  • More tweaks. · 88a4a831
    Mike Hibler authored
    Loopback mount @TBROOT@/lib/geni-lib directory read-only in the jail.
    This way we don't have to copy geni-lib stuff into the base jail and worry
    about multiple versions. The version mounted in the jail can either be
    the standard version or a dev-tree version depending on which copy of the
    script is run.
    
    Create per-instance snapshots of the base jail rather than having one
    "current" snapshot that all instances used. Not as efficient, but allows
    us to update the base (e.g., with security fixes) without needing to
    remember to create a new "current" snapshot!
    
    Add -C option to just create a jail instance without running anything
    in it. Then you can use "jexec" to test stuff in the jail. Use the new
    -R option afterward to remove the instance.
    
    Try to sanitize the environment passed to the command script. We cannot
    just give it a "clean" environment because genilib passes stuff via the
    environment. So we get rid of SUDO_* and SSH_* and set the assorted USER*
    variables correctly. This may have to be refined depending on how much
    geni-lib scripts expect from the environment.
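
The environment scrub described in the last paragraph of the commit message, as an added example that is not code from this commit or from the project: a POSIX shell denylist that drops SUDO_* and SSH_* and resets the user variables while leaving everything else in place. The function names and the choice of USER, LOGNAME and HOME as the variables to set are assumptions.

```shell
#!/bin/sh
# Added example: denylist-style environment scrub before running a command
# on behalf of a target user. Not the project's script.

# Print the name of every exported variable, one per line.
# awk's ENVIRON is used instead of parsing `env` output, so values that
# contain newlines cannot be mistaken for extra variable names.
env_names() {
    awk 'BEGIN { for (k in ENVIRON) print k }'
}

# run_sanitized USER HOME CMD [ARGS...]
# Runs CMD in a subshell so the caller's own environment is untouched.
# Everything not on the denylist is passed through, because a fully clean
# environment would also drop variables the command relies on.
run_sanitized() {
    target_user=$1
    target_home=$2
    shift 2
    (
        for name in $(env_names); do
            case $name in
                # Skip names the shell cannot unset (not valid identifiers).
                *[!A-Za-z0-9_]*) continue ;;
            esac
            case $name in
                # Traces of the invoking admin session: who ran sudo,
                # the original command, SSH agent socket, client address.
                SUDO_*|SSH_*) unset "$name" ;;
            esac
        done
        # Assumed set of "USER*" variables: make them describe the target
        # user rather than whoever invoked the wrapper.
        USER=$target_user
        LOGNAME=$target_user
        HOME=$target_home
        export USER LOGNAME HOME
        exec "$@"
    )
}
```

A denylist like this only removes what it names; anything else the invoking session exported still reaches the command, which is the trade-off the commit message accepts.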