Description of the Pull Request (PR):

Pick #2699

Note - there are no e2e tests for the nested containers / nested namespaces situations that are fixed by the commits in this PR. However, our e2e tests do confirm the changes don't cause regressions in non-nested cases.

The e2e framework doesn't offer a great way of executing singularity nested, and I've opened an issue (#2700) to address this to verify functionality more generally than a messy one-off for this PR would handle.

fix: use rootless umoci inside user namespace

If we are running from within a user namespace, then use rootless OCI layer extrraction with umoci.

This permits the extraction to complete when singularity is run under unshare -r.

fix: honor --userns in unsquashfs wrapping

If singularity is executed with --userns/-u then it should also use a user namespace where it executes unsquashfs in a wrapped manner.

Previously the unsquashfs wrapping was without --userns/-u in a setuid installation. This caused extraction to fail from within a non-root-mapped user namespace (e.g. unshare -c).

This fixes or addresses the following GitHub issues:

• Fixes Running Singularity in a user namespace created by an unprivileged user doesn't work #2698

Before submitting a PR, make sure you have done the following:

• Read the Guidelines for Contributing, and this PR conforms to the stated requirements.
• Added changes to the CHANGELOG if necessary according to the Contribution Guidelines
• Added tests to validate this PR, linted with make check and tested this PR locally with a make test, and make testall if possible (see CONTRIBUTING.md).
• Based this PR against the appropriate branch according to the Contribution Guidelines
• Added myself as a contributor to the Contributors File