virtcontainers: constrain docker container when sandbox_cgroup_only=true

The sandbox cgroup will be constrained if there is no container
type annotation, otherwise kata will rely on container engine's cgroup
configuration

Depends-on: github.com/kata-containers/tests#2255

fixes #2408

Signed-off-by: Julio Montes <julio.montes@intel.com>

cli/config/configuration-acrn.toml.in

@@ -223,9 +223,9 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
 # if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
 # The container cgroups in the host are not created, just one single cgroup per sandbox.
-# The sandbox cgroup is not constrained by the runtime
 # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
 # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# The sandbox cgroup is constrained if there is no container type annotation.
 # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
 sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 

cli/config/configuration-clh.toml.in

@@ -199,9 +199,9 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
 # if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
 # The container cgroups in the host are not created, just one single cgroup per sandbox.
-# The sandbox cgroup is not constrained by the runtime
 # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
 # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# The sandbox cgroup is constrained if there is no container type annotation.
 # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
 sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 

cli/config/configuration-fc.toml.in

@@ -325,9 +325,9 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
 # if enable, the runtime will add all the kata processes inside one dedicated cgroup.
 # The container cgroups in the host are not created, just one single cgroup per sandbox.
-# The sandbox cgroup is not constrained by the runtime
 # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
 # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# The sandbox cgroup is constrained if there is no container type annotation.
 # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
 sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 

cli/config/configuration-qemu-virtiofs.toml.in

@@ -427,9 +427,9 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
 # if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
 # The container cgroups in the host are not created, just one single cgroup per sandbox.
-# The sandbox cgroup is not constrained by the runtime
 # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
 # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# The sandbox cgroup is constrained if there is no container type annotation.
 # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
 sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@
 

cli/config/configuration-qemu.toml.in

@@ -422,9 +422,9 @@ disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
 
 # if enabled, the runtime will add all the kata processes inside one dedicated cgroup.
 # The container cgroups in the host are not created, just one single cgroup per sandbox.
-# The sandbox cgroup is not constrained by the runtime
 # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox.
 # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation.
+# The sandbox cgroup is constrained if there is no container type annotation.
 # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType
 sandbox_cgroup_only=@DEFSANDBOXCGROUPONLY@