From a7f5e1c4c3559127758131123242bb54f26da8ce Mon Sep 17 00:00:00 2001
From: Qiang Huang
Date: Tue, 14 Jul 2015 15:00:41 +0800
Subject: [PATCH] Remove cgroup read-only flag when privileged

Fixes: #14543 It needs libcontainer fix from: https://github.com/opencontainers/runc/pull/91
Signed-off-by: Qiang Huang
---
 daemon/execdriver/native/create.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index a9328408ca..61b8e9cd7e 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -48,6 +48,13 @@ func (d *driver) createContainer(c *execdriver.Command) (*configs.Config, error)
 container.ReadonlyPaths = nil
 }

+ // clear readonly for cgroup
+ for i := range container.Mounts {
+ if container.Mounts[i].Device == "cgroup" {
+ container.Mounts[i].Flags &= ^syscall.MS_RDONLY
+ }
+ }
+
 container.MaskPaths = nil
 if err := d.setPrivileged(container); err != nil {
 return nil, err
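Review bot: The added loop, in what looks like the privileged path of createContainer, drops MS_RDONLY from every mount whose Device is "cgroup", but the comment `// clear readonly for cgroup` does not record that this is a deliberate widening of what the container may write; something like `// privileged only: make cgroup mounts writable; unprivileged containers must keep MS_RDONLY` would say so. The patch touches only create.go, so nothing here checks that a non-privileged container still ends up with read-only cgroup mounts, and a test pinning that is the one I would ask for. The loop appears to sit after the `}` that closes the preceding block, so it presumably also applies when a read-only root filesystem was requested; please confirm that is intended. The bit clear reads more idiomatically as `container.Mounts[i].Flags &^= syscall.MS_RDONLY`. createContainer starts and ends outside the hunk.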