box-builder / tarutil

provides helpers to handle tar archives
Apache License 2.0

chrootarchive support #18

Open erikh opened 7 years ago

erikh commented 7 years ago

This should be done as follows:

  1. Implement runc support; we can rely on runc in the path for this.
  2. runc will run a compiled program we embed into tarutil for the sole purpose of unpacking a file with a specialized filename.
  3. The filename and tar program are stored at the root of the rootfs.
  4. The runc command is invoked with the appropriate container flags for unpacking. It's important to not unpack over the tar file for hopefully obvious security reasons.
  5. The files are overwritten (whiteout) in the unlucky event the inodes are the same file, they won't refer to our tar program or tar file (it'll just be nulled).
  6. Stop runc and return the tar path.
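
An added example, not part of the original issue or of tarutil's code: one way the embedded unpacker could enforce the rule in step 4 by refusing any tar entry whose path or link target resolves to the files kept at the rootfs root. The file names `.tarutil-unpack` and `.tarutil-layer.tar`, and the `CheckEntry` helper, are hypothetical.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"path"
)

// Hypothetical names for the unpacker binary and archive kept at the rootfs root.
var reserved = map[string]bool{"/.tarutil-unpack": true, "/.tarutil-layer.tar": true}
var ErrReserved = errors.New("entry targets a reserved unpacker file")

// CheckEntry rejects a header whose path or link target lexically resolves to a reserved file.
func CheckEntry(hdr *tar.Header) error {
	// Every candidate is anchored at "/", so ".." cannot climb above the rootfs.
	candidates := []string{path.Join("/", hdr.Name)}
	switch hdr.Typeflag {
	case tar.TypeLink: // hard-link targets are relative to the archive root
		candidates = append(candidates, path.Join("/", hdr.Linkname))
	case tar.TypeSymlink: // relative symlinks resolve from the entry's directory
		dir := path.Dir(candidates[0])
		if path.IsAbs(hdr.Linkname) {
			dir = "/"
		}
		candidates = append(candidates, path.Join(dir, hdr.Linkname))
	}
	for _, p := range candidates {
		if reserved[p] {
			return fmt.Errorf("%w: %q resolves to %s", ErrReserved, hdr.Name, p)
		}
	}
	return nil
}

// Constructed headers for demonstration; only the first is acceptable.
var samples = []*tar.Header{
	{Name: "etc/passwd", Typeflag: tar.TypeReg},
	{Name: "./.tarutil-layer.tar", Typeflag: tar.TypeReg},
	{Name: "usr/../../.tarutil-unpack", Typeflag: tar.TypeReg},
	{Name: "tmp/x", Typeflag: tar.TypeSymlink, Linkname: "../.tarutil-layer.tar"},
	{Name: "bin/sh", Typeflag: tar.TypeLink, Linkname: ".tarutil-unpack"},
}

func main() {
	for _, hdr := range samples {
		fmt.Printf("%-28s %v\n", hdr.Name, CheckEntry(hdr))
	}
}
```

The check is lexical only: an entry written through a directory that an earlier entry turned into a symlink is not caught here and needs resolution against the tree on disk.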