Is there a way to get bazel to use sandbox directories when sandboxing is not supported?

Question

I'm running bazel inside of a docker container. Locally, when I run bazel with no flags I get the following warning:

> WARNING: Sandboxed execution is not supported on your system and thus hermeticity of actions cannot be guaranteed. See http://bazel.build/docs/bazel-user-manual.html#sandboxing for more information. You can turn off this warning via --ignore_unsupported_sandboxing.

And while I lose some guarantees about hermeticity, Bazel still creates all the sandboxing directories before running any of my genrules.

However, in CI, I'm not seeing that warning and instead just get failures when sandboxing is attempted. So I passed --genrule_strategy=standalone to stop the crash, but now my genrules are executing right in the workspace, which I definitely don't want.

Is there a way for me to get the behavior I'm seeing locally, where explicit sandboxing calls are being disabled because they would fail but the tmp directory creation with srcs/deps/data being copied over correctly still happens?

Either a flag I could pass to bazel to trigger that behavior, or something I could do to my system to convince bazel that sandboxing is not supported there?

Answer 1

Score: 1

What bazel version are you using which crashes when it tries to use sandboxing? I suspect c2d773ef4c0916a44fd7936f7bbc22ec55102915 will resolve that problem because it makes the detection of whether the sandbox works much more robust, which seems like it would then do what you're looking for.

Answer 2

Score: 1

Two possible options:

  1. To disable sandboxing, --genrule_strategy=standalone only applies to genrules. You also need to disable it for other rules, i.e. add --spawn_strategy=standalone. You may also need to disable it for specific rule types, e.g. --strategy GoCompile=standalone.

  2. To use sandboxing, you can run Bazel inside a privileged container, i.e. start its container with the --privileged flag. This might be a configuration option in your CI.
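
Option 1 above as a CI wrapper, an added example that is not part of the original answers: it probes whether namespaces can be created and falls back to the standalone flags only when they cannot. The function names, the `BAZEL_MNEMONICS` variable and the `unshare` probe are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answers.
# Assumption: creating an unprivileged user+mount namespace with util-linux
# `unshare` approximates what Bazel's Linux sandbox needs from the container.

# Returns 0 when user and mount namespaces can be created in this environment.
sandbox_probe() {
    command -v unshare >/dev/null 2>&1 || return 1
    unshare --user --map-root-user --mount true >/dev/null 2>&1
}

# Prints the strategy flags for a probe result.
# $1 = supported | unsupported; remaining args = action mnemonics (e.g. GoCompile)
strategy_flags() {
    state=$1
    shift
    case "$state" in
        supported)
            # Keep Bazel's defaults so actions stay sandboxed.
            ;;
        unsupported)
            flags="--spawn_strategy=standalone --genrule_strategy=standalone"
            for m in "$@"; do
                flags="$flags --strategy=$m=standalone"
            done
            printf '%s' "$flags"
            ;;
        *)
            return 2
            ;;
    esac
}

# CI entry point (hypothetical name): bazel_ci build //...
# BAZEL_MNEMONICS is a hypothetical space-separated list of mnemonics.
bazel_ci() {
    cmd=$1
    shift
    if sandbox_probe; then
        state=supported
    else
        state=unsupported
        echo "sandbox unavailable: actions run unsandboxed in the workspace" >&2
    fi
    # Word splitting of the flag string is intentional here.
    bazel "$cmd" $(strategy_flags "$state" ${BAZEL_MNEMONICS:-}) "$@"
}
```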

huangapple
  • Posted on May 3, 2017, 01:46:30
  • When reposting, please keep the link to this article: https://go.coder-hub.com/43744153.html