From 90f244f3c2d11ad0df530210d16a89b4f53e829a Mon Sep 17 00:00:00 2001
From: sxlijin <sxlijin@google.com>
Date: Tue, 12 May 2020 06:08:15 -0700
Subject: [PATCH] Fail with a more useful warning when
 --output_base=/tmp/something

Fix the documentation to not suggest using /tmp for output_base

PiperOrigin-RevId: 311110102
---
 site/docs/user-manual.html           | 20 ++------------------
 src/main/tools/linux-sandbox-pid1.cc | 13 +++++++++++++
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/site/docs/user-manual.html b/site/docs/user-manual.html
index e1b9b927c6c082..0910a25cddd144 100644
--- a/site/docs/user-manual.html
+++ b/site/docs/user-manual.html
@@ -2723,24 +2723,8 @@ <h4 id='flag--output_base'><code class='flag'>--output_base=<var>dir</var></code
 </p>
 
 <p>For example:</p>
-<pre>
-  % bazel --output_base /tmp/1 build //foo  &amp;  bazel --output_base /tmp/2 build //bar
-</pre>
-<p>
-  In this command, the two Bazel commands run concurrently (because of
-  the shell <code>&amp;</code> operator), each using a different Bazel
-  server instance (because of the different output bases).
-  In contrast, if the default output base was used in both commands,
-  then both requests would be sent to the same server, which would
-  handle them sequentially: building <code>//foo</code> first, followed
-  by an incremental build of <code>//bar</code>.
-</p>
-<p>
-  We recommend you do not use NFS locations for the output base, as
-  the higher access latency of NFS will cause noticeably slower
-  builds.
-</p>
-
+<pre><code>
+  OUTPUT_BASE=/var/tmp/google/_bazel_johndoe/custom_output_base
 <h4 id='flag--output_user_root'><code class='flag'>--output_user_root=<var>dir</var></code></h4>
 <p>
   By default, the <code>output_base</code> value is chosen to as to
diff --git a/src/main/tools/linux-sandbox-pid1.cc b/src/main/tools/linux-sandbox-pid1.cc
index 651465445cc90c..cb1f50aadcf048 100644
--- a/src/main/tools/linux-sandbox-pid1.cc
+++ b/src/main/tools/linux-sandbox-pid1.cc
@@ -175,6 +175,19 @@ static void MountFilesystems() {
   // do this is by bind-mounting it upon itself.
   PRINT_DEBUG("working dir: %s", opt.working_dir.c_str());
 
+  // An attempt to mount the sandbox in tmpfs will always fail, so this block is
+  // slightly redundant with the next mount() check, but dumping the mount()
+  // syscall is incredibly cryptic, so we explicitly check against and warn
+  // about attempts to use tmpfs.
+  for (const std::string &tmpfs_dir : opt.tmpfs_dirs) {
+    if (opt.working_dir.find(tmpfs_dir) == 0) {
+      DIE("The sandbox working directory cannot be below a path where we mount "
+          "tmpfs (you requested mounting %s in %s). Is your --output_base= "
+          "below one of your --sandbox_tmpfs_path values?",
+          opt.working_dir.c_str(), tmpfs_dir.c_str());
+    }
+  }
+
   if (mount(opt.working_dir.c_str(), opt.working_dir.c_str(), nullptr, MS_BIND,
             nullptr) < 0) {
     DIE("mount(%s, %s, nullptr, MS_BIND, nullptr)", opt.working_dir.c_str(),