Skip to content

Comments

Custom sandboxing implementation as linux usernamespace calls - port cachepot/#128#1628

Merged
sylvestre merged 4 commits intomainfrom
bernhard-port-cachepot-128
Mar 11, 2023
Merged

Custom sandboxing implementation as linux usernamespace calls - port cachepot/#128#1628
sylvestre merged 4 commits intomainfrom
bernhard-port-cachepot-128

Conversation

@drahnr
Copy link
Collaborator

@drahnr drahnr commented Feb 27, 2023
edited
Loading

Implementes a custom sandboxing implementation as linux usernamespace calls.

It's opt-in, and has to be enabled with setting the SCCACHE_SANDBOX environment variable.

Ref #1620

Original work done by @Xanewok

@drahnr drahnr mentioned this pull request Feb 27, 2023
Open
5 tasks
@codecov-commenter
Copy link

codecov-commenter commented Feb 27, 2023
edited
Loading

Codecov Report

Patch coverage has no change and project coverage change: +0.17 🎉

Comparison is base (c5215da) 29.75% compared to head (9a7c723) 29.92%.

❗ Current head 9a7c723 differs from pull request most recent head 9fb6a25. Consider uploading reports for the commit 9fb6a25 to get more accurate results

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1628      +/-   ##
==========================================
+ Coverage   29.75%   29.92%   +0.17%     
==========================================
  Files          49       49              
  Lines       16661    16659       -2     
  Branches     8065     8057       -8     
==========================================
+ Hits         4957     4985      +28     
+ Misses       6790     6786       -4     
+ Partials     4914     4888      -26
Impacted Files Coverage Δ
src/dist/mod.rs 33.75% <0.00%> (-0.22%) ⬇️
src/compiler/c.rs 38.16% <0.00%> (-0.23%) ⬇️
src/compiler/rust.rs 33.88% <0.00%> (-0.20%) ⬇️
src/errors.rs 3.51% <0.00%> (+0.05%) ⬆️
src/lib.rs 6.93% <0.00%> (+0.08%) ⬆️
src/server.rs 30.96% <0.00%> (+0.10%) ⬆️
src/config.rs 35.65% <0.00%> (+0.17%) ⬆️
src/compiler/compiler.rs 36.18% <0.00%> (+0.28%) ⬆️
src/compiler/args.rs 62.52% <0.00%> (+0.53%) ⬆️
src/lru_disk_cache/mod.rs 41.76% <0.00%> (+0.60%) ⬆️
... and 6 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@drahnr drahnr requested a review from Xanewok February 28, 2023 08:25
@drahnr
Copy link
Collaborator Author

drahnr commented Mar 1, 2023

@sylvestre /sccache-dist: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory not sure how to resolve this, do you have an insight into the container env?

Xuanwo
Xuanwo reviewed Mar 1, 2023
View reviewed changes
drahnr
drahnr commented Mar 1, 2023
View reviewed changes
@sylvestre sylvestre changed the title port cachepot/#128 Custom sandboxing implementation as linux usernamespace calls - port cachepot/#128 Mar 3, 2023
Xanewok and others added 4 commits March 3, 2023 13:43
@Xanewok @sylvestre
Support running dist compilations in unprivileged scenarios (#128)
5f4083e 
* WIP: Implement build sandboxing using unshared user namespaces

* Don't derive Debug when not needed

* Gate the new unshared user namespace behind CACHEPOT_SANDBOX env var

* Minimize diff

* Remove a trailing comma

* Clean up CI and temp. allow unprivileged dist tests to fail

* Simulate allow-failure in GHA

* ci: oops, GHA uses ! for negation

* Fetch gid correctly and use effective IDs to mimic `unshare`'s behavior

* WIP: See if GHA will be fixed now

* Warn if overlay build failed

* Actually, GHA using unprivileged user namespaces works!

* Revert .gitlab-ci.yml

Don't run relevant test in CI for now; we don't want to mark the test
suite as red in GH for the time being

* Address review feedback
@drahnr @sylvestre
amend to sccache
83ccce2
@drahnr @sylvestre
remove remainder cachepot and replace by sccache
8d40cdc
@drahnr @sylvestre
migrate to ubuntu 22.04 for newly added ci check
9fb6a25
@sylvestre sylvestre force-pushed the bernhard-port-cachepot-128 branch from 9a7c723 to 9fb6a25 Compare March 3, 2023 12:43
@drahnr drahnr requested review from Xuanwo and sylvestre March 3, 2023 14:41
@sylvestre
Copy link
Collaborator

sylvestre commented Mar 11, 2023

dunno much about this one but I guess it is working with cachepot, why not :)

@sylvestre sylvestre merged commit bc0718f into main Mar 11, 2023
@sylvestre sylvestre deleted the bernhard-port-cachepot-128 branch March 11, 2023 10:20
@drahnr
Copy link
Collaborator Author

drahnr commented Mar 11, 2023

It does work, I'll add some documentation once the safety concern in in the comments is addressed - it should be considered experimental.

@drahnr drahnr mentioned this pull request Mar 15, 2023
Open
@drahnr drahnr mentioned this pull request Mar 27, 2023
Open
@sylvestre sylvestre mentioned this pull request Mar 27, 2023
Merged
tottoto added a commit to tottoto/sccache that referenced this pull request Feb 6, 2026
@tottoto @LucioFranco
chore: Use nightly-2024-02-06 on udeps ci (mozilla#1628)
408f46d 
Co-authored-by: Lucio Franco <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Xanewok Xanewok Awaiting requested review from Xanewok

@sylvestre sylvestre Awaiting requested review from sylvestre

@Xuanwo Xuanwo Awaiting requested review from Xuanwo

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@drahnr @codecov-commenter @sylvestre @Xuanwo @Xanewok