setns: always assume a user identity, default to root.

Without this, an invocation like:

    sudo ansible-playbook foo.yml

Where foo.yml uses setns, could inherit the HOME environment variable
from the external non-root user, which broke /usr/bin/mysql_upgrade and
plenty more.

docs/api.rst

@@ -616,7 +616,7 @@ Router Class
             Filename or complete path to the ``lxc`` binary. ``PATH`` will be
             searched if given as a filename. Defaults to ``lxc``.
 
-    .. method:: setns (container, kind, docker_path=None, lxc_info_path=None, machinectl_path=None, \**kwargs)
+    .. method:: setns (container, kind, username=None, docker_path=None, lxc_info_path=None, machinectl_path=None, \**kwargs)
 
         Construct a context in the style of :meth:`local`, but change the
         active Linux process namespaces via calls to `setns(1)` before
@@ -633,6 +633,9 @@ Router Class
             Container to connect to.
         :param str kind:
             One of ``docker``, ``lxc``, ``lxd`` or ``machinectl``.
+        :param str username:
+            Username within the container to :func:`setuid` to. Defaults to
+            ``root``.
         :param str docker_path:
             Filename or complete path to the Docker binary. ``PATH`` will be
             searched if given as a filename. Defaults to ``docker``.

mitogen/setns.py

@@ -118,7 +118,7 @@ class Stream(mitogen.parent.Stream):
     child_is_immediate_subprocess = False
 
     container = None
-    username = None
+    username = 'root'
     kind = None
     python_path = 'python'
     docker_path = 'docker'
@@ -184,7 +184,6 @@ class Stream(mitogen.parent.Stream):
             except AttributeError:
                 pass
 
-        if self.username:
         try:
             os.setgroups([grent.gr_gid
                           for grent in grp.getgrall()