Split neonvm runtime tools out of VM image, supply it from neonvm-runner

[sharnoff]

Problem description / Motivation

Currently (2025-01), vm-builder is responsible for adding the "neonvm runtime" to the VM image — this is the set of binaries and scripts responsible for management of the VM.

We have a number of issues resulting from the "neonvm runtime" being tied to the VM image, rather than anything else:

1. Rollout of neonvm runtime changes is multi-step and slow: It requires cutting a release on this repo, bumping vm-builder in neondatabase/neon, and waiting for a compute release.
2. We have no way of aligning the contents of the VM with our kernel image

There's also related issues from the input container image being used as the basis for the VM image's filesystem — in particular, that there's no isolation between that and the neonvm runtime, and so any work on the neonvm parts inside the VM must be very careful to not rely on anything outside the /neonvm directory. For example, we need to always set the path to just /neonvm/bin.

Implementation ideas

The internal "neonvm runtime" components should be packaged as a separate QCOW2 image (or similar), distributed as part of the neonvm-runner image, and do the initial boot before mounting what was the VM image. Programs from the VM image should be run by chroot'ing into the mount.

We may also want to configure sshd to chroot into the mount as well, because that's probably more likely to match existing expectations. Access via screen + tty can still work for things outside of that.