| commit | 134b9a67932efb09a4043c87e194d8588fddcb5c | |
|---|---|---|
| author | Camilo Jacomet <cjacomet@google.com> | Thu Jan 14 22:22:43 2021 |
| committer | Camilo Jacomet <cjacomet@google.com> | Thu Jan 14 22:22:43 2021 |
| tree | 658eeded98019ce58b15a6f2fb5dfacff8c2083c | |
| parent | 2eed836c0f00a173cf3e0fc70748a8e919170622 | |
[sanddune]: Call sanddune command from inside gVisor

Got gVisor to call the sanddune command; the call currently happens inside container.go, and from there the sanddune command calls duneserver. It does not get started in the same namespace as the gofer or sandbox at the moment.

Change-Id: I20601cffb536788c4228bd5d7e5d3f71c9a4d79e
Reviewed-on: https://chromium-review.googlesource.com/c/infra/sanddune/+/2629889
Reviewed-by: Yulan Lin <yulanlin@google.com>
Reviewed-by: Jason Clinton <jclinton@chromium.org>
Reviewed-by: Edward Lesmes <ehmaldonado@chromium.org>
Sanddune is an experimental hermetic build sandbox for Chrome builds that builds on the core ideas of gVisor (an application kernel that intercepts the sandboxed process's syscalls). The goal is to isolate builds and to trap syscalls and network requests so that the hermeticity of a build can be asserted rather than assumed.

It was forked from gVisor at commit 3ff7324.

The documentation below is from gVisor and will eventually be deleted or updated, as we plan to remove everything that is not directly related to the goal of hermetic assertions.
User documentation and technical architecture, including quick start guides, can be found at gvisor.dev.
gVisor builds on x86_64 and ARM64. Other architectures may become available in the future.
For the purposes of these instructions, bazel and other build dependencies are wrapped in a build container. It is possible to use bazel directly, or to run `make help` to list the standard targets.
Make sure the following dependencies are installed:
Build and install the runsc binary:

```shell
make runsc
sudo cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/local/bin
```
To run the standard test suites, you can use:

```shell
make unit-tests
make tests
```

To run specific tests, specify the target:

```shell
make test TARGETS="//runsc:version_test"
```
go get

This project uses bazel to build and manage dependencies. For convenience, a synthetic go branch is maintained that is compatible with standard go tooling.

For example, to build and install runsc directly from this branch:

```shell
echo "module runsc" > go.mod
GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
CGO_ENABLED=0 GO111MODULE=on sudo -E go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc
```
Subsequently, you can build and install the shim binaries for containerd:

```shell
GO111MODULE=on sudo -E go build -o /usr/local/bin/gvisor-containerd-shim gvisor.dev/gvisor/shim/v1
GO111MODULE=on sudo -E go build -o /usr/local/bin/containerd-shim-runsc-v1 gvisor.dev/gvisor/shim/v2
```
Note that this branch is supported on a best-effort basis, and direct development on it is not supported. Development should occur on the master branch, which is then reflected into the go branch.
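The go-branch install procedure above, wrapped in a script with the checks a practitioner would want before trusting the resulting runtime. This is an added example and not code from the sanddune or gVisor repositories: it checks that the toolchain is new enough for module mode (GO111MODULE=on needs Go 1.11 or later), builds as the unprivileged user into a scratch module instead of running the Go toolchain under `sudo -E`, verifies that the binary really is statically linked (the point of CGO_ENABLED=0 for a sandbox runtime), and only then installs it. The `SANDDUNE_INSTALL` guard, `INSTALL_DIR`, the helper names, and the use of glibc's `ldd` for the static-link check are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the sanddune or gVisor repositories: install
# runsc from the synthetic "go" branch with a few sanity checks. The
# SANDDUNE_INSTALL guard, INSTALL_DIR, and the helper names are assumptions
# made for this example.
set -eu

INSTALL_DIR="${INSTALL_DIR:-/usr/local/bin}"

# Print "MAJOR MINOR" from a `go version` line, e.g.
# "go version go1.15.6 linux/amd64" -> "1 15"; prints nothing for
# development builds ("go version devel ...").
parse_go_version() {
    printf '%s\n' "$1" |
        sed -n 's/^go version go\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p'
}

# Succeed when the `go version` line $1 is at least major $2, minor $3.
# Module mode (GO111MODULE=on) needs Go 1.11 or newer.
go_version_at_least() {
    ver=$(parse_go_version "$1")
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt "$2" ]; then return 0; fi
    if [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; then return 0; fi
    return 1
}

# Succeed when $1 is statically linked. runsc is built with CGO_ENABLED=0
# so it must not pick up host libraries; glibc's ldd exits non-zero for a
# static executable (assumption: glibc ldd is available on the host).
is_static_binary() {
    ! ldd "$1" >/dev/null 2>&1
}

install_runsc() {
    go_version_at_least "$(go version)" 1 11 ||
        { echo "Go 1.11 or newer is required for module mode" >&2; return 1; }

    # Build in a scratch module as the unprivileged user; only the copy
    # into INSTALL_DIR needs root, so the Go toolchain never runs under sudo.
    workdir=$(mktemp -d)
    cd "$workdir"
    echo "module runsc" > go.mod
    GO111MODULE=on go get gvisor.dev/gvisor/runsc@go
    CGO_ENABLED=0 GO111MODULE=on go build -o "$workdir/runsc" gvisor.dev/gvisor/runsc

    is_static_binary "$workdir/runsc" ||
        { echo "built runsc is not statically linked" >&2; return 1; }

    sudo install -m 0755 "$workdir/runsc" "$INSTALL_DIR/runsc"
    "$INSTALL_DIR/runsc" --version
}

# Only perform the network-touching install when explicitly requested, so
# the helpers above can be sourced and exercised without fetching anything.
if [ "${SANDDUNE_INSTALL:-0}" = 1 ]; then
    install_runsc
fi
```

Run it as `SANDDUNE_INSTALL=1 sh install-runsc.sh`; without the variable it only defines the helpers. Building as the normal user and then copying with `sudo install` keeps the privileged step to a single file copy, which matters because `sudo -E go build` otherwise runs the module fetch and compile as root with the caller's environment (GOPATH, GOFLAGS, proxy settings) preserved.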