diff --git a/.semaphore/semaphore-runner.sh b/.semaphore/semaphore-runner.sh
index 6b4aedbd09f..8c99b68156a 100755
--- a/.semaphore/semaphore-runner.sh
+++ b/.semaphore/semaphore-runner.sh
@@ -23,9 +23,19 @@ create_container() {
     sudo lxc-create -n "$CONTAINER" -t download -- -d "$DISTRO" -r "$RELEASE" -a "$ARCH"
 
     # unconfine the container, otherwise some tests fail
-    echo 'lxc.apparmor.profile = unconfined' | sudo tee -a "/var/lib/lxc/$CONTAINER/config"
+    #
+    # disable automatic cgroup setup, instead let pid1 figure it out in mount_setup().
+    # This is especially important to ensure we get unified cgroup hierarchy
+    #
+    # FIXME: remove cgroup workarounds once the host runs on unified hierarchy
+    sudo tee "/var/lib/lxc/$CONTAINER/config.systemd_upstream" <<EOF
+lxc.apparmor.profile = unconfined
+lxc.mount.auto =
+lxc.mount.auto = proc:mixed sys:mixed
+lxc.init.cmd = /sbin/init systemd.unified_cgroup_hierarchy=1
+EOF
 
-    sudo lxc-start -n "$CONTAINER"
+    sudo lxc-start -n "$CONTAINER" --define "lxc.include=/var/lib/lxc/$CONTAINER/config.systemd_upstream"
 
     # enable source repositories so that apt-get build-dep works
     sudo lxc-attach -n "$CONTAINER" -- sh -ex <<EOF
@@ -111,6 +121,7 @@ EOF
                                                        ../systemd_*.dsc \
                                                        -o "$ARTIFACTS_DIR" \
                                                        -- lxc -s "$CONTAINER" \
+                                                           --define "lxc.include=/var/lib/lxc/$CONTAINER/config.systemd_upstream" \
                 || [ $? -eq 2 ]
         ;;
         *)