generalise the sandbox

[patricoferris]

This is in partial fulfilment of #57 -- in particular making the S.SANDBOX interface more general by removing runc/linux specific from build.ml.

Currently OBuilder supports Linux by using runc and a little bit of docker. The docker component is currently in the more agnostic lib/build.ml side of things, and the get_base function is the linux-y interpretation of (from <hash>). For MacOS support (and perhaps other platforms) the interpretation of (from <hash>) will be different and is therefore dependent on the sandboxing environment -- I think it makes sense to force the sandboxing environment to provide this functionality. To this end, this PR:

• Extended the interface for sandboxes by providing:
  • from which is used where the original get_base function was used -- this is a function that is passed to Store.build.
  • create before this was an additional function added to runc_sandbox.mli but MacOS will also require a create function and since the choice of sandboxing environment will likely be a compile-time choice, it makes sense I think to unify this create function type by (a) putting it in S.SANDBOX and (b) extracting a config type that has a cmdliner value that can be used to build a new S.SANDBOX.t
  • The create function has an optional state_dir parameter -- the reason this isn't baked into the config of the runc sandbox is that I think it is often provided at runtime, e.g. https://github.com/ocurrent/ocluster/blob/master/worker/obuilder_build.ml#L37

[avsm]

Suggested change

	~doc:"Install a seccomp filter that skips allsync syscalls"
	~doc:"Install a seccomp filter that skips all synchronous syscalls"

[talex5]

But the new text is wrong! The option skips all sync and related syscalls, not all synchronous syscalls.

[avsm]

can this just be a val pp : t Fmt.t instead? That would let you pretty print the abstract sandbox state, and it could simply prepend the sandbox type there as well.

[patricoferris]

Sound very reasonable to me, thanks :)) Will also update the doc comment from above shortly

[patricoferris]

It looks something like:

runc state:
 {runc_state_dir: /hello/world
  fast_sync: true
  arches: [A,B,C]}

Hopefully that's okay, I'm no Format wizard 🧙 .

[talex5]

This looks like generally the right direction - sorry for all the nit-picking!

[talex5]

Is this used for anything? We didn't need this before.

[talex5]

I don't think state_dir should be optional. We should pass every sandbox a directory it can use to persist stuff. If a sandbox doesn't need it, it can just ignore it.

[talex5]

Also, not sure that config and create should be in SANDBOX. I see this already caused some trouble for the mock sandbox. This could stay in runc_sandbox.mli for now, and then when there are multiple implementations, we can have this in a shared sandbox.mli.

[talex5]

Needs to say what the final string argument is, if we keep this API.

[talex5]

Since this is now generic, we should rename the directory, e.g.

Suggested change

	Sandbox.create ~state_dir:(Store.state_dir store / "runc") conf >|= fun sandbox ->
	Sandbox.create ~state_dir:(Store.state_dir store / "sandbox") conf >|= fun sandbox ->

[talex5]

The previous text was correct:

Suggested change

	~doc:"Install a seccomp filter that skips all synchronous syscalls"
	~doc:"Ignore sync syscalls (requires runc >= 1.0.0-rc92)"

[talex5]

If you move the constructors back out of SANDBOX, this can all go away.

[patricoferris]

Yep

[talex5]

I think we can skip all of this. mock_exec goes to some trouble to fake out all these docker commands, but since the sandbox now does the fetching we can delete all of that. There's no point testing an old copy of the real code.

It might be worth adding a test to check the real code using the existing mock_exec on Linux, but we also have integration tests on Travis that will test it anyway.

[patricoferris]

Okay I think I follow -- would it be enough then for the mock_sandbox to just be:

let from : Obuilder.Runc_sandbox.from

for now?

[talex5]

That would be an easy solution for now, yes.

Probably the from stuff should go in a separate module anyway (so we have three concepts: stores, sandboxes, and image sources). It would be quite possible to use docker pull even on macos, for example.

[talex5]

We could just keep this bit of get_base, I think, instead of making every sandbox duplicate it.

[talex5]

... and keep this bit too.

[patricoferris]

I think I agree. Certainly the logging of what is going on can stay, so perhaps get_base can just be passed the Sandbox.from function to be passed into Store.build, the only issue I see with that is that we would require Sandbox.from to persist the environment in a specific location.

Or should Sandbox.from be changed to something like:

val from : 
  log:Build_log.t -> base:string -> string -> (Saved_context.env, [ `Cancelled | `Msg of string ]) result Lwt.t

And get base becomes:

let get_base t ~log base =
    log `Heading (Fmt.strf "(from %a)" Sexplib.Sexp.pp_hum (Atom base));
    let id = Sha256.to_hex (Sha256.string base) in
    Store.build t.store ~id ~log (fun ~cancelled:_ ~log tmp ->
        Log.info (fun f -> f "Base image not present; importing %S..." base);
        Sandbox.from ~log ~base tmp >>!= fun env -> 
        Os.write_file ~path:(tmp / "env")
          (Sexplib.Sexp.to_string_hum Saved_context.(sexp_of_t {env})) >>= fun () ->
        Lwt_result.return ()
      )
    >>!= fun id ->
    let path = Option.get (Store.result t.store id) in
    let { Saved_context.env } = Saved_context.t_of_sexp (Sexplib.Sexp.load_sexp (path / "env")) in
    Lwt_result.return (id, env)

[talex5]

Yes. You could also create rootfs here too, and pass that to the fetcher, so it doesn't need to know about the layout.

[patricoferris]

I think I may have been mistaken about the implementation. Am I right in thinking that the runc/zfs implementation builds inside of /tank/result/<hash>/rootfs/ ? So that's where I should build the MacOS one too? Up until now I've just been building it inside of /tank/result/<hash>, to make it uniform I can use rootfs which as you said reduces the amount of things the fetcher needs to do/know about?

[talex5]

Yes, that's right. It allows us to store extra data about the build, such as the environment variables and the log, plus anything else we think of in the future.

[talex5]

If you keep get_base, this part doesn't need to be duplicated.

[patricoferris]

Thanks for the detailed feedback, have responded to various bits but I think these changes clean the code up quite a bit!

[patricoferris]

I think I agree. Certainly the logging of what is going on can stay, so perhaps get_base can just be passed the Sandbox.from function to be passed into Store.build, the only issue I see with that is that we would require Sandbox.from to persist the environment in a specific location.

Or should Sandbox.from be changed to something like:

val from : 
  log:Build_log.t -> base:string -> string -> (Saved_context.env, [ `Cancelled | `Msg of string ]) result Lwt.t

And get base becomes:

let get_base t ~log base =
    log `Heading (Fmt.strf "(from %a)" Sexplib.Sexp.pp_hum (Atom base));
    let id = Sha256.to_hex (Sha256.string base) in
    Store.build t.store ~id ~log (fun ~cancelled:_ ~log tmp ->
        Log.info (fun f -> f "Base image not present; importing %S..." base);
        Sandbox.from ~log ~base tmp >>!= fun env -> 
        Os.write_file ~path:(tmp / "env")
          (Sexplib.Sexp.to_string_hum Saved_context.(sexp_of_t {env})) >>= fun () ->
        Lwt_result.return ()
      )
    >>!= fun id ->
    let path = Option.get (Store.result t.store id) in
    let { Saved_context.env } = Saved_context.t_of_sexp (Sexplib.Sexp.load_sexp (path / "env")) in
    Lwt_result.return (id, env)

[patricoferris]

Agreed -- see comment above about a proposed get_base + from combination that requires from to return a Saved_context.env that get_base can persist.

[patricoferris]

Yep

[patricoferris]

Okay I think I follow -- would it be enough then for the mock_sandbox to just be:

let from : Obuilder.Runc_sandbox.from

for now?

[talex5]

What's happening with this? Is there a new version available to review?

I'd like to make some improvements to the docs, but I don't want to create conflicts with this work.

[patricoferris]

Hi @talex5 :)) I would say conflict away, this is currently somewhat shelved in favour me testing the idea more (e.g. deploying a little version of opam-health-check with my own modified version of OCluster/OBuilder). Sorry for not mentioning that.

[talex5]

I've updated the docs, so this needs rebasing now.

It would be good to get this in soon, because we're going to need it for the Windows support too.

[patricoferris]

Okay 👍 -- will work on it this afternoon

[patricoferris]

@talex5 this should be ready for a second review, sorry about the weird formatting errors I had to fix. I still have a few questions though.

Re:#58 (comment) do you want this in this PR? I took this implementation and used it with ocluster to see what it would look like and because cmdliner/config is in Runc_sandbox.mli everything is... not very generalised 😅 ?

After re-writing everything to go with your suggestions, this comment #58 (comment) really resonated with me. Do you think there should be a S.FETCH with a docker.ml implementation or something like that (if so in this PR or a different one?).

Lastly I haven't passed in tmp / "rootfs" -- I wasn't 100% sure all implementations would use that directory so just passing tmp and forcing the implementation to decide seemed safest, but let me know if that's not the case :)

[talex5]

Thanks, this is good progress :-)

Re:#58 (comment) do you want this in this PR? I took this implementation and used it with ocluster to see what it would look like and because cmdliner/config is in Runc_sandbox.mli everything is... not very generalised?

Well, the interface should eventually be in sandbox.mli, not runc_sandbox.mli, and then it should look OK. If you prefer, I don't mind creating another signature for this (e.g. STORE_MAKER or something), as long as it's separate from STORE.

Do you think there should be a S.FETCH with a docker.ml implementation or something like that (if so in this PR or a different one?).

I think that makes sense, especially as the Windows implementation will be using docker pull too. For now, I'd suggest just putting the docker-pull stuff in its own module (since you're moving it anyway).

Lastly I haven't passed in tmp / "rootfs" -- I wasn't 100% sure all implementations would use that directory so just passing tmp and forcing the implementation to decide seemed safest, but let me know if that's not the case :)

It's not a good idea to let the sandboxes/fetchers pick a name themselves because:

1. It has to not conflict with the names used in the main library (e.g. log), and we may add new ones later.
2. It has to be the same for fetchers and sandboxes.

[MisterDA]

Nothing much really, but you've left trailing whitespace in the obuilder PR.
Could you do a little run of something akin to this?
sed -i'' 's/[[:space:]]*$//' **/*.ml{i,}

Passing the conf parameter doesn't play nicely with multiple sandboxes implementation: I have the Runc_sandbox.config type and the Docker_sandbox.config that conflict. I'm thinking of moving it to the S.SANDBOX module, a bit like the BUILDER.context type.

[patricoferris]

Yeah sorry about the formatting, without ocamlformat I'm at a loss :)) Thanks for looking through this.

I didn't change the config type problem just yet because I wasn't adding anymore sandboxes I can definitely extract this out now to a sandbox.mli and a dune rule for always choosing the runc implementation.

I'm thinking of moving it to the S.SANDBOX module

See comment #58 (comment) why it was moved out of there. As @talex5 said would this not work eventually with a sandbox.mli interface? The eventual solution for macOS was something like this https://github.com/patricoferris/obuilder/blob/macos-sandbox/lib/dune#L1-L13 so the sandbox became a build-time choice, does this work for windows?

[MisterDA]

Thanks for the explanation!
The sandbox doesn't have to become a build choice, it can be selected according to the chosen storage. In the case of the Docker sandbox, it makes sense to decide to use it depending on the storage: if the Docker storage is used, then the Docker sandbox should be used too, otherwise (btrfs/zfs) use runc. On Windows, if (when) we'll use a snapshotting filesystem, we'll also switch to the port of runc.

[patricoferris]

Would be good to get this merged, as it is now blocking @MisterDA.

To summarise the changes:

• There is now a notion of FETCHER to perform the initialisation of the rootfs directory. For now there is one implementation, Docker, but macOS currently does something completely different so it is nice to have this flexibility.
• Sandboxes have been generalised to be passed a config argument which is implementation specific and a config Cmdliner.Term.t value is provided so the CLI(s) can expose the configuration parameters, in runc's case this is just the fast_sync functionality. At the moment I don't think we're using OBuilder anywhere where we can't use a CLI so the fact that the config is abstract and can only be built via the CLI is ok, but I'm not 100% sure on this.
• The build log copy function which is used in multiple places now lives in build_log.ml

I think that's everything, apart from some formatting what do you think in terms of next steps for this @talex5? @MisterDA too ? Sorry it's taken so long!

[talex5]

Thanks! Looks good to merge once CI is done (I just rebased it and reindented the get_base function).