Make sandboxed execution the default in Bazel. This should be safe, as the strategy is only used if your Linux kernel is new enough and your running system supports it. If this breaks you, please file a bug and you can always go back to non-sandboxed execution by using --spawn_strategy=standalone.

--
MOS_MIGRATED_REVID=101464269

1 files changed, 17 insertions, 0 deletions

diff --git a/site/docs/bazel-user-manual.html b/site/docs/bazel-user-manual.html
index 2c615eea34..3a367ec530 100644
--- a/site/docs/bazel-user-manual.html
+++ b/site/docs/bazel-user-manual.html
@@ -952,6 +952,23 @@ $ bazel fetch //...
 
 </p>
 
+<h4 id='sandboxing'>Sandboxed execution</h4>
+<p>
+  In order to guarantee hermeticity (i.e. the build does not use input files
+  that are not explicitly listed and does not produce output files that were
+  not expected to be created) and correctness, Bazel runs spawns (i.e. a
+  compiler invocation) in sandboxes that only contain the minimum necessary
+  set of files for the tool to run and do its work. Currently this works on
+  Linux 3.12 or newer with the CONFIG_USER_NS option enabled. Bazel will
+  print a warning if sandboxing cannot be used to alert you to the fact that
+  builds are not guaranteed hermetic and might affect the host system in
+  unknown ways.
+</p>
+<p>
+  To disable the warning about non-sandboxed execution, you can pass the
+  --ignore_unsupported_sandboxing flag to Bazel.
+</p>
+
 <h3 id='clean'>Deleting the outputs of a build</h3>
 
 <h4>The <code>clean</code> command</h4>