| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
| |
This adds a bunch of classes that only implement the SpawnRunner interface, and
will allow us to support remote caching in combination with local sandboxed
execution in a subsequent change.
PiperOrigin-RevId: 161664556
|
| |
|
|
|
|
|
|
| |
This will allow us to add new and optional flags like selecting a strategy used to spawn / wait for the child process.
No one except Bazel should be calling "process-wrapper" and I couldn't find any references, so this breaking change should be fine.
PiperOrigin-RevId: 159685867
|
| |
|
|
| |
PiperOrigin-RevId: 159423459
|
| |
|
|
|
|
|
|
|
| |
This gives us much improved process management, because Bazel can now
reliably kill child processes of spawns via their process group and wait
for them to exit.
Change-Id: Ib3cb20725b3c569aa5b317a69d7682f5774707b0
PiperOrigin-RevId: 155493511
|
| |
|
|
|
| |
Change-Id: I1bc1901ea7cd9a5b93c280ec0ff8ac0d10959a09
PiperOrigin-RevId: 155381163
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(fallback only).
On macOS the processwrapper-sandbox will be used when the darwin-sandbox doesn't
work. Most notably this is the case for nested sandboxing, e.g. Bazel running
Bazel inside an integration test.
Also includes a fix to pull in some extra environment vars on macOS, similar to
what DarwinSandboxedStrategy and StandaloneSpawnStrategy already do. Without
this the processwrapper-sandbox seems to occasionally cause ObjC builds (and two
of our tests) to fail.
Change-Id: Ic7462080caf56d9bb98e2f3765bd37853b01632b
RELNOTES: Sandboxing is now enabled by default on FreeBSD (via processwrapper-sandbox).
PiperOrigin-RevId: 155366728
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This change is part of the mu-bazel effort, which aims to build a minimally
useful Bazel binary with most extraneous functionality removed. As part of
that, we want to enforce layering of packages. In particular, lib.actions must
not depend on lib.rules or lib.exec. lib.rules must not depend on lib.exec.
Moving these classes is a necessary step to enforce that layering.
--
PiperOrigin-RevId: 142668172
MOS_MIGRATED_REVID=142668172
|
| |
|
|
|
|
|
| |
RELNOTES: Darwin sandboxing is default.
--
MOS_MIGRATED_REVID=136013826
|
| |
|
|
|
| |
--
MOS_MIGRATED_REVID=136011723
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
*** Reason for rollback ***
Make darwin sandboxing default again.
*** Original change description ***
Fix #1849: Sandboxing on OS X should be turned off by default for 0.3.2.
This restructures the way we set the default Spawn strategy so that each BlazeModule supplying a SpawnActionContext has an ActionContextConsumer that sets its own SpawnActionContext as the default, with the BazelRulesModule being put as the last module loaded in BazelMain, so that it can override that decision - it only does, if the user explicitly specifies a --spawn_strategy flag. IMHO this is a much saner approach than...
***
ROLLBACK_OF=134770427
RELNOTES: Darwin sandboxing is default.
--
MOS_MIGRATED_REVID=135905657
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This restructures the way we set the default Spawn strategy so that each BlazeModule supplying a SpawnActionContext has an ActionContextConsumer that sets its own SpawnActionContext as the default, with the BazelRulesModule being put as the last module loaded in BazelMain, so that it can override that decision - it only does, if the user explicitly specifies a --spawn_strategy flag. IMHO this is a much saner approach than the older one.
So the flow is essentially this:
- StandaloneActionContextConsumer sets the default strategy to "standalone".
- SandboxActionContextConsumer sets the default strategy to "sandboxed", but only on Linux
- BazelRulesModule sets the default strategy to the value of the --spawn_strategy flag, if it is set.
--
MOS_MIGRATED_REVID=134770427
|
| |
|
|
|
| |
--
MOS_MIGRATED_REVID=131817068
|
| |
|
|
|
|
|
|
|
| |
linux-sandbox in the same sandbox execution environment.
--
Change-Id: I51a875a87d92ae13ad575eb41026ce5d3db94f8b
Reviewed-on: https://bazel-review.googlesource.com/#/c/5611/
MOS_MIGRATED_REVID=131578077
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This has the following improvements upon the older one:
- Uses PID namespaces, PR_SET_PDEATHSIG and a number of other tricks for
further process isolation and 100% reliable killing of child processes.
- Uses clone() instead of unshare() to work around a Linux kernel bug that
made creating a sandbox unreliable.
- Instead of mounting a hardcoded list of paths + whatever you add with
--sandbox_add_path, this sandbox instead mounts all of /, except for what
you make inaccessible via --sandbox_block_path. This should solve the
majority of "Sandboxing breaks my build, because my compiler is installed
in /opt or /usr/local" issues that users have seen.
- Instead of doing magic with bind mounts, we create a separate execroot for
each process containing symlinks to the input files. This is simpler and
gives more predictable performance.
- Actually makes everything except the working directory read-only
(fixes #1364). This means that a running process can no longer accidentally
modify your source code (yay!).
- Prevents a number of additional "attacks" or leaks, like accidentally
inheriting file handles from the parent.
- Simpler command-line interface.
- We can provide the same semantics in a Mac OS X sandbox, which will come in
a separate code review from yueg@.
It has the following caveats / known issues:
- The "fallback to /bin/bash on error" feature is gone, but now that the
sandbox mounts everything by default, the main use-case for this is no
longer needed.
The following improvements are planned:
- Use a FUSE filesystem if possible for the new execroot, instead of creating
symlinks.
- Mount a base image instead of "/".
FAQ:
Q: Why is mounting all of "/" okay, doesn't this make the whole sandbox
useless?
A: This is still a reasonable behavior, because the sandbox never tried to
isolate your build from the operating system it runs in. Instead it is
supposed to protect your data from a test running "rm -rf $HOME" and to
make it difficult / impossible for actions to use input files that are not
declared dependencies. For even more isolation the sandbox will support
mounting a base image as its root in a future version (similar to Docker
images).
Q: Let's say my process-specific execroot contains a symlink to an input file
"good.h", can't the process just resolve the symlink, strip off the file
name and then look around in the workspace?
A: Yes. Unfortunately we could not find any way on Linux to make a file appear
in a different directory with *all* of the semantics we would like. The
options investigated were:
1) Copying input files, which is much too slow.
2) Hard linking input files, which is fast, but doesn't work cross-
filesystems and it's also not possible to make them read-only.
3) Bind mounts, which don't scale once you're up in the thousands of input
files (across all actions) - it seems like the kernel has some
non-linear performance behavior when the mount table grows too much,
resulting in the mount syscall taking more time the more mounts you
have.
4) FUSE filesystem, good in theory, but wasn't ready for the first
iteration.
RELNOTES: New sandboxing implementation for Linux in which all actions run in a separate execroot that contains input files as symlinks back to the originals in the workspace. The running action now has read-write access to its execroot and /tmp only and can no longer write in arbitrary other places in the file system.
--
Change-Id: Ic91386fc92f8eef727ed6d22e6bd0f357d145063
Reviewed-on: https://bazel-review.googlesource.com/#/c/4053
MOS_MIGRATED_REVID=130638204
|
| |
|
|
| |
MOS_MIGRATED_REVID=127927495
|
| |
|
|
|
|
|
|
|
|
|
| |
Map.
This makes it possible to request multiple implementations of the same ActionContext to be available via Executor#getContext().
Currently, specialized SpawnActionContexts like the sandbox or the worker strategy that might have to do a fallback each instantiate their own private copy of e.g. the StandaloneSpawnStrategy. With this change, they can instead get a global instance from the Executor.
--
MOS_MIGRATED_REVID=115705811
|
| |
|
|
|
|
|
|
|
|
|
| |
The headers were modified with
`find . -type f -exec 'sed' '-Ei' 's|Copyright 201([45]) Google|Copyright 201\1 The Bazel Authors|' '{}' ';'`
And manual edit for not Google owned copyright. Because of the nature of ijar, I did not modified the header of file owned by Alan Donovan.
The list of authors were extracted from the git log. It is missing older Google contributors that can be added on-demand.
--
MOS_MIGRATED_REVID=103938715
|
|
|
--
MOS_MIGRATED_REVID=97126283
|
ulfjack
philwo
Yue Gan
Luis Fernando Pino Duque
Damien Martin-Guillerez