Shield host's localhost from containers in (network host) mode

[kit-ty-kate]

Currently localhost is shared between all containers in (network host) mode. This is a security issue as well as a reliability one for packages that use the local network for testing purpose.

See https://github.com/opencontainers/runc/issues/201 for discussions and possible solutions. e.g.:

• https://github.com/p8952/bocker/blob/master/bocker#L61
• https://github.com/genuinetools/netns

[talex5]

In ocaml-ci, we perform downloading and testing in separate steps so this shouldn't be a problem (only the download step uses (network host)). Tests should be able to run without access to the Internet.