Bump dependency opencontainers/runc@v1.0.0-rc10

2020-01-24 13:11:01 +01:00
parent 90da466221
commit 088ee920e0
116 changed files with 9182 additions and 1047 deletions
--- a/vendor/github.com/opencontainers/runc/libcontainer/BUILD
+++ b/vendor/github.com/opencontainers/runc/libcontainer/BUILD
@@ -23,7 +23,6 @@ go_library(
        "setns_init_linux.go",
        "standard_init_linux.go",
        "state_linux.go",
-        "stats.go",
        "stats_linux.go",
        "sync.go",
    ],
@@ -45,6 +44,7 @@ go_library(
            "//vendor/github.com/opencontainers/runc/libcontainer/apparmor:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/configs/validate:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/intelrdt:go_default_library",
@@ -54,6 +54,7 @@ go_library(
            "//vendor/github.com/opencontainers/runc/libcontainer/seccomp:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/user:go_default_library",
+            "//vendor/github.com/opencontainers/runc/types:go_default_library",
            "//vendor/github.com/opencontainers/selinux/go-selinux/label:go_default_library",
            "//vendor/github.com/pkg/errors:go_default_library",
            "//vendor/github.com/sirupsen/logrus:go_default_library",
@@ -71,6 +72,7 @@ go_library(
            "//vendor/github.com/opencontainers/runc/libcontainer/apparmor:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/configs/validate:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/intelrdt:go_default_library",
@@ -80,6 +82,7 @@ go_library(
            "//vendor/github.com/opencontainers/runc/libcontainer/seccomp:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/user:go_default_library",
+            "//vendor/github.com/opencontainers/runc/types:go_default_library",
            "//vendor/github.com/opencontainers/selinux/go-selinux/label:go_default_library",
            "//vendor/github.com/pkg/errors:go_default_library",
            "//vendor/github.com/sirupsen/logrus:go_default_library",
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/BUILD
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/BUILD
@@ -37,7 +37,10 @@ filegroup(
    name = "all-srcs",
    srcs = [
        ":package-srcs",
+        "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf:all-srcs",
        "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:all-srcs",
+        "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2:all-srcs",
+        "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon:all-srcs",
        "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd:all-srcs",
    ],
    tags = ["automanaged"],
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/cgroups.go
@@ -37,8 +37,18 @@ type Manager interface {
 	// restore the object later.
 	GetPaths() map[string]string

+	// GetUnifiedPath returns the unified path when running in unified mode.
+	// The value corresponds to the all values of GetPaths() map.
+	//
+	// GetUnifiedPath returns error when running in hybrid mode as well as
+	// in legacy mode.
+	GetUnifiedPath() (string, error)
+
 	// Sets the cgroup as configured.
 	Set(container *configs.Config) error
+
+	// Gets the cgroup as configured.
+	GetCgroups() (*configs.Cgroup, error)
 }

 type NotFoundError struct {
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/BUILD
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/BUILD
@@ -0,0 +1,32 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["ebpf.go"],
+    importmap = "k8s.io/kubernetes/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf",
+    importpath = "github.com/opencontainers/runc/libcontainer/cgroups/ebpf",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/cilium/ebpf:go_default_library",
+        "//vendor/github.com/cilium/ebpf/asm:go_default_library",
+        "//vendor/github.com/pkg/errors:go_default_library",
+        "//vendor/golang.org/x/sys/unix:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [
+        ":package-srcs",
+        "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter:all-srcs",
+    ],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter/BUILD
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter/BUILD
@@ -0,0 +1,29 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["devicefilter.go"],
+    importmap = "k8s.io/kubernetes/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter",
+    importpath = "github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/cilium/ebpf/asm:go_default_library",
+        "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
+        "//vendor/github.com/pkg/errors:go_default_library",
+        "//vendor/golang.org/x/sys/unix:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter/devicefilter.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter/devicefilter.go
@@ -0,0 +1,180 @@
+// Package devicefilter containes eBPF device filter program
+//
+// The implementation is based on https://github.com/containers/crun/blob/0.10.2/src/libcrun/ebpf.c
+//
+// Although ebpf.c is originally licensed under LGPL-3.0-or-later, the author (Giuseppe Scrivano)
+// agreed to relicense the file in Apache License 2.0: https://github.com/opencontainers/runc/issues/2144#issuecomment-543116397
+package devicefilter
+
+import (
+	"fmt"
+	"math"
+
+	"github.com/cilium/ebpf/asm"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	// license string format is same as kernel MODULE_LICENSE macro
+	license = "Apache"
+)
+
+// DeviceFilter returns eBPF device filter program and its license string
+func DeviceFilter(devices []*configs.Device) (asm.Instructions, string, error) {
+	p := &program{}
+	p.init()
+	for i := len(devices) - 1; i >= 0; i-- {
+		if err := p.appendDevice(devices[i]); err != nil {
+			return nil, "", err
+		}
+	}
+	insts, err := p.finalize()
+	return insts, license, err
+}
+
+type program struct {
+	insts       asm.Instructions
+	hasWildCard bool
+	blockID     int
+}
+
+func (p *program) init() {
+	// struct bpf_cgroup_dev_ctx: https://elixir.bootlin.com/linux/v5.3.6/source/include/uapi/linux/bpf.h#L3423
+	/*
+		u32 access_type
+		u32 major
+		u32 minor
+	*/
+	// R2 <- type (lower 16 bit of u32 access_type at R1[0])
+	p.insts = append(p.insts,
+		asm.LoadMem(asm.R2, asm.R1, 0, asm.Half))
+
+	// R3 <- access (upper 16 bit of u32 access_type at R1[0])
+	p.insts = append(p.insts,
+		asm.LoadMem(asm.R3, asm.R1, 0, asm.Word),
+		// RSh: bitwise shift right
+		asm.RSh.Imm32(asm.R3, 16))
+
+	// R4 <- major (u32 major at R1[4])
+	p.insts = append(p.insts,
+		asm.LoadMem(asm.R4, asm.R1, 4, asm.Word))
+
+	// R5 <- minor (u32 minor at R1[8])
+	p.insts = append(p.insts,
+		asm.LoadMem(asm.R5, asm.R1, 8, asm.Word))
+}
+
+// appendDevice needs to be called from the last element of OCI linux.resources.devices to the head element.
+func (p *program) appendDevice(dev *configs.Device) error {
+	if p.blockID < 0 {
+		return errors.New("the program is finalized")
+	}
+	if p.hasWildCard {
+		// All entries after wildcard entry are ignored
+		return nil
+	}
+
+	bpfType := int32(-1)
+	hasType := true
+	switch dev.Type {
+	case 'c':
+		bpfType = int32(unix.BPF_DEVCG_DEV_CHAR)
+	case 'b':
+		bpfType = int32(unix.BPF_DEVCG_DEV_BLOCK)
+	case 'a':
+		hasType = false
+	default:
+		// if not specified in OCI json, typ is set to DeviceTypeAll
+		return errors.Errorf("invalid DeviceType %q", string(dev.Type))
+	}
+	if dev.Major > math.MaxUint32 {
+		return errors.Errorf("invalid major %d", dev.Major)
+	}
+	if dev.Minor > math.MaxUint32 {
+		return errors.Errorf("invalid minor %d", dev.Major)
+	}
+	hasMajor := dev.Major >= 0 // if not specified in OCI json, major is set to -1
+	hasMinor := dev.Minor >= 0
+	bpfAccess := int32(0)
+	for _, r := range dev.Permissions {
+		switch r {
+		case 'r':
+			bpfAccess |= unix.BPF_DEVCG_ACC_READ
+		case 'w':
+			bpfAccess |= unix.BPF_DEVCG_ACC_WRITE
+		case 'm':
+			bpfAccess |= unix.BPF_DEVCG_ACC_MKNOD
+		default:
+			return errors.Errorf("unknown device access %v", r)
+		}
+	}
+	// If the access is rwm, skip the check.
+	hasAccess := bpfAccess != (unix.BPF_DEVCG_ACC_READ | unix.BPF_DEVCG_ACC_WRITE | unix.BPF_DEVCG_ACC_MKNOD)
+
+	blockSym := fmt.Sprintf("block-%d", p.blockID)
+	nextBlockSym := fmt.Sprintf("block-%d", p.blockID+1)
+	prevBlockLastIdx := len(p.insts) - 1
+	if hasType {
+		p.insts = append(p.insts,
+			// if (R2 != bpfType) goto next
+			asm.JNE.Imm(asm.R2, bpfType, nextBlockSym),
+		)
+	}
+	if hasAccess {
+		p.insts = append(p.insts,
+			// if (R3 & bpfAccess == 0 /* use R1 as a temp var */) goto next
+			asm.Mov.Reg32(asm.R1, asm.R3),
+			asm.And.Imm32(asm.R1, bpfAccess),
+			asm.JEq.Imm(asm.R1, 0, nextBlockSym),
+		)
+	}
+	if hasMajor {
+		p.insts = append(p.insts,
+			// if (R4 != major) goto next
+			asm.JNE.Imm(asm.R4, int32(dev.Major), nextBlockSym),
+		)
+	}
+	if hasMinor {
+		p.insts = append(p.insts,
+			// if (R5 != minor) goto next
+			asm.JNE.Imm(asm.R5, int32(dev.Minor), nextBlockSym),
+		)
+	}
+	if !hasType && !hasAccess && !hasMajor && !hasMinor {
+		p.hasWildCard = true
+	}
+	p.insts = append(p.insts, acceptBlock(dev.Allow)...)
+	// set blockSym to the first instruction we added in this iteration
+	p.insts[prevBlockLastIdx+1] = p.insts[prevBlockLastIdx+1].Sym(blockSym)
+	p.blockID++
+	return nil
+}
+
+func (p *program) finalize() (asm.Instructions, error) {
+	if p.hasWildCard {
+		// acceptBlock with asm.Return() is already inserted
+		return p.insts, nil
+	}
+	blockSym := fmt.Sprintf("block-%d", p.blockID)
+	p.insts = append(p.insts,
+		// R0 <- 0
+		asm.Mov.Imm32(asm.R0, 0).Sym(blockSym),
+		asm.Return(),
+	)
+	p.blockID = -1
+	return p.insts, nil
+}
+
+func acceptBlock(accept bool) asm.Instructions {
+	v := int32(0)
+	if accept {
+		v = 1
+	}
+	return []asm.Instruction{
+		// R0 <- v
+		asm.Mov.Imm32(asm.R0, v),
+		asm.Return(),
+	}
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/ebpf.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/ebpf.go
@@ -0,0 +1,45 @@
+package ebpf
+
+import (
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/asm"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+// LoadAttachCgroupDeviceFilter installs eBPF device filter program to /sys/fs/cgroup/<foo> directory.
+//
+// Requires the system to be running in cgroup2 unified-mode with kernel >= 4.15 .
+//
+// https://github.com/torvalds/linux/commit/ebc614f687369f9df99828572b1d85a7c2de3d92
+func LoadAttachCgroupDeviceFilter(insts asm.Instructions, license string, dirFD int) (func() error, error) {
+	nilCloser := func() error {
+		return nil
+	}
+	// Increase `ulimit -l` limit to avoid BPF_PROG_LOAD error (#2167).
+	// This limit is not inherited into the container.
+	memlockLimit := &unix.Rlimit{
+		Cur: unix.RLIM_INFINITY,
+		Max: unix.RLIM_INFINITY,
+	}
+	_ = unix.Setrlimit(unix.RLIMIT_MEMLOCK, memlockLimit)
+	spec := &ebpf.ProgramSpec{
+		Type:         ebpf.CGroupDevice,
+		Instructions: insts,
+		License:      license,
+	}
+	prog, err := ebpf.NewProgram(spec)
+	if err != nil {
+		return nilCloser, err
+	}
+	if err := prog.Attach(dirFD, ebpf.AttachCGroupDevice, unix.BPF_F_ALLOW_MULTI); err != nil {
+		return nilCloser, errors.Wrap(err, "failed to call BPF_PROG_ATTACH (BPF_CGROUP_DEVICE, BPF_F_ALLOW_MULTI)")
+	}
+	closer := func() error {
+		if err := prog.Detach(dirFD, ebpf.AttachCGroupDevice, unix.BPF_F_ALLOW_MULTI); err != nil {
+			return errors.Wrap(err, "failed to call BPF_PROG_DETACH (BPF_CGROUP_DEVICE, BPF_F_ALLOW_MULTI)")
+		}
+		return nil
+	}
+	return closer, nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/BUILD
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/BUILD
@@ -6,26 +6,19 @@ go_library(
        "apply_raw.go",
        "blkio.go",
        "cpu.go",
-        "cpu_v2.go",
        "cpuacct.go",
        "cpuset.go",
-        "cpuset_v2.go",
        "devices.go",
        "freezer.go",
-        "freezer_v2.go",
        "fs_unsupported.go",
        "hugetlb.go",
-        "io_v2.go",
        "kmem.go",
        "memory.go",
-        "memory_v2.go",
        "name.go",
        "net_cls.go",
        "net_prio.go",
        "perf_event.go",
        "pids.go",
-        "pids_v2.go",
-        "utils.go",
    ],
    importmap = "k8s.io/kubernetes/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs",
    importpath = "github.com/opencontainers/runc/libcontainer/cgroups/fs",
@@ -33,6 +26,7 @@ go_library(
    deps = select({
        "@io_bazel_rules_go//go/platform:android": [
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/utils:go_default_library",
@@ -41,6 +35,7 @@ go_library(
        ],
        "@io_bazel_rules_go//go/platform:linux": [
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/utils:go_default_library",
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/apply_raw.go
@@ -5,7 +5,6 @@ package fs
 import (
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sync"
@@ -33,14 +32,6 @@ var (
 		&FreezerGroup{},
 		&NameGroup{GroupName: "name=systemd", Join: true},
 	}
-	subsystemsUnified = subsystemSet{
-		&CpusetGroupV2{},
-		&FreezerGroupV2{},
-		&CpuGroupV2{},
-		&MemoryGroupV2{},
-		&IOGroupV2{},
-		&PidsGroupV2{},
-	}
 	HugePageSizes, _ = cgroups.GetHugePageSize()
 )

@@ -138,9 +129,6 @@ func isIgnorableError(rootless bool, err error) bool {
 }

 func (m *Manager) getSubsystems() subsystemSet {
-	if cgroups.IsCgroup2UnifiedMode() {
-		return subsystemsUnified
-	}
 	return subsystemsLegacy
 }

@@ -224,6 +212,10 @@ func (m *Manager) GetPaths() map[string]string {
 	return paths
 }

+func (m *Manager) GetUnifiedPath() (string, error) {
+	return "", errors.New("unified path is only supported when running in unified mode")
+}
+
 func (m *Manager) GetStats() (*cgroups.Stats, error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
@@ -377,23 +369,6 @@ func (raw *cgroupData) join(subsystem string) (string, error) {
 	return path, nil
 }

-func writeFile(dir, file, data string) error {
-	// Normally dir should not be empty, one case is that cgroup subsystem
-	// is not mounted, we will get empty dir, and we want it fail here.
-	if dir == "" {
-		return fmt.Errorf("no such directory for %s", file)
-	}
-	if err := ioutil.WriteFile(filepath.Join(dir, file), []byte(data), 0700); err != nil {
-		return fmt.Errorf("failed to write %v to %v: %v", data, file, err)
-	}
-	return nil
-}
-
-func readFile(dir, file string) (string, error) {
-	data, err := ioutil.ReadFile(filepath.Join(dir, file))
-	return string(data), err
-}
-
 func removePath(p string, err error) error {
 	if err != nil {
 		return err
@@ -430,3 +405,7 @@ func CheckCpushares(path string, c uint64) error {

 	return nil
 }
+
+func (m *Manager) GetCgroups() (*configs.Cgroup, error) {
+	return m.Cgroups, nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/blkio.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/blkio.go
@@ -11,6 +11,7 @@ import (
 	"strings"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 )

@@ -31,41 +32,41 @@ func (s *BlkioGroup) Apply(d *cgroupData) error {

 func (s *BlkioGroup) Set(path string, cgroup *configs.Cgroup) error {
 	if cgroup.Resources.BlkioWeight != 0 {
-		if err := writeFile(path, "blkio.weight", strconv.FormatUint(uint64(cgroup.Resources.BlkioWeight), 10)); err != nil {
+		if err := fscommon.WriteFile(path, "blkio.weight", strconv.FormatUint(uint64(cgroup.Resources.BlkioWeight), 10)); err != nil {
 			return err
 		}
 	}

 	if cgroup.Resources.BlkioLeafWeight != 0 {
-		if err := writeFile(path, "blkio.leaf_weight", strconv.FormatUint(uint64(cgroup.Resources.BlkioLeafWeight), 10)); err != nil {
+		if err := fscommon.WriteFile(path, "blkio.leaf_weight", strconv.FormatUint(uint64(cgroup.Resources.BlkioLeafWeight), 10)); err != nil {
 			return err
 		}
 	}
 	for _, wd := range cgroup.Resources.BlkioWeightDevice {
-		if err := writeFile(path, "blkio.weight_device", wd.WeightString()); err != nil {
+		if err := fscommon.WriteFile(path, "blkio.weight_device", wd.WeightString()); err != nil {
 			return err
 		}
-		if err := writeFile(path, "blkio.leaf_weight_device", wd.LeafWeightString()); err != nil {
+		if err := fscommon.WriteFile(path, "blkio.leaf_weight_device", wd.LeafWeightString()); err != nil {
 			return err
 		}
 	}
 	for _, td := range cgroup.Resources.BlkioThrottleReadBpsDevice {
-		if err := writeFile(path, "blkio.throttle.read_bps_device", td.String()); err != nil {
+		if err := fscommon.WriteFile(path, "blkio.throttle.read_bps_device", td.String()); err != nil {
 			return err
 		}
 	}
 	for _, td := range cgroup.Resources.BlkioThrottleWriteBpsDevice {
-		if err := writeFile(path, "blkio.throttle.write_bps_device", td.String()); err != nil {
+		if err := fscommon.WriteFile(path, "blkio.throttle.write_bps_device", td.String()); err != nil {
 			return err
 		}
 	}
 	for _, td := range cgroup.Resources.BlkioThrottleReadIOPSDevice {
-		if err := writeFile(path, "blkio.throttle.read_iops_device", td.String()); err != nil {
+		if err := fscommon.WriteFile(path, "blkio.throttle.read_iops_device", td.String()); err != nil {
 			return err
 		}
 	}
 	for _, td := range cgroup.Resources.BlkioThrottleWriteIOPSDevice {
-		if err := writeFile(path, "blkio.throttle.write_iops_device", td.String()); err != nil {
+		if err := fscommon.WriteFile(path, "blkio.throttle.write_iops_device", td.String()); err != nil {
 			return err
 		}
 	}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu.go
@@ -9,6 +9,7 @@ import (
 	"strconv"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 )

@@ -51,12 +52,12 @@ func (s *CpuGroup) ApplyDir(path string, cgroup *configs.Cgroup, pid int) error

 func (s *CpuGroup) SetRtSched(path string, cgroup *configs.Cgroup) error {
 	if cgroup.Resources.CpuRtPeriod != 0 {
-		if err := writeFile(path, "cpu.rt_period_us", strconv.FormatUint(cgroup.Resources.CpuRtPeriod, 10)); err != nil {
+		if err := fscommon.WriteFile(path, "cpu.rt_period_us", strconv.FormatUint(cgroup.Resources.CpuRtPeriod, 10)); err != nil {
 			return err
 		}
 	}
 	if cgroup.Resources.CpuRtRuntime != 0 {
-		if err := writeFile(path, "cpu.rt_runtime_us", strconv.FormatInt(cgroup.Resources.CpuRtRuntime, 10)); err != nil {
+		if err := fscommon.WriteFile(path, "cpu.rt_runtime_us", strconv.FormatInt(cgroup.Resources.CpuRtRuntime, 10)); err != nil {
 			return err
 		}
 	}
@@ -65,17 +66,17 @@ func (s *CpuGroup) SetRtSched(path string, cgroup *configs.Cgroup) error {

 func (s *CpuGroup) Set(path string, cgroup *configs.Cgroup) error {
 	if cgroup.Resources.CpuShares != 0 {
-		if err := writeFile(path, "cpu.shares", strconv.FormatUint(cgroup.Resources.CpuShares, 10)); err != nil {
+		if err := fscommon.WriteFile(path, "cpu.shares", strconv.FormatUint(cgroup.Resources.CpuShares, 10)); err != nil {
 			return err
 		}
 	}
 	if cgroup.Resources.CpuPeriod != 0 {
-		if err := writeFile(path, "cpu.cfs_period_us", strconv.FormatUint(cgroup.Resources.CpuPeriod, 10)); err != nil {
+		if err := fscommon.WriteFile(path, "cpu.cfs_period_us", strconv.FormatUint(cgroup.Resources.CpuPeriod, 10)); err != nil {
 			return err
 		}
 	}
 	if cgroup.Resources.CpuQuota != 0 {
-		if err := writeFile(path, "cpu.cfs_quota_us", strconv.FormatInt(cgroup.Resources.CpuQuota, 10)); err != nil {
+		if err := fscommon.WriteFile(path, "cpu.cfs_quota_us", strconv.FormatInt(cgroup.Resources.CpuQuota, 10)); err != nil {
 			return err
 		}
 	}
@@ -98,7 +99,7 @@ func (s *CpuGroup) GetStats(path string, stats *cgroups.Stats) error {

 	sc := bufio.NewScanner(f)
 	for sc.Scan() {
-		t, v, err := getCgroupParamKeyValue(sc.Text())
+		t, v, err := fscommon.GetCgroupParamKeyValue(sc.Text())
 		if err != nil {
 			return err
 		}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu_v2.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpu_v2.go
@@ -1,92 +0,0 @@
-// +build linux
-
-package fs
-
-import (
-	"bufio"
-	"os"
-	"path/filepath"
-	"strconv"
-
-	"github.com/opencontainers/runc/libcontainer/cgroups"
-	"github.com/opencontainers/runc/libcontainer/configs"
-)
-
-type CpuGroupV2 struct {
-}
-
-func (s *CpuGroupV2) Name() string {
-	return "cpu"
-}
-
-func (s *CpuGroupV2) Apply(d *cgroupData) error {
-	// We always want to join the cpu group, to allow fair cpu scheduling
-	// on a container basis
-	path, err := d.path("cpu")
-	if err != nil && !cgroups.IsNotFound(err) {
-		return err
-	}
-	return s.ApplyDir(path, d.config, d.pid)
-}
-
-func (s *CpuGroupV2) ApplyDir(path string, cgroup *configs.Cgroup, pid int) error {
-	// This might happen if we have no cpu cgroup mounted.
-	// Just do nothing and don't fail.
-	if path == "" {
-		return nil
-	}
-	if err := os.MkdirAll(path, 0755); err != nil {
-		return err
-	}
-	return cgroups.WriteCgroupProc(path, pid)
-}
-
-func (s *CpuGroupV2) Set(path string, cgroup *configs.Cgroup) error {
-	if cgroup.Resources.CpuWeight != 0 {
-		if err := writeFile(path, "cpu.weight", strconv.FormatUint(cgroup.Resources.CpuWeight, 10)); err != nil {
-			return err
-		}
-	}
-
-	if cgroup.Resources.CpuMax != "" {
-		if err := writeFile(path, "cpu.max", cgroup.Resources.CpuMax); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (s *CpuGroupV2) Remove(d *cgroupData) error {
-	return removePath(d.path("cpu"))
-}
-
-func (s *CpuGroupV2) GetStats(path string, stats *cgroups.Stats) error {
-	f, err := os.Open(filepath.Join(path, "cpu.stat"))
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return err
-	}
-	defer f.Close()
-
-	sc := bufio.NewScanner(f)
-	for sc.Scan() {
-		t, v, err := getCgroupParamKeyValue(sc.Text())
-		if err != nil {
-			return err
-		}
-		switch t {
-		case "usage_usec":
-			stats.CpuStats.CpuUsage.TotalUsage = v * 1000
-
-		case "user_usec":
-			stats.CpuStats.CpuUsage.UsageInUsermode = v * 1000
-
-		case "system_usec":
-			stats.CpuStats.CpuUsage.UsageInKernelmode = v * 1000
-		}
-	}
-	return nil
-}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuacct.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuacct.go
@@ -10,6 +10,7 @@ import (
 	"strings"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/system"
 )
@@ -51,7 +52,7 @@ func (s *CpuacctGroup) GetStats(path string, stats *cgroups.Stats) error {
 		return err
 	}

-	totalUsage, err := getCgroupParamUint(path, "cpuacct.usage")
+	totalUsage, err := fscommon.GetCgroupParamUint(path, "cpuacct.usage")
 	if err != nil {
 		return err
 	}
@@ -85,8 +86,8 @@ func getCpuUsageBreakdown(path string) (uint64, uint64, error) {
 		return 0, 0, err
 	}
 	fields := strings.Fields(string(data))
-	if len(fields) != 4 {
-		return 0, 0, fmt.Errorf("failure - %s is expected to have 4 fields", filepath.Join(path, cgroupCpuacctStat))
+	if len(fields) < 4 {
+		return 0, 0, fmt.Errorf("failure - %s is expected to have at least 4 fields", filepath.Join(path, cgroupCpuacctStat))
 	}
 	if fields[0] != userField {
 		return 0, 0, fmt.Errorf("unexpected field %q in %q, expected %q", fields[0], cgroupCpuacctStat, userField)
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset.go
@@ -10,6 +10,7 @@ import (
 	"path/filepath"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
 )
@@ -31,12 +32,12 @@ func (s *CpusetGroup) Apply(d *cgroupData) error {

 func (s *CpusetGroup) Set(path string, cgroup *configs.Cgroup) error {
 	if cgroup.Resources.CpusetCpus != "" {
-		if err := writeFile(path, "cpuset.cpus", cgroup.Resources.CpusetCpus); err != nil {
+		if err := fscommon.WriteFile(path, "cpuset.cpus", cgroup.Resources.CpusetCpus); err != nil {
 			return err
 		}
 	}
 	if cgroup.Resources.CpusetMems != "" {
-		if err := writeFile(path, "cpuset.mems", cgroup.Resources.CpusetMems); err != nil {
+		if err := fscommon.WriteFile(path, "cpuset.mems", cgroup.Resources.CpusetMems); err != nil {
 			return err
 		}
 	}
@@ -135,12 +136,12 @@ func (s *CpusetGroup) copyIfNeeded(current, parent string) error {
 	}

 	if s.isEmpty(currentCpus) {
-		if err := writeFile(current, "cpuset.cpus", string(parentCpus)); err != nil {
+		if err := fscommon.WriteFile(current, "cpuset.cpus", string(parentCpus)); err != nil {
 			return err
 		}
 	}
 	if s.isEmpty(currentMems) {
-		if err := writeFile(current, "cpuset.mems", string(parentMems)); err != nil {
+		if err := fscommon.WriteFile(current, "cpuset.mems", string(parentMems)); err != nil {
 			return err
 		}
 	}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset_v2.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/cpuset_v2.go
@@ -1,159 +0,0 @@
-// +build linux
-
-package fs
-
-import (
-	"bytes"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-
-	"github.com/opencontainers/runc/libcontainer/cgroups"
-	"github.com/opencontainers/runc/libcontainer/configs"
-	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
-)
-
-type CpusetGroupV2 struct {
-}
-
-func (s *CpusetGroupV2) Name() string {
-	return "cpuset"
-}
-
-func (s *CpusetGroupV2) Apply(d *cgroupData) error {
-	dir, err := d.path("cpuset")
-	if err != nil && !cgroups.IsNotFound(err) {
-		return err
-	}
-	return s.ApplyDir(dir, d.config, d.pid)
-}
-
-func (s *CpusetGroupV2) Set(path string, cgroup *configs.Cgroup) error {
-	if cgroup.Resources.CpusetCpus != "" {
-		if err := writeFile(path, "cpuset.cpus", cgroup.Resources.CpusetCpus); err != nil {
-			return err
-		}
-	}
-	if cgroup.Resources.CpusetMems != "" {
-		if err := writeFile(path, "cpuset.mems", cgroup.Resources.CpusetMems); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (s *CpusetGroupV2) Remove(d *cgroupData) error {
-	return removePath(d.path("cpuset"))
-}
-
-func (s *CpusetGroupV2) GetStats(path string, stats *cgroups.Stats) error {
-	return nil
-}
-
-func (s *CpusetGroupV2) ApplyDir(dir string, cgroup *configs.Cgroup, pid int) error {
-	// This might happen if we have no cpuset cgroup mounted.
-	// Just do nothing and don't fail.
-	if dir == "" {
-		return nil
-	}
-	mountInfo, err := ioutil.ReadFile("/proc/self/mountinfo")
-	if err != nil {
-		return err
-	}
-	root := filepath.Dir(cgroups.GetClosestMountpointAncestor(dir, string(mountInfo)))
-	// 'ensureParent' start with parent because we don't want to
-	// explicitly inherit from parent, it could conflict with
-	// 'cpuset.cpu_exclusive'.
-	if err := s.ensureParent(filepath.Dir(dir), root); err != nil {
-		return err
-	}
-	if err := os.MkdirAll(dir, 0755); err != nil {
-		return err
-	}
-	// We didn't inherit cpuset configs from parent, but we have
-	// to ensure cpuset configs are set before moving task into the
-	// cgroup.
-	// The logic is, if user specified cpuset configs, use these
-	// specified configs, otherwise, inherit from parent. This makes
-	// cpuset configs work correctly with 'cpuset.cpu_exclusive', and
-	// keep backward compatibility.
-	if err := s.ensureCpusAndMems(dir, cgroup); err != nil {
-		return err
-	}
-
-	// because we are not using d.join we need to place the pid into the procs file
-	// unlike the other subsystems
-	return cgroups.WriteCgroupProc(dir, pid)
-}
-
-func (s *CpusetGroupV2) getSubsystemSettings(parent string) (cpus []byte, mems []byte, err error) {
-	if cpus, err = ioutil.ReadFile(filepath.Join(parent, "cpuset.cpus.effective")); err != nil {
-		return
-	}
-	if mems, err = ioutil.ReadFile(filepath.Join(parent, "cpuset.mems.effective")); err != nil {
-		return
-	}
-	return cpus, mems, nil
-}
-
-// ensureParent makes sure that the parent directory of current is created
-// and populated with the proper cpus and mems files copied from
-// it's parent.
-func (s *CpusetGroupV2) ensureParent(current, root string) error {
-	parent := filepath.Dir(current)
-	if libcontainerUtils.CleanPath(parent) == root {
-		return nil
-	}
-	// Avoid infinite recursion.
-	if parent == current {
-		return fmt.Errorf("cpuset: cgroup parent path outside cgroup root")
-	}
-	if err := s.ensureParent(parent, root); err != nil {
-		return err
-	}
-	if err := os.MkdirAll(current, 0755); err != nil {
-		return err
-	}
-	return s.copyIfNeeded(current, parent)
-}
-
-// copyIfNeeded copies the cpuset.cpus and cpuset.mems from the parent
-// directory to the current directory if the file's contents are 0
-func (s *CpusetGroupV2) copyIfNeeded(current, parent string) error {
-	var (
-		err                      error
-		currentCpus, currentMems []byte
-		parentCpus, parentMems   []byte
-	)
-
-	if currentCpus, currentMems, err = s.getSubsystemSettings(current); err != nil {
-		return err
-	}
-	if parentCpus, parentMems, err = s.getSubsystemSettings(parent); err != nil {
-		return err
-	}
-
-	if s.isEmpty(currentCpus) {
-		if err := writeFile(current, "cpuset.cpus", string(parentCpus)); err != nil {
-			return err
-		}
-	}
-	if s.isEmpty(currentMems) {
-		if err := writeFile(current, "cpuset.mems", string(parentMems)); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (s *CpusetGroupV2) isEmpty(b []byte) bool {
-	return len(bytes.Trim(b, "\n")) == 0
-}
-
-func (s *CpusetGroupV2) ensureCpusAndMems(path string, cgroup *configs.Cgroup) error {
-	if err := s.Set(path, cgroup); err != nil {
-		return err
-	}
-	return s.copyIfNeeded(path, filepath.Dir(path))
-}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/devices.go
@@ -4,6 +4,7 @@ package fs

 import (
 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/system"
 )
@@ -37,7 +38,7 @@ func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
 			if dev.Allow {
 				file = "devices.allow"
 			}
-			if err := writeFile(path, file, dev.CgroupString()); err != nil {
+			if err := fscommon.WriteFile(path, file, dev.CgroupString()); err != nil {
 				return err
 			}
 		}
@@ -45,25 +46,25 @@ func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
 	}
 	if cgroup.Resources.AllowAllDevices != nil {
 		if *cgroup.Resources.AllowAllDevices == false {
-			if err := writeFile(path, "devices.deny", "a"); err != nil {
+			if err := fscommon.WriteFile(path, "devices.deny", "a"); err != nil {
 				return err
 			}

 			for _, dev := range cgroup.Resources.AllowedDevices {
-				if err := writeFile(path, "devices.allow", dev.CgroupString()); err != nil {
+				if err := fscommon.WriteFile(path, "devices.allow", dev.CgroupString()); err != nil {
 					return err
 				}
 			}
 			return nil
 		}

-		if err := writeFile(path, "devices.allow", "a"); err != nil {
+		if err := fscommon.WriteFile(path, "devices.allow", "a"); err != nil {
 			return err
 		}
 	}

 	for _, dev := range cgroup.Resources.DeniedDevices {
-		if err := writeFile(path, "devices.deny", dev.CgroupString()); err != nil {
+		if err := fscommon.WriteFile(path, "devices.deny", dev.CgroupString()); err != nil {
 			return err
 		}
 	}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/freezer.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/freezer.go
@@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 )

@@ -34,11 +35,11 @@ func (s *FreezerGroup) Set(path string, cgroup *configs.Cgroup) error {
 			// state, let's write again this state, hoping it's going to be properly
 			// set this time. Otherwise, this loop could run infinitely, waiting for
 			// a state change that would never happen.
-			if err := writeFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil {
+			if err := fscommon.WriteFile(path, "freezer.state", string(cgroup.Resources.Freezer)); err != nil {
 				return err
 			}

-			state, err := readFile(path, "freezer.state")
+			state, err := fscommon.ReadFile(path, "freezer.state")
 			if err != nil {
 				return err
 			}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/freezer_v2.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/freezer_v2.go
@@ -1,74 +0,0 @@
-// +build linux
-
-package fs
-
-import (
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/opencontainers/runc/libcontainer/cgroups"
-	"github.com/opencontainers/runc/libcontainer/configs"
-)
-
-type FreezerGroupV2 struct {
-}
-
-func (s *FreezerGroupV2) Name() string {
-	return "freezer"
-}
-
-func (s *FreezerGroupV2) Apply(d *cgroupData) error {
-	_, err := d.join("freezer")
-	if err != nil && !cgroups.IsNotFound(err) {
-		return err
-	}
-	return nil
-}
-
-func (s *FreezerGroupV2) Set(path string, cgroup *configs.Cgroup) error {
-	var desiredState string
-	filename := "cgroup.freeze"
-	if cgroup.Resources.Freezer == configs.Frozen {
-		desiredState = "1"
-	} else {
-		desiredState = "0"
-	}
-
-	switch cgroup.Resources.Freezer {
-	case configs.Frozen, configs.Thawed:
-		for {
-			// In case this loop does not exit because it doesn't get the expected
-			// state, let's write again this state, hoping it's going to be properly
-			// set this time. Otherwise, this loop could run infinitely, waiting for
-			// a state change that would never happen.
-			if err := writeFile(path, filename, desiredState); err != nil {
-				return err
-			}
-
-			state, err := readFile(path, filename)
-			if err != nil {
-				return err
-			}
-			if strings.TrimSpace(state) == desiredState {
-				break
-			}
-
-			time.Sleep(1 * time.Millisecond)
-		}
-	case configs.Undefined:
-		return nil
-	default:
-		return fmt.Errorf("Invalid argument '%s' to freezer.state", string(cgroup.Resources.Freezer))
-	}
-
-	return nil
-}
-
-func (s *FreezerGroupV2) Remove(d *cgroupData) error {
-	return removePath(d.path("freezer"))
-}
-
-func (s *FreezerGroupV2) GetStats(path string, stats *cgroups.Stats) error {
-	return nil
-}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/hugetlb.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/hugetlb.go
@@ -8,6 +8,7 @@ import (
 	"strings"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 )

@@ -28,7 +29,7 @@ func (s *HugetlbGroup) Apply(d *cgroupData) error {

 func (s *HugetlbGroup) Set(path string, cgroup *configs.Cgroup) error {
 	for _, hugetlb := range cgroup.Resources.HugetlbLimit {
-		if err := writeFile(path, strings.Join([]string{"hugetlb", hugetlb.Pagesize, "limit_in_bytes"}, "."), strconv.FormatUint(hugetlb.Limit, 10)); err != nil {
+		if err := fscommon.WriteFile(path, strings.Join([]string{"hugetlb", hugetlb.Pagesize, "limit_in_bytes"}, "."), strconv.FormatUint(hugetlb.Limit, 10)); err != nil {
 			return err
 		}
 	}
@@ -44,21 +45,21 @@ func (s *HugetlbGroup) GetStats(path string, stats *cgroups.Stats) error {
 	hugetlbStats := cgroups.HugetlbStats{}
 	for _, pageSize := range HugePageSizes {
 		usage := strings.Join([]string{"hugetlb", pageSize, "usage_in_bytes"}, ".")
-		value, err := getCgroupParamUint(path, usage)
+		value, err := fscommon.GetCgroupParamUint(path, usage)
 		if err != nil {
 			return fmt.Errorf("failed to parse %s - %v", usage, err)
 		}
 		hugetlbStats.Usage = value

 		maxUsage := strings.Join([]string{"hugetlb", pageSize, "max_usage_in_bytes"}, ".")
-		value, err = getCgroupParamUint(path, maxUsage)
+		value, err = fscommon.GetCgroupParamUint(path, maxUsage)
 		if err != nil {
 			return fmt.Errorf("failed to parse %s - %v", maxUsage, err)
 		}
 		hugetlbStats.MaxUsage = value

 		failcnt := strings.Join([]string{"hugetlb", pageSize, "failcnt"}, ".")
-		value, err = getCgroupParamUint(path, failcnt)
+		value, err = fscommon.GetCgroupParamUint(path, failcnt)
 		if err != nil {
 			return fmt.Errorf("failed to parse %s - %v", failcnt, err)
 		}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/io_v2.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/io_v2.go
@@ -1,191 +0,0 @@
-// +build linux
-
-package fs
-
-import (
-	"bufio"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-
-	"github.com/opencontainers/runc/libcontainer/cgroups"
-	"github.com/opencontainers/runc/libcontainer/configs"
-)
-
-type IOGroupV2 struct {
-}
-
-func (s *IOGroupV2) Name() string {
-	return "blkio"
-}
-
-func (s *IOGroupV2) Apply(d *cgroupData) error {
-	_, err := d.join("blkio")
-	if err != nil && !cgroups.IsNotFound(err) {
-		return err
-	}
-	return nil
-}
-
-func (s *IOGroupV2) Set(path string, cgroup *configs.Cgroup) error {
-	cgroupsv2 := cgroups.IsCgroup2UnifiedMode()
-
-	if cgroup.Resources.BlkioWeight != 0 {
-		filename := "blkio.weight"
-		if cgroupsv2 {
-			filename = "io.bfq.weight"
-		}
-		if err := writeFile(path, filename, strconv.FormatUint(uint64(cgroup.Resources.BlkioWeight), 10)); err != nil {
-			return err
-		}
-	}
-
-	if cgroup.Resources.BlkioLeafWeight != 0 {
-		if err := writeFile(path, "blkio.leaf_weight", strconv.FormatUint(uint64(cgroup.Resources.BlkioLeafWeight), 10)); err != nil {
-			return err
-		}
-	}
-	for _, wd := range cgroup.Resources.BlkioWeightDevice {
-		if err := writeFile(path, "blkio.weight_device", wd.WeightString()); err != nil {
-			return err
-		}
-		if err := writeFile(path, "blkio.leaf_weight_device", wd.LeafWeightString()); err != nil {
-			return err
-		}
-	}
-	for _, td := range cgroup.Resources.BlkioThrottleReadBpsDevice {
-		if cgroupsv2 {
-			if err := writeFile(path, "io.max", td.StringName("rbps")); err != nil {
-				return err
-			}
-		} else {
-			if err := writeFile(path, "blkio.throttle.read_bps_device", td.String()); err != nil {
-				return err
-			}
-		}
-	}
-	for _, td := range cgroup.Resources.BlkioThrottleWriteBpsDevice {
-		if cgroupsv2 {
-			if err := writeFile(path, "io.max", td.StringName("wbps")); err != nil {
-				return err
-			}
-		} else {
-			if err := writeFile(path, "blkio.throttle.write_bps_device", td.String()); err != nil {
-				return err
-			}
-		}
-	}
-	for _, td := range cgroup.Resources.BlkioThrottleReadIOPSDevice {
-		if cgroupsv2 {
-			if err := writeFile(path, "io.max", td.StringName("riops")); err != nil {
-				return err
-			}
-		} else {
-			if err := writeFile(path, "blkio.throttle.read_iops_device", td.String()); err != nil {
-				return err
-			}
-		}
-	}
-	for _, td := range cgroup.Resources.BlkioThrottleWriteIOPSDevice {
-		if cgroupsv2 {
-			if err := writeFile(path, "io.max", td.StringName("wiops")); err != nil {
-				return err
-			}
-		} else {
-			if err := writeFile(path, "blkio.throttle.write_iops_device", td.String()); err != nil {
-				return err
-			}
-		}
-	}
-
-	return nil
-}
-
-func (s *IOGroupV2) Remove(d *cgroupData) error {
-	return removePath(d.path("blkio"))
-}
-
-func readCgroup2MapFile(path string, name string) (map[string][]string, error) {
-	ret := map[string][]string{}
-	p := filepath.Join("/sys/fs/cgroup", path, name)
-	f, err := os.Open(p)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return ret, nil
-		}
-		return nil, err
-	}
-	defer f.Close()
-	scanner := bufio.NewScanner(f)
-	for scanner.Scan() {
-		line := scanner.Text()
-		parts := strings.Fields(line)
-		if len(parts) < 2 {
-			continue
-		}
-		ret[parts[0]] = parts[1:]
-	}
-	if err := scanner.Err(); err != nil {
-		return nil, err
-	}
-	return ret, nil
-}
-
-func (s *IOGroupV2) getCgroupV2Stats(path string, stats *cgroups.Stats) error {
-	// more details on the io.stat file format: https://www.kernel.org/doc/Documentation/cgroup-v2.txt
-	var ioServiceBytesRecursive []cgroups.BlkioStatEntry
-	values, err := readCgroup2MapFile(path, "io.stat")
-	if err != nil {
-		return err
-	}
-	for k, v := range values {
-		d := strings.Split(k, ":")
-		if len(d) != 2 {
-			continue
-		}
-		minor, err := strconv.ParseUint(d[0], 10, 0)
-		if err != nil {
-			return err
-		}
-		major, err := strconv.ParseUint(d[1], 10, 0)
-		if err != nil {
-			return err
-		}
-
-		for _, item := range v {
-			d := strings.Split(item, "=")
-			if len(d) != 2 {
-				continue
-			}
-			op := d[0]
-
-			// Accommodate the cgroup v1 naming
-			switch op {
-			case "rbytes":
-				op = "read"
-			case "wbytes":
-				op = "write"
-			}
-
-			value, err := strconv.ParseUint(d[1], 10, 0)
-			if err != nil {
-				return err
-			}
-
-			entry := cgroups.BlkioStatEntry{
-				Op:    op,
-				Major: major,
-				Minor: minor,
-				Value: value,
-			}
-			ioServiceBytesRecursive = append(ioServiceBytesRecursive, entry)
-		}
-	}
-	stats.BlkioStats = cgroups.BlkioStats{IoServiceBytesRecursive: ioServiceBytesRecursive}
-	return nil
-}
-
-func (s *IOGroupV2) GetStats(path string, stats *cgroups.Stats) error {
-	return s.getCgroupV2Stats(path, stats)
-}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory.go
@@ -11,6 +11,7 @@ import (
 	"strings"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 )

@@ -84,28 +85,28 @@ func setMemoryAndSwap(path string, cgroup *configs.Cgroup) error {
 		// for memory and swap memory, so it won't fail because the new
 		// value and the old value don't fit kernel's validation.
 		if cgroup.Resources.MemorySwap == -1 || memoryUsage.Limit < uint64(cgroup.Resources.MemorySwap) {
-			if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
+			if err := fscommon.WriteFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
 				return err
 			}
-			if err := writeFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
+			if err := fscommon.WriteFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
 				return err
 			}
 		} else {
-			if err := writeFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
+			if err := fscommon.WriteFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
 				return err
 			}
-			if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
+			if err := fscommon.WriteFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
 				return err
 			}
 		}
 	} else {
 		if cgroup.Resources.Memory != 0 {
-			if err := writeFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
+			if err := fscommon.WriteFile(path, cgroupMemoryLimit, strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
 				return err
 			}
 		}
 		if cgroup.Resources.MemorySwap != 0 {
-			if err := writeFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
+			if err := fscommon.WriteFile(path, cgroupMemorySwapLimit, strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
 				return err
 			}
 		}
@@ -126,25 +127,25 @@ func (s *MemoryGroup) Set(path string, cgroup *configs.Cgroup) error {
 	}

 	if cgroup.Resources.MemoryReservation != 0 {
-		if err := writeFile(path, "memory.soft_limit_in_bytes", strconv.FormatInt(cgroup.Resources.MemoryReservation, 10)); err != nil {
+		if err := fscommon.WriteFile(path, "memory.soft_limit_in_bytes", strconv.FormatInt(cgroup.Resources.MemoryReservation, 10)); err != nil {
 			return err
 		}
 	}

 	if cgroup.Resources.KernelMemoryTCP != 0 {
-		if err := writeFile(path, "memory.kmem.tcp.limit_in_bytes", strconv.FormatInt(cgroup.Resources.KernelMemoryTCP, 10)); err != nil {
+		if err := fscommon.WriteFile(path, "memory.kmem.tcp.limit_in_bytes", strconv.FormatInt(cgroup.Resources.KernelMemoryTCP, 10)); err != nil {
 			return err
 		}
 	}
 	if cgroup.Resources.OomKillDisable {
-		if err := writeFile(path, "memory.oom_control", "1"); err != nil {
+		if err := fscommon.WriteFile(path, "memory.oom_control", "1"); err != nil {
 			return err
 		}
 	}
 	if cgroup.Resources.MemorySwappiness == nil || int64(*cgroup.Resources.MemorySwappiness) == -1 {
 		return nil
 	} else if *cgroup.Resources.MemorySwappiness <= 100 {
-		if err := writeFile(path, "memory.swappiness", strconv.FormatUint(*cgroup.Resources.MemorySwappiness, 10)); err != nil {
+		if err := fscommon.WriteFile(path, "memory.swappiness", strconv.FormatUint(*cgroup.Resources.MemorySwappiness, 10)); err != nil {
 			return err
 		}
 	} else {
@@ -171,7 +172,7 @@ func (s *MemoryGroup) GetStats(path string, stats *cgroups.Stats) error {

 	sc := bufio.NewScanner(statsFile)
 	for sc.Scan() {
-		t, v, err := getCgroupParamKeyValue(sc.Text())
+		t, v, err := fscommon.GetCgroupParamKeyValue(sc.Text())
 		if err != nil {
 			return fmt.Errorf("failed to parse memory.stat (%q) - %v", sc.Text(), err)
 		}
@@ -201,7 +202,7 @@ func (s *MemoryGroup) GetStats(path string, stats *cgroups.Stats) error {
 	stats.MemoryStats.KernelTCPUsage = kernelTCPUsage

 	useHierarchy := strings.Join([]string{"memory", "use_hierarchy"}, ".")
-	value, err := getCgroupParamUint(path, useHierarchy)
+	value, err := fscommon.GetCgroupParamUint(path, useHierarchy)
 	if err != nil {
 		return err
 	}
@@ -233,7 +234,7 @@ func getMemoryData(path, name string) (cgroups.MemoryData, error) {
 	failcnt := strings.Join([]string{moduleName, "failcnt"}, ".")
 	limit := strings.Join([]string{moduleName, "limit_in_bytes"}, ".")

-	value, err := getCgroupParamUint(path, usage)
+	value, err := fscommon.GetCgroupParamUint(path, usage)
 	if err != nil {
 		if moduleName != "memory" && os.IsNotExist(err) {
 			return cgroups.MemoryData{}, nil
@@ -241,7 +242,7 @@ func getMemoryData(path, name string) (cgroups.MemoryData, error) {
 		return cgroups.MemoryData{}, fmt.Errorf("failed to parse %s - %v", usage, err)
 	}
 	memoryData.Usage = value
-	value, err = getCgroupParamUint(path, maxUsage)
+	value, err = fscommon.GetCgroupParamUint(path, maxUsage)
 	if err != nil {
 		if moduleName != "memory" && os.IsNotExist(err) {
 			return cgroups.MemoryData{}, nil
@@ -249,7 +250,7 @@ func getMemoryData(path, name string) (cgroups.MemoryData, error) {
 		return cgroups.MemoryData{}, fmt.Errorf("failed to parse %s - %v", maxUsage, err)
 	}
 	memoryData.MaxUsage = value
-	value, err = getCgroupParamUint(path, failcnt)
+	value, err = fscommon.GetCgroupParamUint(path, failcnt)
 	if err != nil {
 		if moduleName != "memory" && os.IsNotExist(err) {
 			return cgroups.MemoryData{}, nil
@@ -257,7 +258,7 @@ func getMemoryData(path, name string) (cgroups.MemoryData, error) {
 		return cgroups.MemoryData{}, fmt.Errorf("failed to parse %s - %v", failcnt, err)
 	}
 	memoryData.Failcnt = value
-	value, err = getCgroupParamUint(path, limit)
+	value, err = fscommon.GetCgroupParamUint(path, limit)
 	if err != nil {
 		if moduleName != "memory" && os.IsNotExist(err) {
 			return cgroups.MemoryData{}, nil
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory_v2.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/memory_v2.go
@@ -1,164 +0,0 @@
-// +build linux
-
-package fs
-
-import (
-	"bufio"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-
-	"github.com/opencontainers/runc/libcontainer/cgroups"
-	"github.com/opencontainers/runc/libcontainer/configs"
-)
-
-type MemoryGroupV2 struct {
-}
-
-func (s *MemoryGroupV2) Name() string {
-	return "memory"
-}
-
-func (s *MemoryGroupV2) Apply(d *cgroupData) (err error) {
-	path, err := d.path("memory")
-	if err != nil && !cgroups.IsNotFound(err) {
-		return err
-	} else if path == "" {
-		return nil
-	}
-	if memoryAssigned(d.config) {
-		if _, err := os.Stat(path); os.IsNotExist(err) {
-			if err := os.MkdirAll(path, 0755); err != nil {
-				return err
-			}
-			// Only enable kernel memory accouting when this cgroup
-			// is created by libcontainer, otherwise we might get
-			// error when people use `cgroupsPath` to join an existed
-			// cgroup whose kernel memory is not initialized.
-			if err := EnableKernelMemoryAccounting(path); err != nil {
-				return err
-			}
-		}
-	}
-	defer func() {
-		if err != nil {
-			os.RemoveAll(path)
-		}
-	}()
-
-	// We need to join memory cgroup after set memory limits, because
-	// kmem.limit_in_bytes can only be set when the cgroup is empty.
-	_, err = d.join("memory")
-	if err != nil && !cgroups.IsNotFound(err) {
-		return err
-	}
-	return nil
-}
-
-func setMemoryAndSwapCgroups(path string, cgroup *configs.Cgroup) error {
-	if cgroup.Resources.MemorySwap != 0 {
-		if err := writeFile(path, "memory.swap.max", strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
-			return err
-		}
-	}
-	if cgroup.Resources.Memory != 0 {
-		if err := writeFile(path, "memory.max", strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (s *MemoryGroupV2) Set(path string, cgroup *configs.Cgroup) error {
-
-	if err := setMemoryAndSwapCgroups(path, cgroup); err != nil {
-		return err
-	}
-
-	if cgroup.Resources.KernelMemory != 0 {
-		if err := setKernelMemory(path, cgroup.Resources.KernelMemory); err != nil {
-			return err
-		}
-	}
-
-	if cgroup.Resources.MemoryReservation != 0 {
-		if err := writeFile(path, "memory.high", strconv.FormatInt(cgroup.Resources.MemoryReservation, 10)); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (s *MemoryGroupV2) Remove(d *cgroupData) error {
-	return removePath(d.path("memory"))
-}
-
-func (s *MemoryGroupV2) GetStats(path string, stats *cgroups.Stats) error {
-	// Set stats from memory.stat.
-	statsFile, err := os.Open(filepath.Join(path, "memory.stat"))
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return err
-	}
-	defer statsFile.Close()
-
-	sc := bufio.NewScanner(statsFile)
-	for sc.Scan() {
-		t, v, err := getCgroupParamKeyValue(sc.Text())
-		if err != nil {
-			return fmt.Errorf("failed to parse memory.stat (%q) - %v", sc.Text(), err)
-		}
-		stats.MemoryStats.Stats[t] = v
-	}
-	stats.MemoryStats.Cache = stats.MemoryStats.Stats["cache"]
-
-	memoryUsage, err := getMemoryDataV2(path, "")
-	if err != nil {
-		return err
-	}
-	stats.MemoryStats.Usage = memoryUsage
-	swapUsage, err := getMemoryDataV2(path, "swap")
-	if err != nil {
-		return err
-	}
-	stats.MemoryStats.SwapUsage = swapUsage
-
-	stats.MemoryStats.UseHierarchy = true
-	return nil
-}
-
-func getMemoryDataV2(path, name string) (cgroups.MemoryData, error) {
-	memoryData := cgroups.MemoryData{}
-
-	moduleName := "memory"
-	if name != "" {
-		moduleName = strings.Join([]string{"memory", name}, ".")
-	}
-	usage := strings.Join([]string{moduleName, "current"}, ".")
-	limit := strings.Join([]string{moduleName, "max"}, ".")
-
-	value, err := getCgroupParamUint(path, usage)
-	if err != nil {
-		if moduleName != "memory" && os.IsNotExist(err) {
-			return cgroups.MemoryData{}, nil
-		}
-		return cgroups.MemoryData{}, fmt.Errorf("failed to parse %s - %v", usage, err)
-	}
-	memoryData.Usage = value
-
-	value, err = getCgroupParamUint(path, limit)
-	if err != nil {
-		if moduleName != "memory" && os.IsNotExist(err) {
-			return cgroups.MemoryData{}, nil
-		}
-		return cgroups.MemoryData{}, fmt.Errorf("failed to parse %s - %v", limit, err)
-	}
-	memoryData.Limit = value
-
-	return memoryData, nil
-}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_cls.go
@@ -6,6 +6,7 @@ import (
 	"strconv"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 )

@@ -26,7 +27,7 @@ func (s *NetClsGroup) Apply(d *cgroupData) error {

 func (s *NetClsGroup) Set(path string, cgroup *configs.Cgroup) error {
 	if cgroup.Resources.NetClsClassid != 0 {
-		if err := writeFile(path, "net_cls.classid", strconv.FormatUint(uint64(cgroup.Resources.NetClsClassid), 10)); err != nil {
+		if err := fscommon.WriteFile(path, "net_cls.classid", strconv.FormatUint(uint64(cgroup.Resources.NetClsClassid), 10)); err != nil {
 			return err
 		}
 	}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_prio.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/net_prio.go
@@ -4,6 +4,7 @@ package fs

 import (
 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 )

@@ -24,7 +25,7 @@ func (s *NetPrioGroup) Apply(d *cgroupData) error {

 func (s *NetPrioGroup) Set(path string, cgroup *configs.Cgroup) error {
 	for _, prioMap := range cgroup.Resources.NetPrioIfpriomap {
-		if err := writeFile(path, "net_prio.ifpriomap", prioMap.CgroupString()); err != nil {
+		if err := fscommon.WriteFile(path, "net_prio.ifpriomap", prioMap.CgroupString()); err != nil {
 			return err
 		}
 	}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids.go
@@ -8,6 +8,7 @@ import (
 	"strconv"

 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 )

@@ -35,7 +36,7 @@ func (s *PidsGroup) Set(path string, cgroup *configs.Cgroup) error {
 			limit = strconv.FormatInt(cgroup.Resources.PidsLimit, 10)
 		}

-		if err := writeFile(path, "pids.max", limit); err != nil {
+		if err := fscommon.WriteFile(path, "pids.max", limit); err != nil {
 			return err
 		}
 	}
@@ -48,12 +49,12 @@ func (s *PidsGroup) Remove(d *cgroupData) error {
 }

 func (s *PidsGroup) GetStats(path string, stats *cgroups.Stats) error {
-	current, err := getCgroupParamUint(path, "pids.current")
+	current, err := fscommon.GetCgroupParamUint(path, "pids.current")
 	if err != nil {
 		return fmt.Errorf("failed to parse pids.current - %s", err)
 	}

-	maxString, err := getCgroupParamString(path, "pids.max")
+	maxString, err := fscommon.GetCgroupParamString(path, "pids.max")
 	if err != nil {
 		return fmt.Errorf("failed to parse pids.max - %s", err)
 	}
@@ -61,7 +62,7 @@ func (s *PidsGroup) GetStats(path string, stats *cgroups.Stats) error {
 	// Default if pids.max == "max" is 0 -- which represents "no limit".
 	var max uint64
 	if maxString != "max" {
-		max, err = parseUint(maxString, 10, 64)
+		max, err = fscommon.ParseUint(maxString, 10, 64)
 		if err != nil {
 			return fmt.Errorf("failed to parse pids.max - unable to parse %q as a uint from Cgroup file %q", maxString, filepath.Join(path, "pids.max"))
 		}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids_v2.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs/pids_v2.go
@@ -1,107 +0,0 @@
-// +build linux
-
-package fs
-
-import (
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-
-	"github.com/opencontainers/runc/libcontainer/cgroups"
-	"github.com/opencontainers/runc/libcontainer/configs"
-	"golang.org/x/sys/unix"
-)
-
-type PidsGroupV2 struct {
-}
-
-func (s *PidsGroupV2) Name() string {
-	return "pids"
-}
-
-func (s *PidsGroupV2) Apply(d *cgroupData) error {
-	_, err := d.join("pids")
-	if err != nil && !cgroups.IsNotFound(err) {
-		return err
-	}
-	return nil
-}
-
-func (s *PidsGroupV2) Set(path string, cgroup *configs.Cgroup) error {
-	if cgroup.Resources.PidsLimit != 0 {
-		// "max" is the fallback value.
-		limit := "max"
-
-		if cgroup.Resources.PidsLimit > 0 {
-			limit = strconv.FormatInt(cgroup.Resources.PidsLimit, 10)
-		}
-
-		if err := writeFile(path, "pids.max", limit); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (s *PidsGroupV2) Remove(d *cgroupData) error {
-	return removePath(d.path("pids"))
-}
-
-func isNOTSUP(err error) bool {
-	switch err := err.(type) {
-	case *os.PathError:
-		return err.Err == unix.ENOTSUP
-	default:
-		return false
-	}
-}
-
-func (s *PidsGroupV2) GetStats(path string, stats *cgroups.Stats) error {
-	current, err := getCgroupParamUint(path, "pids.current")
-	if os.IsNotExist(err) {
-		// if the controller is not enabled, let's read the list
-		// PIDs (or threads if cgroup.threads is enabled)
-		contents, err := ioutil.ReadFile(filepath.Join(path, "cgroup.procs"))
-		if err != nil && isNOTSUP(err) {
-			contents, err = ioutil.ReadFile(filepath.Join(path, "cgroup.threads"))
-		}
-		if err != nil {
-			return err
-		}
-		pids := make(map[string]string)
-		for _, i := range strings.Split(string(contents), "\n") {
-			if i != "" {
-				pids[i] = i
-			}
-		}
-		stats.PidsStats.Current = uint64(len(pids))
-		stats.PidsStats.Limit = 0
-		return nil
-
-	}
-	if err != nil {
-		return fmt.Errorf("failed to parse pids.current - %s", err)
-	}
-
-	maxString, err := getCgroupParamString(path, "pids.max")
-	if err != nil {
-		return fmt.Errorf("failed to parse pids.max - %s", err)
-	}
-
-	// Default if pids.max == "max" is 0 -- which represents "no limit".
-	var max uint64
-	if maxString != "max" {
-		max, err = parseUint(maxString, 10, 64)
-		if err != nil {
-			return fmt.Errorf("failed to parse pids.max - unable to parse %q as a uint from Cgroup file %q", maxString, filepath.Join(path, "pids.max"))
-		}
-	}
-
-	stats.PidsStats.Current = current
-	stats.PidsStats.Limit = max
-	return nil
-}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/BUILD
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/BUILD
@@ -0,0 +1,56 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "cpu.go",
+        "cpuset.go",
+        "defaultpath.go",
+        "devices.go",
+        "freezer.go",
+        "fs2.go",
+        "io.go",
+        "memory.go",
+        "pids.go",
+    ],
+    importmap = "k8s.io/kubernetes/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2",
+    importpath = "github.com/opencontainers/runc/libcontainer/cgroups/fs2",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
+        "//vendor/github.com/opencontainers/runc/libcontainer/utils:go_default_library",
+        "//vendor/github.com/pkg/errors:go_default_library",
+    ] + select({
+        "@io_bazel_rules_go//go/platform:android": [
+            "//vendor/github.com/cyphar/filepath-securejoin:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon:go_default_library",
+            "//vendor/golang.org/x/sys/unix:go_default_library",
+        ],
+        "@io_bazel_rules_go//go/platform:linux": [
+            "//vendor/github.com/cyphar/filepath-securejoin:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon:go_default_library",
+            "//vendor/golang.org/x/sys/unix:go_default_library",
+        ],
+        "//conditions:default": [],
+    }),
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/cpu.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/cpu.go
@@ -0,0 +1,56 @@
+// +build linux
+
+package fs2
+
+import (
+	"bufio"
+	"os"
+	"path/filepath"
+	"strconv"
+
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
+	"github.com/opencontainers/runc/libcontainer/configs"
+)
+
+func setCpu(dirPath string, cgroup *configs.Cgroup) error {
+	if cgroup.Resources.CpuWeight != 0 {
+		if err := fscommon.WriteFile(dirPath, "cpu.weight", strconv.FormatUint(cgroup.Resources.CpuWeight, 10)); err != nil {
+			return err
+		}
+	}
+
+	if cgroup.Resources.CpuMax != "" {
+		if err := fscommon.WriteFile(dirPath, "cpu.max", cgroup.Resources.CpuMax); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+func statCpu(dirPath string, stats *cgroups.Stats) error {
+	f, err := os.Open(filepath.Join(dirPath, "cpu.stat"))
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	sc := bufio.NewScanner(f)
+	for sc.Scan() {
+		t, v, err := fscommon.GetCgroupParamKeyValue(sc.Text())
+		if err != nil {
+			return err
+		}
+		switch t {
+		case "usage_usec":
+			stats.CpuStats.CpuUsage.TotalUsage = v * 1000
+
+		case "user_usec":
+			stats.CpuStats.CpuUsage.UsageInUsermode = v * 1000
+
+		case "system_usec":
+			stats.CpuStats.CpuUsage.UsageInKernelmode = v * 1000
+		}
+	}
+	return nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/cpuset.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/cpuset.go
@@ -0,0 +1,22 @@
+// +build linux
+
+package fs2
+
+import (
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
+	"github.com/opencontainers/runc/libcontainer/configs"
+)
+
+func setCpuset(dirPath string, cgroup *configs.Cgroup) error {
+	if cgroup.Resources.CpusetCpus != "" {
+		if err := fscommon.WriteFile(dirPath, "cpuset.cpus", cgroup.Resources.CpusetCpus); err != nil {
+			return err
+		}
+	}
+	if cgroup.Resources.CpusetMems != "" {
+		if err := fscommon.WriteFile(dirPath, "cpuset.mems", cgroup.Resources.CpusetMems); err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/defaultpath.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/defaultpath.go
@@ -0,0 +1,99 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package fs2
+
+import (
+	"bufio"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/opencontainers/runc/libcontainer/configs"
+	libcontainerUtils "github.com/opencontainers/runc/libcontainer/utils"
+	"github.com/pkg/errors"
+)
+
+const UnifiedMountpoint = "/sys/fs/cgroup"
+
+func defaultDirPath(c *configs.Cgroup) (string, error) {
+	if (c.Name != "" || c.Parent != "") && c.Path != "" {
+		return "", errors.Errorf("cgroup: either Path or Name and Parent should be used, got %+v", c)
+	}
+	if len(c.Paths) != 0 {
+		// never set by specconv
+		return "", errors.Errorf("cgroup: Paths is unsupported, use Path, got %+v", c)
+	}
+
+	// XXX: Do not remove this code. Path safety is important! -- cyphar
+	cgPath := libcontainerUtils.CleanPath(c.Path)
+	cgParent := libcontainerUtils.CleanPath(c.Parent)
+	cgName := libcontainerUtils.CleanPath(c.Name)
+
+	ownCgroup, err := parseCgroupFile("/proc/self/cgroup")
+	if err != nil {
+		return "", err
+	}
+	return _defaultDirPath(UnifiedMountpoint, cgPath, cgParent, cgName, ownCgroup)
+}
+
+func _defaultDirPath(root, cgPath, cgParent, cgName, ownCgroup string) (string, error) {
+	if (cgName != "" || cgParent != "") && cgPath != "" {
+		return "", errors.New("cgroup: either Path or Name and Parent should be used")
+	}
+	innerPath := cgPath
+	if innerPath == "" {
+		innerPath = filepath.Join(cgParent, cgName)
+	}
+	if filepath.IsAbs(innerPath) {
+		return filepath.Join(root, innerPath), nil
+	}
+	return filepath.Join(root, ownCgroup, innerPath), nil
+}
+
+// parseCgroupFile parses /proc/PID/cgroup file and return string
+func parseCgroupFile(path string) (string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	return parseCgroupFromReader(f)
+}
+
+func parseCgroupFromReader(r io.Reader) (string, error) {
+	var (
+		s = bufio.NewScanner(r)
+	)
+	for s.Scan() {
+		if err := s.Err(); err != nil {
+			return "", err
+		}
+		var (
+			text  = s.Text()
+			parts = strings.SplitN(text, ":", 3)
+		)
+		if len(parts) < 3 {
+			return "", errors.Errorf("invalid cgroup entry: %q", text)
+		}
+		// text is like "0::/user.slice/user-1001.slice/session-1.scope"
+		if parts[0] == "0" && parts[1] == "" {
+			return parts[2], nil
+		}
+	}
+	return "", errors.New("cgroup path not found")
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/devices.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/devices.go
@@ -0,0 +1,73 @@
+// +build linux
+
+package fs2
+
+import (
+	"github.com/opencontainers/runc/libcontainer/cgroups/ebpf"
+	"github.com/opencontainers/runc/libcontainer/cgroups/ebpf/devicefilter"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+func isRWM(cgroupPermissions string) bool {
+	r := false
+	w := false
+	m := false
+	for _, rn := range cgroupPermissions {
+		switch rn {
+		case 'r':
+			r = true
+		case 'w':
+			w = true
+		case 'm':
+			m = true
+		}
+	}
+	return r && w && m
+}
+
+// the logic is from crun
+// https://github.com/containers/crun/blob/0.10.2/src/libcrun/cgroup.c#L1644-L1652
+func canSkipEBPFError(cgroup *configs.Cgroup) bool {
+	for _, dev := range cgroup.Resources.Devices {
+		if dev.Allow || !isRWM(dev.Permissions) {
+			return false
+		}
+	}
+	return true
+}
+
+func setDevices(dirPath string, cgroup *configs.Cgroup) error {
+	devices := cgroup.Devices
+	if allowAllDevices := cgroup.Resources.AllowAllDevices; allowAllDevices != nil {
+		// never set by OCI specconv, but *allowAllDevices=false is still used by the integration test
+		if *allowAllDevices == true {
+			return errors.New("libcontainer AllowAllDevices is not supported, use Devices")
+		}
+		for _, ad := range cgroup.Resources.AllowedDevices {
+			d := *ad
+			d.Allow = true
+			devices = append(devices, &d)
+		}
+	}
+	if len(cgroup.Resources.DeniedDevices) != 0 {
+		// never set by OCI specconv
+		return errors.New("libcontainer DeniedDevices is not supported, use Devices")
+	}
+	insts, license, err := devicefilter.DeviceFilter(devices)
+	if err != nil {
+		return err
+	}
+	dirFD, err := unix.Open(dirPath, unix.O_DIRECTORY|unix.O_RDONLY, 0600)
+	if err != nil {
+		return errors.Errorf("cannot get dir FD for %s", dirPath)
+	}
+	defer unix.Close(dirFD)
+	if _, err := ebpf.LoadAttachCgroupDeviceFilter(insts, license, dirFD); err != nil {
+		if !canSkipEBPFError(cgroup) {
+			return err
+		}
+	}
+	return nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/freezer.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/freezer.go
@@ -0,0 +1,53 @@
+// +build linux
+
+package fs2
+
+import (
+	"strconv"
+	"strings"
+
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/pkg/errors"
+)
+
+func setFreezer(dirPath string, state configs.FreezerState) error {
+	var desired int
+	switch state {
+	case configs.Undefined:
+		return nil
+	case configs.Frozen:
+		desired = 1
+	case configs.Thawed:
+		desired = 0
+	default:
+		return errors.Errorf("unknown freezer state %+v", state)
+	}
+	supportedErr := supportsFreezer(dirPath)
+	if supportedErr != nil && desired != 0 {
+		// can ignore error if desired == 1
+		return errors.Wrap(supportedErr, "freezer not supported")
+	}
+	return freezeWithInt(dirPath, desired)
+}
+
+func supportsFreezer(dirPath string) error {
+	_, err := fscommon.ReadFile(dirPath, "cgroup.freeze")
+	return err
+}
+
+// freeze writes desired int to "cgroup.freeze".
+func freezeWithInt(dirPath string, desired int) error {
+	desiredS := strconv.Itoa(desired)
+	if err := fscommon.WriteFile(dirPath, "cgroup.freeze", desiredS); err != nil {
+		return err
+	}
+	got, err := fscommon.ReadFile(dirPath, "cgroup.freeze")
+	if err != nil {
+		return err
+	}
+	if gotS := strings.TrimSpace(string(got)); gotS != desiredS {
+		return errors.Errorf("expected \"cgroup.freeze\" in %q to be %q, got %q", dirPath, desiredS, gotS)
+	}
+	return nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/fs2.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/fs2.go
@@ -0,0 +1,214 @@
+// +build linux
+
+package fs2
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+
+	securejoin "github.com/cyphar/filepath-securejoin"
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/pkg/errors"
+)
+
+// NewManager creates a manager for cgroup v2 unified hierarchy.
+// dirPath is like "/sys/fs/cgroup/user.slice/user-1001.slice/session-1.scope".
+// If dirPath is empty, it is automatically set using config.
+func NewManager(config *configs.Cgroup, dirPath string, rootless bool) (cgroups.Manager, error) {
+	if config == nil {
+		config = &configs.Cgroup{}
+	}
+	if dirPath != "" {
+		if filepath.Clean(dirPath) != dirPath || !filepath.IsAbs(dirPath) {
+			return nil, errors.Errorf("invalid dir path %q", dirPath)
+		}
+	} else {
+		var err error
+		dirPath, err = defaultDirPath(config)
+		if err != nil {
+			return nil, err
+		}
+	}
+	controllers, err := detectControllers(dirPath)
+	if err != nil && !rootless {
+		return nil, err
+	}
+
+	m := &manager{
+		config:      config,
+		dirPath:     dirPath,
+		controllers: controllers,
+		rootless:    rootless,
+	}
+	return m, nil
+}
+
+func detectControllers(dirPath string) (map[string]struct{}, error) {
+	if err := os.MkdirAll(dirPath, 0755); err != nil {
+		return nil, err
+	}
+	controllersPath, err := securejoin.SecureJoin(dirPath, "cgroup.controllers")
+	if err != nil {
+		return nil, err
+	}
+	controllersData, err := ioutil.ReadFile(controllersPath)
+	if err != nil {
+		return nil, err
+	}
+	controllersFields := strings.Fields(string(controllersData))
+	controllers := make(map[string]struct{}, len(controllersFields))
+	for _, c := range controllersFields {
+		controllers[c] = struct{}{}
+	}
+	return controllers, nil
+}
+
+type manager struct {
+	config *configs.Cgroup
+	// dirPath is like "/sys/fs/cgroup/user.slice/user-1001.slice/session-1.scope"
+	dirPath string
+	// controllers is content of "cgroup.controllers" file.
+	// excludes pseudo-controllers ("devices" and "freezer").
+	controllers map[string]struct{}
+	rootless    bool
+}
+
+func (m *manager) Apply(pid int) error {
+	if err := cgroups.WriteCgroupProc(m.dirPath, pid); err != nil && !m.rootless {
+		return err
+	}
+	return nil
+}
+
+func (m *manager) GetPids() ([]int, error) {
+	return cgroups.GetPids(m.dirPath)
+}
+
+func (m *manager) GetAllPids() ([]int, error) {
+	return cgroups.GetAllPids(m.dirPath)
+}
+
+func (m *manager) GetStats() (*cgroups.Stats, error) {
+	var (
+		st   cgroups.Stats
+		errs []error
+	)
+	// pids (since kernel 4.5)
+	if _, ok := m.controllers["pids"]; ok {
+		if err := statPids(m.dirPath, &st); err != nil {
+			errs = append(errs, err)
+		}
+	} else {
+		if err := statPidsWithoutController(m.dirPath, &st); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	// memory (since kenrel 4.5)
+	if _, ok := m.controllers["memory"]; ok {
+		if err := statMemory(m.dirPath, &st); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	// io (since kernel 4.5)
+	if _, ok := m.controllers["io"]; ok {
+		if err := statIo(m.dirPath, &st); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	// cpu (since kernel 4.15)
+	if _, ok := m.controllers["cpu"]; ok {
+		if err := statCpu(m.dirPath, &st); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	if len(errs) > 0 && !m.rootless {
+		return &st, errors.Errorf("error while statting cgroup v2: %+v", errs)
+	}
+	return &st, nil
+}
+
+func (m *manager) Freeze(state configs.FreezerState) error {
+	if err := setFreezer(m.dirPath, state); err != nil {
+		return err
+	}
+	m.config.Resources.Freezer = state
+	return nil
+}
+
+func (m *manager) Destroy() error {
+	return os.RemoveAll(m.dirPath)
+}
+
+// GetPaths is for compatibility purpose and should be removed in future
+func (m *manager) GetPaths() map[string]string {
+	paths := map[string]string{
+		// pseudo-controller for compatibility
+		"devices": m.dirPath,
+		"freezer": m.dirPath,
+	}
+	for c := range m.controllers {
+		paths[c] = m.dirPath
+	}
+	return paths
+}
+
+func (m *manager) GetUnifiedPath() (string, error) {
+	return m.dirPath, nil
+}
+
+func (m *manager) Set(container *configs.Config) error {
+	if container == nil || container.Cgroups == nil {
+		return nil
+	}
+	var errs []error
+	// pids (since kernel 4.5)
+	if _, ok := m.controllers["pids"]; ok {
+		if err := setPids(m.dirPath, container.Cgroups); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	// memory (since kernel 4.5)
+	if _, ok := m.controllers["memory"]; ok {
+		if err := setMemory(m.dirPath, container.Cgroups); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	// io (since kernel 4.5)
+	if _, ok := m.controllers["io"]; ok {
+		if err := setIo(m.dirPath, container.Cgroups); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	// cpu (since kernel 4.15)
+	if _, ok := m.controllers["cpu"]; ok {
+		if err := setCpu(m.dirPath, container.Cgroups); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	// devices (since kernel 4.15, pseudo-controller)
+	if err := setDevices(m.dirPath, container.Cgroups); err != nil {
+		errs = append(errs, err)
+	}
+	// cpuset (since kernel 5.0)
+	if _, ok := m.controllers["cpuset"]; ok {
+		if err := setCpuset(m.dirPath, container.Cgroups); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	// freezer (since kernel 5.2, pseudo-controller)
+	if err := setFreezer(m.dirPath, container.Cgroups.Freezer); err != nil {
+		errs = append(errs, err)
+	}
+	if len(errs) > 0 && !m.rootless {
+		return errors.Errorf("error while setting cgroup v2: %+v", errs)
+	}
+	m.config = container.Cgroups
+	return nil
+}
+
+func (m *manager) GetCgroups() (*configs.Cgroup, error) {
+	return m.config, nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/io.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/io.go
@@ -0,0 +1,124 @@
+// +build linux
+
+package fs2
+
+import (
+	"bufio"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
+	"github.com/opencontainers/runc/libcontainer/configs"
+)
+
+func setIo(dirPath string, cgroup *configs.Cgroup) error {
+	if cgroup.Resources.BlkioWeight != 0 {
+		filename := "io.bfq.weight"
+		if err := fscommon.WriteFile(dirPath, filename, strconv.FormatUint(uint64(cgroup.Resources.BlkioWeight), 10)); err != nil {
+			return err
+		}
+	}
+
+	for _, td := range cgroup.Resources.BlkioThrottleReadBpsDevice {
+		if err := fscommon.WriteFile(dirPath, "io.max", td.StringName("rbps")); err != nil {
+			return err
+		}
+	}
+	for _, td := range cgroup.Resources.BlkioThrottleWriteBpsDevice {
+		if err := fscommon.WriteFile(dirPath, "io.max", td.StringName("wbps")); err != nil {
+			return err
+		}
+	}
+	for _, td := range cgroup.Resources.BlkioThrottleReadIOPSDevice {
+		if err := fscommon.WriteFile(dirPath, "io.max", td.StringName("riops")); err != nil {
+			return err
+		}
+	}
+	for _, td := range cgroup.Resources.BlkioThrottleWriteIOPSDevice {
+		if err := fscommon.WriteFile(dirPath, "io.max", td.StringName("wiops")); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func readCgroup2MapFile(dirPath string, name string) (map[string][]string, error) {
+	ret := map[string][]string{}
+	p := filepath.Join(dirPath, name)
+	f, err := os.Open(p)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		parts := strings.Fields(line)
+		if len(parts) < 2 {
+			continue
+		}
+		ret[parts[0]] = parts[1:]
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+	return ret, nil
+}
+
+func statIo(dirPath string, stats *cgroups.Stats) error {
+	// more details on the io.stat file format: https://www.kernel.org/doc/Documentation/cgroup-v2.txt
+	var ioServiceBytesRecursive []cgroups.BlkioStatEntry
+	values, err := readCgroup2MapFile(dirPath, "io.stat")
+	if err != nil {
+		return err
+	}
+	for k, v := range values {
+		d := strings.Split(k, ":")
+		if len(d) != 2 {
+			continue
+		}
+		minor, err := strconv.ParseUint(d[0], 10, 0)
+		if err != nil {
+			return err
+		}
+		major, err := strconv.ParseUint(d[1], 10, 0)
+		if err != nil {
+			return err
+		}
+
+		for _, item := range v {
+			d := strings.Split(item, "=")
+			if len(d) != 2 {
+				continue
+			}
+			op := d[0]
+
+			// Accommodate the cgroup v1 naming
+			switch op {
+			case "rbytes":
+				op = "read"
+			case "wbytes":
+				op = "write"
+			}
+
+			value, err := strconv.ParseUint(d[1], 10, 0)
+			if err != nil {
+				return err
+			}
+
+			entry := cgroups.BlkioStatEntry{
+				Op:    op,
+				Major: major,
+				Minor: minor,
+				Value: value,
+			}
+			ioServiceBytesRecursive = append(ioServiceBytesRecursive, entry)
+		}
+	}
+	stats.BlkioStats = cgroups.BlkioStats{IoServiceBytesRecursive: ioServiceBytesRecursive}
+	return nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/memory.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/memory.go
@@ -0,0 +1,103 @@
+// +build linux
+
+package fs2
+
+import (
+	"bufio"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/pkg/errors"
+)
+
+func setMemory(dirPath string, cgroup *configs.Cgroup) error {
+	if cgroup.Resources.MemorySwap != 0 {
+		if err := fscommon.WriteFile(dirPath, "memory.swap.max", strconv.FormatInt(cgroup.Resources.MemorySwap, 10)); err != nil {
+			return err
+		}
+	}
+	if cgroup.Resources.Memory != 0 {
+		if err := fscommon.WriteFile(dirPath, "memory.max", strconv.FormatInt(cgroup.Resources.Memory, 10)); err != nil {
+			return err
+		}
+	}
+
+	// cgroup.Resources.KernelMemory is ignored
+
+	if cgroup.Resources.MemoryReservation != 0 {
+		if err := fscommon.WriteFile(dirPath, "memory.low", strconv.FormatInt(cgroup.Resources.MemoryReservation, 10)); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func statMemory(dirPath string, stats *cgroups.Stats) error {
+	// Set stats from memory.stat.
+	statsFile, err := os.Open(filepath.Join(dirPath, "memory.stat"))
+	if err != nil {
+		return err
+	}
+	defer statsFile.Close()
+
+	sc := bufio.NewScanner(statsFile)
+	for sc.Scan() {
+		t, v, err := fscommon.GetCgroupParamKeyValue(sc.Text())
+		if err != nil {
+			return errors.Wrapf(err, "failed to parse memory.stat (%q)", sc.Text())
+		}
+		stats.MemoryStats.Stats[t] = v
+	}
+	stats.MemoryStats.Cache = stats.MemoryStats.Stats["cache"]
+
+	memoryUsage, err := getMemoryDataV2(dirPath, "")
+	if err != nil {
+		return err
+	}
+	stats.MemoryStats.Usage = memoryUsage
+	swapUsage, err := getMemoryDataV2(dirPath, "swap")
+	if err != nil {
+		return err
+	}
+	stats.MemoryStats.SwapUsage = swapUsage
+
+	stats.MemoryStats.UseHierarchy = true
+	return nil
+}
+
+func getMemoryDataV2(path, name string) (cgroups.MemoryData, error) {
+	memoryData := cgroups.MemoryData{}
+
+	moduleName := "memory"
+	if name != "" {
+		moduleName = strings.Join([]string{"memory", name}, ".")
+	}
+	usage := strings.Join([]string{moduleName, "current"}, ".")
+	limit := strings.Join([]string{moduleName, "max"}, ".")
+
+	value, err := fscommon.GetCgroupParamUint(path, usage)
+	if err != nil {
+		if moduleName != "memory" && os.IsNotExist(err) {
+			return cgroups.MemoryData{}, nil
+		}
+		return cgroups.MemoryData{}, errors.Wrapf(err, "failed to parse %s", usage)
+	}
+	memoryData.Usage = value
+
+	value, err = fscommon.GetCgroupParamUint(path, limit)
+	if err != nil {
+		if moduleName != "memory" && os.IsNotExist(err) {
+			return cgroups.MemoryData{}, nil
+		}
+		return cgroups.MemoryData{}, errors.Wrapf(err, "failed to parse %s", limit)
+	}
+	memoryData.Limit = value
+
+	return memoryData, nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/pids.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2/pids.go
@@ -0,0 +1,90 @@
+// +build linux
+
+package fs2
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
+	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/pkg/errors"
+	"golang.org/x/sys/unix"
+)
+
+func setPids(dirPath string, cgroup *configs.Cgroup) error {
+	if cgroup.Resources.PidsLimit != 0 {
+		// "max" is the fallback value.
+		limit := "max"
+
+		if cgroup.Resources.PidsLimit > 0 {
+			limit = strconv.FormatInt(cgroup.Resources.PidsLimit, 10)
+		}
+
+		if err := fscommon.WriteFile(dirPath, "pids.max", limit); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func isNOTSUP(err error) bool {
+	switch err := err.(type) {
+	case *os.PathError:
+		return err.Err == unix.ENOTSUP
+	default:
+		return false
+	}
+}
+
+func statPidsWithoutController(dirPath string, stats *cgroups.Stats) error {
+	// if the controller is not enabled, let's read PIDS from cgroups.procs
+	// (or threads if cgroup.threads is enabled)
+	contents, err := ioutil.ReadFile(filepath.Join(dirPath, "cgroup.procs"))
+	if err != nil && isNOTSUP(err) {
+		contents, err = ioutil.ReadFile(filepath.Join(dirPath, "cgroup.threads"))
+	}
+	if err != nil {
+		return err
+	}
+	pids := make(map[string]string)
+	for _, i := range strings.Split(string(contents), "\n") {
+		if i != "" {
+			pids[i] = i
+		}
+	}
+	stats.PidsStats.Current = uint64(len(pids))
+	stats.PidsStats.Limit = 0
+	return nil
+}
+
+func statPids(dirPath string, stats *cgroups.Stats) error {
+	current, err := fscommon.GetCgroupParamUint(dirPath, "pids.current")
+	if err != nil {
+		return errors.Wrap(err, "failed to parse pids.current")
+	}
+
+	maxString, err := fscommon.GetCgroupParamString(dirPath, "pids.max")
+	if err != nil {
+		return errors.Wrap(err, "failed to parse pids.max")
+	}
+
+	// Default if pids.max == "max" is 0 -- which represents "no limit".
+	var max uint64
+	if maxString != "max" {
+		max, err = fscommon.ParseUint(maxString, 10, 64)
+		if err != nil {
+			return errors.Wrapf(err, "failed to parse pids.max - unable to parse %q as a uint from Cgroup file %q",
+				maxString, filepath.Join(dirPath, "pids.max"))
+		}
+	}
+
+	stats.PidsStats.Current = current
+	stats.PidsStats.Limit = max
+	return nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/BUILD
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/BUILD
@@ -0,0 +1,37 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "fscommon.go",
+        "utils.go",
+    ],
+    importmap = "k8s.io/kubernetes/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon",
+    importpath = "github.com/opencontainers/runc/libcontainer/cgroups/fscommon",
+    visibility = ["//visibility:public"],
+    deps = select({
+        "@io_bazel_rules_go//go/platform:android": [
+            "//vendor/github.com/cyphar/filepath-securejoin:go_default_library",
+            "//vendor/github.com/pkg/errors:go_default_library",
+        ],
+        "@io_bazel_rules_go//go/platform:linux": [
+            "//vendor/github.com/cyphar/filepath-securejoin:go_default_library",
+            "//vendor/github.com/pkg/errors:go_default_library",
+        ],
+        "//conditions:default": [],
+    }),
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+    visibility = ["//visibility:public"],
+)
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/fscommon.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/fscommon.go
@@ -0,0 +1,36 @@
+// +build linux
+
+package fscommon
+
+import (
+	"io/ioutil"
+
+	securejoin "github.com/cyphar/filepath-securejoin"
+	"github.com/pkg/errors"
+)
+
+func WriteFile(dir, file, data string) error {
+	if dir == "" {
+		return errors.Errorf("no directory specified for %s", file)
+	}
+	path, err := securejoin.SecureJoin(dir, file)
+	if err != nil {
+		return err
+	}
+	if err := ioutil.WriteFile(path, []byte(data), 0700); err != nil {
+		return errors.Wrapf(err, "failed to write %q to %q", data, path)
+	}
+	return nil
+}
+
+func ReadFile(dir, file string) (string, error) {
+	if dir == "" {
+		return "", errors.Errorf("no directory specified for %s", file)
+	}
+	path, err := securejoin.SecureJoin(dir, file)
+	if err != nil {
+		return "", err
+	}
+	data, err := ioutil.ReadFile(path)
+	return string(data), err
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/fscommon/utils.go
@@ -1,6 +1,6 @@
 // +build linux

-package fs
+package fscommon

 import (
 	"errors"
@@ -18,7 +18,7 @@ var (

 // Saturates negative values at zero and returns a uint64.
 // Due to kernel bugs, some of the memory cgroup stats can be negative.
-func parseUint(s string, base, bitSize int) (uint64, error) {
+func ParseUint(s string, base, bitSize int) (uint64, error) {
 	value, err := strconv.ParseUint(s, base, bitSize)
 	if err != nil {
 		intValue, intErr := strconv.ParseInt(s, base, bitSize)
@@ -38,11 +38,11 @@ func parseUint(s string, base, bitSize int) (uint64, error) {

 // Parses a cgroup param and returns as name, value
 //  i.e. "io_service_bytes 1234" will return as io_service_bytes, 1234
-func getCgroupParamKeyValue(t string) (string, uint64, error) {
+func GetCgroupParamKeyValue(t string) (string, uint64, error) {
 	parts := strings.Fields(t)
 	switch len(parts) {
 	case 2:
-		value, err := parseUint(parts[1], 10, 64)
+		value, err := ParseUint(parts[1], 10, 64)
 		if err != nil {
 			return "", 0, fmt.Errorf("unable to convert param value (%q) to uint64: %v", parts[1], err)
 		}
@@ -54,7 +54,7 @@ func getCgroupParamKeyValue(t string) (string, uint64, error) {
 }

 // Gets a single uint64 value from the specified cgroup file.
-func getCgroupParamUint(cgroupPath, cgroupFile string) (uint64, error) {
+func GetCgroupParamUint(cgroupPath, cgroupFile string) (uint64, error) {
 	fileName := filepath.Join(cgroupPath, cgroupFile)
 	contents, err := ioutil.ReadFile(fileName)
 	if err != nil {
@@ -65,7 +65,7 @@ func getCgroupParamUint(cgroupPath, cgroupFile string) (uint64, error) {
 		return math.MaxUint64, nil
 	}

-	res, err := parseUint(trimmed, 10, 64)
+	res, err := ParseUint(trimmed, 10, 64)
 	if err != nil {
 		return res, fmt.Errorf("unable to parse %q as a uint from Cgroup file %q", string(contents), fileName)
 	}
@@ -73,7 +73,7 @@ func getCgroupParamUint(cgroupPath, cgroupFile string) (uint64, error) {
 }

 // Gets a string value from the specified cgroup file
-func getCgroupParamString(cgroupPath, cgroupFile string) (string, error) {
+func GetCgroupParamString(cgroupPath, cgroupFile string) (string, error) {
 	contents, err := ioutil.ReadFile(filepath.Join(cgroupPath, cgroupFile))
 	if err != nil {
 		return "", err
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/BUILD
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/BUILD
@@ -16,7 +16,9 @@ go_library(
            "//vendor/github.com/godbus/dbus:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
+            "//vendor/github.com/pkg/errors:go_default_library",
            "//vendor/github.com/sirupsen/logrus:go_default_library",
        ],
        "@io_bazel_rules_go//go/platform:darwin": [
@@ -40,7 +42,9 @@ go_library(
            "//vendor/github.com/godbus/dbus:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs:go_default_library",
+            "//vendor/github.com/opencontainers/runc/libcontainer/cgroups/fs2:go_default_library",
            "//vendor/github.com/opencontainers/runc/libcontainer/configs:go_default_library",
+            "//vendor/github.com/pkg/errors:go_default_library",
            "//vendor/github.com/sirupsen/logrus:go_default_library",
        ],
        "@io_bazel_rules_go//go/platform:nacl": [
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_nosystemd.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_nosystemd.go
@@ -1,4 +1,4 @@
-// +build !linux static_build
+// +build !linux

 package systemd

@@ -42,6 +42,10 @@ func (m *Manager) GetPaths() map[string]string {
 	return nil
 }

+func (m *Manager) GetUnifiedPath() (string, error) {
+	return "", fmt.Errorf("Systemd not supported")
+}
+
 func (m *Manager) GetStats() (*cgroups.Stats, error) {
 	return nil, fmt.Errorf("Systemd not supported")
 }
@@ -57,3 +61,7 @@ func (m *Manager) Freeze(state configs.FreezerState) error {
 func Freeze(c *configs.Cgroup, state configs.FreezerState) error {
 	return fmt.Errorf("Systemd not supported")
 }
+
+func (m *Manager) GetCgroups() (*configs.Cgroup, error) {
+	return nil, fmt.Errorf("Systemd not supported")
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/apply_systemd.go
@@ -1,4 +1,4 @@
-// +build linux,!static_build
+// +build linux

 package systemd

@@ -297,6 +297,10 @@ func (m *LegacyManager) GetPaths() map[string]string {
 	return paths
 }

+func (m *LegacyManager) GetUnifiedPath() (string, error) {
+	return "", errors.New("unified path is only supported when running in unified mode")
+}
+
 func join(c *configs.Cgroup, subsystem string, pid int) (string, error) {
 	path, err := getSubsystemPath(c, subsystem)
 	if err != nil {
@@ -524,3 +528,7 @@ func isUnitExists(err error) bool {
 	}
 	return false
 }
+
+func (m *LegacyManager) GetCgroups() (*configs.Cgroup, error) {
+	return m.Cgroups, nil
+}
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/unified_hierarchy.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/systemd/unified_hierarchy.go
@@ -1,4 +1,4 @@
-// +build linux,!static_build
+// +build linux

 package systemd

@@ -14,8 +14,9 @@ import (

 	systemdDbus "github.com/coreos/go-systemd/dbus"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
-	"github.com/opencontainers/runc/libcontainer/cgroups/fs"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fs2"
 	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )

@@ -25,15 +26,6 @@ type UnifiedManager struct {
 	Paths   map[string]string
 }

-var unifiedSubsystems = subsystemSet{
-	&fs.CpusetGroupV2{},
-	&fs.FreezerGroupV2{},
-	&fs.CpuGroupV2{},
-	&fs.MemoryGroupV2{},
-	&fs.IOGroupV2{},
-	&fs.PidsGroupV2{},
-}
-
 func (m *UnifiedManager) Apply(pid int) error {
 	var (
 		c          = m.Cgroups
@@ -159,19 +151,19 @@ func (m *UnifiedManager) Apply(pid int) error {
 		return err
 	}

-	paths := make(map[string]string)
-	for _, s := range unifiedSubsystems {
-		subsystemPath, err := getSubsystemPath(m.Cgroups, s.Name())
-		if err != nil {
-			// Don't fail if a cgroup hierarchy was not found, just skip this subsystem
-			if cgroups.IsNotFound(err) {
-				continue
-			}
-			return err
-		}
-		paths[s.Name()] = subsystemPath
+	path, err := getSubsystemPath(m.Cgroups, "")
+	if err != nil {
+		return err
+	}
+	m.Paths = map[string]string{
+		"pids":    path,
+		"memory":  path,
+		"io":      path,
+		"cpu":     path,
+		"devices": path,
+		"cpuset":  path,
+		"freezer": path,
 	}
-	m.Paths = paths
 	return nil
 }

@@ -195,7 +187,24 @@ func (m *UnifiedManager) GetPaths() map[string]string {
 	m.mu.Unlock()
 	return paths
 }
-
+func (m *UnifiedManager) GetUnifiedPath() (string, error) {
+	unifiedPath := ""
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	for k, v := range m.Paths {
+		if unifiedPath == "" {
+			unifiedPath = v
+		} else if v != unifiedPath {
+			return unifiedPath,
+				errors.Errorf("expected %q path to be unified path %q, got %q", k, unifiedPath, v)
+		}
+	}
+	if unifiedPath == "" {
+		// FIXME: unified path could be detected even when no controller is available
+		return unifiedPath, errors.New("cannot detect unified path")
+	}
+	return unifiedPath, nil
+}
 func createCgroupsv2Path(path string) (Err error) {
 	content, err := ioutil.ReadFile("/sys/fs/cgroup/cgroup.controllers")
 	if err != nil {
@@ -250,27 +259,24 @@ func joinCgroupsV2(c *configs.Cgroup, pid int) error {
 	return createCgroupsv2Path(path)
 }

+func (m *UnifiedManager) fsManager() (cgroups.Manager, error) {
+	path, err := m.GetUnifiedPath()
+	if err != nil {
+		return nil, err
+	}
+	return fs2.NewManager(m.Cgroups, path, false)
+}
+
 func (m *UnifiedManager) Freeze(state configs.FreezerState) error {
-	path, err := getSubsystemPath(m.Cgroups, "freezer")
+	fsMgr, err := m.fsManager()
 	if err != nil {
 		return err
 	}
-	prevState := m.Cgroups.Resources.Freezer
-	m.Cgroups.Resources.Freezer = state
-	freezer, err := unifiedSubsystems.Get("freezer")
-	if err != nil {
-		return err
-	}
-	err = freezer.Set(path, m.Cgroups)
-	if err != nil {
-		m.Cgroups.Resources.Freezer = prevState
-		return err
-	}
-	return nil
+	return fsMgr.Freeze(state)
 }

 func (m *UnifiedManager) GetPids() ([]int, error) {
-	path, err := getSubsystemPath(m.Cgroups, "devices")
+	path, err := m.GetUnifiedPath()
 	if err != nil {
 		return nil, err
 	}
@@ -278,7 +284,7 @@ func (m *UnifiedManager) GetPids() ([]int, error) {
 }

 func (m *UnifiedManager) GetAllPids() ([]int, error) {
-	path, err := getSubsystemPath(m.Cgroups, "devices")
+	path, err := m.GetUnifiedPath()
 	if err != nil {
 		return nil, err
 	}
@@ -286,44 +292,21 @@ func (m *UnifiedManager) GetAllPids() ([]int, error) {
 }

 func (m *UnifiedManager) GetStats() (*cgroups.Stats, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	stats := cgroups.NewStats()
-	for name, path := range m.Paths {
-		sys, err := unifiedSubsystems.Get(name)
-		if err == errSubsystemDoesNotExist || !cgroups.PathExists(path) {
-			continue
-		}
-		if err := sys.GetStats(path, stats); err != nil {
-			return nil, err
-		}
+	fsMgr, err := m.fsManager()
+	if err != nil {
+		return nil, err
 	}
-
-	return stats, nil
+	return fsMgr.GetStats()
 }

 func (m *UnifiedManager) Set(container *configs.Config) error {
-	// If Paths are set, then we are just joining cgroups paths
-	// and there is no need to set any values.
-	if m.Cgroups.Paths != nil {
-		return nil
+	fsMgr, err := m.fsManager()
+	if err != nil {
+		return err
 	}
-	for _, sys := range unifiedSubsystems {
-		// Get the subsystem path, but don't error out for not found cgroups.
-		path, err := getSubsystemPath(container.Cgroups, sys.Name())
-		if err != nil && !cgroups.IsNotFound(err) {
-			return err
-		}
-
-		if err := sys.Set(path, container.Cgroups); err != nil {
-			return err
-		}
-	}
-
-	if m.Paths["cpu"] != "" {
-		if err := fs.CheckCpushares(m.Paths["cpu"], container.Cgroups.Resources.CpuShares); err != nil {
-			return err
-		}
-	}
-	return nil
+	return fsMgr.Set(container)
+}
+
+func (m *UnifiedManager) GetCgroups() (*configs.Cgroup, error) {
+	return m.Cgroups, nil
 }
--- a/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/cgroups/utils.go
@@ -20,8 +20,9 @@ import (
 )

 const (
-	CgroupNamePrefix = "name="
-	CgroupProcesses  = "cgroup.procs"
+	CgroupNamePrefix  = "name="
+	CgroupProcesses   = "cgroup.procs"
+	unifiedMountpoint = "/sys/fs/cgroup"
 )

 var (
@@ -40,7 +41,7 @@ var HugePageSizeUnitList = []string{"B", "KB", "MB", "GB", "TB", "PB"}
 func IsCgroup2UnifiedMode() bool {
 	isUnifiedOnce.Do(func() {
 		var st syscall.Statfs_t
-		if err := syscall.Statfs("/sys/fs/cgroup", &st); err != nil {
+		if err := syscall.Statfs(unifiedMountpoint, &st); err != nil {
 			panic("cannot statfs cgroup root")
 		}
 		isUnified = st.Type == unix.CGROUP2_SUPER_MAGIC
@@ -50,6 +51,9 @@ func IsCgroup2UnifiedMode() bool {

 // https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
 func FindCgroupMountpoint(cgroupPath, subsystem string) (string, error) {
+	if IsCgroup2UnifiedMode() {
+		return unifiedMountpoint, nil
+	}
 	mnt, _, err := FindCgroupMountpointAndRoot(cgroupPath, subsystem)
 	return mnt, err
 }
@@ -235,8 +239,8 @@ func GetCgroupMounts(all bool) ([]Mount, error) {
 			return nil, err
 		}
 		m := Mount{
-			Mountpoint: "/sys/fs/cgroup",
-			Root:       "/sys/fs/cgroup",
+			Mountpoint: unifiedMountpoint,
+			Root:       unifiedMountpoint,
 			Subsystems: availableControllers,
 		}
 		return []Mount{m}, nil
@@ -262,6 +266,21 @@ func GetCgroupMounts(all bool) ([]Mount, error) {

 // GetAllSubsystems returns all the cgroup subsystems supported by the kernel
 func GetAllSubsystems() ([]string, error) {
+	// /proc/cgroups is meaningless for v2
+	// https://github.com/torvalds/linux/blob/v5.3/Documentation/admin-guide/cgroup-v2.rst#deprecated-v1-core-features
+	if IsCgroup2UnifiedMode() {
+		// "pseudo" controllers do not appear in /sys/fs/cgroup/cgroup.controllers.
+		// - devices: implemented in kernel 4.15
+		// - freezer: implemented in kernel 5.2
+		// We assume these are always available, as it is hard to detect availability.
+		pseudo := []string{"devices", "freezer"}
+		data, err := ioutil.ReadFile("/sys/fs/cgroup/cgroup.controllers")
+		if err != nil {
+			return nil, err
+		}
+		subsystems := append(pseudo, strings.Fields(string(data))...)
+		return subsystems, nil
+	}
 	f, err := os.Open("/proc/cgroups")
 	if err != nil {
 		return nil, err
--- a/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/container_linux.go
@@ -265,22 +265,24 @@ func (c *linuxContainer) Exec() error {

 func (c *linuxContainer) exec() error {
 	path := filepath.Join(c.root, execFifoFilename)
+	pid := c.initProcess.pid()
+	blockingFifoOpenCh := awaitFifoOpen(path)
+	for {
+		select {
+		case result := <-blockingFifoOpenCh:
+			return handleFifoResult(result)

-	fifoOpen := make(chan struct{})
-	select {
-	case <-awaitProcessExit(c.initProcess.pid(), fifoOpen):
-		return errors.New("container process is already dead")
-	case result := <-awaitFifoOpen(path):
-		close(fifoOpen)
-		if result.err != nil {
-			return result.err
+		case <-time.After(time.Millisecond * 100):
+			stat, err := system.Stat(pid)
+			if err != nil || stat.State == system.Zombie {
+				// could be because process started, ran, and completed between our 100ms timeout and our system.Stat() check.
+				// see if the fifo exists and has data (with a non-blocking open, which will succeed if the writing process is complete).
+				if err := handleFifoResult(fifoOpen(path, false)); err != nil {
+					return errors.New("container process is already dead")
+				}
+				return nil
+			}
 		}
-		f := result.file
-		defer f.Close()
-		if err := readFromExecFifo(f); err != nil {
-			return err
-		}
-		return os.Remove(path)
 	}
 }

@@ -295,38 +297,39 @@ func readFromExecFifo(execFifo io.Reader) error {
 	return nil
 }

-func awaitProcessExit(pid int, exit <-chan struct{}) <-chan struct{} {
-	isDead := make(chan struct{})
-	go func() {
-		for {
-			select {
-			case <-exit:
-				return
-			case <-time.After(time.Millisecond * 100):
-				stat, err := system.Stat(pid)
-				if err != nil || stat.State == system.Zombie {
-					close(isDead)
-					return
-				}
-			}
-		}
-	}()
-	return isDead
-}
-
 func awaitFifoOpen(path string) <-chan openResult {
 	fifoOpened := make(chan openResult)
 	go func() {
-		f, err := os.OpenFile(path, os.O_RDONLY, 0)
-		if err != nil {
-			fifoOpened <- openResult{err: newSystemErrorWithCause(err, "open exec fifo for reading")}
-			return
-		}
-		fifoOpened <- openResult{file: f}
+		result := fifoOpen(path, true)
+		fifoOpened <- result
 	}()
 	return fifoOpened
 }

+func fifoOpen(path string, block bool) openResult {
+	flags := os.O_RDONLY
+	if !block {
+		flags |= syscall.O_NONBLOCK
+	}
+	f, err := os.OpenFile(path, flags, 0)
+	if err != nil {
+		return openResult{err: newSystemErrorWithCause(err, "open exec fifo for reading")}
+	}
+	return openResult{file: f}
+}
+
+func handleFifoResult(result openResult) error {
+	if result.err != nil {
+		return result.err
+	}
+	f := result.file
+	defer f.Close()
+	if err := readFromExecFifo(f); err != nil {
+		return err
+	}
+	return os.Remove(f.Name())
+}
+
 type openResult struct {
 	file *os.File
 	err  error
@@ -940,7 +943,7 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {

 	// Since a container can be C/R'ed multiple times,
 	// the checkpoint directory may already exist.
-	if err := os.Mkdir(criuOpts.ImagesDirectory, 0755); err != nil && !os.IsExist(err) {
+	if err := os.Mkdir(criuOpts.ImagesDirectory, 0700); err != nil && !os.IsExist(err) {
 		return err
 	}

@@ -948,7 +951,7 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {
 		criuOpts.WorkDirectory = filepath.Join(c.root, "criu.work")
 	}

-	if err := os.Mkdir(criuOpts.WorkDirectory, 0755); err != nil && !os.IsExist(err) {
+	if err := os.Mkdir(criuOpts.WorkDirectory, 0700); err != nil && !os.IsExist(err) {
 		return err
 	}

@@ -1111,7 +1114,7 @@ func (c *linuxContainer) Checkpoint(criuOpts *CriuOpts) error {
 			return err
 		}

-		err = ioutil.WriteFile(filepath.Join(criuOpts.ImagesDirectory, descriptorsFilename), fdsJSON, 0655)
+		err = ioutil.WriteFile(filepath.Join(criuOpts.ImagesDirectory, descriptorsFilename), fdsJSON, 0600)
 		if err != nil {
 			return err
 		}
@@ -1246,7 +1249,7 @@ func (c *linuxContainer) Restore(process *Process, criuOpts *CriuOpts) error {
 	}
 	// Since a container can be C/R'ed multiple times,
 	// the work directory may already exist.
-	if err := os.Mkdir(criuOpts.WorkDirectory, 0655); err != nil && !os.IsExist(err) {
+	if err := os.Mkdir(criuOpts.WorkDirectory, 0700); err != nil && !os.IsExist(err) {
 		return err
 	}
 	workDir, err := os.Open(criuOpts.WorkDirectory)
@@ -1824,7 +1827,7 @@ func (c *linuxContainer) isPaused() (bool, error) {
 	data, err := ioutil.ReadFile(filepath.Join(fcg, filename))
 	if err != nil {
 		// If freezer cgroup is not mounted, the container would just be not paused.
-		if os.IsNotExist(err) {
+		if os.IsNotExist(err) || err == syscall.ENODEV {
 			return false, nil
 		}
 		return false, newSystemErrorWithCause(err, "checking if container is paused")
--- a/vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/factory_linux.go
@@ -14,12 +14,14 @@ import (
 	"github.com/cyphar/filepath-securejoin"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/cgroups/fs"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fs2"
 	"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/configs/validate"
 	"github.com/opencontainers/runc/libcontainer/intelrdt"
 	"github.com/opencontainers/runc/libcontainer/mount"
 	"github.com/opencontainers/runc/libcontainer/utils"
+	"github.com/pkg/errors"

 	"golang.org/x/sys/unix"
 )
@@ -59,10 +61,37 @@ func SystemdCgroups(l *LinuxFactory) error {
 	return nil
 }

+func getUnifiedPath(paths map[string]string) string {
+	unifiedPath := ""
+	for k, v := range paths {
+		if unifiedPath == "" {
+			unifiedPath = v
+		} else if v != unifiedPath {
+			panic(errors.Errorf("expected %q path to be unified path %q, got %q", k, unifiedPath, v))
+		}
+	}
+	// can be empty
+	return unifiedPath
+}
+
+func cgroupfs2(l *LinuxFactory, rootless bool) error {
+	l.NewCgroupsManager = func(config *configs.Cgroup, paths map[string]string) cgroups.Manager {
+		m, err := fs2.NewManager(config, getUnifiedPath(paths), rootless)
+		if err != nil {
+			panic(err)
+		}
+		return m
+	}
+	return nil
+}
+
 // Cgroupfs is an options func to configure a LinuxFactory to return containers
 // that use the native cgroups filesystem implementation to create and manage
 // cgroups.
 func Cgroupfs(l *LinuxFactory) error {
+	if cgroups.IsCgroup2UnifiedMode() {
+		return cgroupfs2(l, false)
+	}
 	l.NewCgroupsManager = func(config *configs.Cgroup, paths map[string]string) cgroups.Manager {
 		return &fs.Manager{
 			Cgroups: config,
@@ -79,6 +108,9 @@ func Cgroupfs(l *LinuxFactory) error {
 // during rootless container (including euid=0 in userns) setup (while still allowing cgroup usage if
 // they've been set up properly).
 func RootlessCgroupfs(l *LinuxFactory) error {
+	if cgroups.IsCgroup2UnifiedMode() {
+		return cgroupfs2(l, true)
+	}
 	l.NewCgroupsManager = func(config *configs.Cgroup, paths map[string]string) cgroups.Manager {
 		return &fs.Manager{
 			Cgroups:  config,
--- a/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/init_linux.go
@@ -127,6 +127,12 @@ func finalizeNamespace(config *initConfig) error {
 		return errors.Wrap(err, "close exec fds")
 	}

+	if config.Cwd != "" {
+		if err := unix.Chdir(config.Cwd); err != nil {
+			return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
+		}
+	}
+
 	capabilities := &configs.Capabilities{}
 	if config.Capabilities != nil {
 		capabilities = config.Capabilities
@@ -154,11 +160,6 @@ func finalizeNamespace(config *initConfig) error {
 	if err := w.ApplyCaps(); err != nil {
 		return errors.Wrap(err, "apply caps")
 	}
-	if config.Cwd != "" {
-		if err := unix.Chdir(config.Cwd); err != nil {
-			return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
-		}
-	}
 	return nil
 }

--- a/vendor/github.com/opencontainers/runc/libcontainer/network_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/network_linux.go
@@ -10,6 +10,7 @@ import (
 	"strings"

 	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/types"
 	"github.com/vishvananda/netlink"
 )

@@ -37,8 +38,8 @@ func getStrategy(tpe string) (networkStrategy, error) {
 }

 // Returns the network statistics for the network interfaces represented by the NetworkRuntimeInfo.
-func getNetworkInterfaceStats(interfaceName string) (*NetworkInterface, error) {
-	out := &NetworkInterface{Name: interfaceName}
+func getNetworkInterfaceStats(interfaceName string) (*types.NetworkInterface, error) {
+	out := &types.NetworkInterface{Name: interfaceName}
 	// This can happen if the network runtime information is missing - possible if the
 	// container was created by an old version of libcontainer.
 	if interfaceName == "" {
--- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
@@ -279,8 +279,14 @@ func mountCgroupV2(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b
 	if err := os.MkdirAll(cgroupPath, 0755); err != nil {
 		return err
 	}
-
-	return unix.Mount(m.Source, cgroupPath, "cgroup2", uintptr(m.Flags), m.Data)
+	if err := unix.Mount(m.Source, cgroupPath, "cgroup2", uintptr(m.Flags), m.Data); err != nil {
+		// when we are in UserNS but CgroupNS is not unshared, we cannot mount cgroup2 (#2158)
+		if err == unix.EPERM || err == unix.EBUSY {
+			return unix.Mount("/sys/fs/cgroup", cgroupPath, "", uintptr(m.Flags)|unix.MS_BIND, "")
+		}
+		return err
+	}
+	return nil
 }

 func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns bool) error {
@@ -293,6 +299,18 @@ func mountToRootfs(m *configs.Mount, rootfs, mountLabel string, enableCgroupns b

 	switch m.Device {
 	case "proc", "sysfs":
+		// If the destination already exists and is not a directory, we bail
+		// out This is to avoid mounting through a symlink or similar -- which
+		// has been a "fun" attack scenario in the past.
+		// TODO: This won't be necessary once we switch to libpathrs and we can
+		//       stop all of these symlink-exchange attacks.
+		if fi, err := os.Lstat(dest); err != nil {
+			if !os.IsNotExist(err) {
+				return err
+			}
+		} else if fi.Mode()&os.ModeDir == 0 {
+			return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
+		}
 		if err := os.MkdirAll(dest, 0755); err != nil {
 			return err
 		}
--- a/vendor/github.com/opencontainers/runc/libcontainer/stats.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/stats.go
@@ -1,15 +0,0 @@
-package libcontainer
-
-type NetworkInterface struct {
-	// Name is the name of the network interface.
-	Name string
-
-	RxBytes   uint64
-	RxPackets uint64
-	RxErrors  uint64
-	RxDropped uint64
-	TxBytes   uint64
-	TxPackets uint64
-	TxErrors  uint64
-	TxDropped uint64
-}
--- a/vendor/github.com/opencontainers/runc/libcontainer/stats_linux.go
+++ b/vendor/github.com/opencontainers/runc/libcontainer/stats_linux.go
@@ -1,10 +1,13 @@
 package libcontainer

-import "github.com/opencontainers/runc/libcontainer/cgroups"
-import "github.com/opencontainers/runc/libcontainer/intelrdt"
+import (
+	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/intelrdt"
+	"github.com/opencontainers/runc/types"
+)

 type Stats struct {
-	Interfaces    []*NetworkInterface
+	Interfaces    []*types.NetworkInterface
 	CgroupStats   *cgroups.Stats
 	IntelRdtStats *intelrdt.Stats
 }