Sandbox
To enforce hermetic execution of build steps, Zack needs sandboxing technology. The immediate goal is to prevent accidental sources of non-determinism, such as inputs that are unknown to the build system.
The implementation will most likely overlap with Execution VFS and Execution Instrumentation.
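As an added illustration (not Zack's code, nor that of any tool listed below), this Python sketch shows how an undeclared input surfaces when an action runs in a fresh directory that holds only its declared inputs, with a fixed environment. The names run_hermetic and demo, the file names, and a POSIX host are assumptions; the workspace is constructed inline.

```python
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path


def run_hermetic(workspace, declared_inputs, argv):
    """Run argv in a fresh directory that contains only the declared inputs.

    Hypothetical helper for illustration; returns (exit code, stdout, stderr).
    """
    workspace = Path(workspace)
    with tempfile.TemporaryDirectory(prefix="action-") as tmp:
        root = Path(tmp)
        for rel in declared_inputs:
            if Path(rel).is_absolute() or ".." in Path(rel).parts:
                raise ValueError(f"input must stay inside the workspace: {rel}")
            dest = root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(workspace / rel, dest)  # copy, so the source stays untouched
        # Fixed, minimal environment: the caller's variables are not inherited.
        env = {"PATH": os.defpath, "LC_ALL": "C", "TZ": "UTC"}
        proc = subprocess.run(argv, cwd=root, env=env,
                              capture_output=True, text=True)
        return proc.returncode, proc.stdout, proc.stderr


def demo():
    """Constructed workspace: the action reads a.txt and b.txt."""
    with tempfile.TemporaryDirectory() as ws:
        Path(ws, "a.txt").write_text("A\n")
        Path(ws, "b.txt").write_text("B\n")
        action = [sys.executable, "-c",
                  "print(open('a.txt').read() + open('b.txt').read(), end='')"]
        incomplete = run_hermetic(ws, ["a.txt"], action)        # b.txt undeclared
        complete = run_hermetic(ws, ["a.txt", "b.txt"], action)  # both declared
        return incomplete, complete


if __name__ == "__main__":
    incomplete, complete = demo()
    print("b.txt undeclared -> exit", incomplete[0])
    print("all declared     -> exit", complete[0], repr(complete[1]))
```

Staging like this only catches accidental reads through relative paths and inherited environment variables; an action can still open absolute paths on the host, which is where OS-level isolation comes in.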
Existing Tools
- The Bazel Sandbox (not well documented)
- Docker: Very common. Startup of individual containers is relatively slow, so it is probably not suited to many small isolated actions.
Not triaged yet
Probably too restrictive
- goal
- rusty-sandbox: We’d need to allow more IO.
How do others do it?
The sandbox in Dune sounds very pragmatic.