From d4b78d0f7c2d3e6714f82538eca30e2414e97fdc Mon Sep 17 00:00:00 2001
From: Philipp Wollermann
- On some platform such as GKE
- cluster nodes, namespace are deactivated using the kernel.unprivileged_userns_clone
- sysctl. This can be checked by looking at the file
- /proc/sys/kernel/unprivileged_userns_clone
: if it exists and set to 0, then
- namespace can be activated with sudo sysctl kernel.unprivileged_userns_clone=1
.
+ On some platforms such as Google Container
+ Engine cluster nodes or Debian, user namespaces are deactivated by default due to security
+ concerns. This can be checked by looking at the file
+ /proc/sys/kernel/unprivileged_userns_clone
: if it exists and contains a 0, then
+ user namespaces can be activated with sudo sysctl kernel.unprivileged_userns_clone=1
.
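Review bot: the added sentence says user namespaces are off "due to security concerns" and then gives `sudo sysctl kernel.unprivileged_userns_clone=1` as the fix without stating the trade-off. Consider adding one sentence saying that this re-enables unprivileged user namespaces for every user on the host, not only for Bazel, so that readers on shared or hardened machines can decide whether that is acceptable. It would also help to note that a value set this way applies to the running kernel only and is gone after a reboot unless it is also written to the sysctl configuration.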
- In some cases, Bazel sandbox fails to execute rules because of the system setup. The symptom is
- generally a failure that output a message similar to
+ In some cases, the Bazel sandbox fails to execute rules because of the system setup. The symptom
+ is generally a failure that output a message similar to
namespace-sandbox.c:633: execvp(argv[0], argv): No such file or directory
. In that
- case, try to deactivate the sandbox for genrule with --genrule_strategy=standalone
- and for other rules with --spawn_strategy=standalone
.
+ case, try to deactivate the sandbox for genrules with --genrule_strategy=standalone
+ and for other rules with --spawn_strategy=standalone
. Also please report a bug on our
+ issue tracker and mention which Linux distribution you're using so that we can investigate and
+ provide a fix in a subsequent release.
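Review bot: the rewritten workaround still recommends `--genrule_strategy=standalone` and `--spawn_strategy=standalone` without saying that these flags turn the sandbox off for the affected actions. A short clause stating that this is a temporary workaround and that those actions then run unsandboxed would keep readers from leaving the flags in place permanently. Two smaller points in the same paragraph: "a failure that output a message" should read "outputs", and "our issue tracker" would be more useful with the tracker link next to it, if the link is not already in the markup.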
-- cgit v1.2.3