guest: use OCIBundlePath as sandbox root source of truth

[shreyanshjain7174]

Guest-side GCS currently derives sandbox paths by combining a hard-coded prefix (/run/gcs/c) with the sandbox ID, ignoring the OCIBundlePath the host already sends. This breaks with Shim v2 path layouts and multi-pod UVMs.

This PR stores settings.OCIBundlePath as the canonical sandbox root on the Host struct (sandboxRoots map), and threads the resolved root through all setup and cleanup functions instead of re-deriving it.

For virtual pods, the sandbox root is derived from OCIBundlePath's parent directory (preserving the virtual-pods/ layout). For workload containers, it's looked up from the mapping. A legacy fallback ensures backwards compatibility with shim v1.

When the old shim sends OCIBundlePath in the legacy format, all paths are identical to before — verified by parity tests and a full CRI lifecycle (crictl runp/create/start/stop/rm) on a Hyper-V UVM.

Depends on: #2655 (bug fix for leaked LCOW resources) — both PRs modify uvm.go cleanup paths. Will rebase after #2655 merges.

[rawahars]

Overall love the simplification of the virtual pod vs normal pod differentiation.

Major comments are regarding keeping existing utility methods, while removing virtual pod specific ones and then changing these methods to return paths/values which you are creating on the fly. That would make it easier to review too.

[rawahars]

@anmaxvl Can you please take a look too to see if any invariant of Security Policy gets impacted with this change. As I see it that should not change but please do confirm that.

[anmaxvl]

@micromaomao as well.

[micromaomao]

@anmaxvl:

@micromaomao as well.

I will have a closer look tomorrow, but I think this is probably good because #2581 added validation to settings.OCIBundlePath (not in this PR's branch yet but in main) to force it to be the expected value.

[shreyanshjain7174]

@rawahars Addressed all 8 review comments. Also added scripts/validate-sandbox-paths.ps1 — a portable E2E validation script that exercises real CRI pod lifecycles via crictl and validates that /etc/hostname, /etc/hosts, and /etc/resolv.conf are correctly mounted from the sandbox root. It tests single-pod, sandbox+workload, and sequential multi-pod scenarios. All 13 checks pass locally.

Do you think this script is worth keeping in the repo for manual validation, or should it go in a separate PR / be dropped from this one?

[rawahars]

Major driving comment are that for the current change, try to align as close to original code structure as possible.

[shreyanshjain7174]

Thanks for the detailed round 2 review. Pushed an update addressing all the comments:

• Restored section comments in Container.Delete (remove user mounts, tmpfs mounts, hugepages)
• Added utility methods back: getSandboxHostnamePath/HostsPath/ResolvPath in sandbox_container.go, getStandaloneHostnamePath/HostsPath/ResolvPath in standalone_container.go
• Restored original setup function names: setupSandboxMountsPath, setupSandboxTmpfsMountsPath, etc.
• Moved the root-based path helpers (SandboxMountsDirFromRoot, SandboxTmpfsMountsDirFromRoot, etc.) into spec.go alongside the existing ID-based methods
• Moved GenerateWorkloadContainerNetworkMountsFromRoot into spec.go as well, removed the local inline version
• Added whitespace and comments in registerSandboxRoot for readability
• Kept the VirtualPod* methods in spec.go for now since GenerateWorkloadContainerNetworkMounts (used by securitypolicy) still depends on VirtualPodAwareSandboxRootDir. Happy to remove them in a follow-up once we wire that caller through the root-based path too.

All tests pass locally (unit + E2E via crictl).

[shreyanshjain7174]

Note: this PR has a merge conflict with #2655 (bug fix for leaked LCOW resources) in uvm.go — specifically around RemoveContainer and the virtual pod cleanup paths. Once #2655 merges, I'll rebase on top of it.

[helsaawy]

Can we switch entirely to the *FromRoot functions and delete the [VirtualPodAware]*MountsDir/Source functions in internal/guest/spec?

[helsaawy]

Might be worthwhile to add Sandbox[Tmpfs]MountsSourceFromRoot or something similar.

[shreyanshjain7174]

Added SandboxMountSourceFromRoot, SandboxTmpfsMountSourceFromRoot, and HugePagesMountSourceFromRoot to spec.go. The updateSandboxMounts and updateHugePageMounts functions in workload_container.go now use these instead of inline filepath.Join + TrimPrefix.

[rawahars]

Are we planning on removing VirtualPodAwareSandboxMountsDir and other utility methods in next PR?

[shreyanshjain7174]

Yes, the follow-up PR (guest-pod-unification branch) removes VirtualPodAwareSandboxMountsDir and the other VirtualPod* methods as part of the unified pod model.

[rawahars]

nit: Consider adding this comment in next PR when you do the refactoring.

[shreyanshjain7174]

Will add in the follow-up.

[rawahars]

nit: Why not just use the containersMutex? If sandboxRoots is always used under containersMutex then you can skip sandboxRootsMutex.

[shreyanshjain7174]

Good point — sandboxRoots is only accessed within CreateContainer and RemoveContainer which both hold containersMutex. I'll consolidate to use containersMutex only in the follow-up to keep this PR minimal.