Sandbox

For enforcing hermetic execution of build steps, Zack needs sandboxing technology. The immediate goal is to prevent accidental sources of non-determinism such as inputs unknown to the build system.

The implementation will most likely overlap with Execution VFS and Execution Instrumentation.

Existing Tools

• The Bazel Sandbox (not well documented)
• Docker: Very common. Startup of individual containers relatively slow, so probably not suited for many small isolated actions.
• buildah during building
• common-rs A pod level OCI container runtime monitor.
• youki A container runtime in Rust, awesome pointers here: https://youki-dev.github.io/youki/developer/libcontainer.html
• syd

https://doc.rust-lang.org/std/os/unix/process/trait.CommandExt.html#tymethod.pre_exec

Not triaged yet

• jailtime Linux / Mac OS
• jailkit Linux / Mac OS

Probably too restrictive

• goal
• rusty-sandbox: We’d need to allow more IO.

How do others do it?

The sandbox in Dune sounds very pragmatic.

Technology

https://github.com/soh0ro0t/kernel-namespace/blob/master/user-namespace.md