From 4b80f2455e7e49a95f3a4c9102a67a57dad52207 Mon Sep 17 00:00:00 2001
From: lberki
Date: Wed, 6 Jun 2018 08:08:34 -0700
Subject: [PATCH] Add option to enable Docker sandboxing.
RELNOTES: None.
PiperOrigin-RevId: 199467128
---
.../sandbox/SandboxActionContextProvider.java | 52 +++++++++++--------
.../build/lib/sandbox/SandboxOptions.java | 8 +++
2 files changed, 38 insertions(+), 22 deletions(-)
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxActionContextProvider.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxActionContextProvider.java
index d6f847b75c11b4..8d04bb5b924d29 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxActionContextProvider.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxActionContextProvider.java
@@ -22,6 +22,7 @@ import com.google.devtools.build.lib.actions.Spawn;
 import com.google.devtools.build.lib.actions.SpawnResult;
 import com.google.devtools.build.lib.actions.Spawns;
+import com.google.devtools.build.lib.events.Event;
 import com.google.devtools.build.lib.exec.ActionContextProvider;
 import com.google.devtools.build.lib.exec.SpawnRunner;
 import com.google.devtools.build.lib.exec.apple.XcodeLocalEnvProvider;
@@ -71,28 +72,35 @@ public static SandboxActionContextProvider create(CommandEnvironment cmdEnv, Pat
 contexts.add(new ProcessWrapperSandboxedStrategy(cmdEnv.getExecRoot(), spawnRunner));
 }
- // This strategy uses Docker to execute spawns. It should work on all platforms that support
- // Docker.
- getPathToDockerClient(cmdEnv)
- .ifPresent(
- dockerClient -> {
- if (DockerSandboxedSpawnRunner.isSupported(cmdEnv, dockerClient)) {
- String defaultImage = options.getOptions(SandboxOptions.class).dockerImage;
- boolean useCustomizedImages =
- options.getOptions(SandboxOptions.class).dockerUseCustomizedImages;
- SpawnRunner spawnRunner =
- withFallback(
- cmdEnv,
- new DockerSandboxedSpawnRunner(
- cmdEnv,
- dockerClient,
- sandboxBase,
- defaultImage,
- timeoutKillDelay,
- useCustomizedImages));
- contexts.add(new DockerSandboxedStrategy(cmdEnv.getExecRoot(), spawnRunner));
- }
- });
+ SandboxOptions sandboxOptions = options.getOptions(SandboxOptions.class);
+
+ if (sandboxOptions.enableDockerSandbox) {
+ // This strategy uses Docker to execute spawns. It should work on all platforms that support
+ // Docker.
+ getPathToDockerClient(cmdEnv)
+ .ifPresent(
+ dockerClient -> {
+ if (DockerSandboxedSpawnRunner.isSupported(cmdEnv, dockerClient)) {
+ String defaultImage = sandboxOptions.dockerImage;
+ boolean useCustomizedImages = sandboxOptions.dockerUseCustomizedImages;
+ SpawnRunner spawnRunner =
+ withFallback(
+ cmdEnv,
+ new DockerSandboxedSpawnRunner(
+ cmdEnv,
+ dockerClient,
+ sandboxBase,
+ defaultImage,
+ timeoutKillDelay,
+ useCustomizedImages));
+ contexts.add(new DockerSandboxedStrategy(cmdEnv.getExecRoot(), spawnRunner));
+ }
+ });
+ } else if (sandboxOptions.dockerVerbose) {
+ cmdEnv.getReporter().handle(Event.info(
+ "Docker sandboxing disabled. Use the '--experimental_enable_docker_sandbox' command " + "line option to enable it"));
+ }
 // This is the preferred sandboxing strategy on Linux.
 if (LinuxSandboxedSpawnRunner.isSupported(cmdEnv)) {
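Review bot: When `sandboxOptions.enableDockerSandbox` is true but `getPathToDockerClient(cmdEnv)` is empty or `DockerSandboxedSpawnRunner.isSupported` returns false, the new `if` branch registers nothing and reports nothing, so a user who explicitly opted in to the Docker sandbox gets the remaining strategies with no indication that the requested isolation boundary is not in place. A warning on those two paths, e.g. `cmdEnv.getReporter().handle(Event.warn("--experimental_enable_docker_sandbox is set but no usable Docker client was found; Docker sandboxing is unavailable"));`, would make the degraded configuration visible, and `Event` is already imported by this change. The info message in the `else if (sandboxOptions.dockerVerbose)` branch should also end with a period, matching the surrounding messages. `create` starts and ends outside this hunk.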
diff --git a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java
index 60259446279850..d8ec1813ed7bd5 100644
--- a/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java
+++ b/src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java
@@ -218,6 +218,14 @@ public ImmutableSet getInaccessiblePaths(FileSystem fs) {
 )
 public boolean collectLocalSandboxExecutionStatistics;
+ @Option(
+ name = "experimental_enable_docker_sandbox",
+ defaultValue = "false",
+ documentationCategory = OptionDocumentationCategory.EXECUTION_STRATEGY,
+ effectTags = {OptionEffectTag.EXECUTION},
+ help = "Enable Docker-based sandboxing. This option has no effect if Docker is not installed.")
+ public boolean enableDockerSandbox;
+
 @Option(
 name = "experimental_docker_image",
 defaultValue = "",
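Review bot: The help text for `experimental_enable_docker_sandbox` describes only the missing-Docker case, but the registration code in SandboxActionContextProvider also skips the Docker strategy when `DockerSandboxedSpawnRunner.isSupported` returns false, so the option is silently a no-op in more situations than the help states. Suggest `help = "Enable Docker-based sandboxing. This option has no effect if Docker is not installed or is not supported on this platform."`. If the other `experimental_` options in this class carry `metadataTags = {OptionMetadataTag.EXPERIMENTAL}` (their annotations are not visible in this hunk), the new option should carry it as well so it is flagged consistently. The enclosing class continues outside the hunk.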