container start: unshare cgns when possible

src/lxc/namespace.h

@@ -34,6 +34,9 @@
 #ifndef CLONE_NEWNS
 #  define CLONE_NEWNS             0x00020000
 #endif
+#ifndef CLONE_NEWCGROUP
+#  define CLONE_NEWCGROUP         0x02000000
+#endif
 #ifndef CLONE_NEWUTS
 #  define CLONE_NEWUTS            0x04000000
 #endif

src/lxc/start.c

@@ -842,6 +842,11 @@ static int do_start(void *data)
 	if (handler->backgrounded && null_stdfds() < 0)
 		goto out_warn_father;
 
+	if (cgns_supported() && unshare(CLONE_NEWCGROUP) != 0) {
+		SYSERROR("Failed to unshare cgroup namespace");
+		goto out_warn_father;
+	}
+
 	/* after this call, we are in error because this
 	 * ops should not return as it execs */
 	handler->ops->start(handler, handler->data);

src/lxc/utils.c

@@ -1185,6 +1185,11 @@ bool file_exists(const char *f)
 	return stat(f, &statbuf) == 0;
 }
 
+bool cgns_supported(void)
+{
+	return file_exists("/proc/self/ns/cgroup");
+}
+
 /* historically lxc-init has been under /usr/lib/lxc and under
  * /usr/lib/$ARCH/lxc.  It now lives as $prefix/sbin/init.lxc.
  */

src/lxc/utils.h

@@ -273,6 +273,7 @@ int detect_shared_rootfs(void);
 int detect_ramfs_rootfs(void);
 char *on_path(char *cmd, const char *rootfs);
 bool file_exists(const char *f);
+bool cgns_supported(void);
 char *choose_init(const char *rootfs);
 int print_to_file(const char *file, const char *content);
 bool switch_to_ns(pid_t pid, const char *ns);