search

apache / buildstream

BuildStream, the software integration tool
https://buildstream.build/
Apache License 2.0
85 stars 30 forks source link

Allow configuring sandbox option casd-socket #1945

Open nanonyme opened 3 months ago

nanonyme commented 3 months ago

This declares path in sandbox where casd socket will be mounted to. Continuation of https://github.com/apache/buildstream/pull/1772

juergbi commented 3 months ago

Exposing the unfiltered buildbox-casd socket would result in exposing access to the host filesystem via the LocalCAS protocol.

An option that may be safe (to be reviewed) would be to change the instance name to a random token, generated in each BuildStream session, and then use GetInstanceNameForNamespace() to create a second instance that is then exposed to the sandbox.

Ideally, REAPI upstream would define a standard way how REAPI access can be exposed to a the action command. This shouldn't be buildbox-casd-specific and should also be supported with remote execution. Maybe configured by platform property.

abderrahim commented 3 months ago

use GetInstanceNameForNamespace() to create a second instance that is then exposed to the sandbox.

I'm not sure how this works: does it create a "sandboxed" instance somehow or is it just to have the LocalCas methods apply on the sandbox instead of the host?

But this indeed needs to put some thoughts on what exactly we want to provide to the sandboxes: just CAS? CAS and action cache? do we need remote asset too? (we need to at least restrict what can be requested from remote asset). How about remote execution? maybe not by default, but it's probably what would give the most performance benefit. How about LocalCAS? do we need to restrict that?

juergbi commented 3 months ago

I'm not sure how this works: does it create a "sandboxed" instance somehow or is it just to have the LocalCas methods apply on the sandbox instead of the host?

That's kind of the same thing, isn't it? Is there a particular difference between the two options that needs to be clarified? As mentioned, we should review the code to make sure it's sufficiently sandboxed, though.

just CAS? CAS and action cache? do we need remote asset too?

Yes, we certainly need to give this some more thought.

abderrahim commented 3 months ago

That's kind of the same thing, isn't it? Is there a particular difference between the two options that needs to be clarified?

I meant is access to the CAS somehow sandboxed? (from your answer I guess it's not). Not that I think it should be, I just wanted clarification.