Tags: linux, sandbox, bazel

port isolation with bazel and linux


Trying to test out port isolation with bazel and linux and it fails.

My env is as follows (started on aws):

$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ uname -mrs
Linux 3.16.0-4-amd64 x86_64

Bazel version

$ bazel version
Build label: 0.5.1
Build target: bazel-out/local-fastbuild/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
Build time: Tue Jun 6 10:34:11 2017 (1496745251)
Build timestamp: 1496745251
Build timestamp as int: 1496745251

The repo: https://github.com/ittaiz/bazel-port-isolation

Running the test: $ bazel test //...

____Loading package:
____Loading package: @bazel_tools//tools/cpp
____Loading package: @local_config_xcode//
____Loading package: @local_jdk//
____Loading package: @local_config_cc//
____Loading complete.  Analyzing...
____Loading package: tools/defaults
____Loading package: @bazel_tools//tools/test
____Loading package: @junit_junit//jar
____Found 2 test targets...
____Building...
____[0 / 12] Expanding template SocketIsolation2Test
____[10 / 12] Building SocketIsolationTest.jar (1 source file)
FAIL: //:SocketIsolation2Test (see /home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/execroot/bazel-port-isolation/bazel-out/local-fastbuild/testlogs/SocketIsolation2Test/test.log)
PASS: //:SocketIsolationTest
____Elapsed time: 11.152s, Critical Path: 7.03s
//:SocketIsolationTest                                                   PASSED in 5.3s
//:SocketIsolation2Test                                                  FAILED in 0.3s
  /home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/execroot/bazel-port-isolation/bazel-out/local-fastbuild/testlogs/SocketIsolation2Test/test.log

(As you can see - no sandbox failure or warnings)

The test log shows "Address already in use" - which means that there was no port isolation.

Why is it not working?


Solution

  • Found out why...

    From here: https://bazel.build/versions/master/docs/bazel-user-manual.html#sandboxing

    On some platforms such as Google Container Engine cluster nodes or Debian, user namespaces are deactivated by default due to security concerns. This can be checked by looking at the file /proc/sys/kernel/unprivileged_userns_clone: if it exists and contains a 0, then user namespaces can be activated with sudo sysctl kernel.unprivileged_userns_clone=1.

    The /proc/sys/kernel/unprivileged_userns_clone existed and had 0 in it... so changing it according to the instruction solved it.
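The check described in the answer, as an added example (not code from the original post, from Bazel or from the linked repo): a small POSIX shell script that reads the sysctl knob the Bazel manual names and, separately, tries the operation the sandbox actually needs, creating a user plus network namespace as an unprivileged user. The function and variable names are the example's own; `check_userns_sysctl` accepts an optional file path so it can be exercised against a constructed file instead of the live `/proc` entry, and `userns_works` assumes util-linux `unshare` is installed.

```shell
#!/bin/sh
# Added example: report whether unprivileged user namespaces are available,
# which the Bazel Linux sandbox needs to give each test its own network
# stack (and therefore its own port space). Not part of the original post.

# check_userns_sysctl [FILE]
#   Prints "enabled", "disabled", "absent" or "unknown".
#   FILE defaults to the knob named in the Bazel manual; a different path is
#   only meant for testing this function against a constructed file.
check_userns_sysctl() {
    file="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ ! -e "$file" ]; then
        # Kernels without the Debian-style patch have no such knob at all;
        # user namespaces are then governed by the kernel config alone.
        echo absent
        return 0
    fi
    case "$(cat "$file")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# userns_works
#   Succeeds (exit 0) if the current, unprivileged user can create a user
#   namespace together with a fresh network namespace: the same combination
#   the sandbox relies on for port isolation. Requires util-linux `unshare`.
userns_works() {
    unshare -Un true 2>/dev/null
}

# report
#   Human-readable summary. Always returns 0 so the script can be sourced
#   without aborting a caller that runs under `set -e`.
report() {
    state=$(check_userns_sysctl)
    echo "kernel.unprivileged_userns_clone: $state"
    if userns_works; then
        echo "unshare -Un: ok (sandbox network isolation should work)"
    else
        echo "unshare -Un: failed (expect tests to share the host port space)"
        if [ "$state" = disabled ]; then
            # Remediation from the Bazel manual quoted above; not run here.
            echo "hint: sudo sysctl kernel.unprivileged_userns_clone=1"
        fi
    fi
    return 0
}

report
```

The sysctl read and the `unshare` probe deliberately disagree sometimes: the knob can be absent on a kernel that still forbids user namespaces (or present and set to 1 on a box where `unshare` is missing), so the probe is the check that actually predicts whether a `bazel test` run will get per-test network namespaces.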