mozilla / sccache

Sccache is a ccache-like tool. It is used as a compiler wrapper and avoids compilation when possible. Sccache has the capability to utilize caching in remote storage environments, including various cloud storage options, or alternatively, in local storage.
Apache License 2.0

Consider `--try-unshare-cgroup` for bubblewrap #469

Open chmanchester opened 5 years ago

chmanchester commented 5 years ago

We're passing --unshare-cgroup to bubblewrap, which fails on older kernels without cgroup namespaces. My understanding of cgroup namespaces from reading their documentation is that they provide isolation primarily for cgroup properties themselves. We're not doing anything interesting with cgroup settings for sandboxed builder processes, so this doesn't seem to be offering meaningful isolation at this point.

chmanchester commented 5 years ago

@jld, I believe you have some expertise in this area. Does my assessment above seem accurate? In other words, if we're not doing anything significant with cgroup configuration, is there any point to creating a cgroup namespace for the spawned process?
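The trade-off discussed in this issue is between a hard `--unshare-cgroup` (fails outright on a kernel without cgroup namespaces) and `--try-unshare-cgroup` (falls back to running the sandbox without a cgroup namespace). The script below is an added example, not sccache's own code, showing how a wrapper can make that decision explicit: it checks whether the running kernel exposes cgroup namespaces (Linux 4.6 and later publish `/proc/self/ns/cgroup`) and whether the installed bwrap advertises `--try-unshare-cgroup` in its help text. The namespace directory and the help text are passed in as parameters so the logic can be exercised offline; the defaults assume a real `/proc` and a real `bwrap` binary, which the example only uses if present.

```shell
#!/bin/sh
# Added example (not sccache's code): decide which bubblewrap cgroup flag a
# sandbox launcher should pass, instead of hard-failing on old kernels.

# True if the kernel exposes cgroup namespaces. Linux 4.6+ publishes a
# `cgroup` entry under /proc/<pid>/ns; older kernels have no such entry,
# and `bwrap --unshare-cgroup` fails on them.
# $1: namespace directory to inspect (default /proc/self/ns).
cgroup_ns_supported() {
    ns_dir=${1:-/proc/self/ns}
    [ -e "$ns_dir/cgroup" ]
}

# True if the bwrap help text on stdin advertises --try-unshare-cgroup.
# Usage: bwrap --help 2>&1 | bwrap_has_try_unshare_cgroup
bwrap_has_try_unshare_cgroup() {
    grep -q -- '--try-unshare-cgroup'
}

# Print the cgroup-related flag to add to the bwrap command line:
#   --unshare-cgroup      when the kernel supports cgroup namespaces;
#   --try-unshare-cgroup  when it does not, but bwrap can fall back itself;
#   (nothing)             when neither holds, so the builder simply runs
#                         without a cgroup namespace rather than failing.
# $1: namespace directory (default /proc/self/ns)
# $2: "yes" if bwrap supports --try-unshare-cgroup, anything else otherwise
bwrap_cgroup_flag() {
    ns_dir=${1:-/proc/self/ns}
    have_try=${2:-no}
    if cgroup_ns_supported "$ns_dir"; then
        echo "--unshare-cgroup"
    elif [ "$have_try" = "yes" ]; then
        echo "--try-unshare-cgroup"
    else
        echo ""
    fi
}

# Stand-alone demonstration on the current host; skipped when bwrap is absent.
if command -v bwrap >/dev/null 2>&1; then
    if bwrap --help 2>&1 | bwrap_has_try_unshare_cgroup; then
        have_try=yes
    else
        have_try=no
    fi
    echo "cgroup flag for this host: $(bwrap_cgroup_flag /proc/self/ns "$have_try")"
else
    echo "bwrap not installed; functions defined for use by a launcher"
fi
```

A launcher would splice the result in unquoted (`bwrap $(bwrap_cgroup_flag) ...`) so that an empty result adds no argument. The point worth logging in a real launcher is the third branch: when the flag comes back empty, the build runs without cgroup-namespace isolation, which is exactly the condition the issue argues is acceptable because the sandbox sets no cgroup properties of its own.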