libcontainer: Use gocapability's NewPid2

For newContainerCapList, we don't care what the current values are.
Using NewPid2 saves us a few syscalls at no cost.

For bootstrapData, this avoids crashing when there is no
container-side /proc.  Previously you'd get:

   container_linux.go:... starting container process caused "open
     /proc/self/status: no such file or directory"

The IsNotExist check is because we do need to load the effective set.
But capsV3's Load() does that first with the capget() call.  After the
capget call it hits /proc for bounding and ambient capabilities.  We
don't need those, so the not-exist error isn't a problem.  This is a
fairly tight binding to the current gocapability implementation, but
we vendor gocapability, so I'm not too worried about it.  If it
becomes an issue we can follow up with a LoadType(which CapType) so we
can explicitly ask to only load the effective set.

Signed-off-by: W. Trevor King <wking@tremily.us>

libcontainer/capabilities_linux.go

@@ -71,7 +71,7 @@ func newContainerCapList(capConfig *configs.Capabilities) (*containerCapabilitie
 		}
 		ambient = append(ambient, v)
 	}
-	pid, err := capability.NewPid(0)
+	pid, err := capability.NewPid2(0)
 	if err != nil {
 		return nil, err
 	}

libcontainer/container_linux.go

@@ -1804,10 +1804,14 @@ func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.Na
 			// The following only applies if we are root.
 			if !c.config.Rootless {
 				// check if we have CAP_SETGID to setgroup properly
-				pid, err := capability.NewPid(0)
+				pid, err := capability.NewPid2(0)
 				if err != nil {
 					return nil, err
 				}
+				err = pid.Load()
+				if err != nil && !os.IsNotExist(err) {
+					return nil, err
+				}
 				if !pid.Get(capability.EFFECTIVE, capability.CAP_SETGID) {
 					r.AddData(&Boolmsg{
 						Type:  SetgroupAttr,