Custom sandboxing implementation as linux usernamespace calls - port cachepot/#128 #1628

Merged
merged 4 commits into from Mar 11, 2023


drahnr
Collaborator

@drahnr drahnr commented Feb 27, 2023

Implements a custom sandboxing implementation as linux usernamespace calls.

It's opt-in, and has to be enabled by setting the SCCACHE_SANDBOX environment variable.

Ref #1620

Original work done by @Xanewok

@codecov-commenter

codecov-commenter commented Feb 27, 2023

Codecov Report

Patch coverage has no change and project coverage change: +0.17 🎉

Comparison is base (c5215da) 29.75% compared to head (9a7c723) 29.92%.

❗ Current head 9a7c723 differs from pull request most recent head 9fb6a25. Consider uploading reports for the commit 9fb6a25 to get more accurate results

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1628      +/-   ##
==========================================
+ Coverage   29.75%   29.92%   +0.17%     
==========================================
  Files          49       49              
  Lines       16661    16659       -2     
  Branches     8065     8057       -8     
==========================================
+ Hits         4957     4985      +28     
+ Misses       6790     6786       -4     
+ Partials     4914     4888      -26     
Impacted Files Coverage Δ
src/dist/mod.rs 33.75% <0.00%> (-0.22%) ⬇️
src/compiler/c.rs 38.16% <0.00%> (-0.23%) ⬇️
src/compiler/rust.rs 33.88% <0.00%> (-0.20%) ⬇️
src/errors.rs 3.51% <0.00%> (+0.05%) ⬆️
src/lib.rs 6.93% <0.00%> (+0.08%) ⬆️
src/server.rs 30.96% <0.00%> (+0.10%) ⬆️
src/config.rs 35.65% <0.00%> (+0.17%) ⬆️
src/compiler/compiler.rs 36.18% <0.00%> (+0.28%) ⬆️
src/compiler/args.rs 62.52% <0.00%> (+0.53%) ⬆️
src/lru_disk_cache/mod.rs 41.76% <0.00%> (+0.60%) ⬆️
... and 6 more


@drahnr drahnr requested a review from Xanewok February 28, 2023 08:25
@drahnr
Collaborator Author

drahnr commented Mar 1, 2023

@sylvestre `/sccache-dist: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory` not sure how to resolve this, do you have an insight into the container env?

@sylvestre sylvestre changed the title port cachepot/#128 Custom sandboxing implementation as linux usernamespace calls - port cachepot/#128 Mar 3, 2023
Xanewok and others added 4 commits March 3, 2023 13:43
* WIP: Implement build sandboxing using unshared user namespaces

* Don't derive Debug when not needed

* Gate the new unshared user namespace behind CACHEPOT_SANDBOX env var

* Minimize diff

* Remove a trailing comma

* Clean up CI and temp. allow unprivileged dist tests to fail

* Simulate allow-failure in GHA

* ci: oops, GHA uses ! for negation

* Fetch gid correctly and use effective IDs to mimic `unshare`'s behavior

* WIP: See if GHA will be fixed now

* Warn if overlay build failed

* Actually, GHA using unprivileged user namespaces works!

* Revert .gitlab-ci.yml

Don't run relevant test in CI for now; we don't want to mark the test
suite as red in GH for the time being

* Address review feedback
@sylvestre
Collaborator

dunno much about this one but I guess it is working with cachepot, why not :)

@sylvestre sylvestre merged commit bc0718f into main Mar 11, 2023
@sylvestre sylvestre deleted the bernhard-port-cachepot-128 branch March 11, 2023 10:20
@drahnr
Collaborator Author

drahnr commented Mar 11, 2023

It does work, I'll add some documentation once the safety concern in the comments is addressed - it should be considered experimental.
