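Port isolation with bazel inside Docker

I am trying to test port isolation using bazel and linux in a docker privileged container, and failing.

My environment is as follows (all commands are run from a privileged container running on AWS):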

    $ uname -a
    Linux 167-docker99 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
    builduser@167-docker99:~/ws/bazel-port-isolation$ cat /etc/*-release
    PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
    NAME="Debian GNU/Linux"
    VERSION_ID="8"
    VERSION="8 (jessie)"
    ID=debian
    HOME_URL="http://www.debian.org/"
    SUPPORT_URL="http://www.debian.org/support"
    BUG_REPORT_URL="https://bugs.debian.org/"

Bazel version:

    $ bazel version
    Build label: 0.5.1
    Build target: bazel-out/local-fastbuild/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
    Build time: Tue Jun 6 10:34:11 2017 (1496745251)
    Build timestamp: 1496745251
    Build timestamp as int: 1496745251

Following this instruction, I made sure unprivileged_userns_clone is enabled:

    $ cat /proc/sys/kernel/unprivileged_userns_clone
    1

Repo: https://github.com/ittaiz/bazel-port-isolation

Running the tests:

    $ bazel test //...

    ...........
    ____Loading package: 
    ____Loading package: @bazel_tools//tools/cpp
    ____Loading package: @local_config_xcode//
    ____Loading package: @local_jdk//
    ____Loading package: @local_config_cc//
    ____Loading complete. Analyzing...
    ____Loading package: tools/defaults
    ____Loading package: @bazel_tools//tools/test
    ____Loading package: @junit_junit//jar
    ____Found 2 test targets...
    ____Building...
    ____[0 / 12] Expanding template SocketIsolationTest
    ____[9 / 12] Extracting interface @junit_junit//jar:jar
    ERROR: /home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/external/junit_junit/jar/BUILD.bazel:2:1: Extracting interface @junit_junit//jar:jar failed: Process exited with status 1 [sandboxed].
    src/main/tools/linux-sandbox-pid1.cc:193: "mount(/tmp, /tmp, NULL, MS_BIND, NULL)": Invalid argument
    Use --strategy=JavaIjar=standalone to disable sandboxing for the failing actions.
    ____Building complete.
    ____Elapsed time: 5.651s, Critical Path: 1.62s
    //:SocketIsolation2Test NO STATUS
    Executed 0 out of 2 tests: 1 fails to build and 1 was skipped.

Another important input may be that I managed to get bazel to run the tests successfully on the Docker host.

What went wrong?

It seems it was fixed in baf7d4bce8bb14d785760d10694122e8ead2a177.

After installing bazel HEAD, the tests pass successfully.