main: override systemd features only when security.nesting=false

[simondeziel]

Distrobuilder creates a systemd generator (/etc/systemd/system-generators/lxc) to, among other things, work around problems with broken name space support inside containers.

Many of the distro images built by distrobuilder come with systemd. Those often ship multiple systemd units leveraging hardening features that rely on mount name spaces. The problem is that mount name spaces do not work well inside containers so the workaround so far has been to disable those features to avoid causing service failures.

This PR proposes to be more selective and only disable those hardening features relying on mount name spaces when security.nesting=false.

This was tested on a Focal host with kernel 5.13, LXD 5.0.0-e478009 rev 22894 and the following containers:

Distro	Priv	Nesting
alt/Sisyphus	true	true
alt/Sisyphus	true	false
alt/Sisyphus	false	true
alt/Sisyphus	false	false
debian/sid	true	true
debian/sid	true	false
debian/sid	false	true
debian/sid	false	false
ubuntu/focal	false	true
ubuntu/focal	false	false
ubuntu/focal	false	true
ubuntu/focal	false	false
ubuntu/jammy	false	true
ubuntu/jammy	false	false
ubuntu/jammy	false	true
ubuntu/jammy	false	false

I would appreciate some extra testing because a previous attempt (#559) caused many regressions. My hope is those regressions happened because NoNewPrivileges has interactions with mount name spaces which didn't work in the security.nesting=false case.

[monstermunchkin]

@simondeziel I tested the relevant images, and they seem to behave just fine.

[simondeziel]

Thanks @monstermunchkin for the test drive, I really appreciate it!