runjail
Detect when unprivileged user namespaces are disabled
Some distros have unprivileged user namespaces disabled by default (e.g. kernel.unprivileged_userns_clone sysctl).
We should detect this and print a proper error (set the sysctl or use bwrap backend).
The two sysctls are /proc/sys/kernel/unprivileged_userns_clone (Debian-specific) and /proc/sys/user/max_user_namespaces.
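A sketch of the check described in this issue, added here as an example and not taken from runjail's code. The function names and the error wording are hypothetical. It assumes a missing or unreadable sysctl file means the knob does not exist on this kernel and so is not treated as a blocker.

```python
import os
import sys

# (path under /proc/sys, sysctl name) for the two knobs named in the issue.
KNOBS = (
    ("kernel/unprivileged_userns_clone", "kernel.unprivileged_userns_clone"),
    ("user/max_user_namespaces", "user.max_user_namespaces"),
)


def read_sysctl(proc_sys, rel):
    """Return the sysctl's integer value, or None if absent or unparseable."""
    try:
        with open(os.path.join(proc_sys, rel)) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def userns_disabled_knobs(proc_sys="/proc/sys"):
    """Names of the sysctls that are present and set to 0."""
    return [name for rel, name in KNOBS if read_sysctl(proc_sys, rel) == 0]


def userns_error(proc_sys="/proc/sys"):
    """Error text for the user, or None if neither knob blocks user namespaces."""
    knobs = userns_disabled_knobs(proc_sys)
    if not knobs:
        return None
    listed = ", ".join(f"{k}=0" for k in knobs)
    return (
        f"unprivileged user namespaces are disabled ({listed}); "
        "set the sysctl to a non-zero value or use the bwrap backend"
    )


if __name__ == "__main__":
    # proc_sys is a parameter only so the check can be tested against a
    # constructed directory tree; real use reads /proc/sys.
    err = userns_error()
    if err:
        print(f"error: {err}", file=sys.stderr)
        sys.exit(1)
    print("unprivileged user namespaces are not disabled by sysctl")
```

A sysctl check passing does not guarantee that creating a user namespace will succeed, so the error path for a failed `unshare`/`clone` is still needed.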