Skim — hash-with-debug-symlink approach is clean; the 12-char budget derivation in the comment is exactly what I'd want when re-reading this in 6 months.

One observation worth raising before this lands:

• os.Symlink(ateomDir, debugAteomDir) is not idempotent across restarts. MkdirAll above it is (returns nil if the dir exists); RemoveAll(sockPath) a few lines down is too. But os.Symlink returns EEXIST if the link already exists → on the 2nd start of an ateom for the same (namespace, podName) pair, this line errors and the process exits.
• Whether it matters depends on the /run/ateom-gvisor lifecycle:
  • per-container tmpfs blown away on container restart → no concern, drop this
  • hostPath / persistent emptyDir surviving container restarts within a pod → restart loop on 2nd start
• If it's a concern, cheapest fix is os.Remove(debugAteomDir) (ignoring os.IsNotExist) before the Symlink — symmetric with the RemoveAll(sockPath) pattern a few lines down.

Q: is /run/ateom-gvisor's lifecycle scoped to the ateom process, or does it survive an ateom container restart within the same pod?

If it's a concern, cheapest fix is os.Remove(debugAteomDir) (ignoring os.IsNotExist) before the Symlink — symmetric with the RemoveAll(sockPath) pattern a few lines down.

Agreed. Done.

This is a host mount, which you can discover from the install manifests.

Confirmed via manifests/ate-install/atelet.yaml — /run/ateom-gvisor is hostPath with DirectoryOrCreate, which means:

• ateom container restart within the same pod → symlink survives → EEXIST on 2nd os.Symlink → process exits → restart loop.
• Pod eviction to a different node → fresh path → no issue.

Your os.Remove fix resolves the realistic crashloop path. Thanks for the host-mount pointer — useful context for future ateom-side work.

Technically we could also solve this with Chdir and using a short relative path but I went with this approach because we'd have to be careful to lock to an OS thread without CLONE_FS and isolate it in atelet or else race on process-wide chdir.

Thinking about it more, maybe we want to make the symlink the shortened path and use that just for socket binding.

EDIT: Squashed down.

The diff is a bit more involved ... but I think this is still better architecturally.