Fix auto-uid-allocation in Docker containers

[edolstra]

Motivation

Fixes

# nix build --extra-experimental-features 'auto-allocate-uids nix-command flakes' --auto-allocate-uids --impure --expr 'with import <nixpkgs> {}; runCommand "foo" {} "mkdir $out"'
foo> /tmp/nix-build-foo.drv-0/.attr-0l2nkwhif96f51f4amnlf414lhl4rv9vh8iffyp431v6s28gsr90: line 1: /nix/store/2fhbn9q5q3r96p9jmrnwh36a7m3iwvar-foo: Permission denied

This didn't work because sandboxing doesn't work in Docker. However, the sandboxing check is done lazily - after clone(CLONE_NEWNS) fails, we retry with sandboxing disabled. But at that point, we've already done UID allocation under the assumption that user namespaces are enabled.

So let's get rid of the "goto fallback" logic and just detect early whether user / mount namespaces are enabled.

This commit also gets rid of a compatibility hack for some ancient Linux kernels (<2.13).

It also adds a check to automatically disable sandboxing in unprivileged podman containers, since that doesn't work.

Checklist for maintainers

Maintainers: tick if completed or explain if not relevant

• agreed on idea
• agreed on implementation strategy
• tests, as appropriate
  • functional tests - tests/**.sh
  • unit tests - src/*/tests
  • integration tests
• documentation in the manual
• code and comments are self-explanatory
• commit message explains why the change was made
• new feature or bug fix: updated release notes

[thufschmitt]

Looks great overall. Beyond the actual bugfix, it feels like this is untangling this piece of code quite a lot, which is quite pleasant :)

Comments addressed.

[abathur]

@edolstra #8481 may be related to this change? It sounds like some of the old lack-of-sandboxing-support issues, but it looks like reports of that problem dried up a few years ago.