virsh: make lxc-enter-namespace also join the cgroups

Extend the lxc-enter-namespace command so that it joins the
containers' cgroups before starting new namespaces. This
ensures that the commands run have the normal resource
limits applied

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c
index 11116a90ad733d0bbc6285aef0123660b6c9d40e..02be58f19a9ba2f135494f40da075dbbd840e009 100644 (file)
--- a/tools/virsh-domain.c
+++ b/tools/virsh-domain.c
@@ -9334,6 +9334,9 @@ cmdLxcEnterNamespace(vshControl *ctl, const vshCmd *cmd)
                                            0) < 0)
             _exit(EXIT_CANCELED);
 
+        if (virDomainLxcEnterCGroup(dom, 0) < 0)
+            _exit(EXIT_CANCELED);
+
         if (virDomainLxcEnterNamespace(dom,
                                        nfdlist,
                                        fdlist,

diff --git a/tools/virsh.pod b/tools/virsh.pod
index 6844823b345bd1e6e263f16f8160c4e4811efd84..1e5666064a8df34c139aee949acb5430c577cc53 100644 (file)
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -4195,9 +4195,10 @@ omitted.
 Enter the namespace of I<domain> and execute the command C</path/to/binary>
 passing the requested args. The binary path is relative to the container
 root filesystem, not the host root filesystem. The binary will inherit the
-environment variables / console visible to virsh. This command only works
-when connected to the LXC hypervisor driver.  This command succeeds only
-if C</path/to/binary> has 0 exit status.
+environment variables / console visible to virsh. The command will be run
+with the same sVirt context and cgroups placement as processes within the
+container. This command only works when connected to the LXC hypervisor
+driver.  This command succeeds only if C</path/to/binary> has 0 exit status.
 
 By default the new process will run with the security label of the new
 parent container. Use the I<--noseclabel> option to instead have the