Unprivileged `nvidia-container-cli --user configure`

Hi! I've encountered several issues trying (NixOS/nixpkgs#279235) to use apptainer's --nvccli and libnvidia-container, both deployed without setuid but with the support for user namespaces, and run under an unprivileged user.

Could you clarify whether nvidia-container-cli configure is intended to be used in the unprivileged scenarious, now or in the long term?
Which requirements need to be satisified for nvidia-container-cli --user configure to "fly" the way singularity-ce and apptainer use it?
- Which capabilities need to be available?
- Is it necessary for usr/bin to be writable? https://github.com/apptainer/apptainer/blob/dbaf1afa0e153e056c32dad2640b4d367a53ff14/internal/pkg/util/gpu/nvidia.go#L95-L97 asserts that, but I couldn't find any documentation about this in libnvidia-container and write access is not the error I encounter with nvidia-container-cli: apptainer/apptainer#1893 (comment)

Issues encountered

perm_drop_privileges requires non-trivial privileges:
- libnvidia-container/src/utils.c
  
  Line 926 in 5c75904
  
  if (setgroups(1, &gid) < 0)
  
  fails with EPERM
- libnvidia-container/src/utils.c
  
  Line 931 in 5c75904
  
  if (egid != gid && setregid(gid, gid) < 0)
  
  libnvidia-container/src/utils.c
  
  Line 933 in 5c75904
  
  if (euid != uid && setreuid(uid, uid) < 0)
  
  each fail with EINVAL trying to switch from 1000:100 to nobody:nogroup
perm_set_capabilities

libnvidia-container/src/utils.c

Lines 1018 to 1019 in 5c75904

if (rv < 0)

error_set(err, "capability change failed");

fails in the CAP_PERIMTTED branch
/etc/ld.so.cache is expected to exist and be writable, tracking in #234
/usr/bin seems to be expected to exist and be writable

Sorry for the short and terse description, please follow up with questions if this lacks context

	if (rv < 0)
	error_set(err, "capability change failed");