From 0ffd861a921fb276e7b3170b32df17e766d63f0e Mon Sep 17 00:00:00 2001
From: Daniel Dao
Date: Tue, 16 Nov 2021 15:11:26 +0000
Subject: [PATCH] Always enable cgroup namespace for containers

In cgroupv2 hierrachy, cgroup setup for nested containers (i.e. docker) are incorrect without enabling cgroup namespace. This enables cgroup namespace for all containers to fix the incorrect cgroup setup. See https://github.com/linuxkit/linuxkit/issues/3734
Signed-off-by: Daniel Dao
---
 src/cmd/linuxkit/moby/config.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/cmd/linuxkit/moby/config.go b/src/cmd/linuxkit/moby/config.go
index ead81f91e..414bba81f 100644
--- a/src/cmd/linuxkit/moby/config.go
+++ b/src/cmd/linuxkit/moby/config.go
@@ -875,7 +875,8 @@ func ConfigToOCI(yaml *Image, config imagespec.ImageConfig, idMap map[string]uin
  // Always create a new mount namespace
  namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.MountNamespace})
- // TODO cgroup namespaces
+ // Always create a new cgroup namespace
+ namespaces = append(namespaces, specs.LinuxNamespace{Type: specs.CgroupNamespace})
  // Capabilities
  capCheck := map[string]bool{}
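Review bot: The cgroup namespace is appended unconditionally right after the mount namespace, so an image definition has no way to keep the host's cgroup view, and the new comment does not say why the namespace is forced. Giving every container its own cgroup namespace is the safer default, because `/proc/self/cgroup` and fresh cgroup mounts then show paths relative to the container's own cgroup instead of the host hierarchy. However, a service that is meant to inspect or manage host cgroups may behave differently after this change, and on a kernel built without cgroup namespace support container creation would presumably fail. I would record the reason next to the code, for example `// Always create a new cgroup namespace: on cgroup v2, nested runtimes (e.g. docker) otherwise get an incorrect cgroup setup (linuxkit/linuxkit#3734)`, and note whether cgroup v1 hosts were exercised. ConfigToOCI starts and ends outside this hunk, so whether the other namespaces can be overridden per image cannot be confirmed from here.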