raw_exec: make raw exec driver work with cgroups v2

[shoenig]

This PR adds support for the raw_exec driver on systems with only cgroups v2.

The raw exec driver is may use cgroups to manage processes. This happens
only on Linux, when exec_driver is enabled, and the no_cgroups option is not
set. The driver uses the freezer controller to freeze processes of a task,
issue a sigkill, then unfreeze. Previously the implementation assumed cgroups
v1, and now it also supports cgroups v2. Because the driver manages cgroups
directly and not via containerd, we must account for the v2 changes ourselves.

There is a bit of refactoring in this PR, but the fundamental design remains
the same.

Unlike the v1 implementation, the v2 implementation respects the client cgroup_parent
configuration option. This value is plumbed through to the driver via a task
environment variable, since it (and allocID / taskName) are not available otherwise
from the task config protobuf. A new environment variable NOMAD_PARENT_CGROUP
is now part of the task runtime when supported.

A few irrelevant tests have been stubbed out with SkipSlow because they are very flaky
on GHA, which skips slow tests. Circle is still configured to run slow tests.

Closes #12351 #12348
Partial #10251 (leaving open for the memory stats)

Reviewers:
Neither GHA or Circle are yet to offer machine types using only cgroupsv2. Instead of running everything manually I forked Nomad into shoenig/nomad and setup a temporary self-hosted GHA runner running ubuntu-21.10. The run based on c8d2402 (this PR) is HERE. The show-system job indicates the cgroupv2 mount point on /sys/fs/cgroup, which activates Nomad's cgroup v2 code paths and tests. Which you can't the output of unless you're me 😞

shoenig@opti3010:~$ cat /etc/os-release 
PRETTY_NAME="Ubuntu 21.10"
NAME="Ubuntu"
VERSION_ID="21.10"
VERSION="21.10 (Impish Indri)"
VERSION_CODENAME=impish
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=impish
shoenig@opti3010:~$ mount -l | grep cgroup 
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)

[shoenig]

TestFS_Log checks the alloc becomes complete, which it doesn't because it gets blocked by the missing cgroup for cpuset unless running as root.

[tgross]

LGTM @shoenig. I've left some comments but they're mostly more like questions. 😀

[tgross]

Should this show up in the api.Node struct as well?

[shoenig]

good catch! fixed

[tgross]

This isn't a streaming test as suggested in #12358. I think it's fixed with #12439 which merged yesterday. Have you seen otherwise?

[shoenig]

Ah yup this is out of date, removed!

[tgross]

I'm having a little trouble following what we're doing with the Containment interface. We don't implement it for the non-Linux case (here), so isn't there only ever 1 implementation?

[shoenig]

Good point, the only implementation applies to Linux and the creation / usage is all gated in build-tagged files. The implementation in containment_default.go isn't even complete much less used; let's just get rid of it.

[tgross]

Do we not expect that all the PIDs are going to be in the same process group? That is, could we kill via -pid here the same way we do for non-Linux use cases, or is this so we can avoid killing the executor even though we moved it into a different cgroup?

[shoenig]

This is honestly just copying the original implementation, but I believe this defends against sub-sub-sub processes that get daemonized. So like

Executor -> A -> B -> C

If B dies C gets owed by PID 1, not A and is no longer part of the process group ... right? 🤔

[tgross]

Children always get the parent's process group when forked, so the chain would be preserved even in that case (I don't think it gets changed after the fact on wait). But this implementation works, so let's keep it.

[shoenig]

This is pretty in the weeds but I guess it does protect against callers of setsid or setpgid

[tgross]

That's a good point. 👍

[tgross]

If we leave AllocID out then the AllocDir.SharedDir and AllocDir.AllocDir then both end up directly under the tempdirthen ends up directly under the tempdir (which is also task.AllocDir), instead of under the allocation ID one level down.

That is instead of /tmp/nomad_driver_harness-/alloc/:alloc_id and /tmp/nomad_driver_harness-/alloc we get /tmp/nomad_driver_harness-/alloc and /tmp/nomad_driver_harness- and maybe the latter has the wrong permissions now?

[tgross]

And those changes would be platform-specific, which would be sad to have to plumb into the protobufs if we can avoid it. It's probably worth considering whether we want to have a "platform variables" field or something in the future so we're not trying to smuggle things in thru env vars that we might not necessarily want to expose to the workload.

[shoenig]

"platform variables" field

That's a clever idea I'm definitely going to forget, so I created #12468

[shoenig]

Final CI run on V2 https://github.com/shoenig/nomad/actions/runs/2098586202

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.