join the cgroup after the initial setup finished

lifubang · lifubang · commit ea5f8e0445e8 · 2024-10-11T09:32:25.000+08:00
We should join the cgroup after the initial setup finished, but before runc init clone new children processes. (#4427) Because we should try our best to reduce the influence of memory cgroup accounting from all runc init processes before we start the container init process. Signed-off-by: lifubang <lifubang@acmcoder.com> (cherry picked from commit 4f6000e) Signed-off-by: lifubang <lifubang@acmcoder.com>
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
@@ -407,6 +407,13 @@ func (p *initProcess) start() (retErr error) {
 		}
 	}()
 
+	// We should join the cgroup after the initial setup finished,
+	// but before runc init clone new children processes. (#4427)
+	err = <-waitInit
+	if err != nil {
+		return err
+	}
+
 	// Do this before syncing with child so that no children can escape the
 	// cgroup. We don't need to worry about not doing this and not being root
 	// because we'd be using the rootless cgroup manager in that case.
@@ -421,10 +428,6 @@ func (p *initProcess) start() (retErr error) {
 	if _, err := io.Copy(p.messageSockPair.parent, p.bootstrapData); err != nil {
 		return fmt.Errorf("can't copy bootstrap data to pipe: %w", err)
 	}
-	err = <-waitInit
-	if err != nil {
-		return err
-	}
 
 	childPid, err := p.getChildPid()
 	if err != nil {
