rootlessutil: remove dead -r/ from nsenter args

[MayCXC]

Summary

The -r/ flag in ParentMain's nsenter args has been a no-op since it was added. It was placed at args[0], which becomes argv[0] (the program name) when passed to syscall.Exec(arg0, args, env). nsenter consumes it as its own name and never parses it as a flag.

This is harmless today, but if someone corrects the argv ordering (e.g. prepending arg0 to the slice), -r/ would start working and break rootless container creation:

1. nsenter opens the root fd (/) before setns
2. After entering the mount namespace, fchdir(root_fd) + chroot(\".\") anchors the process to the host root
3. In rootless mode, the host's /var/lib/containerd is owned by real root (uid 0), which is unmapped in the user namespace (appears as nobody/65534)
4. Overlay mount lowerdir resolution fails with EACCES because the process cannot traverse the 0700 host directory

This also fixes argv[0] to be arg0 (the nsenter binary path), matching the standard convention.

Verification

Strace comparison before and after, running nerdctl create in rootless mode:

Before (current code, -r/ accidentally in argv[0]):

execve("/usr/bin/nsenter", ["-r/", "-w/home/user", "--preserve-credentials", "-m", "-U", ...], ...)
setns(CLONE_NEWUSER) = 0
setns(CLONE_NEWNS) = 0
fchdir(3) = 0          # -r/ consumed as argv[0], no chroot
execve("nerdctl", ...)
mount("overlay", ...) = 0   # works because no chroot happened

If -r/ were at argv[1] (the latent bug):

setns(CLONE_NEWUSER) = 0
setns(CLONE_NEWNS) = 0
fchdir(3) = 0
chroot(".") = 0       # anchors to host root
fchdir(4) = 0
execve("nerdctl", ...)
mount("overlay", ...) = -1 EACCES   # host /var/lib/containerd inaccessible

After (this PR, -r/ removed, arg0 as argv[0]):

execve("/usr/bin/nsenter", ["/usr/bin/nsenter", "-w/home/user", "--preserve-credentials", "-m", "-U", ...], ...)
setns(CLONE_NEWUSER) = 0
setns(CLONE_NEWNS) = 0
execve("nerdctl", ...)
mount("overlay", ...) = 0   # paths resolve through mount namespace
``` debugger eval code:1:9

[utafrali]

The fix is correct: -r/ was sitting at argv[0] and was consumed by nsenter as its own program name, never parsed as a flag, so its removal is a no-op today and a safety improvement if argv ordering is ever corrected. Setting args[0] = arg0 now properly follows Unix convention. The only minor gap is the loss of the busybox nsenter compatibility comment without any replacement explanation.

[utafrali]

The removed comment mentioned busybox nsenter compatibility with -r/. Now that the flag is intentionally absent, a short note here explaining why it is omitted would help future readers avoid re-adding it. For example:

// Note: -r/ (root dir) is intentionally omitted. In rootless mode, chrooting to
// the host root before setns would anchor the process to host paths that are
// inaccessible inside the user namespace, breaking overlay mounts.
args := []string{arg0}