[BuildStream] Introduce a docker sandbox

From: Benjamin Schubert <ben c schubert gmail com>
To: buildstream-list gnome org
Subject: [BuildStream] Introduce a docker sandbox
Date: Tue, 23 Oct 2018 18:34:32 +0100

Hey everyone,

We are currently developping software for Linux on either MacOS or Windows using Buildstream.
Given that Buildstream can run natively on Windows and MacOS but cannot build anything, we usually
ssh to a linux VM and do all our development from there or run BuildStream in a docker container, which introduces
an extra unneeded layer of sandboxing. That is far from ideal and we would
like to find a solution where we could ahve the tool installed natively and would run the builds transparently
on linux.

We therefore want to propose the usage of docker as a sandbox mechanism for Buildstream.

- Why add yet another sandbox mechanism ?

Currently BuildStream works on MacOS and Windows but cannot build locally. It can however use Remote Execution to do so.

We want to be able to use BuildStream on MacOS and Windows for doing linux builds and Bubblewrap cannot run on those platforms.

- Why docker ?

Docker is widely used, runs on all three platforms and would allow building for Linux on MacOS/Windows transparent to the user.
Moreover, it should have all the required capabilities that are needed to fully sandbox the build (network and filesystem isolation).
There are no other solutions that are cross platform and widely used (except for VMs, which is less practical to put in place)

- How that would be implemented ?

The aim is to have a second sandbox implementation, using docker that would behave similarily to the current bwrap sandbox.
We would introduce a "sandbox" parameter in the buildstream.conf user configuration that would default to "brwap" on linux and to "docker" on any other OS.

- Questions to answer:

- How would we handle cache keys? Would docker and brwap sandbox considered equivalent and the cache keys match? Do we want a cache key per sandbox?
- We think a single cache key would be enough, if, and only if, we consider brwap and docker sandboxes "equal" in term of features.
There is a precedent for that: remote execution uses the same keys than the local ones.

Please let me know what you think about this proposal. I'll work on a proof of concept using docker as a sandbox in the meantime.

Best,

Benjamin

Follow-Ups:
- Re: [BuildStream] Introduce a docker sandbox
  - From: Sander Striker
- Re: [BuildStream] Introduce a docker sandbox
  - From: Richard Maw

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]