@lurtz lurtz commented Oct 6, 2025

linux-sandbox does not work by default and is by some expected to work. For example, tests of https://github.com/eclipse-score/communication actually only are stable if run with linux-sandbox. Otherwise they tip on each other's toes.

Fixes #32

linux-sandbox does not work by default and is by some expected to work.
@lurtz lurtz marked this pull request as ready for review October 6, 2025 15:13
@lurtz lurtz changed the title Document state of linux-sandbox in the container Document state of linux-sandbox in the container Oct 7, 2025
README.md Outdated
### Bazel's `linux-sandbox`

`linux-sandbox` makes use of [Linux user namespaces](https://man7.org/linux/man-pages/man7/user_namespaces.7.html).
These only work for `linux-sandbox` as expected, if the following snipped is added to the `.devcontainer/devcontainer.json`:
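
Review bot: The sentence beginning "These only work" makes an edit to `.devcontainer/devcontainer.json` a precondition for `linux-sandbox` but does not say what the edit grants the container or why user namespaces need it. Since that file configures the development container itself, name the option and the privilege it adds in that sentence, and drop the comma before "if".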

typo: "snipped" should be "snippet"

@nick-hildebrant-etas

Docker capability SYS_ADM should be sufficient that the container can create and write to namespaces it created, and I suspect the test attempting to access /tmp/shm is the reason the container requires --privileged. This doesn't really change the fact that LoLa tests would likely require --privileged in any case.

@lurtz lurtz commented Oct 7, 2025

> Docker capability SYS_ADM should be sufficient that the container can create and write to namespaces it created, and I suspect the test attempting to access /tmp/shm is the reason the container requires --privileged. This doesn't really change the fact that LoLa tests would likely require --privileged in any case.

I already tried SYS_ADMIN: #32 (comment)

You can check if it might work with `linux-sandbox /bin/true` in the devcontainer. In my tests this failed, even when I was able to make `unshare --user --mount --map-root-user bash` work.
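
The check described in the comment above, as an added example that is not part of the original thread: a POSIX shell script that runs both probes, reports whether the process holds `CAP_SYS_ADMIN`, and distinguishes "user namespaces work but `linux-sandbox` does not" from the other outcomes. The function names and the `LINUX_SANDBOX` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the PR): probe whether this container can run
# Bazel's linux-sandbox, using the two commands mentioned in the thread.

# Run a command quietly and print "ok" or "fail" instead of exiting.
probe() {
    if "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Print "yes" if CAP_SYS_ADMIN (capability bit 21) is set in a CapEff hex mask.
has_sys_admin() {
    if [ $(( (0x$1 >> 21) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# Combine the unshare result ($1) and the linux-sandbox result ($2).
verdict() {
    case "$1/$2" in
        */ok)    echo sandbox-usable ;;
        ok/fail) echo userns-only ;;     # the situation reported in this thread
        *)       echo userns-blocked ;;
    esac
}

# $1: path to the linux-sandbox binary (assumption: supplied by the caller).
check_sandbox() {
    u=$(probe unshare --user --mount --map-root-user /bin/true)
    s=$(probe "$1" /bin/true)
    verdict "$u" "$s"
}

# Report the effective capability mask of the current process as context.
capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null)
echo "CAP_SYS_ADMIN: $(has_sys_admin "${capeff:-0}")"
# LINUX_SANDBOX is a hypothetical variable naming the binary to test.
echo "verdict: $(check_sandbox "${LINUX_SANDBOX:-linux-sandbox}")"
```

A `userns-only` verdict means a successful `unshare` is not enough evidence that Bazel's sandbox will start in the container.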

@nick-hildebrant-etas

> > Docker capability SYS_ADM should be sufficient that the container can create and write to namespaces it created, and I suspect the test attempting to access /tmp/shm is the reason the container requires --privileged. This doesn't really change the fact that LoLa tests would likely require --privileged in any case.
>
> I already tried SYS_ADMIN: #32 (comment)
>
> You can check if it might work with `linux-sandbox /bin/true` in the devcontainer. In my tests this failed, even when I was able to make `unshare --user --mount --map-root-user bash` work.

Yes, sorry I mixed two topics. What I meant was, I think you will have this problem with that test even outside of Bazel or any sandboxing issues. Trying to run a test which is accessing /tmp/shm in a Docker container at all will require --privileged. As far as I know, there is no docker cap to cover the use case. I think it's good to document --privileged as a requirement for LoLa testing.

@lurtz lurtz commented Oct 7, 2025

> > > Docker capability SYS_ADM should be sufficient that the container can create and write to namespaces it created, and I suspect the test attempting to access /tmp/shm is the reason the container requires --privileged. This doesn't really change the fact that LoLa tests would likely require --privileged in any case.
> >
> > I already tried SYS_ADMIN: #32 (comment)
> > You can check if it might work with `linux-sandbox /bin/true` in the devcontainer. In my tests this failed, even when I was able to make `unshare --user --mount --map-root-user bash` work.
>
> Yes, sorry I mixed two topics. What I meant was, I think you will have this problem with that test even outside of Bazel or any sandboxing issues. Trying to run a test which is accessing /tmp/shm in a Docker container at all will require --privileged. As far as I know, there is no docker cap to cover the use case. I think it's good to document --privileged as a requirement for LoLa testing.

What I also noticed is that POSIX message queue IDs might not be namespaced and I had tests with colliding IDs even though linux-sandbox is available. As far as I know lola is moved towards Unix Domain Sockets and thus I will not pursue that further.

@lurtz lurtz commented Oct 10, 2025

https://docs.podman.io/en/latest/markdown/podman-run.1.html#privileged

podman should confine containers better than docker when using --privileged. At the moment the image works with podman, but we lack CI to test that.

@nradakovic nradakovic self-requested a review October 23, 2025 10:37
@nradakovic nradakovic merged commit 700e882 into eclipse-score:main Oct 23, 2025
2 checks passed
@lurtz lurtz deleted the run-privileged branch October 23, 2025 10:39
@lurtz lurtz mentioned this pull request Oct 24, 2025

Development

Successfully merging this pull request may close these issues.

devcontainer breaks bazels linux-sandbox