[dnm/rfc] remove cilium/ebpf dependency to save 1.1M

[kolyshkin]

This replaces use of the main cilium/ebpf package (in oc/cgroups) by our
own code, while keeping the usage of cilium/ebpf/asm.

As a result, runc binary is about 1MB smaller, which is ~7% savings:

[kir@kir-tp1 runc]$ size runc.before runc
   text	   data	    bss	    dec	    hex	filename
6492732	4615697	 229160	11337589	 acff75	runc.before
6018676	4319913	 228392	10566981	 a13d45	runc

[kir@kir-tp1 runc]$ ls -la runc.before runc
-rwxr-xr-x. 1 kir kir 15749568 Apr  2 16:31 runc.before
-rwxr-xr-x. 1 kir kir 14687496 Apr  2 16:31 runc

[kir@kir-tp1 runc]$ gsa runc.before runc
┌─────────────────────────────────────────────────────────────────────────────────┐
│ Diff between runc.before and runc                                               │
├─────────┬───────────────────────────────────────┬──────────┬──────────┬─────────┤
│ PERCENT │ NAME                                  │ OLD SIZE │ NEW SIZE │ DIFF    │
├─────────┼───────────────────────────────────────┼──────────┼──────────┼─────────┤
│ +0.42%  │ github.com/opencontainers/cgroups     │ 323 kB   │ 324 kB   │ +1.4 kB │
│ -3.97%  │ encoding/binary                       │ 55 kB    │ 53 kB    │ -2.2 kB │
│ -8.65%  │ bytes                                 │ 27 kB    │ 25 kB    │ -2.3 kB │
│ -5.31%  │ golang.org/x/sys                      │ 82 kB    │ 78 kB    │ -4.4 kB │
│ -15.93% │ debug/elf                             │ 42 kB    │ 35 kB    │ -6.6 kB │
│ -37.61% │ math                                  │ 24 kB    │ 15 kB    │ -9.2 kB │
│ -9.25%  │ <autogenerated>                       │ 155 kB   │ 141 kB   │ -14 kB  │
│ -83.62% │ github.com/cilium/ebpf                │ 652 kB   │ 107 kB   │ -545 kB │
├─────────┼───────────────────────────────────────┼──────────┼──────────┼─────────┤
│ -10.30% │ .data                                 │ 52 kB    │ 47 kB    │ -5.4 kB │
│ -7.00%  │ .debug_frame                          │ 159 kB   │ 148 kB   │ -11 kB  │
│ -6.05%  │ .debug_ranges                         │ 254 kB   │ 239 kB   │ -15 kB  │
│ -6.14%  │ .symtab                               │ 419 kB   │ 393 kB   │ -26 kB  │
│ -6.61%  │ .rodata                               │ 675 kB   │ 631 kB   │ -45 kB  │
│ -6.39%  │ .debug_line                           │ 739 kB   │ 692 kB   │ -47 kB  │
│ -6.70%  │ .strtab                               │ 762 kB   │ 711 kB   │ -51 kB  │
│ -8.93%  │ .data.rel.ro                          │ 680 kB   │ 620 kB   │ -61 kB  │
│ -7.35%  │ .debug_loc                            │ 840 kB   │ 778 kB   │ -62 kB  │
│ -5.87%  │ .debug_info                           │ 1.4 MB   │ 1.4 MB   │ -85 kB  │
│ -7.62%  │ .rela.dyn                             │ 1.1 MB   │ 1.1 MB   │ -87 kB  │
├─────────┼───────────────────────────────────────┼──────────┼──────────┼─────────┤
│ -6.74%  │ runc.before                           │ 16 MB    │ 15 MB    │ -1.1 MB │
│         │ runc                                  │          │          │         │
└─────────┴───────────────────────────────────────┴──────────┴──────────┴─────────┘

I am unsure if the added maintenance cost is worth the savings, so this is more like an experiment and a request for comments.

[kolyshkin]

A quick observation (which is semi-relevant to this PR). The runc binary used to be 12M only a few years ago (see #3460 (comment)), and it's 15-16M now.

I guess the biggest issue here is we're using packages that eventually grow in size (due to feature creep etc), which is not a problem per se, but becomes a problem together with disabled DCE, and DCE is disabled due to use of introspection/reflect in some of our dependencies. So, we are bundling some code into our binary which is never used. To re-enable DCE we need to eliminate the use of reflect.Method etc.

[kolyshkin]

@cyphar what do you think (not about the implementation, which might be rough, but about the overall approach)?

[cyphar]

Yeah this seems like a reasonable thing to do. To be honest I found the dependency on cilium here a little weird (and required a few hacks as well).

[cyphar]

It might also be a good idea to add a CI job to track binary sizes (I have something similar in libpathrs).

This is much less of an issue than it used to be (now that we no longer copy the runc binary for every execution) but if we want to minimise this we need to start tracking it.

[kolyshkin]

It might also be a good idea to add a CI job to track binary sizes (I have something similar in libpathrs).

Always wanted to have that but too lazy to implement.

This is much less of an issue than it used to be (now that we no longer copy the runc binary for every execution) but if we want to minimise this we need to start tracking it.

Unless I'm missing something, we still do for the rootless case.

[cyphar]

Unless I'm missing something, we still do for the rootless case

Ah right. Though, we could in principle do the overlayfs trick for rootless too on modern kernels (it would require a not-fun amount of CGo though).