Can I run multiple processes in the same sandbox? For workflows like running an OCI image with runc it needs to be unpacked on top of the local fs, which looks very odd when inspected from the outside. If it's unpacked to

/tmp/sandbox/image/fs

there'll be symlinks that are relative to that fs root, like this:

/tmp/sandbox/image/fs/lib/foo.2.3 -> /lib/foo.2

. Trying to output this from a process makes Pants understandably barf.

Error expanding output globs: Failed to read link "/tmp/pants-sandbox-Qipcu3/unpacked_image/rootfs/lib64/ld-linux-x86-64.so.2": Absolute symlink: "/lib/x86_64-linux-gnu/ld-2.31.so"

Optimally unpack + run would be a single step; but I can't see how I can use

Process

to achieve that without writing scripts.

It’s one sandbox per Process, so you’d have to write a wrapper script to invoke unpack and then run, I guess.

There are a number of examples of this in the repo including

setup_go_sdk_process

and the Coursier jar resolution rules

Yeah, I'll look at that. Might make a feature request to be able to fuse processes into one sandbox. Would be quite ergonomic.

side note: Pants does not yet support capture of symlinks from an execution sandbox. https://github.com/pantsbuild/pants/pull/16844 is the WIP PR to support sandbox-relative symlinks. Absolute symlinks would need different work.

In this case I don't want any symlink resolution. I want the whole tree to be kept as is. :P

the whole tree as an archive or captured as a

Digest

into the Pants cache?

Wouldn't the same issue occur for the return digest of unpacking an archive?

when unpacking Pants ends up writing them as normal files

Yeah, but what I'm saying is that it's impossible for that to happen, since the symlink only has a valid destination inside the rootfs of the container. So it has to be kept as an invalid symlink throughout the process.

There seems to be some miscommunication here. The validity or invalidity of the symlink isn't really an issue here. Pants essentially captures the directory listing so it can reproduce the fileystsem tree at a later point. Pants will just refuse to capture symlinks currently. Moreover, the PR linked above is only to support sandbox-relative symlinks (whether valid or invalid). Symlinks that point to an absolute path will just cause Pants to error if the

Process

tries to capture them as an output.

Yeah; I had a look. I think if the goal of that PR is to capture symlinks verbatim, then that'll work for absolute symlinks too in my case. My interpretation of

when unpacking Pants ends up writing them as normal files

was that a captured symlink would be replaced with its content. But if you mean it'll be written back to disk as a regular file but flagged as a symlink, then that sounds like what I want. 🙂 Just need to make it work for absolute links. OTOH (and this'll be problematic for image builds too) - it isn't unfeasible that we'll have some massive trees generated from this. The largest container build I run at work today comes out to a total of 9GB, squashed, cleansed, purged and compressed.

separately Pants may not work well with input/output files at the GB scale. See https://github.com/pantsbuild/pants/issues/16697 where a user had an issue with a pex build at ~2GB size.

Yeah; for sure. It does take quite some painful design decisions to get a container to that size, and I don't expect any framework to handle it gracefully - It's a very custom process even with buildah.

A feature request for a “MultiProcess” of some kind would be appropriate, I think

Yepp! I'll set up an issue after work today 🙂