Decouple setting cgroup device rules from cgroup manager

[kolyshkin]

This is an alternative to #3421, which tries to remove the functionality of setting cgroup device access rules from the cgroup managers.

Motivation

This should help runc/libct/cg users who are

1. Worried that adding libct/cg as a dependency increases the binary size considerably (because of cilium/ebpf dependency).
2. Not interested in managing device rules for cgroups (such as kubelet, which only uses libct/cg to create parent/pod cgroups). Previously we have added two workarounds: SkipDevices and SkipFreezeOnSet for such users, and with this code SkipDevices can be omitted entirely in case the sources do not include github.com/opencontainers/runc/libcontainer/cgroups/devices package.

Implementation

This

• Moves the functionality to set cgroup device rules to a separate package, libct/cg/devices. Those are setV1 and setV2. Same for generating systemd cgroup device properties (systemdProperties).
• If the above package is included, it autoconfigures cgroup managers to manage devices; if not, they will return an error if any devices rules are specified. So, a user can choose to have a cgroup manager with or without device management functionality (by adding or not adding an import statement).

As a result:

• By default, cgroup managers are not able to set any device rules (and will error out if any devices rules are set in config)
• If device rules management is needed, one has to do something like

+import _ "github.com/opencontainers/runc/libcontainer/cgroups/devices"

Caveats

• It seems impossible to get rid of SkipFreezeOnSet for systemd v1 cgroup manager since it can manage an existing systemd unit which has some device rules set, and any update of such unit results in rules being reloaded, so we have to freeze it before set.

[kolyshkin]

@AkihiroSuda PTAL 🙏🏻 (if you like this more or less than #3421). It is not finished, but it is more or less clear where this is going.

Personally I think this is better than the build tag, because we can use the same library with and without device management (i.e. a runtime switch is better than the compile time)

[AkihiroSuda]

Probably no need to unexpose DeviceFilter, Emulator, etc.
Or this could be another PR.

[kolyshkin]

It's a separate commit so I can just drop it.

Or, if moving everything in a single package is not that good (let's see what @cyphar says), this can be undone, too.

[cyphar]

Moving it to a single package is fine. Honestly I probably should've kept it in this package in the first place (I wish Go had project-level internal symbols that didn't require you to restructure everything to use internal/).

[kolyshkin]

@cyphar PTAL

[cdoern]

@kolyshkin is there any movement on this?

[kolyshkin]

@cyphar @opencontainers/runc-maintainers PTAL

[cdoern]

@kolyshkin @AkihiroSuda @cyphar is there any chance of getting this merged this week so work on containers/common#936 can resume?

[kolyshkin]

@kolyshkin @AkihiroSuda @cyphar is there any chance of getting this merged this week so work on containers/common#936 can resume?

Being the author of this, I can not really influence its acceptance (although I am a maintainer here, I can not accept my own PRs, and so I rely on other maintainers for this, the same way they rely on me).

You can still work on that using my repo fork; I guess that until a tagged runc release is made, you can't include this anyway so the fork is as good as the unreleased version.

[kolyshkin]

OK, I have simplified the code a bit, removed all the new methods from cgroup managers, replacing those with 3 functions variables added to cgroups package, and added init to libct/cg/dev which sets those three variables to its own implementations. This should simplify the review as well. Still a big change, but mostly it's just moving the code around without changing it.

comments addressed

[cyphar]

LGTM.