Add additional sandbox modes #591
Merged
jkloetzke force-pushed the sandbox-modes branch from 91f6659 to c4149f5 on October 13, 2024 14:43
Codecov Report
Attention: Patch coverage is
Additional details and impacted files:

@@            Coverage Diff             @@
##           master     #591      +/-   ##
==========================================
+ Coverage   88.78%   88.88%   +0.09%
==========================================
  Files          48       48
  Lines       15144    15270     +126
==========================================
+ Hits        13446    13572     +126
  Misses       1698     1698

View full report in Codecov by Sentry.
jkloetzke force-pushed the sandbox-modes branch from c4149f5 to 69b94db on October 13, 2024 19:44
Hide it from "git grep" and similar commands.
Export the job configurations XML and verify that the plugin was executed successfully.
Add the possibility to apply version dependent fix-ups when invoking hook functions.
The usage of stable paths (/bob/...) has traditionally been bound to the usage of a sandbox. This makes sense insofar as these virtual paths depend on the usage of mount namespaces. The new "stablePaths" option allows overriding the usage of virtual, stable paths. By default, the existing heuristic is retained. But the usage of stable paths can now be forced or prohibited too.
The slim sandbox uses the bob-namespace-sandbox to restrict access to workspace paths. But in contrast to the existing "fat" sandbox, a slim sandbox does not use a sandbox image. To gain at least a bit of information hiding, the current working directory is hidden behind a whiteout. This should usually hide all other workspaces.
To introduce different sandbox modes, a SandboxMode helper is added. This helper controls three different aspects of the sandbox operation:

* slimSandbox: use mount namespaces without a sandbox image.
* sandboxEnabled: usage of the sandbox image
* stablePaths: force or prohibit stable paths

Using these properties, the following sandbox modes are defined:

* no-sandbox
* sandbox: traditional sandbox mode
* slim-sandbox: always isolate, always use workspace path, not use sandbox images.
* dev-sandbox: always isolate, always use workspace path, use sandbox images if available.
* strict-sandbox: always isolate, always use stable paths, use sandbox images if available.
Adds the new --slim-sandbox, --dev-sandbox and --strict-sandbox options to the dev/build commands.
Let the "sandbox" command default additionally accept the 'no', 'yes', 'slim', 'dev' and 'strict' strings that correspond to the respective command line options.
Adds the new --slim-sandbox, --dev-sandbox and --strict-sandbox options to the jenkins commands.
The function actually tests the usage of a sandbox image. This is an important distinction because it won't return true in case of the slim sandbox build mode. Likewise, it will return false in the dev- or strict-sandbox modes when packages have no available sandbox image even though isolation is applied.
The test incorrectly uses '--dev' as abbreviation for the '--develop' option. While this worked so far, it will be ambiguous with the introduction of the '--dev-sandbox' option.
This does not actually add any new behaviour. But it makes the remaining commands consistent with the build/dev/jenkins commands by accepting the same options.
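The commit messages above describe a SandboxMode helper with three properties, the five modes built from them, and the point that "sandbox enabled" (image in use) is not the same as "isolation applied". The following is an added model of that resolution logic, not code from the Bob project; the names `SandboxMode`, `MODES`, `parse_sandbox_default` and `resolve` are hypothetical.

```python
# Added example: models the sandbox-mode resolution described in the PR's commit
# messages. Not Bob's own code; all names here are hypothetical.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SandboxMode:
    slim_sandbox: bool             # isolate with mount namespaces even without an image
    sandbox_enabled: bool          # use a sandbox image when one is available
    stable_paths: Optional[bool]   # None: keep heuristic, True: force, False: prohibit


# The five modes from the commit message, keyed by the strings the "sandbox"
# command default accepts ('no', 'yes', 'slim', 'dev', 'strict').
MODES = {
    "no":     SandboxMode(slim_sandbox=False, sandbox_enabled=False, stable_paths=None),
    "yes":    SandboxMode(slim_sandbox=False, sandbox_enabled=True,  stable_paths=None),
    "slim":   SandboxMode(slim_sandbox=True,  sandbox_enabled=False, stable_paths=False),
    "dev":    SandboxMode(slim_sandbox=True,  sandbox_enabled=True,  stable_paths=False),
    "strict": SandboxMode(slim_sandbox=True,  sandbox_enabled=True,  stable_paths=True),
}


def parse_sandbox_default(value: str) -> SandboxMode:
    """Map a 'sandbox' default string to its mode; reject anything else."""
    try:
        return MODES[value]
    except KeyError:
        raise ValueError(f"unknown sandbox mode: {value!r}") from None


def resolve(mode: SandboxMode, image_available: bool) -> Tuple[bool, bool, bool]:
    """Return (isolate, use_image, stable_paths) for one package build.

    use_image is what the "sandbox enabled" check answers; it stays False in
    slim mode and in dev/strict modes without an image, even though isolation
    is still applied there.
    """
    use_image = mode.sandbox_enabled and image_available
    # Traditional heuristic: isolation only comes with an image, unless slim.
    isolate = mode.slim_sandbox or use_image
    if mode.stable_paths is None:
        stable = use_image          # heuristic: stable paths bound to sandbox usage
    else:
        stable = mode.stable_paths  # explicitly forced or prohibited
    return isolate, use_image, stable
```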
jkloetzke force-pushed the sandbox-modes branch from 69b94db to c51d5de on October 16, 2024 19:48
The --sandbox mode is nice but sometimes cumbersome to use. It will use stable paths (/bob/...) which is good for reproducibility but bad for debugging. OTOH, no isolation will be applied without a sandbox image. This PR adds a couple of other sandbox modes to make the usage more flexible:

* --slim-sandbox: Applies isolation (e.g. make dependencies read-only) but do not use a sandbox image, even if available. Do not virtualize paths.
* --dev-sandbox: Always apply isolation but use a sandbox image if available. Like the slim sandbox, do not virtualize paths.
* --strict-sandbox: Always apply isolation, always use stable paths and use the sandbox image if available.