Build images outside of FAI

Currently both the system root and the final image is built by fai-diskimage in one step. This poses some challenges like

tests are run during the build on the final system root,
image files are owned by root,
system root is built inside the final image and needs to be larger as the files need in the end, and
need loop.

The following changes should be done:

Build should run in a user namespace, possibly unprivileged.
System root is built inside a tmpfs.
Result of the first stage is a OCI-compliant tar, can later be used as container image.
Final raw image is built by adding files with mkfs.ext4 and mcopy or libguestfs, not by mounting.
Tests during the build to run with the OCI-compliant tar of the system root.