lxc: delay setup of cgroup until we have the init pid

Don't create the cgroups ahead of launching the container since
there is no need for the limits to apply during initial bootstrap.
Create the cgroup after the container PID is known and tell
systemd the initpid is the leader, instead of the controller
pid.

src/lxc/lxc_cgroup.c

@@ -462,7 +462,8 @@ static int virLXCCgroupSetupDeviceACL(virDomainDefPtr def,
 }
 
 
-virCgroupPtr virLXCCgroupCreate(virDomainDefPtr def)
+virCgroupPtr virLXCCgroupCreate(virDomainDefPtr def,
+                                pid_t initpid)
 {
     virCgroupPtr cgroup = NULL;
 
@@ -473,18 +474,12 @@ virCgroupPtr virLXCCgroupCreate(virDomainDefPtr def)
         goto cleanup;
     }
 
-    /*
-     * XXX
-     * We should pass the PID of the LXC init process
-     * not ourselves, but this requires some more
-     * refactoring. We should also pass the root dir
-     */
     if (virCgroupNewMachine(def->name,
                             "lxc",
                             true,
                             def->uuid,
                             NULL,
-                            getpid(),
+                            initpid,
                             true,
                             0, NULL,
                             def->resource->partition,

src/lxc/lxc_cgroup.h

@@ -27,7 +27,8 @@
 # include "lxc_fuse.h"
 # include "virusb.h"
 
-virCgroupPtr virLXCCgroupCreate(virDomainDefPtr def);
+virCgroupPtr virLXCCgroupCreate(virDomainDefPtr def,
+                                pid_t initpid);
 virCgroupPtr virLXCCgroupJoin(virDomainDefPtr def);
 int virLXCCgroupSetup(virDomainDefPtr def,
                       virCgroupPtr cgroup,

src/lxc/lxc_controller.c

@@ -680,8 +680,9 @@ static int virLXCControllerGetNumadAdvice(virLXCControllerPtr ctrl,
  * virLXCControllerSetupResourceLimits
  * @ctrl: the controller state
  *
- * Creates a cgroup for the container, moves the task inside,
- * and sets resource limits
+ * Sets up the non-cgroup based resource limits that need
+ * to be inherited by the child process across clone()/exec().
+ * The cgroup limits are setup later
  *
  * Returns 0 on success or -1 in case of error
  */
@@ -704,6 +705,37 @@ static int virLXCControllerSetupResourceLimits(virLXCControllerPtr ctrl)
     if (virLXCControllerSetupCpuAffinity(ctrl) < 0)
         goto cleanup;
 
+    ret = 0;
+ cleanup:
+    virBitmapFree(auto_nodeset);
+    return ret;
+}
+
+
+/*
+ * Creates the cgroup and sets up the various limits associated
+ * with it
+ */
+static int virLXCControllerSetupCgroupLimits(virLXCControllerPtr ctrl)
+{
+    virBitmapPtr auto_nodeset = NULL;
+    int ret = -1;
+    virBitmapPtr nodeset = NULL;
+
+    VIR_DEBUG("Setting up cgroup resource limits");
+
+    if (virLXCControllerGetNumadAdvice(ctrl, &auto_nodeset) < 0)
+        goto cleanup;
+
+    nodeset = virDomainNumatuneGetNodeset(ctrl->def->numatune, auto_nodeset, -1);
+
+    if (!(ctrl->cgroup = virLXCCgroupCreate(ctrl->def,
+                                            ctrl->initpid)))
+        goto cleanup;
+
+    if (virCgroupAddTask(ctrl->cgroup, getpid()) < 0)
+        goto cleanup;
+
     if (virLXCCgroupSetup(ctrl->def, ctrl->cgroup, nodeset) < 0)
         goto cleanup;
 
@@ -2224,6 +2256,9 @@ virLXCControllerRun(virLXCControllerPtr ctrl)
     for (i = 0; i < ctrl->npassFDs; i++)
         VIR_FORCE_CLOSE(ctrl->passFDs[i]);
 
+    if (virLXCControllerSetupCgroupLimits(ctrl) < 0)
+        goto cleanup;
+
     if (virLXCControllerSetupUserns(ctrl) < 0)
         goto cleanup;
 
@@ -2454,9 +2489,6 @@ int main(int argc, char *argv[])
     if (virLXCControllerValidateConsoles(ctrl) < 0)
         goto cleanup;
 
-    if (!(ctrl->cgroup = virLXCCgroupCreate(ctrl->def)))
-        goto cleanup;
-
     if (virLXCControllerSetupServer(ctrl) < 0)
         goto cleanup;