--worker_sandboxing works incorrectly

[pauldraper]

To be fair, with so little documentation it's hard to say conclusively what is "incorrect", but certainly --worker_sandboxing differs signficantly from --spawn_strategy=sandboxed.

WORKSPACE

rule.bzl

def _example(ctx):
    script = ctx.actions.declare_file('script')
    script_content = """#!/bin/sh
    pwd
    > /home/paul/example
    """
    ctx.actions.write(script, script_content, is_executable = True)

    output = ctx.outputs.example

    args = ctx.actions.args()
    args.use_param_file("@%s", use_always = True)

    execution_requirements = {
        "supports-workers": "1",
    }
    if ctx.attr.no_sandbox:
        execution_requirements["no-sandbox"] = "1"
    ctx.actions.run(
        arguments = [args],
        executable = script,
        execution_requirements = execution_requirements,
        mnemonic = "Script",
        outputs = [output],
    )

    return DefaultInfo(files = depset([output]))

example = rule(
    attrs = {
        "no_sandbox": attr.bool(),
    },
    implementation = _example,
    outputs = {
        "example": "%{name}.txt"
    }
)

BUILD

load(":rule.bzl", "example")

config_setting(
    name = "no-sandbox",
    values = {
        "define": "example_sandbox=false"
    }
)

example(
    name = "example",
    no_sandbox = select({
        ":no-sandbox": True,
        "//conditions:default": False,
    })
)

Ubuntu 18.04. Bazel 0.16.1.

# (Note that all of these commands fail. It's only the side effects that are interesting.)

bazel build --strategy=Script=local --spawn_strategy=standalone :example
# prints /home/paul/.cache/.../execroot/__main__
# updates /home/paul/example

bazel build --strategy=Script=local --spawn_strategy=sandboxed :example
# prints /home/paul/.cache/.../sandbox/linux-sandbox/1/execroot/__main__
# does not update /home/paul/example

bazel build --define=example_sandbox=false --strategy=Script=local --spawn_strategy=sandboxed :example
# prints /home/paul/.cache/.../execroot/__main__
# updates /home/paul/example

bazel build --strategy=Script=worker --noworker_sandboxing :example
# prints /home/paul/.cache/.../execroot/__main__
# updates /home/paul/example

bazel build --strategy=Script=worker --worker_sandboxing :example
# prints /home/paul/.cache/.../bazel-workers/worker-1-Script/__main__
# updates /home/paul/example

bazel build --define=example_sandbox=false --strategy=Script=worker --worker_sandboxing :example
# prints /home/paul/.cache/.../bazel-workers/worker-1-Script/__main__
# updates /home/paul/example

So in summary

	Local strategy	Worker strategy
No sandbox	free write, shared root	free write, shared root
Sandbox	restricted write, unique root	free write, unique root
Sandbox + no-sandbox	free write, shared root	free write, unique root

Worker and non-worker strategies only have the same behavior in the "No sandbox" case. I assume the rest are bugged states?

[philwo]

I think it's fair to call the behavior bugged, but from a code point of view it's more a feature request. :) When I built this, I didn't see a good way how to run the worker under linux-sandbox / sandbox-exec, so I didn't even try to make it more hermetic.

I agree that it would be awesome if we could actually launch the worker process in the more hermetic sandbox environment that we use for non-worker actions!

[github-actions]

Thank you for contributing to the Bazel repository! This issue has been marked as stale since it has not had any activity in the last 3 years. It will be closed in the next 14 days unless any other activity occurs or one of the following labels is added: "not stale", "awaiting-bazeler". Please reach out to the triage team (@bazelbuild/triage) if you think this issue is still relevant or you are interested in getting the issue resolved.

[github-actions]

This issue has been automatically closed due to inactivity. If you're still interested in pursuing this, please reach out to the triage team (@bazelbuild/triage). Thanks!