Better errors from runc init

[kolyshkin]

This currently includes #4930 (and serves as a test for it). Draft until that one is merged.

Inspired by the discussion in #4905.

In case early stage of runc init (nsenter) fails for some reason, it
logs error(s) with FATAL log level, via bail().

The runc init log is read by a parent (runc create/run/exec) and is
logged via normal logrus mechanism, which is all fine and dandy, except
when runc init fails, we return the error from the parent (which is
usually not too helpful, for example):

runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

Now, the actual underlying error is from runc init and it was logged
earlier; here's how full runc output looks like:

FATA[0000] nsexec-1[3247792]: failed to unshare remaining namespaces: No space left on device
FATA[0000] nsexec-0[3247790]: failed to sync with stage-1: next state: Success
ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF

The problem is, upper level runtimes tend to ignore everything except
the last line from runc, and thus error reported by e.g. docker is not
very helpful.

This patch tries to improve the situation by collecting FATAL errors
from runc init and appending those to the error returned (instead of
logging). With it, the above error will look like this:

ERRO[0000] runc run failed: unable to start container process: can't get final child's PID from pipe: EOF; runc init error(s): nsexec-1[141549]: failed to unshare remaining namespaces: No space left on device; nsexec-0[141547]: failed to sync with stage-1: next state: Success

Yes, it is long and ugly, but at least the upper level runtime will
report it.

---

In addition, this slightly improves error reporting in nsexec itself
(see commits prefixed with "libct/nsenter:" for details).

[lifubang]

Very nice!

I think the first three commits are bug fixes — could you please move them to a separate PR?

[lifubang]

Maybe we can add an internal macro to reduce code duplication?
For example:

/**
 * Write a fatal error message to stderr or logfd.
 *
 * This internal macro handles the common logic of output destination
 * selection based on the value of logfd.
 */
#define __log_fatal(fmt, ...)                                      \
    do {                                                           \
        if (logfd < 0)                                             \
            fprintf(stderr, "FATAL: " fmt "\n", ##__VA_ARGS__);   \
        else                                                       \
            write_log(FATAL, fmt, ##__VA_ARGS__);                  \
    } while (0)

/**
 * Terminate the program with a fatal error message including errno.
 *
 * Use this macro when a system call fails and you want to include
 * the corresponding strerror(errno) message via %m.
 *
 * Example: if (fork() < 0) bail("failed to fork");
 */
#define bail(fmt, ...)           \
    do {                         \
        __log_fatal(fmt ": %m", ##__VA_ARGS__); \
        exit(1);                 \
    } while (0)

/**
 * Terminate the program with a fatal error message without errno.
 *
 * Use this macro for configuration errors, programming errors, or any
 * condition not related to errno. This is the same as bail(), except
 * it does not append ": %m" (errno description).
 *
 * Example: if (!app) bailx("mapping tool not present");
 */
#define bailx(fmt, ...)          \
    do {                         \
        __log_fatal(fmt, ##__VA_ARGS__); \
        exit(1);                 \
    } while (0)

[lifubang]

From my personal opinion, I'd rather use a function to replace these two macros to improve readability. For example:

void check_io(int ret, size_t size, char *err_msg, pid_t stage1_pid, pid_t stage2_pid) {
    if (ret != size) {
        sane_kill(stage1_pid, SIGKILL);
        sane_kill(stage2_pid, SIGKILL);
        if (ret < 0)
            bail(err_msg);
        bailx("%s: %d byte(s), expected: %d byte(s)", err_msg, ret, size);
    }
}