bazelbuild / bazel

a fast, scalable, multi-language and extensible build system
https://bazel.build
Apache License 2.0

Hermetic sandbox doesn't expose basic system binaries and libraries by default. #18377

Open tjgq opened 1 year ago

tjgq commented 1 year ago

When using --experimental_use_hermetic_linux_sandbox on Linux, it's impossible to run any executable requiring an interpreter that isn't an explicit input. Most notably, none of #!/bin/sh, #!/bin/bash or #!/usr/bin/env bash work, which means none of Bazel's embedded scripts (genrule-setup.sh, test-setup.sh, etc.) work.

A trivial genrule or sh_test serves as a repro.

This can be worked around using --sandbox_add_mount_pair to mount additional directories in the sandbox; /bin, /lib and /lib64 appear to be enough for Bash scripts, but this is likely system-dependent.

cc @larsrc-google since we were discussing this today.
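As an added example (not code from the issue or from Bazel itself), the following POSIX shell helper makes the "likely system-dependent" point concrete: given an interpreter path, it follows symlinks and uses ldd to discover which host directories the binary and its shared libraries actually live in, then turns that list into --sandbox_add_mount_pair flags. The function names and the identity (host path = sandbox path) mounts are assumptions of this example; the flag names come from the issue.

```shell
#!/bin/sh
# Added example: derive the --sandbox_add_mount_pair flags needed for an
# interpreter (e.g. /bin/sh) to run inside the hermetic Linux sandbox.
# The set of directories is discovered from the running host, which is
# exactly why the workaround in the issue is system-dependent.

# needed_dirs INTERPRETER
# Prints, one per line and deduplicated, the directories that must be
# visible in the sandbox: the interpreter's own directory (as typed and
# after resolving symlinks) plus the directories of every shared library
# ldd reports for it (again both as listed and after resolving symlinks).
needed_dirs() {
  interp="$1"
  real=$(readlink -f "$interp") || return 1
  [ -x "$real" ] || return 1
  {
    dirname "$interp"
    dirname "$real"
    # ldd prints lines like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)"
    # and "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep every absolute path.
    if command -v ldd >/dev/null 2>&1; then
      ldd "$real" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
        | while read -r lib; do
            dirname "$lib"
            dirname "$(readlink -f "$lib")"
          done
    fi
  } | sort -u
}

# mount_flags INTERPRETER
# Emits identity mount pairs (host path mounted at the same path in the
# sandbox), space-separated, ready to append to a bazel command line.
mount_flags() {
  needed_dirs "$1" | while read -r d; do
    printf -- '--sandbox_add_mount_pair=%s ' "$d"
  done
}

# Usage: show what a Bash-based genrule would need on this machine.
# (Output is host-specific; that is the point.)
printf 'bazel build --experimental_use_hermetic_linux_sandbox %s //...\n' \
  "$(mount_flags /bin/sh)"
```

On a glibc host this typically yields /bin, /lib, /lib64 and a multiarch directory such as /lib/x86_64-linux-gnu; on a merged-/usr or musl host the list differs. Mounting those host directories restores the scripts but also re-imports the host's toolchain into the "hermetic" sandbox, so for reproducible builds the same flags are better pointed at a pinned sysroot than at the live system copies.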

prasvelagapudiagility commented 11 months ago

Note that this might be working as intended, as you might want to mount these directories from an isolated sysroot (like a nix store) rather than your actual system copies.

jjmaestro commented 2 months ago

IMHO this is working as intended, I think the --experimental_use_hermetic_linux_sandbox CLI docs are quite clear:

If set to true, do not mount root, only mount what's provided with sandbox_add_mount_pair. Input files will be hardlinked to the sandbox instead of symlinked to from the sandbox. If action input files are located on a filesystem different from the sandbox, then the input files will be copied instead.

So, the sandbox is empty and you have to mount what you need.