Sandbox - The build sandbox

Element plugins which want to interface with the sandbox need only understand this interface, while it may be given a different sandbox implementation, any sandbox implementation it is given will conform to this interface.

See also: Sandboxing.

class SandboxFlags

Bases: object

Flags indicating how the sandbox should be run.

ROOT_READ_ONLY = 1

The root filesystem is read only.

This is normally true except when running integration commands on staged dependencies, where we have to update caches and run things such as ldconfig.

NETWORK_ENABLED = 2

Whether to expose host network.

This should not be set when running builds, but can be allowed for running a shell in a sandbox.

INTERACTIVE = 4

Whether to run the sandbox interactively

This determines if the sandbox should attempt to connect the terminal through to the calling process, or detach the terminal entirely.

INHERIT_UID = 8

Whether to use the user id and group id from the host environment

This determines if processes in the sandbox should run with the same user id and group id as BuildStream itself. By default, processes run with user id and group id 0, protected by a user namespace where available.

CREATE_DEV_SHM = 16

Whether to create /dev/shm in the sandbox.

This allows plugins to create /dev/shm in the sandbox. This flag was added to fix a bug in which /dev/shm was not added in, meaning our sandbox was not POSIX compliant.

class Sandbox

Bases: object

Sandbox programming interface for Element plugins.

DEVICES = ['/dev/urandom', '/dev/random', '/dev/zero', '/dev/null']
get_directory()

Fetches the sandbox root directory

The root directory is where artifacts for the base runtime environment should be staged.

Returns:

The sandbox root directory

Return type:

(str)

set_environment(environment)

Sets the environment variables for the sandbox

Parameters:

directory (dict) – The environment variables to use in the sandbox

set_work_directory(directory)

Sets the work directory for commands run in the sandbox

Parameters:

directory (str) – An absolute path within the sandbox

mark_directory(directory, *, artifact=False)

Marks a sandbox directory and ensures it will exist

Parameters:
  • directory (str) – An absolute path within the sandbox to mark

  • artifact (bool) – Whether the content staged at this location contains artifacts

Note

Any marked directories will be read-write in the sandboxed environment, only the root directory is allowed to be readonly.

run(command, flags, *, cwd=None, env=None)

Run a command in the sandbox.

Parameters:
  • command (list) – The command to run in the sandboxed environment, as a list of strings starting with the binary to run.

  • flags (SandboxFlags) – The flags for running this command.

  • cwd (str) – The sandbox relative working directory in which to run the command.

  • env (dict) – A dictionary of string key, value pairs to set as environment variables inside the sandbox environment.

Returns:

The program exit code.

Return type:

(int)

:raises (ProgramNotFoundError): If a host tool which the given sandbox implementation requires is not found.

Note

The optional cwd argument will default to the value set with set_work_directory()