Add tini as PID 1, guest clock sync, and fix PATH in guest VMs

- Use tini as PID 1 in wrenn-init.sh so zombie processes are reaped
  and signals are forwarded correctly to envd
- Set standard PATH in wrenn-init.sh so child processes spawned by envd
  can find common binaries (fixes "nice: ls command not found")
- Add envdclient.Init() to POST /init on envd after every boot/resume,
  syncing the guest clock via unix.ClockSettime — critical after snapshot
  resume where the guest clock is frozen
- Run Init in a background goroutine so it doesn't block the CreateSandbox
  RPC response; a slow Init (vCPU busy with envd startup) was causing the
  RPC context to be canceled before the response reached the control plane
- Update rootfs-from-container.sh and update-debug-rootfs.sh to inject
  tini into the rootfs, checking the container image and host first,
  downloading from GitHub releases as fallback

scripts/rootfs-from-container.sh

@@ -15,7 +15,7 @@
 # Output:
 #   ${AGENT_FILES_ROOTDIR}/images/<image_name>/rootfs.ext4
 #
-# Requires: docker, mkfs.ext4, resize2fs, e2fsck, make (for building envd)
+# Requires: docker, mkfs.ext4, resize2fs, e2fsck, make (for building envd), curl (for tini download)
 # Sudo is used only for mount/umount/copy-into-image operations.
 
 set -euo pipefail
@@ -98,10 +98,42 @@ echo "==> Installing wrenn-init..."
 sudo cp "${PROJECT_ROOT}/images/wrenn-init.sh" "${MOUNT_DIR}/usr/local/bin/wrenn-init"
 sudo chmod 755 "${MOUNT_DIR}/usr/local/bin/wrenn-init"
 
+echo "==> Installing tini..."
+TINI_BIN=""
+# 1. Already in the exported container image?
+for p in "${MOUNT_DIR}/usr/bin/tini" "${MOUNT_DIR}/sbin/tini" "${MOUNT_DIR}/usr/local/bin/tini"; do
+    if [ -f "$p" ]; then TINI_BIN="$p"; break; fi
+done
+# 2. Available on the host?
+if [ -z "${TINI_BIN}" ]; then
+    for p in /usr/bin/tini /usr/local/bin/tini /sbin/tini; do
+        if [ -f "$p" ]; then TINI_BIN="$p"; break; fi
+    done
+fi
+# 3. Download from GitHub releases.
+if [ -z "${TINI_BIN}" ]; then
+    ARCH="$(uname -m)"
+    case "${ARCH}" in
+        x86_64)  TINI_ARCH="amd64" ;;
+        aarch64) TINI_ARCH="arm64" ;;
+        *)        echo "ERROR: Unsupported architecture: ${ARCH}"; exit 1 ;;
+    esac
+    TINI_VERSION="v0.19.0"
+    TINI_URL="https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-${TINI_ARCH}"
+    TINI_TMP="/tmp/tini-${TINI_ARCH}"
+    echo "    Downloading tini ${TINI_VERSION} (${TINI_ARCH})..."
+    curl -fsSL "${TINI_URL}" -o "${TINI_TMP}"
+    chmod +x "${TINI_TMP}"
+    TINI_BIN="${TINI_TMP}"
+fi
+sudo mkdir -p "${MOUNT_DIR}/sbin"
+sudo cp "${TINI_BIN}" "${MOUNT_DIR}/sbin/tini"
+sudo chmod 755 "${MOUNT_DIR}/sbin/tini"
+
 # Step 6: Verify.
 echo ""
 echo "==> Installed guest binaries:"
-ls -la "${MOUNT_DIR}/usr/local/bin/envd" "${MOUNT_DIR}/usr/local/bin/wrenn-init"
+ls -la "${MOUNT_DIR}/usr/local/bin/envd" "${MOUNT_DIR}/usr/local/bin/wrenn-init" "${MOUNT_DIR}/sbin/tini"
 
 # Unmount before shrinking.
 sudo umount "${MOUNT_DIR}"