sandbox: Allow network access for builds by default.
This solves a performance issue that slowed down builds by about 40%, at least on Linux, because clone() with CLONE_NEWNET becomes extremely slow (>1 second) for highly parallel builds. See this thread for a discussion: https://lkml.org/lkml/2014/8/20/40
For the sake of consistency, we apply the same policy on OS X, too.
If we find a better way to block network access for processes on Linux that doesn't have this performance hit, we will revisit this.
RELNOTES: Sandboxed builds allow network access for builds by default. Tests will still be run without networking, unless "requires-network" is specified as a tag.
--
MOS_MIGRATED_REVID=131393514
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
new file mode 100644
index 0000000..bd8c365
--- /dev/null
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxHelpers.java
@@ -0,0 +1,45 @@
+// Copyright 2016 The Bazel Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package com.google.devtools.build.lib.sandbox;
+
+import com.google.devtools.build.lib.actions.Spawn;
+import com.google.devtools.build.lib.analysis.config.BuildConfiguration;
+import com.google.devtools.build.lib.buildtool.BuildRequest;
+
+/** Helper methods that are shared by the different sandboxing strategies in this package. */
+final class SandboxHelpers {
+
+ static boolean shouldAllowNetwork(BuildRequest buildRequest, Spawn spawn) {
+ // If we don't run tests, allow network access.
+ if (!buildRequest.shouldRunTests()) {
+ return true;
+ }
+
+ // If the Spawn specifically requests network access, allow it.
+ if (spawn.getExecutionInfo().containsKey("requires-network")) {
+ return true;
+ }
+
+ // Allow network access, when --java_debug is specified, otherwise we can't connect to the
+ // remote debug server of the test.
+ if (buildRequest
+ .getOptions(BuildConfiguration.Options.class)
+ .testArguments
+ .contains("--wrapper_script_flag=--debug")) {
+ return true;
+ }
+
+ return false;
+ }
+}
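Review bot: `shouldAllowNetwork` decides mostly from the build request rather than from the spawn, and nothing in the new file documents that. When `buildRequest.shouldRunTests()` is false, every sandboxed spawn keeps network access, and when the test arguments contain `--wrapper_script_flag=--debug`, the same holds for every spawn in the invocation, not only the test being debugged. Conversely, when tests are run, ordinary build actions in that invocation appear to lose network access unless tagged, so the same action can presumably behave differently between a build-only and a test invocation. Since this method is now the sandbox's whole network policy, it should carry a Javadoc stating these rules, e.g. `/** Returns true if the sandbox should leave network access enabled for {@code spawn}; only the "requires-network" tag is evaluated per spawn, the other rules apply to the whole build request. */`. If the intent is that only test actions are isolated, consider keying the decision on the spawn itself and hoisting `"requires-network"` into a named constant so the tag cannot drift between strategies.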