guest: use OCIBundlePath as sandbox root source of truth

Replace heuristic sandbox path derivation (hard-coded /run/gcs/c prefix + ID)
with host-provided OCIBundlePath as the canonical sandbox root directory.

This change prepares the guest-side GCS for Shim v2 and multi-pod UVM support,
where the host may use a different path layout than the legacy /run/gcs/c/<id>.

Key changes:
- Add sandboxRoots mapping on Host to store resolved sandbox root per sandbox ID
- Sandbox containers: register OCIBundlePath as sandbox root
- Virtual pods: derive sandbox root from OCIBundlePath parent + /virtual-pods/<id>
- Workload containers: resolve sandbox root from Host mapping (fallback to legacy)
- Standalone containers: use OCIBundlePath directly as root
- Container.Delete: use stored sandboxRoot for cleanup paths
- Remove duplicate setup functions (setupVirtualPod* merged into unified setup*)

The refactor produces identical paths when the old shim sends OCIBundlePath in
the legacy format, ensuring zero behavior change for existing deployments.

Security: virtualPodID is validated against path traversal before use.
Signed-off-by: Shreyansh Sancheti <shsancheti@microsoft.com>

Author: Shreyansh Sancheti

internal/guest/runtime/hcsv2/container.go

@@ -30,7 +30,6 @@ import (
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestrequest"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
-	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
 // containerStatus has been introduced to enable parallel container creation
@@ -77,6 +76,10 @@ type Container struct {
 	// of this container is located. Usually, this is either `/run/gcs/c/<containerID>` or
 	// `/run/gcs/c/<UVMID>/container_<containerID>` if scratch is shared with UVM scratch.
 	scratchDirPath string
+
+	// sandboxRoot is the root directory of the pod within the guest.
+	// Used during cleanup to unmount sandbox-specific paths.
+	sandboxRoot string
 }
 
 func (c *Container) Start(ctx context.Context, conSettings stdio.ConnectionSettings) (_ int, err error) {
@@ -229,25 +232,19 @@ func (c *Container) Kill(ctx context.Context, signal syscall.Signal) error {
 func (c *Container) Delete(ctx context.Context) error {
 	entity := log.G(ctx).WithField(logfields.ContainerID, c.id)
 	entity.Info("opengcs::Container::Delete")
-	if c.isSandbox {
-		// Check if this is a virtual pod
-		virtualSandboxID := ""
-		if c.spec != nil && c.spec.Annotations != nil {
-			virtualSandboxID = c.spec.Annotations[annotations.VirtualPodID]
-		}
-
-		// remove user mounts in sandbox container - use virtual pod aware paths
-		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareSandboxMountsDir(c.id, virtualSandboxID), true); err != nil {
+	if c.isSandbox && c.sandboxRoot != "" {
+		// remove user mounts in sandbox container
+		if err := storage.UnmountAllInPath(ctx, specGuest.SandboxMountsDirFromRoot(c.sandboxRoot), true); err != nil {
 			entity.WithError(err).Error("failed to unmount sandbox mounts")
 		}
 
-		// remove user mounts in tmpfs sandbox container - use virtual pod aware paths
-		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareSandboxTmpfsMountsDir(c.id, virtualSandboxID), true); err != nil {
+		// remove tmpfs mounts in sandbox container
+		if err := storage.UnmountAllInPath(ctx, specGuest.SandboxTmpfsMountsDirFromRoot(c.sandboxRoot), true); err != nil {
 			entity.WithError(err).Error("failed to unmount tmpfs sandbox mounts")
 		}
 
-		// remove hugepages mounts in sandbox container - use virtual pod aware paths
-		if err := storage.UnmountAllInPath(ctx, specGuest.VirtualPodAwareHugePagesMountsDir(c.id, virtualSandboxID), true); err != nil {
+		// remove hugepages mounts in sandbox container
+		if err := storage.UnmountAllInPath(ctx, specGuest.SandboxHugePagesMountsDirFromRoot(c.sandboxRoot), true); err != nil {
 			entity.WithError(err).Error("failed to unmount hugepages mounts")
 		}
 	}

internal/guest/runtime/hcsv2/sandbox_container.go

@@ -20,35 +20,30 @@ import (
 	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
-func getSandboxHostnamePath(id, virtualSandboxID string) string {
-	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "hostname")
+func getSandboxHostnamePath(sandboxRoot string) string {
+	return filepath.Join(sandboxRoot, "hostname")
 }
 
-func getSandboxHostsPath(id, virtualSandboxID string) string {
-	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "hosts")
+func getSandboxHostsPath(sandboxRoot string) string {
+	return filepath.Join(sandboxRoot, "hosts")
 }
 
-func getSandboxResolvPath(id, virtualSandboxID string) string {
-	return filepath.Join(specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID), "resolv.conf")
+func getSandboxResolvPath(sandboxRoot string) string {
+	return filepath.Join(sandboxRoot, "resolv.conf")
 }
 
-func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (err error) {
+func setupSandboxContainerSpec(ctx context.Context, id, sandboxRoot string, spec *oci.Spec) (err error) {
 	ctx, span := oc.StartSpan(ctx, "hcsv2::setupSandboxContainerSpec")
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
 	span.AddAttributes(trace.StringAttribute("cid", id))
 
-	// Check if this is a virtual pod to use appropriate root directory
-	virtualSandboxID := spec.Annotations[annotations.VirtualPodID]
-
-	// Generate the sandbox root dir - virtual pod aware
-	rootDir := specGuest.VirtualPodAwareSandboxRootDir(id, virtualSandboxID)
-	if err := os.MkdirAll(rootDir, 0755); err != nil {
-		return errors.Wrapf(err, "failed to create sandbox root directory %q", rootDir)
+	if err := os.MkdirAll(sandboxRoot, 0755); err != nil {
+		return errors.Wrapf(err, "failed to create sandbox root directory %q", sandboxRoot)
 	}
 	defer func() {
 		if err != nil {
-			_ = os.RemoveAll(rootDir)
+			_ = os.RemoveAll(sandboxRoot)
 		}
 	}()
 
@@ -62,19 +57,20 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 		}
 	}
 
-	sandboxHostnamePath := getSandboxHostnamePath(id, virtualSandboxID)
+	sandboxHostnamePath := getSandboxHostnamePath(sandboxRoot)
 	if err := os.WriteFile(sandboxHostnamePath, []byte(hostname+"\n"), 0644); err != nil {
 		return errors.Wrapf(err, "failed to write hostname to %q", sandboxHostnamePath)
 	}
 
 	// Write the hosts
 	sandboxHostsContent := network.GenerateEtcHostsContent(ctx, hostname)
-	sandboxHostsPath := getSandboxHostsPath(id, virtualSandboxID)
+	sandboxHostsPath := getSandboxHostsPath(sandboxRoot)
 	if err := os.WriteFile(sandboxHostsPath, []byte(sandboxHostsContent), 0644); err != nil {
 		return errors.Wrapf(err, "failed to write sandbox hosts to %q", sandboxHostsPath)
 	}
 
 	// Check if this is a virtual pod sandbox container by comparing container ID with virtual pod ID
+	virtualSandboxID := spec.Annotations[annotations.VirtualPodID]
 	isVirtualPodSandbox := virtualSandboxID != "" && id == virtualSandboxID
 	if strings.EqualFold(spec.Annotations[annotations.SkipPodNetworking], "true") || isVirtualPodSandbox {
 		ns := GetOrAddNetworkNamespace(specGuest.GetNetworkNamespaceID(spec))
@@ -97,7 +93,7 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 		if err != nil {
 			return errors.Wrap(err, "failed to generate sandbox resolv.conf content")
 		}
-		sandboxResolvPath := getSandboxResolvPath(id, virtualSandboxID)
+		sandboxResolvPath := getSandboxResolvPath(sandboxRoot)
 		if err := os.WriteFile(sandboxResolvPath, []byte(resolvContent), 0644); err != nil {
 			return errors.Wrap(err, "failed to write sandbox resolv.conf")
 		}
@@ -125,10 +121,8 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 
 	// Set cgroup path - check if this is a virtual pod
 	if virtualSandboxID != "" {
-		// Virtual pod sandbox gets its own cgroup under /containers/virtual-pods using the virtual pod ID
 		spec.Linux.CgroupsPath = "/containers/virtual-pods/" + virtualSandboxID
 	} else {
-		// Traditional sandbox goes under /containers
 		spec.Linux.CgroupsPath = "/containers/" + id
 	}