This is an automated email from the ASF dual-hosted git repository. juergbi pushed a commit to branch jbilleter/nested-ac-update in repository https://gitbox.apache.org/repos/asf/buildstream.git
commit 8e77f4d75e88423381385de66143f0646aa735f9
Author: Jürg Billeter <[email protected]>
AuthorDate: Fri Jul 18 14:18:46 2025 +0200
sandbox: Add support for action cache updates via `remote-apis-socket`
Action cache updates from sandboxed REAPI clients are disabled by default to protect action cache integrity.
---
 doc/source/format_declaring.rst | 7 +++++++
 src/buildstream/sandbox/_config.py | 28 +++++++++++++++++++++-----
 src/buildstream/sandbox/_sandboxbuildboxrun.py | 2 ++
 3 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/doc/source/format_declaring.rst b/doc/source/format_declaring.rst
index 7a1f71854..596a9434a 100644
--- a/doc/source/format_declaring.rst
+++ b/doc/source/format_declaring.rst
@@ -395,6 +395,7 @@ having implemented these options the same as buildstream.
 sandbox:
 remote-apis-socket:
 path: /run/reapi.sock
+ action-cache-enable-update: false
 Setting a path will add a UNIX socket to the sandbox that allows the use of `REAPI <https://github.com/bazelbuild/remote-apis>`_ clients such as
@@ -407,6 +408,12 @@ This is supported with and without :ref:`remote execution <user_config_remote_ex
 With remote execution configured, this additionally enables scaling out of, e.g., compile commands across a cluster of build machines.
+Action cache updates from sandboxed REAPI clients are disabled by default to
+protect action cache integrity. However, if a trusted REAPI client doesn't
+support remote execution, action cache updates can be enabled by setting
+``action-cache-enable-update`` to ``true``. This requires an ``action-cache-service``
+to be configured with ``push`` set to ``true``.
+
 .. _format_dependencies:
diff --git a/src/buildstream/sandbox/_config.py b/src/buildstream/sandbox/_config.py
index 87e6b35fa..0be530411 100644
--- a/src/buildstream/sandbox/_config.py
+++ b/src/buildstream/sandbox/_config.py
@@ -52,13 +52,15 @@ class SandboxConfig:
 build_arch: str,
 build_uid: Optional[int] = None,
 build_gid: Optional[int] = None,
- remote_apis_socket_path: Optional[str] = None
+ remote_apis_socket_path: Optional[str] = None,
+ remote_apis_socket_action_cache_enable_update: bool = False
 ):
 self.build_os = build_os
 self.build_arch = build_arch
 self.build_uid = build_uid
 self.build_gid = build_gid
 self.remote_apis_socket_path = remote_apis_socket_path
+ self.remote_apis_socket_action_cache_enable_update = remote_apis_socket_action_cache_enable_update
 # to_dict():
 #
@@ -74,7 +76,7 @@ class SandboxConfig:
 # Returns:
 # A dictionary representation of this SandboxConfig
 #
- def to_dict(self) -> Dict[str, Union[str, int]]:
+ def to_dict(self) -> Dict[str, Union[str, int, bool]]:
 # Assign mandatory portions of the sandbox configuration
 #
@@ -82,7 +84,7 @@ class SandboxConfig:
 # the sandbox configuration, as that would result in
 # breaking cache key stability.
 #
- sandbox_dict: Dict[str, Union[str, int]] = {"build-os": self.build_os, "build-arch": self.build_arch}
+ sandbox_dict: Dict[str, Union[str, int, bool]] = {"build-os": self.build_os, "build-arch": self.build_arch}
 # Assign optional portions of the sandbox configuration
 #
@@ -97,6 +99,8 @@ class SandboxConfig:
 if self.remote_apis_socket_path is not None:
 sandbox_dict["remote-apis-socket-path"] = self.remote_apis_socket_path
+ if self.remote_apis_socket_action_cache_enable_update:
+ sandbox_dict["remote-apis-socket-action-cache-enable-update"] = True
 return sandbox_dict
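Review bot: The new branch in `to_dict()` (hunk `@@ -97,6 +99,8 @@`) writes `remote-apis-socket-action-cache-enable-update` only when the flag is true, and nothing at the branch says why the `False` case is left out. The comment kept as context in the `@@ -82,7 +84,7 @@` hunk ties this dictionary to cache key stability, so the omission is presumably deliberate: elements that leave the switch off keep their existing keys, and turning it on changes the key. I would state that where the key is written, e.g. `# Only recorded when enabled, so cache keys of elements that leave it off do not change`. The body of `to_dict()` starts outside this hunk.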
@@ -119,7 +123,16 @@ class SandboxConfig:
 #
 @classmethod
 def new_from_node(cls, config: "MappingNode[Node]", *, platform: Optional[Platform] = None) -> "SandboxConfig":
- config.validate_keys(["build-uid", "build-gid", "build-os", "build-arch", "remote-apis-socket"])
+ config.validate_keys(
+ [
+ "build-uid",
+ "build-gid",
+ "build-os",
+ "build-arch",
+ "remote-apis-socket",
+ "remote-apis-socket-action-cache-enable-update",
+ ]
+ )
 build_os: str
 build_arch: str
@@ -145,10 +158,14 @@ class SandboxConfig:
 remote_apis_socket = config.get_mapping("remote-apis-socket", default=None)
 if remote_apis_socket:
- remote_apis_socket.validate_keys(["path"])
+ remote_apis_socket.validate_keys(["path", "action-cache-enable-update"])
 remote_apis_socket_path = remote_apis_socket.get_str("path")
+ remote_apis_socket_action_cache_enable_update = remote_apis_socket.get_bool(
+ "action-cache-enable-update", default=False
+ )
 else:
 remote_apis_socket_path = None
+ remote_apis_socket_action_cache_enable_update = False
 return cls(
 build_os=build_os,
@@ -156,4 +173,5 @@ class SandboxConfig:
 build_uid=build_uid,
 build_gid=build_gid,
 remote_apis_socket_path=remote_apis_socket_path,
+ remote_apis_socket_action_cache_enable_update=remote_apis_socket_action_cache_enable_update,
 )
diff --git a/src/buildstream/sandbox/_sandboxbuildboxrun.py b/src/buildstream/sandbox/_sandboxbuildboxrun.py
index 99dadad4b..e188c1ac1 100644
--- a/src/buildstream/sandbox/_sandboxbuildboxrun.py
+++ b/src/buildstream/sandbox/_sandboxbuildboxrun.py
@@ -132,6 +132,8 @@ class SandboxBuildBoxRun(SandboxREAPI):
 if self.re_remote:
 buildbox_command.append("--instance={}".format(self.re_remote.local_cas_instance_name))
+ if config.remote_apis_socket_action_cache_enable_update:
+ buildbox_command.append("--nested-ac-enable-update")
 # Do not redirect stdout/stderr
 if "no-logs-capture" in self._capabilities:
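Review bot: `new_from_node()` now accepts `remote-apis-socket-action-cache-enable-update` as a top-level sandbox key in `validate_keys` (hunk `@@ -119,7 +123,16 @@`), but the visible lines only read the switch from the nested mapping, via `remote_apis_socket.get_bool("action-cache-enable-update", default=False)` in the `@@ -145,10 +158,14 @@` hunk. Unless the lines between those two hunks consume the flat key, a project that sets it at the top level passes validation and the setting is silently ignored. That fails closed, but for a switch that relaxes action cache integrity the user should get a validation error rather than a no-op. I would drop `"remote-apis-socket-action-cache-enable-update",` from the top-level list; the flat `remote-apis-socket-path` key written by `to_dict()` is likewise not accepted here.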
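Review bot: `--nested-ac-enable-update` is appended in `_sandboxbuildboxrun.py` on the element's sandbox configuration alone; the hunk shows no check that the precondition stated in the documentation change (an `action-cache-service` configured with `push` set to `true`) actually holds. Because this option lets REAPI clients inside the sandbox update the action cache, I would validate the precondition at this point and raise a configuration error when it is not met, rather than leave the outcome to buildbox-run. A short comment at the branch should also record the trust assumption, e.g. `# Lets sandboxed REAPI clients write action cache entries; enable only for trusted clients`. Indentation is lost in this rendering, so how the new `if` nests relative to `if self.re_remote:` cannot be confirmed from the hunk, and the enclosing method starts and ends outside it.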
