feat(bazel): provide remote-execution platform with network access.

Initially when we designed the RBE platform toolchain as part of dev-infra, we decided to ship a single `platform` that does not have network access enabled. This is helpful preventing bad tests or a bad setup in Bazel where actions may not be hermetic due to network access. We continue providing this as the default platform. There are cases though where a platform with network access is desirable. This platform can be specifically used in jobs like the `integration_test` one to run integration tests that rely on e.g. Yarn install. Alternatively this platform can become the default one in projects, but then it's recommended to disable network access in sandboxes; allowing authors to grant certain targets network access while others will not have access by default.
angular · Oct 14, 2021 · 4c652ca · 4c652ca
1 parent a5b16dd
commit 4c652ca
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -1,6 +1,11 @@
 # Enable debugging tests with --config=debug
 test:debug --test_arg=--node_options=--inspect-brk --test_output=streamed --test_strategy=exclusive --test_timeout=9999 --nocache_test_results
 
+# By default, network access should be disabled unless explicitly granted for certain targets
+using the `requires-network` tag. https://docs.bazel.build/versions/main/be/common-definitions.html
+build --sandbox_default_allow_network=false
+test --sandbox_default_allow_network=false
+
 ###############################
 # Filesystem interactions     #
 ###############################

diff --git a/bazel/remote-execution/BUILD.bazel b/bazel/remote-execution/BUILD.bazel
@@ -27,6 +27,21 @@ platform(
     },
 )
 
+platform(
+    name = "platform_with_network",
+    exec_properties = {
+        # By default we have network access disabled with the `:platform` target. This is an
+        # additional platform that extends from the default one but enables network access.
+        # Network is generally not recommended, but for some exceptions, like integration tests
+        # running a Yarn install, network access is reasonable. In such special cases, Bazel can
+        # be invoked to run with this platform. It is recommended that exec platforms with network
+        # access are used in combination with `--sandbox_default_allow_network=false` as this allows
+        # specific targets to be granted network access, while others will not have access.
+        "dockerNetwork": "standard",
+    },
+    parents = [":platform"],
+)
+
 filegroup(
     name = "files",
     srcs = [