From ea5f8e0445e80dc29acd9b5d57481a0e936af89b Mon Sep 17 00:00:00 2001
From: lifubang
Date: Fri, 11 Oct 2024 09:22:48 +0800
Subject: [PATCH] join the cgroup after the initial setup finished
We should join the cgroup after the initial setup finished, but before runc init clone new children processes. (#4427) Because we should try our best to reduce the influence of memory cgroup accounting from all runc init processes before we start the container init process.
Signed-off-by: lifubang
(cherry picked from commit 4f6000e7004eec3da217ed8c4ec4dafe6b9169d6)
Signed-off-by: lifubang
---
 libcontainer/process_linux.go | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/libcontainer/process_linux.go b/libcontainer/process_linux.go
index ac3b104ea02..822edefc9bb 100644
--- a/libcontainer/process_linux.go
+++ b/libcontainer/process_linux.go
@@ -407,6 +407,13 @@ func (p *initProcess) start() (retErr error) {
 }
 }()
 
+ // We should join the cgroup after the initial setup finished,
+ // but before runc init clone new children processes. (#4427)
+ err = <-waitInit
+ if err != nil {
+ return err
+ }
+
 // Do this before syncing with child so that no children can escape the
 // cgroup. We don't need to worry about not doing this and not being root
 // because we'd be using the rootless cgroup manager in that case.
@@ -421,10 +428,6 @@ func (p *initProcess) start() (retErr error) {
 if _, err := io.Copy(p.messageSockPair.parent, p.bootstrapData); err != nil {
 return fmt.Errorf("can't copy bootstrap data to pipe: %w", err)
 }
- err = <-waitInit
- if err != nil {
- return err
- }
 
 childPid, err := p.getChildPid()
 if err != nil {
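Review bot: The added `err = <-waitInit` in the first hunk is itself a synchronisation with the child, yet it now sits directly above the context comment that says the cgroup join must happen "before syncing with child so that no children can escape the cgroup", so the two comments contradict each other as written. After this change, containment depends on runc init sending that signal before it clones any child; the new comment asserts this, but neither the initWaiter side nor the runc init side is visible in the hunk. I would state the invariant explicitly in the added comment, for example `// Invariant: runc init signals waitInit before it clones any child, so no process can exist outside the cgroup when we join it below.`, and reword the older comment to name the later sync it actually refers to. It is also worth noting in the same comment that the initial-setup phase is now deliberately excluded from the container's cgroup accounting, so a reader does not mistake the gap for an oversight. start() begins and ends outside both hunks.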