Replace one-shot clock_settime with chrony for continuous guest time sync

Switch from the envd /init endpoint pushing host time via syscall to
chronyd reading the KVM PTP hardware clock (/dev/ptp0) continuously.
This fixes clock drift between init calls and handles snapshot resume
gracefully.

Changes:
- Add clocksource=kvm-clock kernel boot arg
- Start chronyd in wrenn-init.sh before tini (PHC /dev/ptp0, makestep 1.0 -1)
- Remove clock_settime logic from envd SetData and shouldSetSystemTime
- Remove client.Init() clock sync calls from sandbox manager (3 sites)
- Remove Init() method from envdclient (no longer needed)
- Simplify rootfs scripts: socat/chrony now come from apt in the container
  image, only envd/wrenn-init/tini are injected by build scripts

images/wrenn-init.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # wrenn-init: minimal PID 1 init for Firecracker microVMs.
-# Mounts virtual filesystems then execs envd.
+# Mounts virtual filesystems, starts chronyd for time sync, then execs tini + envd.
 
 set -e
 
@@ -27,5 +27,17 @@ echo "nameserver 8.8.4.4" >> /etc/resolv.conf
 # Set a standard PATH so envd and all child processes can find common binaries.
 export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
+# Write chrony config to sync time from the KVM PTP hardware clock.
+# /dev/ptp0 is a paravirtual clock exposed by KVM — no network required.
+mkdir -p /etc/chrony /run/chrony
+cat > /etc/chrony/chrony.conf <<EOF
+refclock PHC /dev/ptp0 poll 2 dpoll 2
+driftfile /run/chrony/chrony.drift
+makestep 1.0 -1
+EOF
+
+# Start chronyd in the background before handing off to tini.
+chronyd -f /etc/chrony/chrony.conf 2>/dev/null || true
+
 # Exec tini as PID 1 — it reaps zombie processes and forwards signals to envd.
 exec /sbin/tini -- /usr/local/bin/envd