libct: Destroy: don't proceed in case of errors

For some reason, container destroy operation removes container's state
directory even if cgroup removal fails (and then still returns an
error). It has been that way since commit 5c246d0, which added
cgroup removal.

This is problematic because once the container state dir is removed, we
no longer know container's cgroup and thus can't remove it.

Let's return the error early and fail if cgroup can't be removed.

Same for other operations: do not proceed if we fail.

Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

libcontainer/state_linux.go

@@ -46,19 +46,19 @@ func destroy(c *Container) error {
 	if !c.config.Namespaces.IsPrivate(configs.NEWPID) {
 		_ = signalAllProcesses(c.cgroupManager, unix.SIGKILL)
 	}
-	err := c.cgroupManager.Destroy()
+	if err := c.cgroupManager.Destroy(); err != nil {
+		return fmt.Errorf("unable to remove container's cgroup: %w", err)
+	}
 	if c.intelRdtManager != nil {
-		if ierr := c.intelRdtManager.Destroy(); err == nil {
-			err = ierr
+		if err := c.intelRdtManager.Destroy(); err != nil {
+			return fmt.Errorf("unable to remove container's IntelRDT group: %w", err)
 		}
 	}
-	if rerr := os.RemoveAll(c.stateDir); err == nil {
-		err = rerr
+	if err := os.RemoveAll(c.stateDir); err != nil {
+		return fmt.Errorf("unable to remove container state dir: %w", err)
 	}
 	c.initProcess = nil
-	if herr := runPoststopHooks(c); err == nil {
-		err = herr
-	}
+	err := runPoststopHooks(c)
 	c.state = &stoppedState{c: c}
 	return err
 }