Port isolation with bazel and linux

Time: 2017-06-20 14:09:12

Tags: linux sandbox bazel

I tried to test port isolation with bazel and linux but failed.

My environment is as follows (started from aws):

$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ uname -mrs
Linux 3.16.0-4-amd64 x86_64

Bazel version

$ bazel version
Build label: 0.5.1
Build target: bazel-out/local-fastbuild/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
Build time: Tue Jun 6 10:34:11 2017 (1496745251)
Build timestamp: 1496745251
Build timestamp as int: 1496745251

Repo: https://github.com/ittaiz/bazel-port-isolation

Running the tests: $ bazel test //...

____Loading package:
____Loading package: @bazel_tools//tools/cpp
____Loading package: @local_config_xcode//
____Loading package: @local_jdk//
____Loading package: @local_config_cc//
____Loading complete.  Analyzing...
____Loading package: tools/defaults
____Loading package: @bazel_tools//tools/test
____Loading package: @junit_junit//jar
____Found 2 test targets...
____Building...
____[0 / 12] Expanding template SocketIsolation2Test
____[10 / 12] Building SocketIsolationTest.jar (1 source file)
FAIL: //:SocketIsolation2Test (see /home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/execroot/bazel-port-isolation/bazel-out/local-fastbuild/testlogs/SocketIsolation2Test/test.log)
PASS: //:SocketIsolationTest
____Elapsed time: 11.152s, Critical Path: 7.03s
//:SocketIsolationTest                                                   PASSED in 5.3s
//:SocketIsolation2Test                                                  FAILED in 0.3s
  /home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/execroot/bazel-port-isolation/bazel-out/local-fastbuild/testlogs/SocketIsolation2Test/test.log

(As you can see - no sandbox failures or warnings)

The test log shows "Address already in use" - which means there is no port isolation.

Why doesn't it work?

1 answer:

Answer 0: (score: 4)

Figured it out...

Starting from here: https://bazel.build/versions/master/docs/bazel-user-manual.html#sandboxing

  On some platforms, such as Google Container Engine cluster nodes or Debian, user namespaces are deactivated by default due to security concerns. This can be checked by looking at the file /proc/sys/kernel/unprivileged_userns_clone: if it exists and contains a 0, then user namespaces can be activated with sudo sysctl kernel.unprivileged_userns_clone=1.

/proc/sys/kernel/unprivileged_userns_clone did exist and had a 0 in it.. so changing it as described solved it.
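The check the answer quotes from the Bazel manual, written out as a small POSIX shell function. This is an added example, not code from the question, the answer or the Bazel project: it reads the Debian-specific unprivileged_userns_clone knob and reports whether Bazel's sandbox can create user namespaces, treating an absent file (kernels without the Debian patch) and an unexpected value as their own cases rather than as "enabled". The path is a parameter so the same function can be exercised against constructed sample files offline; the sample directory and its contents are constructed here.

```sh
#!/bin/sh
# Added example (not from the original question or answer): report whether
# unprivileged user namespaces, which Bazel's linux sandbox relies on, are
# enabled, by reading the sysctl quoted in the answer. The path argument is
# optional so the function can be run against constructed sample files.

userns_state() {
    # $1: path of the unprivileged_userns_clone file (default: the live sysctl)
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ ! -e "$f" ]; then
        # Kernels without the Debian knob do not expose this file at all; the
        # upstream default applies and this check cannot say more than that.
        echo "absent"
        return 0
    fi
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;   # the state the question's test run was in
        *) echo "unknown:$v" ;; # anything else is reported, not guessed at
    esac
}

# Constructed sample files so all three branches can be seen offline.
sample_dir=$(mktemp -d)
printf '0\n' > "$sample_dir/off"
printf '1\n' > "$sample_dir/on"

for f in "$sample_dir/off" "$sample_dir/on" "$sample_dir/missing" \
         /proc/sys/kernel/unprivileged_userns_clone; do
    state=$(userns_state "$f")
    printf '%s: %s\n' "$f" "$state"
    if [ "$state" = "disabled" ]; then
        # The remedy the answer quotes from the Bazel manual; printed, not run.
        printf '  fix: sudo sysctl kernel.unprivileged_userns_clone=1\n'
    fi
done
```

Run it without arguments on a Debian 8 host and the last line reports the live value; "disabled" is the state that produced the "Address already in use" failure above, because without user namespaces the sandbox cannot give each test its own network namespace.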