Allow creating of fuse3-based distribution and support mount/unmount using fusermount3 if it is available

[tildeslu]

In some HPC environments (e.g. PUHTI supercomputer) only fuse3 setuid-helper binary (fusermount3) is shipped on EL8.
Fuse2 libraries are still available but cannot be used in unprivileged way because of absence of setuid-helper, so the only solution is to use fuse3 variant of CVMFS.

This patch changes fuse3 support from apptainer-only to a generic option.

[DrDaveD]

Thank you for the contribution! This reminds me about #54 though; I really ought to have some ci checks for this project.

[DrDaveD]

I'm not very happy with an option to do this. Can't this be discovered automatically somehow? Maybe looking for fusermount3 like is done in umountrepo?

[tildeslu]

The problem is that you may need to create a distribution on another machine to be used on HPC node.
In my case fuse2 was available on login node but not on worker nodes. So there should be some way to force this.
It can be done by setting environment variable if option is not desired.

[DrDaveD]

No, I don't prefer an environment variable, I just prefer to have a default that's right most of the time. Let's have it default to fuse3 if fusermount3 is found on the host where makedist is run, and have -3 and -2 options to override the default.

[DrDaveD]

The new CI checks look good, but I'd still like to see the suggestion I had above:

Let's have it default to fuse3 if fusermount3 is found on the host where makedist is run, and have -3 and -2 options to override the default (for the non -s case).

[DrDaveD]

By the way, do your compute nodes not have user namespaces enabled? If you use the cvmfsexec command with user namespaces enabled it shouldn't try to use fusermount or fusermount3; only the mode 1 mountrepo/umountrepo commands do that.

[tildeslu]

Unfortunately unprivileged user namespaces are not usable in that environment. The kernel is capable, but it's not enabled in system config. And that's the OS image that is shipped by HPC vendor. Also, they ship both fuse2 and fuse3 libraries but fusermount binary is removed from the image, only fusermount3 is provided.
There is also setuid Apptainer installation which natively supports fuse3 - but again, because of missing support for unprivileged user namespaces, it is not possible to run nested containers.

[DrDaveD]

I have finally gotten around to making CI checks for cvmfsexec here now. Please rebase your PR on the current master so we can see if it broke any functionality or not.

[tildeslu]

Please rebase your PR on the current master so we can see if it broke any functionality or not.

Done. I see CI tests running on my branch but they are not reported in the pull request for some reason.