Support for configuring the nproc limit was added in #761, however, I don't think it's ever actually worked the way it was intended.
From the docker run docs:
Be careful setting nproc with the ulimit flag as nproc is designed by Linux to set the maximum number of processes available to a user, not to a container. For example, start four containers with daemon user:
$ docker run -d -u daemon --ulimit nproc=3 busybox top
$ docker run -d -u daemon --ulimit nproc=3 busybox top
$ docker run -d -u daemon --ulimit nproc=3 busybox top
$ docker run -d -u daemon --ulimit nproc=3 busybox top
The 4th container fails and reports “[8] System error: resource temporarily unavailable” error. This fails because the caller set nproc=3 resulting in the first three containers using up the three processes quota set for the daemon user.
I ran into this behavior when attempting to enable user namespace remapping. Recent versions of Docker support a more granular alternative that's cgroup aware: moby/moby#18697
Unfortunately, this doesn't seem to be supported in ECS yet, but I think a good alternative for the time being would be to add a flag to Empire that allows it to start in a user namespace compatibility mode so that nproc is disabled.
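An added example, not part of the issue or of Empire's code: a Python check over `docker inspect` output that finds containers which set an nproc ulimit while running as the same user, and so share one quota as the quoted docs describe, and lists those with no cgroup pids limit. The sample JSON is constructed; the check assumes the `Config.User`, `HostConfig.Ulimits` and `HostConfig.PidsLimit` fields of `docker inspect` and treats the user name as a stand-in for the host UID.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields this check reads. Container names and values are made up.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/top-1", "Config": {"User": "daemon"}, "HostConfig":
   {"Ulimits": [{"Name": "nproc", "Soft": 3, "Hard": 3}], "PidsLimit": null}},
 {"Name": "/top-2", "Config": {"User": "daemon"}, "HostConfig":
   {"Ulimits": [{"Name": "nproc", "Soft": 3, "Hard": 3}], "PidsLimit": 0}},
 {"Name": "/worker", "Config": {"User": "daemon"}, "HostConfig":
   {"Ulimits": [{"Name": "nproc", "Soft": 64, "Hard": 64}], "PidsLimit": 100}},
 {"Name": "/api", "Config": {"User": "nobody"}, "HostConfig":
   {"Ulimits": [{"Name": "nproc", "Soft": 10, "Hard": 10}], "PidsLimit": 50}},
 {"Name": "/db", "Config": {"User": "postgres"}, "HostConfig":
   {"Ulimits": null, "PidsLimit": 200}}
]""")

def nproc_soft_limit(container):
    """Return the container's soft nproc ulimit, or None if it sets none."""
    for ulimit in container["HostConfig"].get("Ulimits") or []:
        if ulimit["Name"] == "nproc":
            return ulimit["Soft"]
    return None

def shared_nproc_quotas(containers):
    """Report users whose nproc quota is shared by two or more containers.
    nproc is counted per user, not per container; Config.User is used here
    as an approximation of the host UID (empty User is assumed to be root)."""
    by_user = defaultdict(list)
    for c in containers:
        if nproc_soft_limit(c) is not None:
            by_user[c["Config"].get("User") or "root"].append(c)
    findings = []
    for user, members in sorted(by_user.items()):
        if len(members) < 2:
            continue
        findings.append({
            "user": user,
            "containers": [c["Name"].lstrip("/") for c in members],
            "tightest_nproc": min(nproc_soft_limit(c) for c in members),
            # PidsLimit of null, 0 or -1 means no cgroup pids limit is set.
            "no_pids_limit": [c["Name"].lstrip("/") for c in members
                              if (c["HostConfig"].get("PidsLimit") or 0) <= 0],
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(shared_nproc_quotas(SAMPLE_INSPECT), indent=2))
```

To run it against a live host, replace the sample with the parsed output of `docker inspect $(docker ps -q)`.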