diff --git a/.cirrus.yml b/.cirrus.yml index 6c67763dc54..cfd238f154e 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -31,12 +31,12 @@ task: host_info_script: | uname -a - echo "-----" + # ----- cat /etc/os-release - echo "-----" - cat /proc/cpuinfo - echo "-----" + # ----- df -T + # ----- + cat /proc/cpuinfo install_libvirt_vagrant_script: | curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list @@ -77,7 +77,7 @@ task: env: HOME: /root CIRRUS_WORKING_DIR: /home/runc - GO_VERSION: "1.19.8" + GO_VERSION: "1.20" BATS_VERSION: "v1.9.0" RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs # yamllint disable rule:key-duplicates @@ -130,7 +130,10 @@ task: # Use --whatprovides since some packages are renamed. rpm -q --whatprovides $RPMS # install Go - curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/local + PREFIX="https://go.dev/dl/" + # Find out the latest minor release URL. + eval $(curl -fsSL "${PREFIX}?mode=json" | jq -r --arg Ver "$GO_VERSION" '.[] | select(.version | startswith("go\($Ver)")) | .files[] | select(.os == "linux" and .arch == "amd64" and .kind == "archive") | "filename=\"" + .filename + "\""') + curl -fsSL "$PREFIX$filename" | tar Cxz /usr/local # install bats cd /tmp git clone https://github.com/bats-core/bats-core @@ -158,14 +161,16 @@ task: systemctl restart sshd host_info_script: | uname -a - echo "-----" + # ----- + /usr/local/go/bin/go version + # ----- + systemctl --version + # ----- cat /etc/os-release - echo "-----" - cat /proc/cpuinfo - echo "-----" + # ----- df -T - echo "-----" - systemctl --version + # ----- + cat /proc/cpuinfo check_config_script: | /home/runc/script/check-config.sh unit_tests_script: | 
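Review bot: In the "install Go" step, the new `eval $(curl … | jq …)` line runs text assembled from a network response as shell code. The `filename` value is spliced into a double-quoted assignment, so any shell metacharacters in it would be interpreted with the CI job's privileges. jq can return the name as plain data instead, and the same JSON entry carries a `sha256` field that the step never checks before streaming the archive into `tar`. If `GO_VERSION` matches nothing in the listing, `filename` stays empty and curl presumably fetches the index page, so an explicit guard gives a clearer failure. The checksum is served by the same origin as the listing, so it mainly catches a truncated or mismatched archive rather than a compromise of the download site itself.

```yaml
    # install Go
    PREFIX="https://go.dev/dl/"
    # Find out the latest minor release; treat the response as data, never as shell code.
    meta=$(curl -fsSL "${PREFIX}?mode=json" | jq -r --arg Ver "$GO_VERSION" '[.[] | select(.version | startswith("go\($Ver)")) | .files[] | select(.os == "linux" and .arch == "amd64" and .kind == "archive")][0] | "\(.sha256)  \(.filename)"')
    filename=${meta##* }
    [ -n "$filename" ] && [ "$filename" != "null" ] || { echo "no Go $GO_VERSION archive listed" >&2; exit 1; }
    curl -fsSL -o "/tmp/$filename" "$PREFIX$filename"
    # Verify the published checksum before unpacking into /usr/local.
    (cd /tmp && echo "$meta" | sha256sum -c -)
    tar -C /usr/local -xzf "/tmp/$filename"
    # … unchanged: install bats …
```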
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c93167e94a1..dc12234b3f9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,7 @@ jobs: strategy: fail-fast: false matrix: - go-version: [1.17.x, 1.19.x, 1.20.x] + go-version: [1.17.x, 1.20.x, 1.21.x] rootless: ["rootless", ""] race: ["-race", ""] criu: [""] @@ -60,7 +60,7 @@ jobs: rm -rf ~/criu - name: install go ${{ matrix.go-version }} - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: ${{ matrix.go-version }} @@ -119,7 +119,7 @@ jobs: sudo apt -q install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu - name: install go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: 1.x # Latest stable diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index c1ee2692d18..d97b1afe366 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -8,7 +8,7 @@ on: - release-* pull_request: env: - GO_VERSION: 1.19.x + GO_VERSION: 1.20.x jobs: keyring: @@ -24,16 +24,17 @@ jobs: - uses: actions/checkout@v3 with: fetch-depth: 2 - - uses: actions/setup-go@v3 + - uses: actions/setup-go@v4 with: go-version: "${{ env.GO_VERSION }}" + cache: false # golangci-lint-action does its own caching - name: install deps run: | sudo apt -q update sudo apt -q install libseccomp-dev - uses: golangci/golangci-lint-action@v3 with: - version: v1.48 + version: v1.53 # Extra linters, only checking new code from a pull request. - name: lint-extra if: github.event_name == 'pull_request' @@ -48,7 +49,7 @@ jobs: steps: - uses: actions/checkout@v3 - name: install go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: "${{ env.GO_VERSION }}" - name: compile with no build tags 
@@ -101,17 +102,9 @@ jobs: steps: - uses: actions/checkout@v3 - name: install go - uses: actions/setup-go@v3 + uses: actions/setup-go@v4 with: go-version: "${{ env.GO_VERSION }}" - - name: cache go mod and $GOCACHE - uses: actions/cache@v3 - with: - path: | - ~/go/pkg/mod - ~/.cache/go-build - key: ${{ runner.os }}-go.sum-${{ hashFiles('**/go.sum') }} - restore-keys: ${{ runner.os }}-go.sum- - name: verify deps run: make verify-dependencies diff --git a/Dockerfile b/Dockerfile index 8c4138b6dae..d24756bc1fc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -62,3 +62,7 @@ ENV PKG_CONFIG_PATH=/opt/libseccomp/lib/pkgconfig RUN git config --global --add safe.directory /go/src/github.com/opencontainers/runc WORKDIR /go/src/github.com/opencontainers/runc + +# Fixup for cgroup v2. +COPY script/prepare-cgroup-v2.sh / +ENTRYPOINT [ "/prepare-cgroup-v2.sh" ] diff --git a/libcontainer/cgroups/file_test.go b/libcontainer/cgroups/file_test.go index dc2b0630cde..94f1a99bff0 100644 --- a/libcontainer/cgroups/file_test.go +++ b/libcontainer/cgroups/file_test.go @@ -58,8 +58,6 @@ func TestOpenat2(t *testing.T) { {"/sys/fs/cgroup", "/cgroup.controllers"}, {"/sys/fs/cgroup/", "cgroup.controllers"}, {"/sys/fs/cgroup/", "/cgroup.controllers"}, - {"/sys/fs/cgroup/user.slice", "cgroup.controllers"}, - {"/sys/fs/cgroup/user.slice/", "/cgroup.controllers"}, {"/", "/sys/fs/cgroup/cgroup.controllers"}, {"/", "sys/fs/cgroup/cgroup.controllers"}, {"/sys/fs/cgroup/cgroup.controllers", ""}, diff --git a/libcontainer/cgroups/manager/manager_test.go b/libcontainer/cgroups/manager/manager_test.go index b53e6f1761e..6f0c0703a60 100644 --- a/libcontainer/cgroups/manager/manager_test.go +++ b/libcontainer/cgroups/manager/manager_test.go @@ -3,6 +3,7 @@ package manager import ( "testing" + "github.com/opencontainers/runc/libcontainer/cgroups/systemd" "github.com/opencontainers/runc/libcontainer/configs" ) 
@@ -10,35 +11,45 @@ import ( // config.Resources is nil. While it does not make sense to use a // manager with no resources, it should not result in a panic. // -// This tests either v1 or v2 managers (both fs and systemd), -// depending on what cgroup version is available on the host. +// This tests either v1 or v2 fs cgroup manager, depending on which +// cgroup version is available. func TestNilResources(t *testing.T) { - for _, sd := range []bool{false, true} { - cg := &configs.Cgroup{} // .Resources is nil - cg.Systemd = sd - mgr, err := New(cg) + testNilResources(t, false) +} + +// TestNilResourcesSystemd is the same as TestNilResources, +// only checking the systemd cgroup manager. +func TestNilResourcesSystemd(t *testing.T) { + if !systemd.IsRunningSystemd() { + t.Skip("requires systemd") + } + testNilResources(t, true) +} + +func testNilResources(t *testing.T, systemd bool) { + cg := &configs.Cgroup{} // .Resources is nil + cg.Systemd = systemd + mgr, err := New(cg) + if err != nil { + // Some managers require non-nil Resources during + // instantiation -- provide and retry. In such case + // we're mostly testing Set(nil) below. + cg.Resources = &configs.Resources{} + mgr, err = New(cg) if err != nil { - // Some managers require non-nil Resources during - // instantiation -- provide and retry. In such case - // we're mostly testing Set(nil) below. 
- cg.Resources = &configs.Resources{} - mgr, err = New(cg) - if err != nil { - t.Error(err) - continue - } + t.Fatal(err) } - _ = mgr.Apply(-1) - _ = mgr.Set(nil) - _ = mgr.Freeze(configs.Thawed) - _ = mgr.Exists() - _, _ = mgr.GetAllPids() - _, _ = mgr.GetCgroups() - _, _ = mgr.GetFreezerState() - _ = mgr.Path("") - _ = mgr.GetPaths() - _, _ = mgr.GetStats() - _, _ = mgr.OOMKillCount() - _ = mgr.Destroy() } + _ = mgr.Apply(-1) + _ = mgr.Set(nil) + _ = mgr.Freeze(configs.Thawed) + _ = mgr.Exists() + _, _ = mgr.GetAllPids() + _, _ = mgr.GetCgroups() + _, _ = mgr.GetFreezerState() + _ = mgr.Path("") + _ = mgr.GetPaths() + _, _ = mgr.GetStats() + _, _ = mgr.OOMKillCount() + _ = mgr.Destroy() } diff --git a/libcontainer/user/user.go b/libcontainer/user/user.go index a1e216683d9..984466d1ab5 100644 --- a/libcontainer/user/user.go +++ b/libcontainer/user/user.go @@ -201,7 +201,7 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) { if err != nil { // We should return no error if EOF is reached // without a match. - if err == io.EOF { //nolint:errorlint // comparison with io.EOF is legit, https://github.com/polyfloyd/go-errorlint/pull/12 + if err == io.EOF { err = nil } return out, err diff --git a/script/prepare-cgroup-v2.sh b/script/prepare-cgroup-v2.sh new file mode 100755 index 00000000000..886c550ec46 --- /dev/null +++ b/script/prepare-cgroup-v2.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# +# This script is used from ../Dockerfile as the ENTRYPOINT. It sets up cgroup +# delegation for cgroup v2 to make sure runc tests can be properly run inside +# a container. + +# Only do this for cgroup v2. +if [ -f /sys/fs/cgroup/cgroup.controllers ]; then + set -x + # Move the current process to a sub-cgroup. + mkdir /sys/fs/cgroup/init + echo 0 >/sys/fs/cgroup/init/cgroup.procs + # Enable all controllers. + sed 's/\b\w/+\0/g' <"/sys/fs/cgroup/cgroup.controllers" >"/sys/fs/cgroup/cgroup.subtree_control" +fi + +exec "$@"
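Review bot: The new helper's parameter `systemd bool` shadows the `systemd` package that this same commit imports for `TestNilResourcesSystemd`. It compiles today because the helper never touches the package, but a later call such as `systemd.IsRunningSystemd()` inside `testNilResources` would fail with a confusing "bool has no field or method" error. Renaming it avoids that: `func testNilResources(t *testing.T, useSystemd bool)` with `cg.Systemd = useSystemd`. Adding `t.Helper()` as the first statement would also make the `t.Fatal(err)` report point at the calling test.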
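Review bot: The new entrypoint script has no error handling around the delegation steps. If `mkdir /sys/fs/cgroup/init` fails, for example because the directory already exists or cgroupfs is mounted read-only in the container, the two writes after it fail as well. `exec "$@"` then still starts the tests without delegation, and the `set -x` trace is the only hint. If best-effort is intended, a comment should say so; otherwise use `mkdir -p /sys/fs/cgroup/init` and report the failure on stderr, e.g. `echo 0 >/sys/fs/cgroup/init/cgroup.procs || echo "cgroup v2 delegation setup failed" >&2`. The sed line would also benefit from a comment such as `# Turns "cpu io memory" into "+cpu +io +memory".`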