nspawn: add new --bind-user= option for binding a host user into the container

nspawn: add new --bind-user= option for binding a host user into the container

This new option does three things for a host user specified via
--bind-user=:

1. Bind mount the home directory from the host directory into
   /run/host/home/<username>

2. Install an additional user namepace UID/GID mapping mapping the host
   UID/GID of the host user to an unused one from the container in the range
   60514…60577.

3. Synthesize a user/group record for the user/group under the same name
   as on the host, with minimized information, and the UID/GID set to
   the mapped UID/GID. This data is written to /run/host/userdb/ where
   nss-system will pick it up.

This should make sharing users and home directories from host into the
container pretty seamless, under some conditions:

1. User namespacing must be used.

2. The host UID/GID of the user/group cannot be in the range assigned to
   the container (kernel already refuses this, as this would mean two
   host UIDs/GIDs might end up being mapped to the same continer
   UID/GID.

3. There's a free UID/GID in the aforementioned range in the container,
   and the name of the user/group is not used in the container.

4. Container payload is new enough to include an nss-systemd version
   that picks up records from /run/host/userdb/