Remove nsenter.c in Go >= 1.10

[ccope]

Go will now actually isolate an OS thread when you call LockOSThread, so the C hack shouldn't be necessary anymore: https://golang.org/doc/go1.10#runtime

[cyphar]

I'm not sure that it'd be reasonable to do it, even with LockOSThread. Go will spawn threads automatically, and there's no way to stop it from doing that. CLONE_NEWUSER requires that you be a single-threaded process -- so we would have to do several hacks to get around that. Then you have the general issue that namespace operations affect only the calling thread -- and while we would execute execve(2) in the same thread we did namespace setup I am very cautious about trusting the Go runtime to not break underneath us.

To be frank, I just trust that the C code we have is doing the right thing in a way that I don't think I'll ever be able to trust the Go runtime in the same way. I've had to deal with far too many Go bugs in my time.

[ccope]

The change prevents spawning from locked threads, and was directly in response to the blog post about namespace issues with go: golang/go#20676

I'd consider this 'wishlist' level priority, given that the C shim seems to be doing fine, but a pure Go alternative should work if issues arise.

[brb]

It's unsafe to replace nsenter.c with any implementation in Go.

As @cyphar mentioned, it's not possible to ensure that all Go runtime threads will have the same thread-state modifications. Additionally, if you spawn a new goroutine from the locked one, the new goroutine will end up running on a different "non-modified" thread leading to funky results, see https://www.weave.works/blog/linux-namespaces-golang-followup.