perf(sandbox): reduce memory dirtying from envd logging in journald

Route envd stdout to /dev/null and keep only stderr in journald via the
envd systemd service, so envd panics/fatal errors are still inspectable
but per-request debug events no longer dirty guest memory and rootfs
pages on every snapshot. Full debug logs continue to ship through the
HTTP exporter to the orchestrator.

Bound the rest of journald with a drop-in: persistent (rootfs-backed)
storage capped at 8M with warning-only filtering, so other systemd
services can't grow the journal without bound either.

Author: ValentaTomas

packages/orchestrator/pkg/template/build/core/rootfs/files/envd.service.tpl

@@ -12,6 +12,10 @@ Type=simple
 Restart=always
 User=root
 Group=root
+# Discard envd stdout (debug logs still ship via the HTTP exporter); only
+# stderr (envd panics/fatal errors) reaches journald.
+StandardOutput=null
+StandardError=journal
 Environment=GOTRACEBACK=all
 LimitCORE=infinity
 ExecStartPre=/bin/sh -c 'mountpoint -q /etc/ssl/certs || (mkdir -p /run/e2b/certs && mount --bind /run/e2b/certs /etc/ssl/certs) && ([ -s /etc/ssl/certs/ca-certificates.crt ] || update-ca-certificates)'

packages/orchestrator/pkg/template/build/core/rootfs/files/journald.conf.tpl

@@ -0,0 +1,12 @@
+{{- /*gotype:github.com/e2b-dev/infra/packages/orchestrator/pkg/template/build/core/rootfs.templateModel*/ -}}
+{{ .WriteFile "etc/systemd/journald.conf.d/e2b.conf" 0o644 }}
+
+[Journal]
+Storage=persistent
+SystemMaxUse=8M
+SystemMaxFileSize=2M
+MaxLevelStore=warning
+MaxLevelConsole=warning
+MaxLevelKMsg=warning
+MaxLevelWall=emerg
+ForwardToSyslog=no

packages/orchestrator/pkg/template/build/core/rootfs/rootfs_test.go

@@ -90,7 +90,7 @@ func TestAdditionalOCILayers(t *testing.T) {
 
 		keysIter := maps.Keys(actualFiles)
 		keys := slices.Collect(keysIter)
-		assert.Len(t, keys, 13)
+		assert.Len(t, keys, 14)
 		assert.Equal(t, "e2b.local", actualFiles["etc/hostname"])
 		assert.Equal(t, "nameserver 8.8.8.8", actualFiles["etc/resolv.conf"])