gvisor 编译

https://pkg.go.dev/gvisor.dev/gvisor@v0.0.0-20201222062610-620de250a48a?tab=versions

https://cloud-atlas.readthedocs.io/zh_CN/latest/kubernetes/virtual/gvisor/gvisor_quickstart.html

执行make

Removing intermediate container 3dcdb63a9f6d
 ---> 903876c5fb4a
Step 4/10 : RUN pip install --no-cache-dir pycparser
 ---> Running in 41ec3173068f
WARNING: Running pip install with root privileges is generally not a good idea. Try `pip install --user` instead.
Collecting pycparser
  WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0xffff86941790>, 'Connection to pypi.org timed out. (connect timeout=15)')': /simple/pycparser/
  WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0xffff868f6c90>, 'Connection to pypi.org timed out. (connect timeout=15)')': /simple/pycparser/
  WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0xffff868f6ed0>, 'Connection to pypi.org timed out. (connect timeout=15)')': /simple/pycparser/
  WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0xffff868ac050>, 'Connection to pypi.org timed out. (connect timeout=15)')': /simple/pycparser/
  WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ConnectTimeoutError(<pip._vendor.urllib3.connection.VerifiedHTTPSConnection object at 0xffff868ac110>, 'Connection to pypi.org timed out. (connect timeout=15)')': /simple/pycparser/
  ERROR: Could not find a version that satisfies the requirement pycparser (from versions: none)
ERROR: No matching distribution found for pycparser
The command '/bin/sh -c pip install --no-cache-dir pycparser' returned a non-zero code: 1
--- BUILD -c opt //runsc
Error: No such container: gvisor-bazel-3328c4e9-aarch64
root@cloud:~/gvisor# 

vi images/default/Dockerfile +6
FROM fedora:31

# Install bazel.
RUN dnf install -y dnf-plugins-core && dnf copr enable -y vbatts/bazel
RUN dnf install -y git gcc make golang gcc-c++ glibc-devel python3 which python3-pip python3-devel libffi-devel openssl-devel pkg-config glibc-static libstdc++-static patch diffutils
RUN pip install --no-cache-dir pycparser -i http://pypi.douban.com/simple --trusted-host pypi.douban.com
RUN dnf install -y bazel3

 添加pip代理

root@cloud:~/gvisor# pip install --no-cache-dir pycparser
Collecting pycparser
  Downloading https://files.pythonhosted.org/packages/ae/e7/d9c3a176ca4b02024debf82342dab36efadfc5776f9c8db077e8f6e71821/pycparser-2.20-py2.py3-none-any.whl (112kB)
    100% |████████████████████████████████| 112kB 2.9MB/s 
Installing collected packages: pycparser
Successfully installed pycparser-2.20
root@cloud:~/gvisor# make -j $(nproc)

 

Total download size: 30 M
Installed size: 149 M
Downloading Packages:
docker-ce-cli-20.10.1-3.fc31.aarch64.rpm        5.6 MB/s |  30 MB     00:05    
--------------------------------------------------------------------------------
Total                                           5.6 MB/s |  30 MB     00:05     
warning: /var/cache/dnf/docker-ce-stable-5216070ebe39d4d5/packages/docker-ce-cli-20.10.1-3.fc31.aarch64.rpm: Header V4 RSA/SHA512 Signature, key ID 621e9f35: NOKEY
Docker CE Stable - aarch64                      0.0  B/s |   0  B     00:00    
Curl error (35): SSL connect error for https://download.docker.com/linux/fedora/gpg [OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to download.docker.com:443 ]
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
The command '/bin/sh -c dnf install -y docker-ce-cli' returned a non-zero code: 1
--- BUILD -c opt //runsc
Error: No such container:

下载bazel手动编译

root@cloud:~/gvisor# ../bazel/bazel-3.7.2-linux-arm64   build runsc
Extracting Bazel installation...
Starting local Bazel server and connecting to it...
DEBUG: /root/.cache/bazel/_bazel_root/b4a6b971b553ff6e5ffe7760c9348cdd/external/bazel_toolchains/rules/rbe_repo/version_check.bzl:68:14: 
Current running Bazel is ahead of bazel-toolchains repo. Please update your pin to bazel-toolchains repo in your WORKSPACE file.
DEBUG: /root/.cache/bazel/_bazel_root/b4a6b971b553ff6e5ffe7760c9348cdd/external/bazel_toolchains/rules/rbe_repo/checked_in.bzl:125:14: rbe_default not using checked in configs; Bazel version 3.7.2 was picked/selected but no checked in config was found in map {"0.20.0": ["8.0.0"], "0.21.0": ["8.0.0"], "0.22.0": ["8.0.0", "9.0.0"], "0.23.0": ["8.0.0", "9.0.0"], "0.23.1": ["8.0.0", "9.0.0"], "0.23.2": ["9.0.0"], "0.24.0": ["9.0.0"], "0.24.1": ["9.0.0"], "0.25.0": ["9.0.0"], "0.25.1": ["9.0.0"], "0.25.2": ["9.0.0"], "0.26.0": ["9.0.0"], "0.26.1": ["9.0.0"], "0.27.0": ["9.0.0"], "0.27.1": ["9.0.0"], "0.28.0": ["9.0.0"], "0.28.1": ["9.0.0"], "0.29.0": ["9.0.0"], "0.29.1": ["9.0.0", "10.0.0"], "1.0.0": ["9.0.0", "10.0.0"], "1.0.1": ["10.0.0"], "1.1.0": ["10.0.0"], "1.2.0": ["10.0.0"], "1.2.1": ["10.0.0"], "2.0.0": ["10.0.0"], "2.1.0": ["10.0.0"], "2.1.1": ["10.0.0", "11.0.0"], "2.2.0": ["11.0.0"], "3.0.0": ["11.0.0"], "3.1.0": ["11.0.0"]}
INFO: Repository com_github_google_subcommands instantiated at:
  /root/gvisor/WORKSPACE:221:14: in <toplevel>
Repository rule go_repository defined at:
  /root/.cache/bazel/_bazel_root/b4a6b971b553ff6e5ffe7760c9348cdd/external/bazel_gazelle/internal/go_repository.bzl:194:32: in <toplevel>
ERROR: An error occurred during the fetch of repository 'com_github_google_subcommands':
   Traceback (most recent call last):
        File "/root/.cache/bazel/_bazel_root/b4a6b971b553ff6e5ffe7760c9348cdd/external/bazel_gazelle/internal/go_repository.bzl", line 129, column 17, in _go_repository_impl
                fail("failed to fetch %s: %s" % (ctx.name, result.stderr))
Error in fail: failed to fetch com_github_google_subcommands: fetch_repo: github.com/google/subcommands@v1.0.2-0.20190508160503-636abe8753b8: Get "https://proxy.golang.org/github.com/google/subcommands/@v/v1.0.2-0.20190508160503-636abe8753b8.info": dial tcp 172.217.160.113:443: i/o timeout
ERROR: /root/gvisor/runsc/cli/BUILD:5:11: //runsc/cli:cli depends on @com_github_google_subcommands//:go_default_library in repository @com_github_google_subcommands which failed to fetch. no such package '@com_github_google_subcommands//': failed to fetch com_github_google_subcommands: fetch_repo: github.com/google/subcommands@v1.0.2-0.20190508160503-636abe8753b8: Get "https://proxy.golang.org/github.com/google/subcommands/@v/v1.0.2-0.20190508160503-636abe8753b8.info": dial tcp 172.217.160.113:443: i/o timeout
ERROR: Analysis of target '//runsc:runsc' failed; build aborted: Analysis failed
INFO: Elapsed time: 91.042s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (47 packages loaded, 6941 targets configured)
root@cloud:~/gvisor# 

root@cloud:~/gvisor# cat WORKSPACE  | grep com_github_google_subcommands
    name = "com_github_google_subcommands",
root@cloud:~/gvisor# 

 

usermod -G docker ubuntu，

To create the docker group and add your user:

1. Create the docker group.

   $ sudo groupadd docker
   

2. Add your user to the docker group.

   $ sudo usermod -aG docker $USER
   

3. Log out and log back in so that your group membership is re-evaluated.

   If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

   On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.

   On Linux, you can also run the following command to activate the changes to groups:

   $ newgrp docker 
   

4. Verify that you can run docker commands without sudo.

   $ docker run hello-world

然后另外打开一个终端执行

 

 

ubuntu@cloud:/gvisor$ make build -j $(nproc)
--- TAG default
--- DOCKER BUILD
sha256:1c0ac5ad3d08348cc1f2f9f8f3e13d221fb5cc3d4ecd5fce90021f282cc380d6
--- DOCKER RUN
1af161bfb76a3823e7b7f96837902fa9b6f75ed0ee7c04e15a5ae265c0cca14f
--- BUILD
tee: /proc/self/fd/2: Permission denied
ubuntu@cloud:/gvisor$ 

 echo TEST > /proc/self/fd/2

查看 ubuntu

参考

https://github.com/thecodingmachine/docker-images-php/issues/133

root 用户

root@cloud:/# chmod 777 /dev/pts/0
root@cloud:/# 

github.com/google/gvisor/pkg/sentry/platform

root@cloud:/gvisor# go get gvisor.dev/gvisor/runsc@go
go: found gvisor.dev/gvisor/runsc in gvisor.dev/gvisor v0.0.0-20201228220549-5c21c7c3bd15
# gvisor.dev/gvisor/pkg/sentry/platform/ring0/pagetables
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_empty.go:121:14: pudEntry.SetSuper undefined (type *PTE has no field or method SetSuper)
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_empty.go:132:22: pudEntry.IsSuper undefined (type *PTE has no field or method IsSuper)
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_empty.go:138:24: pmdEntries[index].SetSuper undefined (type PTE has no field or method SetSuper)
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_empty.go:175:15: pmdEntry.SetSuper undefined (type *PTE has no field or method SetSuper)
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_empty.go:186:23: pmdEntry.IsSuper undefined (type *PTE has no field or method IsSuper)
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:121:14: pudEntry.SetSuper undefined (type *PTE has no field or method SetSuper)
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:132:22: pudEntry.IsSuper undefined (type *PTE has no field or method IsSuper)
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:138:24: pmdEntries[index].SetSuper undefined (type PTE has no field or method SetSuper)
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:175:15: pmdEntry.SetSuper undefined (type *PTE has no field or method SetSuper)
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:186:23: pmdEntry.IsSuper undefined (type *PTE has no field or method IsSuper)
/opt/gopath15.6/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:186:23: too many errors
root@cloud:/gvisor# go get github.com/google/gvisor/pkg/sentry/platform

介绍

gVisor是用Go实现的用户空间内核。包括OCI运行时runsc，隔离应用和主机内核。

容器并不是沙箱。尽管容器改变了我们开发、打包和部署应用的方式，但共享一个内核带来性能和效率的同时，也让容器逃离成为可能。

gVisor是容器的用户态内核，限制应用访问内核接口的同时允许应用获得需要的特性。

适用场景：

• 小容器，快速启动，高密度（如：FaaS？）

不适用场景：

• 可信镜像
• 系统调用频繁
• 直接访问硬件

隔离机制

容器现有的安全隔离手段包括：用户/组、Capabilities、Cgroup和名字空间。

除此之外，还有其它增强容器隔离性的手段，包括虚拟化、基于规则的安全策略和沙箱。

虚拟化

通过VMM将虚拟硬件暴露给虚拟机内核，容器运行在虚拟机中可以获得更好的隔离性和兼容性，但通常需要额外的代理和更多的资源。如KVM、Xen。

基于规则

为应用或容器制定专门的安全策略，让暴露面尽量小，但不能在新的应用上通用。如seccomp、SELinux和AppArmor。

gVisor

原理

架构

gVisor解析应用的系统调用，并进行相应的处理，而不是简单的转发给主机内核。gVisor实现了内核中大部分的基础组件（primitives），包括信号、文件系统、管道、内存管理、futexes等，并在此基础上实现列完整的系统调用处理方法。

gVisor容器运行时分为2个独立进程，Sentry进程负责执行用户代码，处理系统调用，而文件系统相关的操作则由Gofer进程处理，它们之间通过9P连接。

文件系统

Gofer作为文件系统代理，按应用的需求打开主机文件。Sentry在空用户名字空间运行，gVisor的系统调用会经过seccomp filters限制，实现深度防御（defense-in-depth）。

网络

Sentry实现了自己的网络栈（netstack），负责TCP连接状态、控制消息和包组装等工作，实现了与主机网络栈的隔离。数据链路层的包会直接写入优Docker或Kubernetes创建的网络名字空间虚拟设备上。

同时也支持网络透传模式，但这样会降低隔离性。

平台

Sentry需要平台（platform）实现基本的上下文切换和内存映射功能。目前支持两种平台：

• Ptrace，使用SYSEMU功能执行用户代码，无需执行主机系统调用。
• KVM，Sentry同时充当虚拟机OS和VMM，之间无缝切换。沙箱还是进程模型，没有虚拟硬件层，只是利用了现代处理器的虚拟化扩展提高隔离性和地址空间切换性能。

UML

User-Mode Linux

附录

快速试用

1. 环境要求
   • linux 3.17+
   • docker 17.09+
   • git/Bazel/Python
2. 安装bazel工具

$ wget https://github.com/bazelbuild/bazel/releases/download/0.13.0/bazel-0.13.0-installer-linux-x86_64.sh
$ chmod +x ./bazel-0.13.0-installer-linux-x86_64.sh
$ mkdir ~/bin
$ ./bazel-0.13.0-installer-linux-x86_64.sh --user

1. 下载编译安装gvisor

$ git clone https://gvisor.googlesource.com/gvisor gvisor
$ cd gvisor
$ bazel build runsc
INFO: Analysed target //runsc:runsc (170 packages loaded).
INFO: Found 1 target...
Target //runsc:runsc up-to-date:
  bazel-bin/runsc/linux_amd64_pure_stripped/runsc
INFO: Elapsed time: 24.098s, Critical Path: 16.44s
INFO: 156 processes, linux-sandbox.
INFO: Build completed successfully, 157 total actions
$ sudo cp ./bazel-bin/runsc/linux_amd64_pure_stripped/runsc /usr/bin/

1. 配置docker

   $ cat /etc/docker/daemon.json
   {
    "runtimes": {
        "runsc": {
            "path": "/usr/bin/runsc"
            "runtimeArgs": [
                "--debug-log-dir=/tmp/runsc",
                "--debug",
                "--strace",
                "--platform=ptrace"
            ]
        }
    }
   }
   $ sudo systemctl restart docker
   

2. 验证 ``` $ sudo docker run –runtime=runsc hello-world Hello from Docker! This message shows that your installation appears to be working correctly. To generate this message, Docker took the following steps:
3. The Docker client contacted the Docker daemon.
4. The Docker daemon pulled the “hello-world” image from the Docker Hub. (amd64)
5. The Docker daemon created a new container from that image which runs the executable that produces the output you are currently reading.
6. The Docker daemon streamed that output to the Docker client, which sent it to your terminal. ```

注：由于网络问题，无法访问golang.org导致编译失败，需要修改依赖的路径

diff --git a/WORKSPACE b/WORKSPACE
index 5ce2245..655cec6 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -56,12 +56,16 @@ go_repository(
 go_repository(
     name = "org_golang_x_net",
     importpath = "golang.org/x/net",
+    remote = "https://github.com/golang/net.git",
+    vcs = "git",
     commit = "b3c676e531a6dc479fa1b35ac961c13f5e2b4d2e",
 )
 go_repository(
     name = "org_golang_x_sys",
     importpath = "golang.org/x/sys",
+    remote = "https://github.com/golang/sys.git",
+    vcs = "git",
     commit = "0dd5e194bbf5eb84a39666eb4c98a4d007e4203a",
 )

#go_repository(
#    name = "org_golang_x_sys",
#    importpath = "golang.org/x/sys",
#    sum = "h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884=",
#    version = "v0.0.0-20200323222414-85ca7c5b95cd",
#)
go_repository(
    name = "org_golang_x_sys",
    importpath = "golang.org/x/sys",
    remote = "https://github.com/golang/sys.git",
    vcs = "git",
    commit="0d417f6369309be088e227ead8736fb722d759d3"
)

WORKSPACE文件允许用户的目标依赖其他文件系统的目标或者从网上下载的目标。WORKSPACE文件的语法和BUILD文件一致，不过会用到一些特定的内置rule，细节参考下一个章节的内容。

一共有三种外部依赖的主要类型：

1、依赖于其他Bazel工程

根据这个Bazel工程所处的位置不同，调用不同的内置rule来获得：

• local_repository：本地
• git_repository：git仓库
• http_archive：网络下载

假如现在有个工程my-project/，需要依赖与另一个工程coworkers-project/。这两个都是Bazel工程，那么需要在my_project/WORKSPACE下添加：

local_repository(
name = “coworkers_project”,
path = “/path/to/coworkers-project”,
)

 

go get gvisor.dev/gvisor/runsc@go
go: cannot use path@version syntax in GOPATH mode

 

root@cloud:~# go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc
can't load package: package gvisor.dev/gvisor/runsc: cannot find package "gvisor.dev/gvisor/runsc" in any of:
        /usr/local/go/src/gvisor.dev/gvisor/runsc (from $GOROOT)
        /opt/gopath/src/gvisor.dev/gvisor/runsc (from $GOPATH)
root@cloud:~# cd /gvisor/
root@cloud:/gvisor# go build -o /usr/local/bin/runsc gvisor.dev/gvisor/runsc
# gvisor.dev/gvisor/pkg/sentry/platform/ring0/pagetables
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_empty.go:121:14: pudEntry.SetSuper undefined (type *PTE has no field or method SetSuper)
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_empty.go:132:22: pudEntry.IsSuper undefined (type *PTE has no field or method IsSuper)
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_empty.go:138:24: pmdEntries[index].SetSuper undefined (type PTE has no field or method SetSuper)
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_empty.go:175:15: pmdEntry.SetSuper undefined (type *PTE has no field or method SetSuper)
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_empty.go:186:23: pmdEntry.IsSuper undefined (type *PTE has no field or method IsSuper)
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:121:14: pudEntry.SetSuper undefined (type *PTE has no field or method SetSuper)
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:132:22: pudEntry.IsSuper undefined (type *PTE has no field or method IsSuper)
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:138:24: pmdEntries[index].SetSuper undefined (type PTE has no field or method SetSuper)
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:175:15: pmdEntry.SetSuper undefined (type *PTE has no field or method SetSuper)
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:186:23: pmdEntry.IsSuper undefined (type *PTE has no field or method IsSuper)
/opt/gopath/pkg/mod/gvisor.dev/gvisor@v0.0.0-20201228220549-5c21c7c3bd15/pkg/sentry/platform/ring0/pagetables/walker_lookup.go:186:23: too many errors
note: module requires Go 1.15
root@cloud:/gvisor# 

go1.15

root@cloud:/gvisor# export GOPROXY=https://mirrors.aliyun.com/goproxy/
root@cloud:/gvisor# go get gvisor.dev/gvisor/runsc@go
go get gvisor.dev/gvisor/runsc@go: gvisor.dev/gvisor/runsc@go: invalid version: reading https://mirrors.aliyun.com/goproxy/gvisor.dev/gvisor/runsc/@v/go.info: 404 Not Found
root@cloud:/gvisor# unset GOPROXY
root@cloud:/gvisor# go get gvisor.dev/gvisor/runsc@go
^C
root@cloud:/gvisor# go version
go version go1.15 linux/arm64
root@cloud:/gvisor# go get gvisor.dev/gvisor/runsc@go

从go安装

 

 

参考

• gVisor
• Container Isolation at Scale
• bazel go rules

root@cloud:/gvisor# bazel build runsc
DEBUG: /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external/bazel_toolchains/rules/rbe_repo/version_check.bzl:68:14: 
Current running Bazel is ahead of bazel-toolchains repo. Please update your pin to bazel-toolchains repo in your WORKSPACE file.
DEBUG: /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external/bazel_toolchains/rules/rbe_repo/checked_in.bzl:125:14: rbe_default not using checked in configs; Bazel version 3.7.1 was picked/selected but no checked in config was found in map {"0.20.0": ["8.0.0"], "0.21.0": ["8.0.0"], "0.22.0": ["8.0.0", "9.0.0"], "0.23.0": ["8.0.0", "9.0.0"], "0.23.1": ["8.0.0", "9.0.0"], "0.23.2": ["9.0.0"], "0.24.0": ["9.0.0"], "0.24.1": ["9.0.0"], "0.25.0": ["9.0.0"], "0.25.1": ["9.0.0"], "0.25.2": ["9.0.0"], "0.26.0": ["9.0.0"], "0.26.1": ["9.0.0"], "0.27.0": ["9.0.0"], "0.27.1": ["9.0.0"], "0.28.0": ["9.0.0"], "0.28.1": ["9.0.0"], "0.29.0": ["9.0.0"], "0.29.1": ["9.0.0", "10.0.0"], "1.0.0": ["9.0.0", "10.0.0"], "1.0.1": ["10.0.0"], "1.1.0": ["10.0.0"], "1.2.0": ["10.0.0"], "1.2.1": ["10.0.0"], "2.0.0": ["10.0.0"], "2.1.0": ["10.0.0"], "2.1.1": ["10.0.0", "11.0.0"], "2.2.0": ["11.0.0"], "3.0.0": ["11.0.0"], "3.1.0": ["11.0.0"]}
INFO: Repository org_golang_x_sys instantiated at:
  /gvisor/WORKSPACE:74:14: in <toplevel>
Repository rule go_repository defined at:
  /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external/bazel_gazelle/internal/go_repository.bzl:194:32: in <toplevel>
ERROR: An error occurred during the fetch of repository 'org_golang_x_sys':
   Traceback (most recent call last):
        File "/root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external/bazel_gazelle/internal/go_repository.bzl", line 129, column 17, in _go_repository_impl
                fail("failed to fetch %s: %s" % (ctx.name, result.stderr))
Error in fail: failed to fetch org_golang_x_sys: # cd .; git clone https://github.com/golang/sys.git /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external/org_golang_x_sys
Cloning into '/root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external/org_golang_x_sys'...
error: RPC failed; curl 56 GnuTLS recv error (-54): Error in the pull function.
fatal: The remote end hung up unexpectedly
fatal: early EOF
fatal: index-pack failed
fetch_repo: exit status 128
ERROR: /gvisor/runsc/specutils/BUILD:5:11: //runsc/specutils:specutils depends on @org_golang_x_sys//unix:go_default_library in repository @org_golang_x_sys which failed to fetch. no such package '@org_golang_x_sys//unix': failed to fetch org_golang_x_sys: # cd .; git clone https://github.com/golang/sys.git /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external/org_golang_x_sys
Cloning into '/root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external/org_golang_x_sys'...
error: RPC failed; curl 56 GnuTLS recv error (-54): Error in the pull function.
fatal: The remote end hung up unexpectedly
fatal: early EOF
fatal: index-pack failed
fetch_repo: exit status 128
ERROR: Analysis of target '//runsc:runsc' failed; build aborted: Analysis failed
INFO: Elapsed time: 1216.888s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (241 packages loaded, 9325 targets configured)

手动下载

root@cloud:~/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external# git clone https://github.com/golang/sys.git
Cloning into 'sys'...
remote: Enumerating objects: 51, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (38/38), done.
remote: Total 10776 (delta 27), reused 31 (delta 13), pack-reused 10725
Receiving objects: 100% (10776/10776), 9.09 MiB | 33.00 KiB/s, done.
Resolving deltas: 100% (9248/9248), done.
root@cloud:~/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external# 

手动下载后没有这个问题了

root@cloud:/gvisor# bazel build runsc
DEBUG: /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external/bazel_toolchains/rules/rbe_repo/version_check.bzl:68:14: 
Current running Bazel is ahead of bazel-toolchains repo. Please update your pin to bazel-toolchains repo in your WORKSPACE file.
DEBUG: /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/external/bazel_toolchains/rules/rbe_repo/checked_in.bzl:125:14: rbe_default not using checked in configs; Bazel version 3.7.1 was picked/selected but no checked in config was found in map {"0.20.0": ["8.0.0"], "0.21.0": ["8.0.0"], "0.22.0": ["8.0.0", "9.0.0"], "0.23.0": ["8.0.0", "9.0.0"], "0.23.1": ["8.0.0", "9.0.0"], "0.23.2": ["9.0.0"], "0.24.0": ["9.0.0"], "0.24.1": ["9.0.0"], "0.25.0": ["9.0.0"], "0.25.1": ["9.0.0"], "0.25.2": ["9.0.0"], "0.26.0": ["9.0.0"], "0.26.1": ["9.0.0"], "0.27.0": ["9.0.0"], "0.27.1": ["9.0.0"], "0.28.0": ["9.0.0"], "0.28.1": ["9.0.0"], "0.29.0": ["9.0.0"], "0.29.1": ["9.0.0", "10.0.0"], "1.0.0": ["9.0.0", "10.0.0"], "1.0.1": ["10.0.0"], "1.1.0": ["10.0.0"], "1.2.0": ["10.0.0"], "1.2.1": ["10.0.0"], "2.0.0": ["10.0.0"], "2.1.0": ["10.0.0"], "2.1.1": ["10.0.0", "11.0.0"], "2.2.0": ["11.0.0"], "3.0.0": ["11.0.0"], "3.1.0": ["11.0.0"]}
INFO: Analyzed target //runsc:runsc (88 packages loaded, 2268 targets configured).
INFO: Found 1 target...
ERROR: /gvisor/runsc/cmd/BUILD:5:11: GoCompilePkg runsc/cmd/cmd.a failed (Exit 1): builder failed: error executing command bazel-out/host/bin/external/go_sdk/builder compilepkg -sdk external/go_sdk -installsuffix linux_arm64 -src runsc/cmd/boot.go -src runsc/cmd/capability.go -src runsc/cmd/checkpoint.go -src ... (remaining 119 argument(s) skipped)

Use --sandbox_debug to see verbose messages from the sandbox builder failed: error executing command bazel-out/host/bin/external/go_sdk/builder compilepkg -sdk external/go_sdk -installsuffix linux_arm64 -src runsc/cmd/boot.go -src runsc/cmd/capability.go -src runsc/cmd/checkpoint.go -src ... (remaining 119 argument(s) skipped)

Use --sandbox_debug to see verbose messages from the sandbox
compilepkg: missing strict dependencies:
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/boot.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/checkpoint.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/create.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/debug.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/delete.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/do.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/error.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/events.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/exec.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/gofer.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/help.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/install.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/kill.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/list.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/pause.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/ps.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/restore.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/resume.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/run.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/spec.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/start.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/state.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/statefile.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/symbolize.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/syscalls.go: import of "github.com/google/subcommands"
        /root/.cache/bazel/_bazel_root/5c091e64dca9ad5afc61f8dabe991a85/sandbox/linux-sandbox/1614/execroot/__main__/runsc/cmd/wait.go: import of "github.com/google/subcommands"
No dependencies were provided.
Check that imports in Go sources match importpath attributes in deps.
Target //runsc:runsc failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 265.492s, Critical Path: 40.69s
INFO: 1650 processes: 37 internal, 1613 linux-sandbox.
FAILED: Build did NOT complete successfully
root@cloud:/gvisor#