@@ -247,7 +247,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install runc

-ENV RUNC_COMMIT d563bd134293c1026976a8f5764d5df5612f1dbf

+ENV RUNC_COMMIT 5439bd2d95229c4e213a219174c7b9da284e3487

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

@@ -257,7 +257,7 @@ RUN set -x \

 	&& cp runc /usr/local/bin/docker-runc

 # Install containerd

-ENV CONTAINERD_COMMIT c761085e92be09df9d5298f852c328b538f5dc2f

+ENV CONTAINERD_COMMIT 471bb075214cf0ad85f74f003ca00c7651638c79

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \

@@ -181,7 +181,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install runc

-ENV RUNC_COMMIT d563bd134293c1026976a8f5764d5df5612f1dbf

+ENV RUNC_COMMIT 5439bd2d95229c4e213a219174c7b9da284e3487

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

@@ -191,7 +191,7 @@ RUN set -x \

 	&& cp runc /usr/local/bin/docker-runc

 # Install containerd

-ENV CONTAINERD_COMMIT c761085e92be09df9d5298f852c328b538f5dc2f

+ENV CONTAINERD_COMMIT 471bb075214cf0ad85f74f003ca00c7651638c79

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \

@@ -198,7 +198,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install runc

-ENV RUNC_COMMIT d563bd134293c1026976a8f5764d5df5612f1dbf

+ENV RUNC_COMMIT 5439bd2d95229c4e213a219174c7b9da284e3487

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

@@ -208,7 +208,7 @@ RUN set -x \

 	&& cp runc /usr/local/bin/docker-runc

 # Install containerd

-ENV CONTAINERD_COMMIT c761085e92be09df9d5298f852c328b538f5dc2f

+ENV CONTAINERD_COMMIT 471bb075214cf0ad85f74f003ca00c7651638c79

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \

@@ -74,7 +74,7 @@ WORKDIR /go/src/github.com/docker/docker

 ENV DOCKER_BUILDTAGS apparmor seccomp selinux

 # Install runc

-ENV RUNC_COMMIT d563bd134293c1026976a8f5764d5df5612f1dbf

+ENV RUNC_COMMIT 5439bd2d95229c4e213a219174c7b9da284e3487

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

@@ -84,7 +84,7 @@ RUN set -x \

 	&& cp runc /usr/local/bin/docker-runc

 # Install containerd

-ENV CONTAINERD_COMMIT c761085e92be09df9d5298f852c328b538f5dc2f

+ENV CONTAINERD_COMMIT 471bb075214cf0ad85f74f003ca00c7651638c79

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \

@@ -199,7 +199,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install runc

-ENV RUNC_COMMIT d563bd134293c1026976a8f5764d5df5612f1dbf

+ENV RUNC_COMMIT 5439bd2d95229c4e213a219174c7b9da284e3487

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

@@ -209,7 +209,7 @@ RUN set -x \

 	&& cp runc /usr/local/bin/docker-runc

 # Install containerd

-ENV CONTAINERD_COMMIT c761085e92be09df9d5298f852c328b538f5dc2f

+ENV CONTAINERD_COMMIT 471bb075214cf0ad85f74f003ca00c7651638c79

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \

@@ -178,7 +178,7 @@ RUN set -x \

 	&& rm -rf "$GOPATH"

 # Install runc

-ENV RUNC_COMMIT d563bd134293c1026976a8f5764d5df5612f1dbf

+ENV RUNC_COMMIT 5439bd2d95229c4e213a219174c7b9da284e3487

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

@@ -188,7 +188,7 @@ RUN set -x \

 	&& cp runc /usr/local/bin/docker-runc

 # Install containerd

-ENV CONTAINERD_COMMIT c761085e92be09df9d5298f852c328b538f5dc2f

+ENV CONTAINERD_COMMIT 471bb075214cf0ad85f74f003ca00c7651638c79

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \

@@ -30,7 +30,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \

 	&& rm -rf /var/lib/apt/lists/*

 # Install runc

-ENV RUNC_COMMIT d563bd134293c1026976a8f5764d5df5612f1dbf

+ENV RUNC_COMMIT 5439bd2d95229c4e213a219174c7b9da284e3487

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

@@ -40,7 +40,7 @@ RUN set -x \

 	&& cp runc /usr/local/bin/docker-runc

 # Install containerd

-ENV CONTAINERD_COMMIT c761085e92be09df9d5298f852c328b538f5dc2f

+ENV CONTAINERD_COMMIT 471bb075214cf0ad85f74f003ca00c7651638c79

 RUN set -x \

 	&& export GOPATH="$(mktemp -d)" \

 	&& git clone git://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \

@@ -466,28 +466,36 @@ func verifyContainerResources(resources *containertypes.Resources, sysInfo *sysi

 func (daemon *Daemon) getCgroupDriver() string {

 	cgroupDriver := cgroupFsDriver

-	// No other cgroup drivers are supported at the moment. Warn the

-	// user if they tried to set one other than cgroupfs

-	for _, option := range daemon.configStore.ExecOptions {

+	if UsingSystemd(daemon.configStore) {

+		cgroupDriver = cgroupSystemdDriver

+	}

+	return cgroupDriver

+}

+

+// getCD gets the raw value of the native.cgroupdriver option, if set.

+func getCD(config *Config) string {

+	for _, option := range config.ExecOptions {

 		key, val, err := parsers.ParseKeyValueOpt(option)

 		if err != nil || !strings.EqualFold(key, "native.cgroupdriver") {

 			continue

 		}

-		if val != cgroupFsDriver {

-			logrus.Warnf("cgroupdriver '%s' is not supported", val)

-		}

+		return val

 	}

-

-	return cgroupDriver

+	return ""

 }

-func usingSystemd(config *Config) bool {

-	// No support for systemd cgroup atm

-	return false

+// VerifyCgroupDriver validates native.cgroupdriver

+func VerifyCgroupDriver(config *Config) error {

+	cd := getCD(config)

+	if cd == "" || cd == cgroupFsDriver || cd == cgroupSystemdDriver {

+		return nil

+	}

+	return fmt.Errorf("native.cgroupdriver option %s not supported", cd)

 }

-func (daemon *Daemon) usingSystemd() bool {

-	return daemon.getCgroupDriver() == cgroupSystemdDriver

+// UsingSystemd returns true if cli option includes native.cgroupdriver=systemd

+func UsingSystemd(config *Config) bool {

+	return getCD(config) == cgroupSystemdDriver

 }

 // verifyPlatformContainerSettings performs platform-specific validation of the

@@ -533,7 +541,7 @@ func verifyPlatformContainerSettings(daemon *Daemon, hostConfig *containertypes.

 			return warnings, fmt.Errorf("Cannot use the --read-only option when user namespaces are enabled")

 		}

 	}

-	if hostConfig.CgroupParent != "" && daemon.usingSystemd() {

+	if hostConfig.CgroupParent != "" && UsingSystemd(daemon.configStore) {

 		// CgroupParent for systemd cgroup should be named as "xxx.slice"

 		if len(hostConfig.CgroupParent) <= 6 || !strings.HasSuffix(hostConfig.CgroupParent, ".slice") {

 			return warnings, fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")

@@ -554,7 +562,10 @@ func verifyDaemonSettings(config *Config) error {

 	if !config.bridgeConfig.EnableIPTables && config.bridgeConfig.EnableIPMasq {

 		config.bridgeConfig.EnableIPMasq = false

 	}

-	if config.CgroupParent != "" && usingSystemd(config) {

+	if err := VerifyCgroupDriver(config); err != nil {

+		return err

+	}

+	if config.CgroupParent != "" && UsingSystemd(config) {

 		if len(config.CgroupParent) <= 6 || !strings.HasSuffix(config.CgroupParent, ".slice") {

 			return fmt.Errorf("cgroup-parent for systemd cgroup should be a valid slice named as \"xxx.slice\"")

 		}

@@ -8,6 +8,7 @@ import (

 	"strconv"

 	"strings"

+	"github.com/Sirupsen/logrus"

 	"github.com/docker/docker/container"

 	"github.com/docker/docker/daemon/caps"

 	"github.com/docker/docker/libcontainerd"

@@ -583,16 +584,24 @@ func (daemon *Daemon) createSpec(c *container.Container) (*libcontainerd.Spec, e

 	}

 	var cgroupsPath string

+	scopePrefix := "docker"

+	parent := "/docker"

+	useSystemd := UsingSystemd(daemon.configStore)

+	if useSystemd {

+		parent = "system.slice"

+	}

+

 	if c.HostConfig.CgroupParent != "" {

-		cgroupsPath = filepath.Join(c.HostConfig.CgroupParent, c.ID)

+		parent = c.HostConfig.CgroupParent

+	} else if daemon.configStore.CgroupParent != "" {

+		parent = daemon.configStore.CgroupParent

+	}

+

+	if useSystemd {

+		cgroupsPath = parent + ":" + scopePrefix + ":" + c.ID

+		logrus.Debugf("createSpec: cgroupsPath: %s", cgroupsPath)

 	} else {

-		defaultCgroupParent := "/docker"

-		if daemon.configStore.CgroupParent != "" {

-			defaultCgroupParent = daemon.configStore.CgroupParent

-		} else if daemon.usingSystemd() {

-			defaultCgroupParent = "system.slice"

-		}

-		cgroupsPath = filepath.Join(defaultCgroupParent, c.ID)

+		cgroupsPath = filepath.Join(parent, c.ID)

 	}

 	s.Linux.CgroupsPath = &cgroupsPath

@@ -74,5 +74,9 @@ func (cli *DaemonCli) getPlatformRemoteOptions() []libcontainerd.RemoteOption {

 	} else {

 		opts = append(opts, libcontainerd.WithStartDaemon(true))

 	}

+	if daemon.UsingSystemd(cli.Config) {

+		args := []string{"--systemd-cgroup=true"}

+		opts = append(opts, libcontainerd.WithRuntimeArgs(args))

+	}

 	return opts

 }

@@ -491,12 +491,13 @@ with the `--exec-opt` flag. All the flag's options have the `native` prefix. A

 single `native.cgroupdriver` option is available.

 The `native.cgroupdriver` option specifies the management of the container's

-cgroups. You can specify only specify `cgroupfs` at the moment.  If you omit the

+cgroups. You can specify only specify `cgroupfs` or `systemd`. If you specify

+`systemd` and it is not available, the system errors out. If you omit the

 `native.cgroupdriver` option,` cgroupfs` is used.

-This example explicitely sets the `cgroupdriver` to `cgroupfs`:

+This example sets the `cgroupdriver` to `systemd`:

-    $ sudo docker daemon --exec-opt native.cgroupdriver=cgroupfs

+    $ sudo docker daemon --exec-opt native.cgroupdriver=systemd

 Setting this option applies to all containers the daemon launches.

@@ -46,6 +46,7 @@ type remote struct {

 	clients     []*client

 	eventTsPath string

 	pastEvents  map[string]*containerd.Event

+	runtimeArgs []string

 }

 // New creates a fresh instance of libcontainerd remote.

@@ -341,7 +342,14 @@ func (r *remote) runContainerdDaemon() error {

 	// Start a new instance

 	args := []string{"-l", r.rpcAddr, "--runtime", "docker-runc"}

 	if r.debugLog {

-		args = append(args, "--debug", "true")

+		args = append(args, "--debug")

+	}

+	if len(r.runtimeArgs) > 0 {

+		for _, v := range r.runtimeArgs {

+			args = append(args, "--runtime-args")

+			args = append(args, v)

+		}

+		logrus.Debugf("runContainerdDaemon: runtimeArgs: %s", args)

 	}

 	cmd := exec.Command(containerdBinary, args...)

 	// TODO: store logs?

@@ -376,6 +384,21 @@ func (a rpcAddr) Apply(r Remote) error {

 	return fmt.Errorf("WithRemoteAddr option not supported for this remote")

 }

+// WithRuntimeArgs sets the list of runtime args passed to containerd

+func WithRuntimeArgs(args []string) RemoteOption {

+	return runtimeArgs(args)

+}

+

+type runtimeArgs []string

+

+func (rt runtimeArgs) Apply(r Remote) error {

+	if remote, ok := r.(*remote); ok {

+		remote.runtimeArgs = rt

+		return nil

+	}

+	return fmt.Errorf("WithRuntimeArgs option not supported for this remote")

+}

+

 // WithStartDaemon defines if libcontainerd should also run containerd daemon.

 func WithStartDaemon(start bool) RemoteOption {

 	return startDaemon(start)

@@ -230,8 +230,9 @@ Use the **--exec-opt** flags to specify options to the execution driver.

 The following options are available:

 #### native.cgroupdriver

-Specifies the management of the container's `cgroups`. Only `cgroupfs` can be specified

-`cgroupfs` at the moment.

+Specifies the management of the container's `cgroups`. You can specify `cgroupfs`

+or `systemd`. If you specify `systemd` and it is not available, the system errors

+out.

 #### Client

 For specific client examples please see the man page for the specific Docker