From 33ee7941d4d929e4c4fce1d905ceaa793f7612ff Mon Sep 17 00:00:00 2001
From: Akihiro Suda
Date: Tue, 21 Apr 2020 23:06:44 +0900
Subject: [PATCH] support `--privileged --cgroupns=private` on cgroup v1

Signed-off-by: Akihiro Suda
---
 daemon/daemon_unix.go | 4 ----
 daemon/oci_linux.go | 5 +----
 integration/container/run_cgroupns_linux_test.go | 5 ++---
 3 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/daemon/daemon_unix.go b/daemon/daemon_unix.go
index e3e4cb52b1..c7279ddd6d 100644
--- a/daemon/daemon_unix.go
+++ b/daemon/daemon_unix.go
@@ -711,10 +711,6 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.
 		if !sysInfo.CgroupNamespaces {
 			warnings = append(warnings, "Your kernel does not support cgroup namespaces. Cgroup namespace setting discarded.")
 		}
-
-		if hostConfig.Privileged && !cgroups.IsCgroup2UnifiedMode() {
-			return warnings, fmt.Errorf("privileged mode is incompatible with private cgroup namespaces on cgroup v1 host. You must run the container in the host cgroup namespace when running privileged mode")
-		}
 	}
 
 	return warnings, nil
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index f12d7ea197..fe72c24f01 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -339,10 +339,7 @@ func WithNamespaces(daemon *Daemon, c *container.Container) coci.SpecOpts {
 		if !cgroupNsMode.Valid() {
 			return fmt.Errorf("invalid cgroup namespace mode: %v", cgroupNsMode)
 		}
-
-		// for cgroup v2: unshare cgroupns even for privileged containers
-		// https://github.com/containers/libpod/pull/4374#issuecomment-549776387
-		if cgroupNsMode.IsPrivate() && (cgroups.IsCgroup2UnifiedMode() || !c.HostConfig.Privileged) {
+		if cgroupNsMode.IsPrivate() {
 			nsCgroup := specs.LinuxNamespace{Type: "cgroup"}
 			setNamespace(s, nsCgroup)
 		}
diff --git a/integration/container/run_cgroupns_linux_test.go b/integration/container/run_cgroupns_linux_test.go
index 9754a9682c..adf691c3c7 100644
--- a/integration/container/run_cgroupns_linux_test.go
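Review bot: The new `if cgroupNsMode.IsPrivate() {` in WithNamespaces unshares a cgroup namespace for privileged containers on cgroup v1 as well as v2, but the comment that explained the previous v2-only carve-out is deleted without a replacement, so the reason the privileged/v1 distinction was dropped is no longer recorded in the file. Suggest a one-line comment above the branch such as `// a private cgroupns is unshared for privileged containers too, on both cgroup v1 and v2`, with a pointer to this commit for the rationale. The daemon-side rejection of the same combination in daemon_unix.go (first hunk) is removed by this commit, so this branch appears to be the only place the privileged/private case is now handled. WithNamespaces and the closure it returns continue outside the hunk.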
+++ b/integration/container/run_cgroupns_linux_test.go
@@ -114,9 +114,8 @@ func TestCgroupNamespacesRunPrivilegedAndPrivate(t *testing.T) {
 	skip.If(t, testEnv.IsRemoteDaemon())
 	skip.If(t, !requirement.CgroupNamespacesEnabled())
 
-	// Running with both privileged and cgroupns=private is not allowed
-	errStr := "privileged mode is incompatible with private cgroup namespaces on cgroup v1 host. You must run the container in the host cgroup namespace when running privileged mode"
-	testCreateFailureWithCgroupNs(t, "private", errStr, container.WithPrivileged(true), container.WithCgroupnsMode("private"))
+	containerCgroup, daemonCgroup := testRunWithCgroupNs(t, "private", container.WithPrivileged(true), container.WithCgroupnsMode("private"))
+	assert.Assert(t, daemonCgroup != containerCgroup)
 }
 
 func TestCgroupNamespacesRunInvalidMode(t *testing.T) {
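Review bot: The replacement assertion `assert.Assert(t, daemonCgroup != containerCgroup)` only checks that the two paths differ, which is weaker than what the test name implies; if testRunWithCgroupNs returns the cgroup path as seen from inside the container, the privileged private case should pin that view the same way the unprivileged private-mode test in this file presumably does, since mere inequality with the daemon's path would also pass if the container simply landed in a different host subtree. A failure message would also help diagnosis, e.g. `assert.Assert(t, daemonCgroup != containerCgroup, "container cgroup %q should not match daemon cgroup %q", containerCgroup, daemonCgroup)`. The removed comment is not replaced, so the function no longer states the new expectation; suggest `// Running with both privileged and cgroupns=private is allowed; the container must still get its own cgroup namespace` above the call. The function signature is outside the hunk.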