-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mount '/proc' into chrooted actions #115
Comments
Thank you @stagnation for writing this up I will not that rustc will not do much more than print its version without |
This works fine for regular runners that uses the docker image user-space. But the next commit enables chroot runners and it starts to fail. bazel build \ --remote_executor=grpc://localhost:8980 \ --remote_instance_name=fuse \ --remote_default_exec_properties OSFamily=linux \ --remote_default_exec_properties container-image="docker://ghcr.io/catthehacker/ubuntu:act-22.04@sha256:5f9c35c25db1d51a8ddaae5c0ba8d3c163c5e9a4a6cc97acd409ac7eae239448" \ @//:introspection This is step one of three to verify the solution to: buildbarn/bb-remote-execution#115
Now the build fails. This is step two of three to verify the solution to: buildbarn/bb-remote-execution#115
This is step three of three to verify the solution to: buildbarn/bb-remote-execution#115
This works fine for regular runners that uses the docker image user-space. But the next commit enables chroot runners and it starts to fail. bazel build \ --remote_executor=grpc://localhost:8980 \ --remote_instance_name=fuse \ --remote_default_exec_properties OSFamily=linux \ --remote_default_exec_properties container-image="docker://ghcr.io/catthehacker/ubuntu:act-22.04@sha256:5f9c35c25db1d51a8ddaae5c0ba8d3c163c5e9a4a6cc97acd409ac7eae239448" \ @//:introspection This is step one of three to verify the solution to: buildbarn/bb-remote-execution#115
Now the build fails. This is step two of three to verify the solution to: buildbarn/bb-remote-execution#115
This is step three of three to verify the solution to: buildbarn/bb-remote-execution#115
I have a solution in review now. And a reproduction here: https://github.com/stagnation/bb-deployments/tree/feature/reproduce-bb-remote-execution-115 that uses the Reproducing the problemThe problem statement is simple: However, there are not publicly available programs that create a user-space input root. What options do we have? Thankfully it is simple to create a statically linked
And we can use the eminent run_binary rule, But with this we fail, here is the output from
This is because Get yourself an /usr/bin/env for fun and profitThankfully $ docker run -v .:/out busybox:musl sh -c "cp /usr/bin/env /out/env" Now we just need to put it in the input root as $ mkdir -p usr/bin With the "introspection" target
Build remotelyWith the customary
This works with regular runners, Apply the patchesA setback! The docker-compose setup does not build the docker images, So we instead build with:
And instead start it through
Notice that we no longer use FUSE, The pull requests are applied through the go_dependencies
Successful build
P.S: Sorry for the spam, I wish github wouldn't be quite so verbose about my pushes. |
This works fine for regular runners that uses the docker image user-space. But the next commit enables chroot runners and it starts to fail. bazel build \ --remote_executor=grpc://localhost:8980 \ --remote_instance_name=fuse \ --remote_default_exec_properties OSFamily=linux \ --remote_default_exec_properties container-image="docker://ghcr.io/catthehacker/ubuntu:act-22.04@sha256:5f9c35c25db1d51a8ddaae5c0ba8d3c163c5e9a4a6cc97acd409ac7eae239448" \ @//:introspection This is step one of three to verify the solution to: buildbarn/bb-remote-execution#115
Now the build fails. This is step two of three to verify the solution to: buildbarn/bb-remote-execution#115
This is step three of three to verify the solution to: buildbarn/bb-remote-execution#115
This is step three of three to verify the solution to: buildbarn/bb-remote-execution#115
This works fine for regular runners that uses the docker image user-space. But the next commit enables chroot runners and it starts to fail. bazel build \ --remote_executor=grpc://localhost:8980 \ --remote_instance_name=fuse \ --remote_default_exec_properties OSFamily=linux \ --remote_default_exec_properties container-image="docker://ghcr.io/catthehacker/ubuntu:act-22.04@sha256:5f9c35c25db1d51a8ddaae5c0ba8d3c163c5e9a4a6cc97acd409ac7eae239448" \ @//:introspection This is step one of three to verify the solution to: buildbarn/bb-remote-execution#115
Now the build fails. This is step two of three to verify the solution to: buildbarn/bb-remote-execution#115
This works fine for regular runners that uses the docker image user-space. But the next commit enables chroot runners and it starts to fail. bazel build \ --remote_executor=grpc://localhost:8980 \ --remote_instance_name=fuse \ --remote_default_exec_properties OSFamily=linux \ --remote_default_exec_properties container-image="docker://ghcr.io/catthehacker/ubuntu:act-22.04@sha256:5f9c35c25db1d51a8ddaae5c0ba8d3c163c5e9a4a6cc97acd409ac7eae239448" \ @//:introspection This is step one of three to verify the solution to: buildbarn/bb-remote-execution#115
Now the build fails. This is step two of three to verify the solution to: buildbarn/bb-remote-execution#115
This can be used to mount special filesystems like '/proc' and '/sys' in the input root of actions if 'chroot' is enabled. The filesystems are required for many tools to work. Solves: buildbarn#115
This can be used to mount special filesystems like '/proc' and '/sys' in the input root of actions if 'chroot' is enabled. The filesystems are required for many tools to work. Solves: buildbarn#115
This can be used to mount special filesystems like '/proc' and '/sys' in the input root of actions if 'chroot' is enabled. The filesystems are required for many tools to work. Solves: buildbarn#115
This can be used to mount special filesystems like '/proc' and '/sys' in the input root of actions if 'chroot' is enabled. The filesystems are required for many tools to work. Solves: buildbarn#115
This works fine for regular runners that uses the docker image user-space. But the next commit enables chroot runners and it starts to fail. bazel build \ --remote_executor=grpc://localhost:8980 \ --remote_instance_name=fuse \ --remote_default_exec_properties OSFamily=linux \ --remote_default_exec_properties container-image="docker://ghcr.io/catthehacker/ubuntu:act-22.04@sha256:5f9c35c25db1d51a8ddaae5c0ba8d3c163c5e9a4a6cc97acd409ac7eae239448" \ @//:introspection This is step one of three to verify the solution to: buildbarn/bb-remote-execution#115
Now the build fails. This is step two of three to verify the solution to: buildbarn/bb-remote-execution#115
I had a bit of a surge of motivation to try this out recently, i normally use the docker compose in bb-deployments to use buildbarn is there a similarly easy way to try this out? What's the recommended way to try out a patch like this if your not used to setting up buildbarn? |
Hi! Thank you, I do not have pre-built docker images, and have not rebased the patches in a while. |
This can be used to mount special filesystems like '/proc' and '/sys' in the input root of actions if 'chroot' is enabled. The filesystems are required for many tools to work. Solves: buildbarn#115
This can be used to mount special filesystems like '/proc' and '/sys' in the input root of actions if 'chroot' is enabled. The filesystems are required for many tools to work. Solves: buildbarn#115
This works fine for regular runners that uses the docker image user-space. But the next commit enables chroot runners and it starts to fail. bazel build \ --remote_executor=grpc://localhost:8980 \ --remote_instance_name=fuse \ --remote_default_exec_properties OSFamily=linux \ --remote_default_exec_properties container-image="docker://ghcr.io/catthehacker/ubuntu:act-22.04@sha256:5f9c35c25db1d51a8ddaae5c0ba8d3c163c5e9a4a6cc97acd409ac7eae239448" \ @//:introspection This is step one of three to verify the solution to: buildbarn/bb-remote-execution#115
Now the build fails. This is step two of three to verify the solution to: buildbarn/bb-remote-execution#115
I have rebased the PR now and will try to get it over the finish line soon. Here is the instructions you need in our documentation repo. |
Problem Description / Feature Request
Using chrooted actions is great for fully hermetic input roots,
but some tools rely on the
/proc
filesystem to be mounted and will not work without it.The block devices from
/dev
can all be mounted (or created) into the input root,but full filesystems are trickier.
This lists some tools that do not work without
/proc
,shows a patch I used to work around it and discusses the limitations of the patch
and what we need before we can merge it.
Problems
In building
bb-deployments
I found the following issues::and::
It was easy to find the root cause for the go problem::
It tries to find the go binary by looking at itself through
/proc
,and then find the default
GOROOT
standard library relative to the compiler.The proc filesystem is core to Unix/Posix, or some such standard execution environment specification
and for chrooted actions to work for all tools we should have it.
This is also a problem for rust, which has the best error message of the bunch
https://buildteamworld.slack.com/archives/CD6HZC750/p1692391421607939
::
Proof of Concept Patch
Note, this was developed in February, and has not been rebased on recent work,
1524fef
which adds PATH lookup to the same file. Though the patch is orthogonal.
::
Problems with merging
Note that the absolute path is constructed here.
Because the
mount
syscall does not work with relative paths.So the
Directory
abstraction in the runner, where the directory is hidden,cannot be used for these mounts.
Mountat
The solution is to use the newer mount syscall api to construct a "mountat" functionality, which can mount with relative filepaths. (What the "at" suffix typically means).
But when I prototyped this I could not find a way to unmount the paths.
::
This can be used in go as well, last I checked there was a PR in review for these new syscalls, but to create a wrapper for what we need is not hard.
The problem is how to unmount the "proc" and "sys" relative paths after the action.
According to the documentation it should work, but I could not piece it together.
TODO
++++
I have a lot more to say on this topic,
and should wrap up my investigation and publish that.
and should publish the scaffolding c and go code to use them, but the files are too long to paste in here.
The text was updated successfully, but these errors were encountered: