1.0.4 — VM runtime + cloud-init paths per-user (closes path-leak track)

[click0]

Summary

lib/vm_run.cpp gains a vmBaseDir() helper — same lazy-resolve pattern as stack.cpp (1.0.3), spec_registry.cpp (1.0.2), network_lease6.cpp (1.0.1), network_lease.cpp (0.9.27). Two sites routed through it:

• configureVmDns() — DNS share dir tree (vm/<vmName>/dns/)
• Cloud-init user-data writer — user-data-9p-<pid>.yaml

Behaviour

Mode	DNS share base	cloud-init temp dir
Legacy (no crated)	/var/run/crate/vm/<vmName>/dns/	/var/run/crate/cloud-init/
Rootless (crated + privops)	/var/run/crate/<uid>/vm/<vmName>/dns/	/var/run/crate/<uid>/cloud-init/

Why

Two operators on a rootless host with the VM track enabled previously clobbered each other's resolv.conf 9p-share AND raced on cloud-init user-data files (the PID suffix gave a probabilistic but not deterministic guarantee against collision — fork() can reuse PIDs).

VM track is #ifdef HAVE_LIBVIRT-gated; non-libvirt builds unaffected.

Path-leak track complete

This release closes the per-user path-leak track from the pre-1.0.0 audit:

• ✅ 0.9.27: network_lease.cpp (IPv4 leases)
• ✅ 1.0.1: network_lease6.cpp (IPv6 leases)
• ✅ 1.0.2: spec_registry.cpp + lifecycle.cpp restart
• ✅ 1.0.3: stack.cpp DNS dirs
• ✅ 1.0.4: vm_run.cpp VM + cloud-init (this PR)

Remaining 1.x work (different shapes, not path leaks):

• lib/run_net.cpp:446 direct ifconfig -vnet (should use SetIfaceUp privops verb)
• PfctlOps privops-wiring — lib/run.cpp calls into pfctl ops directly; needs to route through AddPfRule privops (1.1.0)
• Query-side privops verbs (inspect/doctor/migrate inspection shells out)
• Test coverage on impure modules

Wire / API compatibility

None. Internal-only change. Suite stays at 1303.

Test plan

• FreeBSD CI lite green
• Linux CI green
• Manual (libvirt builds only): two operators bring up VMs with overlapping names; verify /var/run/crate/<uid>/vm/<vmName>/dns/resolv.conf exist separately

---

Generated by Claude Code