Port isolation with bazel inside docker
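Trying to test port isolation with bazel and linux inside a docker privileged container, but failing.
My environment is as follows (running all commands inside the privileged container, which was started on aws):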
$ uname -a
Linux 167-docker99 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
builduser@167-docker99:~/ws/bazel-port-isolation$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Bazel version
$ bazel version
Build label: 0.5.1
Build target: bazel-out/local-fastbuild/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
Build time: Tue Jun 6 10:34:11 2017 (1496745251)
Build timestamp: 1496745251
Build timestamp as int: 1496745251
Following this instruction, I made sure unprivileged_userns_clone is enabled.
$ cat /proc/sys/kernel/unprivileged_userns_clone
1
Repo: https://github.com/ittaiz/bazel-port-isolation
Running the tests:
$ bazel test //...
...........
____Loading package:
____Loading package: @bazel_tools//tools/cpp
____Loading package: @local_config_xcode//
____Loading package: @local_jdk//
____Loading package: @local_config_cc//
____Loading complete. Analyzing...
____Loading package: tools/defaults
____Loading package: @bazel_tools//tools/test
____Loading package: @junit_junit//jar
____Found 2 test targets...
____Building...
____[0 / 12] Expanding template SocketIsolationTest
____[9 / 12] Extracting interface @junit_junit//jar:jar
ERROR: /home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/external/junit_junit/jar/BUILD.bazel:2:1: Extracting interface @junit_junit//jar:jar failed: Process exited with status 1 [sandboxed].
src/main/tools/linux-sandbox-pid1.cc:193: "mount(/tmp, /tmp, NULL, MS_BIND, NULL)": Invalid argument
Use --strategy=JavaIjar=standalone to disable sandboxing for the failing actions.
____Building complete.
____Elapsed time: 5.651s, Critical Path: 1.62s
//:SocketIsolation2Test NO STATUS
Executed 0 out of 2 tests: 1 fails to build and 1 was skipped.
Another possibly important input is that I did manage to get bazel to run the tests successfully on the docker host.
What's wrong?
It seems it has been fixed on HEAD (baf7d4bce8bb14d785760d10694122e8ead2a177).
After installing bazel HEAD, it passes without problems.