virsh: make lxc-enter-namespace also join the cgroups

Extend the lxc-enter-namespace command so that it joins the
containers' cgroups before starting new namespaces. This
ensures that the commands run have the normal resource
limits applied

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

tools/virsh-domain.c

@@ -9334,6 +9334,9 @@ cmdLxcEnterNamespace(vshControl *ctl, const vshCmd *cmd)
                                            0) < 0)
             _exit(EXIT_CANCELED);
 
+        if (virDomainLxcEnterCGroup(dom, 0) < 0)
+            _exit(EXIT_CANCELED);
+
         if (virDomainLxcEnterNamespace(dom,
                                        nfdlist,
                                        fdlist,

tools/virsh.pod

@@ -4195,9 +4195,10 @@ omitted.
 Enter the namespace of I<domain> and execute the command C</path/to/binary>
 passing the requested args. The binary path is relative to the container
 root filesystem, not the host root filesystem. The binary will inherit the
-environment variables / console visible to virsh. This command only works
-when connected to the LXC hypervisor driver.  This command succeeds only
-if C</path/to/binary> has 0 exit status.
+environment variables / console visible to virsh. The command will be run
+with the same sVirt context and cgroups placement as processes within the
+container. This command only works when connected to the LXC hypervisor
+driver.  This command succeeds only if C</path/to/binary> has 0 exit status.
 
 By default the new process will run with the security label of the new
 parent container. Use the I<--noseclabel> option to instead have the