virtcontainers: constrain runtime after creating network

Runtime must setup the network before moving itself into the cgroup, otherwise it won't be able to get the vhost/net queues file descriptors for the hypervisor. Signed-off-by: Julio Montes <[email protected]>
kata-containers · Apr 29, 2020 · 93b1b83 · 93b1b83
1 parent fc9be99
commit 93b1b83
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/virtcontainers/api.go b/virtcontainers/api.go
@@ -76,13 +76,6 @@ func createSandboxFromConfig(ctx context.Context, sandboxConfig SandboxConfig, f
 		return nil, err
 	}
 
-	// Move runtime to sandbox cgroup so all process are created there.
-	if s.config.SandboxCgroupOnly {
-		if err := s.setupSandboxCgroup(); err != nil {
-			return nil, err
-		}
-	}
-
 	// cleanup sandbox resources in case of any failure
 	defer func() {
 		if err != nil {
@@ -102,6 +95,13 @@ func createSandboxFromConfig(ctx context.Context, sandboxConfig SandboxConfig, f
 		}
 	}()
 
+	// Move runtime to sandbox cgroup so all process are created there.
+	if s.config.SandboxCgroupOnly {
+		if err := s.setupSandboxCgroup(); err != nil {
+			return nil, err
+		}
+	}
+
 	// Start the VM
 	if err = s.startVM(); err != nil {
 		return nil, err