Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sandbox2 wrapper #1536

Merged
merged 113 commits into from
Aug 31, 2023
Merged

Sandbox2 wrapper #1536

merged 113 commits into from
Aug 31, 2023

Conversation

lewish
Copy link
Collaborator

@lewish lewish commented Aug 29, 2023
edited
Loading

Adds a Sandbox2 wrapper for compilation.

  • Change the way we communicate between child processes to use unix domain sockets
  • Add new webpacked worker bundle, and unbundled vm2 dependencies
  • Add Sandbox2 wrapper script for running the worker bundle inside node
  • Update tests to test both sandbox2 and non-sandbox2 mode

Disable tests for CLI (which is now broken in this branch), and integration tests that have a package dependency issue on this older branch.

Ekrekr and others added 30 commits January 7, 2021 14:31
@Ekrekr
Progress adding sandbox API
eeae6a8
@Ekrekr
Fixed versioning
7403dbc
@Ekrekr
Working example, if you make runfiles visible
f74336f
@Ekrekr
Working node spawn but sketchy af
e1d069b
@Ekrekr
Progress using non fork method, but should probably ue forking method
2c12136
@Ekrekr
Fixed policy enforcement of node process, but still execveat error. S…
c209913 
…hould try using bazel pathed nodejs version
@Ekrekr
Added bazel build nodejs binary path instead of from usr root
2a4cf7c
@Ekrekr
Progress, still stuch on execveat issue
c7fd493
@Ekrekr
Tidy
76f5e01
@Ekrekr
Swap to dynamic startup
46259f7
@Ekrekr
Progress passing compile.js to sandboxed script
8faa03d
@Ekrekr
Swapped to running compile_loader.js, added custom absolute path find…
4da97fd 
…er. Still have fd > -1 error though
@Ekrekr
Simplify input
640e406
@Ekrekr
Strip fd stuff
5541d76
@Ekrekr
Tidy
90a6501
@Ekrekr
Remove runfiles build dependency
443bba6
@Ekrekr
Remove import, format
1ad0c0d
@Ekrekr
Add fd inferral, binary run seems to be failing silently
4977c17
@Ekrekr
Update to latest SAPI, timplify and tidy
d5bddd8
@Ekrekr
Entry point experimentation
713fdb5
@Ekrekr
Merge branch 'master' into sandbox-api
83eed9c
@Ekrekr
Progress updating policies
38c2c21
@Ekrekr
More allowed syscalls, with explanations
f093ebb
@Ekrekr
Tidy policy order
f4f2776
@Ekrekr
Working policies
a95d98c
@Ekrekr
Progress setting up test
a1873b3
@Ekrekr
Tidy some logging
f96775c
@Ekrekr
Merge branch 'master' into sandbox-api
8faef2e
@Ekrekr
Update entry point to new worker bundle locale
7c970c3
@dependabot @lewish
Bump protobufjs from 6.8.8 to 6.11.3 (#1346)
b06c329 
* Bump protobufjs from 6.8.8 to 6.11.3

Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 6.8.8 to 6.11.3.
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/v6.11.3/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@6.8.8...v6.11.3)

---
updated-dependencies:
- dependency-name: protobufjs
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update protobufjs dep versions

* Upgrade to protobufjs v7.0.0, node to 16x

* Bump bazel to version 5.2.0

* Bump test CI to correct bazel version

* 3.5.0

* 3.5.0

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Lewis Hemens <lewishemens@google.com>
dependabot bot and others added 19 commits July 17, 2023 11:13
@dependabot
Bump protobufjs from 7.0.0 to 7.2.4 (#1510)
af2b0e7 
Bumps [protobufjs](https://github.com/protobufjs/protobuf.js) from 7.0.0 to 7.2.4.
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](protobufjs/protobuf.js@protobufjs-v7.0.0...protobufjs-v7.2.4)

---
updated-dependencies:
- dependency-name: protobufjs
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@maverickjoy
Update version.bzl (#1516)
9238001
@diasdauletov
Include multiline string literals when creating statements (#1520)
f053c33 
* Include multiline string literals when creating statements

* Bump version to 2.6.2
@lewish
Remove unused tools and add vscode package-lock.json (#1521)
643e918
@Ekrekr
Merge branch 'main' into sandbox-api
a3b4071
@Ekrekr
Revert "Update entry point to new worker bundle locale"
6fdb5f6 
This reverts commit 7c970c3.
@Ekrekr
Merge main_v1
94aee91
@Ekrekr
Revert "Revert "Update entry point to new worker bundle locale""
96db096 
This reverts commit 6fdb5f6.
@Ekrekr
Fix merge to be from main_v1
da68fa1
@Ekrekr
Progress re-adding sandbox/vm bundle
82f2525
@Ekrekr
Some tweaks as a hacky way to make deps work
fbb8c1d
@Ekrekr
Move to minimal bash invocation example
e42e48f
@Ekrekr
Cleanup to minimal node invocation
36bb1ea
@lewish
Checkpoint
db33155
@lewish
Tests nearly working
2b75f71
@lewish
Can run compile, but tests failing
ce7dee0
@lewish
Exit process to avoid sandbox breakage
89aaaae
@lewish
Tests passing with tight policies
7be2101
@lewish
Make sandbox2 usage configurable
6b6c56c
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 29, 2023
View reviewed changes
tests/api/examples.spec.ts Dismissed Show dismissed Hide dismissed
@lewish lewish requested a review from Ekrekr August 30, 2023 08:45
Ekrekr
Ekrekr reviewed Aug 30, 2023
View reviewed changes
WORKSPACE Outdated Show resolved Hide resolved
api/commands/compile.ts Show resolved Hide resolved
sandbox/compile_executor.cc Outdated Show resolved Hide resolved
sandbox/compile_executor.cc
{
auto result = s2.AwaitResultWithTimeout(
absl::Seconds(TIMEOUT_SECS + FALLBACK_TIMEOUT_DELAY));
LOG(ERROR) << "sandbox failed to start: " << result->ToString();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are things logged to stderr readable from the Javascript? I'm slightly confused by the socket usage above.

Copy link
Collaborator Author

@lewish lewish Aug 30, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are, but we don't read them. But this might be useful if we do run into errors, that they will be in our logs at least.
Basically, all we care about is the process return code for the sandbox. The logs are ignored, and all communication back to the parent parent process goes indirectly via the socket - the path to which we pass along as an argument.

Copy link
Contributor

@Ekrekr Ekrekr Aug 31, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough, if we need to add errors based off of the sandbox2 final result code we can do that later

sandbox/compile_executor.cc Show resolved Hide resolved
sandbox/worker/worker.ts Outdated Show resolved Hide resolved
scripts/cloudbuild/bazel_test Outdated Show resolved Hide resolved
@lewish lewish requested a review from Ekrekr August 30, 2023 13:12
@lewish lewish merged commit 112dad4 into main_v1 Aug 31, 2023
4 checks passed
@lewish lewish deleted the sandbox-api-lewis branch August 31, 2023 09:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ekrekr Ekrekr Ekrekr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.