Fail gracefully if bwrap sandbox is available but not functional

[mato]

On Linux, when opam init is run in an existing, external, sandbox (i.e. chroot, Docker container or other mechanism) where bwrap is available but not functional, we fail with an obscure error message.

For example, building this Dockerfile:

FROM debian:stable

RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt install -qq -y \
    opam \
    mccs \
    && apt-get clean

RUN useradd -u 1000 -m -s /bin/bash user
USER user
WORKDIR /home/user

then, running:

$ docker run --rm -ti <IMAGE>
user@e3a63af02536:~$ opam init -a

produces:

[NOTE] Will configure from built-in defaults.
Checking for available remotes: rsync and local, git, mercurial, darcs. Perfect!

<><> Fetching repository information ><><><><><><><><><><><><><><><><><><><><><>
[default] Initialised

User configuration:
  Updating ~/.profile.
[NOTE] Make sure that ~/.profile is well sourced in your ~/.bashrc.


<><> Creating initial switch (ocaml-system>=4.02.3) <><><><><><><><><><><><><><>

<><> Gathering sources ><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

<><> Processing actions <><><><><><><><><><><><><><><><><><><><><><><><><><><><>
-> installed base-bigarray.base
-> installed base-threads.base
-> installed base-unix.base
[ERROR] The compilation of ocaml-system failed at
        "/home/user/.opam/opam-init/hooks/sandbox.sh build ocaml
        gen_ocaml_config.ml".

#=== ERROR while compiling ocaml-system.4.05.0 ================================#
# context     2.0.3 | linux/x86_64 |  | https://opam.ocaml.org#eea367ce
# path        ~/.opam/default/.opam-switch/build/ocaml-system.4.05.0
# command     ~/.opam/opam-init/hooks/sandbox.sh build ocaml gen_ocaml_config.ml
# exit-code   1
# env-file    /tmp/opam-xxx-7/ocaml-system-7-0c525f.env
# output-file /tmp/opam-xxx-7/ocaml-system-7-0c525f.out
### output ###
# bwrap: capset failed: Operation not permitted



<><> Error report <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+- The following actions failed
| - build ocaml-system 4.05.0
+- 
+- The following changes have been performed (the rest was aborted)
| - install base-bigarray base
| - install base-threads  base
| - install base-unix     base
+- 
# Run eval $(opam env) to update the current shell environment
Switch initialisation failed: clean up? ('n' will leave the switch partially
installed) [Y/n] 

Suggested solution:

We should test that the sandbox actually works, e.g. by running something known to succeed in it at opam init time. If it does not work, then we should fail with a useful error message, similarly to what we do if bwrap is not present.

As for testing that the sandbox works, briefly looking at related issues in this repository suggests that we may want to do something more than just an /bin/echo SUCCESS, perhaps compile and link a C "Hello World"?

Related: #3747 #3773

[mato]

From some discussion on Slack, there is also the "average user runs OPAM in Docker and expects it to just work" case.

We may want to consider detecting if Docker is present and disabling sandboxing by default with a warning in this case only. However, given that there is no "100% standard, guaranteed to work forever" method to do so [1] this may be more trouble than it's worth.

[1] https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker/41559867#41559867

[rjbou]

This check can be also helpful for arch.