We currently store both "real" data (etcd data, PVs, ...) and ephemeral data (containerd overlay2 store, kubelet logs and state dirs, ...) on the same filesystem. This is not great for both security (we can't set things like MS_NODEV and aggressive LSM policies on the data partition) and reliability (we want the capability to just blow away all the ephemeral storage).
The storage hierarchy should eventually look something like this:
/run: Files which should not survive a restart and be stored in memory. Things like sockets, state bound to a running kernel, ...
/ephemeral: Files which should survive a restart but which can be rebuilt from scratch. Things like kubelet's state dir, containerd state, ...
/data: Actual persistent data. etcd, PVs
(originally reported by @lorenz in T965)
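
One way to check a node against the split described in this issue, as an added example that is not part of the original report or the project's code: it parses `/proc/self/mountinfo` and reports where `/run`, `/ephemeral` and `/data` deviate from the proposal. The sample mount tables are constructed, and requiring `nosuid` and `noexec` on `/data` is an assumed hardening choice; the issue itself only names MS_NODEV.

```python
"""Audit a mount table against the /run, /ephemeral, /data split (added example)."""
import os

# Constructed samples in /proc/self/mountinfo format (not taken from a real node).
SAMPLE_SHARED = """\
21 1 254:1 / / rw,relatime - ext4 /dev/vda1 rw
22 21 0:22 / /run rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
23 21 254:1 /ephemeral /ephemeral rw,relatime - ext4 /dev/vda1 rw
24 21 254:1 /data /data rw,relatime - ext4 /dev/vda1 rw
"""
SAMPLE_SPLIT = """\
21 1 254:1 / / ro,relatime - ext4 /dev/vda1 ro
22 21 0:22 / /run rw,nosuid,nodev - tmpfs tmpfs rw,mode=755
23 21 254:2 / /ephemeral rw,relatime shared:5 - xfs /dev/vda2 rw
24 21 254:3 / /data rw,nosuid,nodev,noexec,relatime - xfs /dev/vda3 rw
"""
# Assumption: only nodev comes from the issue; nosuid and noexec are illustrative.
DATA_OPTS = {"nodev", "nosuid", "noexec"}

def parse_mountinfo(text):
    """Map mount point -> device, per-mount options and filesystem type."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields[6:]:
            continue  # not a complete mountinfo record
        sep = fields.index("-", 6)  # optional fields end at the "-" separator
        mounts[fields[4]] = {"dev": fields[2], "opts": set(fields[5].split(",")),
                             "fstype": fields[sep + 1]}
    return mounts  # a later mount on the same path overrides the earlier one

def audit(text):
    """Return a list of findings; an empty list means the layout matches."""
    mounts = parse_mountinfo(text)
    findings = [f"{p}: not a separate mount"
                for p in ("/run", "/ephemeral", "/data") if p not in mounts]
    run, eph, data = (mounts.get(p) for p in ("/run", "/ephemeral", "/data"))
    if run and run["fstype"] != "tmpfs":
        findings.append("/run: not memory-backed (expected tmpfs)")
    if eph and data and eph["dev"] == data["dev"]:
        # Same major:minor means wiping /ephemeral cannot be done per filesystem.
        findings.append(f"/ephemeral and /data share filesystem {eph['dev']}")
    if data and DATA_OPTS - data["opts"]:
        findings.append("/data: missing mount options "
                        + ",".join(sorted(DATA_OPTS - data["opts"])))
    return findings

if __name__ == "__main__":
    live = "/proc/self/mountinfo"
    table = open(live).read() if os.path.exists(live) else SAMPLE_SHARED
    print("\n".join(audit(table)) or "layout matches the proposed split")
```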