Hello community,

here is the log from the commit of package lxc for openSUSE:Factory checked in 
at 2016-09-21 18:49:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lxc (Old)
 and      /work/SRC/openSUSE:Factory/.lxc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lxc"

Changes:
--------
--- /work/SRC/openSUSE:Factory/lxc/lxc.changes  2016-08-03 11:44:29.000000000 
+0200
+++ /work/SRC/openSUSE:Factory/.lxc.new/lxc.changes     2016-09-21 
18:49:46.000000000 +0200
@@ -1,0 +2,37 @@
+Mon Sep 19 15:09:41 UTC 2016 - sch...@suse.de
+
+- setcap has been moved to /usr/sbin (boo#998326).
+
+-------------------------------------------------------------------
+Wed Aug 31 11:16:59 UTC 2016 - cbrau...@suse.de
+
+- update lxc to 2.0.4
+- add 0001-bdev-use-correct-overlay-module-name.patch
+- add 0002-cleanup-tools-remove-name-from-lxc-top-usage-message.patch
+- add 0003-cleanup-whitespaces-in-option-alignment-for-lxc-exec.patch
+- add 0004-Use-full-GPG-fingerprint-instead-of-long-IDs.patch
+- add 0005-tools-move-rcfile-to-the-common-options-list.patch
+- add 0006-tools-set-configfile-after-load_config.patch
+- add 0007-doc-add-rcfile-to-common-opts.patch
+- add 0008-doc-Update-Korean-lxc-attach-1.patch
+- add 0009-doc-Add-rcfile-to-Korean-common-opts.patch
+- add 0010-doc-Add-rcfile-to-Japanese-common-opts.patch
+- add 0011-tools-use-exit-EXIT_-everywhere.patch
+- add 0012-tools-unify-exit-calls-outside-of-main.patch
+- add 0013-utils-Add-mips-signalfd-syscall-numbers.patch
+- add 0014-seccomp-Implement-MIPS-seccomp-handling.patch
+- add 0015-seccomp-Add-mips-and-mips64-entries-to-lxc_config_pa.patch
+- add 0016-seccomp-fix-strerror.patch
+- add 0017-confile-add-more-archs-to-lxc_config_parse_arch.patch
+- add 0018-seccomp-add-support-for-s390x.patch
+- add 0019-seccomp-remove-double-include-and-order-includes.patch
+- add 0020-seccomp-non-functional-changes.patch
+- add 0021-templates-use-fd-9-instead-of-200.patch
+- add 0022-templates-fedora-requires-openssl-binary.patch
+- add 0023-tools-use-boolean-for-ret-in-lxc_device.c.patch
+- add 0024-c-r-use-proc-self-tid-children-instead-of-pidfile.patch
+- add 0025-c-r-Fix-pid_t-on-some-arches.patch
+- add 0026-templates-Add-mips-hostarch-detection-to-debian.patch
+- add 0027-cleanup-replace-tabs-wth-spaces-in-usage-strings.patch
+
+-------------------------------------------------------------------

Old:
----
  lxc-2.0.3.tar.gz

New:
----
  0001-bdev-use-correct-overlay-module-name.patch
  0002-cleanup-tools-remove-name-from-lxc-top-usage-message.patch
  0003-cleanup-whitespaces-in-option-alignment-for-lxc-exec.patch
  0004-Use-full-GPG-fingerprint-instead-of-long-IDs.patch
  0005-tools-move-rcfile-to-the-common-options-list.patch
  0006-tools-set-configfile-after-load_config.patch
  0007-doc-add-rcfile-to-common-opts.patch
  0008-doc-Update-Korean-lxc-attach-1.patch
  0009-doc-Add-rcfile-to-Korean-common-opts.patch
  0010-doc-Add-rcfile-to-Japanese-common-opts.patch
  0011-tools-use-exit-EXIT_-everywhere.patch
  0012-tools-unify-exit-calls-outside-of-main.patch
  0013-utils-Add-mips-signalfd-syscall-numbers.patch
  0014-seccomp-Implement-MIPS-seccomp-handling.patch
  0015-seccomp-Add-mips-and-mips64-entries-to-lxc_config_pa.patch
  0016-seccomp-fix-strerror.patch
  0017-confile-add-more-archs-to-lxc_config_parse_arch.patch
  0018-seccomp-add-support-for-s390x.patch
  0019-seccomp-remove-double-include-and-order-includes.patch
  0020-seccomp-non-functional-changes.patch
  0021-templates-use-fd-9-instead-of-200.patch
  0022-templates-fedora-requires-openssl-binary.patch
  0023-tools-use-boolean-for-ret-in-lxc_device.c.patch
  0024-c-r-use-proc-self-tid-children-instead-of-pidfile.patch
  0025-c-r-Fix-pid_t-on-some-arches.patch
  0026-templates-Add-mips-hostarch-detection-to-debian.patch
  0027-cleanup-replace-tabs-wth-spaces-in-usage-strings.patch
  lxc-2.0.4.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lxc.spec ++++++
--- /var/tmp/diff_new_pack.PSsFot/_old  2016-09-21 18:49:48.000000000 +0200
+++ /var/tmp/diff_new_pack.PSsFot/_new  2016-09-21 18:49:48.000000000 +0200
@@ -18,7 +18,7 @@
 
 %define                shlib_version 1
 Name:           lxc
-Version:        2.0.3
+Version:        2.0.4
 Release:        0
 Url:            http://linuxcontainers.org/
 Summary:        Userspace tools for Linux kernel containers
@@ -27,13 +27,40 @@
 Source:         http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz
 Source1:        README.SUSE
 Source2:        lxc-createconfig.in
-Patch1:         lxc-aa_allow_incomplete-default.patch
-
+Patch0001:     0001-bdev-use-correct-overlay-module-name.patch
+Patch0002:     0002-cleanup-tools-remove-name-from-lxc-top-usage-message.patch
+Patch0003:     0003-cleanup-whitespaces-in-option-alignment-for-lxc-exec.patch
+Patch0004:     0004-Use-full-GPG-fingerprint-instead-of-long-IDs.patch
+Patch0005:     0005-tools-move-rcfile-to-the-common-options-list.patch
+Patch0006:     0006-tools-set-configfile-after-load_config.patch
+Patch0007:     0007-doc-add-rcfile-to-common-opts.patch
+Patch0008:     0008-doc-Update-Korean-lxc-attach-1.patch
+Patch0009:     0009-doc-Add-rcfile-to-Korean-common-opts.patch
+Patch0010:     0010-doc-Add-rcfile-to-Japanese-common-opts.patch
+Patch0011:     0011-tools-use-exit-EXIT_-everywhere.patch
+Patch0012:     0012-tools-unify-exit-calls-outside-of-main.patch
+Patch0013:     0013-utils-Add-mips-signalfd-syscall-numbers.patch
+Patch0014:     0014-seccomp-Implement-MIPS-seccomp-handling.patch
+Patch0015:     0015-seccomp-Add-mips-and-mips64-entries-to-lxc_config_pa.patch
+Patch0016:     0016-seccomp-fix-strerror.patch
+Patch0017:     0017-confile-add-more-archs-to-lxc_config_parse_arch.patch
+Patch0018:     0018-seccomp-add-support-for-s390x.patch
+Patch0019:     0019-seccomp-remove-double-include-and-order-includes.patch
+Patch0020:     0020-seccomp-non-functional-changes.patch
+Patch0021:     0021-templates-use-fd-9-instead-of-200.patch
+Patch0022:     0022-templates-fedora-requires-openssl-binary.patch
+Patch0023:     0023-tools-use-boolean-for-ret-in-lxc_device.c.patch
+Patch0024:     0024-c-r-use-proc-self-tid-children-instead-of-pidfile.patch
+Patch0025:     0025-c-r-Fix-pid_t-on-some-arches.patch
+Patch0026:     0026-templates-Add-mips-hostarch-detection-to-debian.patch
+Patch0027:     0027-cleanup-replace-tabs-wth-spaces-in-usage-strings.patch
+Patch0028:     lxc-aa_allow_incomplete-default.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 BuildRequires:  docbook-utils
 BuildRequires:  docbook2x
 BuildRequires:  fdupes
+BuildRequires:  git
 BuildRequires:  libapparmor-devel
 BuildRequires:  libcap-devel
 %ifarch %ix86 x86_64
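Review bot: The added `BuildRequires:  git` has no visible consumer. The `%prep` hunk further down applies all 28 patches with plain `%patchNNNN -p1` lines and nothing shown calls git. Each extra build dependency is pulled into the build root, so either drop the line or keep it with a comment saying what needs it, e.g. `# git is needed by <step>`. If the intent was to apply the series with git, that step is missing from the `%prep` hunk.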
@@ -49,7 +76,7 @@
 BuildRequires:  systemd
 %endif
 
-Requires:       /sbin/setcap
+Requires:       /usr/sbin/setcap
 Requires:       lxcfs
 Requires:       rsync
 
@@ -90,8 +117,35 @@
 Provides the LXC container runtime library development files
 
 %prep
-%setup -q
-%patch1 -p1
+%setup
+%patch0001 -p1
+%patch0002 -p1
+%patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
+%patch0006 -p1
+%patch0007 -p1
+%patch0008 -p1
+%patch0009 -p1
+%patch0010 -p1
+%patch0011 -p1
+%patch0012 -p1
+%patch0013 -p1
+%patch0014 -p1
+%patch0015 -p1
+%patch0016 -p1
+%patch0017 -p1
+%patch0018 -p1
+%patch0019 -p1
+%patch0020 -p1
+%patch0021 -p1
+%patch0022 -p1
+%patch0023 -p1
+%patch0024 -p1
+%patch0025 -p1
+%patch0026 -p1
+%patch0027 -p1
+%patch0028 -p1
 
 %build
 chmod 755 configure

++++++ 0001-bdev-use-correct-overlay-module-name.patch ++++++
>From c3612dc03d7b2d43799334095be1566e567a03f9 Mon Sep 17 00:00:00 2001
From: Christian Brauner <cbrau...@suse.de>
Date: Tue, 16 Aug 2016 20:00:35 +0200
Subject: [PATCH 01/27] bdev: use correct overlay module name

- Assume that the module name is "overlay" per default and not "overlayfs".
- Assume that the overlay version we are using requires a workdir.
- When we mount an overlay filesystem and we fail with ENODEV retry once with
  the module name we haven't already used.

Signed-off-by: Christian Brauner <cbrau...@suse.de>
---
 src/lxc/bdev/lxcoverlay.c | 53 +++++++++++++++++++++++++++++++++--------------
 1 file changed, 38 insertions(+), 15 deletions(-)

diff --git a/src/lxc/bdev/lxcoverlay.c b/src/lxc/bdev/lxcoverlay.c
index 3caadbc..e8d0f6d 100644
--- a/src/lxc/bdev/lxcoverlay.c
+++ b/src/lxc/bdev/lxcoverlay.c
@@ -39,6 +39,7 @@
 lxc_log_define(lxcoverlay, lxc);
 
 static char *ovl_name;
+static char *ovl_version[] = {"overlay", "overlayfs"};
 
 /* defined in lxccontainer.c: needs to become common helper */
 extern char *dir_new_path(char *src, const char *oldname, const char *name,
@@ -49,6 +50,9 @@ static int ovl_do_rsync(struct bdev *orig, struct bdev *new,
                        struct lxc_conf *conf);
 static int ovl_rsync(struct rsync_data *data);
 static int ovl_rsync_wrapper(void *data);
+static int ovl_remount_on_enodev(const char *lower, const char *target,
+                                const char *name, unsigned long mountflags,
+                                const void *options);
 
 int ovl_clonepaths(struct bdev *orig, struct bdev *new, const char *oldname,
                   const char *cname, const char *oldpath, const char *lxcpath,
@@ -408,23 +412,28 @@ int ovl_mount(struct bdev *bdev)
                return -1;
        }
 
-       // mount without workdir option for overlayfs before v21
-       ret = mount(lower, bdev->dest, ovl_name, MS_MGC_VAL | mntflags, 
options);
+        /* Assume we need a workdir as we are on a overlay version >= v22. */
+       ret = ovl_remount_on_enodev(lower, bdev->dest, ovl_name,
+                                   MS_MGC_VAL | mntflags, options_work);
        if (ret < 0) {
-               INFO("overlayfs: error mounting %s onto %s options %s. retry 
with workdir",
-                       lower, bdev->dest, options);
+               INFO("Overlayfs: Error mounting %s onto %s with options %s. "
+                    "Retrying without workdir: %s.",
+                    lower, bdev->dest, options_work, strerror(errno));
 
-               // retry with workdir option for overlayfs v22 and higher
-               ret = mount(lower, bdev->dest, ovl_name, MS_MGC_VAL | mntflags, 
options_work);
+                /* Assume we cannot use a workdir as we are on a version <= 
v21. */
+               ret = ovl_remount_on_enodev(lower, bdev->dest, ovl_name,
+                                         MS_MGC_VAL | mntflags, options);
                if (ret < 0)
-                       SYSERROR("overlayfs: error mounting %s onto %s options 
%s",
-                               lower, bdev->dest, options_work);
+                       SYSERROR("Overlayfs: Error mounting %s onto %s with "
+                                "options %s: %s.",
+                                lower, bdev->dest, options,
+                                strerror(errno));
                else
-                       INFO("overlayfs: mounted %s onto %s options %s",
-                               lower, bdev->dest, options_work);
+                       INFO("Overlayfs: Mounted %s onto %s with options %s.",
+                            lower, bdev->dest, options);
        } else {
-               INFO("overlayfs: mounted %s onto %s options %s",
-                       lower, bdev->dest, options);
+               INFO("Overlayfs: Mounted %s onto %s with options %s.", lower,
+                    bdev->dest, options_work);
        }
        return ret;
 }
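Review bot: The new `SYSERROR(...)` call appends `strerror(errno)` by hand; if `SYSERROR` is the usual LXC macro that already adds the errno text, the reason is printed twice, and the `: %s.` suffix with its argument can be dropped. Both call sites also pass `MS_MGC_VAL | mntflags` to `ovl_remount_on_enodev()`, which ORs `MS_MGC_VAL` in again; harmless, but only one side should do it. The retry without a workdir still fires on any failure of the first attempt, so an unrelated error such as a permission failure is logged only at INFO level and the final message describes the second attempt. The first new comment should read "an overlay version". `ovl_mount()` starts outside this hunk.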
@@ -652,6 +661,20 @@ err:
        return fret;
 }
 
+static int ovl_remount_on_enodev(const char *lower, const char *target,
+                                const char *name, unsigned long mountflags,
+                                const void *options)
+{
+        int ret;
+        ret = mount(lower, target, ovl_name, MS_MGC_VAL | mountflags, options);
+        if (ret < 0 && errno == ENODEV) /* Try other module name. */
+               ret = mount(lower, target,
+                           ovl_name == ovl_version[0] ? ovl_version[1]
+                                                      : ovl_version[0],
+                           MS_MGC_VAL | mountflags, options);
+        return ret;
+}
+
 static int ovl_rsync(struct rsync_data *data)
 {
        int ret;
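Review bot: `ovl_remount_on_enodev()` never reads its `name` parameter: both `mount()` calls use the file-scope `ovl_name`, so whatever the caller passes is silently ignored. Use the parameter and leave the magic flag to the caller, `ret = mount(lower, target, name, mountflags, options);`. The alternate name is picked by pointer identity (`ovl_name == ovl_version[0]`), which is only right while the name always points into `ovl_version`; `strcmp(name, ovl_version[0]) == 0 ? ovl_version[1] : ovl_version[0]` does not depend on that. When the fallback succeeds the working name is not stored, so every later mount repeats the failing attempt first. The body also mixes eight-space and tab indentation.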
@@ -700,7 +723,7 @@ static int ovl_rsync(struct rsync_data *data)
 
 static char *ovl_detect_name(void)
 {
-       char *v = "overlayfs";
+       char *v = ovl_version[0];
        char *line = NULL;
        size_t len = 0;
        FILE *f = fopen("/proc/filesystems", "r");
@@ -708,8 +731,8 @@ static char *ovl_detect_name(void)
                return v;
 
        while (getline(&line, &len, f) != -1) {
-               if (strcmp(line, "nodev\toverlay\n") == 0) {
-                       v = "overlay";
+               if (strcmp(line, "nodev\toverlayfs\n") == 0) {
+                       v = ovl_version[1];
                        break;
                }
        }
-- 
2.9.3

++++++ 0002-cleanup-tools-remove-name-from-lxc-top-usage-message.patch ++++++
>From 476402ab6c7daea1db8ff103767dc88ac5331570 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumil...@proxmox.com>
Date: Fri, 12 Aug 2016 12:28:16 +0200
Subject: [PATCH 02/27] cleanup: tools: remove --name from lxc-top usage
 message

It doesn't have any effect on what lxc-top does and is only
accepted on account of being part of the common option list.

Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
---
 src/lxc/tools/lxc_top.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/tools/lxc_top.c b/src/lxc/tools/lxc_top.c
index c4cb871..47deddd 100644
--- a/src/lxc/tools/lxc_top.c
+++ b/src/lxc/tools/lxc_top.c
@@ -91,7 +91,7 @@ static const struct option my_longopts[] = {
 static struct lxc_arguments my_args = {
        .progname = "lxc-top",
        .help     = "\
-[--name=NAME]\n\
+\n\
 \n\
 lxc-top monitors the state of the active containers\n\
 \n\
-- 
2.9.3

++++++ 0003-cleanup-whitespaces-in-option-alignment-for-lxc-exec.patch ++++++
>From b4e66653f4c3ac0240e5ff810c74a44f554e2bac Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumil...@proxmox.com>
Date: Fri, 12 Aug 2016 12:33:10 +0200
Subject: [PATCH 03/27] cleanup: whitespaces in option alignment for
 lxc-execute

Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
---
 src/lxc/tools/lxc_execute.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lxc/tools/lxc_execute.c b/src/lxc/tools/lxc_execute.c
index 50d481f..c7c5096 100644
--- a/src/lxc/tools/lxc_execute.c
+++ b/src/lxc/tools/lxc_execute.c
@@ -86,8 +86,8 @@ Options :\n\
   -n, --name=NAME      NAME of the container\n\
   -f, --rcfile=FILE    Load configuration file FILE\n\
   -s, --define KEY=VAL Assign VAL to configuration variable KEY\n\
-  -u, --uid=UID Execute COMMAND with UID inside the container\n\
-  -g, --gid=GID Execute COMMAND with GID inside the container\n",
+  -u, --uid=UID        Execute COMMAND with UID inside the container\n\
+  -g, --gid=GID        Execute COMMAND with GID inside the container\n",
        .options  = my_longopts,
        .parser   = my_parser,
        .checker  = my_checker,
-- 
2.9.3

++++++ 0004-Use-full-GPG-fingerprint-instead-of-long-IDs.patch ++++++
>From 3b9494bd64334d9c02a4fd2f9af04fa839830667 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Wed, 17 Aug 2016 15:42:34 -0400
Subject: [PATCH 04/27] Use full GPG fingerprint instead of long IDs.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With how easy it is to create a collision on a short ID nowadays and
given that the user doesn't actually have to remember or manually enter
the key ID, let's just use the full fingerprint from now on.

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 templates/lxc-download.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/lxc-download.in b/templates/lxc-download.in
index d4cf830..4a67a7c 100644
--- a/templates/lxc-download.in
+++ b/templates/lxc-download.in
@@ -33,7 +33,7 @@ DOWNLOAD_DIST=
 DOWNLOAD_FLUSH_CACHE="false"
 DOWNLOAD_FORCE_CACHE="false"
 DOWNLOAD_INTERACTIVE="false"
-DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
+DOWNLOAD_KEYID="0xE7FB0CAEC8173D669066514CBAEFF88C22F6E216"
 DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
 DOWNLOAD_LIST_IMAGES="false"
 DOWNLOAD_MODE="system"
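Review bot: The new `DOWNLOAD_KEYID` value has no comment saying it must stay a full fingerprint, so a later edit could shorten it again without anyone noticing. I would add above it `# Full 40-hex-digit fingerprint on purpose: short and long key IDs can collide, do not shorten.` The key is still fetched from the plain `hkp://` keyserver on the next line, so this fingerprint is the only thing binding the script to the right key. Whether the script re-checks the imported key's fingerprint, or accepts a shorter key ID from the caller, is outside this hunk and worth confirming.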
-- 
2.9.3

++++++ 0005-tools-move-rcfile-to-the-common-options-list.patch ++++++
>From fe3b02ff94da199a8a327b3e92b6e42f2d875a45 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumil...@proxmox.com>
Date: Fri, 12 Aug 2016 12:21:22 +0200
Subject: [PATCH 05/27] tools: move --rcfile to the common options list

In almost all commands it's a useful addition to the -n
switch which is a common option, too.

Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
---
 src/lxc/arguments.c            |  1 +
 src/lxc/arguments.h            |  2 ++
 src/lxc/tools/lxc_cgroup.c     | 12 +++++++++++-
 src/lxc/tools/lxc_checkpoint.c | 10 ++++++++++
 src/lxc/tools/lxc_console.c    | 12 +++++++++++-
 src/lxc/tools/lxc_copy.c       | 11 ++++++++++-
 src/lxc/tools/lxc_destroy.c    | 12 +++++++++++-
 src/lxc/tools/lxc_device.c     | 11 ++++++++++-
 src/lxc/tools/lxc_freeze.c     | 12 +++++++++++-
 src/lxc/tools/lxc_info.c       | 12 +++++++++++-
 src/lxc/tools/lxc_snapshot.c   | 12 +++++++++++-
 src/lxc/tools/lxc_stop.c       | 11 ++++++++++-
 src/lxc/tools/lxc_unfreeze.c   | 12 +++++++++++-
 src/lxc/tools/lxc_wait.c       | 12 +++++++++++-
 14 files changed, 131 insertions(+), 11 deletions(-)

diff --git a/src/lxc/arguments.c b/src/lxc/arguments.c
index c2f7b67..0d2b203 100644
--- a/src/lxc/arguments.c
+++ b/src/lxc/arguments.c
@@ -203,6 +203,7 @@ extern int lxc_arguments_parse(struct lxc_arguments *args,
                case 'o':       args->log_file = optarg; break;
                case 'l':       args->log_priority = optarg; break;
                case 'q':       args->quiet = 1; break;
+               case OPT_RCFILE: args->rcfile = optarg; break;
                case 'P':
                        remove_trailing_slashes(optarg);
                        ret = lxc_arguments_lxcpath_add(args, optarg);
diff --git a/src/lxc/arguments.h b/src/lxc/arguments.h
index 6bc6fcd..956cb37 100644
--- a/src/lxc/arguments.h
+++ b/src/lxc/arguments.h
@@ -148,11 +148,13 @@ struct lxc_arguments {
        {"logfile", required_argument, 0, 'o'}, \
        {"logpriority", required_argument, 0, 'l'}, \
        {"lxcpath", required_argument, 0, 'P'}, \
+       {"rcfile", required_argument, 0, OPT_RCFILE}, \
        {0, 0, 0, 0}
 
 /* option keys for long only options */
 #define        OPT_USAGE 0x1000
 #define        OPT_VERSION OPT_USAGE-1
+#define        OPT_RCFILE OPT_USAGE-2
 
 extern int lxc_arguments_parse(struct lxc_arguments *args,
                               int argc, char *const argv[]);
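Review bot: `#define OPT_RCFILE OPT_USAGE-2` is an unparenthesised expression macro, so it expands to a bare `0x1000-2` and any use next to a higher-precedence operator changes its value. It works in the `case` label and the option table today, but it copies the same weakness from `OPT_VERSION` on the line above. I would write `#define OPT_RCFILE (OPT_USAGE - 2)` and parenthesise `OPT_VERSION` the same way, or turn the three keys into an `enum`.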
diff --git a/src/lxc/tools/lxc_cgroup.c b/src/lxc/tools/lxc_cgroup.c
index dd60fd1..c644501 100644
--- a/src/lxc/tools/lxc_cgroup.c
+++ b/src/lxc/tools/lxc_cgroup.c
@@ -56,7 +56,8 @@ Get or set the value of a state object (for example, 
'cpuset.cpus')\n\
 in the container's cgroup for the corresponding subsystem.\n\
 \n\
 Options :\n\
-  -n, --name=NAME      NAME of the container",
+  -n, --name=NAME      NAME of the container\n\
+  --rcfile=FILE        Load configuration file FILE\n",
        .options  = my_longopts,
        .parser   = NULL,
        .checker  = my_checker,
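Review bot: The new `--rcfile=FILE` help line starts in the column the other entries use for the short option (`-n, --name=NAME`), so the long option names no longer line up. The existing `      --nolock` and `      --nokill` lines in the lxc_stop.c help text show the indentation this code base uses for long-only options; I would write `      --rcfile=FILE    Load configuration file FILE\n\` with the description column adjusted per tool. The same applies to the help-text hunks for lxc_checkpoint.c, lxc_console.c, lxc_copy.c, lxc_destroy.c, lxc_device.c, lxc_freeze.c, lxc_info.c, lxc_snapshot.c, lxc_stop.c, lxc_unfreeze.c and lxc_wait.c.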
@@ -84,6 +85,15 @@ int main(int argc, char *argv[])
        if (!c)
                return 1;
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       ERROR("Failed to load rcfile");
+                       lxc_container_put(c);
+                       return 1;
+               }
+       }
+
        if (!c->may_control(c)) {
                ERROR("Insufficent privileges to control %s:%s", 
my_args.lxcpath[0], my_args.name);
                lxc_container_put(c);
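Review bot: The failure message `Failed to load rcfile` names neither the file nor the reason, which makes a mistyped or unreadable path hard to diagnose; `ERROR("Failed to load rcfile %s", my_args.rcfile);` would at least identify it. The same `clear_config` / `load_config` block is pasted into the hunks for lxc_checkpoint.c, lxc_console.c, lxc_copy.c, lxc_destroy.c, lxc_device.c, lxc_freeze.c, lxc_info.c, lxc_snapshot.c, lxc_stop.c, lxc_unfreeze.c and lxc_wait.c. They differ only in the logging call and the exit path, so a single helper next to `lxc_arguments_parse()` would keep them from drifting apart. `main()` continues outside this hunk.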
diff --git a/src/lxc/tools/lxc_checkpoint.c b/src/lxc/tools/lxc_checkpoint.c
index 7130245..bc18b80 100644
--- a/src/lxc/tools/lxc_checkpoint.c
+++ b/src/lxc/tools/lxc_checkpoint.c
@@ -114,6 +114,7 @@ Options :\n\
   Restore options:\n\
   -d, --daemon              Daemonize the container (default)\n\
   -F, --foreground          Start with the current tty attached to 
/dev/console\n\
+  --rcfile=FILE             Load configuration file FILE\n\
 ",
        .options   = my_longopts,
        .parser    = my_parser,
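Review bot: The `--rcfile=FILE` line is appended under the `Restore options:` heading, but the `main()` hunk below loads the rcfile before `may_control()` with no visible check for checkpoint versus restore mode. If the option applies to both modes, as that hunk suggests, it belongs with the general options rather than in the restore-only group. The full option list starts outside this hunk, so confirm against the complete help text.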
@@ -214,6 +215,15 @@ int main(int argc, char *argv[])
                exit(1);
        }
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       fprintf(stderr, "Failed to load rcfile\n");
+                       lxc_container_put(c);
+                       exit(1);
+               }
+       }
+
        if (!c->may_control(c)) {
                fprintf(stderr, "Insufficent privileges to control %s\n", 
my_args.name);
                lxc_container_put(c);
diff --git a/src/lxc/tools/lxc_console.c b/src/lxc/tools/lxc_console.c
index adbd7e0..8a4d1c0 100644
--- a/src/lxc/tools/lxc_console.c
+++ b/src/lxc/tools/lxc_console.c
@@ -80,7 +80,8 @@ lxc-console logs on the container with the identifier NAME\n\
 Options :\n\
   -n, --name=NAME      NAME of the container\n\
   -t, --tty=NUMBER     console tty number\n\
-  -e, --escape=PREFIX  prefix for escape command\n",
+  -e, --escape=PREFIX  prefix for escape command\n\
+  --rcfile=FILE        Load configuration file FILE\n",
        .options  = my_longopts,
        .parser   = my_parser,
        .checker  = NULL,
@@ -112,6 +113,15 @@ int main(int argc, char *argv[])
                exit(EXIT_FAILURE);
        }
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       fprintf(stderr, "Failed to load rcfile\n");
+                       lxc_container_put(c);
+                       exit(EXIT_FAILURE);
+               }
+       }
+
        if (!c->may_control(c)) {
                fprintf(stderr, "Insufficent privileges to control %s\n", 
my_args.name);
                lxc_container_put(c);
diff --git a/src/lxc/tools/lxc_copy.c b/src/lxc/tools/lxc_copy.c
index db63a6c..900a590 100644
--- a/src/lxc/tools/lxc_copy.c
+++ b/src/lxc/tools/lxc_copy.c
@@ -123,7 +123,8 @@ Options :\n\
   -D, --keedata                    pass together with -e start a persistent 
snapshot \n\
   -K, --keepname           keep the hostname of the original container\n\
   --  hook options         arguments passed to the hook program\n\
-  -M, --keepmac                    keep the MAC address of the original 
container\n",
+  -M, --keepmac                    keep the MAC address of the original 
container\n\
+  --rcfile=FILE                    Load configuration file FILE\n",
        .options = my_longopts,
        .parser = my_parser,
        .task = CLONE,
@@ -199,6 +200,14 @@ int main(int argc, char *argv[])
        if (!c)
                exit(ret);
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       fprintf(stderr, "Failed to load rcfile\n");
+                       goto out;
+               }
+       }
+
        if (!c->may_control(c)) {
                if (!my_args.quiet)
                        fprintf(stderr, "Insufficent privileges to control 
%s\n", c->name);
diff --git a/src/lxc/tools/lxc_destroy.c b/src/lxc/tools/lxc_destroy.c
index b521739..50fd708 100644
--- a/src/lxc/tools/lxc_destroy.c
+++ b/src/lxc/tools/lxc_destroy.c
@@ -53,7 +53,8 @@ lxc-destroy destroys a container with the identifier NAME\n\
 Options :\n\
   -n, --name=NAME   NAME of the container\n\
   -s, --snapshots   destroy including all snapshots\n\
-  -f, --force       wait for the container to shut down\n",
+  -f, --force       wait for the container to shut down\n\
+  --rcfile=FILE     Load configuration file FILE\n",
        .options  = my_longopts,
        .parser   = my_parser,
        .checker  = NULL,
@@ -88,6 +89,15 @@ int main(int argc, char *argv[])
                exit(EXIT_FAILURE);
        }
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       fprintf(stderr, "Failed to load rcfile\n");
+                       lxc_container_put(c);
+                       exit(EXIT_FAILURE);
+               }
+       }
+
        if (!c->may_control(c)) {
                if (!quiet)
                        fprintf(stderr, "Insufficent privileges to control 
%s\n", my_args.name);
diff --git a/src/lxc/tools/lxc_device.c b/src/lxc/tools/lxc_device.c
index 0c9e066..0f1ee8b 100644
--- a/src/lxc/tools/lxc_device.c
+++ b/src/lxc/tools/lxc_device.c
@@ -53,7 +53,8 @@ static struct lxc_arguments my_args = {
 lxc-device attach or detach DEV to or from container.\n\
 \n\
 Options :\n\
-  -n, --name=NAME      NAME of the container",
+  -n, --name=NAME      NAME of the container\n\
+  --rcfile=FILE        Load configuration file FILE\n",
        .options  = my_longopts,
        .parser   = NULL,
        .checker  = NULL,
@@ -125,6 +126,14 @@ int main(int argc, char *argv[])
                goto err;
        }
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       ERROR("Failed to load rcfile");
+                       goto err1;
+               }
+       }
+
        if (!c->is_running(c)) {
                ERROR("Container %s is not running.", c->name);
                goto err1;
diff --git a/src/lxc/tools/lxc_freeze.c b/src/lxc/tools/lxc_freeze.c
index ea8bd3e..d0239bf 100644
--- a/src/lxc/tools/lxc_freeze.c
+++ b/src/lxc/tools/lxc_freeze.c
@@ -47,7 +47,8 @@ static struct lxc_arguments my_args = {
 lxc-freeze freezes a container with the identifier NAME\n\
 \n\
 Options :\n\
-  -n, --name=NAME      NAME of the container",
+  -n, --name=NAME      NAME of the container\n\
+  --rcfile=FILE        Load configuration file FILE\n",
        .options  = my_longopts,
        .parser   = NULL,
        .checker  = NULL,
@@ -74,6 +75,15 @@ int main(int argc, char *argv[])
                exit(1);
        }
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       ERROR("Failed to load rcfile");
+                       lxc_container_put(c);
+                       exit(1);
+               }
+       }
+
        if (!c->may_control(c)) {
                ERROR("Insufficent privileges to control %s:%s", 
my_args.lxcpath[0], my_args.name);
                lxc_container_put(c);
diff --git a/src/lxc/tools/lxc_info.c b/src/lxc/tools/lxc_info.c
index 58ff619..e833697 100644
--- a/src/lxc/tools/lxc_info.c
+++ b/src/lxc/tools/lxc_info.c
@@ -93,7 +93,8 @@ Options :\n\
   -p, --pid             shows the process id of the init container\n\
   -S, --stats           shows usage stats\n\
   -H, --no-humanize     shows stats as raw numbers, not humanized\n\
-  -s, --state           shows the state of the container\n",
+  -s, --state           shows the state of the container\n\
+  --rcfile=FILE         Load configuration file FILE\n",
        .name     = NULL,
        .options  = my_longopts,
        .parser   = my_parser,
@@ -295,6 +296,15 @@ static int print_info(const char *name, const char 
*lxcpath)
                return -1;
        }
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       fprintf(stderr, "Failed to load rcfile\n");
+                       lxc_container_put(c);
+                       return -1;
+               }
+       }
+
        if (!c->may_control(c)) {
                fprintf(stderr, "Insufficent privileges to control %s\n", 
c->name);
                lxc_container_put(c);
diff --git a/src/lxc/tools/lxc_snapshot.c b/src/lxc/tools/lxc_snapshot.c
index 8f44891..aa9b6fe 100644
--- a/src/lxc/tools/lxc_snapshot.c
+++ b/src/lxc/tools/lxc_snapshot.c
@@ -62,7 +62,8 @@ Options :\n\
   -d, --destroy=NAME     destroy snapshot NAME, e.g. 'snap0'\n\
                          use ALL to destroy all snapshots\n\
   -c, --comment=FILE     add FILE as a comment\n\
-  -C, --showcomments     show snapshot comments\n",
+  -C, --showcomments     show snapshot comments\n\
+  --rcfile=FILE          Load configuration file FILE\n",
        .options = my_longopts,
        .parser = my_parser,
        .checker = NULL,
@@ -107,6 +108,15 @@ int main(int argc, char *argv[])
                exit(EXIT_FAILURE);
        }
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       fprintf(stderr, "Failed to load rcfile\n");
+                       lxc_container_put(c);
+                       exit(EXIT_FAILURE);
+               }
+       }
+
        if (!c->may_control(c)) {
                fprintf(stderr, "Insufficent privileges to control %s\n",
                        my_args.name);
diff --git a/src/lxc/tools/lxc_stop.c b/src/lxc/tools/lxc_stop.c
index 10ddce6..bbe1f1c 100644
--- a/src/lxc/tools/lxc_stop.c
+++ b/src/lxc/tools/lxc_stop.c
@@ -75,7 +75,8 @@ Options :\n\
   -t, --timeout=T   wait T seconds before hard-stopping\n\
   -k, --kill        kill container rather than request clean shutdown\n\
       --nolock      Avoid using API locks\n\
-      --nokill      Only request clean shutdown, don't force kill after 
timeout\n",
+      --nokill      Only request clean shutdown, don't force kill after 
timeout\n\
+  --rcfile=FILE     Load configuration file FILE\n",
        .options  = my_longopts,
        .parser   = my_parser,
        .checker  = NULL,
@@ -203,6 +204,14 @@ int main(int argc, char *argv[])
                goto out;
        }
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       fprintf(stderr, "Failed to load rcfile\n");
+                       goto out;
+               }
+       }
+
        if (!c->may_control(c)) {
                fprintf(stderr, "Insufficent privileges to control %s\n", 
c->name);
                goto out;
diff --git a/src/lxc/tools/lxc_unfreeze.c b/src/lxc/tools/lxc_unfreeze.c
index 3a13d37..b7bbea6 100644
--- a/src/lxc/tools/lxc_unfreeze.c
+++ b/src/lxc/tools/lxc_unfreeze.c
@@ -45,7 +45,8 @@ static struct lxc_arguments my_args = {
 lxc-unfreeze unfreezes a container with the identifier NAME\n\
 \n\
 Options :\n\
-  -n, --name=NAME   NAME of the container\n",
+  -n, --name=NAME   NAME of the container\n\
+  --rcfile=FILE     Load configuration file FILE\n",
        .options  = my_longopts,
        .parser   = NULL,
        .checker  = NULL,
@@ -78,6 +79,15 @@ int main(int argc, char *argv[])
                exit(1);
        }
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       ERROR("Failed to load rcfile");
+                       lxc_container_put(c);
+                       exit(1);
+               }
+       }
+
        if (!c->unfreeze(c)) {
                ERROR("Failed to unfreeze %s:%s", my_args.lxcpath[0], 
my_args.name);
                lxc_container_put(c);
diff --git a/src/lxc/tools/lxc_wait.c b/src/lxc/tools/lxc_wait.c
index 712ba52..deeff98 100644
--- a/src/lxc/tools/lxc_wait.c
+++ b/src/lxc/tools/lxc_wait.c
@@ -72,7 +72,8 @@ Options :\n\
   -s, --state=STATE ORed states to wait for\n\
                     STOPPED, STARTING, RUNNING, STOPPING,\n\
                     ABORTING, FREEZING, FROZEN, THAWED\n\
-  -t, --timeout=TMO Seconds to wait for state changes\n",
+  -t, --timeout=TMO Seconds to wait for state changes\n\
+  --rcfile=FILE     Load configuration file FILE\n",
        .options  = my_longopts,
        .parser   = my_parser,
        .checker  = my_checker,
@@ -104,6 +105,15 @@ int main(int argc, char *argv[])
                return 1;
        }
 
+       if (my_args.rcfile) {
+               c->clear_config(c);
+               if (!c->load_config(c, my_args.rcfile)) {
+                       fprintf(stderr, "Failed to load rcfile\n");
+                       lxc_container_put(c);
+                       return 1;
+               }
+       }
+
        if (!c->wait(c, my_args.states, my_args.timeout)) {
                lxc_container_put(c);
                return 1;
-- 
2.9.3

++++++ 0006-tools-set-configfile-after-load_config.patch ++++++
>From 700f5c364c4650149006131ded6baf4f85dcd32c Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumil...@proxmox.com>
Date: Fri, 12 Aug 2016 14:49:37 +0200
Subject: [PATCH 06/27] tools: set configfile after load_config

In order to cause c->is_defined() to become true.

Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
---
 src/lxc/tools/lxc_attach.c     | 6 ++++++
 src/lxc/tools/lxc_cgroup.c     | 6 ++++++
 src/lxc/tools/lxc_checkpoint.c | 6 ++++++
 src/lxc/tools/lxc_console.c    | 6 ++++++
 src/lxc/tools/lxc_copy.c       | 5 +++++
 src/lxc/tools/lxc_destroy.c    | 6 ++++++
 src/lxc/tools/lxc_device.c     | 5 +++++
 src/lxc/tools/lxc_freeze.c     | 6 ++++++
 src/lxc/tools/lxc_info.c       | 6 ++++++
 src/lxc/tools/lxc_snapshot.c   | 6 ++++++
 src/lxc/tools/lxc_stop.c       | 5 +++++
 src/lxc/tools/lxc_unfreeze.c   | 6 ++++++
 src/lxc/tools/lxc_wait.c       | 6 ++++++
 13 files changed, 75 insertions(+)

diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index 281f97a..9d71388 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -385,6 +385,12 @@ int main(int argc, char *argv[])
                        lxc_container_put(c);
                        exit(EXIT_FAILURE);
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       ERROR("Out of memory setting new config filename");
+                       lxc_container_put(c);
+                       exit(EXIT_FAILURE);
+               }
        }
 
        if (!c->may_control(c)) {
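Review bot: `c->configfile = strdup(my_args.rcfile);` overwrites the field without releasing whatever it held before. If the container object was created with a config path already stored there (that allocation is outside this hunk, so please confirm), the old string is leaked. Adding `free(c->configfile);` immediately before the assignment would cover it, and is harmless when the field is NULL. The identical block is added to the other twelve tools in this patch (lxc_cgroup.c through lxc_wait.c), so the same change applies there. A one-line comment such as `/* set configfile so that c->is_defined() becomes true for the rcfile config */` would carry the reason from the commit message into the code.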
diff --git a/src/lxc/tools/lxc_cgroup.c b/src/lxc/tools/lxc_cgroup.c
index c644501..4dc2682 100644
--- a/src/lxc/tools/lxc_cgroup.c
+++ b/src/lxc/tools/lxc_cgroup.c
@@ -92,6 +92,12 @@ int main(int argc, char *argv[])
                        lxc_container_put(c);
                        return 1;
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       ERROR("Out of memory setting new config filename");
+                       lxc_container_put(c);
+                       return 1;
+               }
        }
 
        if (!c->may_control(c)) {
diff --git a/src/lxc/tools/lxc_checkpoint.c b/src/lxc/tools/lxc_checkpoint.c
index bc18b80..6de3d23 100644
--- a/src/lxc/tools/lxc_checkpoint.c
+++ b/src/lxc/tools/lxc_checkpoint.c
@@ -222,6 +222,12 @@ int main(int argc, char *argv[])
                        lxc_container_put(c);
                        exit(1);
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       fprintf(stderr, "Out of memory setting new config 
filename\n");
+                       lxc_container_put(c);
+                       exit(1);
+               }
        }
 
        if (!c->may_control(c)) {
diff --git a/src/lxc/tools/lxc_console.c b/src/lxc/tools/lxc_console.c
index 8a4d1c0..829c908 100644
--- a/src/lxc/tools/lxc_console.c
+++ b/src/lxc/tools/lxc_console.c
@@ -120,6 +120,12 @@ int main(int argc, char *argv[])
                        lxc_container_put(c);
                        exit(EXIT_FAILURE);
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       fprintf(stderr, "Out of memory setting new config 
filename\n");
+                       lxc_container_put(c);
+                       exit(EXIT_FAILURE);
+               }
        }
 
        if (!c->may_control(c)) {
diff --git a/src/lxc/tools/lxc_copy.c b/src/lxc/tools/lxc_copy.c
index 900a590..f8ca861 100644
--- a/src/lxc/tools/lxc_copy.c
+++ b/src/lxc/tools/lxc_copy.c
@@ -206,6 +206,11 @@ int main(int argc, char *argv[])
                        fprintf(stderr, "Failed to load rcfile\n");
                        goto out;
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       fprintf(stderr, "Out of memory setting new config 
filename\n");
+                       goto out;
+               }
        }
 
        if (!c->may_control(c)) {
diff --git a/src/lxc/tools/lxc_destroy.c b/src/lxc/tools/lxc_destroy.c
index 50fd708..3f46415 100644
--- a/src/lxc/tools/lxc_destroy.c
+++ b/src/lxc/tools/lxc_destroy.c
@@ -96,6 +96,12 @@ int main(int argc, char *argv[])
                        lxc_container_put(c);
                        exit(EXIT_FAILURE);
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       fprintf(stderr, "Out of memory setting new config 
filename\n");
+                       lxc_container_put(c);
+                       exit(EXIT_FAILURE);
+               }
        }
 
        if (!c->may_control(c)) {
diff --git a/src/lxc/tools/lxc_device.c b/src/lxc/tools/lxc_device.c
index 0f1ee8b..49af062 100644
--- a/src/lxc/tools/lxc_device.c
+++ b/src/lxc/tools/lxc_device.c
@@ -132,6 +132,11 @@ int main(int argc, char *argv[])
                        ERROR("Failed to load rcfile");
                        goto err1;
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       ERROR("Out of memory setting new config filename");
+                       goto err1;
+               }
        }
 
        if (!c->is_running(c)) {
diff --git a/src/lxc/tools/lxc_freeze.c b/src/lxc/tools/lxc_freeze.c
index d0239bf..ac0802e 100644
--- a/src/lxc/tools/lxc_freeze.c
+++ b/src/lxc/tools/lxc_freeze.c
@@ -82,6 +82,12 @@ int main(int argc, char *argv[])
                        lxc_container_put(c);
                        exit(1);
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       ERROR("Out of memory setting new config filename");
+                       lxc_container_put(c);
+                       exit(1);
+               }
        }
 
        if (!c->may_control(c)) {
diff --git a/src/lxc/tools/lxc_info.c b/src/lxc/tools/lxc_info.c
index e833697..08c698d 100644
--- a/src/lxc/tools/lxc_info.c
+++ b/src/lxc/tools/lxc_info.c
@@ -303,6 +303,12 @@ static int print_info(const char *name, const char 
*lxcpath)
                        lxc_container_put(c);
                        return -1;
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       fprintf(stderr, "Out of memory setting new config 
filename\n");
+                       lxc_container_put(c);
+                       return -1;
+               }
        }
 
        if (!c->may_control(c)) {
diff --git a/src/lxc/tools/lxc_snapshot.c b/src/lxc/tools/lxc_snapshot.c
index aa9b6fe..a1166bc 100644
--- a/src/lxc/tools/lxc_snapshot.c
+++ b/src/lxc/tools/lxc_snapshot.c
@@ -115,6 +115,12 @@ int main(int argc, char *argv[])
                        lxc_container_put(c);
                        exit(EXIT_FAILURE);
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       fprintf(stderr, "Out of memory setting new config 
filename\n");
+                       lxc_container_put(c);
+                       exit(EXIT_FAILURE);
+               }
        }
 
        if (!c->may_control(c)) {
diff --git a/src/lxc/tools/lxc_stop.c b/src/lxc/tools/lxc_stop.c
index bbe1f1c..cb7cfe2 100644
--- a/src/lxc/tools/lxc_stop.c
+++ b/src/lxc/tools/lxc_stop.c
@@ -210,6 +210,11 @@ int main(int argc, char *argv[])
                        fprintf(stderr, "Failed to load rcfile\n");
                        goto out;
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       fprintf(stderr, "Out of memory setting new config 
filename\n");
+                       goto out;
+               }
        }
 
        if (!c->may_control(c)) {
diff --git a/src/lxc/tools/lxc_unfreeze.c b/src/lxc/tools/lxc_unfreeze.c
index b7bbea6..24faf5e 100644
--- a/src/lxc/tools/lxc_unfreeze.c
+++ b/src/lxc/tools/lxc_unfreeze.c
@@ -86,6 +86,12 @@ int main(int argc, char *argv[])
                        lxc_container_put(c);
                        exit(1);
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       ERROR("Out of memory setting new config filename");
+                       lxc_container_put(c);
+                       exit(1);
+               }
        }
 
        if (!c->unfreeze(c)) {
diff --git a/src/lxc/tools/lxc_wait.c b/src/lxc/tools/lxc_wait.c
index deeff98..61fd869 100644
--- a/src/lxc/tools/lxc_wait.c
+++ b/src/lxc/tools/lxc_wait.c
@@ -112,6 +112,12 @@ int main(int argc, char *argv[])
                        lxc_container_put(c);
                        return 1;
                }
+               c->configfile = strdup(my_args.rcfile);
+               if (!c->configfile) {
+                       fprintf(stderr, "Out of memory setting new config 
filename\n");
+                       lxc_container_put(c);
+                       return 1;
+               }
        }
 
        if (!c->wait(c, my_args.states, my_args.timeout)) {
-- 
2.9.3

++++++ 0007-doc-add-rcfile-to-common-opts.patch ++++++
>From d36ccc89dbd1dd1e564a70999f0780d08e48cab5 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumil...@proxmox.com>
Date: Fri, 12 Aug 2016 14:55:42 +0200
Subject: [PATCH 07/27] doc: add --rcfile to common opts

Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
---
 doc/common_options.sgml.in | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/doc/common_options.sgml.in b/doc/common_options.sgml.in
index 38783dd..978c0ba 100644
--- a/doc/common_options.sgml.in
+++ b/doc/common_options.sgml.in
@@ -107,6 +107,21 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, 
MA 02110-1301 USA
     </varlistentry>
 
     <varlistentry>
+      <term><option>--rcfile=<replaceable>FILE</replaceable></option></term>
+      <listitem>
+       <para>
+         Specify the configuration file to configure the virtualization
+         and isolation functionalities for the container.
+       </para>
+       <para>
+        This configuration file if present will be used even if there is
+        already a configuration file present in the previously created
+        container (via lxc-create).
+       </para>
+      </listitem>
+    </varlistentry>
+
+    <varlistentry>
       <term><option>--version</option></term>
       <listitem>
         <para>
-- 
2.9.3

++++++ 0008-doc-Update-Korean-lxc-attach-1.patch ++++++
>From d2fc8f3bac94504ff99c26bdbb31007703c8ac43 Mon Sep 17 00:00:00 2001
From: Sungbae Yoo <sungbae....@samsung.com>
Date: Thu, 18 Aug 2016 16:36:24 +0900
Subject: [PATCH 08/27] doc: Update Korean lxc-attach(1)

 * Update for commit 03b0398
 * Fix mistranslated words

Signed-off-by: Sungbae Yoo <sungbae....@samsung.com>
---
 doc/ko/lxc-attach.sgml.in | 91 ++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 75 insertions(+), 16 deletions(-)

diff --git a/doc/ko/lxc-attach.sgml.in b/doc/ko/lxc-attach.sgml.in
index eb7baf0..7a7dfa5 100644
--- a/doc/ko/lxc-attach.sgml.in
+++ b/doc/ko/lxc-attach.sgml.in
@@ -55,15 +55,18 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>lxc-attach</command>
-      <arg choice="req">-n <replaceable>name</replaceable></arg>
-      <arg choice="opt">-a <replaceable>arch</replaceable></arg>
-      <arg choice="opt">-e</arg>
-      <arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
-      <arg choice="opt">-R</arg>
+      <arg choice="req">-n, --name <replaceable>name</replaceable></arg>
+      <arg choice="opt">-f, --rcfile 
<replaceable>config_file</replaceable></arg>
+      <arg choice="opt">-a, --arch <replaceable>arch</replaceable></arg>
+      <arg choice="opt">-e, --elevated-privileges 
<replaceable>privileges</replaceable></arg>
+      <arg choice="opt">-s, --namespaces 
<replaceable>namespaces</replaceable></arg>
+      <arg choice="opt">-R, --remount-sys-proc</arg>
       <arg choice="opt">--keep-env</arg>
       <arg choice="opt">--clear-env</arg>
+      <arg choice="opt">-L, --pty-log <replaceable>file</replaceable></arg>
+      <arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>
+      <arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>
       <arg choice="opt">-- <replaceable>command</replaceable></arg>
-      <arg choice="opt">-L <replaceable>file</replaceable></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -107,10 +110,10 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
       will not try to allocate a pseudo terminal. Instead it will simply attach
       to the containers namespaces and run a shell or the specified command.
       -->
-      이전 버전의 <command>lxc-attach</command>는 단순히 컨테이너의 특정 네임스페이스에 붙어, 쉘을 실행하거나 
첫 번째 pseudo 터미널 할당 없이 특정 명령어를 실행하였다.
+      이전 버전의 <command>lxc-attach</command>는 단순히 컨테이너의 특정 네임스페이스 내에서 쉘이나 명령어를 
pseudo 터미널 할당 없이 실행하였다.
       이는 다른 특권 수준을 갖는 사용자 영역 컨텍스트 간의 전환후 TIOCSTI <command>ioctl</command>를 
호출하여 입력을 가로챌 수 있는 취약점이 있다.
-      새로운 버전의 <command>lxc-attach</command>는 쉘이나 명령어를 실행하기 전에, pseudo 터미널 
마스터/슬레이브 쌍을 호스트에 할당하고 터미널을 가리키고 있던 표준 입출력 파일 디스크립터들은 슬레이브 pseudo 터미널로 붙인다.
-      터미널을 가리키고 있던 표준 입출력 파일 디스크립터가 아예 없었다면, <command>lxc-attach</command>는 
pseudo 터미널 할당을 시도하지 않음에 주의해야 한다. 단순히 컨테이너 네임스페이스에 붙어 쉘이나 지정한 명령어만 실행할 뿐이다.
+      새로운 버전의 <command>lxc-attach</command>는 쉘이나 명령어를 실행하기 전, 호스트에서 pseudo 터미널 
마스터/슬레이브 쌍을 할당하고, 터미널을 가리키고 있던 표준 입출력 파일 디스크립터들을 pseudo 터미널의 슬레이브로 연결한다.
+      터미널을 가리키고 있던 표준 입출력 파일 디스크립터가 아예 없었다면, <command>lxc-attach</command>는 
pseudo 터미널 할당을 시도하지 않음에 주의해야 한다. 단순히 컨테이너 네임스페이스 내부에서 쉘이나 지정한 명령어를 실행할 뿐이다.
     </para>
 
   </refsect1>
@@ -123,6 +126,29 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
 
       <varlistentry>
        <term>
+       <option>-f, --rcfile <replaceable>config_file</replaceable></option>
+       </term>
+       <listitem>
+         <para>
+         <!--
+           Specify the configuration file to configure the virtualization
+           and isolation functionalities for the container.
+        -->
+               컨테이너의 가상화 및 고립 기능들을 설정할 파일을 지정한다.
+         </para>
+         <para>
+        <!--
+           This configuration file if present will be used even if there is
+           already a configuration file present in the previously created
+           container (via lxc-create).
+        -->
+       이전에 만들어졌던 컨테이너에 설정 파일이 이미 있더라도, 이 옵션이 지정되어 있다면 해당 파일을 사용한다.
+         </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
+       <term>
          <option>-a, --arch <replaceable>arch</replaceable></option>
        </term>
        <listitem>
@@ -217,7 +243,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
             <replaceable>MOUNT\|PID</replaceable> or quoted, e.g.
             <replaceable>"MOUNT|PID"</replaceable>.)
             -->
-            붙일 네임스페이스를 지정한다. <replaceable>NETWORK|IPC</replaceable>와 같이 
파이프(|)로 구분된 리스트를 사용할 수 있다. 허용되는 값은 <replaceable>MOUNT</replaceable>, 
<replaceable>PID</replaceable>, <replaceable>UTSNAME</replaceable>, 
<replaceable>IPC</replaceable>, <replaceable>USER </replaceable>, 
<replaceable>NETWORK</replaceable>이다. 이를 사용하여, 컨테이너의 네트워크 네임스페이스를 사용하면서도 다른 
네임스페이스는 호스트의 것을 그대로 사용하는 등의 조작이 가능하다.
+           컨테이너의 어떤 네임스페이스와 연결할지 지정한다. <replaceable>NETWORK|IPC</replaceable>와 
같이 파이프(|)로 구분된 리스트를 사용할 수 있다. 허용되는 값은 <replaceable>MOUNT</replaceable>, 
<replaceable>PID</replaceable>, <replaceable>UTSNAME</replaceable>, 
<replaceable>IPC</replaceable>, <replaceable>USER </replaceable>, 
<replaceable>NETWORK</replaceable>이다. 이를 사용하여, 컨테이너의 네트워크 네임스페이스를 사용하면서도 다른 
네임스페이스는 호스트의 것을 그대로 사용하는 등의 조작이 가능하다.
             (파이프 기호는 <replaceable>MOUNT\|PID</replaceable>처럼 \로 처리를 해주거나, 
<replaceable>"MOUNT|PID"</replaceable>처럼 따옴표를 붙여야 한다.)
          </para>
          <para>
@@ -258,7 +284,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
            This option will be ignored if one tries to attach to the
            mount namespace anyway.
             -->
-            만약 마운트 네임스페이스에 attach하려고 한다면, 이 옵션은 무시된다.
+            만약 마운트 네임스페이스에 연결하려고 한다면, 이 옵션은 무시된다.
          </para>
        </listitem>
       </varlistentry>
@@ -278,7 +304,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
            please use this option to be future-proof. In addition to
            current environment variables, container=lxc will be set.
             -->
-            현재의 환경변수를 attach될 프로그램에도 그대로 적용한다. 이것은 현재 기본 동작이지만 (버전 0.9에서), 향후에 
충분히 바뀔 수도 있다. 왜냐하면, 이것은 컨테이너에게 바람직하지 않은 정보를 넘겨줄 수 있는 위험성이 있기 때문이다. 따라서 이 기능에 
의존하고 있다면, 향후에도 이를 보장할 수 있도록 이 옵션을 사용하는 것이 좋다. 또한 현재 환경 변수와 더불어, container=lxc도 
설정된다.
+            현재의 환경변수를 실행할 프로그램에도 그대로 적용한다. 이것은 현재 기본 동작이지만 (버전 0.9에서), 향후에 충분히 
바뀔 수도 있다. 왜냐하면, 이것은 컨테이너에게 바람직하지 않은 정보를 넘겨줄 수 있는 위험성이 있기 때문이다. 따라서 이 기능에 의존하고 
있다면, 향후에도 이를 보장할 수 있도록 이 옵션을 사용하는 것이 좋다. 또한 현재 환경 변수와 더불어, container=lxc도 설정된다.
          </para>
        </listitem>
       </varlistentry>
@@ -295,8 +321,8 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
            container=lxc will be the only environment with which the
            attached program starts.
             -->
-            attach하기 전에 모든 환경변수를 지운다.
-            이를 통해 바람직하지 않은 환경변수 누출을 막을 수 있다. container=lxc 만이 attach된 프로그램이 
실행되기 전에 설정되는 유일한 환경변수이다.
+            프로그램을 실행하기 전에 모든 환경변수를 지운다.
+            이를 통해 바람직하지 않은 환경변수 누출을 막을 수 있다. container=lxc 만이 프로그램이 실행되기 전에 
설정되는 유일한 환경변수이다.
          </para>
        </listitem>
       </varlistentry>
@@ -322,6 +348,39 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
           </para>
         </listitem>
       </varlistentry>
+     <varlistentry>
+       <term>
+         <option>-v, --set-var <replaceable>variable</replaceable></option>
+       </term>
+       <listitem>
+         <para>
+           <!--
+           Set an additional environment variable that is seen by the
+           attached program in the container. It is specified in the
+           form of "VAR=VALUE", and can be specified multiple times.
+           -->
+        컨테이너 내에서 실행되는 프로그램이 볼 수 있는 환경변수를 추가한다.
+        이는 "VAR=VALUE" 형태로 지정되며, 여러 번 지정할 수 있다.
+         </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry>
+       <term>
+         <option>--keep-var <replaceable>variable</replaceable></option>
+       </term>
+       <listitem>
+         <para>
+           <!--
+           Keep a specified environment variable. It can only be
+           specified in conjunction
+           with <replaceable>\-\-clear-env</replaceable>, and can be
+           specified multiple times.
+           -->
+        <replaceable>\-\-clear-env</replaceable>와 함께 사용되며, 지정한 환경변수를 지우지 않고 
그대로 유지한다. 여러 번 지정할 수 있다.
+         </para>
+       </listitem>
+      </varlistentry>
 
     </variablelist>
 
@@ -399,7 +458,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
       Attaching to user namespaces is supported by kernel 3.8 or higher
       with enabling user namespace.
       -->
-      사용자 네임스페이스에 attach하기 위해서는 커널 버전이 3.8 이상이어야 하고 사용자 네임스페이스가 활성화되어야 한다.
+      사용자 네임스페이스와 연결되기 위해서는 커널 버전이 3.8 이상이어야 하고 사용자 네임스페이스가 활성화되어야 한다.
     </para>
   </refsect1>
 
@@ -419,7 +478,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
       <replaceable>/sys</replaceable>.
       -->
       리눅스의 <replaceable>/proc</replaceable>와 <replaceable>/sys</replaceable> 
파일시스템은 네임스페이스의해 영향받는 몇가지 정보들을 포함하고 있다. 예를 들어 <replaceable>/proc</replaceable>의 
프로세스 id로 된 폴더들이나 <replaceable>/sys/class/net</replaceable>의 네트워크 인터페이스 정보 등이다.
-의사파일시스템을 마운트하는 프로세스의 네임스페이스가 여기에 어떤 정보를 표시할지 결정하는 것이지, 
<replaceable>/proc</replaceable> 또는 <replaceable>/sys</replaceable>에 접근하는 프로세스의 
네임스페이스가 결정하는 것은 <emphasis>아니다.</emphasis>
+pseudo 파일시스템을 마운트하는 프로세스의 네임스페이스가 여기에 어떤 정보를 표시할지 결정하는 것이지, 
<replaceable>/proc</replaceable> 또는 <replaceable>/sys</replaceable>에 접근하는 프로세스의 
네임스페이스가 결정하는 것은 <emphasis>아니다.</emphasis>
     </para>
     <para>
       <!--
-- 
2.9.3

++++++ 0009-doc-Add-rcfile-to-Korean-common-opts.patch ++++++
>From 88a2aad66bfd4aec5da8ff684572cb98a4ce981d Mon Sep 17 00:00:00 2001
From: Sungbae Yoo <sungbae....@samsung.com>
Date: Thu, 18 Aug 2016 16:49:26 +0900
Subject: [PATCH 09/27] doc: Add --rcfile to Korean common opts

Update for commit 71d74a8

Signed-off-by: Sungbae Yoo <sungbae....@samsung.com>
---
 doc/ko/common_options.sgml.in | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/doc/ko/common_options.sgml.in b/doc/ko/common_options.sgml.in
index a7c405e..9e8b1b1 100644
--- a/doc/ko/common_options.sgml.in
+++ b/doc/ko/common_options.sgml.in
@@ -141,6 +141,27 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
     </varlistentry>
 
     <varlistentry>
+      <term><option>--rcfile=<replaceable>FILE</replaceable></option></term>
+      <listitem>
+       <para>
+         <!--
+         Specify the configuration file to configure the virtualization
+         and isolation functionalities for the container.
+         -->
+         컨테이너의 가상화 및 고립 기능들을 설정할 파일을 지정한다.
+       </para>
+       <para>
+         <!--
+         This configuration file if present will be used even if there is
+         already a configuration file present in the previously created
+         container (via lxc-create).
+         -->
+         이전에 만들어졌던 컨테이너에 설정 파일이 이미 있더라도, 이 옵션이 지정되어 있다면 해당 파일을 사용한다.
+       </para>
+      </listitem>
+    </varlistentry>
+
+    <varlistentry>
       <term><option>--version</option></term>
       <listitem>
        <para>
-- 
2.9.3

++++++ 0010-doc-Add-rcfile-to-Japanese-common-opts.patch ++++++
>From e30ace060250dbf0ed50cb117db8f123779d6136 Mon Sep 17 00:00:00 2001
From: Sungbae Yoo <sungbae....@samsung.com>
Date: Thu, 18 Aug 2016 17:09:00 +0900
Subject: [PATCH 10/27] doc: Add --rcfile to Japanese common opts

Update for commit 71d74a8

Signed-off-by: Sungbae Yoo <sungbae....@samsung.com>
---
 doc/ja/common_options.sgml.in | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/doc/ja/common_options.sgml.in b/doc/ja/common_options.sgml.in
index 912298f..5360945 100644
--- a/doc/ja/common_options.sgml.in
+++ b/doc/ja/common_options.sgml.in
@@ -141,6 +141,27 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
     </varlistentry>
 
     <varlistentry>
+     <term><option>--rcfile=<replaceable>FILE</replaceable></option></term>
+      <listitem>
+       <para>
+         <!--
+         Specify the configuration file to configure the virtualization
+         and isolation functionalities for the container.
+         -->
+         コンテナの仮想化、隔離機能の設定のための設定ファイルを指定します。
+       </para>
+       <para>
+         <!--
+         This configuration file if present will be used even if there is
+         already a configuration file present in the previously created
+         container (via lxc-create).
+         -->
+         (lxc-create 経由で) 
前もってコンテナが作られた際の設定ファイルが既にあった場合でも、このオプションが指定された場合は、指定した設定ファイルが使用されます。
+       </para>
+      </listitem>
+    </varlistentry>
+
+    <varlistentry>
       <term><option>--version</option></term>
       <listitem>
         <para>
-- 
2.9.3

++++++ 0011-tools-use-exit-EXIT_-everywhere.patch ++++++
++++ 986 lines (skipped)

++++++ 0012-tools-unify-exit-calls-outside-of-main.patch ++++++
>From d61666a3c3d3925dab671947d55a7af6a2448bc3 Mon Sep 17 00:00:00 2001
From: Christian Brauner <cbrau...@suse.de>
Date: Thu, 18 Aug 2016 11:11:34 +0200
Subject: [PATCH 12/27] tools: unify exit() calls outside of main()

This also changes the help exit status of lxc-unshare and lxc-usernsexec. So
far they did exit(EXIT_FAILURE) whereas all other tools do exit(EXIT_SUCCESS).
Let's align them with the rest of the tools. This should be safe to do.

Signed-off-by: Christian Brauner <cbrau...@suse.de>
---
 src/lxc/tools/lxc_clone.c      |  2 +-
 src/lxc/tools/lxc_config.c     |  4 ++--
 src/lxc/tools/lxc_device.c     |  6 +++---
 src/lxc/tools/lxc_unshare.c    | 10 +++++-----
 src/lxc/tools/lxc_usernsexec.c |  2 +-
 5 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/lxc/tools/lxc_clone.c b/src/lxc/tools/lxc_clone.c
index 6bd2226..e7ecd0c 100644
--- a/src/lxc/tools/lxc_clone.c
+++ b/src/lxc/tools/lxc_clone.c
@@ -89,7 +89,7 @@ static void usage(const char *me)
        printf("  -p: use container orig from custom lxcpath\n");
        printf("  -P: create container new in custom lxcpath\n");
        printf("  -R: rename existing container\n");
-       exit(1);
+       exit(EXIT_SUCCESS);
 }
 
 static struct option options[] = {
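Review bot: `exit(EXIT_SUCCESS)` in usage() turns the previous status 1 into 0, yet the commit message names only lxc-unshare and lxc-usernsexec as changing their help exit status. This hunk and the usage() hunk in lxc_config.c make the same switch. If usage() is also reached on invalid or missing arguments (the call sites are outside the hunks), scripts that test the exit status will treat a rejected command line as success. I would give usage() a status parameter, or have the argument-error paths exit with `EXIT_FAILURE` themselves, so that only an explicit help request returns 0. The description should also mention lxc-clone and lxc-config.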
diff --git a/src/lxc/tools/lxc_config.c b/src/lxc/tools/lxc_config.c
index 998fa32..c26b1a0 100644
--- a/src/lxc/tools/lxc_config.c
+++ b/src/lxc/tools/lxc_config.c
@@ -45,7 +45,7 @@ static void usage(char *me)
 {
        printf("Usage: %s -l: list all available configuration items\n", me);
        printf("       %s item: print configuration item\n", me);
-       exit(1);
+       exit(EXIT_SUCCESS);
 }
 
 static void list_config_items(void)
@@ -54,7 +54,7 @@ static void list_config_items(void)
 
        for (i = &items[0]; i->name; i++)
                printf("%s\n", i->name);
-       exit(0);
+       exit(EXIT_SUCCESS);
 }
 
 int main(int argc, char *argv[])
diff --git a/src/lxc/tools/lxc_device.c b/src/lxc/tools/lxc_device.c
index 9cd7614..abf52b9 100644
--- a/src/lxc/tools/lxc_device.c
+++ b/src/lxc/tools/lxc_device.c
@@ -66,7 +66,7 @@ static bool is_interface(const char* dev_name, pid_t pid)
 
        if (p < 0) {
                SYSERROR("failed to fork task.");
-               exit(1);
+               exit(EXIT_FAILURE);
        }
 
        if (p == 0) {
@@ -86,10 +86,10 @@ static bool is_interface(const char* dev_name, pid_t pid)
                /* Iterate through the interfaces */
                for (tempIfAddr = interfaceArray; tempIfAddr != NULL; 
tempIfAddr = tempIfAddr->ifa_next) {
                        if (strcmp(tempIfAddr->ifa_name, dev_name) == 0) {
-                               exit(0);
+                               exit(EXIT_SUCCESS);
                        }
                }
-               exit(1);
+               exit(EXIT_FAILURE);
        }
 
        if (wait_for_pid(p) == 0) {
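Review bot: The `exit(EXIT_SUCCESS)` and `exit(EXIT_FAILURE)` calls inside and after the interface loop appear to run in the forked child (the `if (p == 0) {` line is the last context line of the previous hunk). There, `exit()` runs atexit handlers and flushes stdio buffers copied from the parent, which can duplicate pending output. `_exit(EXIT_SUCCESS);` and `_exit(EXIT_FAILURE);` would report the result to `wait_for_pid()` without those side effects. is_interface() starts and ends outside the hunk.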
diff --git a/src/lxc/tools/lxc_unshare.c b/src/lxc/tools/lxc_unshare.c
index 646c97f..6c9423f 100644
--- a/src/lxc/tools/lxc_unshare.c
+++ b/src/lxc/tools/lxc_unshare.c
@@ -77,7 +77,7 @@ static void usage(char *cmd)
        fprintf(stderr, "\t -H <hostname>: Set the hostname in the 
container\n");
        fprintf(stderr, "\t -d           : Daemonize (do not wait for container 
to exit)\n");
        fprintf(stderr, "\t -M           : reMount default fs inside container 
(/proc /dev/shm /dev/mqueue)\n");
-       _exit(1);
+       _exit(EXIT_SUCCESS);
 }
 
 static bool lookup_user(const char *optarg, uid_t *uid)
@@ -134,13 +134,13 @@ static int do_start(void *arg)
        if ((flags & CLONE_NEWUTS) && want_hostname)
                if (sethostname(want_hostname, strlen(want_hostname)) < 0) {
                        ERROR("failed to set hostname %s: %s", want_hostname, 
strerror(errno));
-                       exit(1);
+                       exit(EXIT_FAILURE);
                }
 
        // Setuid is useful even without a new user id space
        if (start_arg->setuid && setuid(uid)) {
                ERROR("failed to set uid %d: %s", uid, strerror(errno));
-               exit(1);
+               exit(EXIT_FAILURE);
        }
 
        execvp(args[0], args);
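Review bot: The only identity change visible before `execvp(args[0], args)` is `setuid(uid)`. If no `setgid()`/`setgroups()` call precedes it outside the hunk, the executed program keeps the invoking user's group and supplementary group IDs. That is usually more privilege than intended when switching to another user. Any such calls have to come before `setuid()`, because afterwards the process may no longer be permitted to change its groups. If keeping the groups is deliberate, a comment next to the existing `// Setuid is useful even without a new user id space` line should say so. do_start() starts and ends outside the hunk.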
@@ -177,7 +177,7 @@ int main(int argc, char *argv[])
                case 'i':
                        if (!(tmpif = malloc(sizeof(*tmpif)))) {
                                perror("malloc");
-                               exit(1);
+                               exit(EXIT_FAILURE);
                        }
                        tmpif->mi_ifname = optarg;
                        tmpif->mi_next = my_iflist;
@@ -246,7 +246,7 @@ int main(int argc, char *argv[])
        }
 
        if (daemonize)
-               exit(0);
+               exit(EXIT_SUCCESS);
 
        if (waitpid(pid, &status, 0) < 0) {
                ERROR("failed to wait for '%d'", pid);
diff --git a/src/lxc/tools/lxc_usernsexec.c b/src/lxc/tools/lxc_usernsexec.c
index 6ba9d1e..d4c730a 100644
--- a/src/lxc/tools/lxc_usernsexec.c
+++ b/src/lxc/tools/lxc_usernsexec.c
@@ -71,7 +71,7 @@ static void usage(const char *name)
        printf("  Note: This program uses newuidmap(2) and newgidmap(2).\n");
        printf("        As such, /etc/subuid and /etc/subgid must grant the\n");
        printf("        calling user permission to use the mapped ranges\n");
-       exit(1);
+       exit(EXIT_SUCCESS);
 }
 
 static void opentty(const char * tty, int which) {
-- 
2.9.3

++++++ 0013-utils-Add-mips-signalfd-syscall-numbers.patch ++++++
>From 5837b986d840a34e1e185fa4b88369e00bb66315 Mon Sep 17 00:00:00 2001
From: James Cowgill <james...@cowgill.org.uk>
Date: Fri, 12 Aug 2016 15:54:14 +0000
Subject: [PATCH 13/27] utils: Add mips signalfd syscall numbers

Signed-off-by: James Cowgill <james...@cowgill.org.uk>
---
 src/lxc/utils.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index b541e07..98b4e13 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -117,6 +117,12 @@ struct signalfd_siginfo
 #      define __NR_signalfd4 322
 #    elif __arm__
 #      define __NR_signalfd4 355
+#    elif __mips__ && _MIPS_SIM == _ABIO32
+#      define __NR_signalfd4 4324
+#    elif __mips__ && _MIPS_SIM == _ABI64
+#      define __NR_signalfd4 5283
+#    elif __mips__ && _MIPS_SIM == _ABIN32
+#      define __NR_signalfd4 6287
 #    endif
 #endif
 
@@ -132,6 +138,12 @@ struct signalfd_siginfo
 #      define __NR_signalfd 316
 #    elif __arm__
 #      define __NR_signalfd 349
+#    elif __mips__ && _MIPS_SIM == _ABIO32
+#      define __NR_signalfd 4317
+#    elif __mips__ && _MIPS_SIM == _ABI64
+#      define __NR_signalfd 5276
+#    elif __mips__ && _MIPS_SIM == _ABIN32
+#      define __NR_signalfd 6280
 #    endif
 #endif
 
-- 
2.9.3

++++++ 0014-seccomp-Implement-MIPS-seccomp-handling.patch ++++++
>From 39df19c4f72408f9961cd05e8a31a3a91e477896 Mon Sep 17 00:00:00 2001
From: James Cowgill <james...@cowgill.org.uk>
Date: Mon, 15 Aug 2016 16:09:44 +0000
Subject: [PATCH 14/27] seccomp: Implement MIPS seccomp handling

MIPS processors implement 3 ABIs: o32, n64 and n32 (similar to x32). The kernel
treats each ABI separately so syscalls disallowed on "all" arches should be
added to all three seccomp sets. This is implemented by expanding compat_arch
and compat_ctx to accept two compat architectures.

After this, the MIPS hostarch detection code and config section code is added.

Signed-off-by: James Cowgill <james...@cowgill.org.uk>
---
 src/lxc/seccomp.c | 141 +++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 123 insertions(+), 18 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 451e315..0374eca 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -125,9 +125,23 @@ enum lxc_hostarch_t {
        lxc_seccomp_arch_ppc64,
        lxc_seccomp_arch_ppc64le,
        lxc_seccomp_arch_ppc,
+       lxc_seccomp_arch_mips,
+       lxc_seccomp_arch_mips64,
+       lxc_seccomp_arch_mips64n32,
+       lxc_seccomp_arch_mipsel,
+       lxc_seccomp_arch_mipsel64,
+       lxc_seccomp_arch_mipsel64n32,
        lxc_seccomp_arch_unknown = 999,
 };
 
+#ifdef __MIPSEL__
+# define MIPS_ARCH_O32 lxc_seccomp_arch_mipsel
+# define MIPS_ARCH_N64 lxc_seccomp_arch_mipsel64
+#else
+# define MIPS_ARCH_O32 lxc_seccomp_arch_mips
+# define MIPS_ARCH_N64 lxc_seccomp_arch_mips64
+#endif
+
 int get_hostarch(void)
 {
        struct utsname uts;
@@ -149,6 +163,10 @@ int get_hostarch(void)
                return lxc_seccomp_arch_ppc64;
        else if (strncmp(uts.machine, "ppc", 3) == 0)
                return lxc_seccomp_arch_ppc;
+       else if (strncmp(uts.machine, "mips64", 6) == 0)
+               return MIPS_ARCH_N64;
+       else if (strncmp(uts.machine, "mips", 4) == 0)
+               return MIPS_ARCH_O32;
        return lxc_seccomp_arch_unknown;
 }
 
@@ -174,6 +192,14 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, 
uint32_t default_policy_
 #ifdef SCMP_ARCH_PPC
        case lxc_seccomp_arch_ppc: arch = SCMP_ARCH_PPC; break;
 #endif
+#ifdef SCMP_ARCH_MIPS
+       case lxc_seccomp_arch_mips: arch = SCMP_ARCH_MIPS; break;
+       case lxc_seccomp_arch_mips64: arch = SCMP_ARCH_MIPS64; break;
+       case lxc_seccomp_arch_mips64n32: arch = SCMP_ARCH_MIPS64N32; break;
+       case lxc_seccomp_arch_mipsel: arch = SCMP_ARCH_MIPSEL; break;
+       case lxc_seccomp_arch_mipsel64: arch = SCMP_ARCH_MIPSEL64; break;
+       case lxc_seccomp_arch_mipsel64n32: arch = SCMP_ARCH_MIPSEL64N32; break;
+#endif
        default: return NULL;
        }
 
@@ -260,12 +286,12 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 {
        char *p;
        int ret;
-       scmp_filter_ctx compat_ctx = NULL;
+       scmp_filter_ctx compat_ctx[2] = { NULL, NULL };
        bool blacklist = false;
        uint32_t default_policy_action = -1, default_rule_action = -1, action;
        enum lxc_hostarch_t native_arch = get_hostarch(),
                            cur_rule_arch = native_arch;
-       uint32_t compat_arch = SCMP_ARCH_NATIVE;
+       uint32_t compat_arch[2] = { SCMP_ARCH_NATIVE, SCMP_ARCH_NATIVE };
 
        if (strncmp(line, "blacklist", 9) == 0)
                blacklist = true;
@@ -295,27 +321,49 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 
        if (native_arch == lxc_seccomp_arch_amd64) {
                cur_rule_arch = lxc_seccomp_arch_all;
-               compat_arch = SCMP_ARCH_X86;
-               compat_ctx = get_new_ctx(lxc_seccomp_arch_i386,
+               compat_arch[0] = SCMP_ARCH_X86;
+               compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_i386,
                                default_policy_action);
-               if (!compat_ctx)
+               if (!compat_ctx[0])
                        goto bad;
 #ifdef SCMP_ARCH_PPC
        } else if (native_arch == lxc_seccomp_arch_ppc64) {
                cur_rule_arch = lxc_seccomp_arch_all;
-               compat_arch = SCMP_ARCH_PPC;
-               compat_ctx = get_new_ctx(lxc_seccomp_arch_ppc,
+               compat_arch[0] = SCMP_ARCH_PPC;
+               compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_ppc,
                                default_policy_action);
-               if (!compat_ctx)
+               if (!compat_ctx[0])
                        goto bad;
 #endif
 #ifdef SCMP_ARCH_ARM
        } else if (native_arch == lxc_seccomp_arch_arm64) {
                cur_rule_arch = lxc_seccomp_arch_all;
-               compat_arch = SCMP_ARCH_ARM;
-               compat_ctx = get_new_ctx(lxc_seccomp_arch_arm,
+               compat_arch[0] = SCMP_ARCH_ARM;
+               compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_arm,
+                               default_policy_action);
+               if (!compat_ctx[0])
+                       goto bad;
+#endif
+#ifdef SCMP_ARCH_MIPS
+       } else if (native_arch == lxc_seccomp_arch_mips64) {
+               cur_rule_arch = lxc_seccomp_arch_all;
+               compat_arch[0] = SCMP_ARCH_MIPS;
+               compat_arch[1] = SCMP_ARCH_MIPS64N32;
+               compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_mips,
+                               default_policy_action);
+               compat_ctx[1] = get_new_ctx(lxc_seccomp_arch_mips64n32,
+                               default_policy_action);
+               if (!compat_ctx[0] || !compat_ctx[1])
+                       goto bad;
+       } else if (native_arch == lxc_seccomp_arch_mipsel64) {
+               cur_rule_arch = lxc_seccomp_arch_all;
+               compat_arch[0] = SCMP_ARCH_MIPSEL;
+               compat_arch[1] = SCMP_ARCH_MIPSEL64N32;
+               compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_mipsel,
                                default_policy_action);
-               if (!compat_ctx)
+               compat_ctx[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32,
+                               default_policy_action);
+               if (!compat_ctx[0] || !compat_ctx[1])
                        goto bad;
 #endif
        }
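Review bot: The `native_arch == lxc_seccomp_arch_mips64` and `lxc_seccomp_arch_mipsel64` branches trust a value that get_hostarch() (second hunk of this patch) derives from `uts.machine`, which names the kernel's architecture rather than the ABI lxc was built for. An o32 or n32 build running on a mips64 kernel would therefore be treated as n64-native, and `get_new_ctx(lxc_seccomp_arch_mips, ...)` would then ask libseccomp to add what is presumably already that build's native arch. I have not verified how libseccomp answers, but either outcome (policy load failure, or an ABI left without rules) deserves explicit handling. Consider selecting the native ABI from `_MIPS_SIM`, as patch 13 does in utils.h, and at minimum add a comment such as `/* uts.machine is the kernel arch; assumes lxc itself is an n64 build */`. parse_config_v2 starts and ends outside this hunk.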
@@ -413,6 +461,53 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                                cur_rule_arch = lxc_seccomp_arch_ppc;
                        }
 #endif
+#ifdef SCMP_ARCH_MIPS
+                       else if (strcmp(line, "[mips64]") == 0 ||
+                                       strcmp(line, "[MIPS64]") == 0) {
+                               if (native_arch != lxc_seccomp_arch_mips64) {
+                                       cur_rule_arch = 
lxc_seccomp_arch_unknown;
+                                       continue;
+                               }
+                               cur_rule_arch = lxc_seccomp_arch_mips64;
+                       } else if (strcmp(line, "[mips64n32]") == 0 ||
+                                       strcmp(line, "[MIPS64N32]") == 0) {
+                               if (native_arch != lxc_seccomp_arch_mips64) {
+                                       cur_rule_arch = 
lxc_seccomp_arch_unknown;
+                                       continue;
+                               }
+                               cur_rule_arch = lxc_seccomp_arch_mips64n32;
+                       } else if (strcmp(line, "[mips]") == 0 ||
+                                       strcmp(line, "[MIPS]") == 0) {
+                               if (native_arch != lxc_seccomp_arch_mips &&
+                                               native_arch != 
lxc_seccomp_arch_mips64) {
+                                       cur_rule_arch = 
lxc_seccomp_arch_unknown;
+                                       continue;
+                               }
+                               cur_rule_arch = lxc_seccomp_arch_mips;
+                       } else if (strcmp(line, "[mipsel64]") == 0 ||
+                                       strcmp(line, "[MIPSEL64]") == 0) {
+                               if (native_arch != lxc_seccomp_arch_mipsel64) {
+                                       cur_rule_arch = 
lxc_seccomp_arch_unknown;
+                                       continue;
+                               }
+                               cur_rule_arch = lxc_seccomp_arch_mipsel64;
+                       } else if (strcmp(line, "[mipsel64n32]") == 0 ||
+                                       strcmp(line, "[MIPSEL64N32]") == 0) {
+                               if (native_arch != lxc_seccomp_arch_mipsel64) {
+                                       cur_rule_arch = 
lxc_seccomp_arch_unknown;
+                                       continue;
+                               }
+                               cur_rule_arch = lxc_seccomp_arch_mipsel64n32;
+                       } else if (strcmp(line, "[mipsel]") == 0 ||
+                                       strcmp(line, "[MIPSEL]") == 0) {
+                               if (native_arch != lxc_seccomp_arch_mipsel &&
+                                               native_arch != 
lxc_seccomp_arch_mipsel64) {
+                                       cur_rule_arch = 
lxc_seccomp_arch_unknown;
+                                       continue;
+                               }
+                               cur_rule_arch = lxc_seccomp_arch_mipsel;
+                       }
+#endif
                        else
                                goto bad_arch;
 
@@ -432,14 +527,18 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 
                if (cur_rule_arch == native_arch ||
                    cur_rule_arch == lxc_seccomp_arch_native ||
-                   compat_arch == SCMP_ARCH_NATIVE) {
+                   compat_arch[0] == SCMP_ARCH_NATIVE) {
                        INFO("Adding native rule for %s action %d", line, 
action);
                        if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, 
conf->seccomp_ctx, action))
                                goto bad_rule;
                }
                else if (cur_rule_arch != lxc_seccomp_arch_all) {
+                       int arch_index =
+                               cur_rule_arch == lxc_seccomp_arch_mips64n32 ||
+                               cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 
1 : 0;
+
                        INFO("Adding compat-only rule for %s action %d", line, 
action);
-                       if (!do_resolve_add_rule(compat_arch, line, compat_ctx, 
action))
+                       if (!do_resolve_add_rule(compat_arch[arch_index], line, 
compat_ctx[arch_index], action))
                                goto bad_rule;
                }
                else {
@@ -447,14 +546,18 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                        if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, 
conf->seccomp_ctx, action))
                                goto bad_rule;
                        INFO("Adding compat rule for %s action %d", line, 
action);
-                       if (!do_resolve_add_rule(compat_arch, line, compat_ctx, 
action))
+                       if (!do_resolve_add_rule(compat_arch[0], line, 
compat_ctx[0], action))
+                               goto bad_rule;
+                       if (compat_arch[1] != SCMP_ARCH_NATIVE &&
+                               !do_resolve_add_rule(compat_arch[1], line, 
compat_ctx[1], action))
                                goto bad_rule;
                }
        }
 
-       if (compat_ctx) {
+       if (compat_ctx[0]) {
                INFO("Merging in the compat seccomp ctx into the main one");
-               if (seccomp_merge(conf->seccomp_ctx, compat_ctx) != 0) {
+               if (seccomp_merge(conf->seccomp_ctx, compat_ctx[0]) != 0 ||
+                       (compat_ctx[1] != NULL && 
seccomp_merge(conf->seccomp_ctx, compat_ctx[1]) != 0)) {
                        ERROR("Error merging compat seccomp contexts");
                        goto bad;
                }
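Review bot: In the merge condition, when `seccomp_merge()` succeeds for `compat_ctx[0]` and then fails for `compat_ctx[1]`, the `goto bad` path releases `compat_ctx[0]` a second time. libseccomp documents that a successful merge releases the source filter and that the caller must drop its reference, so the combined `||` test leaves a stale pointer for the cleanup added in the last hunk of this patch. Merging the two contexts one at a time and clearing each slot after success keeps that cleanup correct. parse_config_v2 begins and ends outside this hunk.

```c
	if (compat_ctx[0]) {
		INFO("Merging in the compat seccomp ctx into the main one");
		if (seccomp_merge(conf->seccomp_ctx, compat_ctx[0]) != 0) {
			ERROR("Error merging compat seccomp contexts");
			goto bad;
		}
		/* a successful merge releases the source filter */
		compat_ctx[0] = NULL;
		if (compat_ctx[1]) {
			if (seccomp_merge(conf->seccomp_ctx, compat_ctx[1]) != 0) {
				ERROR("Error merging compat seccomp contexts");
				goto bad;
			}
			compat_ctx[1] = NULL;
		}
```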
@@ -466,8 +569,10 @@ bad_arch:
        ERROR("Unsupported arch: %s", line);
 bad_rule:
 bad:
-       if (compat_ctx)
-               seccomp_release(compat_ctx);
+       if (compat_ctx[0])
+               seccomp_release(compat_ctx[0]);
+       if (compat_ctx[1])
+               seccomp_release(compat_ctx[1]);
        return -1;
 }
 #else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
-- 
2.9.3

++++++ 0015-seccomp-Add-mips-and-mips64-entries-to-lxc_config_pa.patch ++++++
>From 24cbc4434c8c4b11b356cc399182ad8e155a9225 Mon Sep 17 00:00:00 2001
From: James Cowgill <james...@cowgill.org.uk>
Date: Thu, 18 Aug 2016 14:27:35 +0100
Subject: [PATCH 15/27] seccomp: Add mips and mips64 entries to
 lxc_config_parse_arch

Fixes "unsupported personality" warnings when starting containers.

Signed-off-by: James Cowgill <james...@cowgill.org.uk>
---
 src/lxc/confile.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 2cbf375..5235b3d 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -2059,9 +2059,13 @@ signed long lxc_config_parse_arch(const char *arch)
                { "i586", PER_LINUX32 },
                { "i686", PER_LINUX32 },
                { "athlon", PER_LINUX32 },
+               { "mips", PER_LINUX32 },
+               { "mipsel", PER_LINUX32 },
                { "linux64", PER_LINUX },
                { "x86_64", PER_LINUX },
                { "amd64", PER_LINUX },
+               { "mips64", PER_LINUX },
+               { "mips64el", PER_LINUX },
        };
        size_t len = sizeof(pername) / sizeof(pername[0]);
 
-- 
2.9.3

++++++ 0016-seccomp-fix-strerror.patch ++++++
>From 8f484e2fa0d56eb2412da5505de2703d2a192d73 Mon Sep 17 00:00:00 2001
From: James Cowgill <james...@cowgill.org.uk>
Date: Thu, 18 Aug 2016 16:48:24 +0100
Subject: [PATCH 16/27] seccomp: fix strerror()

Signed-off-by: James Cowgill <james...@cowgill.org.uk>
---
 src/lxc/seccomp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 0374eca..ec77c45 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -215,7 +215,7 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, 
uint32_t default_policy_
        ret = seccomp_arch_add(ctx, arch);
        if (ret != 0) {
                ERROR("Seccomp error %d (%s) adding arch: %d", ret,
-                               strerror(ret), (int)n_arch);
+                               strerror(-ret), (int)n_arch);
                seccomp_release(ctx);
                return NULL;
        }
-- 
2.9.3

++++++ 0017-confile-add-more-archs-to-lxc_config_parse_arch.patch ++++++
>From d8b7637476fe39fe6acd43f61a8e1c9a20bd72c0 Mon Sep 17 00:00:00 2001
From: Christian Brauner <cbrau...@suse.de>
Date: Fri, 19 Aug 2016 11:15:30 +0200
Subject: [PATCH 17/27] confile: add more archs to lxc_config_parse_arch()

Signed-off-by: Christian Brauner <cbrau...@suse.de>
---
 src/lxc/confile.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 5235b3d..9c250f3 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -2061,11 +2061,24 @@ signed long lxc_config_parse_arch(const char *arch)
                { "athlon", PER_LINUX32 },
                { "mips", PER_LINUX32 },
                { "mipsel", PER_LINUX32 },
+               { "ppc", PER_LINUX32 },
+               { "arm", PER_LINUX32 },
+               { "armv7l", PER_LINUX32 },
+               { "armhf", PER_LINUX32 },
+               { "armel", PER_LINUX32 },
+               { "powerpc", PER_LINUX32 },
                { "linux64", PER_LINUX },
                { "x86_64", PER_LINUX },
                { "amd64", PER_LINUX },
                { "mips64", PER_LINUX },
                { "mips64el", PER_LINUX },
+               { "ppc64", PER_LINUX },
+               { "ppc64le", PER_LINUX },
+               { "ppc64el", PER_LINUX },
+               { "powerpc64", PER_LINUX },
+               { "s390x", PER_LINUX },
+               { "aarch64", PER_LINUX },
+               { "arm64", PER_LINUX },
        };
        size_t len = sizeof(pername) / sizeof(pername[0]);
 
-- 
2.9.3

++++++ 0018-seccomp-add-support-for-s390x.patch ++++++
>From e68715eee02a9d7aaa7fb1c573e7d6411e7cdc11 Mon Sep 17 00:00:00 2001
From: Christian Brauner <cbrau...@suse.de>
Date: Fri, 19 Aug 2016 11:57:14 +0200
Subject: [PATCH 18/27] seccomp: add support for s390x

Signed-off-by: Christian Brauner <cbrau...@suse.de>
---
 src/lxc/seccomp.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index ec77c45..28c4d62 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -131,6 +131,7 @@ enum lxc_hostarch_t {
        lxc_seccomp_arch_mipsel,
        lxc_seccomp_arch_mipsel64,
        lxc_seccomp_arch_mipsel64n32,
+       lxc_seccomp_arch_s390x,
        lxc_seccomp_arch_unknown = 999,
 };
 
@@ -167,6 +168,8 @@ int get_hostarch(void)
                return MIPS_ARCH_N64;
        else if (strncmp(uts.machine, "mips", 4) == 0)
                return MIPS_ARCH_O32;
+       else if (strncmp(uts.machine, "s390x", 5) == 0)
+               return lxc_seccomp_arch_s390x;
        return lxc_seccomp_arch_unknown;
 }
 
@@ -200,6 +203,9 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, 
uint32_t default_policy_
        case lxc_seccomp_arch_mipsel64: arch = SCMP_ARCH_MIPSEL64; break;
        case lxc_seccomp_arch_mipsel64n32: arch = SCMP_ARCH_MIPSEL64N32; break;
 #endif
+#ifdef SCMP_ARCH_S390X
+       case lxc_seccomp_arch_s390x: arch = SCMP_ARCH_S390X; break;
+#endif
        default: return NULL;
        }
 
@@ -366,6 +372,15 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                if (!compat_ctx[0] || !compat_ctx[1])
                        goto bad;
 #endif
+#ifdef SCMP_ARCH_S390X
+       } else if (native_arch == lxc_seccomp_arch_s390x) {
+               cur_rule_arch = lxc_seccomp_arch_all;
+               compat_arch[0] = SCMP_ARCH_S390X;
+               compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_s390x,
+                               default_policy_action);
+               if (!compat_ctx[0])
+                       goto bad;
+#endif
        }
 
        if (default_policy_action != SCMP_ACT_KILL) {
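Review bot: The new s390x branch registers `SCMP_ARCH_S390X` as the compat architecture of an s390x host, i.e. the native arch again, whereas every other branch in this chain pairs a 64-bit host with a different 32-bit ABI. The get_new_ctx hunks on this page show that a non-zero return from `seccomp_arch_add()` makes get_new_ctx return NULL, and libseccomp reports an arch that is already in the filter as an error. This branch may therefore send every v2 policy on s390x to `bad`, which needs a run on real hardware to confirm. If no 31-bit compat filter is intended, dropping the branch so that `compat_arch[0]` stays `SCMP_ARCH_NATIVE` looks safer; if one is intended, it should name the 31-bit s390 arch instead. parse_config_v2 starts and ends outside this hunk.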
@@ -508,6 +523,16 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                                cur_rule_arch = lxc_seccomp_arch_mipsel;
                        }
 #endif
+#ifdef SCMP_ARCH_S390X
+                       else if (strcmp(line, "[s390x]") == 0 ||
+                                       strcmp(line, "[S390X]") == 0) {
+                               if (native_arch != lxc_seccomp_arch_s390x) {
+                                       cur_rule_arch = 
lxc_seccomp_arch_unknown;
+                                       continue;
+                               }
+                               cur_rule_arch = lxc_seccomp_arch_s390x;
+                       }
+#endif
                        else
                                goto bad_arch;
 
-- 
2.9.3

++++++ 0019-seccomp-remove-double-include-and-order-includes.patch ++++++
>From 4e2d66eab423794a589382a86109ad004b579bfc Mon Sep 17 00:00:00 2001
From: Christian Brauner <cbrau...@suse.de>
Date: Fri, 19 Aug 2016 15:20:22 +0200
Subject: [PATCH 19/27] seccomp: remove double include and order includes

Signed-off-by: Christian Brauner <cbrau...@suse.de>
---
 src/lxc/seccomp.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 28c4d62..3548725 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -22,17 +22,16 @@
  */
 
 #define _GNU_SOURCE
+#include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <seccomp.h>
-#include <errno.h>
-#include <seccomp.h>
-#include <sys/utsname.h>
 #include <sys/mount.h>
+#include <sys/utsname.h>
 
 #include "config.h"
-#include "lxcseccomp.h"
 #include "log.h"
+#include "lxcseccomp.h"
 
 lxc_log_define(lxc_seccomp, lxc);
 
-- 
2.9.3

++++++ 0020-seccomp-non-functional-changes.patch ++++++
>From 2b3a8ceb51ff4c14a143c59ae02df9f17318ce13 Mon Sep 17 00:00:00 2001
From: Christian Brauner <cbrau...@suse.de>
Date: Fri, 19 Aug 2016 18:53:02 +0200
Subject: [PATCH 20/27] seccomp: non functional changes

- log more errnos
- adapt coding style

Signed-off-by: Christian Brauner <cbrau...@suse.de>
---
 src/lxc/seccomp.c | 144 ++++++++++++++++++++++++++++--------------------------
 1 file changed, 76 insertions(+), 68 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 3548725..5069730 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -47,11 +47,11 @@ static int parse_config_v1(FILE *f, struct lxc_conf *conf)
                        return -1;
                ret = seccomp_rule_add(
 #if HAVE_SCMP_FILTER_CTX
-                       conf->seccomp_ctx,
+                   conf->seccomp_ctx,
 #endif
-                       SCMP_ACT_ALLOW, nr, 0);
+                   SCMP_ACT_ALLOW, nr, 0);
                if (ret < 0) {
-                       ERROR("failed loading allow rule for %d", nr);
+                       ERROR("Failed loading allow rule for %d.", nr);
                        return ret;
                }
        }
@@ -73,14 +73,15 @@ static uint32_t get_v2_default_action(char *line)
 {
        uint32_t ret_action = -1;
 
-       while (*line == ' ') line++;
+       while (*line == ' ')
+               line++;
        // after 'whitelist' or 'blacklist' comes default behavior
        if (strncmp(line, "kill", 4) == 0)
                ret_action = SCMP_ACT_KILL;
        else if (strncmp(line, "errno", 5) == 0) {
                int e;
-               if (sscanf(line+5, "%d", &e) != 1) {
-                       ERROR("Bad errno value in %s", line);
+               if (sscanf(line + 5, "%d", &e) != 1) {
+                       ERROR("Bad errno value in %s.", line);
                        return -2;
                }
                ret_action = SCMP_ACT_ERRNO(e);
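Review bot: The `errno` branch passes whatever `sscanf` parsed straight to `SCMP_ACT_ERRNO(e)` with no range check, so a negative or oversized value in the policy line is accepted and, as far as I know, truncated to the macro's 16-bit data field rather than rejected. Since this commit already touches the line, the guard could become `if (sscanf(line + 5, "%d", &e) != 1 || e < 0 || e > 0xffff) {`. The `return -2` sentinel from a `uint32_t` function also deserves a one-line comment, for example `/* -2 (as uint32_t) signals a parse error to parse_config_v2 */`. The body of get_v2_default_action continues past the end of this hunk.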
@@ -146,7 +147,7 @@ int get_hostarch(void)
 {
        struct utsname uts;
        if (uname(&uts) < 0) {
-               SYSERROR("Failed to read host arch");
+               SYSERROR("Failed to read host arch.");
                return -1;
        }
        if (strcmp(uts.machine, "i686") == 0)
@@ -209,18 +210,18 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch, 
uint32_t default_policy_
        }
 
        if ((ctx = seccomp_init(default_policy_action)) == NULL) {
-               ERROR("Error initializing seccomp context");
+               ERROR("Error initializing seccomp context.");
                return NULL;
        }
        if (seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)) {
-               ERROR("failed to turn off n-new-privs");
+               ERROR("Failed to turn off n-new-privs.");
                seccomp_release(ctx);
                return NULL;
        }
        ret = seccomp_arch_add(ctx, arch);
        if (ret != 0) {
                ERROR("Seccomp error %d (%s) adding arch: %d", ret,
-                               strerror(-ret), (int)n_arch);
+                     strerror(-ret), (int)n_arch);
                seccomp_release(ctx);
                return NULL;
        }
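Review bot: The `seccomp_attr_set(ctx, SCMP_FLTATR_CTL_NNP, 0)` call deliberately turns off no_new_privs for the filter, a security-relevant choice that carries no comment, and the reworded message still says "n-new-privs". Suggested comment: `/* Keep no_new_privs off so setuid binaries in the container can still gain privileges; loading the filter then requires CAP_SYS_ADMIN. */` (the motive is my reading of the code, please confirm). The message would read better as `ERROR("Failed to turn off no-new-privs.");`, here and in the identical line of the parse_config_v2 hunk at -385. get_new_ctx starts before and ends after this hunk.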
@@ -238,17 +239,22 @@ bool do_resolve_add_rule(uint32_t arch, char *line, 
scmp_filter_ctx ctx,
 {
        int nr, ret;
 
-       if (arch && seccomp_arch_exist(ctx, arch) != 0) {
-               ERROR("BUG: seccomp: rule and context arch do not match (arch 
%d)", arch);
+       ret = seccomp_arch_exist(ctx, arch);
+       if (arch && ret != 0) {
+               ERROR("BUG: Seccomp: rule and context arch do not match (arch "
+                     "%d): %s.",
+                     arch, strerror(-ret));
                return false;
        }
 
        if (strncmp(line, "reject_force_umount", 19) == 0) {
-               INFO("Setting seccomp rule to reject force umounts\n");
+               INFO("Setting Seccomp rule to reject force umounts.");
                ret = seccomp_rule_add_exact(ctx, SCMP_ACT_ERRNO(EACCES), 
SCMP_SYS(umount2),
                                1, SCMP_A1(SCMP_CMP_MASKED_EQ , MNT_FORCE , 
MNT_FORCE ));
                if (ret < 0) {
-                       ERROR("failed (%d) loading rule to reject force 
umount", ret);
+                       ERROR("Failed (%d) loading rule to reject force "
+                             "umount: %s.",
+                             ret, strerror(-ret));
                        return false;
                }
                return true;
@@ -256,18 +262,19 @@ bool do_resolve_add_rule(uint32_t arch, char *line, 
scmp_filter_ctx ctx,
 
        nr = seccomp_syscall_resolve_name(line);
        if (nr == __NR_SCMP_ERROR) {
-               WARN("Seccomp: failed to resolve syscall: %s", line);
-               WARN("This syscall will NOT be blacklisted");
+               WARN("Seccomp: failed to resolve syscall: %s.", line);
+               WARN("This syscall will NOT be blacklisted.");
                return true;
        }
        if (nr < 0) {
-               WARN("Seccomp: got negative # for syscall: %s", line);
-               WARN("This syscall will NOT be blacklisted");
+               WARN("Seccomp: got negative for syscall: %d: %s.", nr, line);
+               WARN("This syscall will NOT be blacklisted.");
                return true;
        }
        ret = seccomp_rule_add_exact(ctx, action, nr, 0);
        if (ret < 0) {
-               ERROR("failed (%d) loading rule for %s (nr %d action %d)", ret, 
line, nr, action);
+               ERROR("Failed (%d) loading rule for %s (nr %d action %d): %s.",
+                     ret, line, nr, action, strerror(-ret));
                return false;
        }
        return true;
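Review bot: Both early `return true` paths after `seccomp_syscall_resolve_name(line)` fail open: a misspelt or unresolvable name in a blacklist policy is dropped with only a warning, and the syscall stays permitted. The warning text also says "will NOT be blacklisted" when the policy is a whitelist, where the call instead stays under the default action. Document the choice above the first check, e.g. `/* Unresolvable names are skipped, not fatal: in a blacklist this leaves the syscall allowed. */`, and consider neutral wording such as `WARN("No rule was added for this syscall.");`. do_resolve_add_rule begins outside this hunk.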
@@ -291,22 +298,22 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 {
        char *p;
        int ret;
-       scmp_filter_ctx compat_ctx[2] = { NULL, NULL };
+       scmp_filter_ctx compat_ctx[2] = {NULL, NULL};
        bool blacklist = false;
        uint32_t default_policy_action = -1, default_rule_action = -1, action;
        enum lxc_hostarch_t native_arch = get_hostarch(),
                            cur_rule_arch = native_arch;
-       uint32_t compat_arch[2] = { SCMP_ARCH_NATIVE, SCMP_ARCH_NATIVE };
+       uint32_t compat_arch[2] = {SCMP_ARCH_NATIVE, SCMP_ARCH_NATIVE};
 
        if (strncmp(line, "blacklist", 9) == 0)
                blacklist = true;
        else if (strncmp(line, "whitelist", 9) != 0) {
-               ERROR("Bad seccomp policy style: %s", line);
+               ERROR("Bad seccomp policy style: %s.", line);
                return -1;
        }
 
        if ((p = strchr(line, ' '))) {
-               default_policy_action = get_v2_default_action(p+1);
+               default_policy_action = get_v2_default_action(p + 1);
                if (default_policy_action == -2)
                        return -1;
        }
@@ -385,11 +392,11 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
        if (default_policy_action != SCMP_ACT_KILL) {
                ret = seccomp_reset(conf->seccomp_ctx, default_policy_action);
                if (ret != 0) {
-                       ERROR("Error re-initializing seccomp");
+                       ERROR("Error re-initializing Seccomp.");
                        return -1;
                }
                if (seccomp_attr_set(conf->seccomp_ctx, SCMP_FLTATR_CTL_NNP, 
0)) {
-                       ERROR("failed to turn off n-new-privs");
+                       ERROR("Failed to turn off n-new-privs.");
                        return -1;
                }
        }
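Review bot: Both `return -1` statements in this block leave parse_config_v2 without passing through the `bad:` label, so the compat contexts created just above (`compat_ctx[0]`, `compat_ctx[1]`) are not released when `seccomp_reset()` or `seccomp_attr_set()` fails. The ordering is visible in the s390x patch on this page, where the compat branch sits directly before `if (default_policy_action != SCMP_ACT_KILL) {`. Replacing each `return -1;` with `goto bad;` reuses the existing cleanup. The function starts and ends outside this hunk.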
@@ -405,7 +412,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                if (line[0] == '[') {
                        // read the architecture for next set of rules
                        if (strcmp(line, "[x86]") == 0 ||
-                                       strcmp(line, "[X86]") == 0) {
+                           strcmp(line, "[X86]") == 0) {
                                if (native_arch != lxc_seccomp_arch_i386 &&
                                                native_arch != 
lxc_seccomp_arch_amd64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
@@ -413,19 +420,19 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                                }
                                cur_rule_arch = lxc_seccomp_arch_i386;
                        } else if (strcmp(line, "[X86_64]") == 0 ||
-                                       strcmp(line, "[x86_64]") == 0) {
+                                  strcmp(line, "[x86_64]") == 0) {
                                if (native_arch != lxc_seccomp_arch_amd64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
                                        continue;
                                }
                                cur_rule_arch = lxc_seccomp_arch_amd64;
                        } else if (strcmp(line, "[all]") == 0 ||
-                                       strcmp(line, "[ALL]") == 0) {
+                                  strcmp(line, "[ALL]") == 0) {
                                cur_rule_arch = lxc_seccomp_arch_all;
                        }
 #ifdef SCMP_ARCH_ARM
                        else if (strcmp(line, "[arm]") == 0 ||
-                                       strcmp(line, "[ARM]") == 0) {
+                                strcmp(line, "[ARM]") == 0) {
                                if (native_arch != lxc_seccomp_arch_arm &&
                                                native_arch != 
lxc_seccomp_arch_arm64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
@@ -436,7 +443,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 #endif
 #ifdef SCMP_ARCH_AARCH64
                        else if (strcmp(line, "[arm64]") == 0 ||
-                                       strcmp(line, "[ARM64]") == 0) {
+                                strcmp(line, "[ARM64]") == 0) {
                                if (native_arch != lxc_seccomp_arch_arm64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
                                        continue;
@@ -446,7 +453,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 #endif
 #ifdef SCMP_ARCH_PPC64LE
                        else if (strcmp(line, "[ppc64le]") == 0 ||
-                                       strcmp(line, "[PPC64LE]") == 0) {
+                                strcmp(line, "[PPC64LE]") == 0) {
                                if (native_arch != lxc_seccomp_arch_ppc64le) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
                                        continue;
@@ -456,7 +463,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 #endif
 #ifdef SCMP_ARCH_PPC64
                        else if (strcmp(line, "[ppc64]") == 0 ||
-                                       strcmp(line, "[PPC64]") == 0) {
+                                strcmp(line, "[PPC64]") == 0) {
                                if (native_arch != lxc_seccomp_arch_ppc64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
                                        continue;
@@ -466,7 +473,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 #endif
 #ifdef SCMP_ARCH_PPC
                        else if (strcmp(line, "[ppc]") == 0 ||
-                                       strcmp(line, "[PPC]") == 0) {
+                                strcmp(line, "[PPC]") == 0) {
                                if (native_arch != lxc_seccomp_arch_ppc &&
                                                native_arch != 
lxc_seccomp_arch_ppc64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
@@ -477,21 +484,21 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 #endif
 #ifdef SCMP_ARCH_MIPS
                        else if (strcmp(line, "[mips64]") == 0 ||
-                                       strcmp(line, "[MIPS64]") == 0) {
+                                strcmp(line, "[MIPS64]") == 0) {
                                if (native_arch != lxc_seccomp_arch_mips64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
                                        continue;
                                }
                                cur_rule_arch = lxc_seccomp_arch_mips64;
                        } else if (strcmp(line, "[mips64n32]") == 0 ||
-                                       strcmp(line, "[MIPS64N32]") == 0) {
+                                  strcmp(line, "[MIPS64N32]") == 0) {
                                if (native_arch != lxc_seccomp_arch_mips64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
                                        continue;
                                }
                                cur_rule_arch = lxc_seccomp_arch_mips64n32;
                        } else if (strcmp(line, "[mips]") == 0 ||
-                                       strcmp(line, "[MIPS]") == 0) {
+                                  strcmp(line, "[MIPS]") == 0) {
                                if (native_arch != lxc_seccomp_arch_mips &&
                                                native_arch != 
lxc_seccomp_arch_mips64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
@@ -499,21 +506,21 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                                }
                                cur_rule_arch = lxc_seccomp_arch_mips;
                        } else if (strcmp(line, "[mipsel64]") == 0 ||
-                                       strcmp(line, "[MIPSEL64]") == 0) {
+                                  strcmp(line, "[MIPSEL64]") == 0) {
                                if (native_arch != lxc_seccomp_arch_mipsel64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
                                        continue;
                                }
                                cur_rule_arch = lxc_seccomp_arch_mipsel64;
                        } else if (strcmp(line, "[mipsel64n32]") == 0 ||
-                                       strcmp(line, "[MIPSEL64N32]") == 0) {
+                                  strcmp(line, "[MIPSEL64N32]") == 0) {
                                if (native_arch != lxc_seccomp_arch_mipsel64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
                                        continue;
                                }
                                cur_rule_arch = lxc_seccomp_arch_mipsel64n32;
                        } else if (strcmp(line, "[mipsel]") == 0 ||
-                                       strcmp(line, "[MIPSEL]") == 0) {
+                                  strcmp(line, "[MIPSEL]") == 0) {
                                if (native_arch != lxc_seccomp_arch_mipsel &&
                                                native_arch != 
lxc_seccomp_arch_mipsel64) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
@@ -524,7 +531,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
 #endif
 #ifdef SCMP_ARCH_S390X
                        else if (strcmp(line, "[s390x]") == 0 ||
-                                       strcmp(line, "[S390X]") == 0) {
+                                strcmp(line, "[S390X]") == 0) {
                                if (native_arch != lxc_seccomp_arch_s390x) {
                                        cur_rule_arch = 
lxc_seccomp_arch_unknown;
                                        continue;
@@ -545,14 +552,14 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                /* read optional action which follows the syscall */
                action = get_and_clear_v2_action(line, default_rule_action);
                if (action == -1) {
-                       ERROR("Failed to interpret action");
+                       ERROR("Failed to interpret action.");
                        goto bad_rule;
                }
 
                if (cur_rule_arch == native_arch ||
                    cur_rule_arch == lxc_seccomp_arch_native ||
                    compat_arch[0] == SCMP_ARCH_NATIVE) {
-                       INFO("Adding native rule for %s action %d", line, 
action);
+                       INFO("Adding native rule for %s action %d.", line, 
action);
                        if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, 
conf->seccomp_ctx, action))
                                goto bad_rule;
                }
@@ -561,15 +568,15 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                                cur_rule_arch == lxc_seccomp_arch_mips64n32 ||
                                cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 
1 : 0;
 
-                       INFO("Adding compat-only rule for %s action %d", line, 
action);
+                       INFO("Adding compat-only rule for %s action %d.", line, 
action);
                        if (!do_resolve_add_rule(compat_arch[arch_index], line, 
compat_ctx[arch_index], action))
                                goto bad_rule;
                }
                else {
-                       INFO("Adding native rule for %s action %d", line, 
action);
+                       INFO("Adding native rule for %s action %d.", line, 
action);
                        if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, 
conf->seccomp_ctx, action))
                                goto bad_rule;
-                       INFO("Adding compat rule for %s action %d", line, 
action);
+                       INFO("Adding compat rule for %s action %d.", line, 
action);
                        if (!do_resolve_add_rule(compat_arch[0], line, 
compat_ctx[0], action))
                                goto bad_rule;
                        if (compat_arch[1] != SCMP_ARCH_NATIVE &&
@@ -579,10 +586,10 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
        }
 
        if (compat_ctx[0]) {
-               INFO("Merging in the compat seccomp ctx into the main one");
+               INFO("Merging in the compat Seccomp ctx into the main one.");
                if (seccomp_merge(conf->seccomp_ctx, compat_ctx[0]) != 0 ||
                        (compat_ctx[1] != NULL && 
seccomp_merge(conf->seccomp_ctx, compat_ctx[1]) != 0)) {
-                       ERROR("Error merging compat seccomp contexts");
+                       ERROR("Error merging compat Seccomp contexts.");
                        goto bad;
                }
        }
@@ -590,7 +597,7 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
        return 0;
 
 bad_arch:
-       ERROR("Unsupported arch: %s", line);
+       ERROR("Unsupported arch: %s.", line);
 bad_rule:
 bad:
        if (compat_ctx[0])
@@ -621,20 +628,20 @@ static int parse_config(FILE *f, struct lxc_conf *conf)
 
        ret = fscanf(f, "%d\n", &version);
        if (ret != 1 || (version != 1 && version != 2)) {
-               ERROR("invalid version");
+               ERROR("Invalid version.");
                return -1;
        }
        if (!fgets(line, 1024, f)) {
-               ERROR("invalid config file");
+               ERROR("Invalid config file.");
                return -1;
        }
        if (version == 1 && !strstr(line, "whitelist")) {
-               ERROR("only whitelist policy is supported");
+               ERROR("Only whitelist policy is supported.");
                return -1;
        }
 
        if (strstr(line, "debug")) {
-               ERROR("debug not yet implemented");
+               ERROR("Debug not yet implemented.");
                return -1;
        }
 
@@ -664,7 +671,7 @@ static bool use_seccomp(void)
        while (fgets(line, 1024, f)) {
                if (strncmp(line, "Seccomp:", 8) == 0) {
                        found = true;
-                       ret = sscanf(line+8, "%d", &v);
+                       ret = sscanf(line + 8, "%d", &v);
                        if (ret == 1 && v != 0)
                                already_enabled = true;
                        break;
@@ -672,12 +679,12 @@ static bool use_seccomp(void)
        }
 
        fclose(f);
-       if (!found) {  /* no Seccomp line, no seccomp in kernel */
-               INFO("Seccomp is not enabled in the kernel");
+       if (!found) { /* no Seccomp line, no seccomp in kernel */
+               INFO("Seccomp is not enabled in the kernel.");
                return false;
        }
-       if (already_enabled) {  /* already seccomp-confined */
-               INFO("Already seccomp-confined, not loading new policy");
+       if (already_enabled) { /* already seccomp-confined */
+               INFO("Already seccomp-confined, not loading new policy.");
                return false;
        }
        return true;
@@ -702,25 +709,25 @@ int lxc_read_seccomp_config(struct lxc_conf *conf)
        ret = seccomp_init(SCMP_ACT_KILL) < 0;
 #endif
        if (ret) {
-               ERROR("failed initializing seccomp");
+               ERROR("Failed initializing seccomp.");
                return -1;
        }
 
-       /* turn of no-new-privs.  We don't want it in lxc, and it breaks
-        * with apparmor */
+/* turn of no-new-privs.  We don't want it in lxc, and it breaks
+ * with apparmor */
 #if HAVE_SCMP_FILTER_CTX
-  check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, 
SCMP_FLTATR_CTL_NNP, 0);
+       check_seccomp_attr_set = seccomp_attr_set(conf->seccomp_ctx, 
SCMP_FLTATR_CTL_NNP, 0);
 #else
-  check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
+       check_seccomp_attr_set = seccomp_attr_set(SCMP_FLTATR_CTL_NNP, 0);
 #endif
        if (check_seccomp_attr_set) {
-               ERROR("failed to turn off n-new-privs");
+               ERROR("Failed to turn off n-new-privs.");
                return -1;
        }
 
        f = fopen(conf->seccomp, "r");
        if (!f) {
-               SYSERROR("failed to open seccomp policy file %s", 
conf->seccomp);
+               SYSERROR("Failed to open seccomp policy file %s.", 
conf->seccomp);
                return -1;
        }
        ret = parse_config(f, conf);
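Review bot: The rewritten message `ERROR("Failed to turn off n-new-privs.");` still misspells the attribute it reports on; since the line is being touched anyway it should read `ERROR("Failed to turn off no-new-privs.");`, and the comment above it has the matching typo (`turn of` for `turn off`). The reformat also moved that comment to column 0 while the statements it describes stay indented, so it now reads like a file-level remark. Clearing `SCMP_FLTATR_CTL_NNP` means libseccomp no longer sets no_new_privs before loading the filter, so the comment should say that this is deliberate and that the load then depends on the caller's privileges. lxc_read_seccomp_config starts and ends outside the hunk.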
@@ -737,17 +744,18 @@ int lxc_seccomp_load(struct lxc_conf *conf)
                return 0;
        ret = seccomp_load(
 #if HAVE_SCMP_FILTER_CTX
-                       conf->seccomp_ctx
+           conf->seccomp_ctx
 #endif
-       );
+           );
        if (ret < 0) {
-               ERROR("Error loading the seccomp policy");
+               ERROR("Error loading the seccomp policy.");
                return -1;
        }
        return 0;
 }
 
-void lxc_seccomp_free(struct lxc_conf *conf) {
+void lxc_seccomp_free(struct lxc_conf *conf)
+{
        free(conf->seccomp);
        conf->seccomp = NULL;
 #if HAVE_SCMP_FILTER_CTX
-- 
2.9.3

++++++ 0021-templates-use-fd-9-instead-of-200.patch ++++++
>From 2c0f32e6432f24dcc698d8fe0bd84d83a3588bdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= <g...@delfi.ee>
Date: Sat, 20 Aug 2016 17:09:28 +0300
Subject: [PATCH 21/27] templates: use fd 9 instead of 200
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

to catch up mksh changes from 17abf27

Signed-off-by: Elan Ruusamäe <g...@delfi.ee>
---
 templates/lxc-slackware.in | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/lxc-slackware.in b/templates/lxc-slackware.in
index c8e8e73..5005918 100644
--- a/templates/lxc-slackware.in
+++ b/templates/lxc-slackware.in
@@ -501,7 +501,7 @@ install_slackware()
 rootfs=$1
 mkdir -p /var/lock/subsys/
 (
-flock -n -x 200
+flock -n -x 9
 if [ $? -ne 0 ]; then
        echo "Cache repository is busy."
        return 1
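Review bot: Nothing in the script records why the lock uses descriptor 9, so a later cleanup could easily turn `flock -n -x 9` back into a larger number. The commit message ties the change to mksh, which presumably only accepts single-digit descriptors in a redirection such as `9>/var/lock/subsys/lxc`. A one-line comment above the subshell would keep that knowledge in the file, e.g. `# lock on fd 9: keep it a single digit so the redirection also parses under mksh`. The same applies to the second `flock -n -x 9` in the cache-purging block further down. The subshell opened here closes outside this hunk.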
@@ -629,7 +629,7 @@ sed -i 's|3\ \-x|3 -x -s|' $ROOT/etc/rc.d/rc.syslog || true
 
 return 0
 
-) 200>/var/lock/subsys/lxc
+) 9>/var/lock/subsys/lxc
 
 return $?
 }
@@ -666,7 +666,7 @@ fi
 
 # lock, so we won't purge while someone is creating a repository
 (
-flock -n -x 200
+flock -n -x 9
 if [ $? != 0 ]; then
        echo "Cache repository is busy."
        exit 1
@@ -676,7 +676,7 @@ echo -n "Purging the download cache..."
 rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
 exit 0
 
-) 200>/var/lock/subsys/lxc
+) 9>/var/lock/subsys/lxc
 }
 
 usage()
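Review bot: `rm --preserve-root --one-file-system -rf $cache` expands `$cache` unquoted, so a value containing whitespace or glob characters is split into several operands and the template (presumably run as root) deletes something other than the cache directory. Quoting the operand and ending option parsing closes that: `rm --preserve-root --one-file-system -rf -- "$cache" && echo "Done." || exit 1`. Where `$cache` is assigned is outside this hunk, so whether it can be empty or influenced by the caller should be checked there.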
-- 
2.9.3

++++++ 0022-templates-fedora-requires-openssl-binary.patch ++++++
>From c86f214c1e07e13414d43c34711702ed659f8a65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= <g...@delfi.ee>
Date: Tue, 23 Aug 2016 19:31:38 +0300
Subject: [PATCH 22/27] templates: fedora requires openssl binary
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

/usr/share/lxc/templates/lxc-fedora: line 1078: openssl: command not found

Signed-off-by: Elan Ruusamäe <g...@delfi.ee>
---
 templates/lxc-fedora.in | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index a83a590..88f5ca9 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -1336,6 +1336,10 @@ type curl >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     needed_pkgs="curl $needed_pkgs"
 fi
+type openssl >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+    needed_pkgs="openssl $needed_pkgs"
+fi
 
 if [ -n "$needed_pkgs" ]; then
     echo "Missing commands: $needed_pkgs"
-- 
2.9.3

++++++ 0023-tools-use-boolean-for-ret-in-lxc_device.c.patch ++++++
>From 599a84d5aa0798ff6aa896806829aa28351a5aff Mon Sep 17 00:00:00 2001
From: Christian Brauner <cbrau...@suse.de>
Date: Fri, 26 Aug 2016 12:49:23 +0200
Subject: [PATCH 23/27] tools: use boolean for ret in lxc_device.c

Signed-off-by: Christian Brauner <cbrau...@suse.de>
---
 src/lxc/tools/lxc_device.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/lxc/tools/lxc_device.c b/src/lxc/tools/lxc_device.c
index abf52b9..39c560c 100644
--- a/src/lxc/tools/lxc_device.c
+++ b/src/lxc/tools/lxc_device.c
@@ -102,7 +102,7 @@ int main(int argc, char *argv[])
 {
        struct lxc_container *c;
        char *cmd, *dev_name, *dst_name;
-       int ret = 1;
+       bool ret = false;
 
        if (geteuid() != 0) {
                ERROR("%s must be run as root", argv[0]);
@@ -164,7 +164,6 @@ int main(int argc, char *argv[])
                }
                if (ret != true) {
                        ERROR("Failed to add %s to %s.", dev_name, c->name);
-                       ret = 1;
                        goto err1;
                }
                INFO("Add %s to %s.", dev_name, c->name);
@@ -176,7 +175,6 @@ int main(int argc, char *argv[])
                }
                if (ret != true) {
                        ERROR("Failed to del %s from %s.", dev_name, c->name);
-                       ret = 1;
                        goto err1;
                }
                INFO("Delete %s from %s.", dev_name, c->name);
-- 
2.9.3

++++++ 0024-c-r-use-proc-self-tid-children-instead-of-pidfile.patch ++++++
>From 9bec7ccd65d53936ef41e5d2ffc0a6e9f6c1df7c Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho.ander...@canonical.com>
Date: Fri, 26 Aug 2016 16:07:19 +0000
Subject: [PATCH 24/27] c/r: use /proc/self/tid/children instead of pidfile

All we really needed a unique temp file for was passing the pid. Since CRIU
opened this with O_EXCL | O_CREAT, this was "safe" (users could still
overwrite it afterwards, but the monitor would immediately die since the
only valid number in there was the init process).

In any case, we can just read /proc/self/tid/children, which lists the
child process.

Closes #1150

Signed-off-by: Tycho Andersen <tycho.ander...@canonical.com>
---
 src/lxc/criu.c | 38 ++++++++++++++------------------------
 1 file changed, 14 insertions(+), 24 deletions(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 65998ed..76d7080 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -69,7 +69,6 @@ struct criu_opts {
        char tty_id[32]; /* the criu tty id for /dev/console, i.e. 
"tty[${rdev}:${dev}]" */
 
        /* restore: the file to write the init process' pid into */
-       char *pidfile;
        const char *cgroup_path;
        int console_fd;
        /* The path that is bind mounted from /dev/console, if any. We don't
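Review bot: The comment `/* restore: the file to write the init process' pid into */` is left behind after the `pidfile` member is removed. It now sits directly above `const char *cgroup_path;`, which it does not describe. Delete the comment line together with the member, or replace it with a comment that documents `cgroup_path`. struct criu_opts starts and ends outside the hunk.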
@@ -176,10 +175,10 @@ static void exec_criu(struct criu_opts *opts)
                        static_args += 2;
        } else if (strcmp(opts->action, "restore") == 0) {
                /* --root $(lxc_mount_point) --restore-detached
-                * --restore-sibling --pidfile $foo --cgroup-root $foo
+                * --restore-sibling --cgroup-root $foo
                 * --lsm-profile apparmor:whatever
                 */
-               static_args += 10;
+               static_args += 8;
 
                tty_info[0] = 0;
                if (load_tty_major_minor(opts->user->directory, tty_info, 
sizeof(tty_info)))
@@ -330,8 +329,6 @@ static void exec_criu(struct criu_opts *opts)
                DECLARE_ARG(opts->c->lxc_conf->rootfs.mount);
                DECLARE_ARG("--restore-detached");
                DECLARE_ARG("--restore-sibling");
-               DECLARE_ARG("--pidfile");
-               DECLARE_ARG(opts->pidfile);
                DECLARE_ARG("--cgroup-root");
                DECLARE_ARG(opts->cgroup_path);
 
@@ -604,13 +601,8 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
 {
        pid_t pid;
        struct lxc_handler *handler;
-       int fd, status;
+       int status;
        int pipes[2] = {-1, -1};
-       char pidfile[] = "criu_restore_XXXXXX";
-
-       fd = mkstemp(pidfile);
-       if (fd < 0)
-               goto out;
 
        handler = lxc_init(c->name, c->lxc_conf, c->config_path);
        if (!handler)
@@ -690,7 +682,6 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
                os.action = "restore";
                os.user = opts;
                os.c = c;
-               os.pidfile = pidfile;
                os.cgroup_path = cgroup_canonical_path(handler);
                os.console_fd = c->lxc_conf->console.slave;
                os.criu_version = criu_version;
@@ -742,8 +733,9 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
                }
 
                if (WIFEXITED(status)) {
+                       char buf[4096];
+
                        if (WEXITSTATUS(status)) {
-                               char buf[4096];
                                int n;
 
                                n = read(pipes[0], buf, sizeof(buf));
@@ -758,18 +750,21 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
                                goto out_fini_handler;
                        } else {
                                int ret;
-                               FILE *f = fdopen(fd, "r");
+
+                               ret = snprintf(buf, sizeof(buf), 
"/proc/self/task/%" PRId64 "/children", syscall(__NR_gettid));
+                               if (ret < 0 || ret >= sizeof(buf)) {
+                                       ERROR("snprintf'd too many characters: 
%d", ret);
+                                       goto out_fini_handler;
+                               }
+
+                               FILE *f = fopen(buf, "r");
                                if (!f) {
-                                       SYSERROR("couldn't read restore's init 
pidfile %s\n", pidfile);
+                                       SYSERROR("couldn't read restore's 
children file %s\n", buf);
                                        goto out_fini_handler;
                                }
-                               fd = -1;
 
                                ret = fscanf(f, "%d", (int*) &handler->pid);
                                fclose(f);
-                               if (unlink(pidfile) < 0 && errno != ENOENT)
-                                       SYSERROR("unlinking pidfile failed");
-
                                if (ret != 1) {
                                        ERROR("reading restore pid failed");
                                        goto out_fini_handler;
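Review bot: `fscanf(f, "%d", (int*) &handler->pid)` takes only the first number from the children file, but that file lists every child of the calling thread separated by spaces. If this task has any other child at that moment, the monitor adopts the wrong pid as the container's init. Reading a second field and keeping the existing `ret != 1` test rejects that case: `int extra; ret = fscanf(f, "%d %d", (int *)&handler->pid, &extra);`. The file also exists only on kernels built with the children listing enabled, so the SYSERROR branch could say so instead of reporting a plain read failure. do_restore starts and ends outside the hunk.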
@@ -809,8 +804,6 @@ out_fini_handler:
                close(pipes[1]);
 
        lxc_fini(c->name, handler);
-       if (unlink(pidfile) < 0 && errno != ENOENT)
-               SYSERROR("unlinking pidfile failed");
 
 out:
        if (status_pipe >= 0) {
@@ -821,9 +814,6 @@ out:
                close(status_pipe);
        }
 
-       if (fd > 0)
-               close(fd);
-
        exit(1);
 }
 
-- 
2.9.3

++++++ 0025-c-r-Fix-pid_t-on-some-arches.patch ++++++
>From eeca23a1f8a584732099a76e540d6aed87b39a94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Fri, 26 Aug 2016 15:41:34 -0400
Subject: [PATCH 25/27] c/r: Fix pid_t on some arches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 src/lxc/criu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 76d7080..c20c00a 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -751,7 +751,7 @@ static void do_restore(struct lxc_container *c, int 
status_pipe, struct migrate_
                        } else {
                                int ret;
 
-                               ret = snprintf(buf, sizeof(buf), 
"/proc/self/task/%" PRId64 "/children", syscall(__NR_gettid));
+                               ret = snprintf(buf, sizeof(buf), 
"/proc/self/task/%lu/children", (unsigned long)syscall(__NR_gettid));
                                if (ret < 0 || ret >= sizeof(buf)) {
                                        ERROR("snprintf'd too many characters: 
%d", ret);
                                        goto out_fini_handler;
-- 
2.9.3

++++++ 0026-templates-Add-mips-hostarch-detection-to-debian.patch ++++++
>From 6219206fc4e76d108f9bb2d0a8cd55b7070fd467 Mon Sep 17 00:00:00 2001
From: James Cowgill <james...@cowgill.org.uk>
Date: Mon, 15 Aug 2016 16:10:00 +0000
Subject: [PATCH 26/27] templates: Add mips hostarch detection to debian

Signed-off-by: James Cowgill <james...@cowgill.org.uk>
---
 templates/lxc-debian.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index ac8158c..7ebea90 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -543,6 +543,8 @@ if [ $? -ne 0 ]; then
 fi
 eval set -- "$options"
 
+littleendian=$(lscpu | grep '^Byte Order' | grep -q Little && echo yes)
+
 arch=$(uname -m)
 if [ "$arch" = "i686" ]; then
     arch="i386"
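Review bot: The added `littleendian=$(lscpu | grep '^Byte Order' | grep -q Little && echo yes)` silently yields an empty value when `lscpu` is missing or prints its labels in another language. A little-endian MIPS host then keeps `arch=mips` or `arch=mips64` and is treated as big-endian. Pinning the locale makes the match stable: `littleendian=$(LC_ALL=C lscpu 2>/dev/null | grep '^Byte Order' | grep -q Little && echo yes)`. The probe could also move into the two mips branches so that other architectures do not depend on `lscpu` at all. The branches that consume the variable are in the following hunk.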
@@ -550,6 +552,10 @@ elif [ "$arch" = "x86_64" ]; then
     arch="amd64"
 elif [ "$arch" = "armv7l" ]; then
     arch="armhf"
+elif [ "$arch" = "mips" -a "$littleendian" = "yes" ]; then
+    arch="mipsel"
+elif [ "$arch" = "mips64" -a "$littleendian" = "yes" ]; then
+    arch="mips64el"
 fi
 hostarch=$arch
 mainonly=1
-- 
2.9.3

++++++ 0027-cleanup-replace-tabs-wth-spaces-in-usage-strings.patch ++++++
>From 6a49f2c6912d8e113fe478e0b86c96acd12fc155 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumil...@proxmox.com>
Date: Fri, 12 Aug 2016 12:33:44 +0200
Subject: [PATCH 27/27] cleanup: replace tabs wth spaces in usage strings

Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
---
 src/lxc/tools/lxc_copy.c       | 26 +++++++++++++-------------
 src/lxc/tools/lxc_ls.c         |  4 ++--
 src/lxc/tools/lxc_snapshot.c   |  2 +-
 src/lxc/tools/lxc_usernsexec.c |  2 +-
 4 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/src/lxc/tools/lxc_copy.c b/src/lxc/tools/lxc_copy.c
index f8ca861..5a6ced2 100644
--- a/src/lxc/tools/lxc_copy.c
+++ b/src/lxc/tools/lxc_copy.c
@@ -111,20 +111,20 @@ Options :\n\
   -n, --name=NAME           NAME of the container\n\
   -N, --newname=NEWNAME     NEWNAME for the restored container\n\
   -p, --newpath=NEWPATH     NEWPATH for the container to be stored\n\
-  -R, --rename             rename container\n\
-  -s, --snapshot           create snapshot instead of clone\n\
-  -F, --foreground         start with current tty attached to /dev/console\n\
-  -d, --daemon             daemonize the container (default)\n\
-  -e, --ephemeral          start ephemeral container\n\
-  -m, --mount              directory to mount into container, either \n\
-                           {bind,aufs,overlay}=/src-path or 
{bind,aufs,overlay}=/src-path:/dst-path\n\
+  -R, --rename              rename container\n\
+  -s, --snapshot            create snapshot instead of clone\n\
+  -F, --foreground          start with current tty attached to /dev/console\n\
+  -d, --daemon              daemonize the container (default)\n\
+  -e, --ephemeral           start ephemeral container\n\
+  -m, --mount               directory to mount into container, either \n\
+                            {bind,aufs,overlay}=/src-path or 
{bind,aufs,overlay}=/src-path:/dst-path\n\
   -B, --backingstorage=TYPE backingstorage type for the container\n\
-  -L, --fssize             size of the new block device for block device 
containers\n\
-  -D, --keedata                    pass together with -e start a persistent 
snapshot \n\
-  -K, --keepname           keep the hostname of the original container\n\
-  --  hook options         arguments passed to the hook program\n\
-  -M, --keepmac                    keep the MAC address of the original 
container\n\
-  --rcfile=FILE                    Load configuration file FILE\n",
+  -L, --fssize              size of the new block device for block device 
containers\n\
+  -D, --keedata             pass together with -e start a persistent snapshot 
\n\
+  -K, --keepname            keep the hostname of the original container\n\
+  --  hook options          arguments passed to the hook program\n\
+  -M, --keepmac             keep the MAC address of the original container\n\
+  --rcfile=FILE             Load configuration file FILE\n",
        .options = my_longopts,
        .parser = my_parser,
        .task = CLONE,
diff --git a/src/lxc/tools/lxc_ls.c b/src/lxc/tools/lxc_ls.c
index 0575277..e22c715 100644
--- a/src/lxc/tools/lxc_ls.c
+++ b/src/lxc/tools/lxc_ls.c
@@ -184,8 +184,8 @@ static struct lxc_arguments my_args = {
 lxc-ls list containers\n\
 \n\
 Options :\n\
-  -1, --line        show one entry per line\n\
-  -f, --fancy       column-based output\n\
+  -1, --line         show one entry per line\n\
+  -f, --fancy        column-based output\n\
   -F, --fancy-format column-based output\n\
   --active           list only active containers\n\
   --running          list only running containers\n\
diff --git a/src/lxc/tools/lxc_snapshot.c b/src/lxc/tools/lxc_snapshot.c
index a1166bc..1a79a7a 100644
--- a/src/lxc/tools/lxc_snapshot.c
+++ b/src/lxc/tools/lxc_snapshot.c
@@ -55,7 +55,7 @@ static struct lxc_arguments my_args = {
 lxc-snapshot snapshots a container\n\
 \n\
 Options :\n\
-  -n, --name=NAME       NAME of the container\n\
+  -n, --name=NAME        NAME of the container\n\
   -L, --list             list all snapshots\n\
   -r, --restore=NAME     restore snapshot NAME, e.g. 'snap0'\n\
   -N, --newname=NEWNAME  NEWNAME for the restored container\n\
diff --git a/src/lxc/tools/lxc_usernsexec.c b/src/lxc/tools/lxc_usernsexec.c
index d4c730a..9905d53 100644
--- a/src/lxc/tools/lxc_usernsexec.c
+++ b/src/lxc/tools/lxc_usernsexec.c
@@ -59,7 +59,7 @@ static void usage(const char *name)
 {
        printf("usage: %s [-h] [-m <uid-maps>] -- [command [arg ..]]\n", name);
        printf("\n");
-       printf("  -h            this message\n");
+       printf("  -h            this message\n");
        printf("\n");
        printf("  -m <uid-maps> uid maps to use\n");
        printf("\n");
-- 
2.9.3

++++++ lxc-2.0.3.tar.gz -> lxc-2.0.4.tar.gz ++++++
++++ 33525 lines of diff (skipped)

