Add option to enable Docker sandboxing.

RELNOTES: None.
PiperOrigin-RevId: 199467128

src/main/java/com/google/devtools/build/lib/sandbox/SandboxActionContextProvider.java

@@ -22,6 +22,7 @@
 import com.google.devtools.build.lib.actions.Spawn;
 import com.google.devtools.build.lib.actions.SpawnResult;
 import com.google.devtools.build.lib.actions.Spawns;
+import com.google.devtools.build.lib.events.Event;
 import com.google.devtools.build.lib.exec.ActionContextProvider;
 import com.google.devtools.build.lib.exec.SpawnRunner;
 import com.google.devtools.build.lib.exec.apple.XcodeLocalEnvProvider;
@@ -71,28 +72,35 @@ public static SandboxActionContextProvider create(CommandEnvironment cmdEnv, Pat
       contexts.add(new ProcessWrapperSandboxedStrategy(cmdEnv.getExecRoot(), spawnRunner));
     }
 
-    // This strategy uses Docker to execute spawns. It should work on all platforms that support
-    // Docker.
-    getPathToDockerClient(cmdEnv)
-        .ifPresent(
-            dockerClient -> {
-              if (DockerSandboxedSpawnRunner.isSupported(cmdEnv, dockerClient)) {
-                String defaultImage = options.getOptions(SandboxOptions.class).dockerImage;
-                boolean useCustomizedImages =
-                    options.getOptions(SandboxOptions.class).dockerUseCustomizedImages;
-                SpawnRunner spawnRunner =
-                    withFallback(
-                        cmdEnv,
-                        new DockerSandboxedSpawnRunner(
-                            cmdEnv,
-                            dockerClient,
-                            sandboxBase,
-                            defaultImage,
-                            timeoutKillDelay,
-                            useCustomizedImages));
-                contexts.add(new DockerSandboxedStrategy(cmdEnv.getExecRoot(), spawnRunner));
-              }
-            });
+    SandboxOptions sandboxOptions = options.getOptions(SandboxOptions.class);
+
+    if (sandboxOptions.enableDockerSandbox) {
+      // This strategy uses Docker to execute spawns. It should work on all platforms that support
+      // Docker.
+      getPathToDockerClient(cmdEnv)
+          .ifPresent(
+              dockerClient -> {
+                if (DockerSandboxedSpawnRunner.isSupported(cmdEnv, dockerClient)) {
+                  String defaultImage = sandboxOptions.dockerImage;
+                  boolean useCustomizedImages = sandboxOptions.dockerUseCustomizedImages;
+                  SpawnRunner spawnRunner =
+                      withFallback(
+                          cmdEnv,
+                          new DockerSandboxedSpawnRunner(
+                              cmdEnv,
+                              dockerClient,
+                              sandboxBase,
+                              defaultImage,
+                              timeoutKillDelay,
+                              useCustomizedImages));
+                  contexts.add(new DockerSandboxedStrategy(cmdEnv.getExecRoot(), spawnRunner));
+                }
+              });
+    } else if (sandboxOptions.dockerVerbose) {
+      cmdEnv.getReporter().handle(Event.info(
+          "Docker sandboxing disabled. Use the '--experimental_enable_docker_sandbox' command "
+          + "line option to enable it"));
+    }
 
     // This is the preferred sandboxing strategy on Linux.
     if (LinuxSandboxedSpawnRunner.isSupported(cmdEnv)) {

src/main/java/com/google/devtools/build/lib/sandbox/SandboxOptions.java

@@ -218,6 +218,14 @@ public ImmutableSet<Path> getInaccessiblePaths(FileSystem fs) {
   )
   public boolean collectLocalSandboxExecutionStatistics;
 
+  @Option(
+    name = "experimental_enable_docker_sandbox",
+    defaultValue = "false",
+    documentationCategory = OptionDocumentationCategory.EXECUTION_STRATEGY,
+    effectTags = {OptionEffectTag.EXECUTION},
+    help = "Enable Docker-based sandboxing. This option has no effect if Docker is not installed.")
+  public boolean enableDockerSandbox;
+
   @Option(
     name = "experimental_docker_image",
     defaultValue = "",