Make sandboxed execution the default in Bazel. This should be safe, a…

…s the strategy is only used if your Linux kernel is new enough and your running system supports it. If this breaks you, please file a bug and you can always go back to non-sandboxed execution by using --spawn_strategy=standalone. -- MOS_MIGRATED_REVID=101464269
bazelbuild · Aug 26, 2015 · e0ac088 · e0ac088
1 parent e5994a9
commit e0ac088
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 25 deletions.
diff --git a/site/docs/bazel-user-manual.html b/site/docs/bazel-user-manual.html
@@ -952,6 +952,23 @@ <h4>Build consistency and incremental builds</h4>
 
 </p>
 
+<h4 id='sandboxing'>Sandboxed execution</h4>
+<p>
+  In order to guarantee hermeticity (i.e. the build does not use input files
+  that are not explicitly listed and does not produce output files that were
+  not expected to be created) and correctness, Bazel runs spawns (i.e. a
+  compiler invocation) in sandboxes that only contain the minimum necessary
+  set of files for the tool to run and do its work. Currently this works on
+  Linux 3.12 or newer with the CONFIG_USER_NS option enabled. Bazel will
+  print a warning if sandboxing cannot be used to alert you to the fact that
+  builds are not guaranteed hermetic and might affect the host system in
+  unknown ways.
+</p>
+<p>
+  To disable the warning about non-sandboxed execution, you can pass the
+  --ignore_unsupported_sandboxing flag to Bazel.
+</p>
+
 <h3 id='clean'>Deleting the outputs of a build</h3>
 
 <h4>The <code>clean</code> command</h4>

diff --git a/src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java b/src/main/java/com/google/devtools/build/lib/bazel/BazelMain.java
@@ -30,19 +30,26 @@
 public final class BazelMain {
   private static final String BUILD_DATA_PROPERTIES = "/build-data.properties";
 
-  public static final List<Class<? extends BlazeModule>> BAZEL_MODULES = ImmutableList.of(
-      com.google.devtools.build.lib.bazel.BazelShutdownLoggerModule.class,
-      com.google.devtools.build.lib.bazel.BazelWorkspaceStatusModule.class,
-      com.google.devtools.build.lib.bazel.BazelDiffAwarenessModule.class,
-      com.google.devtools.build.lib.bazel.BazelRepositoryModule.class,
-      com.google.devtools.build.lib.bazel.dash.DashModule.class,
-      com.google.devtools.build.lib.bazel.rules.BazelRulesModule.class,
-      com.google.devtools.build.lib.sandbox.SandboxModule.class,
-      com.google.devtools.build.lib.standalone.StandaloneModule.class,
-      com.google.devtools.build.lib.runtime.BuildSummaryStatsModule.class,
-      com.google.devtools.build.lib.webstatusserver.WebStatusServerModule.class,
-      com.google.devtools.build.lib.worker.WorkerModule.class
-  );
+  /**
+   * The list of modules to load. Note that the order is important: In case multiple modules provide
+   * strategies for the same things, the last module wins and its strategy becomes the default.
+   *
+   * <p>Example: To make the "standalone" execution strategy the default for spawns, put it after
+   * all the other modules that provider spawn strategies (e.g. WorkerModule and SandboxModule).
+   */
+  public static final List<Class<? extends BlazeModule>> BAZEL_MODULES =
+      ImmutableList.of(
+          com.google.devtools.build.lib.bazel.BazelShutdownLoggerModule.class,
+          com.google.devtools.build.lib.bazel.BazelWorkspaceStatusModule.class,
+          com.google.devtools.build.lib.bazel.BazelDiffAwarenessModule.class,
+          com.google.devtools.build.lib.bazel.BazelRepositoryModule.class,
+          com.google.devtools.build.lib.bazel.dash.DashModule.class,
+          com.google.devtools.build.lib.bazel.rules.BazelRulesModule.class,
+          com.google.devtools.build.lib.worker.WorkerModule.class,
+          com.google.devtools.build.lib.standalone.StandaloneModule.class,
+          com.google.devtools.build.lib.sandbox.SandboxModule.class,
+          com.google.devtools.build.lib.runtime.BuildSummaryStatsModule.class,
+          com.google.devtools.build.lib.webstatusserver.WebStatusServerModule.class);
 
   public static void main(String[] args) {
     BlazeVersionInfo.setBuildInfo(tryGetBuildInfo());

diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/BazelRulesModule.java
@@ -53,21 +53,25 @@ public class BazelRulesModule extends BlazeModule {
    */
   public static class BazelExecutionOptions extends OptionsBase {
     @Option(
-        name = "spawn_strategy",
-        defaultValue = "standalone",
-        category = "strategy",
-        help = "Specify how spawn actions are executed by default."
-            + "'standalone' means run all of them locally."
-            + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)")
+      name = "spawn_strategy",
+      defaultValue = "",
+      category = "strategy",
+      help =
+          "Specify how spawn actions are executed by default."
+              + "'standalone' means run all of them locally."
+              + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)"
+    )
     public String spawnStrategy;
 
     @Option(
-        name = "genrule_strategy",
-        defaultValue = "standalone",
-        category = "strategy",
-        help = "Specify how to execute genrules."
-            + "'standalone' means run all of them locally."
-            + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)")
+      name = "genrule_strategy",
+      defaultValue = "",
+      category = "strategy",
+      help =
+          "Specify how to execute genrules."
+              + "'standalone' means run all of them locally."
+              + "'sandboxed' means run them in namespaces based sandbox (available only on Linux)"
+    )
     public String genruleStrategy;
 
     @Option(name = "strategy",