cgroups/cgfsng: do not prematurely close file descriptors

src/lxc/cgroups/cgfsng.c

@@ -1413,9 +1413,9 @@ __cgfsng_ops static bool cgfsng_monitor_enter(struct cgroup_ops *ops,
 			return log_error_errno(false, errno, "Failed to enter cgroup \"%s\"", h->monitor_full_path);
 
 		/*
-		 * We don't keep the fds for non-unified hierarchies around
+		 * we don't keep the fds for non-unified hierarchies around
 		 * mainly because we don't make use of them anymore after the
-		 * core cgroup setup is done but also because they're quite a
+		 * core cgroup setup is done but also because there are quite a
 		 * lot of them.
 		 */
 		if (!is_unified_hierarchy(h))
@@ -1453,15 +1453,6 @@ __cgfsng_ops static bool cgfsng_payload_enter(struct cgroup_ops *ops,
 		ret = lxc_writeat(h->cgfd_con, "cgroup.procs", pidstr, len);
 		if (ret != 0)
 			return log_error_errno(false, errno, "Failed to enter cgroup \"%s\"", h->container_full_path);
-
-		/*
-		 * We don't keep the fds for non-unified hierarchies around
-		 * mainly because we don't make use of them anymore after the
-		 * core cgroup setup is done but also because they're quite a
-		 * lot of them.
-		 */
-		if (!is_unified_hierarchy(h))
-			close_prot_errno_disarm(h->cgfd_con);
 	}
 
 	return true;
@@ -1582,6 +1573,27 @@ __cgfsng_ops static bool cgfsng_chown(struct cgroup_ops *ops,
 	return true;
 }
 
+__cgfsng_ops void cgfsng_payload_finalize(struct cgroup_ops *ops)
+{
+	if (!ops)
+		return;
+
+	if (!ops->hierarchies)
+		return;
+
+	for (int i = 0; ops->hierarchies[i]; i++) {
+		struct hierarchy *h = ops->hierarchies[i];
+		/*
+		 * we don't keep the fds for non-unified hierarchies around
+		 * mainly because we don't make use of them anymore after the
+		 * core cgroup setup is done but also because there are quite a
+		 * lot of them.
+		 */
+		if (!is_unified_hierarchy(h))
+			close_prot_errno_disarm(h->cgfd_con);
+	}
+}
+
 /* cgroup-full:* is done, no need to create subdirs */
 static bool cg_mount_needs_subdirs(int type)
 {
@@ -3253,6 +3265,7 @@ struct cgroup_ops *cgfsng_ops_init(struct lxc_conf *conf)
 	cgfsng_ops->payload_delegate_controllers = cgfsng_payload_delegate_controllers;
 	cgfsng_ops->payload_create = cgfsng_payload_create;
 	cgfsng_ops->payload_enter = cgfsng_payload_enter;
+	cgfsng_ops->payload_finalize = cgfsng_payload_finalize;
 	cgfsng_ops->escape = cgfsng_escape;
 	cgfsng_ops->num_hierarchies = cgfsng_num_hierarchies;
 	cgfsng_ops->get_hierarchies = cgfsng_get_hierarchies;

src/lxc/cgroups/cgroup.h

@@ -166,6 +166,7 @@ struct cgroup_ops {
 				 struct lxc_handler *handler);
 	bool (*monitor_delegate_controllers)(struct cgroup_ops *ops);
 	bool (*payload_delegate_controllers)(struct cgroup_ops *ops);
+	void (*payload_finalize)(struct cgroup_ops *ops);
 };
 
 extern struct cgroup_ops *cgroup_init(struct lxc_conf *conf);

src/lxc/start.c

@@ -1922,6 +1922,9 @@ static int lxc_spawn(struct lxc_handler *handler)
 		}
 	}
 
+	cgroup_ops->payload_finalize(cgroup_ops);
+	TRACE("Finished setting up cgroups");
+
 	/* Run any host-side start hooks */
 	ret = run_lxc_hooks(name, "start-host", conf, NULL);
 	if (ret < 0) {