fix: accurate sandbox metrics and memory management

Three issues fixed:

1. Memory metrics read host-side VmRSS of the Firecracker process,
   which includes guest page cache and never decreases. Replaced
   readMemRSS(fcPID) with readEnvdMemUsed(client) that queries
   envd's /metrics endpoint for guest-side total - MemAvailable.
   This matches neofetch and reflects actual process memory.

2. Added Firecracker balloon device (deflate_on_oom, 5s stats) and
   envd-side periodic page cache reclaimer (drop_caches when >80%
   used). Reclaimer is gated by snapshot_in_progress flag with
   sync() before freeze to prevent memory corruption during pause.

3. Sampling interval 500ms → 1s, ring buffer capacities adjusted
   to maintain same time windows. Reduces per-host HTTP load from
   240 calls/sec to 120 calls/sec at 120 capsules.

Also: maxDiffGenerations 8 → 1 (merge every re-pause since UFFD
lazy-loads anyway), envd mem_used formula uses total - available.

envd-rs/src/http/health.rs

@@ -29,6 +29,8 @@ pub async fn get_health(State(state): State<Arc<AppState>>) -> impl IntoResponse
 fn post_restore_recovery(state: &AppState) {
     tracing::info!("restore: post-restore recovery (no GC needed in Rust)");
 
+    state.snapshot_in_progress.store(false, std::sync::atomic::Ordering::Release);
+
     state.conn_tracker.restore_after_snapshot();
     tracing::info!("restore: zombie connections closed");
 

envd-rs/src/http/init.rs

@@ -147,6 +147,9 @@ async fn trigger_restore_and_respond(state: &AppState) -> axum::response::Respon
 
 fn post_restore_recovery(state: &AppState) {
     tracing::info!("restore: post-restore recovery (no GC needed in Rust)");
+
+    state.snapshot_in_progress.store(false, std::sync::atomic::Ordering::Release);
+
     state.conn_tracker.restore_after_snapshot();
 
     if let Some(ref ps) = state.port_subsystem {

envd-rs/src/http/metrics.rs

@@ -46,7 +46,8 @@ fn collect_metrics(state: &AppState) -> Result<Metrics, String> {
     let mut sys = sysinfo::System::new();
     sys.refresh_memory();
     let mem_total = sys.total_memory();
-    let mem_used = sys.used_memory();
+    let mem_available = sys.available_memory();
+    let mem_used = mem_total.saturating_sub(mem_available);
     let mem_total_mib = mem_total / 1024 / 1024;
     let mem_used_mib = mem_used / 1024 / 1024;
 

envd-rs/src/http/snapshot.rs

@@ -14,6 +14,10 @@ use crate::state::AppState;
 /// 2. Close idle connections via conntracker
 /// 3. Set needs_restore flag
 pub async fn post_snapshot_prepare(State(state): State<Arc<AppState>>) -> impl IntoResponse {
+    // Block memory reclaimer before anything else — prevents drop_caches
+    // from running mid-freeze which would corrupt kernel page table state.
+    state.snapshot_in_progress.store(true, Ordering::Release);
+
     if let Some(ref ps) = state.port_subsystem {
         ps.stop();
         tracing::info!("snapshot/prepare: port subsystem stopped");
@@ -22,6 +26,9 @@ pub async fn post_snapshot_prepare(State(state): State<Arc<AppState>>) -> impl I
     state.conn_tracker.prepare_for_snapshot();
     tracing::info!("snapshot/prepare: connections prepared");
 
+    // Sync filesystem buffers so dirty pages are flushed before freeze.
+    unsafe { libc::sync(); }
+
     state.needs_restore.store(true, Ordering::Release);
     tracing::info!("snapshot/prepare: ready for freeze");
 

envd-rs/src/main.rs

@@ -147,6 +147,14 @@ async fn main() {
         Some(Arc::clone(&port_subsystem)),
     );
 
+    // Memory reclaimer — drop page cache when available memory is low.
+    // Firecracker balloon device can only reclaim pages the guest kernel freed.
+    // Pauses during snapshot/prepare to avoid corrupting kernel page table state.
+    if !cli.is_not_fc {
+        let state_for_reclaimer = Arc::clone(&state);
+        std::thread::spawn(move || memory_reclaimer(state_for_reclaimer));
+    }
+
     // RPC services (Connect protocol — serves Connect + gRPC + gRPC-Web on same port)
     let connect_router = rpc::rpc_router(Arc::clone(&state));
 
@@ -222,3 +230,44 @@ fn spawn_initial_command(cmd: &str, state: &AppState) {
         }
     }
 }
+
+fn memory_reclaimer(state: Arc<AppState>) {
+    use std::sync::atomic::Ordering;
+
+    const CHECK_INTERVAL: std::time::Duration = std::time::Duration::from_secs(10);
+    const DROP_THRESHOLD_PCT: u64 = 80;
+
+    loop {
+        std::thread::sleep(CHECK_INTERVAL);
+
+        if state.snapshot_in_progress.load(Ordering::Acquire) {
+            continue;
+        }
+
+        let mut sys = sysinfo::System::new();
+        sys.refresh_memory();
+        let total = sys.total_memory();
+        let available = sys.available_memory();
+
+        if total == 0 {
+            continue;
+        }
+
+        let used_pct = ((total - available) * 100) / total;
+        if used_pct >= DROP_THRESHOLD_PCT {
+            if state.snapshot_in_progress.load(Ordering::Acquire) {
+                continue;
+            }
+
+            if let Err(e) = std::fs::write("/proc/sys/vm/drop_caches", "3") {
+                tracing::debug!(error = %e, "drop_caches failed");
+            } else {
+                let mut sys2 = sysinfo::System::new();
+                sys2.refresh_memory();
+                let freed_mb =
+                    sys2.available_memory().saturating_sub(available) / (1024 * 1024);
+                tracing::info!(used_pct, freed_mb, "page cache dropped");
+            }
+        }
+    }
+}

envd-rs/src/state.rs

@@ -19,6 +19,7 @@ pub struct AppState {
     pub port_subsystem: Option<Arc<PortSubsystem>>,
     pub cpu_used_pct: AtomicU32,
     pub cpu_count: AtomicU32,
+    pub snapshot_in_progress: AtomicBool,
 }
 
 impl AppState {
@@ -41,6 +42,7 @@ impl AppState {
             port_subsystem,
             cpu_used_pct: AtomicU32::new(0),
             cpu_count: AtomicU32::new(0),
+            snapshot_in_progress: AtomicBool::new(false),
         });
 
         let state_clone = Arc::clone(&state);