Make it easier for humans to use RBE, and maintain our bazelrc.

This CL merges all RBE-specific configuration from .bazelrc_rbe into .bazelrc
so that it will be picked up by default by users running bazel.

It also checks in a bazelrc from the upstream bazel-toolchains repository, and
imports that into our repo-specific .bazelrc. This makes it easier to maintain
and update the bazelrc going forward.

Documentation was added to the README.

PiperOrigin-RevId: 242208733
Change-Id: Iea32de9be85b024bd74f88909b56b2a8ab34851a

.bazelrc

@@ -1 +1,55 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Start with a base bazelrc for a recent version of bazel. These can be
+# downloaded from:
+# https://github.com/bazelbuild/bazel-toolchains/tree/master/bazelrc
+import %workspace%/tools/bazel-0.24.0.bazelrc
+
+# All changes below are gVisor-specific.
+
+# Display the current git revision in the info block.
 build --workspace_status_command tools/workspace_status.sh
+
+# Add a custom toolchain that builds in a privileged docker container, which is
+# required by our syscall tests.
+build:remote --extra_toolchains=//test:cc-toolchain-clang-x86_64-default
+build:remote --extra_execution_platforms=//test:rbe_ubuntu1604
+build:remote --host_platform=//test:rbe_ubuntu1604
+build:remote --platforms=//test:rbe_ubuntu1604
+
+# RBE requires a strong hash function, such as SHA256.
+startup --host_jvm_args=-Dbazel.DigestFunction=SHA256
+
+# Auth scope needed for authentication with RBE.
+build:remote --auth_scope="https://www.googleapis.com/auth/cloud-source-tools"
+
+# Set flags for uploading to BES in order to view results in the Bazel Build
+# Results UI.
+build:results --bes_backend="buildeventservice.googleapis.com"
+build:results --bes_timeout=60s
+build:results --tls_enabled
+
+# Output BES results url
+build:results --bes_results_url="https://source.cloud.google.com/results/invocations/"
+
+# Set flags for uploading to BES without Remote Build Execution.
+build:results-local --bes_backend="buildeventservice.googleapis.com"
+build:results-local --bes_timeout=60s
+build:results-local --tls_enabled=true
+build:results-local --auth_enabled=true
+build:results-local --spawn_strategy=local
+build:results-local --remote_cache=remotebuildexecution.googleapis.com
+build:results-local --remote_timeout=3600
+build:results-local --bes_results_url="https://source.cloud.google.com/results/invocations/"

README.md

@@ -314,6 +314,28 @@ Run your container again, and inspect the files under `/tmp/runsc`. The log file
 with name `boot` will contain the strace logs from your application, which can
 be useful for identifying missing or broken system calls in gVisor.
 
+### Building/testing with Remote Execution
+
+If you have a [Remote Build Execution][rbe] environment, you can use it to speed
+up gVisor build and test cycles.
+
+You must authenticate with the project first:
+
+```
+gcloud auth application-default login --no-launch-browser
+```
+
+Then invoke bazel with the following flags:
+
+```
+--config=remote
+--project_id=$PROJECT
+--remote_instance_name=projects/$PROJECT/instances/default_instance
+```
+
+You can also add those flags to your local ~/.bazelrc to avoid needing to
+specify them each time on the command line.
+
 ### Enabling network passthrough
 
 For high-performance networking applications, you may choose to disable the user
@@ -455,6 +477,7 @@ See [Contributing.md](CONTRIBUTING.md).
 [netstack]: https://github.com/google/netstack
 [oci]: https://www.opencontainers.org
 [python]: https://python.org
+[rbe]: https://blog.bazel.build/2018/10/05/remote-build-execution.html
 [runsc-nightly-sha]: https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc.sha512
 [runsc-nightly]: https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc
 [sandbox]: https://en.wikipedia.org/wiki/Sandbox_(computer_security)

WORKSPACE

@@ -27,11 +27,11 @@ gazelle_dependencies()
 # See releases at https://releases.bazel.build/bazel-toolchains.html
 http_archive(
     name = "bazel_toolchains",
-    sha256 = "4b1468b254a572dbe134cc1fd7c6eab1618a72acd339749ea343bd8f55c3b7eb",
-    strip_prefix = "bazel-toolchains-d665ccfa3e9c90fa789671bf4ef5f7c19c5715c4",
+    sha256 = "67335b3563d9b67dc2550b8f27cc689b64fadac491e69ce78763d9ba894cc5cc",
+    strip_prefix = "bazel-toolchains-cddc376d428ada2927ad359211c3e356bd9c9fbb",
     urls = [
-        "https://mirror.bazel.build/github.com/bazelbuild/bazel-toolchains/archive/d665ccfa3e9c90fa789671bf4ef5f7c19c5715c4.tar.gz",
-        "https://github.com/bazelbuild/bazel-toolchains/archive/d665ccfa3e9c90fa789671bf4ef5f7c19c5715c4.tar.gz",
+        "https://mirror.bazel.build/github.com/bazelbuild/bazel-toolchains/archive/cddc376d428ada2927ad359211c3e356bd9c9fbb.tar.gz",
+        "https://github.com/bazelbuild/bazel-toolchains/archive/cddc376d428ada2927ad359211c3e356bd9c9fbb.tar.gz",
     ],
 )
 

kokoro/run_tests.sh

@@ -47,11 +47,6 @@ bazel version
 # Load the kvm module
 sudo -n -E modprobe kvm
 
-# Bazel start-up flags for RBE.
-BAZEL_RBE_FLAGS=(
-  "--bazelrc=${WORKSPACE_DIR}/.bazelrc_rbe"
-)
-
 # General Bazel build/test flags.
 BAZEL_BUILD_FLAGS=(
   "--show_timestamps"
@@ -77,9 +72,7 @@ build_everything() {
   FLAVOR="${1}"
 
   cd ${WORKSPACE_DIR}
-  bazel \
-    "${BAZEL_RBE_FLAGS[@]}" \
-    build \
+  bazel build \
     -c "${FLAVOR}" "${BAZEL_BUILD_RBE_FLAGS[@]}" \
     "${BUILD_PACKAGES[@]}"
 }
@@ -88,8 +81,7 @@ build_everything() {
 # configuration.
 run_simple_tests() {
   cd ${WORKSPACE_DIR}
-  bazel \
-    test \
+  bazel test \
     "${BAZEL_BUILD_FLAGS[@]}" \
     "${TEST_PACKAGES[@]}"
 }
@@ -178,9 +170,7 @@ run_root_tests() {
 # Run syscall unit tests.
 run_syscall_tests() {
   cd ${WORKSPACE_DIR}
-  bazel \
-    "${BAZEL_RBE_FLAGS[@]}" \
-    test "${BAZEL_BUILD_RBE_FLAGS[@]}" \
+  bazel test "${BAZEL_BUILD_RBE_FLAGS[@]}" \
     --test_tag_filters=runsc_ptrace //test/syscalls/...
 }
 

.bazelrc_rbe → tools/bazel-0.24.0.bazelrc

@@ -12,17 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Note for gVisor authors:
-#   This version is a derivative of: bazel-0.23.0.bazelrc
-#   From: https://github.com/bazelbuild/bazel-toolchains/blob/master/bazelrc/bazel-0.20.0.bazelrc
+# This file is auto-generated from release/bazelrc.tpl and should not be
+# modified directly.
 
-# This .bazelrc file contains all of the flags required for the toolchain,
-# Remote Build Execution, and the Bazel Build Results UI. Specific flags in
-# your Bazel command allow you to use only the remote build, to use only the
-# results UI, or to use them both together.
-
-# Remote Build Execution requires a strong hash function, such as SHA256.
-startup --host_jvm_args=-Dbazel.DigestFunction=SHA256
+# This .bazelrc file contains all of the flags required for the provided
+# toolchain with Remote Build Execution.
+#
+# This .bazelrc file also contains all of the flags required for the local
+# docker sandboxing.
 
 # Depending on how many machines are in the remote execution instance, setting
 # this higher can make builds faster by allowing more jobs to run in parallel.
@@ -41,7 +38,7 @@ build:remote --host_javabase=@bazel_toolchains//configs/ubuntu16_04_clang/1.2:jd
 build:remote --javabase=@bazel_toolchains//configs/ubuntu16_04_clang/1.2:jdk8
 build:remote --host_java_toolchain=@bazel_tools//tools/jdk:toolchain_hostjdk8
 build:remote --java_toolchain=@bazel_tools//tools/jdk:toolchain_hostjdk8
-build:remote --crosstool_top=@bazel_toolchains//configs/ubuntu16_04_clang/1.2/bazel_0.23.0/default:toolchain
+build:remote --crosstool_top=@bazel_toolchains//configs/ubuntu16_04_clang/1.2/bazel_0.24.0/default:toolchain
 build:remote --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
 # Platform flags:
 # The toolchain container used for execution is defined in the target indicated
@@ -51,10 +48,10 @@ build:remote --action_env=BAZEL_DO_NOT_DETECT_CPP_TOOLCHAIN=1
 # "extra_toolchains" to be selected (given constraints defined in
 # "exec_compatible_with").
 # More about platforms: https://docs.bazel.build/versions/master/platforms.html
-build:remote --extra_toolchains=//test:cc-toolchain-clang-x86_64-default
-build:remote --extra_execution_platforms=//test:rbe_ubuntu1604
-build:remote --host_platform=//test:rbe_ubuntu1604
-build:remote --platforms=//test:rbe_ubuntu1604
+build:remote --extra_toolchains=@bazel_toolchains//configs/ubuntu16_04_clang/1.2/bazel_0.24.0/cpp:cc-toolchain-clang-x86_64-default
+build:remote --extra_execution_platforms=@bazel_toolchains//configs/ubuntu16_04_clang/1.2:rbe_ubuntu1604
+build:remote --host_platform=@bazel_toolchains//configs/ubuntu16_04_clang/1.2:rbe_ubuntu1604
+build:remote --platforms=@bazel_toolchains//configs/ubuntu16_04_clang/1.2:rbe_ubuntu1604
 
 # Set various strategies so that all actions execute remotely. Mixing remote
 # and local execution will lead to errors unless the toolchain and remote
@@ -82,26 +79,20 @@ build:remote --remote_timeout=3600
 # default. You can use --auth_credentials=some_file.json to use a service
 # account credential instead.
 build:remote --auth_enabled=true
-build:remote --auth_scope="https://www.googleapis.com/auth/cloud-source-tools"
-
-# Set flags for uploading to BES in order to view results in the Bazel Build
-# Results UI.
-build:results --bes_backend="buildeventservice.googleapis.com"
-build:results --bes_timeout=60s
-build:results --tls_enabled
-
-# Output BES results url
-build:results --bes_results_url="https://source.cloud.google.com/results/invocations/"
 
-# Set flags for uploading to BES without Remote Build Execution.
-build:results-local --bes_backend="buildeventservice.googleapis.com"
-build:results-local --bes_timeout=60s
-build:results-local --tls_enabled=true
-build:results-local --auth_enabled=true
-build:results-local --spawn_strategy=local
-build:results-local --remote_cache=remotebuildexecution.googleapis.com
-build:results-local --remote_timeout=3600
-build:results-local --bes_results_url="https://source.cloud.google.com/results/invocations/"
+# The following flags are only necessary for local docker sandboxing
+# with the rbe-ubuntu16-04 container. Use of these flags is still experimental.
+build:docker-sandbox --host_javabase=@bazel_toolchains//configs/ubuntu16_04_clang/1.2:jdk8
+build:docker-sandbox --javabase=@bazel_toolchains//configs/ubuntu16_04_clang/1.2:jdk8
+build:docker-sandbox --crosstool_top=@bazel_toolchains//configs/ubuntu16_04_clang/1.2/bazel_0.24.0/default:toolchain
+build:docker-sandbox --experimental_docker_image=gcr.io/cloud-marketplace/google/rbe-ubuntu16-04@sha256:da0f21c71abce3bbb92c3a0c44c3737f007a82b60f8bd2930abc55fe64fc2729
+build:docker-sandbox --spawn_strategy=docker
+build:docker-sandbox --strategy=Javac=docker
+build:docker-sandbox --strategy=Closure=docker
+build:docker-sandbox --strategy=Genrule=docker
+build:docker-sandbox --define=EXECUTOR=remote
+build:docker-sandbox --experimental_docker_verbose
+build:docker-sandbox --experimental_enable_docker_sandbox
 
 # The following flags enable the remote cache so action results can be shared
 # across machines, developers, and workspaces.