Using the fake* combo suffers from a number of issues:
- does not properly preserve the names (see the tar comment)
- the fake* packages semi-regularly fail to build
- mixing glibc versions on each side is a recipe for disaster, since some functions might not be caught via the LD_PRELOAD magic
Instead let's opt for unshare with user namespaces. This requires kernel.unprivileged_userns_clone=1 or equivalent.
This MR builds upon/supersedes !72 (closed)
It includes, one patch from !81 (merged) to avoid conflicts, keeps the tar workaround removal a separate commit and most importantly documents all the changes that we get (for base.tar) - be that varying files, extra files or permissions/ownership changes.