src/tools/remote_worker/remote_worker" \ + --work_path="${work_path}" \ --listen_port=${worker_port} \ --hazelcast_standalone_listen_port=${hazelcast_port} \ - --pid_file=${pid_file} >& $TEST_log & + --pid_file="${pid_file}" >& $TEST_log & local wait_seconds=0 - until [ -s "${pid_file}" ] || [ $wait_seconds -eq 30 ]; do + until [ -s "${pid_file}" ] || [ "$wait_seconds" -eq 30 ]; do sleep 1 ((wait_seconds++)) || true done @@ -43,12 +43,12 @@ function set_up() { } function tear_down() { - if [ -s ${pid_file} ]; then - local pid=$(cat ${pid_file}) - kill ${pid} || true + if [ -s "${pid_file}" ]; then + local pid=$(cat "${pid_file}") + kill "${pid}" || true fi - rm -rf ${pid_file} - rm -rf ${work_path} + rm -rf "${pid_file}" + rm -rf "${work_path}" } function test_cc_binary() { |