support binfmt in isolation-container environments

About back in Sept 2019, something changed in the lxc container environment that broke binfmt support. Java and other envs use binfmt to directly run native binary formats like JAR without needing a wrapper script. Packages like apksigner rely on binfmt support. For it to work, the kernel module must be loaded, and /proc/sys/fs/binfmt_misc/ must be usable.

One related case is binfmt support in gitlab.com's CI runner setup, based on Docker. binfmt works in containers there, for example on Ubuntu/bionic. Something in Ubuntu/focal broke this when running focal in the container.