Open
Description
While Firecracker recommends that customers use a jailer in production:
"Using Jailer in a production Firecracker deployment is highly recommended, as it provides additional security boundaries for the microVM."
Our internal, implicit CreateVM call doesn't use a jailer.
firecracker-containerd/runtime/service.go, lines 355 to 359 in 4d1bab3
In other words, customers need to use CreateVM explicitly to enable a jailer.
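A practical consequence of the above is that an operator cannot tell from the CreateVM path alone whether a given microVM ended up jailed. The following audit is an added example, not code from firecracker-containerd or Firecracker: it walks /proc and flags every firecracker process that lacks the two boundaries the jailer establishes before exec'ing Firecracker, a chroot (so /proc/<pid>/root no longer resolves to "/") and a drop to a non-root uid. The type and function names are this example's own, and the sample process records in the test are constructed, not captured from a real host.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Proc holds the /proc/<pid> facts needed to tell a jailed Firecracker
// process from an unjailed one (hypothetical type for this example).
type Proc struct {
	PID  int
	Exe  string // target of /proc/<pid>/exe
	Root string // target of /proc/<pid>/root
	UID  int    // real uid, from the Uid: line of /proc/<pid>/status
}

// IsFirecracker matches on the executable name, which is "firecracker"
// whether the binary was started directly or exec'd by the jailer inside
// its chroot (the link target is then the host path of the chroot copy).
func IsFirecracker(p Proc) bool {
	return filepath.Base(p.Exe) == "firecracker"
}

// Jailed reports whether p shows the two boundaries the jailer sets up
// before exec'ing Firecracker: a chroot (root is no longer "/") and a
// drop to a non-root uid. An unjailed Firecracker started by a root-owned
// runtime has root "/" and uid 0.
func Jailed(p Proc) bool {
	return p.Root != "/" && p.UID != 0
}

// Audit returns the PIDs of every Firecracker process that fails Jailed.
func Audit(procs []Proc) []int {
	var unjailed []int
	for _, p := range procs {
		if IsFirecracker(p) && !Jailed(p) {
			unjailed = append(unjailed, p.PID)
		}
	}
	return unjailed
}

// ParseUID extracts the real uid from the contents of /proc/<pid>/status.
func ParseUID(status string) (int, error) {
	for _, line := range strings.Split(status, "\n") {
		if !strings.HasPrefix(line, "Uid:") {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 2 {
			break
		}
		return strconv.Atoi(f[1]) // fields: real, effective, saved, fs
	}
	return 0, fmt.Errorf("no Uid: line in status")
}

// Collect reads every process under /proc. Resolving the exe and root
// links of processes owned by other users needs root (or CAP_SYS_PTRACE);
// entries that cannot be read are skipped rather than misreported.
func Collect() ([]Proc, error) {
	entries, err := os.ReadDir("/proc")
	if err != nil {
		return nil, err
	}
	var procs []Proc
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue // not a pid directory
		}
		dir := filepath.Join("/proc", e.Name())
		exe, err := os.Readlink(filepath.Join(dir, "exe"))
		if err != nil {
			continue
		}
		root, err := os.Readlink(filepath.Join(dir, "root"))
		if err != nil {
			continue
		}
		status, err := os.ReadFile(filepath.Join(dir, "status"))
		if err != nil {
			continue
		}
		uid, err := ParseUID(string(status))
		if err != nil {
			continue
		}
		procs = append(procs, Proc{PID: pid, Exe: exe, Root: root, UID: uid})
	}
	return procs, nil
}

func main() {
	procs, err := Collect()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, pid := range Audit(procs) {
		fmt.Printf("firecracker pid %d is running without the jailer\n", pid)
	}
}
```

Run it as root on the host after creating a microVM through the implicit path and through an explicit CreateVM with jailer settings; only the former should be listed. The check is deliberately conservative: a jailer configured to keep uid 0 is reported as well, which is the kind of configuration an operator would want to see flagged.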