
cgroup2: cgroupns is not unshared when DOCKER_API_VERSION < 1.41 #41071

@AkihiroSuda

Description

Docker is expected to unshare cgroup namespace by default on cgroup v2 hosts.
However, the cgroup namespace is not unshared when a container was created by an older API client.

Steps to reproduce the issue:
Inspect the host cgroup namespace (4026531835):

$ sudo ls -l /proc/1/ns/cgroup
lrwxrwxrwx 1 root root 0 Jun  5 16:36 /proc/1/ns/cgroup -> 'cgroup:[4026531835]'

API 1.41 creates a container with a new namespace (4026533000) as expected:

$ DOCKER_API_VERSION=1.41 docker run --rm alpine ls -l /proc/1/ns/cgroup
lrwxrwxrwx    1 root     root             0 Jun  5 07:36 /proc/1/ns/cgroup -> cgroup:[4026533000]

OTOH API 1.40 creates a container with the host cgroup namespace (4026531835):

$ DOCKER_API_VERSION=1.40 docker run --rm alpine ls -l /proc/1/ns/cgroup
lrwxrwxrwx    1 root     root             0 Jun  5 07:36 /proc/1/ns/cgroup -> cgroup:[4026531835]

Describe the results you received:
API 1.40 creates a container with the host cgroup namespace (4026531835).

Describe the results you expected:
A new cgroup namespace should always be created by default on cgroup v2 hosts.

Output of docker version:

Client:
 Version:           20.03.0-dev
 API version:       1.41
 Go version:        go1.13.11
 Git commit:        8f14db8df
 Built:             Fri Jun  5 07:30:25 2020
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          dev
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.11
  Git commit:       fa38a6cd21
  Built:            Fri Jun  5 07:28:36 2020
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.4.0-beta.1-18-g38cb1c1a
  GitCommit:        38cb1c1a54e3180edd29933974d715b69334f0f1
 runc:
  Version:          1.0.0-rc10+dev
  GitCommit:        2a0466958d9af23af2ad12bd79d06ed0af4091e2
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Build with BuildKit (Docker Inc., v0.4.1)

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 4
 Server Version: dev
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 38cb1c1a54e3180edd29933974d715b69334f0f1
 runc version: 2a0466958d9af23af2ad12bd79d06ed0af4091e2
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
  cgroupns
 Kernel Version: 5.4.0-33-generic
 Operating System: Ubuntu 20.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.748GiB
 Name: suda-ws01
 ID: E2YB:EGZO:6BNW:EPHS:4WFQ:EIDV:ZZ6D:QBZK:6673:CIOR:DLZ6:SI3D
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 32
  Goroutines: 56
  System Time: 2020-06-05T16:42:51.430978282+09:00
  EventsListeners: 0
 Username: akihirosuda
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No kernel memory limit support
WARNING: No kernel memory TCP limit support
WARNING: No oom kill disable support
WARNING: Support for cgroup v2 is experimental
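The reproduction above compares the `cgroup:[<inode>]` link targets of `/proc/1/ns/cgroup` on the host and inside the container by eye. The script below is an added example (not part of the issue and not Moby's own code) that automates that comparison so a host can be audited for containers that silently ended up in the host cgroup namespace, for example because they were created through an older API client. The helper names (`cgroupns_inode`, `cgroupns_shared`, `cgroupns_mode_of`, `check_container_cgroupns`) are this example's own; the live check assumes `docker exec` and `readlink` are available and that the caller may run them. The sample link lines are constructed to mirror the two outputs quoted in the issue.

```shell
#!/bin/sh
# Added example: detect containers that share the host cgroup namespace.
# readlink /proc/<pid>/ns/cgroup prints "cgroup:[<inode>]"; two processes are in the
# same cgroup namespace exactly when that inode is the same.

# Extract the namespace inode from a readlink result or a full 'ls -l' line
# (quoted or unquoted target). Prints nothing when no cgroup link is present.
cgroupns_inode() {
    printf '%s\n' "$1" | sed -n 's/.*cgroup:\[\([0-9][0-9]*\)\].*/\1/p'
}

# True (exit 0) when both strings denote the same cgroup namespace.
# An unparsable host string is treated as "not shared" rather than as a match.
cgroupns_shared() {
    host_ns=$(cgroupns_inode "$1")
    ctr_ns=$(cgroupns_inode "$2")
    [ -n "$host_ns" ] && [ "$host_ns" = "$ctr_ns" ]
}

# Classify the container relative to the host: prints "host" or "private".
cgroupns_mode_of() {
    if cgroupns_shared "$1" "$2"; then echo host; else echo private; fi
}

# Live check of one running container (hypothetical helper; needs docker access).
# Only 'readlink' is run inside the container, so a minimal image such as alpine suffices.
# Exit status is 0 when the container has its own cgroup namespace, 1 otherwise.
check_container_cgroupns() {
    ctr="$1"
    host_link=$(readlink /proc/1/ns/cgroup)
    ctr_link=$(docker exec "$ctr" readlink /proc/1/ns/cgroup)
    mode=$(cgroupns_mode_of "$host_link" "$ctr_link")
    printf '%s: cgroupns=%s (host %s, container %s)\n' "$ctr" "$mode" "$host_link" "$ctr_link"
    [ "$mode" = private ]
}

# Constructed sample lines mirroring the issue's host, API 1.41 and API 1.40 outputs.
SAMPLE_HOST="lrwxrwxrwx 1 root root 0 Jun  5 16:36 /proc/1/ns/cgroup -> 'cgroup:[4026531835]'"
SAMPLE_API141="lrwxrwxrwx    1 root     root             0 Jun  5 07:36 /proc/1/ns/cgroup -> cgroup:[4026533000]"
SAMPLE_API140="lrwxrwxrwx    1 root     root             0 Jun  5 07:36 /proc/1/ns/cgroup -> cgroup:[4026531835]"

# usage: sh check_cgroupns.sh <container> [<container> ...]
# With no arguments the functions are only defined, so the file can be sourced or tested.
if [ "$#" -gt 0 ]; then
    rc=0
    for c in "$@"; do check_container_cgroupns "$c" || rc=1; done
    exit $rc
fi
```

Running it against the two containers from the reproduction would report `private` for the one started with `DOCKER_API_VERSION=1.41` and `host` for the one started with `DOCKER_API_VERSION=1.40`. The check looks at the namespace the container actually runs in rather than at what was requested, which is the point here: a container in the host cgroup namespace sees the host's full cgroup hierarchy under `/sys/fs/cgroup`, so the live state, not the API-level setting, is what an audit should compare.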

Metadata

Assignees: No one assigned

Labels: area/api, area/cgroup2, kind/bug