redhat-buildpacks / poc

Project to be used to perform go build of images using Buildah, ...

Fixes for running in a container #14

Closed nalind closed 2 years ago

nalind commented 2 years ago

In Dockerfile_build, don't try to build with one libc and run with another.

In Dockerfile_build, don't disable cgo - it's a hard requirement for setting up user namespaces. The default seccomp filter for dockerd doesn't allow us to use the unshare() syscall, which is part of setting up namespaces, so if we're running under dockerd, we still need to be started with either

--security-opt seccomp=unconfined

to not use a seccomp filter, or

--security-opt seccomp=/usr/share/containers/seccomp.json

to use the seccomp filter that podman uses, which will allow the container to use the unshare() syscall.

In Dockerfile_build, supply additional configuration files used by underlying libraries.

Force the type of isolation used for RUN instructions to "chroot", since we'll be running in a container and it doesn't have other runtimes installed in it.

Always make sure to initialize the reexec functionality first. The init() function might still error out if specific environment variables aren't to our liking, but the parent process, which isn't started by reexec, should error out if that's the case, long before it starts any child processes that the error messages might interfere with.

Reexec into a new user namespace at startup if we don't have CAP_SYS_ADMIN in the one that we're started in, even if we're UID 0.

Use github.com/containers/image/v5/storage.Transport.NewStoreReference() to convert the built image's ID into a reference suitable for copying from, rather than attempting to generate an intermediate string representation and parse it again.

Have CopyImage() just use the source reference that its caller already built.
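The startup rule from the description above (re-exec into a new user namespace when CAP_SYS_ADMIN is missing from the effective set, even as UID 0), as an added example that is not code from this repository or from buildah; parsing CapEff out of /proc/self/status, the REEXEC_IN_USERNS guard variable and the 1:1 UID/GID mapping are my assumptions, and the program is Linux-only.

```go
package main
import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"strconv"
	"strings"
	"syscall"
)
const capSysAdmin = 21 // Linux capability bit index for CAP_SYS_ADMIN

// hasCapability reports whether capability bit `bit` is set in the CapEff line of /proc/<pid>/status text.
func hasCapability(status string, bit uint) (bool, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 && f[0] == "CapEff:" {
			mask, err := strconv.ParseUint(f[1], 16, 64)
			return mask&(1<<bit) != 0, err
		}
	}
	return false, fmt.Errorf("no CapEff line in status text")
}
// needsUserNamespace is the PR's rule: no CAP_SYS_ADMIN, even as UID 0, means re-exec.
func needsUserNamespace(status string) (bool, error) {
	ok, err := hasCapability(status, capSysAdmin)
	return err == nil && !ok, err
}
func main() {
	raw, _ := os.ReadFile("/proc/self/status") // Linux only
	need, err := needsUserNamespace(string(raw))
	// REEXEC_IN_USERNS is an assumed guard so the child does not re-exec forever.
	if err == nil && need && os.Getenv("REEXEC_IN_USERNS") == "" {
		cmd := exec.Command("/proc/self/exe", os.Args[1:]...)
		cmd.Env = append(os.Environ(), "REEXEC_IN_USERNS=1")
		cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
		cmd.SysProcAttr = &syscall.SysProcAttr{ // become UID 0 in a new user namespace
			Cloneflags:  syscall.CLONE_NEWUSER,
			UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
			GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
		}
		if err := cmd.Run(); err != nil { // EPERM here typically means seccomp blocks unshare()
			fmt.Fprintln(os.Stderr, "reexec into user namespace failed:", err)
			os.Exit(1)
		}
		return
	}
	fmt.Println("have CAP_SYS_ADMIN (or already re-executed); continuing")
}
```

Under dockerd with its default seccomp profile the re-exec fails at cmd.Run with a permission error, which is exactly the case the two --security-opt variants above address.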

nalind commented 2 years ago

Rebased.

cmoulliard commented 2 years ago

Many thanks for this PR :-). I will merge it and make a test.