Check gvisor on startup of run.sh, and clean up scripts related to gvisor flags (#760)

* Check gvisor on startup
* Clear up get_checkpoint_path.sh script, so it doesn't hurt to run it twice

sandbox/gvisor/get_checkpoint_path.sh

@@ -31,7 +31,7 @@ function check_gvisor {
     return
   fi
   # Check if a trivial command works under gvisor with the proposed flags.
-  if runsc --network none "$@" do true 2> /dev/null; then
+  if runsc --network none "$@" "do" true 2> /dev/null; then
     export GVISOR_FLAGS="$@"
     export GVISOR_AVAILABLE=1
   fi
@@ -40,9 +40,9 @@ function check_gvisor {
 check_gvisor --unprivileged --ignore-cgroups
 check_gvisor --unprivileged
 
-# If we can't use --unprivileged, stick with --rootless and no checkpoint
-if [[ -z "$GVISOR_FLAGS" ]]; then
-  check_gvisor --rootless
-else
+# If we can't use --unprivileged, stick with --rootless. We will not make a checkpoint.
+check_gvisor --rootless
+
+if [[ "$GVISOR_FLAGS" =~ "-unprivileged" ]]; then
   export GRIST_CHECKPOINT=/tmp/engine_$(echo $PWD | sed "s/[^a-zA-Z0-9]/_/g")
 fi

sandbox/run.sh

@@ -3,8 +3,17 @@
 set -e
 
 if [[ "$GRIST_SANDBOX_FLAVOR" = "gvisor" ]]; then
-  ./sandbox/gvisor/update_engine_checkpoint.sh
   source ./sandbox/gvisor/get_checkpoint_path.sh
+
+  # Check GVISOR_FLAGS we ended up with. Don't ignore the output, it may be helpful in troubleshooting.
+  if runsc --network none $GVISOR_FLAGS "do" true; then
+    echo "gvisor check ok (flags: ${GVISOR_FLAGS})"
+  else
+    echo "gvisor check failed (flags: ${GVISOR_FLAGS}); consider different GVISOR_FLAGS or GRIST_SANDBOX_FLAVOR"
+    exit 1
+  fi
+
+  ./sandbox/gvisor/update_engine_checkpoint.sh
 fi
 
 NODE_PATH=_build:_build/stubs:_build/ext node _build/stubs/app/server/server.js