尝试使用 bazel 和 linux 测试端口隔离,但失败了。
我的环境如下(在aws上启动):
$ cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ uname -mrs
Linux 3.16.0-4-amd64 x86_64
巴泽尔版本
$ bazel version
Build label: 0.5.1
Build target: bazel-out/local-fastbuild/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
Build time: Tue Jun 6 10:34:11 2017 (1496745251)
Build timestamp: 1496745251
Build timestamp as int: 1496745251
仓库:https://github.com/ittaiz/bazel-port-isolation
运行测试: $ 巴泽尔测试//...
____Loading package:
____Loading package: @bazel_tools//tools/cpp
____Loading package: @local_config_xcode//
____Loading package: @local_jdk//
____Loading package: @local_config_cc//
____Loading complete. Analyzing...
____Loading package: tools/defaults
____Loading package: @bazel_tools//tools/test
____Loading package: @junit_junit//jar
____Found 2 test targets...
____Building...
____[0 / 12] Expanding template SocketIsolation2Test
____[10 / 12] Building SocketIsolationTest.jar (1 source file)
FAIL: //:SocketIsolation2Test (see /home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/execroot/bazel-port-isolation/bazel-out/local-fastbuild/testlogs/SocketIsolation2Test/test.log)
PASS: //:SocketIsolationTest
____Elapsed time: 11.152s, Critical Path: 7.03s
//:SocketIsolationTest PASSED in 5.3s
//:SocketIsolation2Test FAILED in 0.3s
/home/builduser/.cache/bazel/_bazel_builduser/a589c0f8758972ab3aadcf172c468873/execroot/bazel-port-isolation/bazel-out/local-fastbuild/testlogs/SocketIsolation2Test/test.log
(如您所见 - 没有沙箱失败或警告)
tet 日志显示“地址已在使用中” - 这意味着没有端口隔离。
为什么不工作?
最佳答案
找出原因...
从这里:https://bazel.build/versions/master/docs/bazel-user-manual.html#sandboxing
On some platforms such as Google Container Engine cluster nodes or Debian, user namespaces are deactivated by default due to security concerns. This can be checked by looking at the file /proc/sys/kernel/unprivileged_userns_clone: if it exists and contains a 0, then user namespaces can be activated with sudo sysctl kernel.unprivileged_userns_clone=1.
/proc/sys/kernel/unprivileged_userns_clone
存在并且其中有 0...所以根据说明进行更改解决了它。
关于linux - 使用 bazel 和 linux 进行端口隔离,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44655417/