[cgroupv2] Add workspace cgroup evacuation

[csweichel]

Description

This PR introduces a cgroup v2 structure in workspaces which lends itself to more rootless workloads within the workspace. For example:

cgroup v2 - new structure - Watch Video

The structure it produces looks as follows:

<container-cgorup>  drwxr-xr-x 3 root root
└── workspace       drwxr-xr-x 5 33333 33333
    └── user        drwxr-xr-x 5 33333 33333

Note that the container-cgroup does not change ownership, but only the child cgroups do. This way, users cannot escape the control imposed by the container runtime.

Related Issue(s)

Fixes #8567

How to test

• Start a workspace on https://g95471cf099b5f2cd7927b3.workspace-preview.gitpod-io-dev.com/workspaces
• Inspect /sys/fs/cgroup
• Run k3s:

curl -OL https://github.com/k3s-io/k3s/releases/download/v1.23.4%2Bk3s1/k3s
chmod +x k3s
sudo ./k3s server -d /workspace/data

Release Notes

Support user-modifiable cgroupv2 structure

[codecov]

Codecov Report

Merging #8578 (c1f3d94) into main (ede9db9) will increase coverage by 15.62%.
The diff coverage is 4.76%.

@@             Coverage Diff             @@
##             main    #8578       +/-   ##
===========================================
+ Coverage   12.31%   27.94%   +15.62%     
===========================================
  Files          20       85       +65     
  Lines        1161    13874    +12713     
===========================================
+ Hits          143     3877     +3734     
- Misses       1014     9674     +8660     
- Partials        4      323      +319     

Flag	Coverage Δ
components-gitpod-cli-app	11.17% <ø> (ø)
components-local-app-app-darwin-amd64	?
components-local-app-app-darwin-arm64	?
components-local-app-app-linux-amd64	?
components-local-app-app-linux-arm64	?
components-local-app-app-windows-386	?
components-local-app-app-windows-amd64	?
components-local-app-app-windows-arm64	?
components-supervisor-app	35.51% <ø> (?)
components-workspacekit-app	6.86% <6.25%> (?)
components-ws-daemon-api-go-lib	∅ <ø> (?)
components-ws-daemon-app	21.16% <0.00%> (?)
components-ws-daemon-lib	21.16% <0.00%> (?)
components-ws-daemon-nsinsider-app	∅ <ø> (?)
components-ws-manager-app	39.44% <ø> (?)
install-installer-raw-app	4.49% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
components/ws-daemon/pkg/content/hooks.go	0.00% <0.00%> (ø)
components/ws-daemon/pkg/content/service.go	0.00% <0.00%> (ø)
components/ws-daemon/pkg/daemon/daemon.go	0.00% <0.00%> (ø)
components/workspacekit/cmd/rings.go	6.14% <6.25%> (ø)
components/local-app/pkg/auth/auth.go
components/local-app/pkg/auth/pkce.go
components/ws-manager/pkg/manager/create.go	82.95% <0.00%> (ø)
components/workspacekit/cmd/root.go	0.00% <0.00%> (ø)
components/supervisor/pkg/ports/ports.go	59.62% <0.00%> (ø)
components/ws-manager/pkg/manager/probe.go	0.00% <0.00%> (ø)
... and 63 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ede9db9...c1f3d94. Read the comment docs.

[aledbf]

LGTM