Skip to content

Document state of linux-sandbox in the container#33

Merged
nradakovic merged 4 commits intoeclipse-score:mainfrom
elektrobit-contrib:run-privileged
Oct 23, 2025
Merged

Document state of linux-sandbox in the container#33
nradakovic merged 4 commits intoeclipse-score:mainfrom
elektrobit-contrib:run-privileged

Conversation

@lurtz
Copy link
Contributor

@lurtz lurtz commented Oct 6, 2025
edited
Loading

linux-sandbox does not work by default and is by some expected to work. For example tests of https://github.com/eclipse-score/communication actually only are stable if run with linux-sandbox. Otherwise they tip on each others toes.

Fixes #32

@lurtz
Document state of linux-sandbox in the container
7bc9a22 
linux-sandbox does not work by default and is by some expected to work.
@lurtz lurtz marked this pull request as ready for review October 6, 2025 15:13
@lurtz lurtz changed the title Document state of linux-sandbox in the container Document state of linux-sandbox in the container Oct 7, 2025
olivembo
olivembo suggested changes Oct 7, 2025
View reviewed changes
README.md Outdated
### Bazel's `linux-sandbox`

`linux-sandbox` makes use of [Linux user namespaces](https://man7.org/linux/man-pages/man7/user_namespaces.7.html).
These only work for `linux-sandbox` as expected, if the following snipped is added to the `.devcontainer/devcontainer.json`:
Copy link
Contributor

@olivembo olivembo Oct 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: "snipped" should be "snippet"

@nick-hildebrant-etas
Copy link

nick-hildebrant-etas commented Oct 7, 2025

Docker capability SYS_ADM should be sufficient that the container can create and write to namespaces it created, and I suspect the test attempting to access /tmp/shm is the reason the container requires --privileged. This doesn't really change the fact that LoLa tests would likely require --privileged in any case.

@lurtz
Copy link
Contributor Author

lurtz commented Oct 7, 2025
edited
Loading

Docker capability SYS_ADM should be sufficient that the container can create and write to namespaces it created, and I suspect the test attempting to access /tmp/shm is the reason the container requires --privileged. This doesn't really change the fact that LoLa tests would likely require --privileged in any case.

I already tried SYS_ADMIN: #32 (comment)

You can check if it might work work with linux-sandbox /bin/true in the devcontainer. In my tests this failed, even when I was able to make unshare --user --mount --map-root-user bash work.

@nick-hildebrant-etas
Copy link

nick-hildebrant-etas commented Oct 7, 2025

Docker capability SYS_ADM should be sufficient that the container can create and write to namespaces it created, and I suspect the test attempting to access /tmp/shm is the reason the container requires --privileged. This doesn't really change the fact that LoLa tests would likely require --privileged in any case.

I already tried SYS_ADMIN: #32 (comment)

You can check if it might work work with linux-sandbox /bin/true in the devcontainer. In my tests this failed, even when I was able to make unshare --user --mount --map-root-user bash work.

Yes, sorry I mixed two topics. What I meant was, I think you will have this problem with that test even outside of Bazel or any sandboxing issues. Trying to run a test which is accessing /tmp/shm in a Docker container at all will require --privileged. As far as I know, there is no docker cap to cover the use case. I think it's good to document --privileged as a requirement for LoLa testing.

@lurtz
Copy link
Contributor Author

lurtz commented Oct 7, 2025

Docker capability SYS_ADM should be sufficient that the container can create and write to namespaces it created, and I suspect the test attempting to access /tmp/shm is the reason the container requires --privileged. This doesn't really change the fact that LoLa tests would likely require --privileged in any case.

I already tried SYS_ADMIN: #32 (comment)
You can check if it might work work with linux-sandbox /bin/true in the devcontainer. In my tests this failed, even when I was able to make unshare --user --mount --map-root-user bash work.

Yes, sorry I mixed two topics. What I meant was, I think you will have this problem with that test even outside of Bazel or any sandboxing issues. Trying to run a test which is accessing /tmp/shm in a Docker container at all will require --privileged. As far as I know, there is no docker cap to cover the use case. I think it's good to document --privileged as a requirement for LoLa testing.

What I also noticed is that POSIX message queue IDs might not be namespaced and I had tests with colliding IDs even though linux-sandbox is available. As far as I know lola is moved towards Unix Domain Sockets and thus I will not pursue that further.

@lurtz
Copy link
Contributor Author

lurtz commented Oct 10, 2025

https://docs.podman.io/en/latest/markdown/podman-run.1.html#privileged

podman should confine containers better than docker when using --privileged. At the moment the image works with podman, but we lack CI to test that.

@nradakovic nradakovic self-requested a review October 23, 2025 10:37
@nradakovic nradakovic merged commit 700e882 into eclipse-score:main Oct 23, 2025
2 checks passed
@lurtz lurtz deleted the run-privileged branch October 23, 2025 10:39
@lurtz lurtz mentioned this pull request Oct 24, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@opajonk opajonk opajonk approved these changes

@nradakovic nradakovic nradakovic approved these changes

+1 more reviewer

@olivembo olivembo olivembo approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

devcontainer breaks bazels linux-sandbox

5 participants

@lurtz @nick-hildebrant-etas @opajonk @nradakovic @olivembo