Report child error better (and later)

[alexlarsson]

We use a unix domain socketpair instead of a pipe for the sync pipe,
which allows us to use two-way shutdown. After sending the
context we shut down the write side which lets the child know
it finished reading.

We then block on a read in the parent for the child closing the file
(ensuring we close our version of it too) to sync for when the child
is finished initializing. If the read is non-empty we assume this
is an error report and fail with an error. Otherwise we continue as
before.

This also means we're now calling back the start callback later,
meaning at that point its more likely to have succeeded, as well as
having consumed all the container resources (like volume mounts,
making it safe to e.g. unmount them when the start callback is
called).

Docker-DCO-1.1-Signed-off-by: Alexander Larsson alexl@redhat.com (github: alexlarsson)

[bernerdschaefer]

Any reason not to let CLOEXEC handle the closing, and really notify the parent that everything has started? This would have the desirable effect of also reporting errors from the following steps to the parent.

FinalizeNamespace would need to be tweaked not to close the pipe to support this, though.

[alexlarsson]

New version that relies on the close-on-exec to close the pipe, which means we report more errors. Also fixed the empty line nit.

[alexlarsson]

Note: This works because we merged the change to make FinalizeNamespace set cloexec rather than close fds.

[mrunalp]

@crosbymichael @vmarmol review please :)

[vmarmol]

nit: ReadFromChild similar to below for parent

[crosbymichael]

I'll take this PR and rebase