linux - Port isolation with bazel and linux

Tags linux sandbox bazel

Trying to test port isolation using bazel and linux, but it fails.

My environment is as follows (launched on AWS):

$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

$ uname -mrs
Linux 3.16.0-4-amd64 x86_64

Bazel version

$ bazel version
Build label: 0.5.1
Build target: bazel-out/local-fastbuild/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
Build time: Tue Jun 6 10:34:11 2017 (1496745251)
Build timestamp: 1496745251
Build timestamp as int: 1496745251

Repo: https://github.com/ittaiz/bazel-port-isolation

Run the tests: $ bazel test //...

____Loading package:
____Loading package: @bazel_tools//tools/cpp
____Loading package: @local_config_xcode//
____Loading package: @local_jdk//
____Loading package: @local_config_cc//
____Loading complete.  Analyzing...
____Loading package: tools/defaults
____Loading package: @bazel_tools//tools/test
____Loading package: @junit_junit//jar
____Found 2 test targets...
____Building...
____[0 / 12] Expanding template SocketIsolation2Test
____[10 / 12] Building SocketIsolationTest.jar (1 source file)
FAIL: //:SocketIsolation2Test (see /home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/execroot/bazel-port-isolation/bazel-out/local-fastbuild/testlogs/SocketIsolation2Test/test.log)
PASS: //:SocketIsolationTest
____Elapsed time: 11.152s, Critical Path: 7.03s
//:SocketIsolationTest                                                   PASSED in 5.3s
//:SocketIsolation2Test                                                  FAILED in 0.3s
  /home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/execroot/bazel-port-isolation/bazel-out/local-fastbuild/testlogs/SocketIsolation2Test/test.log

(As you can see - no sandbox failure or warning)

The test log shows "Address already in use" - which means there is no port isolation.

Why isn't it working?

Best answer

Found the reason...

From here: https://bazel.build/versions/master/docs/bazel-user-manual.html#sandboxing

On some platforms such as Google Container Engine cluster nodes or Debian, user namespaces are deactivated by default due to security concerns. This can be checked by looking at the file /proc/sys/kernel/unprivileged_userns_clone: if it exists and contains a 0, then user namespaces can be activated with sudo sysctl kernel.unprivileged_userns_clone=1.

/proc/sys/kernel/unprivileged_userns_clone exists and contains 0... so changing it as instructed solved it.
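As an added example (not from the question, the answer, or the bazel-port-isolation repo), a POSIX shell script that performs the check the Bazel manual describes and then probes whether an unprivileged user+network namespace can actually be created, which is what the sandbox needs to give each test its own loopback and ports. The `unshare` flags are util-linux's; the status words and hint strings are my own.

```shell
#!/bin/sh
# Added example: is the Debian-style gate on unprivileged user namespaces
# closed? When it is, Bazel's sandbox silently falls back and tests share
# the host's ports (the "Address already in use" seen in the question).

# userns_gate_status [FILE] -> prints one of:
#   disabled  file exists and contains 0 (Debian default; sandbox cannot unshare)
#   enabled   file exists and contains 1
#   absent    file does not exist (kernel without this gate; rely on the probe)
#   unknown   unexpected content
userns_gate_status() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    if [ ! -e "$f" ]; then
        echo absent
        return 0
    fi
    case "$(tr -d '[:space:]' < "$f")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# userns_probe -> exit 0 if an unprivileged user+net namespace can be created
# right now (what Bazel's linux-sandbox does per action), non-zero otherwise.
userns_probe() {
    unshare -U -n -r true >/dev/null 2>&1
}

# fix_hint STATUS -> remediation for each state (text from the Bazel manual
# for the "disabled" case; the other hints are my own wording).
fix_hint() {
    case "$1" in
        disabled) echo "run: sudo sysctl kernel.unprivileged_userns_clone=1" ;;
        enabled)  echo "gate open; if the probe still fails, look at seccomp/LSM policy" ;;
        absent)   echo "no Debian gate on this kernel; the namespace probe decides" ;;
        *)        echo "inspect the sysctl manually" ;;
    esac
}

status=$(userns_gate_status)
echo "unprivileged_userns_clone: $status ($(fix_hint "$status"))"
if userns_probe; then
    echo "probe: user+net namespace OK, Bazel sandbox can isolate ports"
else
    echo "probe: cannot unshare user+net namespace, tests will share host ports"
fi
```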

Regarding linux - port isolation with bazel and linux, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/44655417/
