Allow running bubblewrap in container #22907

Merged
MikeMcQuaid merged 1 commit into main from linux-ci-sandbox on Jul 4, 2026

Conversation

@cho-m

@cho-m cho-m commented Jun 29, 2026

Member

Experimenting to see if it is possible to run bubblewrap inside container.

Currently, Homebrew/core always disables the sandbox on Linux as the container lacks the necessary privileges to run bubblewrap. This means the sandbox feature, deny_network_access!, etc. don't actually work yet.


  • Have you followed our Contributing guidelines?
  • Have you checked for other open Pull Requests for the same change?
  • Have you explained what your changes do? Performance claims (e.g. "this is faster") must include Hyperfine benchmarks.
  • Have you explained why you'd like these changes included, not just what they do?
  • For bug fixes, have you given step-by-step brew commands to reproduce the bug?
  • Have you written new tests (excluding integration tests)? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) locally?

  • AI was used to generate or assist with generating this PR.

@cho-m cho-m force-pushed the linux-ci-sandbox branch from 5c5ac1b to 3386bf0 June 29, 2026 18:48
@cho-m

cho-m commented Jun 30, 2026

Member Author

Looks like --privileged is needed to provide write access to the /sys path so bubblewrap can handle Ubuntu 24.04+ AppArmor defaults. Maybe a non-user-namespace-based sandbox could work better, e.g. the Landlock API, but it is relatively new and we would need to find another tool as Bubblewrap doesn't support it.

Not sure how much a --privileged container matters within GitHub Actions runners. At least it should be similar to a containerless run. I guess it depends on whether there is anything security-specific we wanted from container isolation or if it is mainly for a fixed/reproducible environment.

@cho-m cho-m force-pushed the linux-ci-sandbox branch from 7db5714 to a1f278e June 30, 2026 04:06
@cho-m cho-m force-pushed the linux-ci-sandbox branch from a1f278e to 6a27d8d June 30, 2026 04:58
Comment thread .github/workflows/tests.yml Dismissed
@SMillerDev

Member

Any way we can build it with this configuration instead?

@MikeMcQuaid MikeMcQuaid left a comment

Member


This makes sense, let's do it!

@MikeMcQuaid MikeMcQuaid marked this pull request as ready for review July 4, 2026 10:54
Copilot AI review requested due to automatic review settings July 4, 2026 10:54
@MikeMcQuaid MikeMcQuaid added this pull request to the merge queue Jul 4, 2026
@MikeMcQuaid

Member

Thanks @cho-m!

Copilot AI left a comment

Contributor


Pull request overview

This PR experiments with enabling Bubblewrap-based sandboxing when Homebrew runs inside Linux containers by (a) tightening sandbox availability checks and (b) configuring GitHub Actions container execution to run with elevated privileges when needed.

Changes:

  • Add Sandbox.ensure_sandbox_available! and use it from sandbox execution paths.
  • Make test-bot on GitHub Actions raise (for Homebrew-owned repos) when sandbox configuration fails, instead of silently disabling sandboxing.
  • Update GitHub Actions runner/container configuration to add --privileged for container-based Linux test-bot runs.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Summary per file:

  • Library/Homebrew/sandbox.rb: Adds ensure_sandbox_available! and reuses it in run_command.
  • Library/Homebrew/test_bot.rb: Enforces sandbox availability for Homebrew-owned repos on GitHub Actions before disabling sandboxing.
  • Library/Homebrew/github_runner_matrix.rb: Adds conditional --privileged container options when Linux sandboxing is enabled.
  • .github/workflows/tests.yml: Refactors test-bot job container config to include options (intended for --privileged).
  • Library/Homebrew/extend/os/linux/dev-cmd/tests.rb: Switches to Sandbox.ensure_sandbox_available! during environment checks.
  • Library/Homebrew/test/dev-cmd/tests_spec.rb: Updates expectation to match the new exception type from sandbox availability checks.
  • Library/Homebrew/test/test_bot_spec.rb: Splits behavior between Homebrew-owned vs external repos and updates sandbox setup expectations.
Comments suppressed due to low confidence (1)

Library/Homebrew/test/test_bot_spec.rb:226

  • Similar to the previous example: prefer with_env over stubbing ENV[] to avoid interfering with unrelated environment lookups and keep the test isolated.
      allow(described_class).to receive(:configure_sandbox!).and_return(false)
      allow(ENV).to receive(:[]).with("GITHUB_REPOSITORY_OWNER").and_return("foo")

      described_class.setup_github_actions_sandbox!

      expect(ENV.fetch("HOMEBREW_NO_SANDBOX_LINUX")).to eq("1")

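The fail-closed policy the review summary describes (probe whether the sandbox actually works, raise for Homebrew-owned repos on CI rather than silently disabling it, and only fall back to HOMEBREW_NO_SANDBOX_LINUX=1 elsewhere) is sketched below as an added example; it is not Homebrew's own code. The module name, the `bubblewrap_usable?` probe and the injected `available:`/`env:` parameters are assumptions so that the gate can be exercised without bwrap or a real ENV.

```ruby
# Added example (not Homebrew's implementation): a fail-closed sandbox gate for CI.
# Assumes a hypothetical CiSandboxGate module; the probe and env hash are injected
# so the decision logic runs anywhere, including hosts without bubblewrap.
require "open3"

module CiSandboxGate
  class SandboxUnavailable < RuntimeError; end

  # Hypothetical probe. A present bwrap binary is not enough: inside a container
  # that lacks the needed privileges, namespace creation fails only at run time,
  # so actually try to spawn a trivial sandboxed command.
  def self.bubblewrap_usable?
    return false unless system("command -v bwrap >/dev/null 2>&1")

    _out, _err, status = Open3.capture3("bwrap", "--ro-bind", "/", "/", "--unshare-all", "true")
    status.success?
  end

  # owner: value of GITHUB_REPOSITORY_OWNER; env: Hash to mutate (ENV in real use).
  # Returns :sandbox_enabled or :sandbox_disabled; raises for owned repos on CI.
  def self.setup!(owner:, env:, available: bubblewrap_usable?, on_github_actions: true)
    return :sandbox_enabled if available

    if on_github_actions && owner == "Homebrew"
      # Fail closed: a CI run that quietly drops the sandbox would pass while
      # testing nothing about deny_network_access! and friends.
      raise SandboxUnavailable,
            "sandbox unavailable on CI for a Homebrew-owned repo; refusing to disable it silently"
    end

    # External repos keep the old behaviour: disable the Linux sandbox explicitly.
    env["HOMEBREW_NO_SANDBOX_LINUX"] = "1"
    :sandbox_disabled
  end
end
```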

Comment thread .github/workflows/tests.yml
Comment on lines 213 to +217
allow(described_class).to receive(:configure_sandbox!).and_return(false)
allow(ENV).to receive(:[]).with("GITHUB_REPOSITORY_OWNER").and_return("Homebrew")
allow(Sandbox).to receive(:available?).and_return(false)

expect { described_class.setup_github_actions_sandbox! }.to raise_error(RuntimeError)
Comment thread Library/Homebrew/extend/os/linux/dev-cmd/tests.rb
Merged via the queue into main with commit ebcfaf9 Jul 4, 2026
42 checks passed
@MikeMcQuaid MikeMcQuaid deleted the linux-ci-sandbox branch July 4, 2026 11:11
@cho-m

cho-m commented Jul 4, 2026

Member Author

Will take a look at Copilot comments to see if we need any.

EDIT: Don't think any are required. Test change could be cleaner to scope module-under-test boundary.
