diff --git a/libcontainer/cgroups/fs/fs.go b/libcontainer/cgroups/fs/fs.go
index 98e1e342663..29690dd62b8 100644
--- a/libcontainer/cgroups/fs/fs.go
+++ b/libcontainer/cgroups/fs/fs.go
@@ -218,7 +218,10 @@ func (m *manager) Apply(pid int) (err error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
-	var c = m.cgroups
+	c := m.cgroups
+	if c.Resources.Unified != nil {
+		return cgroups.ErrV1NoUnified
+	}
 
 	m.paths = make(map[string]string)
 	if c.Paths != nil {
@@ -309,6 +312,9 @@ func (m *manager) Set(container *configs.Config) error {
 	if m.cgroups != nil && m.cgroups.Paths != nil {
 		return nil
 	}
+	if container.Cgroups.Resources.Unified != nil {
+		return cgroups.ErrV1NoUnified
+	}
 
 	m.mu.Lock()
 	defer m.mu.Unlock()
diff --git a/libcontainer/cgroups/fs2/fs2.go b/libcontainer/cgroups/fs2/fs2.go
index 0975064f2da..a0691f6a558 100644
--- a/libcontainer/cgroups/fs2/fs2.go
+++ b/libcontainer/cgroups/fs2/fs2.go
@@ -3,11 +3,14 @@
 package fs2
 
 import (
+	"fmt"
 	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strings"
 
 	"github.com/opencontainers/runc/libcontainer/cgroups"
+	"github.com/opencontainers/runc/libcontainer/cgroups/fscommon"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/pkg/errors"
 )
@@ -206,10 +209,41 @@ func (m *manager) Set(container *configs.Config) error {
 	if err := setFreezer(m.dirPath, container.Cgroups.Freezer); err != nil {
 		return err
 	}
+	if err := m.setUnified(container.Cgroups.Unified); err != nil {
+		return err
+	}
 	m.config = container.Cgroups
 	return nil
 }
 
+func (m *manager) setUnified(res map[string]string) error {
+	for k, v := range res {
+		if strings.Contains(k, "/") {
+			return fmt.Errorf("unified resource %q must be a file name (no slashes)", k)
+		}
+		if err := fscommon.WriteFile(m.dirPath, k, v); err != nil {
+			errC := errors.Cause(err)
+			// Check for both EPERM and ENOENT since O_CREAT is used by WriteFile.
+			if errors.Is(errC, os.ErrPermission) || errors.Is(errC, os.ErrNotExist) {
+				// Check if a controller is available,
+				// to give more specific error if not.
+				sk := strings.SplitN(k, ".", 2)
+				if len(sk) != 2 {
+					return fmt.Errorf("unified resource %q must be in the form CONTROLLER.PARAMETER", k)
+				}
+				c := sk[0]
+				if _, ok := m.controllers[c]; !ok && c != "cgroup" {
+					return fmt.Errorf("unified resource %q can't be set: controller %q not available", k, c)
+				}
+			}
+			return errors.Wrapf(err, "can't set unified resource %q", k)
+		}
+
+	}
+
+	return nil
+}
+
 func (m *manager) GetPaths() map[string]string {
 	paths := make(map[string]string, 1)
 	paths[""] = m.dirPath
diff --git a/libcontainer/cgroups/systemd/v1.go b/libcontainer/cgroups/systemd/v1.go
index cc2d19cd2f1..eeda18a90cc 100644
--- a/libcontainer/cgroups/systemd/v1.go
+++ b/libcontainer/cgroups/systemd/v1.go
@@ -101,6 +101,10 @@ func (m *legacyManager) Apply(pid int) error {
 		properties []systemdDbus.Property
 	)
 
+	if c.Resources.Unified != nil {
+		return cgroups.ErrV1NoUnified
+	}
+
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	if c.Paths != nil {
@@ -342,6 +346,9 @@ func (m *legacyManager) Set(container *configs.Config) error {
 	if m.cgroups.Paths != nil {
 		return nil
 	}
+	if container.Cgroups.Resources.Unified != nil {
+		return cgroups.ErrV1NoUnified
+	}
 	dbusConnection, err := getDbusConnection(false)
 	if err != nil {
 		return err
diff --git a/libcontainer/cgroups/v1_utils.go b/libcontainer/cgroups/v1_utils.go
index a94f208616e..8b9275fb926 100644
--- a/libcontainer/cgroups/v1_utils.go
+++ b/libcontainer/cgroups/v1_utils.go
@@ -23,7 +23,8 @@ const (
 )
 
 var (
-	errUnified = errors.New("not implemented for cgroup v2 unified hierarchy")
+	errUnified     = errors.New("not implemented for cgroup v2 unified hierarchy")
+	ErrV1NoUnified = errors.New("invalid configuration: cannot use unified on cgroup v1")
 )
 
 type NotFoundError struct {
diff --git a/libcontainer/configs/cgroup_linux.go b/libcontainer/configs/cgroup_linux.go
index 6e90ae16b50..dcc29c61944 100644
--- a/libcontainer/configs/cgroup_linux.go
+++ b/libcontainer/configs/cgroup_linux.go
@@ -127,6 +127,9 @@ type Resources struct {
 	// CpuWeight sets a proportional bandwidth limit.
 	CpuWeight uint64 `json:"cpu_weight"`
 
+	// Unified is cgroupv2-only key-value map.
+	Unified map[string]string `json:"unified"`
+
 	// SkipDevices allows to skip configuring device permissions.
 	// Used by e.g. kubelet while creating a parent cgroup (kubepods)
 	// common for many containers.
diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
index 923c5797c7e..3fdf04be8af 100644
--- a/libcontainer/integration/exec_test.go
+++ b/libcontainer/integration/exec_test.go
@@ -705,6 +705,155 @@ func testRunWithKernelMemory(t *testing.T, systemd bool) {
 	}
 }
 
+func TestCgroupResourcesUnifiedErrorOnV1(t *testing.T) {
+	testCgroupResourcesUnifiedErrorOnV1(t, false)
+}
+
+func TestCgroupResourcesUnifiedErrorOnV1Systemd(t *testing.T) {
+	if !systemd.IsRunningSystemd() {
+		t.Skip("Systemd is unsupported")
+	}
+	testCgroupResourcesUnifiedErrorOnV1(t, true)
+}
+
+func testCgroupResourcesUnifiedErrorOnV1(t *testing.T, systemd bool) {
+	if testing.Short() {
+		return
+	}
+	if cgroups.IsCgroup2UnifiedMode() {
+		t.Skip("requires cgroup v1")
+	}
+	rootfs, err := newRootfs()
+	ok(t, err)
+	defer remove(rootfs)
+
+	config := newTemplateConfig(rootfs)
+	if systemd {
+		config.Cgroups.Parent = "system.slice"
+	}
+	config.Cgroups.Resources.Unified = map[string]string{
+		"memory.min": "10240",
+	}
+	_, _, err = runContainer(config, "", "true")
+	if !strings.Contains(err.Error(), cgroups.ErrV1NoUnified.Error()) {
+		t.Fatalf("expected error to contain %v, got %v", cgroups.ErrV1NoUnified, err)
+	}
+}
+
+func TestCgroupResourcesUnified(t *testing.T) {
+	testCgroupResourcesUnified(t, false)
+}
+
+func TestCgroupResourcesUnifiedSystemd(t *testing.T) {
+	if !systemd.IsRunningSystemd() {
+		t.Skip("Systemd is unsupported")
+	}
+	testCgroupResourcesUnified(t, true)
+}
+
+func testCgroupResourcesUnified(t *testing.T, systemd bool) {
+	if testing.Short() {
+		return
+	}
+	if !cgroups.IsCgroup2UnifiedMode() {
+		t.Skip("requires cgroup v2")
+	}
+	rootfs, err := newRootfs()
+	ok(t, err)
+	defer remove(rootfs)
+
+	config := newTemplateConfig(rootfs)
+	config.Cgroups.Resources.Memory = 536870912     // 512M
+	config.Cgroups.Resources.MemorySwap = 536870912 // 512M, i.e. no swap
+	config.Namespaces.Add(configs.NEWCGROUP, "")
+	config.Mounts = append(config.Mounts, &configs.Mount{
+		Destination: "/sys/fs/cgroup",
+		Device:      "cgroup",
+		Flags:       defaultMountFlags | unix.MS_RDONLY,
+	})
+	if systemd {
+		config.Cgroups.Parent = "system.slice"
+	}
+
+	testCases := []struct {
+		name     string
+		cfg      map[string]string
+		expError string
+		cmd      []string
+		exp      string
+	}{
+		{
+			name: "dummy",
+			cmd:  []string{"true"},
+			exp:  "",
+		},
+		{
+			name: "set memory.min",
+			cfg:  map[string]string{"memory.min": "131072"},
+			cmd:  []string{"cat", "/sys/fs/cgroup/memory.min"},
+			exp:  "131072\n",
+		},
+		{
+			name: "check memory.max",
+			cmd:  []string{"cat", "/sys/fs/cgroup/memory.max"},
+			exp:  strconv.Itoa(int(config.Cgroups.Resources.Memory)) + "\n",
+		},
+
+		{
+			name: "overwrite memory.max",
+			cfg:  map[string]string{"memory.max": "268435456"},
+			cmd:  []string{"cat", "/sys/fs/cgroup/memory.max"},
+			exp:  "268435456\n",
+		},
+		{
+			name:     "no such controller error",
+			cfg:      map[string]string{"privet.vsem": "vam"},
+			expError: "controller \"privet\" not available",
+		},
+		{
+			name:     "slash in key error",
+			cfg:      map[string]string{"bad/key": "val"},
+			expError: "must be a file name (no slashes)",
+		},
+		{
+			name:     "no dot in key error",
+			cfg:      map[string]string{"badkey": "val"},
+			expError: "must be in the form CONTROLLER.PARAMETER",
+		},
+		{
+			name:     "read-only parameter",
+			cfg:      map[string]string{"pids.current": "42"},
+			expError: "failed to write",
+		},
+	}
+
+	for _, tc := range testCases {
+		config.Cgroups.Resources.Unified = tc.cfg
+		buffers, ret, err := runContainer(config, "", tc.cmd...)
+		if tc.expError != "" {
+			if err == nil {
+				t.Errorf("case %q failed: expected error, got nil", tc.name)
+				continue
+			}
+			if !strings.Contains(err.Error(), tc.expError) {
+				t.Errorf("case %q failed: expected error to contain %q, got %q", tc.name, tc.expError, err)
+			}
+			continue
+		}
+		if err != nil {
+			t.Errorf("case %q failed: expected no error, got %v (command: %v, status: %d, stderr: %q)",
+				tc.name, err, tc.cmd, ret, buffers.Stderr.String())
+			continue
+		}
+		if tc.exp != "" {
+			out := buffers.Stdout.String()
+			if out != tc.exp {
+				t.Errorf("expected %q, got %q", tc.exp, out)
+			}
+		}
+	}
+}
+
 func TestContainerState(t *testing.T) {
 	if testing.Short() {
 		return
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 11235acc432..ce74bcf2d47 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go
@@ -619,6 +619,13 @@ func CreateCgroupConfig(opts *CreateOpts, defaultDevs []*configs.Device) (*confi
 					})
 				}
 			}
+			if len(r.Unified) > 0 {
+				// copy the map
+				c.Resources.Unified = make(map[string]string, len(r.Unified))
+				for k, v := range r.Unified {
+					c.Resources.Unified[k] = v
+				}
+			}
 		}
 	}