From 655f8ea80851d4b41620f1584bf17fedc10184d3 Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Tue, 16 Feb 2016 16:43:42 -0800
Subject: [PATCH] Do not set devices cgroup entries if in a user namespace

When in a non-initial user namespace you cannot update the devices cgroup whitelist (or blacklist). The kernel won't allow it. So detect that case and don't try. This is a step to being able to run docker/runc containers inside a user namespaced container.

Signed-off-by: Serge Hallyn
---
 libcontainer/cgroups/fs/devices.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libcontainer/cgroups/fs/devices.go b/libcontainer/cgroups/fs/devices.go
index 4969798c..5f783310 100644
--- a/libcontainer/cgroups/fs/devices.go
+++ b/libcontainer/cgroups/fs/devices.go
@@ -5,6 +5,7 @@ package fs
 import (
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/system"
 )
 
 type DevicesGroup struct {
@@ -25,6 +26,10 @@ func (s *DevicesGroup) Apply(d *cgroupData) error {
 }
 
 func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
+	if system.RunningInUserNS() {
+		return nil
+	}
+
 	devices := cgroup.Resources.Devices
 	if len(devices) > 0 {
 		for _, dev := range devices {
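Review bot: The early return added at the top of DevicesGroup.Set reports success while applying none of cgroup.Resources.Devices, so a caller that configured device allow/deny rules has no signal that they were dropped, and the devices cgroup is the layer that is supposed to bound which device nodes the container can reach. At minimum the skip deserves an explanatory comment, e.g. `// Writing the devices cgroup from a non-initial user namespace is rejected by the kernel, so device rules are intentionally not applied here; whatever restriction the outer namespace already enforces is all that remains in effect.`, so the next reader does not mistake it for a bug. It would also be worth emitting a debug-level log when len(cgroup.Resources.Devices) > 0 is being skipped, since that is the case where an operator would expect enforcement; whether the surrounding code has a logger in scope is not visible in this hunk. The body of Set continues past the end of the hunk.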