Allow mapping auxiliary filesystem groups into rootless podman-hpc containers.

[danfulton]

At NERSC, users would like to be able to map their collaboration groups, and access files owned by collaboration members into their containers. This is core functionality to work with collaboration-owned data, and required for podman-hpc to replicate the functionality of Shifter.

The fundamental configuration required to allow this is that the user must have access to their auxiliary filesystem group as a subordinate group ids listed in the /etc/subgid configuration file. This functionality is already supported by Podman, and therefore this is a "configuration and installation" issue, rather than a code change for Podman-HPC.

Even with this configuration, determining the correct id mapping scheme is still quite complicated for the user, and so we will likely want to enable or provide convenient tools to generate common id maps. We also need to provide site documentation for enabling this functionality at a multiuser HPC site.

[lastephey]

@JBlaschke

[danfulton]

Noteably, Podman provides some additional group mapping functionality when crun (as opposed to runc) is used as the backing OCI runtime. See for example https://docs.podman.io/en/latest/markdown/podman-run.1.html#group-add-group-keep-groups.

[danfulton]

I've verified that when using crun and the keep-groups flag, that users can access collab or group owned files from inside container on Perlmutter. The default runtime on Perlmutter should be crun following the maintenance today.