[7.0.0] Enable --incompatible_sandbox_hermetic_tmp by default (#20136)

Fixes #3236 Closes #19915 RELNOTES[INC]: `--incompatible_sandbox_hermetic_tmp` is enabled by default. See #19915 for migration advice. Closes #19943. Commit e2c0276 PiperOrigin-RevId: 581165770 Change-Id: I0d98102f10b1e47c1d8fcf32fb1f7dee5ae0788c Co-authored-by: Fabian Meumertzheim <fabian@meumertzhe.im>
bazelbuild · Nov 10, 2023 · fe85936 · fe85936
1 parent 92beb02
commit fe85936
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 5 deletions.
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java
@@ -350,12 +350,12 @@ public ImmutableSet<Path> getInaccessiblePaths(FileSystem fs) {
 
  @Option(
  name = "incompatible_sandbox_hermetic_tmp",
- defaultValue = "false",
+ defaultValue = "true",
  documentationCategory = OptionDocumentationCategory.EXECUTION_STRATEGY,
  effectTags = {OptionEffectTag.EXECUTION},
  help =
  "If set to true, each Linux sandbox will have its own dedicated empty directory mounted"
- + " as /tmp rather thansharing /tmp with the host filesystem. Use"
+ + " as /tmp rather than sharing /tmp with the host filesystem. Use"
  + " --sandbox_add_mount_pair=/tmp to keep seeing the host's /tmp in all sandboxes.")
  public boolean sandboxHermeticTmp;
 

diff --git a/src/test/java/com/google/devtools/build/lib/buildtool/EditDuringBuildTest.java b/src/test/java/com/google/devtools/build/lib/buildtool/EditDuringBuildTest.java
@@ -44,9 +44,8 @@ public void testEditDuringBuild() throws Exception {
  Path in = write("edit/in", "line1");
  in.setLastModifiedTime(123456789);
 
- // Make in writable from sandbox (in case sandbox strategy is used).
- String absoluteInPath = in.getPathString();
- addOptions("--sandbox_writable_path=" + absoluteInPath);
+ // Modify the actual source file, not a sandboxed copy.
+ addOptions("--spawn_strategy=local");
 
  // The "echo" effects editing of the source file during the build:
  write("edit/BUILD",

diff --git a/src/test/shell/bazel/bazel_sandboxing_networking_test.sh b/src/test/shell/bazel/bazel_sandboxing_networking_test.sh
@@ -36,6 +36,8 @@ source ${CURRENT_DIR}/remote_helpers.sh \
 function set_up() {
  add_to_bazelrc "build --spawn_strategy=sandboxed"
  add_to_bazelrc "build --genrule_strategy=sandboxed"
+ # Allow the network socket to be seen in the sandbox.
+ add_to_bazelrc "build --sandbox_add_mount_pair=/tmp"
 
  sed -i.bak '/sandbox_tmpfs_path/d' $TEST_TMPDIR/bazelrc
 }

diff --git a/src/test/shell/integration/execution_strategies_test.sh b/src/test/shell/integration/execution_strategies_test.sh
@@ -223,6 +223,7 @@ EOF
  bazel build --internal_spawn_scheduler --genrule_strategy=dynamic \
  --dynamic_remote_strategy=sandboxed \
  --dynamic_local_strategy=standalone \
+ --noincompatible_sandbox_hermetic_tmp \
  --experimental_dynamic_ignore_local_signals=8,9,10 \
  --experimental_local_lockfree_output \
  --experimental_local_execution_delay=0 \

diff --git a/src/test/shell/integration/sandboxing_test.sh b/src/test/shell/integration/sandboxing_test.sh
@@ -735,6 +735,7 @@ EOF
 
  touch "${temp_dir}/file"
  bazel test //pkg:tmp_test \
+ --sandbox_add_mount_pair=/tmp \
  --test_output=errors &>$TEST_log || fail "Expected test to pass"
 }
 
@@ -812,6 +813,7 @@ EOF
  chmod +x pkg/tmp_test.sh
 
  bazel test //pkg:tmp_test \
+ --sandbox_add_mount_pair=/tmp \
  --test_output=errors &>$TEST_log || fail "Expected test to pass"
  [[ -f "${temp_dir}/file" ]] || fail "Expected ${temp_dir}/file to exist"
 }