Tip / hack: /usr/bin/bazel setgid docker to allow bazel run on docker_build rules


Kamal Marhubi

Nov 26, 2015, 12:01:01 AM11/26/15
to bazel-discuss
I like to keep myself out of the docker group for security reasons, which makes the very convenient bazel run //some/docker/build:target not work. I chgrp'ed bazel to docker, and made it setgid. This allows bazel run to put image layers into the local repository, which is super convenient compared to having to load the .tar.

Just thought I'd share!

-Kamal

Kamal Marhubi

Nov 26, 2015, 12:02:31 AM11/26/15
to bazel-discuss
(Yes, this is not entirely safe. I'm happy to do it on my laptop, but wouldn't want to do it on a machine where someone else could easily get a shell.)
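An added audit helper, not code from the thread or from Bazel itself: given the setgid-to-docker hack described in the two posts above, it lists which files under a directory are setgid and owned by a given group, so you can see exactly which binaries are handing out docker-group access on a box, and the caveat from the second post is spelled out in the comments. The path /usr/bin/bazel and the function names are assumptions; the demo at the bottom uses a constructed temp directory and the caller's own primary group so it runs on any machine without a docker group or root.

```shell
#!/bin/sh
# Added example, not part of the thread. Audits setgid files owned by a given
# group and shows the hack itself as commented commands (they need root and a
# real docker group, so they are not run here).
#
# The hack from the first post, as commands (assumed path /usr/bin/bazel):
#   sudo chgrp docker /usr/bin/bazel
#   sudo chmod g+s /usr/bin/bazel     # a 0755 binary becomes 2755
#
# Caveat: bazel executes arbitrary build actions, so a setgid-docker bazel hands
# docker-group access (which is effectively root on the host) to anything that
# can run bazel as you, not only to the docker_build run target.

# list_setgid_for_group DIR GROUP
# Print every regular file under DIR that is setgid and owned by GROUP.
# Real-world use: list_setgid_for_group /usr/bin docker
list_setgid_for_group() {
    find "$1" -type f -perm -2000 -group "$2" 2>/dev/null
}

# count_setgid_for_group DIR GROUP
# Number of such files, printed as a bare integer.
count_setgid_for_group() {
    list_setgid_for_group "$1" "$2" | wc -l | tr -d ' '
}

# is_setgid_for_group PATH GROUP
# Exit 0 if PATH is a setgid regular file owned by GROUP, 1 otherwise.
is_setgid_for_group() {
    [ -n "$(find "$1" -maxdepth 0 -type f -perm -2000 -group "$2" 2>/dev/null)" ]
}

# Demo on a constructed temp directory. It uses the caller's primary group
# instead of "docker" so that it works without that group existing.
demo() {
    tmp=$(mktemp -d)
    grp=$(id -gn)
    : > "$tmp/fake-bazel"
    : > "$tmp/plain-tool"
    chmod 2755 "$tmp/fake-bazel"   # setgid, like the hacked bazel
    chmod 0755 "$tmp/plain-tool"   # ordinary binary, should not be listed
    echo "setgid files for group $grp under $tmp:"
    list_setgid_for_group "$tmp" "$grp"
    rm -rf "$tmp"
}

demo
```

Run it against /usr/bin with the group docker after applying the hack and the hacked bazel should be the only hit; anything else in that list is a second door into the docker socket that deserves the same scrutiny.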

Damien Martin-guillerez

Nov 26, 2015, 7:10:28 AM11/26/15
to Kamal Marhubi, bazel-discuss
I wonder what the gain is in doing so compared to the latest version of docker_build's run, which only reloads the changed layers?

I mean, the docker daemon should be as fast as doing the copy, shouldn't it?


Kamal Marhubi

Nov 26, 2015, 10:16:31 AM11/26/15
to Damien Martin-guillerez, bazel-discuss
On Thu, Nov 26, 2015 at 7:10 AM Damien Martin-guillerez <dmar...@google.com> wrote:
I wonder what the gain is in doing so compared to the latest version of docker_build's run, which only reloads the changed layers?

This is with 0.1.2rc1, so I'm probably using the latest version. The difference is that if I'm not in the docker group, the docker_build's run under my user won't have permission to talk to the docker daemon. The natural thing would be to try sudo bazel, but it starts an entire run under root's home, losing all incrementality. This is a little hack to give my docker_build run access to the docker socket without requiring that I operate with that privilege all the time.

-Kamal

Damien Martin-guillerez

Nov 26, 2015, 10:20:06 AM11/26/15
to Kamal Marhubi, bazel-discuss
Oh, I see. Yes, you are supposed to be in the docker group to load the image.

Alternatively you could simply do
```
bazel build //my:docker_image
sudo ./bazel-bin/my/docker_image
```

So you don't spawn a new bazel process.

Kamal Marhubi

Nov 26, 2015, 10:21:38 AM11/26/15
to Damien Martin-guillerez, bazel-discuss
That is probably a safer approach! I came up with this before I'd looked into how it was implemented, but that makes more sense now. Thanks!