When sandbox network is disabled rules_docker rules cannot communicate with docker daemon #2238

Open
mark-thm opened this issue Mar 28, 2023 · 2 comments
Labels
Can Close? Will close in 30 days unless there is a comment indicating why not

@mark-thm

🐞 bug report

Affected Rule

All rules_docker rules that communicate with the Docker daemon, at least:

  • container_image
  • container_pull
  • container_run_and_commit
  • container_flatten
  • container_layer
  • install_pkgs
  • add_apt_key

Is this a regression?

I'm not aware of prior versions where this worked correctly.

Description

When --sandbox_default_allow_network=false and running in --spawn_strategy=linux-sandbox, the rules_docker rules cannot communicate with the Docker daemon because the rules do not declare requires-network in their execution_requirements.

🔬 Minimal Reproduction

tbd

🔥 Exception or Error


ERROR: /runner/_work/.../BUILD:13:14: Action path/to/target.tar failed: (Exit 1): target.sh failed: error executing command bazel-out/k8-fastbuild-ST-fff/bin/path/to/target.sh
Use --sandbox_debug to see verbose messages from the sandbox and retain the sandbox build root for debugging
Cannot connect to the Docker daemon at tcp://localhost:2376. Is the docker daemon running?

🌍 Your Environment

Operating System:

  
Ubuntu 22.04
  

Output of bazel version:

  
Build label: 5.4.0
Build target: bazel-out/k8-opt/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
Build time: Thu Dec 15 16:14:25 2022 (1671120865)
Build timestamp: 1671120865
Build timestamp as int: 1671120865
  

Rules_docker version:

  
0.25.0
  

Anything else relevant?

Some of the rules_docker rules do not provide a meaningful mnemonic -- the rule that generates .tar and add_apt_key, which makes a workaround difficult. At least for my repo, a sufficient workaround is to spec a number of strategy_regexp values and drop back to processwrapper-sandbox, which cannot enforce the network restrictions:

--strategy_regexp='Action .*\.tar'=processwrapper-sandbox
--strategy_regexp='Action .*-trusted.gpg'=processwrapper-sandbox
--strategy_regexp=ContainerPushDigest=processwrapper-sandbox
--strategy_regexp=ExtractConfig=processwrapper-sandbox
--strategy_regexp=ExtractImageId=processwrapper-sandbox
--strategy_regexp=ImageLayer=processwrapper-sandbox
--strategy_regexp=JoinLayers=processwrapper-sandbox
--strategy_regexp=RunAndCommit=processwrapper-sandbox
--strategy_regexp=RunAndCommitLayer=processwrapper-sandbox
--strategy_regexp=RunAndExtract=processwrapper-sandbox
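
What declaring the requirement looks like in a rule, as an added example that is not rules_docker code: the rule name `docker_probe`, its mnemonic `DockerProbe`, and the reliance on `--action_env` to pass `DOCKER_HOST` are assumptions made for illustration.

```starlark
# docker_probe.bzl
# Added illustration, not part of rules_docker. The rule name, mnemonic and
# output naming are hypothetical.

def _docker_probe_impl(ctx):
    out = ctx.actions.declare_file(ctx.label.name + ".txt")
    ctx.actions.run_shell(
        outputs = [out],
        # Asks the daemon for its version, so the action needs a socket
        # that reaches outside the sandbox (e.g. tcp://localhost:2376).
        command = "docker version --format '{{.Server.Version}}' > \"$1\"",
        arguments = [out.path],
        # A distinct mnemonic lets --strategy or --strategy_regexp select
        # exactly this action, instead of matching on 'Action .*\.tar'.
        mnemonic = "DockerProbe",
        progress_message = "Querying Docker daemon for %s" % ctx.label,
        # Assumption: PATH and DOCKER_HOST are supplied with --action_env.
        use_default_shell_env = True,
        execution_requirements = {
            # Opts this one action out of network isolation while
            # --sandbox_default_allow_network=false stays in force for
            # every action that does not declare it.
            "requires-network": "1",
        },
    )
    return [DefaultInfo(files = depset([out]))]

docker_probe = rule(
    implementation = _docker_probe_impl,
    doc = "Writes the Docker daemon's server version to <name>.txt.",
)

# BUILD usage (hypothetical target name):
#   load(":docker_probe.bzl", "docker_probe")
#   docker_probe(name = "daemon_version")
```

An action declared this way still runs under linux-sandbox with its filesystem and process isolation; only the network restriction is lifted for it, which is narrower than moving the action to processwrapper-sandbox.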

@github-actions

This issue has been automatically marked as stale because it has not had any activity for 180 days. It will be closed if no further activity occurs in 30 days.
Collaborators can add an assignee to keep this open indefinitely. Thanks for your contributions to rules_docker!

@github-actions github-actions bot added the Can Close? Will close in 30 days unless there is a comment indicating why not label Sep 24, 2023

This issue was automatically closed because it went 30 days without a reply since it was labeled "Can Close?"

@alexeagle alexeagle reopened this Dec 10, 2024