Re: [BuildStream] Introduce a docker sandbox

[Richard Maw <richard maw codethink co uk>]

On Tue, Oct 23, 2018 at 06:34:32PM +0100, Benjamin Schubert via BuildStream-list wrote:
> - How that would be implemented ?
>
> The aim is to have a second sandbox implementation, using docker that
> would behave similarily to the current bwrap sandbox.
> We would introduce a "sandbox" parameter in the buildstream.conf user
> configuration that would default to "brwap" on linux and to "docker"
> on any other OS.

My recollection of discussions I was present to
suggested that it would be branded as something OCI-compatible
and stick to the subset of Docker that has been standardised in OCI
rather than explicitly Docker.

Other than that it sounds like a good thing to have.

> - Questions to answer:
>
> - How would we handle cache keys? Would docker and brwap sandbox
> considered equivalent and the cache keys match? Do we want a cache key
> per sandbox?
>   - We think a single cache key would be enough, if, and only if, we
> consider brwap and docker sandboxes "equal" in term of features.
>     There is a precedent for that: remote execution uses the same keys
> than the local ones.

I think bwrap and remote execution get away with it from the assumption
that the remote end is going to be using the same technology.

If we are making this assumption then it's going to require
that the remote execution protocol can report its sandbox backend.

I think Docker's containment capabilities should be a superset of bubblewrap's,
though things might get interesting when it comes to user namespaces
and the copy-on-write overlay may be less capable and stat differently,
so we ought to be able to consider their artifacts equivalent.

If you find difficulties making the sandboxes behave equivalently
we can re-visit whether they should cache to the same keys.