Improve Bazel Fedora build container handling and cache repository downloads
Adds lifecycle management scripts for the dev container and a "bazel" wrapper script, which sets container-only startup options.
Replaces /dev/null bind mounts by SELinux contexts for container breakup prevention, since newer podman versions managed to somehow break the ordering of mounts and mounting on top of a volume gives ENOENT. This requires a placeholder .arcconfig.
On Fedora, SELinux prevents the container from accessing /dev/kvm, which requires a custom policy (see rWa716c988d69e).
Design considerations:
- The build cache is on a tmpfs. This avoids fuse-overlayfs overhead. If the container is recreated, we want to drop the build cache - Bazel does not track ambient dependencies, so we do not know if we need to rebuild anything (like after upgrading a compiler).
- The repository cache contains just workspace dependencies and is mounted as a volume.
The repository cache does not work terribly well yet; we probably need to mount parts of ~/.cache/bazel as well. podman always mounts volumes as noexec, so this is not as straightforward as it looks.
Test Plan:
Ran the commands from the README as my unprivileged workstation user.
Smalltown was built and launched successfully.
X-Origin-Diff: phab/D198
GitOrigin-RevId: aff720d2862cdf5d1df67813d842d221d69a84c0
diff --git a/scripts/run_in_container.sh b/scripts/run_in_container.sh
new file mode 100755
index 0000000..8b60bd6
--- /dev/null
+++ b/scripts/run_in_container.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euo pipefail
+
+podman exec -it smalltown-dev $@
\ No newline at end of file
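Review bot: `$@` on the last line of the hunk is unquoted, so any argument containing whitespace or glob characters is re-split and expanded by the wrapper before it reaches `podman exec`; it should be `podman exec -it smalltown-dev "$@"`. Note also that `-t` requests a pseudo-TTY, which `podman exec` can refuse when stdin is not a terminal (for example when this wrapper is called from another script), so `-t` could be made conditional on `[ -t 0 ]`; and the file should end with a trailing newline.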