Repository metrics
- Stars
- (25,384 stars)
- PR merge metrics
- (平均マージ 22d 20h) (30d で 77 merged PRs)
説明
Description of the problem / feature request:
Bazel can silently fallback to weaker symlink sandbox if /bin/ttue is not available (https://github.com/bazelbuild/bazel/issues/13994) or if there aren't enough privileges to execute clone syscall with new namespaces (say running in unprivileged docker container locally or in cloud / CI).
This makes one's CI checks weaker and difference between build/test targets on different machines hidden. And since not all rules are sandbox-ready it'd be nice to have control over whether sandbox is on.
Ideally there should be flags to: best effort sandboxing, failing if sandboxing isn't working, disabling sandboxing, and also all of it for specific aspects (networking, root filesystem access, write access to inputs or other undeclared places, sandboxfs mounts availability, etc)
Feature requests: what underlying problem are you trying to solve with this feature?
Have control over sandboxing to be more hermetic, consistent between machines and have reliable CI.
Bugs: what's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.
Run bazel in unprivileged docker container and execute an action that escapes the sandbox (no short example yet, may add later)
What operating system are you running Bazel on?
NixOS
What's the output of bazel info release?
release 4.2.1- (@non-git)
If bazel info release returns "development version" or "(@non-git)", tell us how you built Bazel.
NixOS nixpkgs