AI 助理
文档备案控制台
开发者社区 云原生 文章 正文

docker中编译android aosp源码,出现Build sandboxing disabled due to nsjail error

2024-08-28 3071
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《 阿里云开发者社区用户服务协议》和 《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写 侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
简介: 在使用Docker编译Android AOSP源码时,如果遇到"Build sandboxing disabled due to nsjail error"的错误,可以通过在docker run命令中添加`--privileged`参数来解决权限不足的问题。

使用docker搭建aosp的编译环境,测试中,出现Build sandboxing disabled due to nsjail error.解决办法如下。

1.错误现场

szhou@81fe32c25a6f:/home/builder/code/aosp$ source  build/envsetup.sh 
szhou@81fe32c25a6f:/home/builder/code/aosp$ lunch 

You're building on Linux

Lunch menu... pick a combo:
     1. aosp_arm-eng
     2. aosp_arm64-eng
     …… 省略 ……
     30. aosp_x86-eng
     31. aosp_x86_64-eng
     …… 省略 ……

Which would you like? [aosp_arm-eng] 31
16:23:33 Build sandboxing disabled due to nsjail error.
16:23:33 Build sandboxing disabled due to nsjail error.

============================================
PLATFORM_VERSION_CODENAME=S
PLATFORM_VERSION=S
TARGET_PRODUCT=aosp_x86_64
TARGET_BUILD_VARIANT=eng
TARGET_BUILD_TYPE=release
TARGET_ARCH=x86_64
TARGET_ARCH_VARIANT=x86_64
TARGET_2ND_ARCH=x86
TARGET_2ND_ARCH_VARIANT=x86_64
HOST_ARCH=x86_64
HOST_2ND_ARCH=x86
HOST_OS=linux
HOST_OS_EXTRA=Linux-4.15.0-142-generic-x86_64-Ubuntu-14.04.5-LTS
HOST_CROSS_OS=windows
HOST_CROSS_ARCH=x86
HOST_CROSS_2ND_ARCH=x86_64
HOST_BUILD_TYPE=release
BUILD_ID=AOSP.MASTER
OUT_DIR=out
PRODUCT_SOONG_NAMESPACES=device/generic/goldfish device/generic/goldfish-opengl hardware/google/camera hardware/google/camera/devices/EmulatedCamera
============================================
szhou@81fe32c25a6f:/home/builder/code/aosp$

2. 错误分析

2.1 soong 错误打印

Z:\works\android\ustc\aosp\out\soong.log

2021/06/16 16:52:54.815584 build/soong/ui/build/build.go:184: Starting build with args: []
2021/06/16 16:52:54.815614 build/soong/ui/build/build.go:185: Environment: [HOSTNAME=81fe32c25a6f TRACE_BEGIN_SOONG=1623833572854843900 TERM=xterm ANDROID_PYTHONPATH=/home/builder/code/aosp/development/python-packages: OLDPWD=/home/builder/code/aosp OUT=/home/builder/code/aosp/out/target/product/generic_x86_64 TARGET_BUILD_VARIANT=eng BUILD_ENV_SEQUENCE_NUMBER=13 ANDROID_BUILD_PATHS=/home/builder/code/aosp/out/soong/host/linux-x86/bin:/home/builder/code/aosp/out/host/linux-x86/bin:/home/builder/code/aosp/prebuilts/gcc/linux-x86/x86/x86_64-linux-android-4.9/bin:/home/builder/code/aosp/development/scripts:/home/builder/code/aosp/prebuilts/devtools/tools:/home/builder/code/aosp/external/selinux/prebuilts/bin:/home/builder/code/aosp/prebuilts/misc/linux-x86/dtc:/home/builder/code/aosp/prebuilts/misc/linux-x86/libufdt:/home/builder/code/aosp/prebuilts/clang/host/linux-x86/llvm-binutils-stable:/home/builder/code/aosp/prebuilts/android-emulator/linux-x86_64:/home/builder/code/aosp/prebuilts/asuite/acloud/linux-x86:/home/builder/code/aosp/prebuilts/asuite/aidegen/linux-x86:/home/builder/code/aosp/prebuilts/asuite/atest/linux-x86: TOP=/home/builder/code/aosp TARGET_BUILD_APPS= TARGET_BUILD_TYPE=release PWD=/home/builder/code/aosp GCC_COLORS=error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01 HOME=/home/disk3/szhou SHLVL=1 ORIGINAL_PWD=/home/builder/code/aosp PYTHONPATH=/home/builder/code/aosp/development/python-packages: TARGET_GCC_VERSION=4.9 ANDROID_SOONG_HOST_OUT=/home/builder/code/aosp/out/soong/host/linux-x86 TARGET_PRODUCT=aosp_x86_64 OUT_DIR=out PYTHONDONTWRITEBYTECODE=1 TMPDIR=/home/builder/code/aosp/out/soong/.temp ASAN_SYMBOLIZER_PATH=/home/builder/code/aosp/prebuilts/clang/host/linux-x86/llvm-binutils-stable/llvm-symbolizer LANG=C.UTF-8 JAVA_HOME=/home/builder/code/aosp/prebuilts/jdk/jdk11/linux-x86 ANDROID_JAVA_HOME=prebuilts/jdk/jdk11/linux-x86 ANDROID_JAVA8_HOME=prebuilts/jdk/jdk8/linux-x86 ANDROID_JAVA9_HOME=prebuilts/jdk/jdk9/linux-x86 ANDROID_JAVA11_HOME=prebuilts/jdk/jdk11/linux-x86 PATH=/home/builder/code/aosp/prebuilts/jdk/jdk11/linux-x86/bin:/home/builder/code/aosp/prebuilts/jdk/jdk11/linux-x86/bin:/home/builder/code/aosp/out/soong/host/linux-x86/bin:/home/builder/code/aosp/out/host/linux-x86/bin:/home/builder/code/aosp/prebuilts/gcc/linux-x86/x86/x86_64-linux-android-4.9/bin:/home/builder/code/aosp/development/scripts:/home/builder/code/aosp/prebuilts/devtools/tools:/home/builder/code/aosp/external/selinux/prebuilts/bin:/home/builder/code/aosp/prebuilts/misc/linux-x86/dtc:/home/builder/code/aosp/prebuilts/misc/linux-x86/libufdt:/home/builder/code/aosp/prebuilts/clang/host/linux-x86/llvm-binutils-stable:/home/builder/code/aosp/prebuilts/android-emulator/linux-x86_64:/home/builder/code/aosp/prebuilts/asuite/acloud/linux-x86:/home/builder/code/aosp/prebuilts/asuite/aidegen/linux-x86:/home/builder/code/aosp/prebuilts/asuite/atest/linux-x86:/opt/mtk/neon_4.8.2_2.6.35_cortex-a9-ubuntu/x86_64/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin BUILD_DATETIME_FILE=out/build_date.txt]
2021/06/16 16:52:54.815674 build/soong/ui/build/build.go:161: Total RAM: 31.4GB
2021/06/16 16:52:55.013537 build/soong/ui/build/sandbox_linux.go:120: [prebuilts/build-tools/linux-x86/bin/nsjail -H android-build -e -u nobody -g nogroup -R / -B /home/builder/code/aosp -B /tmp -B /home/builder/code/aosp/out --disable_clone_newcgroup -- /bin/bash -c if [ $(hostname) == "android-build" ]; then echo "Android" "Success"; else echo Failure; fi]
2021/06/16 16:52:55.015716 build/soong/ui/build/sandbox_linux.go:127: Build sandboxing disabled due to nsjail error.
2021/06/16 16:52:55.015726 build/soong/ui/build/sandbox_linux.go:130: [I][2021-06-16T16:52:55+0800] Mode: STANDALONE_ONCE
2021/06/16 16:52:55.015732 build/soong/ui/build/sandbox_linux.go:130: [I][2021-06-16T16:52:55+0800] Jail parameters: hostname:'android-build', chroot:'', process:'/bin/bash', bind:[::]:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:false, keep_caps:false, disable_no_new_privs:false, max_cpus:0
2021/06/16 16:52:55.015735 build/soong/ui/build/sandbox_linux.go:130: [I][2021-06-16T16:52:55+0800] Mount point: '/' flags:MS_RDONLY type:'tmpfs' options:'' is_dir:true
2021/06/16 16:52:55.015737 build/soong/ui/build/sandbox_linux.go:130: [I][2021-06-16T16:52:55+0800] Mount point: '/' -> '/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' is_dir:true
2021/06/16 16:52:55.015740 build/soong/ui/build/sandbox_linux.go:130: [I][2021-06-16T16:52:55+0800] Mount point: '/home/builder/code/aosp' -> '/home/builder/code/aosp' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' is_dir:true
2021/06/16 16:52:55.015742 build/soong/ui/build/sandbox_linux.go:130: [I][2021-06-16T16:52:55+0800] Mount point: '/tmp' -> '/tmp' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' is_dir:true
2021/06/16 16:52:55.015744 build/soong/ui/build/sandbox_linux.go:130: [I][2021-06-16T16:52:55+0800] Mount point: '/home/builder/code/aosp/out' -> '/home/builder/code/aosp/out' flags:MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' is_dir:true
2021/06/16 16:52:55.015747 build/soong/ui/build/sandbox_linux.go:130: [I][2021-06-16T16:52:55+0800] Mount point: '/proc' flags:MS_RDONLY type:'proc' options:'' is_dir:true
2021/06/16 16:52:55.015749 build/soong/ui/build/sandbox_linux.go:130: [I][2021-06-16T16:52:55+0800] Uid map: inside_uid:65534 outside_uid:1007 count:1 newuidmap:false
2021/06/16 16:52:55.015751 build/soong/ui/build/sandbox_linux.go:130: [I][2021-06-16T16:52:55+0800] Gid map: inside_gid:65534 outside_gid:1007 count:1 newgidmap:false
2021/06/16 16:52:55.015755 build/soong/ui/build/sandbox_linux.go:130: [E][2021-06-16T16:52:55+0800][9596] bool subproc::runChild(nsjconf_t *, int, int, int)():447 clone(flags=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) failed. You probably need root privileges if your system doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile your kernel with support for namespaces or check the current value of the kernel.unprivileged_userns_clone sysctl: Operation not permitted
2021/06/16 16:52:55.015758 build/soong/ui/build/sandbox_linux.go:130: [E][2021-06-16T16:52:55+0800][9596] int nsjail::standaloneMode(nsjconf_t *)():146 Couldn't launch the child process
2021/06/16 16:52:55.015761 build/soong/ui/build/sandbox_linux.go:136: nsjail failed with exit status 255
2021/06/16 16:52:55.015768 build/soong/ui/build/exec.go:64: "dumpvars" executing "prebuilts/build-tools/linux-x86/bin/ckati" [prebuilts/build-tools/linux-x86/bin/ckati -f build/make/core/config.mk --color_warnings --kati_stats dump-many-vars MAKECMDGOALS=]
2021/06/16 16:52:55.396789 build/soong/ui/build/exec.go:74: "dumpvars" finished with exit code 0 (381ms real, 346ms user, 47ms system, 363MB maxrss)
2021/06/16 16:52:55.396818 build/soong/ui/build/dumpvars.go:123: NINJA_GOALS droid
2021/06/16 16:52:55.396822 build/soong/ui/build/dumpvars.go:123: KATI_GOALS

2.2 关键错误提示

从下面的错误看,已经提示权限不够,可能需要root权限。

  • You probably need root privileges if your system doesn’t support CLONE_NEWUSER.
  • sysctl: Operation not permitted
clone(flags=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) failed. You probably need root privileges if your system doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile your kernel with support for namespaces or check the current value of the kernel.unprivileged_userns_clone sysctl: Operation not permitted

2.3 google结果

that does look docker-specific. Based on the nsjail readme, it looks like --privileged may be needed, which is unfortunate: https://github.com/google/nsjail#launching-in-docker

2.4 解决办法

添加 --privileged 参数

docker run --privileged  -it --user $(id -u ${
    USER}):$(id -g ${
    USER})   -v $PWD:/home/builder/code  -v /etc/passwd:/etc/passwd:ro -v /etc/group:/etc/group:ro -v /etc/shadow:/etc/shadow:ro   android_mm_build:latest /bin/bash

2.5 关于–privileged 参数

官网原文https://docs.docker.com/engine/reference/run/

–privileged Give extended privileges to this container.

By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices (see the documentation on cgroups devices).

When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host. Additional information about running with --privileged is available on the Docker Blog.

大致是说,不带此参数启动的容器,是不能访问host的device的,而使用了此参数之后,就如同有了root权限,可以像在host上访问device一样,访问各种设备、文件和配置。

文章标签:
容器
Docker
Android开发
关键词:
Android源码
Docker error
Android Build
Docker disabled
Docker build
阿迷创客
目录
相关文章
阿迷创客
|
Java Android开发 C++
Android Studio JNI 使用模板:c/cpp源文件的集成编译,快速上手
本文提供了一个Android Studio中JNI使用的模板,包括创建C/C++源文件、编辑CMakeLists.txt、编写JNI接口代码、配置build.gradle以及编译生成.so库的详细步骤,以帮助开发者快速上手Android平台的JNI开发和编译过程。
阿迷创客
1363 1
蓝易云
|
Linux Docker 容器
安装docker-18.06报错Error: libseccomp conflicts with docker-18.06
通过这些步骤,您可以成功在CentOS上安装Docker 18.06,并解决libseccomp的冲突问题。这些方法确保系统兼容性,并保证Docker的正常运行。
蓝易云
420 27
mshfx
|
关系型数据库 MySQL Docker
docker pull mysql:8.0.26提示Error response from daemon: Get “https://registry-1.docker.io/v2/“: EOF错误
docker pull mysql:8.0.26提示Error response from daemon: Get “https://registry-1.docker.io/v2/“: EOF错误
mshfx
4809 9
游客lijmi4663rgsa
|
JavaScript Java Docker
干货含源码!如何用Java后端操作Docker(命令行篇)
只有锻炼思维才能可持续地解决问题,只有思维才是真正值得学习和分享的核心要素。如果这篇博客能给您带来一点帮助,麻烦您点个赞支持一下,还可以收藏起来以备不时之需,有疑问和错误欢迎在评论区指出~
游客lijmi4663rgsa
307 0
aqi00
|
Linux API 开发工具
FFmpeg开发笔记(五十九)Linux编译ijkplayer的Android平台so库
ijkplayer是由B站研发的移动端播放器,基于FFmpeg 3.4,支持Android和iOS。其源码托管于GitHub,截至2024年9月15日,获得了3.24万星标和0.81万分支,尽管已停止更新6年。本文档介绍了如何在Linux环境下编译ijkplayer的so库,以便在较新的开发环境中使用。首先需安装编译工具并调整/tmp分区大小,接着下载并安装Android SDK和NDK,最后下载ijkplayer源码并编译。详细步骤包括环境准备、工具安装及库编译等。更多FFmpeg开发知识可参考相关书籍。
aqi00
789 0
FFmpeg开发笔记(五十九)Linux编译ijkplayer的Android平台so库
游客cxtb2yf2r55as
|
编译器 Android开发
配置环境变量,使CMakeLists.txt可直接使用Android NDK工具链编译项目
配置环境变量,使CMakeLists.txt可直接使用Android NDK工具链编译项目
游客cxtb2yf2r55as
739 1
游客cxtb2yf2r55as
|
Ubuntu Shell API
Ubuntu 64系统编译android arm64-v8a 的openssl静态库libssl.a和libcrypto.a
Ubuntu 64系统编译android arm64-v8a 的openssl静态库libssl.a和libcrypto.a
游客cxtb2yf2r55as
653 1
小Tomkk
|
网络虚拟化 Docker 容器
docker Desktop报错 error pulling image configuration 处理
docker Desktop报错 error pulling image configuration 处理
小Tomkk
318 0
爱吃龙利鱼
|
网络协议 应用服务中间件 Linux
docker常见报错提示WARNING: IPv4 forwarding is disabled. Networking will not work.或/usr/bin/docker-current:
### 故障与解决方法概览 1. **故障现象**:运行 `docker run -d -P httpd:centos` 时提示“IPv4转发已禁用,网络将无法工作”。 - **解决方法**:通过编辑 `/etc/sysctl.conf` 设置 `net.ipv4.ip_forward=1` 并执行 `sysctl -p` 启用路由转发,然后重启 Docker 服务。
爱吃龙利鱼
947 0

热门文章

最新文章

  • 1
    推荐3款 Docker 认证的实用免费插件,帮助您快速构建云原生应用程序!
  • 2
    【云栖大会】Docker与阿里云达成战略合作 为企业级客户提供容器服务
  • 3
    Docker Enterprise 正式对 Windows Server 2019 提供支持服务
  • 4
    docker-compose v3版本命令详解参考
  • 5
    docker “no space left on device” 解决方案
  • 6
    docker run 报错“Container XXX is restarting, wait until the container is running“
  • 7
    Windows下部署SpringBoot的实践方案(Docker & Docker Desktop)
  • 8
    Docker搭建开源版禅道以及项目基本流程介绍
  • 9
    【云原生 | Docker篇】Docker镜像(image)与服务
  • 10
    Kubernetes部署文档 使用cri-docker部署K8s集群
  • 1
    Android与iOS的比较:哪个更适合你?
    777
  • 2
    Android 生成jar installable 控制生成的是dex还是class
    653
  • 3
    探索Android与iOS平台的安全性:一场永无止境的较量
    706
  • 4
    构建高效Android应用:Kotlin协程的实践指南
    268
  • 5
    构建高效Android应用:Kotlin协程的全面指南
    225
  • 6
    构建高效Android应用:采用Kotlin协程优化网络请求
    433
  • 7
    构建高效Android应用:Kotlin与Jetpack的实践之路未来技术的融合潮流:区块链、物联网与虚拟现实的交汇点
    221
  • 8
    提升Android应用性能的实用策略
    274
  • 9
    提升安卓应用性能的十大技巧
    362
  • 10
    Android 开发中的内存优化策略
    298

    • 相关课程

    更多
  • 基于Docker与Jenkins实现自动化部署
  • Docker 快速入门
  • Docker完全自学手册图文教程
  • 开源Android容器化框架Atlas开发者指南
  • AI开发者的Docker实践
  • Docker 入门

    • 相关电子书

    更多
  • 应用 Docker 进行持续交付:用技术改变交付路程
  • 从Docker到容器服务
  • 构建基因数据应用生态系统—— docker in Bio/informatics

    • 推荐镜像

    更多
  • docker-ce
  • docker-toolbox
    • 下一篇
    阿里云重磅新品:Agent安全中心,全新安全框架下AI Agent一体化防御平台