fix: kill orphan VMM via /proc cmdline fallback when pidfile pre-removed

[CMGS]

Summary

• Adds utils.FindVMMByCmdline /proc scan as a fallback when the pidfile-based stop path can't see a live VMM.
• Hardens WithRunningVM (recover the pid) and DeleteAll (post-stop sweep for workers/siblings).
• Repro: pidfile + api.sock removed before the VMM exits — current code declares the VM dead, wipes the rundir, deletes the DB record, but the VMM keeps running as a PPID=1 orphan.

Background

PR #50 added the socket-probe tiebreaker, which only catches orphans whose api.sock is still listening. The GKE prod scan today turned up 3 orphan VMMs whose api.sock had been wiped along with the rundir — the chain was:

CH snapshot save → InvalidStateTransition(Paused, Paused)
  → vm rm --force triggered
  → WithRunningVM (pidfile gone) → ErrNotRunning
  → socket-probe (api.sock also gone) → false
  → RemoveVMDirs + DB delete
  → VMM process still alive, now PPID=1 orphan

InvalidStateTransition(Paused, Paused) is a separate upstream CH bug (non-idempotent Vm::pause() in vmm/src/vm.rs:3239 — valid_transition rejects Paused → Paused); investigating separately. This PR closes the orphan-leak hole on the cocoon side regardless of what triggers it.

Reproduction (testbed 35.240.182.52)

cocoon vm run --nics 0 --memory 512M ghcr.io/cocoonstack/cocoon/ubuntu:24.04
rm /var/lib/cocoon/run/cloudhypervisor/$VMID/ch.pid
rm /var/lib/cocoon/run/cloudhypervisor/$VMID/api.sock
cocoon vm rm --force $VMID
# Before fix: deleted VM, but `ps | grep cloud-hypervisor` still shows the process
# After fix:  WARN "recovered live pids ... via cmdline scan", process is gone

Test plan

• make lint passes on both GOOS=linux and GOOS=darwin (0 issues)
• go test ./utils/ ./hypervisor/ passes; new TestFindVMMByCmdline covers the happy path + binary/marker negatives
• testbed repro: pidfile-only sabotage → killed (socket-probe path) + pidfile+socket sabotage → killed (cmdline-scan fallback) + normal vm rm path still works
• deploy to GKE prod, re-scan for orphans after next e2e run

[Copilot]

Pull request overview

This PR hardens VM teardown to prevent orphaned VMM processes when runtime artifacts (pidfile and/or api.sock) are removed before the VMM exits, by adding a /proc/<pid>/cmdline scan fallback and using it to recover/kill still-running VMMs.

Changes:

• Add utils.FindVMMByCmdline to locate candidate VMM PIDs by scanning /proc/*/cmdline (Linux) with a no-op stub on non-Linux.
• Update Backend.WithRunningVM to recover a live PID via cmdline scan when the pidfile path can’t validate a running process.
• Update Backend.DeleteAll to do a post-stop /proc sweep and kill any remaining worker/sibling VMM processes.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
utils/process_linux.go	Implements /proc cmdline scanning helper to find candidate VMM PIDs on Linux.
utils/process_other.go	Adds non-Linux stub for the new cmdline scan helper.
utils/process_test.go	Adds a unit test intended to validate the cmdline scan behavior.
hypervisor/state.go	Uses cmdline scan fallback in WithRunningVM to recover live PID(s) when pidfile validation fails.
hypervisor/stop.go	Adds post-stop cmdline scan sweep in DeleteAll to kill leftover VMM processes before deleting runtime dirs/DB record.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.