Open gigaroby opened 1 year ago
larsrc-google
commented
1 year ago Before changing the API, I'd like to hear more precisely what you need to do based on this information. Would it for instance be enough to be able to tag rules with "requires-sandbox" or somesuch?
gigaroby
commented
1 year ago Ideally I'd like to replace part 2 here with a call to something like is_filesystem_sandboxed(). I don't really need much else.
larsrc-google
commented
1 year ago So this determines whether you output an extra file with metadata? That's not something that can be determined that early. Only once the action graph has been built and execution has started will the process of figuring out what strategy to use (remote, sandboxed, worker, docker, ...) get initiated. So that's already a problem. Then there's the question of how to restrict whatever action actually creates that file to only run in a sandbox. We try hard to make it transparent to the rule how it actually gets run, as we want to get the same results regardless of strategy. What is it that makes this part require sandboxing when the rest doesn't? That's unusual.
gigaroby
commented
1 year ago The reason why I need to know is that we run two (very similar) instances of the same compiler. Those are similar enough that they emit the same file twice (but we only care about it from one of the rules). Without filesystem sandboxing, one compiler tries to overwrite the output of the other (and fails). Right now if we try to run with the feature enabled but without sandbox we get a very confusing (for the user) message about file permissions.
larsrc-google
commented
1 year ago That's not a good state to be in. Bazel assumes that a given output is only declared by one rule, the ActionConflictChecker checks for that. Are you only declaring it as an output from one of the rules, but the compiler for the other one happens to also write it? If so, you ought to be able to check what outputs you declare and adjust creating metadata.
github-actions[bot]
commented
1 month ago Thank you for contributing to the Bazel repository! This issue has been marked as stale since it has not had any activity in the last 1+ years. It will be closed in the next 90 days unless any other activity occurs. If you think this issue is still relevant and should stay open, please post any comment here and the issue will no longer be marked as stale.
In rules_rust we have a feature (pipelining) that requires filesystem sandboxing in order to work correctly but (as far as I can tell) there's no API to tell if sandboxing is enabled. We have resorted to workarounds like disabling windows (where sandboxing is not available) but this still causes confusing errors. Could we please expose such an API to rule authors?