diff --git a/libcontainer/compat_1.5_linux.go b/libcontainer/compat_1.5_linux.go
new file mode 100644
index 00000000000..c7bdf1f60a0
--- /dev/null
+++ b/libcontainer/compat_1.5_linux.go
@@ -0,0 +1,10 @@
+// +build linux,!go1.5
+
+package libcontainer
+
+import "syscall"
+
+// GidMappingsEnableSetgroups was added in Go 1.5, so do nothing when building
+// with earlier versions
+func enableSetgroups(sys *syscall.SysProcAttr) {
+}
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
index a6680197a78..108c58f2f17 100644
--- a/libcontainer/container_linux.go
+++ b/libcontainer/container_linux.go
@@ -164,6 +164,7 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
 			// user mappings are not supported
 			return nil, err
 		}
+		enableSetgroups(cmd.SysProcAttr)
 		// Default to root user when user namespaces are enabled.
 		if cmd.SysProcAttr.Credential == nil {
 			cmd.SysProcAttr.Credential = &syscall.Credential{}
diff --git a/libcontainer/setgroups_linux.go b/libcontainer/setgroups_linux.go
new file mode 100644
index 00000000000..c7bdb605aa8
--- /dev/null
+++ b/libcontainer/setgroups_linux.go
@@ -0,0 +1,11 @@
+// +build linux,go1.5
+
+package libcontainer
+
+import "syscall"
+
+// Set the GidMappingsEnableSetgroups member to true, so the process's
+// setgroups proc entry wont be set to 'deny' if GidMappings are set
+func enableSetgroups(sys *syscall.SysProcAttr) {
+	sys.GidMappingsEnableSetgroups = true
+}
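Review bot: The doc comment on `enableSetgroups` in compat_1.5_linux.go does not start with the function name and does not say that the pre-1.5 build leaves the child's setgroups policy different from the Go 1.5 build; the same comment-style point applies to setgroups_linux.go, whose comment also has the typo "wont". For the stub I would write `// enableSetgroups is a no-op before Go 1.5: syscall.SysProcAttr has no GidMappingsEnableSetgroups field there, so the child's setgroups policy is whatever the runtime applies by default and sys is ignored.` For the Go 1.5 file I would write `// enableSetgroups sets GidMappingsEnableSetgroups so the runtime does not write "deny" to the child's setgroups proc entry when GidMappings are set.` Both functions are complete within their hunks.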
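Review bot: The new `enableSetgroups(cmd.SysProcAttr)` call in newInitProcess has no comment explaining why setgroups is re-enabled for the init process, and the trade-off is not visible at the call site: as far as I know the kernel only accepts a gid_map write while setgroups is permitted when the writer holds CAP_SETGID in the parent user namespace, so this path presumably depends on the parent running privileged and will fail to write gid_map otherwise. I would add above the call `// Allow setgroups(2) inside the new user namespace so supplementary groups can be set; the kernel requires the gid_map writer to have CAP_SETGID in the parent namespace for this.` Whether cmd.SysProcAttr can be nil here cannot be seen from the hunk, but the following context line dereferences it the same way, so the call adds no new assumption. newInitProcess starts and ends outside the hunk.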