From ac81a17ca9bd2c767230944ce9b762692e444418 Mon Sep 17 00:00:00 2001 From: Zoe Date: Mon, 3 Apr 2023 21:44:23 +0800 Subject: [PATCH] libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed. In code we have frozen the cgroup to avoid the processes get an occasional "permission denied" error, while the systemd's application of device rules is done disruptively. When the processes in the container can not be frozen over 2 seconds (which defined in fs/freezer.go), we still update the cgroup which resulting the container get an occasional "permission denied" error in some cases. Return error directly without updating cgroup, when freeze fails. Fixes: #3803 Signed-off-by: Zoe
---
 libcontainer/cgroups/systemd/v1.go | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/libcontainer/cgroups/systemd/v1.go b/libcontainer/cgroups/systemd/v1.go
index 1af2f308683..2ea3c00d775 100644
--- a/libcontainer/cgroups/systemd/v1.go
+++ b/libcontainer/cgroups/systemd/v1.go
@@ -349,6 +349,15 @@ func (m *LegacyManager) Set(r *configs.Resources) error {
 if err := m.doFreeze(configs.Frozen); err != nil {
 // If freezer cgroup isn't supported, we just warn about it.
 logrus.Infof("freeze container before SetUnitProperties failed: %v", err)
+ // skip update the cgroup while frozen failed. #3803
+ if err != errSubsystemDoesNotExist {
+ if needsThaw {
+ if thawErr := m.doFreeze(configs.Thawed); thawErr != nil {
+ logrus.Infof("thaw container after doFreeze failed: %v", thawErr)
+ }
+ }
+ return err
+ }
 }
 }
 setErr := setUnitProperties(m.dbus, unitName, properties...)
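Review bot: The new guard `if err != errSubsystemDoesNotExist {` compares by identity, so if doFreeze (not visible in this hunk) ever returns that sentinel wrapped with context, a host without the freezer subsystem would start failing Set instead of taking the warn-and-continue path. Matching with `if !errors.Is(err, errSubsystemDoesNotExist) {` keeps the behaviour stable under wrapping, assuming `errors` is already imported in v1.go. The thaw failure inside the same branch is logged only at Info level although it can leave the container frozen after Set has returned an error; `logrus.Warnf("thaw container after doFreeze failed: %v", thawErr)` would make that state visible to operators. The existing comment "If freezer cgroup isn't supported, we just warn about it" now sits above a log line that fires for every freeze error, so it would read better moved next to the sentinel check. The body of Set starts and ends outside this hunk.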