[sanddune]: add first pass test for packet

Change-Id: I1b88855ec90e021df19f11a16c364b1e5e5297eb
Reviewed-on: https://chromium-review.googlesource.com/c/infra/sanddune/+/2801441
Reviewed-by: Camilo Jacomet <cjacomet@google.com>
1 file changed
tree: 39bf2caca0a1f255e915a2324854deb8afdb6cd4
  .buildkite/
  .github/
  debian/
  images/
  pkg/
  runsc/
  shim/
  test/
  tools/
  vdso/
  webhook/
  .bazelrc
  .gitignore
  .travis.yml
  AUTHORS
  BUILD
  go.mod
  go.sum
  LICENSE
  Makefile
  nogo.yaml
  OWNERS
  README.md
  WORKSPACE
README.md

SandDune

What is SandDune?

SandDune is an experimental hermetic build sandbox for Chrome builds, built on the core sandboxing ideas of gVisor (a user-space kernel that intercepts the sandboxed process's syscalls instead of passing them to the host kernel). The goal is to isolate builds and trap their syscalls and network requests, so that the hermeticity of a build can be asserted rather than assumed: a build that reads outside its declared inputs or talks to the network is flagged.
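
The kind of assertion described above, as an added illustration that is not SandDune or gVisor code: given a trace of trapped syscalls, check every file access against a set of allowed directory trees and every connect() against a loopback-only network policy, reporting each event that breaks the contract. The `Event`, `Policy` and `Violation` types, the `Check` function and the sample trace are all assumptions made for this example; a real monitor would be fed from the syscall trap point rather than from a constructed slice.

```go
package main

import (
	"fmt"
	"net"
	"path/filepath"
	"strings"
)

// Event is one trapped syscall, in the shape a hermeticity monitor that sits
// at the syscall boundary might record it. Illustrative type only; it is not
// a SandDune or gVisor API.
type Event struct {
	Syscall string // e.g. "openat", "execve", "connect"
	Cwd     string // working directory of the caller, used to resolve relative paths
	Path    string // path argument for file syscalls
	Addr    string // "host:port" for connect
}

// Policy is the hermeticity contract a build must satisfy.
type Policy struct {
	AllowedRoots  []string // absolute directory trees the build may touch
	AllowLoopback bool     // tolerate 127.0.0.0/8 and ::1 (e.g. a local build cache)
}

// Violation is one event that breaks the policy.
type Violation struct {
	Event    Event
	Resolved string // absolute, lexically cleaned path (file events only)
	Reason   string
}

// underRoot reports whether p lies inside root after lexical cleaning, so that
// "/src/../etc/passwd" is not accepted as a path under /src. Symlinks are not
// followed here; a real monitor must check the path the kernel actually resolves.
func underRoot(p, root string) bool {
	p, root = filepath.Clean(p), filepath.Clean(root)
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}

// resolve turns the path argument of a file syscall into an absolute path.
func resolve(ev Event) string {
	if filepath.IsAbs(ev.Path) {
		return filepath.Clean(ev.Path)
	}
	return filepath.Join(ev.Cwd, ev.Path) // Join also cleans ".." components
}

// Check evaluates a trace against the policy. An empty result means every
// trapped file access stayed under AllowedRoots and no connection left the
// loopback interface, which is the assertion a hermetic build must pass.
func Check(events []Event, pol Policy) []Violation {
	var out []Violation
	for _, ev := range events {
		switch ev.Syscall {
		case "open", "openat", "stat", "readlink", "execve":
			p := resolve(ev)
			allowed := false
			for _, r := range pol.AllowedRoots {
				if underRoot(p, r) {
					allowed = true
					break
				}
			}
			if !allowed {
				out = append(out, Violation{ev, p, "file access outside allowed roots"})
			}
		case "connect":
			host, _, err := net.SplitHostPort(ev.Addr)
			if err != nil {
				out = append(out, Violation{ev, "", "unparseable socket address"})
				continue
			}
			// A hostname rather than a literal IP implies a resolver lookup,
			// which is itself non-hermetic, so only literal loopback IPs pass.
			if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() && pol.AllowLoopback {
				continue
			}
			out = append(out, Violation{ev, "", "network access during build"})
		}
	}
	return out
}

// sampleTrace is a constructed trace for this example, not output from any real build.
func sampleTrace() []Event {
	return []Event{
		{Syscall: "openat", Cwd: "/src", Path: "BUILD"},
		{Syscall: "execve", Path: "/usr/lib/gcc/x86_64-linux-gnu/10/cc1"},
		{Syscall: "openat", Cwd: "/src", Path: "../etc/passwd"}, // escapes /src
		{Syscall: "connect", Addr: "127.0.0.1:8080"},            // local cache, allowed
		{Syscall: "connect", Addr: "203.0.113.7:443"},           // remote fetch
		{Syscall: "connect", Addr: "example.com:443"},           // needs DNS
	}
}

func main() {
	pol := Policy{AllowedRoots: []string{"/src", "/out", "/usr/lib"}, AllowLoopback: true}
	for _, v := range Check(sampleTrace(), pol) {
		fmt.Printf("%-8s %-40s %s\n", v.Event.Syscall, v.Resolved+v.Event.Addr, v.Reason)
	}
}
```

Two caveats a monitor built on this idea has to handle that the lexical check above does not: a symlink under an allowed root can point outside it, so the decision must be made on the path the kernel resolves (which is what trapping at the syscall boundary, as gVisor's user-space kernel does, makes possible), and connect() on AF_UNIX sockets carries a filesystem path rather than host:port and should be classified as a file access.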

It was forked from gvisor at commit 3ff7324.

The documentation below is from gvisor and will eventually be deleted or updated as we plan to remove everything that isn't directly related to the goal of hermetic assertions.

Documentation

User documentation and technical architecture, including quick start guides, can be found at gvisor.dev.

Installing from source

gVisor builds on x86_64 and ARM64. Other architectures may become available in the future.

For the purposes of these instructions, bazel and other build dependencies are wrapped in a build container. It is possible to use bazel directly, or type make help for standard targets.

Requirements

Make sure the following dependencies are installed:

Building

Build and install the runsc binary:

make runsc
sudo cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/local/bin

Testing

To run standard test suites, you can use:

make unit-tests
make tests

To run specific tests, you can specify the target:

make test TARGETS="//runsc:version_test"

Using go get

This project uses bazel to build and manage dependencies. A synthetic go branch is maintained that is compatible with standard go tooling for convenience.

For example, to build and install runsc directly from this branch:

echo "module runsc" > go.mod
GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
CGO_ENABLED=0 GO111MODULE=on sudo -E go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc

Subsequently, you can build and install the shim binaries for containerd:

GO111MODULE=on sudo -E go build -o /usr/local/bin/gvisor-containerd-shim gvisor.dev/gvisor/shim/v1
GO111MODULE=on sudo -E go build -o /usr/local/bin/containerd-shim-runsc-v1 gvisor.dev/gvisor/shim/v2

Note that this branch is supported in a best effort capacity, and direct development on this branch is not supported. Development should occur on the master branch, which is then reflected into the go branch.