Build sandboxing disabled due to nsjail error on lxc

[Sahaj Sarup]

AOSP master.
 
Getting the following warnings:
 
18:54:25 Build sandboxing disabled due to nsjail error. This may become fatal in the future.
18:54:25 Please let us know why nsjail doesn't work in your environment at:
18:54:25   https://groups.google.com/forum/#!forum/android-building
18:54:25   https://issuetracker.google.com/issues/new?component=381517
18:54:25 Build sandboxing disabled due to nsjail error. This may become fatal in the future.
18:54:25 Please let us know why nsjail doesn't work in your environment at:
18:54:25   https://groups.google.com/forum/#!forum/android-building
18:54:25   https://issuetracker.google.com/issues/new?component=381517
 
My best guess is that since this _might_ be related to nsjail container and apparmour, these warnings appear because I am running ubuntu inside a lxc container.
 
I have two questions regarding this:
 
1. How fatal is it, do I need a machine running Ubuntu natively.
2. If the build system is being containerized, can i just rub the build on my fedora machine and not care about build environment as much?

[Dan Willemsen]

> 1. How fatal is it, do I need a machine running Ubuntu natively.

It's not fatal, the build should continue and work successfully. I know that there are problems with docker-like systems (eventually tracking down to some workarounds for a kernel bug -- turning off a lot of the security helps, but doesn't get you all the way there), and there are problems with systems that don't enable user namespaces (which means we'd need root 😞). Between those problems it's likely not to become fatal anytime in the near future, I should probably remove those messages from master.

Right now it's only giving us two benefits: (1) disabling networking for the build and (2) preventing processes from staying alive after the build exits (either normally, or on a failure). I'd like to do some more changes (hiding / making visible different portions of the source tree, ensuring that the current output directory is always out/, making the source tree readonly, etc), but with enough people not being able to use it, we'll need to find other ways to satisfy those goals.

2. If the build system is being containerized, can i just rub the build on my fedora machine and not care about build environment as much?

 

Yes, I'd expect that to work. Please let us know if you have any problems doing that.

We're not fully containerizing, but we do include our own versions of most of the tools that we use. The list of host tools that we're using is shrinking, but bug reports would help us identify which ones should be prioritized.

- Dan

--
--
You received this message because you are subscribed to the "Android Building" mailing list.
To post to this group, send email to android-...@googlegroups.com
To unsubscribe from this group, send email to
android-buildi...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-building?hl=en

---
You received this message because you are subscribed to the Google Groups "Android Building" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-buildi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/android-building/c2d1ec8a-d092-4731-9db9-ed9ca1708d56%40googlegroups.com.