[20.10 backport] daemon.WithCommonOptions() fix detection of user-namespaces

[AkihiroSuda]

Cherry-pick #42736

Commit dae652e (#41030) added support for non-privileged containers to use ICMP_PROTO (used for ping). This option cannot be set for containers that have user-namespaces enabled.

However, the detection looks to be incorrect; HostConfig.UsernsMode was added in 6993e89 (#20111) / ee21838 (#20913), and the property only has meaning if the daemon is running with user namespaces enabled. In other situations, the property has no meaning.

As a result of the above, the sysctl would only be set for containers running with UsernsMode=host on a daemon running with user-namespaces enabled.

This patch adds a check if the daemon has user-namespaces enabled (RemappedRoot having a non-empty value) to fix the detection.

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

The cherry-pick was almost clean but userns.RunningInUserNS() -> sys.RunningInUserNS().

diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 9b39b8f615..3d34dcb31d 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -768,7 +768,7 @@ func WithCommonOptions(daemon *Daemon, c *container.Container) coci.SpecOpts {
                if c.HostConfig.NetworkMode.IsPrivate() {
                        // We cannot set up ping socket support in a user namespace
                        userNS := daemon.configStore.RemappedRoot != "" && c.HostConfig.UsernsMode.IsPrivate()
-                       if !userNS && !userns.RunningInUserNS() && sysctlExists("net.ipv4.ping_group_range") {
+                       if !userNS && !sys.RunningInUserNS() && sysctlExists("net.ipv4.ping_group_range") {
                                // allow unprivileged ICMP echo sockets without CAP_NET_RAW
                                s.Linux.Sysctl["net.ipv4.ping_group_range"] = "0 2147483647"
                        }

Fix docker/buildx#561

[thaJeztah]

LGTM