Tuesday, August 4, 2015

Get the max from bazel: use a dashboard to track the build status

Build the dashboard server:

$ ./output/bazel build //src/tools/dash:all

Run it locally:

$ bazel-bin/src/tools/dash/dash

Then you can stream your build result to this local server:

$ bazel build --use_dash --dash_url http://localhost:8080 lte/base:all


Or deploy it on App Engine:

$ bazel-bin/src/tools/dash/dash.deploy app-engine-app-id

Then use http://app-engine-app-id.appspot.com to access it.

Sunday, June 21, 2015

Use namespaces to gain special capabilities for testing (without Docker)

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled.  Capabilities are a per-thread attribute.

For example, a process does not need to become root to configure network settings: if it holds the CAP_NET_ADMIN capability, the kernel permits the relevant syscalls.

More information about capabilities can be found in the Linux man page: man 7 capabilities.


Linux provides the following namespaces

       Namespace   Constant        Isolates
       IPC         CLONE_NEWIPC    System V IPC, POSIX message queues
       Network     CLONE_NEWNET    Network devices, stacks, ports, etc.
       Mount       CLONE_NEWNS     Mount points
       PID         CLONE_NEWPID    Process IDs
       User        CLONE_NEWUSER   User and group IDs
       UTS         CLONE_NEWUTS    Hostname and NIS domain name


User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs (see credentials(7)), the root directory, keys (see keyctl(2)), and capabilities (see capabilities(7)).

When a new user namespace is created (either using clone or unshare), the process starts with *a complete/full set of capabilities*, but only within that new namespace.

But that's good enough for us to run some test program inside. Inspired by the namespace-sandbox.c tool from bazel, I wrote a simpler version, new-network-namespace.c, that just creates an empty user namespace with a network namespace and launches a given program inside the namespace. Inside that program, the user can perform ifconfig/iptables operations without being the real root, and without worrying about breaking the real system by accident.

For example:

$ ./new-network-namespace /bin/bash
root@myhost:~# ifconfig -a
lo        Link encap:Local Loopback
          LOOPBACK  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
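To show how a tool like new-network-namespace.c works, here is an added example (my own code, not the author's file): it unshares a user namespace plus a network namespace, maps the caller's uid/gid to 0 inside, and execs the requested program. It assumes the kernel allows unprivileged user namespaces (Linux 3.8 or later, not disabled by sysctl); the helper names format_id_map, write_file and enter_sandbox are mine.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWNET */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Format one id_map line "inside outside count\n", e.g. "0 1000 1\n".
 * Returns bytes written (without the NUL), or -1 if the buffer is too small. */
int format_id_map(char *buf, size_t size, unsigned inside, unsigned outside) {
    int n = snprintf(buf, size, "%u %u 1\n", inside, outside);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Write data to path in a single write(2); uid_map/gid_map reject partial writes. */
static int write_file(const char *path, const char *data) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w == (ssize_t)strlen(data) ? 0 : -1;
}

/* Create a new user namespace plus a fresh, empty network namespace and map the
 * caller's uid/gid to 0 inside it. The process then holds a full capability set,
 * but only over the new namespaces: ifconfig/iptables touch the sandboxed stack,
 * never the host's. Returns 0 on success, -1 (errno set) on failure. */
int enter_sandbox(void) {
    unsigned uid = (unsigned)getuid(), gid = (unsigned)getgid();
    char map[64];
    /* raw syscall so this builds without _GNU_SOURCE; identical to unshare(2) */
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNET) != 0) return -1;
    /* since Linux 3.19 an unprivileged gid_map write requires setgroups "deny" first */
    if (write_file("/proc/self/setgroups", "deny") != 0 && errno != ENOENT) return -1;
    if (format_id_map(map, sizeof map, 0, uid) < 0 ||
        write_file("/proc/self/uid_map", map) != 0) return -1;
    if (format_id_map(map, sizeof map, 0, gid) < 0 ||
        write_file("/proc/self/gid_map", map) != 0) return -1;
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    if (enter_sandbox() != 0) { perror("enter_sandbox"); return 1; }
    execvp(argv[1], argv + 1);   /* e.g. /bin/bash, then run ifconfig -a inside */
    perror("execvp");
    return 1;
}
```

If enter_sandbox fails with EPERM, unprivileged user namespaces are disabled on that host and the sandbox cannot be entered without real root.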

Please give it a try :)

Saturday, May 23, 2015

Build DPDK with bazel

Bazel is the open-sourced version of Google's internal build tool, and it has proved itself to be a nice solution for monolithic server-side development. DPDK is a nice solution for user-mode packet processing. In our company, we use both to build our products, and it greatly reduced the hurdle of rolling out any change, because we put the whole DPDK source code into our source tree and the build process can easily produce final binaries at any point (i.e. we can put a fix into the DPDK code and the build process will always produce an up-to-date binary based on the change).

We pushed all our changes to GitHub in the "bazel" branch in case anyone wants to try it. At the moment, due to the complexity of setting up bazel BUILD files to handle different compilation settings, we are not actively pursuing integrating these changes back upstream. But I'll be happy to answer any questions and provide help in case anyone wants to do so.