Improve Bazel Fedora build container handling and cache repository downloads

Adds lifecycle management scripts for the dev container and a "bazel" wrapper script, which sets container-only startup options.

Replaces /dev/null bind mounts by SELinux contexts for container breakup prevention, since newer podman versions managed to somehow break the ordering of mounts and mounting on top of a volume gives ENOENT. This requires a placeholder .arcconfig.

On Fedora, SELinux prevents the container from accessing /dev/kvm, which requires a custom policy (see rWa716c988d69e).

Design considerations:

- The build cache is on a tmpfs. This avoids fuse-overlayfs overhead. If the container is recreated, we want to drop the build cache - Bazel does not track ambient dependencies, so we do not know if we need to rebuild anything (like after upgrading a compiler).

- The repository cache contains just workspace dependencies and is mounted as a volume.

The repository cache does not work terribly well yet; we probably need to mount parts of ~/.cache/bazel as well. podman always mounts volumes as noexec, so this is not as straightforward as it looks.

Test Plan:
Ran the commands from the README as my unprivileged workstation user.
Smalltown was built and launched successfully.

X-Origin-Diff: phab/D198
GitOrigin-RevId: aff720d2862cdf5d1df67813d842d221d69a84c0
diff --git a/scripts/create_container.sh b/scripts/create_container.sh
new file mode 100755
index 0000000..6d284a1
--- /dev/null
+++ b/scripts/create_container.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -euo pipefail
+
+# Our local user needs write access to /dev/kvm (best accomplished by
+# adding your user to the kvm group).
+if ! touch /dev/kvm; then
+  echo "Cannot write to /dev/kvm - please verify permissions."
+  exit 1
+fi
+
+# The KVM module needs to be loaded, since our container is unprivileged
+# and won't be able to do it itself.
+if ! [[ -d /sys/module/kvm ]]; then
+  echo "kvm module not loaded - please modprobe kvm"
+  exit 1
+fi
+
+# Rebuild base image
+podman build -t smalltown-builder .
+
+# Set up SELinux contexts to prevent the container from writing to
+# files that would allow for easy breakouts via tools ran on the host.
+chcon -R system_u:object_r:container_file_t:s0 .
+chcon -R unconfined_u:object_r:user_home_t:s0 \
+  .arcconfig .idea .git
+
+# Create cache volume if it does not yet exist
+! podman volume create repo-cache
+
+podman run -it -d \
+    -v $(pwd):/work \
+    -v repo-cache:/root/repo-cache \
+    --tmpfs=/root/.cache/bazel:exec \
+    --device /dev/kvm \
+    --net=host \
+    --name=smalltown-dev \
+    smalltown-builder
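Review bot: The `! podman volume create repo-cache` line relies on `!` disabling `set -e` for that command, which silently swallows every failure of `podman volume create` (permissions, storage errors), not just "volume already exists"; make the intent explicit with `podman volume inspect repo-cache >/dev/null 2>&1 || podman volume create repo-cache`. Two smaller points in the same hunk: `-v $(pwd):/work` should be quoted as `-v "$(pwd):/work"` so a working directory containing spaces does not split the argument, and the `/dev/kvm` write check would be clearer as `[[ -w /dev/kvm ]]` rather than `touch /dev/kvm`, which modifies the device node's timestamps as a side effect of the test. Since the script hand-labels the tree with `chcon` instead of using the `:z`/`:Z` volume options, a comment noting that `--net=host` gives the container the host's network namespace (and therefore host-level network exposure) alongside the breakout-prevention comment would help future readers weigh that trade-off.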