From d4b78d0f7c2d3e6714f82538eca30e2414e97fdc Mon Sep 17 00:00:00 2001 From: Philipp Wollermann Date: Thu, 10 Dec 2015 11:16:42 +0000 Subject: Further improve sandbox documentation. -- MOS_MIGRATED_REVID=109881691 --- site/docs/bazel-user-manual.html | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) (limited to 'site') diff --git a/site/docs/bazel-user-manual.html b/site/docs/bazel-user-manual.html index 5ebca69c56..62261d6881 100644 --- a/site/docs/bazel-user-manual.html +++ b/site/docs/bazel-user-manual.html @@ -844,18 +844,20 @@ $ bazel fetch //...

- On some platform such as GKE - cluster nodes, namespace are deactivated using the kernel.unprivileged_userns_clone - sysctl. This can be checked by looking at the file - /proc/sys/kernel/unprivileged_userns_clone: if it exists and set to 0, then - namespace can be activated with sudo sysctl kernel.unprivileged_userns_clone=1. + On some platforms such as Google Container + Engine cluster nodes or Debian, user namespaces are deactivated by default due to security + concerns. This can be checked by looking at the file + /proc/sys/kernel/unprivileged_userns_clone: if it exists and contains a 0, then + user namespaces can be activated with sudo sysctl kernel.unprivileged_userns_clone=1.

- In some cases, Bazel sandbox fails to execute rules because of the system setup. The symptom is - generally a failure that output a message similar to + In some cases, the Bazel sandbox fails to execute rules because of the system setup. The symptom + is generally a failure that output a message similar to namespace-sandbox.c:633: execvp(argv[0], argv): No such file or directory. In that - case, try to deactivate the sandbox for genrule with --genrule_strategy=standalone - and for other rules with --spawn_strategy=standalone. + case, try to deactivate the sandbox for genrules with --genrule_strategy=standalone + and for other rules with --spawn_strategy=standalone. Also please report a bug on our + issue tracker and mention which Linux distribution you're using so that we can investigate and + provide a fix in a subsequent release.
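Review bot: The first paragraph now says user namespaces are deactivated by default "due to security concerns" and then tells the reader to run "sudo sysctl kernel.unprivileged_userns_clone=1" without stating the trade-off. Suggest adding a sentence saying that this setting applies to the whole host and lets every unprivileged user create user namespaces, and that a value set this way lasts only until the next reboot unless it is persisted in the sysctl configuration. The second paragraph has the same gap: "--genrule_strategy=standalone" and "--spawn_strategy=standalone" are offered as the fix, but the text does not say that the affected actions then run without the sandbox, so it should be described as a temporary workaround to drop once the reported bug is fixed. Since that line is being touched anyway, "a failure that output a message" should read "a failure that outputs a message".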

-- cgit v1.2.3