set non device cgroup items before the cgroup is entered

This allows some special cgroup items such as memory.kmem.limit_in_bytes
to be successfully set, since they must be set before any task is put
into the cgroup.

The devices cgroup is setup later giving the container a chance to mount
file systems before the device it might want to mount from becomes
unavailable.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

src/lxc/conf.c

@@ -1401,7 +1401,8 @@ static int setup_kmsg(const struct lxc_rootfs *rootfs,
 	return 0;
 }
 
-int setup_cgroup(const char *cgpath, struct lxc_list *cgroups)
+static int _setup_cgroup(const char *cgpath, struct lxc_list *cgroups,
+			  int devices)
 {
 	struct lxc_list *iterator;
 	struct lxc_cgroup *cg;
@@ -1411,14 +1412,16 @@ int setup_cgroup(const char *cgpath, struct lxc_list *cgroups)
 		return 0;
 
 	lxc_list_for_each(iterator, cgroups) {
-
 		cg = iterator->elem;
 
-		if (lxc_cgroup_set_bypath(cgpath, cg->subsystem, cg->value)) {
+		if (devices == !strncmp("devices", cg->subsystem, 7)) {
-			ERROR("Error setting %s to %s for %s\n", cg->subsystem,
+			if (lxc_cgroup_set_bypath(cgpath, cg->subsystem,
-				cg->value, cgpath);
+			    cg->value)) {
+				ERROR("Error setting %s to %s for %s\n",
+				      cg->subsystem, cg->value, cgpath);
 				goto out;
 			}
+		}
 
 		DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value);
 	}
@@ -1429,6 +1432,16 @@ out:
 	return ret;
 }
 
+int setup_cgroup_devices(const char *cgpath, struct lxc_list *cgroups)
+{
+	return _setup_cgroup(cgpath, cgroups, 1);
+}
+
+int setup_cgroup(const char *cgpath, struct lxc_list *cgroups)
+{
+	return _setup_cgroup(cgpath, cgroups, 0);
+}
+
 static void parse_mntopt(char *opt, unsigned long *flags, char **data)
 {
 	struct mount_opt *mo;

src/lxc/conf.h

@@ -287,6 +287,7 @@ struct lxc_conf {
 int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf);
 
 extern int setup_cgroup(const char *cgpath, struct lxc_list *cgroups);
+extern int setup_cgroup_devices(const char *cgpath, struct lxc_list *cgroups);
 extern int detect_shared_rootfs(void);
 
 /*
@@ -313,8 +314,6 @@ extern int lxc_clear_cgroups(struct lxc_conf *c, const char *key);
 extern int lxc_clear_mount_entries(struct lxc_conf *c);
 extern int lxc_clear_hooks(struct lxc_conf *c, const char *key);
 
-extern int setup_cgroup(const char *name, struct lxc_list *cgroups);
-
 extern int uid_shift_ttys(int pid, struct lxc_conf *conf);
 
 /*

src/lxc/start.c

@@ -809,6 +809,11 @@ int lxc_spawn(struct lxc_handler *handler)
 	if ((handler->cgroup = lxc_cgroup_path_create(NULL, name)) == NULL)
 		goto out_delete_net;
 
+	if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) {
+		ERROR("failed to setup the cgroups for '%s'", name);
+		goto out_delete_net;
+	}
+
 	if (lxc_cgroup_enter(handler->cgroup, handler->pid) < 0)
 		goto out_delete_net;
 
@@ -839,12 +844,11 @@ int lxc_spawn(struct lxc_handler *handler)
 	if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE))
 		goto out_delete_net;
 
-	if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) {
+	if (setup_cgroup_devices(handler->cgroup, &handler->conf->cgroup)) {
-		ERROR("failed to setup the cgroups for '%s'", name);
+		ERROR("failed to setup the devices cgroup for '%s'", name);
 		goto out_delete_net;
 	}
 
-
 	/* Tell the child to complete its initialization and wait for
 	 * it to exec or return an error.  (the child will never
 	 * return LXC_SYNC_POST_CGROUP+1.  It will either close the