path: root/src/main/java/com/google/devtools/build/lib/sandbox/DarwinSandboxRunner.java
Commit message | Author | Age
* Rewrite all the sandbox strategy implementations | ulfjack | 2017-07-12
  - Make use of existing abstractions like SpawnRunner and SpawnExecutionPolicy.
  - Instead of having the *Strategy create a *Runner, and then call back into SandboxStrategy, create a single SandboxContainer which contains the full command line, environment, and everything needed to create and delete the sandbox directory.
  - Do all the work in SandboxStrategy, including creation and deletion of the sandbox directory.
  - Use SpawnResult instead of throwing, catching, and rethrowing.
  - Simplify the control flow a bit.
  PiperOrigin-RevId: 161644979
* sandbox: Create more compact sandbox profiles faster. | Philipp Wollermann | 2017-05-15
  By removing the now unnecessary call to Path#resolveSymbolicLinks we can save a few stat's per action execution.
  Change-Id: Iee157e941c1cd3515ff5ea3b7f410824c24cf44d
  PiperOrigin-RevId: 155946544
* Bring back --sandbox_block_path. | philwo | 2017-05-15
  This is basically a rollback of https://github.com/bazelbuild/bazel/commit/3e2329a73ffd5d60e5e2babe60ebe5bf322c07da, except this solves the reason why the feature was removed in the first place. We now create the helper files necessary to make files unreadable in Linux in Bazel's Java code and manage their lifetime there.
  Request was filed by a user here: http://stackoverflow.com/questions/43849651/how-to-lock-down-the-bazel-filesystem-sandbox
  PiperOrigin-RevId: 155913246
* sandbox: Use process-wrapper in addition to sandbox-exec on macOS. | Philipp Wollermann | 2017-05-09
  This gives us much improved process management, because Bazel can now reliably kill child processes of spawns via their process group and wait for them to exit.
  Change-Id: Ib3cb20725b3c569aa5b317a69d7682f5774707b0
  PiperOrigin-RevId: 155493511
* sandbox: Remove special treatment for runUnderPath from Darwin sandbox. | Philipp Wollermann | 2017-05-09
  There's no need to make it explicitly readable, because the entire host filesystem is readable anyway.
  Change-Id: I6a63cc93b600250c1c8828ef8d1c9d6133b671d7
  PiperOrigin-RevId: 155477093
* sandbox: Use CommandEnvironment for more robust look-up of embedded binaries. | Philipp Wollermann | 2017-05-09
  Change-Id: I1bc1901ea7cd9a5b93c280ec0ff8ac0d10959a09
  PiperOrigin-RevId: 155381163
* sandbox: Simplify DarwinSandboxRunner#isSupported. | Philipp Wollermann | 2017-05-08
  There's no need to check for the OS version, as we can just try to use sandbox-exec and if it works, we're good.
  Change-Id: I7fe9a0b55856c646da915a2872531f050a25b110
  PiperOrigin-RevId: 155368707
* sandbox: Some refactoring and small improvements. | Philipp Wollermann | 2017-05-08
  Change-Id: I1355c2448cb6cbbcdbace81051a7beb8659f1f00
  PiperOrigin-RevId: 155366727
* Fix bug breaking sandboxing on macOS 10.12 | Ty Book | 2017-04-07
  macOS version strings that have only two components, e.g. "10.12", were always failing the check that the macOS version is >= 10.11, causing Bazel to erroneously think sandboxing isn't supported
  Change-Id: Ifa4a01fc304e7620502d3f0f9f70c3b500d23864
  PiperOrigin-RevId: 152493682
* sandbox: No longer change the user to 'nobody' by default. | Philipp Wollermann | 2017-03-24
  This can be reactivated by passing the --sandbox_fake_username flag to Bazel.
  Reasoning: 'nobody' has a non-existent home directory on many Linux distros, leading to issues when tools try to stat / read / write to the home directory.
  Related to #2688.
  RELNOTES: The Linux sandbox no longer changes the user to 'nobody' by default, instead the current user is used as is. The old behavior can be restored via the --sandbox_fake_username flag.
  --
  PiperOrigin-RevId: 151115218
  MOS_MIGRATED_REVID=151115218
* sandbox: Remove the flag --sandbox_block_path. | Philipp Wollermann | 2017-03-24
  It is in the way of optimizing the performance of the sandbox, because it requires us to create two helper files (an unreadable file and an unreadable directory) which are bind-mounted on top of paths specified via this flag.
  These two helper files were created on a tmpfs mounted by the sandbox until now, which ensured that they were automatically deleted on exit. However, mounting tmpfs on /dev/shm or /tmp causes issues like #2686 or #1882.
  By removing this flag, we can get rid of the two helper files, which means we can also remove the reliance on a "sandbox temp directory" completely in the next change.
  --
  PiperOrigin-RevId: 151107496
  MOS_MIGRATED_REVID=151107496
* Fix #2018: Can't access localhost in bazel 0.3.2. | Philipp Wollermann | 2017-02-01
  The behavior of the Linux sandbox was changed to not hide the local hostname by default. It is now only hidden when the --sandbox_fake_hostname flag is specified. Also, instead of using the hostname "sandbox" in this case, it now uses "localhost", which fixes the issue of sandboxed processes not being able to resolve their local hostname.
  RELNOTES: For increased compatibility with environments where UTS namespaces are not available, the Linux sandbox no longer hides the hostname of the local machine by default. Use --sandbox_fake_hostname to re-enable this feature.
  --
  PiperOrigin-RevId: 146244268
  MOS_MIGRATED_REVID=146244268
* Gives 3 levels of sandbox error message under different flags. | Yue Gan | 2017-01-12
  1. no flag: only the direct reason is given (command execution termination status), and also the instruction to use "--verbose_failures"
  2. flag "--verbose_failures": gives failed execution command and the instruction to use "--sandbox_debug --strategy"
  3. flag "--verbose_failures --sandbox_debug": gives failed execution command, debugging message from sandboxing, and the instruction to use "--strategy"
  Also removes "cd <sandbox_path>" in given failed command, since debugging is only necessary with flag "--verbose_failures --sandbox_debug" and the path is already given in sandboxing debugging message.
  Addresses #2174.
  Fixes bazel_sandboxing_test.sh and bazel_test_test.sh for the new error message.
  Fixes timeout.
  --
  PiperOrigin-RevId: 144285435
  MOS_MIGRATED_REVID=144285435
* Automated [] rollback of commit 56bc3cbf0e87423e815422d1c6e02846af74c0bf. | Marcel Hlopko | 2017-01-10
  *** Reason for rollback ***
  Still breaks //src/test/shell/bazel:bazel_test_test
  http://ci.bazel.io/job/bazel-tests/BAZEL_VERSION=HEAD,PLATFORM_NAME=linux-x86_64/lastCompletedBuild/testReport/(root)/(empty)/test_test_timeout/
  --
  PiperOrigin-RevId: 144107285
  MOS_MIGRATED_REVID=144107285
* Gives 3 levels of sandbox error message under different flags. | Yue Gan | 2017-01-10
  1. no flag: only the direct reason is given (command execution termination status), and also the instruction to use "--verbose_failures"
  2. flag "--verbose_failures": gives failed execution command and the instruction to use "--sandbox_debug --strategy"
  3. flag "--verbose_failures --sandbox_debug": gives failed execution command, debugging message from sandboxing, and the instruction to use "--strategy"
  Also removes "cd <sandbox_path>" in given failed command, since debugging is only necessary with flag "--verbose_failures --sandbox_debug" and the path is already given in sandboxing debugging message.
  Addresses #2174.
  Fixes bazel_sandboxing_test.sh and bazel_test_test.sh for the new error message.
  --
  PiperOrigin-RevId: 144058351
  MOS_MIGRATED_REVID=144058351
* Automated [] rollback of commit feee0704b9a2654e1b2a9d99ec9f2fd590f8b23f. | Marcel Hlopko | 2017-01-09
  *** Reason for rollback ***
  Breaks //src/test/shell/bazel:bazel_sandboxing_test:
  http://ci.bazel.io/job/bazel-tests/lastCompletedBuild/BAZEL_VERSION=latest-jdk7,PLATFORM_NAME=linux-x86_64/testReport/(root)/(empty)/test_failing_action_with_ioexception_while_copying_outputs_throws_correct_exception/
  *** Original change description ***
  Gives 3 levels of sandbox error message under different flags.
  1. no flag: only the direct reason is given (command execution termination status), and also the instruction to use "--verbose_failures"
  2. flag "--verbose_failures": gives failed execution command and the instruction to use "--sandbox_debug --strategy"
  3. flag "--verbose_failures --sandbox_debug": gives failed execution command, debugging message from sandboxing, and the instruction to use "--strategy"
  Also removes "cd <sandbox_... ***
  ROLLBACK_OF=143937589
  --
  PiperOrigin-RevId: 143951901
  MOS_MIGRATED_REVID=143951901
* Gives 3 levels of sandbox error message under different flags. | Yue Gan | 2017-01-09
  1. no flag: only the direct reason is given (command execution termination status), and also the instruction to use "--verbose_failures"
  2. flag "--verbose_failures": gives failed execution command and the instruction to use "--sandbox_debug --strategy"
  3. flag "--verbose_failures --sandbox_debug": gives failed execution command, debugging message from sandboxing, and the instruction to use "--strategy"
  Also removes "cd <sandbox_path>" in given failed command, since debugging is only necessary with flag "--verbose_failures --sandbox_debug" and the path is already given in sandboxing debugging message.
  Addresses #2174.
  --
  PiperOrigin-RevId: 143937589
  MOS_MIGRATED_REVID=143937589
* Deny unix-socket in sandbox script by default. Fixes #1881. | Yue Gan | 2016-10-07
  --
  MOS_MIGRATED_REVID=135360041
* sandbox: Replace the error-prone lazy cleanup of sandbox directories by a simple synchronous cleanup. | Philipp Wollermann | 2016-09-30
  Tested with bazel building itself that this does not result in a performance degradation.
  --
  MOS_MIGRATED_REVID=134766597
* Check OS X version to decide if sandbox is supported. | Yue Gan | 2016-09-09
  --
  MOS_MIGRATED_REVID=132570504
* fix run_under command | Yue Gan | 2016-09-01
  --
  Change-Id: I765eaa6f0ecb31508eaf41f88be989f8e1169c51
  Reviewed-on: https://bazel-review.googlesource.com/#/c/5711
  MOS_MIGRATED_REVID=131934871
* Refactor our sandboxing code. | Philipp Wollermann | 2016-08-31
  --
  MOS_MIGRATED_REVID=131817068
* Sandbox 2.0 for Mac OS X. | Yue Gan | 2016-08-08
  --
  Change-Id: Idf232f3dce3a3221d9a35c89dcef13437b0c25ba
  Reviewed-on: https://bazel-review.googlesource.com/#/c/3905/
  MOS_MIGRATED_REVID=129620348