nixos-container with user namespace enabled #57083

@uvNikita

Description

Issue description

When a container is created with extraFlags = [ "-U" ] (user namespace), nixos-container command doesn't behave correctly. In particular, it doesn't enter a container user namespace (note UID/GID):

$ ~ sudo nixos-container run my-container -- bash -c 'ls -ld /'    
drwxr-xr-x 14 873857024 873857024 4096 Jul 20  2018 /

This happens due to the missing argument (-U) to nsenter command:

exec($nsenter, "-t", $leader, "-m", "-u", "-i", "-n", "-p", "--", @args);

Running nsenter manually with -U added fixes the issue:

$ ~ sudo nsenter -t `machinectl show my-container -p Leader | sed -e "s/Leader=//"` -m -u -U -i -n -p -- bash -c 'ls -ld /'    
drwxr-xr-x 14 root root 4096 Jul 20  2018 /

This also affects nixos-container login command. machinectl shell my-container works as expected btw.

nixos-container command among other things is used to reload containers on configuration change and I'm not sure if it will behave correctly when it doesn't use the correct user namespace.

Steps to reproduce

Declare minimal container with user namespace enabled in configuration.nix:

containers.test = {
  extraFlags = [ "-U" ];
  config = {};
};

Run nixos-container login or nixos-container run commands.

Technical details

 - system: `"x86_64-linux"`
 - host os: `Linux 4.14.104, NixOS, 18.09pre-git (Jellyfish)`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.1.3`
 - channels(root): `"nixos-server-18.09.1834.9d608a6f592, nixos-18.03"`
 - nixpkgs: `/var/src/nixpkgs`
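A check a practitioner can use to see whether a container's leader process actually lives in its own user namespace, and to build the nsenter flag list accordingly (added example, not code from the issue or from nixpkgs; the machinectl leader lookup follows the command quoted above, and entering a container needs root and a running container):

```shell
#!/bin/sh
# Added example: compare the user namespace of a container leader PID with
# our own and add -U to the nsenter flags only when they differ.
set -eu

# Print the namespace identity (e.g. "user:[4026531837]") of PID $1, type $2.
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# Exit status 0 when PID $1 is in a different user namespace than PID $2.
user_ns_differs() {
    [ "$(ns_id "$1" user)" != "$(ns_id "$2" user)" ]
}

# nsenter flags for a leader PID: the mount/uts/ipc/net/pid namespaces the
# nixos-container script already joins, plus -U if the leader has its own
# user namespace (the case the issue describes, extraFlags = [ "-U" ]).
nsenter_flags_for() {
    leader=$1
    flags="-m -u -i -n -p"
    if user_ns_differs "$leader" "$$"; then
        flags="$flags -U"
    fi
    printf '%s\n' "$flags"
}

# Leader PID of a machinectl container (same lookup as in the issue).
leader_pid() {
    machinectl show "$1" -p Leader | sed -e 's/^Leader=//'
}

# Usage: enter_container NAME CMD...  (root, running container assumed)
enter_container() {
    name=$1; shift
    leader=$(leader_pid "$name")
    # word-splitting of the flag list is intended here
    # shellcheck disable=SC2046
    exec nsenter -t "$leader" $(nsenter_flags_for "$leader") -- "$@"
}
```

After `enter_container my-container ls -ld /`, the owner of `/` should read `root` rather than a large mapped UID if the user namespace was joined.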

Metadata

Assignees: No one assigned

Labels:

 - 0.kind: enhancement (Add something new or improve an existing system.)
 - 2.status: stale (https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md)
 - 6.topic: nixos (Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS)
 - 6.topic: nixos-container (Imperative and declarative systemd-nspawn containers)

Projects: No projects

Development: No branches or pull requests