Add guest init binary, hooks, and wiring for go-microvm runtime

The go-microvm runtime skeleton was solid but couldn't boot MCP server
images because it lacked guest-side infrastructure. go-microvm uses
gvproxy networking (virtio-net), so the guest must configure its own
network via DHCP — libkrun's built-in init doesn't do this.

This adds:
- thv-vm-init: PID 1 guest binary that boots (mounts, DHCP, SSH via
  go-microvm/guest/boot), reads /etc/thv-entrypoint.json for the original
  OCI cmd/env/workdir, execs the MCP server as a child, forwards
  signals, and halts the VM cleanly on exit
- RootFS hooks: InjectInitBinary (embeds compiled binary),
  InjectEntrypoint (captures OCI config before init override),
  InjectEntrypointOverride (explicit command), InjectSSHKeys
- libkrun backend with WithUserNamespaceUID(1000,1000) for virtiofs
  passthrough, WithCleanDataDir, WithLogLevel, WithImageCache
- HTTP readiness probe (exponential backoff, accepts any response)
- Recovered VM lifecycle fix: StopWorkload/RemoveWorkload now kill
  orphaned runner processes for VMs without handles
- Build infrastructure: build-vm-init task with CGO_ENABLED=0 GOOS=linux,
  wired as dependency of the main build task

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: JAORMX

.gitignore

@@ -47,3 +47,6 @@ coverage*
 crd-helm-wrapper
 cmd/vmcp/__debug_bin*
 /vmcp
+
+# Embedded VM init binary (built by task build-vm-init)
+pkg/container/gomicrovm/initbin/thv-vm-init

Taskfile.yml

@@ -1,11 +1,47 @@
 version: '3'
 
+vars:
+  GOMICROVM_VERSION:
+    sh: go list -m github.com/stacklok/go-microvm | awk '{print $2}'
+
 includes:
   operator:
     taskfile: ./cmd/thv-operator/Taskfile.yml
     flatten: true
 
 tasks:
+  fetch-runtime:
+    desc: Download pre-built go-microvm runtime (go-microvm-runner) from GitHub Release
+    platforms: [linux, darwin]
+    status:
+      - test -f bin/go-microvm-runner
+    cmds:
+      - mkdir -p bin
+      - |
+        if ! command -v gh >/dev/null 2>&1; then
+          echo "NOTE: gh CLI not found -- skipping go-microvm-runner download."
+          echo "  Install gh (https://cli.github.com) and run 'task fetch-runtime',"
+          echo "  or download go-microvm-runner manually from:"
+          echo "  https://github.com/stacklok/go-microvm/releases/tag/{{.GOMICROVM_VERSION}}"
+          exit 0
+        fi
+        os="$(uname -s | tr '[:upper:]' '[:lower:]')"
+        arch="$(uname -m)"
+        case "$arch" in
+          x86_64)  arch="amd64" ;;
+          aarch64) arch="arm64" ;;
+        esac
+        archive="go-microvm-runtime-${os}-${arch}.tar.gz"
+        echo "Downloading go-microvm runtime {{.GOMICROVM_VERSION}} (${os}/${arch})..."
+        gh release download {{.GOMICROVM_VERSION}} \
+          --repo stacklok/go-microvm \
+          --dir bin/ \
+          --clobber \
+          --pattern "${archive}"
+        tar -xzf "bin/${archive}" -C bin/ --strip-components=1
+        rm -f "bin/${archive}"
+        echo "Installed bin/go-microvm-runner"
+
   docs:
     desc: Regenerate the docs
     deps: [swagger-install, helm-docs]
@@ -202,9 +238,23 @@ tasks:
     desc: Run all tests (unit, integration, and e2e)
     deps: [test, test-integration, test-e2e]
 
+  build-vm-init:
+    desc: Cross-compile the thv-vm-init guest binary for Linux
+    sources:
+      - cmd/thv-vm-init/**/*.go
+    generates:
+      - pkg/container/gomicrovm/initbin/thv-vm-init
+    env:
+      CGO_ENABLED: "0"
+      GOOS: linux
+      # GOARCH is intentionally not set — it inherits the host architecture.
+      # libkrun runs guest VMs with the same arch as the host (no cross-arch).
+    cmds:
+      - go build -ldflags "-s -w" -o pkg/container/gomicrovm/initbin/thv-vm-init ./cmd/thv-vm-init
+
   build:
     desc: Build the binary
-    deps: [gen]
+    deps: [gen, build-vm-init, fetch-runtime]
     vars:
       VERSION:
         sh: git describe --tags --dirty --match "v*" 2>/dev/null || echo "dev"
@@ -224,6 +274,7 @@ tasks:
 
   install:
     desc: Install the thv binary to GOPATH/bin
+    deps: [build-vm-init, fetch-runtime]
     vars:
       VERSION:
         sh: git describe --tags --dirty --match "v*" 2>/dev/null || echo "dev"
@@ -232,6 +283,13 @@ tasks:
       BUILD_DATE: '{{dateInZone "2006-01-02T15:04:05Z" (now) "UTC"}}'
     cmds:
       - go install -ldflags "-s -w -X github.com/stacklok/toolhive/pkg/versions.Version={{.VERSION}} -X github.com/stacklok/toolhive/pkg/versions.Commit={{.COMMIT}} -X github.com/stacklok/toolhive/pkg/versions.BuildDate={{.BUILD_DATE}}" -v ./cmd/thv
+      - cmd: |
+          if [ -f bin/go-microvm-runner ]; then
+            gobin="$(go env GOPATH)/bin"
+            cp bin/go-microvm-runner "$gobin/go-microvm-runner"
+            echo "Installed go-microvm-runner to $gobin/"
+          fi
+        platforms: [linux, darwin]
 
   build-vmcp:
     desc: Build the vmcp binary

cmd/thv-vm-init/entrypoint.go

@@ -0,0 +1,41 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build linux
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+)
+
+// DefaultEntrypointPath is the guest path where the OCI entrypoint config is
+// injected by the InjectEntrypoint rootfs hook.
+const DefaultEntrypointPath = "/etc/thv-entrypoint.json"
+
+// entrypointConfig holds the original OCI command, environment, and working
+// directory captured from the container image before the init override replaced
+// the default entrypoint.
+type entrypointConfig struct {
+	Cmd        []string `json:"cmd"`
+	Env        []string `json:"env,omitempty"`
+	WorkingDir string   `json:"working_dir,omitempty"`
+}
+
+// loadEntrypoint reads and parses an entrypoint config file.
+func loadEntrypoint(path string) (*entrypointConfig, error) {
+	data, err := os.ReadFile(path) //nolint:gosec // path is a trusted guest-internal config path
+	if err != nil {
+		return nil, fmt.Errorf("reading entrypoint config: %w", err)
+	}
+	var cfg entrypointConfig
+	if err := json.Unmarshal(data, &cfg); err != nil {
+		return nil, fmt.Errorf("parsing entrypoint config: %w", err)
+	}
+	if len(cfg.Cmd) == 0 {
+		return nil, fmt.Errorf("entrypoint config has empty cmd")
+	}
+	return &cfg, nil
+}

cmd/thv-vm-init/entrypoint_test.go

@@ -0,0 +1,74 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build linux
+
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestLoadEntrypoint(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		content string
+		wantCmd []string
+		wantErr string
+	}{
+		{
+			name:    "valid full config",
+			content: `{"cmd":["/usr/bin/mcp-server","--port","8080"],"env":["FOO=bar"],"working_dir":"/app"}`,
+			wantCmd: []string{"/usr/bin/mcp-server", "--port", "8080"},
+		},
+		{
+			name:    "valid minimal config",
+			content: `{"cmd":["python3","server.py"]}`,
+			wantCmd: []string{"python3", "server.py"},
+		},
+		{
+			name:    "empty cmd",
+			content: `{"cmd":[]}`,
+			wantErr: "entrypoint config has empty cmd",
+		},
+		{
+			name:    "null cmd",
+			content: `{"cmd":null}`,
+			wantErr: "entrypoint config has empty cmd",
+		},
+		{
+			name:    "invalid JSON",
+			content: `{not valid json}`,
+			wantErr: "parsing entrypoint config",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			dir := t.TempDir()
+			path := filepath.Join(dir, "entrypoint.json")
+			require.NoError(t, os.WriteFile(path, []byte(tt.content), 0o644))
+
+			cfg, err := loadEntrypoint(path)
+			if tt.wantErr != "" {
+				require.ErrorContains(t, err, tt.wantErr)
+				return
+			}
+			require.NoError(t, err)
+			require.Equal(t, tt.wantCmd, cfg.Cmd)
+		})
+	}
+}
+
+func TestLoadEntrypoint_MissingFile(t *testing.T) {
+	t.Parallel()
+	_, err := loadEntrypoint("/nonexistent/path/entrypoint.json")
+	require.ErrorContains(t, err, "reading entrypoint config")
+}

cmd/thv-vm-init/main.go

@@ -0,0 +1,117 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build linux
+
+// thv-vm-init is the PID 1 init process for ToolHive go-microvm guest VMs.
+// It boots the guest (mounts, DHCP, SSH), reads the original OCI entrypoint
+// from /etc/thv-entrypoint.json, starts the MCP server as a child process,
+// and forwards termination signals.
+package main
+
+import (
+	"context"
+	"log/slog"
+	"os"
+	"os/exec"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/stacklok/go-microvm/guest/boot"
+	"github.com/stacklok/go-microvm/guest/reaper"
+)
+
+const shutdownTimeout = 5 * time.Second
+
+func main() {
+	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
+
+	// PID 1 must reap orphaned children.
+	stopReaper := reaper.Start(logger)
+	defer stopReaper()
+
+	// Boot: essential mounts, DHCP networking, SSH server.
+	shutdown, err := boot.Run(logger,
+		boot.WithSSHKeysPath("/root/.ssh/authorized_keys"),
+		boot.WithEnvFilePath("/etc/environment"),
+	)
+	if err != nil {
+		logger.Error("boot failed", "error", err)
+		halt()
+		return
+	}
+
+	// Load the original OCI entrypoint that was captured by the
+	// InjectEntrypoint rootfs hook before WithInitOverride replaced it.
+	ep, err := loadEntrypoint(DefaultEntrypointPath)
+	if err != nil {
+		logger.Error("failed to load entrypoint", "error", err)
+		gracefulHalt(logger, shutdown)
+		return
+	}
+
+	// Start the MCP server as a child process.
+	cmd := exec.Command(ep.Cmd[0], ep.Cmd[1:]...) //nolint:gosec // cmd comes from trusted OCI config
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.Env = append(os.Environ(), ep.Env...)
+	if ep.WorkingDir != "" {
+		cmd.Dir = ep.WorkingDir
+	}
+
+	if err := cmd.Start(); err != nil {
+		logger.Error("failed to start MCP server", "error", err, "cmd", ep.Cmd)
+		gracefulHalt(logger, shutdown)
+		return
+	}
+	logger.Info("MCP server started", "pid", cmd.Process.Pid, "cmd", ep.Cmd)
+
+	// Forward SIGTERM/SIGINT to the child process.
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
+	go func() {
+		for received := range sig {
+			logger.Info("received signal, forwarding to child", "signal", received)
+			_ = cmd.Process.Signal(received)
+		}
+	}()
+
+	// Wait for the child to exit.
+	if err := cmd.Wait(); err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			logger.Info("MCP server exited", "code", exitErr.ExitCode())
+		} else {
+			logger.Error("error waiting for MCP server", "error", err)
+		}
+	}
+
+	gracefulHalt(logger, shutdown)
+}
+
+// gracefulHalt shuts down the boot services with a timeout and then halts the VM.
+func gracefulHalt(logger *slog.Logger, shutdown func()) {
+	ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+	defer cancel()
+
+	done := make(chan struct{})
+	go func() {
+		shutdown()
+		close(done)
+	}()
+
+	select {
+	case <-done:
+		logger.Info("shutdown complete")
+	case <-ctx.Done():
+		logger.Warn("shutdown timed out")
+	}
+
+	halt()
+}
+
+// halt powers off the VM. As PID 1 inside a VM, Reboot with POWER_OFF
+// is the clean way to stop — calling os.Exit() would cause a kernel panic.
+func halt() {
+	_ = syscall.Reboot(syscall.LINUX_REBOOT_CMD_POWER_OFF)
+}