Put envd, ptys, socats, and commands into their own cgroups

[djeebus]

This configures memory reservations on the envd service, and puts internal processes into cgroups based on their process type. Most importantly, this keeps envd responsive when the system is saturated.

envd.service cgroup:

the envd process. manages and handles communication into the sandbox.

• memory.min = 50 megabytes. envd seems to use ~10 MB of memory, so this should be plenty
• memory.low = 100 megabytes. if available memory is less than this, try to free up more memory
• cpu.weight = 1000. this gives it 10x the priority of an average process, and 20x background procs launched by the user. this isn't a reservation, it's just priority. if envd doesn't need the cpu cycles, they go to other processes.

pty cgroup:

any process that defines a pty configuration. assumed to be interactive, so it gets higher priority.

• cpu.weight = 200

socat cgroup:

forwarded ports. shouldn't require much cpu, but is used for interaction, so it gets higher priority.

• cpu.weight = 150

user cgroup:

every other command launched by the user. the lowest priority, as it has the highest chance of interrupting envd.

• cpu.weight = 50
• memory.high = 7/8 of the total sandbox

---

Note

Adds a cgroup v2 manager and assigns envd, PTY, socat, and user processes to dedicated cgroups with CPU/memory settings; integrated into process handling, port forwarding, and orchestrator templates.

• Cgroups (new):
  • Add cgroups package with cgroup v2 manager (Cgroup2Manager), options, noop manager, and tests.
• envd runtime:
  • main.go: create and configure cgroup manager (flags: --cgroup-root), set per-type CPU/memory (pty, socat, user), pass to process service and port forwarder; bump Version to 0.4.3.
  • port/forward.go: run socat in ProcessTypeSocat cgroup via SysProcAttr FD.
  • services/process: plumb cgroup manager; handler.New sets SysProcAttr{UseCgroupFD,CgroupFD} and selects proc type (pty vs user).
• Orchestrator:
  • Update envd.service.tpl with cgroup delegation and resource reservations (Delegate=yes, MemoryMin/Low, CPUWeight).
  • Bump github.com/opencontainers/runtime-spec to v1.3.0; adjust rootfs test accordingly.

^{Written by Cursor Bugbot for commit 4d795e6. This will update automatically on new commits. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".