Fix spec validation to be called on all containers in a Pod.

Earlier, it was being called on a randomly selected container.

PiperOrigin-RevId: 831044513

Author: ayushr2

runsc/boot/controller.go

@@ -716,7 +716,6 @@ func (cm *containerManager) RestoreSubcontainer(args *StartArgs, _ *struct{}) er
 
 	// All validation passed, logs the spec for debugging.
 	specutils.LogSpecDebug(args.Spec, args.Conf.OCISeccomp)
-	timeline.Reached("spec validated")
 
 	goferFiles := args.Files
 	var stdios []*fd.FD

runsc/boot/restore.go

@@ -163,6 +163,7 @@ func (r *restorer) restoreContainerInfo(l *Loader, info *containerInfo, containe
 		if err := specutils.RestoreValidateSpec(r.checkpointedSpecs, l.GetContainerSpecs(), l.root.conf); err != nil {
 			return fmt.Errorf("failed to handle restore spec validation: %w", err)
 		}
+		r.timer.Reached("specs validated")
 
 		// Trigger the restore if this is the last container.
 		return r.restore(l)

runsc/specutils/restore.go

@@ -463,7 +463,9 @@ func validateSpecs(oldSpecs, newSpecs map[string]*specs.Spec) error {
 		if !ok {
 			return fmt.Errorf("checkpoint image does not contain spec for container: %q", cName)
 		}
-		return validateSpecForContainer(oldSpec, newSpec, cName)
+		if err := validateSpecForContainer(oldSpec, newSpec, cName); err != nil {
+			return fmt.Errorf("failed to validate spec for container %q: %w", cName, err)
+		}
 	}
 
 	return nil