diff --git a/.bazelrc b/.bazelrc
index 4b3c31f..b776f81 100755
--- a/.bazelrc
+++ b/.bazelrc
@@ -44,10 +44,15 @@
 build --jobs=20
 build --local_resources=cpu=16
 build --local_resources=memory=57344
 
-# Linux Sandbox Hardening: Fixes "File exists" and "/dev/null" errors
+# Linux Sandbox Hardening
+# --sandbox_tmpfs_path=/tmp : clean /tmp per action (isolation)
+# --sandbox_add_mount_pair : ensures /dev/null is available
+# NOTE: Do NOT use --sandbox_base=/dev/shm — Docker containers default
+# to 64MB /dev/shm which is too small for linking large binaries.
+# Stale sandbox state ("File exists" errors) is handled by cleaning
+# .bazel/output_base/sandbox before builds (see dcodex-setup.sh).
 build:linux --sandbox_tmpfs_path=/tmp
 build:linux --sandbox_add_mount_pair=/dev/null
-build:linux --test_tmpdir=/tmp/bazel-test-logs
 build:linux --dynamic_mode=off
 build:linux --linkopt=-Wl,--threads=16
diff --git a/dcodex-setup.sh b/dcodex-setup.sh
index ceb9d5c..fc60b5a 100755
--- a/dcodex-setup.sh
+++ b/dcodex-setup.sh
@@ -309,6 +309,17 @@
 else
   ok "Skipping bazel clean (incremental build — disk cache preserved)"
 fi
 
+# Always purge stale sandbox directories. If a previous build was interrupted
+# (Ctrl+C, OOM kill, crash), leftover files cause "File exists" errors on the
+# next run. This is cheap (~instant) and only removes sandbox working dirs —
+# the disk cache and repo cache are untouched.
+if [[ -d "${REPO_DIR}/.bazel/output_base/sandbox" ]]; then
+  rm -rf "${REPO_DIR}/.bazel/output_base/sandbox"
+  ok "Purged stale sandbox directories"
+else
+  ok "No stale sandbox directories to clean"
+fi
+
 timer
 # ─────────────────────────────────────────────────────────────────────────────
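Review bot: The rewritten comment block delegates the "File exists" fix to dcodex-setup.sh, but anyone running `bazel build` or `bazel test` directly from the shell gets none of that cleanup and will still hit the stale-sandbox failure the old comment described. I would say so next to it, e.g. `# (plain bazel invocations skip that step — run dcodex-setup.sh or remove the directory by hand)`. The removal of `--test_tmpdir=/tmp/bazel-test-logs` also carries no rationale; if the reason is that /tmp is a fresh per-action tmpfs under `--sandbox_tmpfs_path=/tmp`, so the old log path presumably never survived an action anyway, a one-line note to that effect would keep the history readable.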
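Review bot: `rm -rf "${REPO_DIR}/.bazel/output_base/sandbox"` has no guard against REPO_DIR being empty; `set -u` (if the script enables it) only catches an unset variable, while an empty one silently turns the target into `/.bazel/output_base/sandbox`. The idiomatic form is `rm -rf -- "${REPO_DIR:?}/.bazel/output_base/sandbox"`, which aborts with a message instead, and binding the path once in a variable for both the `-d` test and the `rm` keeps the two from drifting apart. The `else`/`fi` at the top of the hunk close an `if` that begins outside it. Whether a Bazel server that is still running for this output base tolerates having its sandbox base deleted underneath it is not visible here; if that was tested, a short comment saying so (or a preceding `bazel shutdown`) would remove the doubt.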
@@ -350,9 +361,11 @@
 timer
 step "6/7 Tests"
 # Common Bazel test flags for diagnostics — always verbose.
+# NOTE: --sandbox_debug is intentionally omitted; it dumps per-action
+# traces for every compile/link step, drowning test output. Pass it
+# manually if debugging sandbox issues: bazel test --sandbox_debug ...
 BAZEL_TEST_COMMON=(
   --verbose_failures
-  --sandbox_debug
   --test_output=all
   --test_env=HOME=/tmp
 )
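Review bot: The new NOTE gives output noise as the only reason for dropping `--sandbox_debug`, but as far as I recall that flag also keeps each action's sandbox directory on disk after the action finishes, which is exactly the stale state the purge added earlier in this script exists to remove. Recording that here would stop someone re-enabling it for a routine CI run, e.g. `# It also leaves every action's sandbox dir behind (the stale state purged above), so keep it to one-off local debugging.` The rest of the BAZEL_TEST_COMMON array is unchanged and needs nothing further.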