Some distros have unprivileged user namespaces disabled by default (e.g. via the kernel.unprivileged_userns_clone sysctl). We should detect this and print a proper error (set the sysctl or use the bwrap backend).
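One way the check could look, as an added sketch that is not this project's code: probe `unshare(CLONE_NEWUSER)` in a child process and, on failure, name the sysctl responsible. The function names are hypothetical, and the example goes beyond the issue by also checking the upstream `user.max_user_namespaces` limit.

```python
import ctypes
import os
from pathlib import Path

CLONE_NEWUSER = 0x10000000  # value from <linux/sched.h>

# sysctl name -> (value that disables unprivileged userns, suggested fix)
GATES = {
    "kernel.unprivileged_userns_clone":
        ("0", "run `sysctl -w kernel.unprivileged_userns_clone=1`"),
    "user.max_user_namespaces":
        ("0", "set user.max_user_namespaces to a non-zero value"),
}

def userns_blockers(proc_sys="/proc/sys"):
    """Return the gating sysctls whose current value disables user namespaces."""
    found = []
    for name, (off, _fix) in GATES.items():
        try:
            value = (Path(proc_sys) / name.replace(".", "/")).read_text().strip()
        except OSError:
            continue  # sysctl absent on this kernel, so it cannot be the cause
        if value == off:
            found.append(name)
    return found

def probe_userns():
    """Call unshare(CLONE_NEWUSER) in a throwaway child; return 0 or its errno."""
    pid = os.fork()
    if pid == 0:
        libc = ctypes.CDLL(None, use_errno=True)
        rc = libc.unshare(CLONE_NEWUSER)
        os._exit(0 if rc == 0 else ctypes.get_errno() & 0xFF)
    return os.waitstatus_to_exitcode(os.waitpid(pid, 0)[1])

def userns_error(err, proc_sys="/proc/sys"):
    """Turn a failed probe into an actionable message; None when the probe passed."""
    if err == 0:
        return None
    msg = f"cannot create a user namespace: {os.strerror(err)}"
    blockers = userns_blockers(proc_sys)
    if not blockers:
        return msg + ". No known sysctl gate is set; try the bwrap backend."
    state = ", ".join(f"{b}={GATES[b][0]}" for b in blockers)
    fixes = "; ".join(GATES[b][1] for b in blockers)
    return f"{msg} ({state}). Fix: {fixes}, or use the bwrap backend."

if __name__ == "__main__":
    print(userns_error(probe_userns()) or "unprivileged user namespaces are available")
```

The `proc_sys` parameter exists so the sysctl lookup can be tested against a constructed directory tree instead of the live `/proc/sys`.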