Resolve "increase isolation of job containers"
Closes #218
This PR increases the isolation of the job containers:
- disable network access
- run the job as an arbitrary ordinary user, rather than root (note that it is still possible to become root with setuid executables, until #271 is implemented)
- remove all kernel capabilities
- change the workdir to /work (rather than /tmp); the rationale is that, since we no longer run the container as root, it is not possible to create arbitrary dirs for storing temporary data (/tmp is actually the most straightforward choice for storing tmp data)
Edited by BAIRE Anthony
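The four measures listed in this merge request, as an added example that is not the project's own code: a small Python audit that builds a Docker container-create body applying them and checks an arbitrary body against the same policy. Field names follow the Docker Engine API create-container shape; image names and the weak configurations are constructed sample values.

```python
# Added example (not code from the project or the MR author): build and audit
# a Docker container-create body against the job-isolation policy of the MR.
from typing import Dict, List


def hardened_config(image: str, uid: int, gid: int) -> Dict:
    """Container-create body applying all four measures from the MR."""
    return {
        "Image": image,
        "User": f"{uid}:{gid}",      # arbitrary unprivileged user, not root
        "WorkingDir": "/work",       # writable place for the job's temp data
        "HostConfig": {
            "NetworkMode": "none",   # no network access
            "CapDrop": ["ALL"],      # remove all kernel capabilities
            "CapAdd": [],
        },
    }


def audit_config(cfg: Dict) -> List[str]:
    """Return the isolation requirements that `cfg` does not meet (empty = OK).

    As the MR notes, dropping all capabilities does not stop setuid
    executables inside the image from regaining root; that is out of scope.
    """
    problems = []
    host = cfg.get("HostConfig") or {}
    if host.get("NetworkMode") != "none":
        problems.append("network is not disabled (NetworkMode != none)")
    # An empty User means the image default, which is normally root.
    uid = (cfg.get("User") or "").split(":")[0]
    if uid in ("", "0", "root"):
        problems.append("job runs as root")
    dropped = {c.upper() for c in host.get("CapDrop") or []}
    if "ALL" not in dropped or host.get("CapAdd"):
        problems.append("kernel capabilities are not all removed")
    if cfg.get("WorkingDir") != "/work":
        problems.append("workdir is not /work")
    return problems


def docker_run_args(cfg: Dict) -> List[str]:
    """Equivalent `docker run` command line for a body from hardened_config()."""
    host = cfg["HostConfig"]
    args = ["docker", "run", "--rm", "--network", host["NetworkMode"],
            "--user", cfg["User"], "--workdir", cfg["WorkingDir"]]
    for cap in host["CapDrop"]:
        args += ["--cap-drop", cap]
    return args + [cfg["Image"]]
```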