Port isolation with Bazel and Linux
I tried to test port isolation with Bazel on Linux, but it failed.
My environment is as follows (launched on AWS):
$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ uname -mrs
Linux 3.16.0-4-amd64 x86_64
Bazel version:
$ bazel version
Build label: 0.5.1
Build target: bazel-out/local-fastbuild/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
Build time: Tue Jun 6 10:34:11 2017 (1496745251)
Build timestamp: 1496745251
Build timestamp as int: 1496745251
Repo: https://github.com/ittaiz/bazel-port-isolation
Running the tests:
$ bazel test //...
____Loading package:
____Loading package: @bazel_tools//tools/cpp
____Loading package: @local_config_xcode//
____Loading package: @local_jdk//
____Loading package: @local_config_cc//
____Loading complete. Analyzing...
____Loading package: tools/defaults
____Loading package: @bazel_tools//tools/test
____Loading package: @junit_junit//jar
____Found 2 test targets...
____Building...
____[0 / 12] Expanding template SocketIsolation2Test
____[10 / 12] Building SocketIsolationTest.jar (1 source file)
FAIL: //:SocketIsolation2Test (see /home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/execroot/bazel-port-isolation/bazel-out/local-fastbuild/testlogs/SocketIsolation2Test/test.log)
PASS: //:SocketIsolationTest
____Elapsed time: 11.152s, Critical Path: 7.03s
//:SocketIsolationTest PASSED in 5.3s
//:SocketIsolation2Test FAILED in 0.3s
/home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/execroot/bazel-port-isolation/bazel-out/local-fastbuild/testlogs/SocketIsolation2Test/test.log
(As you can see, there is no sandbox failure or warning.)
The test log shows "Address already in use", which means there is no port isolation.
Why doesn't it work?
Found the reason...
Starting from here: https://bazel.build/versions/master/docs/bazel-user-manual.html#sandboxing
On some platforms such as Google Container Engine cluster nodes or
Debian, user namespaces are deactivated by default due to security
concerns. This can be checked by looking at the file
/proc/sys/kernel/unprivileged_userns_clone: if it exists and contains
a 0, then user namespaces can be activated with sudo sysctl
kernel.unprivileged_userns_clone=1.
/proc/sys/kernel/unprivileged_userns_clone
exists and contains a 0... So changing it as instructed solved it.
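As an added example (not from the post or the linked repo), a pre-flight script that performs the diagnosis described above: it reads the Debian `unprivileged_userns_clone` knob, maps its value to the remediation from the Bazel manual, and probes whether an unprivileged process can actually obtain its own network namespace, which is what the Linux sandbox needs for port isolation. The knob path is a parameter so the check can be exercised against a constructed file; `unshare` from util-linux is assumed to be installed for the probe.

```shell
#!/bin/sh
# Pre-flight check for Bazel Linux sandbox network isolation (added example).
KNOB=/proc/sys/kernel/unprivileged_userns_clone

# userns_state [FILE] -> absent | disabled | enabled | unknown
# Takes the knob path as an argument so it can be run on a constructed file.
userns_state() {
    knob=${1:-$KNOB}
    if [ ! -e "$knob" ]; then
        # Mainline kernels have no such knob; it is a Debian/Ubuntu addition.
        echo absent
        return 0
    fi
    case "$(tr -d '[:space:]' < "$knob")" in
        0) echo disabled ;;   # user namespaces off: sandbox cannot isolate ports
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# suggest_fix STATE -> remediation quoted from the Bazel manual for each state.
suggest_fix() {
    case "$1" in
        disabled) echo 'sudo sysctl kernel.unprivileged_userns_clone=1' ;;
        enabled)  echo 'nothing to do' ;;
        *)        echo 'no runtime knob; rely on probe_netns result' ;;
    esac
}

# probe_netns -> isolated | not-isolated
# Empirical check: can an unprivileged process enter a fresh user namespace
# (-U, -r maps us to root inside it) and a fresh network namespace (-n)?
# A missing unshare binary counts as not-isolated.
probe_netns() {
    if command -v unshare >/dev/null 2>&1 &&
       unshare -U -r -n true >/dev/null 2>&1; then
        echo isolated
    else
        echo not-isolated
    fi
}

state=$(userns_state "$KNOB")
echo "knob $KNOB: $state"
echo "remediation: $(suggest_fix "$state")"
echo "network namespace probe: $(probe_netns)"
```

The sysctl change is not persistent across reboots; on Debian the same setting can be written to a file under /etc/sysctl.d to make it permanent.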