Hermetic sandbox doesn't expose basic system binaries and libraries by default. #18377
Labels
P3
We're not considering working on this, but happy to review a PR. (No assignee)
team-Local-Exec
Issues and PRs for the Execution (Local) team
type: feature request
Comments
tjgq
added
team-Local-Exec
coeuvre
added
P3
|
Note that this might be working as intended, as you might want to mount these directories from an isolated sysroot (like a nix store) rather than your actual system copies. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When using
--experimental_use_hermetic_linux_sandboxon Linux, it's impossible to run any executable requiring an interpreter that isn't an explicit input. Most notably, none of#!/bin/sh,#!/bin/bashor#/usr/bin/env bashwork, which means none of Bazel's embedded scripts (genrule-setup.sh,test-setup.sh, etc) work.A trivial genrule or sh_test serves as a repro.
This can be worked around using
--sandbox_add_mount_pairto mount additional directories in the sandbox;/bin,/liband/lib64appear to be enough for Bash scripts, but this is likely system-dependent.cc @larsrc-google since we were discussing this today.
The text was updated successfully, but these errors were encountered: