Ubuntu
lxc package

Merge lp:~ubuntu-branches/ubuntu/quantal/lxc/quantal-201209142015 into lp:ubuntu/quantal/lxc

Proposed by Ubuntu Package Importer on 2012-09-14

Status:	Rejected
Rejected by:	James Westby on 2012-09-19
Proposed branch:	lp:~ubuntu-branches/ubuntu/quantal/lxc/quantal-201209142015
Merge into:	lp:ubuntu/quantal/lxc
Diff against target:	5346 lines (+5305/-0) (has conflicts) 6 files modified .pc/0220-getitem-per-hook-type/src/lxc/conf.c (+2522/-0) .pc/0220-getitem-per-hook-type/src/lxc/conf.h (+262/-0) .pc/0220-getitem-per-hook-type/src/lxc/confile.c (+1673/-0) .pc/0221-make-nonflush-upgrades-robust/templates/lxc-ubuntu.in (+713/-0) debian/patches/0220-getitem-per-hook-type (+84/-0) debian/patches/0221-make-nonflush-upgrades-robust (+51/-0) Conflict adding file .pc/0220-getitem-per-hook-type. Moved existing file to .pc/0220-getitem-per-hook-type.moved. Conflict adding file .pc/0221-make-nonflush-upgrades-robust. Moved existing file to .pc/0221-make-nonflush-upgrades-robust.moved. Conflict adding file debian/patches/0220-getitem-per-hook-type. Moved existing file to debian/patches/0220-getitem-per-hook-type.moved. Conflict adding file debian/patches/0221-make-nonflush-upgrades-robust. Moved existing file to debian/patches/0221-make-nonflush-upgrades-robust.moved.
To merge this branch:	bzr merge lp:~ubuntu-branches/ubuntu/quantal/lxc/quantal-201209142015
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Ubuntu branches		2012-09-14	Pending
Review via email: mp+124511@code.launchpad.net

Description of the change

The package importer has detected a possible inconsistency between the package history in the archive and the history in bzr. As the archive is authoritative the importer has made lp:ubuntu/quantal/lxc reflect what is in the archive and the old bzr branch has been pushed to lp:~ubuntu-branches/ubuntu/quantal/lxc/quantal-201209142015. This merge proposal was created so that an Ubuntu developer can review the situations and perform a merge/upload if necessary. There are three typical cases where this can happen.
  1. Where someone pushes a change to bzr and someone else uploads the package without that change. This is the reason that this check is done by the importer. If this appears to be the case then a merge/upload should be done if the changes that were in bzr are still desirable.
  2. The importer incorrectly detected the above situation when someone made a change in bzr and then uploaded it.
  3. The importer incorrectly detected the above situation when someone just uploaded a package and didn't touch bzr.

If this case doesn't appear to be the first situation then set the status of the merge proposal to "Rejected" and help avoid the problem in future by filing a bug at https://bugs.launchpad.net/udd linking to this merge proposal.

(this is an automatically generated message)

Unmerged revisions

167. By Serge Hallyn on 2012-09-14: add DEP5 tags to 0220. Release.
166. By Serge Hallyn on 2012-09-14: add ; after 'false'
165. By Serge Hallyn on 2012-09-14: undo the fedora update.
164. By Serge Hallyn on 2012-09-14: 0222-update-fedora-template: update the download links in the fedora
template (LP: #1005951)
163. By Serge Hallyn on 2012-09-14: 0221-make-nonflush-upgrades-robust: be more robust about out of date
container caches. (LP: #942862)
162. By Serge Hallyn on 2012-09-14: fix off by one in check for subhook.
161. By Serge Hallyn on 2012-09-14: update a caller of lxc_clear_hooks() which i missed before.
160. By Serge Hallyn on 2012-09-14: 0220-getitem-per-hook-type: support clear_item for specific hooks.
(LP: #1050719)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Christian Kampka

Ubuntu branches

 === added directory '.pc/0220-getitem-per-hook-type'
 === renamed directory '.pc/0220-getitem-per-hook-type' => '.pc/0220-getitem-per-hook-type.moved'
 === added file '.pc/0220-getitem-per-hook-type/.timestamp'
 === added directory '.pc/0220-getitem-per-hook-type/src'
 === added directory '.pc/0220-getitem-per-hook-type/src/lxc'
 === added file '.pc/0220-getitem-per-hook-type/src/lxc/conf.c'
 --- .pc/0220-getitem-per-hook-type/src/lxc/conf.c	1970-01-01 00:00:00 +0000
 +++ .pc/0220-getitem-per-hook-type/src/lxc/conf.c	2012-09-14 20:24:18 +0000
@@ -0,0 +1,2522 @@
++/*
++ * lxc: linux Container library
++ *
++ * (C) Copyright IBM Corp. 2007, 2008
++ *
++ * Authors:
++ * Daniel Lezcano <dlezcano at fr.ibm.com>
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the Free Software
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ */
++#define _GNU_SOURCE
++#include <stdio.h>
++#undef _GNU_SOURCE
++#include <stdlib.h>
++#include <stdarg.h>
++#include <errno.h>
++#include <string.h>
++#include <dirent.h>
++#include <mntent.h>
++#include <unistd.h>
++#include <sys/wait.h>
++#include <pty.h>
++
++#include <linux/loop.h>
++
++#include <sys/types.h>
++#include <sys/utsname.h>
++#include <sys/param.h>
++#include <sys/stat.h>
++#include <sys/socket.h>
++#include <sys/mount.h>
++#include <sys/mman.h>
++#include <sys/prctl.h>
++#include <sys/capability.h>
++#include <sys/personality.h>
++
++#include <arpa/inet.h>
++#include <fcntl.h>
++#include <netinet/in.h>
++#include <net/if.h>
++#include <libgen.h>
++
++#include "network.h"
++#include "error.h"
++#include "parse.h"
++#include "config.h"
++#include "utils.h"
++#include "conf.h"
++#include "log.h"
++#include "lxc.h"	/* for lxc_cgroup_set() */
++#include "caps.h"       /* for lxc_caps_last_cap() */
++
++lxc_log_define(lxc_conf, lxc);
++
++#define MAXHWLEN    18
++#define MAXINDEXLEN 20
++#define MAXMTULEN   16
++#define MAXLINELEN  128
++
++#ifndef MS_DIRSYNC
++#define MS_DIRSYNC  128
++#endif
++
++#ifndef MS_REC
++#define MS_REC 16384
++#endif
++
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++
++#ifndef MS_RELATIME
++#define MS_RELATIME (1 << 21)
++#endif
++
++#ifndef MS_STRICTATIME
++#define MS_STRICTATIME (1 << 24)
++#endif
++
++#ifndef CAP_SETFCAP
++#define CAP_SETFCAP 31
++#endif
++
++#ifndef CAP_MAC_OVERRIDE
++#define CAP_MAC_OVERRIDE 32
++#endif
++
++#ifndef CAP_MAC_ADMIN
++#define CAP_MAC_ADMIN 33
++#endif
++
++#ifndef PR_CAPBSET_DROP
++#define PR_CAPBSET_DROP 24
++#endif
++
++char *lxchook_names[NUM_LXC_HOOKS] = {
++	"pre-start", "pre-mount", "mount", "start", "post-stop" };
++
++extern int pivot_root(const char * new_root, const char * put_old);
++
++typedef int (*instanciate_cb)(struct lxc_handler *, struct lxc_netdev *);
++
++struct mount_opt {
++	char *name;
++	int clear;
++	int flag;
++};
++
++struct caps_opt {
++	char *name;
++	int value;
++};
++
++static int instanciate_veth(struct lxc_handler *, struct lxc_netdev *);
++static int instanciate_macvlan(struct lxc_handler *, struct lxc_netdev *);
++static int instanciate_vlan(struct lxc_handler *, struct lxc_netdev *);
++static int instanciate_phys(struct lxc_handler *, struct lxc_netdev *);
++static int instanciate_empty(struct lxc_handler *, struct lxc_netdev *);
++
++static  instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = {
++	[LXC_NET_VETH]    = instanciate_veth,
++	[LXC_NET_MACVLAN] = instanciate_macvlan,
++	[LXC_NET_VLAN]    = instanciate_vlan,
++	[LXC_NET_PHYS]    = instanciate_phys,
++	[LXC_NET_EMPTY]   = instanciate_empty,
++};
++
++static struct mount_opt mount_opt[] = {
++	{ "defaults",      0, 0              },
++	{ "ro",            0, MS_RDONLY      },
++	{ "rw",            1, MS_RDONLY      },
++	{ "suid",          1, MS_NOSUID      },
++	{ "nosuid",        0, MS_NOSUID      },
++	{ "dev",           1, MS_NODEV       },
++	{ "nodev",         0, MS_NODEV       },
++	{ "exec",          1, MS_NOEXEC      },
++	{ "noexec",        0, MS_NOEXEC      },
++	{ "sync",          0, MS_SYNCHRONOUS },
++	{ "async",         1, MS_SYNCHRONOUS },
++	{ "dirsync",       0, MS_DIRSYNC     },
++	{ "remount",       0, MS_REMOUNT     },
++	{ "mand",          0, MS_MANDLOCK    },
++	{ "nomand",        1, MS_MANDLOCK    },
++	{ "atime",         1, MS_NOATIME     },
++	{ "noatime",       0, MS_NOATIME     },
++	{ "diratime",      1, MS_NODIRATIME  },
++	{ "nodiratime",    0, MS_NODIRATIME  },
++	{ "bind",          0, MS_BIND        },
++	{ "rbind",         0, MS_BIND|MS_REC },
++	{ "relatime",      0, MS_RELATIME    },
++	{ "norelatime",    1, MS_RELATIME    },
++	{ "strictatime",   0, MS_STRICTATIME },
++	{ "nostrictatime", 1, MS_STRICTATIME },
++	{ NULL,            0, 0              },
++};
++
++static struct caps_opt caps_opt[] = {
++	{ "chown",             CAP_CHOWN             },
++	{ "dac_override",      CAP_DAC_OVERRIDE      },
++	{ "dac_read_search",   CAP_DAC_READ_SEARCH   },
++	{ "fowner",            CAP_FOWNER            },
++	{ "fsetid",            CAP_FSETID            },
++	{ "kill",              CAP_KILL              },
++	{ "setgid",            CAP_SETGID            },
++	{ "setuid",            CAP_SETUID            },
++	{ "setpcap",           CAP_SETPCAP           },
++	{ "linux_immutable",   CAP_LINUX_IMMUTABLE   },
++	{ "net_bind_service",  CAP_NET_BIND_SERVICE  },
++	{ "net_broadcast",     CAP_NET_BROADCAST     },
++	{ "net_admin",         CAP_NET_ADMIN         },
++	{ "net_raw",           CAP_NET_RAW           },
++	{ "ipc_lock",          CAP_IPC_LOCK          },
++	{ "ipc_owner",         CAP_IPC_OWNER         },
++	{ "sys_module",        CAP_SYS_MODULE        },
++	{ "sys_rawio",         CAP_SYS_RAWIO         },
++	{ "sys_chroot",        CAP_SYS_CHROOT        },
++	{ "sys_ptrace",        CAP_SYS_PTRACE        },
++	{ "sys_pacct",         CAP_SYS_PACCT         },
++	{ "sys_admin",         CAP_SYS_ADMIN         },
++	{ "sys_boot",          CAP_SYS_BOOT          },
++	{ "sys_nice",          CAP_SYS_NICE          },
++	{ "sys_resource",      CAP_SYS_RESOURCE      },
++	{ "sys_time",          CAP_SYS_TIME          },
++	{ "sys_tty_config",    CAP_SYS_TTY_CONFIG    },
++	{ "mknod",             CAP_MKNOD             },
++	{ "lease",             CAP_LEASE             },
++#ifdef CAP_AUDIT_WRITE
++	{ "audit_write",       CAP_AUDIT_WRITE       },
++#endif
++#ifdef CAP_AUDIT_CONTROL
++	{ "audit_control",     CAP_AUDIT_CONTROL     },
++#endif
++	{ "setfcap",           CAP_SETFCAP           },
++	{ "mac_override",      CAP_MAC_OVERRIDE      },
++	{ "mac_admin",         CAP_MAC_ADMIN         },
++#ifdef CAP_SYSLOG
++	{ "syslog",            CAP_SYSLOG            },
++#endif
++#ifdef CAP_WAKE_ALARM
++	{ "wake_alarm",        CAP_WAKE_ALARM        },
++#endif
++};
++
++static int run_script(const char *name, const char *section,
++		      const char *script, ...)
++{
++	int ret;
++	FILE *f;
++	char *buffer, *p, *output;
++	size_t size = 0;
++	va_list ap;
++
++	INFO("Executing script '%s' for container '%s', config section '%s'",
++	     script, name, section);
++
++	va_start(ap, script);
++	while ((p = va_arg(ap, char *)))
++		size += strlen(p) + 1;
++	va_end(ap);
++
++	size += strlen(script);
++	size += strlen(name);
++	size += strlen(section);
++	size += 3;
++
++	if (size > INT_MAX)
++		return -1;
++
++	buffer = alloca(size);
++	if (!buffer) {
++		ERROR("failed to allocate memory");
++		return -1;
++	}
++
++	ret = snprintf(buffer, size, "%s %s %s", script, name, section);
++	if (ret < 0 || ret >= size) {
++		ERROR("Script name too long");
++		free(buffer);
++		return -1;
++	}
++
++	va_start(ap, script);
++	while ((p = va_arg(ap, char *))) {
++		int len = size-ret;
++		int rc;
++		rc = snprintf(buffer + ret, len, " %s", p);
++		if (rc < 0 || rc >= len) {
++			free(buffer);
++			ERROR("Script args too long");
++			return -1;
++		}
++		ret += rc;
++	}
++	va_end(ap);
++
++	f = popen(buffer, "r");
++	if (!f) {
++		SYSERROR("popen failed");
++		return -1;
++	}
++
++	output = malloc(LXC_LOG_BUFFER_SIZE);
++	if (!output) {
++		ERROR("failed to allocate memory for script output");
++		return -1;
++	}
++
++	while(fgets(output, LXC_LOG_BUFFER_SIZE, f))
++		DEBUG("script output: %s", output);
++
++	free(output);
++
++	if (pclose(f) == -1) {
++		SYSERROR("Script exited on error");
++		return -1;
++	}
++
++	return 0;
++}
++
++static int find_fstype_cb(char* buffer, void *data)
++{
++	struct cbarg {
++		const char *rootfs;
++		const char *target;
++		int mntopt;
++	} *cbarg = data;
++
++	char *fstype;
++
++	/* we don't try 'nodev' entries */
++	if (strstr(buffer, "nodev"))
++		return 0;
++
++	fstype = buffer;
++	fstype += lxc_char_left_gc(fstype, strlen(fstype));
++	fstype[lxc_char_right_gc(fstype, strlen(fstype))] = '\0';
++
++	DEBUG("trying to mount '%s'->'%s' with fstype '%s'",
++	      cbarg->rootfs, cbarg->target, fstype);
++
++	if (mount(cbarg->rootfs, cbarg->target, fstype, cbarg->mntopt, NULL)) {
++		DEBUG("mount failed with error: %s", strerror(errno));
++		return 0;
++	}
++
++	INFO("mounted '%s' on '%s', with fstype '%s'",
++	     cbarg->rootfs, cbarg->target, fstype);
++
++	return 1;
++}
++
++static int mount_unknow_fs(const char *rootfs, const char *target, int mntopt)
++{
++	int i;
++
++	struct cbarg {
++		const char *rootfs;
++		const char *target;
++		int mntopt;
++	} cbarg = {
++		.rootfs = rootfs,
++		.target = target,
++		.mntopt = mntopt,
++	};
++
++	/*
++	 * find the filesystem type with brute force:
++	 * first we check with /etc/filesystems, in case the modules
++	 * are auto-loaded and fall back to the supported kernel fs
++	 */
++	char *fsfile[] = {
++		"/etc/filesystems",
++		"/proc/filesystems",
++	};
++
++	for (i = 0; i < sizeof(fsfile)/sizeof(fsfile[0]); i++) {
++
++		int ret;
++
++		if (access(fsfile[i], F_OK))
++			continue;
++
++		ret = lxc_file_for_each_line(fsfile[i], find_fstype_cb, &cbarg);
++		if (ret < 0) {
++			ERROR("failed to parse '%s'", fsfile[i]);
++			return -1;
++		}
++
++		if (ret)
++			return 0;
++	}
++
++	ERROR("failed to determine fs type for '%s'", rootfs);
++	return -1;
++}
++
++static int mount_rootfs_dir(const char *rootfs, const char *target)
++{
++	return mount(rootfs, target, "none", MS_BIND | MS_REC, NULL);
++}
++
++static int setup_lodev(const char *rootfs, int fd, struct loop_info64 *loinfo)
++{
++	int rfd;
++	int ret = -1;
++
++	rfd = open(rootfs, O_RDWR);
++	if (rfd < 0) {
++		SYSERROR("failed to open '%s'", rootfs);
++		return -1;
++	}
++
++	memset(loinfo, 0, sizeof(*loinfo));
++
++	loinfo->lo_flags = LO_FLAGS_AUTOCLEAR;
++
++	if (ioctl(fd, LOOP_SET_FD, rfd)) {
++		SYSERROR("failed to LOOP_SET_FD");
++		goto out;
++	}
++
++	if (ioctl(fd, LOOP_SET_STATUS64, loinfo)) {
++		SYSERROR("failed to LOOP_SET_STATUS64");
++		goto out;
++	}
++
++	ret = 0;
++out:
++	close(rfd);
++
++	return ret;
++}
++
++static int mount_rootfs_file(const char *rootfs, const char *target)
++{
++	struct dirent dirent, *direntp;
++	struct loop_info64 loinfo;
++	int ret = -1, fd = -1, rc;
++	DIR *dir;
++	char path[MAXPATHLEN];
++
++	dir = opendir("/dev");
++	if (!dir) {
++		SYSERROR("failed to open '/dev'");
++		return -1;
++	}
++
++	while (!readdir_r(dir, &dirent, &direntp)) {
++
++		if (!direntp)
++			break;
++
++		if (!strcmp(direntp->d_name, "."))
++			continue;
++
++		if (!strcmp(direntp->d_name, ".."))
++			continue;
++
++		if (strncmp(direntp->d_name, "loop", 4))
++			continue;
++
++		rc = snprintf(path, MAXPATHLEN, "/dev/%s", direntp->d_name);
++		if (rc < 0 || rc >= MAXPATHLEN)
++			continue;
++
++		fd = open(path, O_RDWR);
++		if (fd < 0)
++			continue;
++
++		if (ioctl(fd, LOOP_GET_STATUS64, &loinfo) == 0) {
++			close(fd);
++			continue;
++		}
++
++		if (errno != ENXIO) {
++			WARN("unexpected error for ioctl on '%s': %m",
++			     direntp->d_name);
++			continue;
++		}
++
++		DEBUG("found '%s' free lodev", path);
++
++		ret = setup_lodev(rootfs, fd, &loinfo);
++		if (!ret)
++			ret = mount_unknow_fs(path, target, 0);
++		close(fd);
++
++		break;
++	}
++
++	if (closedir(dir))
++		WARN("failed to close directory");
++
++	return ret;
++}
++
++static int mount_rootfs_block(const char *rootfs, const char *target)
++{
++	return mount_unknow_fs(rootfs, target, 0);
++}
++
++/*
++ * pin_rootfs
++ * if rootfs is a directory, then open ${rootfs}.hold for writing for the
++ * duration of the container run, to prevent the container from marking the
++ * underlying fs readonly on shutdown.
++ * return -1 on error.
++ * return -2 if nothing needed to be pinned.
++ * return an open fd (>=0) if we pinned it.
++ */
++int pin_rootfs(const char *rootfs)
++{
++	char absrootfs[MAXPATHLEN];
++	char absrootfspin[MAXPATHLEN];
++	struct stat s;
++	int ret, fd;
++
++	if (rootfs == NULL || strlen(rootfs) == 0)
++		return 0;
++
++	if (!realpath(rootfs, absrootfs)) {
++		SYSERROR("failed to get real path for '%s'", rootfs);
++		return -1;
++	}
++
++	if (access(absrootfs, F_OK)) {
++		SYSERROR("'%s' is not accessible", absrootfs);
++		return -1;
++	}
++
++	if (stat(absrootfs, &s)) {
++		SYSERROR("failed to stat '%s'", absrootfs);
++		return -1;
++	}
++
++	if (!__S_ISTYPE(s.st_mode, S_IFDIR))
++		return -2;
++
++	ret = snprintf(absrootfspin, MAXPATHLEN, "%s%s", absrootfs, ".hold");
++	if (ret >= MAXPATHLEN) {
++		SYSERROR("pathname too long for rootfs hold file");
++		return -1;
++	}
++
++	fd = open(absrootfspin, O_CREAT | O_RDWR, S_IWUSR|S_IRUSR);
++	INFO("opened %s as fd %d\n", absrootfspin, fd);
++	return fd;
++}
++
++static int mount_rootfs(const char *rootfs, const char *target)
++{
++	char absrootfs[MAXPATHLEN];
++	struct stat s;
++	int i;
++
++	typedef int (*rootfs_cb)(const char *, const char *);
++
++	struct rootfs_type {
++		int type;
++		rootfs_cb cb;
++	} rtfs_type[] = {
++		{ S_IFDIR, mount_rootfs_dir },
++		{ S_IFBLK, mount_rootfs_block },
++		{ S_IFREG, mount_rootfs_file },
++	};
++
++	if (!realpath(rootfs, absrootfs)) {
++		SYSERROR("failed to get real path for '%s'", rootfs);
++		return -1;
++	}
++
++	if (access(absrootfs, F_OK)) {
++		SYSERROR("'%s' is not accessible", absrootfs);
++		return -1;
++	}
++
++	if (stat(absrootfs, &s)) {
++		SYSERROR("failed to stat '%s'", absrootfs);
++		return -1;
++	}
++
++	for (i = 0; i < sizeof(rtfs_type)/sizeof(rtfs_type[0]); i++) {
++
++		if (!__S_ISTYPE(s.st_mode, rtfs_type[i].type))
++			continue;
++
++		return rtfs_type[i].cb(absrootfs, target);
++	}
++
++	ERROR("unsupported rootfs type for '%s'", absrootfs);
++	return -1;
++}
++
++static int setup_utsname(struct utsname *utsname)
++{
++	if (!utsname)
++		return 0;
++
++	if (sethostname(utsname->nodename, strlen(utsname->nodename))) {
++		SYSERROR("failed to set the hostname to '%s'", utsname->nodename);
++		return -1;
++	}
++
++	INFO("'%s' hostname has been setup", utsname->nodename);
++
++	return 0;
++}
++
++static int setup_tty(const struct lxc_rootfs *rootfs,
++		     const struct lxc_tty_info *tty_info, char *ttydir)
++{
++	char path[MAXPATHLEN], lxcpath[MAXPATHLEN];
++	int i, ret;
++
++	if (!rootfs->path)
++		return 0;
++
++	for (i = 0; i < tty_info->nbtty; i++) {
++
++		struct lxc_pty_info *pty_info = &tty_info->pty_info[i];
++
++		ret = snprintf(path, sizeof(path), "%s/dev/tty%d",
++			 rootfs->mount, i + 1);
++		if (ret >= sizeof(path)) {
++			ERROR("pathname too long for ttys");
++			return -1;
++		}
++		if (ttydir) {
++			/* create dev/lxc/tty%d" */
++			ret = snprintf(lxcpath, sizeof(lxcpath), "%s/dev/%s/tty%d",
++				 rootfs->mount, ttydir, i + 1);
++			if (ret >= sizeof(lxcpath)) {
++				ERROR("pathname too long for ttys");
++				return -1;
++			}
++			ret = creat(lxcpath, 0660);
++			if (ret==-1 && errno != EEXIST) {
++				SYSERROR("error creating %s\n", lxcpath);
++				return -1;
++			}
++			close(ret);
++			ret = unlink(path);
++			if (ret && errno != ENOENT) {
++				SYSERROR("error unlinking %s\n", path);
++				return -1;
++			}
++
++			if (mount(pty_info->name, lxcpath, "none", MS_BIND, 0)) {
++				WARN("failed to mount '%s'->'%s'",
++				     pty_info->name, path);
++				continue;
++			}
++
++			ret = snprintf(lxcpath, sizeof(lxcpath), "%s/tty%d", ttydir, i+1);
++			if (ret >= sizeof(lxcpath)) {
++				ERROR("tty pathname too long");
++				return -1;
++			}
++			ret = symlink(lxcpath, path);
++			if (ret) {
++				SYSERROR("failed to create symlink for tty %d\n", i+1);
++				return -1;
++			}
++		} else {
++			if (mount(pty_info->name, path, "none", MS_BIND, 0)) {
++				WARN("failed to mount '%s'->'%s'",
++						pty_info->name, path);
++				continue;
++			}
++		}
++	}
++
++	INFO("%d tty(s) has been setup", tty_info->nbtty);
++
++	return 0;
++}
++
++static int setup_rootfs_pivot_root_cb(char *buffer, void *data)
++{
++	struct lxc_list	*mountlist, *listentry, *iterator;
++	char *pivotdir, *mountpoint, *mountentry;
++	int found;
++	void **cbparm;
++
++	mountentry = buffer;
++	cbparm = (void **)data;
++
++	mountlist = cbparm[0];
++	pivotdir  = cbparm[1];
++
++	/* parse entry, first field is mountname, ignore */
++	mountpoint = strtok(mountentry, " ");
++	if (!mountpoint)
++		return -1;
++
++	/* second field is mountpoint */
++	mountpoint = strtok(NULL, " ");
++	if (!mountpoint)
++		return -1;
++
++	/* only consider mountpoints below old root fs */
++	if (strncmp(mountpoint, pivotdir, strlen(pivotdir)))
++		return 0;
++
++	/* filter duplicate mountpoints */
++	found = 0;
++	lxc_list_for_each(iterator, mountlist) {
++		if (!strcmp(iterator->elem, mountpoint)) {
++			found = 1;
++			break;
++		}
++	}
++	if (found)
++		return 0;
++
++	/* add entry to list */
++	listentry = malloc(sizeof(*listentry));
++	if (!listentry) {
++		SYSERROR("malloc for mountpoint listentry failed");
++		return -1;
++	}
++
++	listentry->elem = strdup(mountpoint);
++	if (!listentry->elem) {
++		SYSERROR("strdup failed");
++		return -1;
++	}
++	lxc_list_add_tail(mountlist, listentry);
++
++	return 0;
++}
++
++static int umount_oldrootfs(const char *oldrootfs)
++{
++	char path[MAXPATHLEN];
++	void *cbparm[2];
++	struct lxc_list mountlist, *iterator;
++	int ok, still_mounted, last_still_mounted;
++	int rc;
++
++	/* read and parse /proc/mounts in old root fs */
++	lxc_list_init(&mountlist);
++
++	/* oldrootfs is on the top tree directory now */
++	rc = snprintf(path, sizeof(path), "/%s", oldrootfs);
++	if (rc >= sizeof(path)) {
++		ERROR("rootfs name too long");
++		return -1;
++	}
++	cbparm[0] = &mountlist;
++
++	cbparm[1] = strdup(path);
++	if (!cbparm[1]) {
++		SYSERROR("strdup failed");
++		return -1;
++	}
++
++	rc = snprintf(path, sizeof(path), "%s/proc/mounts", oldrootfs);
++	if (rc >= sizeof(path)) {
++		ERROR("container proc/mounts name too long");
++		return -1;
++	}
++
++	ok = lxc_file_for_each_line(path,
++				    setup_rootfs_pivot_root_cb, &cbparm);
++	if (ok < 0) {
++		SYSERROR("failed to read or parse mount list '%s'", path);
++		return -1;
++	}
++
++	/* umount filesystems until none left or list no longer shrinks */
++	still_mounted = 0;
++	do {
++		last_still_mounted = still_mounted;
++		still_mounted = 0;
++
++		lxc_list_for_each(iterator, &mountlist) {
++
++			/* umount normally */
++			if (!umount(iterator->elem)) {
++				DEBUG("umounted '%s'", (char *)iterator->elem);
++				lxc_list_del(iterator);
++				continue;
++			}
++
++			still_mounted++;
++		}
++
++	} while (still_mounted > 0 && still_mounted != last_still_mounted);
++
++
++	lxc_list_for_each(iterator, &mountlist) {
++
++		/* let's try a lazy umount */
++		if (!umount2(iterator->elem, MNT_DETACH)) {
++			INFO("lazy unmount of '%s'", (char *)iterator->elem);
++			continue;
++		}
++
++		/* be more brutal (nfs) */
++		if (!umount2(iterator->elem, MNT_FORCE)) {
++			INFO("forced unmount of '%s'", (char *)iterator->elem);
++			continue;
++		}
++
++		WARN("failed to unmount '%s'", (char *)iterator->elem);
++	}
++
++	return 0;
++}
++
++static int setup_rootfs_pivot_root(const char *rootfs, const char *pivotdir)
++{
++	char path[MAXPATHLEN];
++	int remove_pivotdir = 0;
++	int rc;
++
++	/* change into new root fs */
++	if (chdir(rootfs)) {
++		SYSERROR("can't chdir to new rootfs '%s'", rootfs);
++		return -1;
++	}
++
++	if (!pivotdir)
++		pivotdir = "mnt";
++
++	/* compute the full path to pivotdir under rootfs */
++	rc = snprintf(path, sizeof(path), "%s/%s", rootfs, pivotdir);
++	if (rc >= sizeof(path)) {
++		ERROR("pivot dir name too long");
++		return -1;
++	}
++
++	if (access(path, F_OK)) {
++
++		if (mkdir_p(path, 0755)) {
++			SYSERROR("failed to create pivotdir '%s'", path);
++			return -1;
++		}
++
++		remove_pivotdir = 1;
++		DEBUG("created '%s' directory", path);
++	}
++
++	DEBUG("mountpoint for old rootfs is '%s'", path);
++
++	/* pivot_root into our new root fs */
++	if (pivot_root(".", path)) {
++		SYSERROR("pivot_root syscall failed");
++		return -1;
++	}
++
++	if (chdir("/")) {
++		SYSERROR("can't chdir to / after pivot_root");
++		return -1;
++	}
++
++	DEBUG("pivot_root syscall to '%s' successful", rootfs);
++
++	/* we switch from absolute path to relative path */
++	if (umount_oldrootfs(pivotdir))
++		return -1;
++
++	/* remove temporary mount point, we don't consider the removing
++	 * as fatal */
++	if (remove_pivotdir && rmdir(pivotdir))
++		WARN("can't remove mountpoint '%s': %m", pivotdir);
++
++	return 0;
++}
++
++static int setup_rootfs(const struct lxc_rootfs *rootfs)
++{
++	if (!rootfs->path)
++		return 0;
++
++	if (access(rootfs->mount, F_OK)) {
++		SYSERROR("failed to access to '%s', check it is present",
++			 rootfs->mount);
++		return -1;
++	}
++
++	if (mount_rootfs(rootfs->path, rootfs->mount)) {
++		ERROR("failed to mount rootfs");
++		return -1;
++	}
++
++	DEBUG("mounted '%s' on '%s'", rootfs->path, rootfs->mount);
++
++	return 0;
++}
++
++int setup_pivot_root(const struct lxc_rootfs *rootfs)
++{
++	if (!rootfs->path)
++		return 0;
++
++	if (setup_rootfs_pivot_root(rootfs->mount, rootfs->pivot)) {
++		ERROR("failed to setup pivot root");
++		return -1;
++	}
++
++	return 0;
++}
++
++static int setup_pts(int pts)
++{
++	char target[PATH_MAX];
++
++	if (!pts)
++		return 0;
++
++	if (!access("/dev/pts/ptmx", F_OK) && umount("/dev/pts")) {
++		SYSERROR("failed to umount 'dev/pts'");
++		return -1;
++	}
++
++	if (mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL,
++		  "newinstance,ptmxmode=0666")) {
++		SYSERROR("failed to mount a new instance of '/dev/pts'");
++		return -1;
++	}
++
++	if (access("/dev/ptmx", F_OK)) {
++		if (!symlink("/dev/pts/ptmx", "/dev/ptmx"))
++			goto out;
++		SYSERROR("failed to symlink '/dev/pts/ptmx'->'/dev/ptmx'");
++		return -1;
++	}
++
++	if (realpath("/dev/ptmx", target) && !strcmp(target, "/dev/pts/ptmx"))
++		goto out;
++
++	/* fallback here, /dev/pts/ptmx exists just mount bind */
++	if (mount("/dev/pts/ptmx", "/dev/ptmx", "none", MS_BIND, 0)) {
++		SYSERROR("mount failed '/dev/pts/ptmx'->'/dev/ptmx'");
++		return -1;
++	}
++
++	INFO("created new pts instance");
++
++out:
++	return 0;
++}
++
++static int setup_personality(int persona)
++{
++	if (persona == -1)
++		return 0;
++
++	if (personality(persona) < 0) {
++		SYSERROR("failed to set personality to '0x%x'", persona);
++		return -1;
++	}
++
++	INFO("set personality to '0x%x'", persona);
++
++	return 0;
++}
++
++static int setup_dev_console(const struct lxc_rootfs *rootfs,
++			 const struct lxc_console *console)
++{
++	char path[MAXPATHLEN];
++	struct stat s;
++	int ret;
++
++	ret = snprintf(path, sizeof(path), "%s/dev/console", rootfs->mount);
++	if (ret >= sizeof(path)) {
++		ERROR("console path too long\n");
++		return -1;
++	}
++
++	if (access(path, F_OK)) {
++		WARN("rootfs specified but no console found at '%s'", path);
++		return 0;
++	}
++
++	if (console->peer == -1) {
++		INFO("no console output required");
++		return 0;
++	}
++
++	if (stat(path, &s)) {
++		SYSERROR("failed to stat '%s'", path);
++		return -1;
++	}
++
++	if (chmod(console->name, s.st_mode)) {
++		SYSERROR("failed to set mode '0%o' to '%s'",
++			 s.st_mode, console->name);
++		return -1;
++	}
++
++	if (mount(console->name, path, "none", MS_BIND, 0)) {
++		ERROR("failed to mount '%s' on '%s'", console->name, path);
++		return -1;
++	}
++
++	INFO("console has been setup");
++	return 0;
++}
++
++static int setup_ttydir_console(const struct lxc_rootfs *rootfs,
++			 const struct lxc_console *console,
++			 char *ttydir)
++{
++	char path[MAXPATHLEN], lxcpath[MAXPATHLEN];
++	int ret;
++
++	/* create rootfs/dev/<ttydir> directory */
++	ret = snprintf(path, sizeof(path), "%s/dev/%s", rootfs->mount,
++		       ttydir);
++	if (ret >= sizeof(path))
++		return -1;
++	ret = mkdir(path, 0755);
++	if (ret && errno != EEXIST) {
++		SYSERROR("failed with errno %d to create %s\n", errno, path);
++		return -1;
++	}
++	INFO("created %s\n", path);
++
++	ret = snprintf(lxcpath, sizeof(lxcpath), "%s/dev/%s/console",
++		       rootfs->mount, ttydir);
++	if (ret >= sizeof(lxcpath)) {
++		ERROR("console path too long\n");
++		return -1;
++	}
++
++	snprintf(path, sizeof(path), "%s/dev/console", rootfs->mount);
++	ret = unlink(path);
++	if (ret && errno != ENOENT) {
++		SYSERROR("error unlinking %s\n", path);
++		return -1;
++	}
++
++	ret = creat(lxcpath, 0660);
++	if (ret==-1 && errno != EEXIST) {
++		SYSERROR("error %d creating %s\n", errno, lxcpath);
++		return -1;
++	}
++	close(ret);
++
++	if (console->peer == -1) {
++		INFO("no console output required");
++		return 0;
++	}
++
++	if (mount(console->name, lxcpath, "none", MS_BIND, 0)) {
++		ERROR("failed to mount '%s' on '%s'", console->name, lxcpath);
++		return -1;
++	}
++
++	/* create symlink from rootfs/dev/console to 'lxc/console' */
++	ret = snprintf(lxcpath, sizeof(lxcpath), "%s/console", ttydir);
++	if (ret >= sizeof(lxcpath)) {
++		ERROR("lxc/console path too long");
++		return -1;
++	}
++	ret = symlink(lxcpath, path);
++	if (ret) {
++		SYSERROR("failed to create symlink for console");
++		return -1;
++	}
++
++	INFO("console has been setup on %s", lxcpath);
++
++	return 0;
++}
++
++static int setup_console(const struct lxc_rootfs *rootfs,
++			 const struct lxc_console *console,
++			 char *ttydir)
++{
++	/* We don't have a rootfs, /dev/console will be shared */
++	if (!rootfs->path)
++		return 0;
++	if (!ttydir)
++		return setup_dev_console(rootfs, console);
++
++	return setup_ttydir_console(rootfs, console, ttydir);
++}
++
++static int setup_kmsg(const struct lxc_rootfs *rootfs,
++		       const struct lxc_console *console)
++{
++	char kpath[MAXPATHLEN];
++	int ret;
++
++	ret = snprintf(kpath, sizeof(kpath), "%s/dev/kmsg", rootfs->mount);
++	if (ret < 0 || ret >= sizeof(kpath))
++		return -1;
++
++	ret = unlink(kpath);
++	if (ret && errno != ENOENT) {
++		SYSERROR("error unlinking %s\n", kpath);
++		return -1;
++	}
++
++	ret = symlink("console", kpath);
++	if (ret) {
++		SYSERROR("failed to create symlink for kmsg");
++		return -1;
++	}
++
++	return 0;
++}
++
++static int setup_cgroup(const char *name, struct lxc_list *cgroups)
++{
++	struct lxc_list *iterator;
++	struct lxc_cgroup *cg;
++	int ret = -1;
++
++	if (lxc_list_empty(cgroups))
++		return 0;
++
++	lxc_list_for_each(iterator, cgroups) {
++
++		cg = iterator->elem;
++
++		if (lxc_cgroup_set(name, cg->subsystem, cg->value))
++			goto out;
++
++		DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value);
++	}
++
++	ret = 0;
++	INFO("cgroup has been setup");
++out:
++	return ret;
++}
++
++static void parse_mntopt(char *opt, unsigned long *flags, char **data)
++{
++	struct mount_opt *mo;
++
++	/* If opt is found in mount_opt, set or clear flags.
++	 * Otherwise append it to data. */
++
++	for (mo = &mount_opt[0]; mo->name != NULL; mo++) {
++		if (!strncmp(opt, mo->name, strlen(mo->name))) {
++			if (mo->clear)
++				*flags &= ~mo->flag;
++			else
++				*flags |= mo->flag;
++			return;
++		}
++	}
++
++	if (strlen(*data))
++		strcat(*data, ",");
++	strcat(*data, opt);
++}
++
++static int parse_mntopts(const char *mntopts, unsigned long *mntflags,
++			 char **mntdata)
++{
++	char *s, *data;
++	char *p, *saveptr = NULL;
++
++	*mntdata = NULL;
++	*mntflags = 0L;
++
++	if (!mntopts)
++		return 0;
++
++	s = strdup(mntopts);
++	if (!s) {
++		SYSERROR("failed to allocate memory");
++		return -1;
++	}
++
++	data = malloc(strlen(s) + 1);
++	if (!data) {
++		SYSERROR("failed to allocate memory");
++		free(s);
++		return -1;
++	}
++	*data = 0;
++
++	for (p = strtok_r(s, ",", &saveptr); p != NULL;
++	     p = strtok_r(NULL, ",", &saveptr))
++		parse_mntopt(p, mntflags, &data);
++
++	if (*data)
++		*mntdata = data;
++	else
++		free(data);
++	free(s);
++
++	return 0;
++}
++
++static int mount_entry(const char *fsname, const char *target,
++		       const char *fstype, unsigned long mountflags,
++		       const char *data)
++{
++	if (mount(fsname, target, fstype, mountflags & ~MS_REMOUNT, data)) {
++		SYSERROR("failed to mount '%s' on '%s'", fsname, target);
++		return -1;
++	}
++
++	if ((mountflags & MS_REMOUNT) || (mountflags & MS_BIND)) {
++
++		DEBUG("remounting %s on %s to respect bind or remount options",
++		      fsname, target);
++
++		if (mount(fsname, target, fstype,
++			  mountflags | MS_REMOUNT, data)) {
++			SYSERROR("failed to mount '%s' on '%s'",
++				 fsname, target);
++			return -1;
++		}
++	}
++
++	DEBUG("mounted '%s' on '%s', type '%s'", fsname, target, fstype);
++
++	return 0;
++}
++
++static inline int mount_entry_on_systemfs(struct mntent *mntent)
++{
++	unsigned long mntflags;
++	char *mntdata;
++	int ret;
++
++	if (parse_mntopts(mntent->mnt_opts, &mntflags, &mntdata) < 0) {
++		ERROR("failed to parse mount option '%s'", mntent->mnt_opts);
++		return -1;
++	}
++
++	ret = mount_entry(mntent->mnt_fsname, mntent->mnt_dir,
++			  mntent->mnt_type, mntflags, mntdata);
++
++	free(mntdata);
++
++	return ret;
++}
++
++static int mount_entry_on_absolute_rootfs(struct mntent *mntent,
++					  const struct lxc_rootfs *rootfs,
++					  const char *lxc_name)
++{
++	char *aux;
++	char path[MAXPATHLEN];
++	unsigned long mntflags;
++	char *mntdata;
++	int r, ret = 0, offset;
++
++	if (parse_mntopts(mntent->mnt_opts, &mntflags, &mntdata) < 0) {
++		ERROR("failed to parse mount option '%s'", mntent->mnt_opts);
++		return -1;
++	}
++
++	/* if rootfs->path is a blockdev path, allow container fstab to
++	 * use /var/lib/lxc/CN/rootfs as the target prefix */
++	r = snprintf(path, MAXPATHLEN, "/var/lib/lxc/%s/rootfs", lxc_name);
++	if (r < 0 || r >= MAXPATHLEN)
++		goto skipvarlib;
++
++	aux = strstr(mntent->mnt_dir, path);
++	if (aux) {
++		offset = strlen(path);
++		goto skipabs;
++	}
++
++skipvarlib:
++	aux = strstr(mntent->mnt_dir, rootfs->path);
++	if (!aux) {
++		WARN("ignoring mount point '%s'", mntent->mnt_dir);
++		goto out;
++	}
++	offset = strlen(rootfs->path);
++
++skipabs:
++
++	r = snprintf(path, MAXPATHLEN, "%s/%s", rootfs->mount,
++		 aux + offset);
++	if (r < 0 || r >= MAXPATHLEN) {
++		WARN("pathnme too long for '%s'", mntent->mnt_dir);
++		ret = -1;
++		goto out;
++	}
++
++
++	ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type,
++			  mntflags, mntdata);
++
++out:
++	free(mntdata);
++	return ret;
++}
++
++static int mount_entry_on_relative_rootfs(struct mntent *mntent,
++					  const char *rootfs)
++{
++	char path[MAXPATHLEN];
++	unsigned long mntflags;
++	char *mntdata;
++	int ret;
++
++	if (parse_mntopts(mntent->mnt_opts, &mntflags, &mntdata) < 0) {
++		ERROR("failed to parse mount option '%s'", mntent->mnt_opts);
++		return -1;
++	}
++
++        /* relative to root mount point */
++	ret = snprintf(path, sizeof(path), "%s/%s", rootfs, mntent->mnt_dir);
++	if (ret >= sizeof(path)) {
++		ERROR("path name too long");
++		return -1;
++	}
++
++	ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type,
++			  mntflags, mntdata);
++
++	free(mntdata);
++
++	return ret;
++}
++
++static int mount_file_entries(const struct lxc_rootfs *rootfs, FILE *file,
++	const char *lxc_name)
++{
++	struct mntent *mntent;
++	int ret = -1;
++
++	while ((mntent = getmntent(file))) {
++
++		if (!rootfs->path) {
++			if (mount_entry_on_systemfs(mntent))
++				goto out;
++			continue;
++		}
++
++		/* We have a separate root, mounts are relative to it */
++		if (mntent->mnt_dir[0] != '/') {
++			if (mount_entry_on_relative_rootfs(mntent,
++							   rootfs->mount))
++				goto out;
++			continue;
++		}
++
++		if (mount_entry_on_absolute_rootfs(mntent, rootfs, lxc_name))
++			goto out;
++	}
++
++	ret = 0;
++
++	INFO("mount points have been setup");
++out:
++	return ret;
++}
++
++static int setup_mount(const struct lxc_rootfs *rootfs, const char *fstab,
++	const char *lxc_name)
++{
++	FILE *file;
++	int ret;
++
++	if (!fstab)
++		return 0;
++
++	file = setmntent(fstab, "r");
++	if (!file) {
++		SYSERROR("failed to use '%s'", fstab);
++		return -1;
++	}
++
++	ret = mount_file_entries(rootfs, file, lxc_name);
++
++	endmntent(file);
++	return ret;
++}
++
++static int setup_mount_entries(const struct lxc_rootfs *rootfs, struct lxc_list *mount,
++	const char *lxc_name)
++{
++	FILE *file;
++	struct lxc_list *iterator;
++	char *mount_entry;
++	int ret;
++
++	file = tmpfile();
++	if (!file) {
++		ERROR("tmpfile error: %m");
++		return -1;
++	}
++
++	lxc_list_for_each(iterator, mount) {
++		mount_entry = iterator->elem;
++		fprintf(file, "%s\n", mount_entry);
++	}
++
++	rewind(file);
++
++	ret = mount_file_entries(rootfs, file, lxc_name);
++
++	fclose(file);
++	return ret;
++}
++
++static int setup_caps(struct lxc_list *caps)
++{
++	struct lxc_list *iterator;
++	char *drop_entry;
++	char *ptr;
++	int i, capid;
++
++	lxc_list_for_each(iterator, caps) {
++
++		drop_entry = iterator->elem;
++
++		capid = -1;
++
++		for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) {
++
++			if (strcmp(drop_entry, caps_opt[i].name))
++				continue;
++
++			capid = caps_opt[i].value;
++			break;
++		}
++
++		if (capid < 0) {
++			/* try to see if it's numeric, so the user may specify
++			* capabilities  that the running kernel knows about but
++			* we don't */
++			capid = strtol(drop_entry, &ptr, 10);
++			if (!ptr || *ptr != '\0' ||
++			capid == LONG_MIN || capid == LONG_MAX)
++				/* not a valid number */
++				capid = -1;
++			else if (capid > lxc_caps_last_cap())
++				/* we have a number but it's not a valid
++				* capability */
++				capid = -1;
++		}
++
++	        if (capid < 0) {
++			ERROR("unknown capability %s", drop_entry);
++			return -1;
++		}
++
++		DEBUG("drop capability '%s' (%d)", drop_entry, capid);
++
++		if (prctl(PR_CAPBSET_DROP, capid, 0, 0, 0)) {
++                       SYSERROR("failed to remove %s capability", drop_entry);
++                       return -1;
++                }
++
++	}
++
++	DEBUG("capabilities has been setup");
++
++	return 0;
++}
++
++static int setup_hw_addr(char *hwaddr, const char *ifname)
++{
++	struct sockaddr sockaddr;
++	struct ifreq ifr;
++	int ret, fd;
++
++	ret = lxc_convert_mac(hwaddr, &sockaddr);
++	if (ret) {
++		ERROR("mac address '%s' conversion failed : %s",
++		      hwaddr, strerror(-ret));
++		return -1;
++	}
++
++	memcpy(ifr.ifr_name, ifname, IFNAMSIZ);
++	memcpy((char *) &ifr.ifr_hwaddr, (char *) &sockaddr, sizeof(sockaddr));
++
++	fd = socket(AF_INET, SOCK_DGRAM, 0);
++	if (fd < 0) {
++		ERROR("socket failure : %s", strerror(errno));
++		return -1;
++	}
++
++	ret = ioctl(fd, SIOCSIFHWADDR, &ifr);
++	close(fd);
++	if (ret)
++		ERROR("ioctl failure : %s", strerror(errno));
++
++	DEBUG("mac address '%s' on '%s' has been setup", hwaddr, ifname);
++
++	return ret;
++}
++
++static int setup_ipv4_addr(struct lxc_list *ip, int ifindex)
++{
++	struct lxc_list *iterator;
++	struct lxc_inetdev *inetdev;
++	int err;
++
++	lxc_list_for_each(iterator, ip) {
++
++		inetdev = iterator->elem;
++
++		err = lxc_ipv4_addr_add(ifindex, &inetdev->addr,
++					&inetdev->bcast, inetdev->prefix);
++		if (err) {
++			ERROR("failed to setup_ipv4_addr ifindex %d : %s",
++			      ifindex, strerror(-err));
++			return -1;
++		}
++	}
++
++	return 0;
++}
++
++static int setup_ipv6_addr(struct lxc_list *ip, int ifindex)
++{
++	struct lxc_list *iterator;
++	struct lxc_inet6dev *inet6dev;
++	int err;
++
++	lxc_list_for_each(iterator, ip) {
++
++		inet6dev = iterator->elem;
++
++		err = lxc_ipv6_addr_add(ifindex, &inet6dev->addr,
++					&inet6dev->mcast, &inet6dev->acast,
++					inet6dev->prefix);
++		if (err) {
++			ERROR("failed to setup_ipv6_addr ifindex %d : %s",
++			      ifindex, strerror(-err));
++			return -1;
++		}
++	}
++
++	return 0;
++}
++
++static int setup_netdev(struct lxc_netdev *netdev)
++{
++	char ifname[IFNAMSIZ];
++	char *current_ifname = ifname;
++	int err;
++
++	/* empty network namespace */
++	if (!netdev->ifindex) {
++		if (netdev->flags & IFF_UP) {
++			err = lxc_netdev_up("lo");
++			if (err) {
++				ERROR("failed to set the loopback up : %s",
++				      strerror(-err));
++				return -1;
++			}
++		}
++		return 0;
++	}
++
++	/* retrieve the name of the interface */
++	if (!if_indextoname(netdev->ifindex, current_ifname)) {
++		ERROR("no interface corresponding to index '%d'",
++		      netdev->ifindex);
++		return -1;
++	}
++
++	/* default: let the system to choose one interface name */
++	if (!netdev->name)
++		netdev->name = netdev->type == LXC_NET_PHYS ?
++			netdev->link : "eth%d";
++
++	/* rename the interface name */
++	err = lxc_netdev_rename_by_name(ifname, netdev->name);
++	if (err) {
++		ERROR("failed to rename %s->%s : %s", ifname, netdev->name,
++		      strerror(-err));
++		return -1;
++	}
++
++	/* Re-read the name of the interface because its name has changed
++	 * and would be automatically allocated by the system
++	 */
++	if (!if_indextoname(netdev->ifindex, current_ifname)) {
++		ERROR("no interface corresponding to index '%d'",
++		      netdev->ifindex);
++		return -1;
++	}
++
++	/* set a mac address */
++	if (netdev->hwaddr) {
++		if (setup_hw_addr(netdev->hwaddr, current_ifname)) {
++			ERROR("failed to setup hw address for '%s'",
++			      current_ifname);
++			return -1;
++		}
++	}
++
++	/* setup ipv4 addresses on the interface */
++	if (setup_ipv4_addr(&netdev->ipv4, netdev->ifindex)) {
++		ERROR("failed to setup ip addresses for '%s'",
++			      ifname);
++		return -1;
++	}
++
++	/* setup ipv6 addresses on the interface */
++	if (setup_ipv6_addr(&netdev->ipv6, netdev->ifindex)) {
++		ERROR("failed to setup ipv6 addresses for '%s'",
++			      ifname);
++		return -1;
++	}
++
++	/* set the network device up */
++	if (netdev->flags & IFF_UP) {
++		int err;
++
++		err = lxc_netdev_up(current_ifname);
++		if (err) {
++			ERROR("failed to set '%s' up : %s", current_ifname,
++			      strerror(-err));
++			return -1;
++		}
++
++		/* the network is up, make the loopback up too */
++		err = lxc_netdev_up("lo");
++		if (err) {
++			ERROR("failed to set the loopback up : %s",
++			      strerror(-err));
++			return -1;
++		}
++	}
++
++	/* We can only set up the default routes after bringing
++	 * up the interface, sine bringing up the interface adds
++	 * the link-local routes and we can't add a default
++	 * route if the gateway is not reachable. */
++
++	/* setup ipv4 gateway on the interface */
++	if (netdev->ipv4_gateway) {
++		if (!(netdev->flags & IFF_UP)) {
++			ERROR("Cannot add ipv4 gateway for %s when not bringing up the interface", ifname);
++			return -1;
++		}
++
++		if (lxc_list_empty(&netdev->ipv4)) {
++			ERROR("Cannot add ipv4 gateway for %s when not assigning an address", ifname);
++			return -1;
++		}
++
++		err = lxc_ipv4_gateway_add(netdev->ifindex, netdev->ipv4_gateway);
++		if (err) {
++			ERROR("failed to setup ipv4 gateway for '%s': %s",
++				      ifname, strerror(-err));
++			if (netdev->ipv4_gateway_auto) {
++				char buf[INET_ADDRSTRLEN];
++				inet_ntop(AF_INET, netdev->ipv4_gateway, buf, sizeof(buf));
++				ERROR("tried to set autodetected ipv4 gateway '%s'", buf);
++			}
++			return -1;
++		}
++	}
++
++	/* setup ipv6 gateway on the interface */
++	if (netdev->ipv6_gateway) {
++		if (!(netdev->flags & IFF_UP)) {
++			ERROR("Cannot add ipv6 gateway for %s when not bringing up the interface", ifname);
++			return -1;
++		}
++
++		if (lxc_list_empty(&netdev->ipv6) && !IN6_IS_ADDR_LINKLOCAL(netdev->ipv6_gateway)) {
++			ERROR("Cannot add ipv6 gateway for %s when not assigning an address", ifname);
++			return -1;
++		}
++
++		err = lxc_ipv6_gateway_add(netdev->ifindex, netdev->ipv6_gateway);
++		if (err) {
++			ERROR("failed to setup ipv6 gateway for '%s': %s",
++				      ifname, strerror(-err));
++			if (netdev->ipv6_gateway_auto) {
++				char buf[INET6_ADDRSTRLEN];
++				inet_ntop(AF_INET6, netdev->ipv6_gateway, buf, sizeof(buf));
++				ERROR("tried to set autodetected ipv6 gateway '%s'", buf);
++			}
++			return -1;
++		}
++	}
++
++	DEBUG("'%s' has been setup", current_ifname);
++
++	return 0;
++}
++
++static int setup_network(struct lxc_list *network)
++{
++	struct lxc_list *iterator;
++	struct lxc_netdev *netdev;
++
++	lxc_list_for_each(iterator, network) {
++
++		netdev = iterator->elem;
++
++		if (setup_netdev(netdev)) {
++			ERROR("failed to setup netdev");
++			return -1;
++		}
++	}
++
++	if (!lxc_list_empty(network))
++		INFO("network has been setup");
++
++	return 0;
++}
++
++static int setup_private_host_hw_addr(char *veth1)
++{
++	struct ifreq ifr;
++	int err;
++	int sockfd;
++
++	sockfd = socket(AF_INET, SOCK_DGRAM, 0);
++	if (sockfd < 0)
++		return -errno;
++
++	snprintf((char *)ifr.ifr_name, IFNAMSIZ, "%s", veth1);
++	err = ioctl(sockfd, SIOCGIFHWADDR, &ifr);
++	if (err < 0) {
++		close(sockfd);
++		return -errno;
++	}
++
++	ifr.ifr_hwaddr.sa_data[0] = 0xfe;
++	err = ioctl(sockfd, SIOCSIFHWADDR, &ifr);
++	close(sockfd);
++	if (err < 0)
++		return -errno;
++
++	DEBUG("mac address of host interface '%s' changed to private "
++	      "%02x:%02x:%02x:%02x:%02x:%02x", veth1,
++	      ifr.ifr_hwaddr.sa_data[0] & 0xff,
++	      ifr.ifr_hwaddr.sa_data[1] & 0xff,
++	      ifr.ifr_hwaddr.sa_data[2] & 0xff,
++	      ifr.ifr_hwaddr.sa_data[3] & 0xff,
++	      ifr.ifr_hwaddr.sa_data[4] & 0xff,
++	      ifr.ifr_hwaddr.sa_data[5] & 0xff);
++
++	return 0;
++}
++
++struct lxc_conf *lxc_conf_init(void)
++{
++	struct lxc_conf *new;
++	int i;
++
++	new = 	malloc(sizeof(*new));
++	if (!new) {
++		ERROR("lxc_conf_init : %m");
++		return NULL;
++	}
++	memset(new, 0, sizeof(*new));
++
++	new->umount_proc = 0;
++	new->personality = -1;
++	new->console.path = NULL;
++	new->console.peer = -1;
++	new->console.master = -1;
++	new->console.slave = -1;
++	new->console.name[0] = '\0';
++	new->rootfs.mount = LXCROOTFSMOUNT;
++	lxc_list_init(&new->cgroup);
++	lxc_list_init(&new->network);
++	lxc_list_init(&new->mount_list);
++	lxc_list_init(&new->caps);
++	new->aa_profile = NULL;
++	for (i=0; i<NUM_LXC_HOOKS; i++)
++		lxc_list_init(&new->hooks[i]);
++
++	return new;
++}
++
++static int instanciate_veth(struct lxc_handler *handler, struct lxc_netdev *netdev)
++{
++	char veth1buf[IFNAMSIZ], *veth1;
++	char veth2buf[IFNAMSIZ], *veth2;
++	int err;
++
++	if (netdev->priv.veth_attr.pair)
++		veth1 = netdev->priv.veth_attr.pair;
++	else {
++		err = snprintf(veth1buf, sizeof(veth1buf), "vethXXXXXX");
++		if (err >= sizeof(veth1buf)) { /* can't *really* happen, but... */
++			ERROR("veth1 name too long");
++			return -1;
++		}
++		veth1 = mktemp(veth1buf);
++	}
++
++	snprintf(veth2buf, sizeof(veth2buf), "vethXXXXXX");
++	veth2 = mktemp(veth2buf);
++
++	if (!strlen(veth1) || !strlen(veth2)) {
++		ERROR("failed to allocate a temporary name");
++		return -1;
++	}
++
++	err = lxc_veth_create(veth1, veth2);
++	if (err) {
++		ERROR("failed to create %s-%s : %s", veth1, veth2,
++		      strerror(-err));
++		return -1;
++	}
++
++	/* changing the high byte of the mac address to 0xfe, the bridge interface
++	 * will always keep the host's mac address and not take the mac address
++	 * of a container */
++	err = setup_private_host_hw_addr(veth1);
++	if (err) {
++		ERROR("failed to change mac address of host interface '%s' : %s",
++			veth1, strerror(-err));
++		goto out_delete;
++	}
++
++	if (netdev->mtu) {
++		err = lxc_netdev_set_mtu(veth1, atoi(netdev->mtu));
++		if (!err)
++			err = lxc_netdev_set_mtu(veth2, atoi(netdev->mtu));
++		if (err) {
++			ERROR("failed to set mtu '%s' for %s-%s : %s",
++			      netdev->mtu, veth1, veth2, strerror(-err));
++			goto out_delete;
++		}
++	}
++
++	if (netdev->link) {
++		err = lxc_bridge_attach(netdev->link, veth1);
++		if (err) {
++			ERROR("failed to attach '%s' to the bridge '%s' : %s",
++				      veth1, netdev->link, strerror(-err));
++			goto out_delete;
++		}
++	}
++
++	netdev->ifindex = if_nametoindex(veth2);
++	if (!netdev->ifindex) {
++		ERROR("failed to retrieve the index for %s", veth2);
++		goto out_delete;
++	}
++
++	err = lxc_netdev_up(veth1);
++	if (err) {
++		ERROR("failed to set %s up : %s", veth1, strerror(-err));
++		goto out_delete;
++	}
++
++	if (netdev->upscript) {
++		err = run_script(handler->name, "net", netdev->upscript, "up",
++				 "veth", veth1, (char*) NULL);
++		if (err)
++			goto out_delete;
++	}
++
++	DEBUG("instanciated veth '%s/%s', index is '%d'",
++	      veth1, veth2, netdev->ifindex);
++
++	return 0;
++
++out_delete:
++	lxc_netdev_delete_by_name(veth1);
++	return -1;
++}
++
++static int instanciate_macvlan(struct lxc_handler *handler, struct lxc_netdev *netdev)
++{
++	char peerbuf[IFNAMSIZ], *peer;
++	int err;
++
++	if (!netdev->link) {
++		ERROR("no link specified for macvlan netdev");
++		return -1;
++	}
++
++	err = snprintf(peerbuf, sizeof(peerbuf), "mcXXXXXX");
++	if (err >= sizeof(peerbuf))
++		return -1;
++
++	peer = mktemp(peerbuf);
++	if (!strlen(peer)) {
++		ERROR("failed to make a temporary name");
++		return -1;
++	}
++
++	err = lxc_macvlan_create(netdev->link, peer,
++				 netdev->priv.macvlan_attr.mode);
++	if (err) {
++		ERROR("failed to create macvlan interface '%s' on '%s' : %s",
++		      peer, netdev->link, strerror(-err));
++		return -1;
++	}
++
++	netdev->ifindex = if_nametoindex(peer);
++	if (!netdev->ifindex) {
++		ERROR("failed to retrieve the index for %s", peer);
++		lxc_netdev_delete_by_name(peer);
++		return -1;
++	}
++
++	if (netdev->upscript) {
++		err = run_script(handler->name, "net", netdev->upscript, "up",
++				 "macvlan", netdev->link, (char*) NULL);
++		if (err)
++			return -1;
++	}
++
++	DEBUG("instanciated macvlan '%s', index is '%d' and mode '%d'",
++	      peer, netdev->ifindex, netdev->priv.macvlan_attr.mode);
++
++	return 0;
++}
++
++/* XXX: merge with instanciate_macvlan */
++static int instanciate_vlan(struct lxc_handler *handler, struct lxc_netdev *netdev)
++{
++	char peer[IFNAMSIZ];
++	int err;
++
++	if (!netdev->link) {
++		ERROR("no link specified for vlan netdev");
++		return -1;
++	}
++
++	err = snprintf(peer, sizeof(peer), "vlan%d", netdev->priv.vlan_attr.vid);
++	if (err >= sizeof(peer)) {
++		ERROR("peer name too long");
++		return -1;
++	}
++
++	err = lxc_vlan_create(netdev->link, peer, netdev->priv.vlan_attr.vid);
++	if (err) {
++		ERROR("failed to create vlan interface '%s' on '%s' : %s",
++		      peer, netdev->link, strerror(-err));
++		return -1;
++	}
++
++	netdev->ifindex = if_nametoindex(peer);
++	if (!netdev->ifindex) {
++		ERROR("failed to retrieve the ifindex for %s", peer);
++		lxc_netdev_delete_by_name(peer);
++		return -1;
++	}
++
++	DEBUG("instanciated vlan '%s', ifindex is '%d'", " vlan1000",
++	      netdev->ifindex);
++
++	return 0;
++}
++
++static int instanciate_phys(struct lxc_handler *handler, struct lxc_netdev *netdev)
++{
++	if (!netdev->link) {
++		ERROR("no link specified for the physical interface");
++		return -1;
++	}
++
++	netdev->ifindex = if_nametoindex(netdev->link);
++	if (!netdev->ifindex) {
++		ERROR("failed to retrieve the index for %s", netdev->link);
++		return -1;
++	}
++
++	if (netdev->upscript) {
++		int err;
++		err = run_script(handler->name, "net", netdev->upscript,
++				 "up", "phys", netdev->link, (char*) NULL);
++		if (err)
++			return -1;
++	}
++
++	return 0;
++}
++
++static int instanciate_empty(struct lxc_handler *handler, struct lxc_netdev *netdev)
++{
++	netdev->ifindex = 0;
++	if (netdev->upscript) {
++		int err;
++		err = run_script(handler->name, "net", netdev->upscript,
++				 "up", "empty", (char*) NULL);
++		if (err)
++			return -1;
++	}
++	return 0;
++}
++
++int lxc_create_network(struct lxc_handler *handler)
++{
++	struct lxc_list *network = &handler->conf->network;
++	struct lxc_list *iterator;
++	struct lxc_netdev *netdev;
++
++	lxc_list_for_each(iterator, network) {
++
++		netdev = iterator->elem;
++
++		if (netdev->type < 0 || netdev->type > LXC_NET_MAXCONFTYPE) {
++			ERROR("invalid network configuration type '%d'",
++			      netdev->type);
++			return -1;
++		}
++
++		if (netdev_conf[netdev->type](handler, netdev)) {
++			ERROR("failed to create netdev");
++			return -1;
++		}
++
++	}
++
++	return 0;
++}
++
++void lxc_delete_network(struct lxc_list *network)
++{
++	struct lxc_list *iterator;
++	struct lxc_netdev *netdev;
++
++	lxc_list_for_each(iterator, network) {
++		netdev = iterator->elem;
++		if (netdev->ifindex == 0)
++			continue;
++
++		if (netdev->type == LXC_NET_PHYS) {
++			if (lxc_netdev_rename_by_index(netdev->ifindex, netdev->link))
++				WARN("failed to rename to the initial name the " \
++				     "netdev '%s'", netdev->link);
++			continue;
++		}
++
++		/* Recent kernel remove the virtual interfaces when the network
++		 * namespace is destroyed but in case we did not moved the
++		 * interface to the network namespace, we have to destroy it
++		 */
++		if (lxc_netdev_delete_by_index(netdev->ifindex))
++			WARN("failed to remove interface '%s'", netdev->name);
++	}
++}
++
++int lxc_assign_network(struct lxc_list *network, pid_t pid)
++{
++	struct lxc_list *iterator;
++	struct lxc_netdev *netdev;
++	int err;
++
++	lxc_list_for_each(iterator, network) {
++
++		netdev = iterator->elem;
++
++		/* empty network namespace, nothing to move */
++		if (!netdev->ifindex)
++			continue;
++
++		err = lxc_netdev_move_by_index(netdev->ifindex, pid);
++		if (err) {
++			ERROR("failed to move '%s' to the container : %s",
++			      netdev->link, strerror(-err));
++			return -1;
++		}
++
++		DEBUG("move '%s' to '%d'", netdev->name, pid);
++	}
++
++	return 0;
++}
++
++int lxc_find_gateway_addresses(struct lxc_handler *handler)
++{
++	struct lxc_list *network = &handler->conf->network;
++	struct lxc_list *iterator;
++	struct lxc_netdev *netdev;
++	int link_index;
++
++	lxc_list_for_each(iterator, network) {
++		netdev = iterator->elem;
++
++		if (!netdev->ipv4_gateway_auto && !netdev->ipv6_gateway_auto)
++			continue;
++
++		if (netdev->type != LXC_NET_VETH && netdev->type != LXC_NET_MACVLAN) {
++			ERROR("gateway = auto only supported for "
++			      "veth and macvlan");
++			return -1;
++		}
++
++		if (!netdev->link) {
++			ERROR("gateway = auto needs a link interface");
++			return -1;
++		}
++
++		link_index = if_nametoindex(netdev->link);
++		if (!link_index)
++			return -EINVAL;
++
++		if (netdev->ipv4_gateway_auto) {
++			if (lxc_ipv4_addr_get(link_index, &netdev->ipv4_gateway)) {
++				ERROR("failed to automatically find ipv4 gateway "
++				      "address from link interface '%s'", netdev->link);
++				return -1;
++			}
++		}
++
++		if (netdev->ipv6_gateway_auto) {
++			if (lxc_ipv6_addr_get(link_index, &netdev->ipv6_gateway)) {
++				ERROR("failed to automatically find ipv6 gateway "
++				      "address from link interface '%s'", netdev->link);
++				return -1;
++			}
++		}
++	}
++
++	return 0;
++}
++
++int lxc_create_tty(const char *name, struct lxc_conf *conf)
++{
++	struct lxc_tty_info *tty_info = &conf->tty_info;
++	int i;
++
++	/* no tty in the configuration */
++	if (!conf->tty)
++		return 0;
++
++	tty_info->pty_info =
++		malloc(sizeof(*tty_info->pty_info)*conf->tty);
++	if (!tty_info->pty_info) {
++		SYSERROR("failed to allocate pty_info");
++		return -1;
++	}
++
++	for (i = 0; i < conf->tty; i++) {
++
++		struct lxc_pty_info *pty_info = &tty_info->pty_info[i];
++
++		if (openpty(&pty_info->master, &pty_info->slave,
++			    pty_info->name, NULL, NULL)) {
++			SYSERROR("failed to create pty #%d", i);
++			tty_info->nbtty = i;
++			lxc_delete_tty(tty_info);
++			return -1;
++		}
++
++		DEBUG("allocated pty '%s' (%d/%d)",
++		      pty_info->name, pty_info->master, pty_info->slave);
++
++                /* Prevent leaking the file descriptors to the container */
++		fcntl(pty_info->master, F_SETFD, FD_CLOEXEC);
++		fcntl(pty_info->slave, F_SETFD, FD_CLOEXEC);
++
++		pty_info->busy = 0;
++	}
++
++	tty_info->nbtty = conf->tty;
++
++	INFO("tty's configured");
++
++	return 0;
++}
++
++void lxc_delete_tty(struct lxc_tty_info *tty_info)
++{
++	int i;
++
++	for (i = 0; i < tty_info->nbtty; i++) {
++		struct lxc_pty_info *pty_info = &tty_info->pty_info[i];
++
++		close(pty_info->master);
++		close(pty_info->slave);
++	}
++
++	free(tty_info->pty_info);
++	tty_info->nbtty = 0;
++}
++
++/*
++ * make sure /proc/self exists, and points to '1', since we are the
++ * container init.
++ * Else mount /proc.  Return 0 if proc was
++ * already mounted, 1 if we mounted it, -1 if we failed.
++ */
++static int mount_proc_if_needed(char *root_src, char *rootfs_tgt)
++{
++	char path[MAXPATHLEN];
++	char link[20];
++	int linklen, ret;
++
++	ret = snprintf(path, MAXPATHLEN, "%s/proc/self", root_src ? rootfs_tgt : "");
++	if (ret < 0 || ret >= MAXPATHLEN) {
++		SYSERROR("proc path name too long");
++		return -1;
++	}
++	memset(link, 0, 20);
++	linklen = readlink(path, link, 20);
++	INFO("I am %d, /proc/self points to %s\n", getpid(), link);
++	ret = snprintf(path, MAXPATHLEN, "%s/proc", root_src ? rootfs_tgt : "");
++	if (linklen < 0) /* /proc not mounted */
++		goto domount;
++	/* can't be longer than rootfs/proc/1 */
++	if (strncmp(link, "1", linklen) != 0) {
++		/* wrong /procs mounted */
++		umount2(path, MNT_DETACH); /* ignore failure */
++		goto domount;
++	}
++	/* the right proc is already mounted */
++	return 0;
++
++domount:
++	if (mount("proc", path, "proc", 0, NULL))
++		return -1;
++	INFO("Mounted /proc for the container\n");
++	return 1;
++}
++
++int lxc_setup(const char *name, struct lxc_conf *lxc_conf)
++{
++	int mounted;
++
++	if (setup_utsname(lxc_conf->utsname)) {
++		ERROR("failed to setup the utsname for '%s'", name);
++		return -1;
++	}
++
++	if (setup_network(&lxc_conf->network)) {
++		ERROR("failed to setup the network for '%s'", name);
++		return -1;
++	}
++
++	if (run_lxc_hooks(name, "pre-mount", lxc_conf)) {
++		ERROR("failed to run pre-mount hooks for container '%s'.", name);
++		return -1;
++	}
++
++	if (setup_rootfs(&lxc_conf->rootfs)) {
++		ERROR("failed to setup rootfs for '%s'", name);
++		return -1;
++	}
++
++	if (setup_mount(&lxc_conf->rootfs, lxc_conf->fstab, name)) {
++		ERROR("failed to setup the mounts for '%s'", name);
++		return -1;
++	}
++
++	if (setup_mount_entries(&lxc_conf->rootfs, &lxc_conf->mount_list, name)) {
++		ERROR("failed to setup the mount entries for '%s'", name);
++		return -1;
++	}
++
++	if (setup_cgroup(name, &lxc_conf->cgroup)) {
++		ERROR("failed to setup the cgroups for '%s'", name);
++		return -1;
++	}
++	if (run_lxc_hooks(name, "mount", lxc_conf)) {
++		ERROR("failed to run mount hooks for container '%s'.", name);
++		return -1;
++	}
++
++	if (setup_console(&lxc_conf->rootfs, &lxc_conf->console, lxc_conf->ttydir)) {
++		ERROR("failed to setup the console for '%s'", name);
++		return -1;
++	}
++
++	if (setup_kmsg(&lxc_conf->rootfs, &lxc_conf->console)) {
++		ERROR("failed to setup kmsg for '%s'", name);
++		return -1;
++	}
++
++	if (setup_tty(&lxc_conf->rootfs, &lxc_conf->tty_info, lxc_conf->ttydir)) {
++		ERROR("failed to setup the ttys for '%s'", name);
++		return -1;
++	}
++
++	/* aa_change_onexec makes more sense since we want to transition when
++	 * /sbin/init is exec'd.  But the transitions doesn't seem to work
++	 * then (refused).  aa_change_onexec will work since we're doing it
++	 * right before the exec, so we'll just use that for now.
++	 * In case the container fstab didn't mount /proc, we mount it.
++	 */
++	INFO("rootfs path is .%s., mount is .%s.", lxc_conf->rootfs.path,
++		lxc_conf->rootfs.mount);
++
++	mounted = mount_proc_if_needed(lxc_conf->rootfs.path, lxc_conf->rootfs.mount);
++	if (mounted == -1) {
++		SYSERROR("failed to mount /proc in the container.");
++		return -1;
++	} else if (mounted == 1) {
++		lxc_conf->umount_proc = 1;
++	}
++
++	if (setup_pivot_root(&lxc_conf->rootfs)) {
++		ERROR("failed to set rootfs for '%s'", name);
++		return -1;
++	}
++
++	if (setup_pts(lxc_conf->pts)) {
++		ERROR("failed to setup the new pts instance");
++		return -1;
++	}
++
++	if (setup_personality(lxc_conf->personality)) {
++		ERROR("failed to setup personality");
++		return -1;
++	}
++
++	if (setup_caps(&lxc_conf->caps)) {
++		ERROR("failed to drop capabilities");
++		return -1;
++	}
++
++	NOTICE("'%s' is setup.", name);
++
++	return 0;
++}
++
++int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf)
++{
++	int which = -1;
++	struct lxc_list *it;
++
++	if (strcmp(hook, "pre-start") == 0)
++		which = LXCHOOK_PRESTART;
++	else if (strcmp(hook, "pre-mount") == 0)
++		which = LXCHOOK_PREMOUNT;
++	else if (strcmp(hook, "mount") == 0)
++		which = LXCHOOK_MOUNT;
++	else if (strcmp(hook, "start") == 0)
++		which = LXCHOOK_START;
++	else if (strcmp(hook, "post-stop") == 0)
++		which = LXCHOOK_POSTSTOP;
++	else
++		return -1;
++	lxc_list_for_each(it, &conf->hooks[which]) {
++		int ret;
++		char *hookname = it->elem;
++		ret = run_script(name, "lxc", hookname, hook, NULL);
++		if (ret)
++			return ret;
++	}
++	return 0;
++}
++
++static void lxc_remove_nic(struct lxc_list *it)
++{
++	struct lxc_netdev *netdev = it->elem;
++	struct lxc_list *it2;
++
++	lxc_list_del(it);
++
++	if (netdev->link)
++		free(netdev->link);
++	if (netdev->name)
++		free(netdev->name);
++	if (netdev->upscript)
++		free(netdev->upscript);
++	if (netdev->hwaddr)
++		free(netdev->hwaddr);
++	if (netdev->mtu)
++		free(netdev->mtu);
++	if (netdev->ipv4_gateway)
++		free(netdev->ipv4_gateway);
++	if (netdev->ipv6_gateway)
++		free(netdev->ipv6_gateway);
++	lxc_list_for_each(it2, &netdev->ipv4) {
++		lxc_list_del(it2);
++		free(it2->elem);
++		free(it2);
++	}
++	lxc_list_for_each(it2, &netdev->ipv6) {
++		lxc_list_del(it2);
++		free(it2->elem);
++		free(it2);
++	}
++	free(it);
++}
++
++/* we get passed in something like '0', '0.ipv4' or '1.ipv6' */
++int lxc_clear_nic(struct lxc_conf *c, char *key)
++{
++	char *p1;
++	int ret, idx, i;
++	struct lxc_list *it;
++	struct lxc_netdev *netdev;
++
++	p1 = index(key, '.');
++	if (!p1 || *(p1+1) == '\0')
++		p1 = NULL;
++
++	ret = sscanf(key, "%d", &idx);
++	if (ret != 1) return -1;
++	if (idx < 0)
++		return -1;
++
++	i = 0;
++	lxc_list_for_each(it, &c->network) {
++		if (i == idx)
++			break;
++		i++;
++	}
++	if (i < idx)  // we don't have that many nics defined
++		return -1;
++
++	if (!it || !it->elem)
++		return -1;
++
++	netdev = it->elem;
++
++	if (!p1) {
++		lxc_remove_nic(it);
++	} else if (strcmp(p1, "ipv4") == 0) {
++		struct lxc_list *it2;
++		lxc_list_for_each(it2, &netdev->ipv4) {
++			lxc_list_del(it2);
++			free(it2->elem);
++			free(it2);
++		}
++	} else if (strcmp(p1, "ipv6") == 0) {
++		struct lxc_list *it2;
++		lxc_list_for_each(it2, &netdev->ipv6) {
++			lxc_list_del(it2);
++			free(it2->elem);
++			free(it2);
++		}
++	} else if (strcmp(p1, "link") == 0) {
++		if (netdev->link) {
++			free(netdev->link);
++			netdev->link = NULL;
++		}
++	} else if (strcmp(p1, "name") == 0) {
++		if (netdev->name) {
++			free(netdev->name);
++			netdev->name = NULL;
++		}
++	} else if (strcmp(p1, "script.up") == 0) {
++		if (netdev->upscript) {
++			free(netdev->upscript);
++			netdev->upscript = NULL;
++		}
++	} else if (strcmp(p1, "hwaddr") == 0) {
++		if (netdev->hwaddr) {
++			free(netdev->hwaddr);
++			netdev->hwaddr = NULL;
++		}
++	} else if (strcmp(p1, "mtu") == 0) {
++		if (netdev->mtu) {
++			free(netdev->mtu);
++			netdev->mtu = NULL;
++		}
++	} else if (strcmp(p1, "ipv4_gateway") == 0) {
++		if (netdev->ipv4_gateway) {
++			free(netdev->ipv4_gateway);
++			netdev->ipv4_gateway = NULL;
++		}
++	} else if (strcmp(p1, "ipv6_gateway") == 0) {
++		if (netdev->ipv6_gateway) {
++			free(netdev->ipv6_gateway);
++			netdev->ipv6_gateway = NULL;
++		}
++	}
++		else return -1;
++
++	return 0;
++}
++
++int lxc_clear_config_network(struct lxc_conf *c)
++{
++	struct lxc_list *it;
++	lxc_list_for_each(it, &c->network) {
++		lxc_remove_nic(it);
++	}
++	return 0;
++}
++
++int lxc_clear_config_caps(struct lxc_conf *c)
++{
++	struct lxc_list *it;
++
++	lxc_list_for_each(it, &c->caps) {
++		lxc_list_del(it);
++		free(it->elem);
++		free(it);
++	}
++	return 0;
++}
++
++int lxc_clear_cgroups(struct lxc_conf *c, char *key)
++{
++	struct lxc_list *it;
++	bool all = false;
++	char *k = key + 11;
++
++	if (strcmp(key, "lxc.cgroup") == 0)
++		all = true;
++
++	lxc_list_for_each(it, &c->cgroup) {
++		struct lxc_cgroup *cg = it->elem;
++		if (!all && strcmp(cg->subsystem, k) != 0)
++			continue;
++		lxc_list_del(it);
++		free(cg->subsystem);
++		free(cg->value);
++		free(cg);
++		free(it);
++	}
++	return 0;
++}
++
++int lxc_clear_mount_entries(struct lxc_conf *c)
++{
++	struct lxc_list *it;
++
++	lxc_list_for_each(it, &c->mount_list) {
++		lxc_list_del(it);
++		free(it->elem);
++		free(it);
++	}
++	return 0;
++}
++
++int lxc_clear_hooks(struct lxc_conf *c)
++{
++	struct lxc_list *it;
++	int i;
++
++	for (i=0; i<NUM_LXC_HOOKS; i++) {
++		lxc_list_for_each(it, &c->hooks[i]) {
++			lxc_list_del(it);
++			free(it->elem);
++			free(it);
++		}
++	}
++	return 0;
++}
++
++void lxc_conf_free(struct lxc_conf *conf)
++{
++	if (!conf)
++		return;
++	if (conf->console.path)
++		free(conf->console.path);
++	if (conf->rootfs.mount != LXCROOTFSMOUNT)
++		free(conf->rootfs.mount);
++	lxc_clear_config_network(conf);
++	if (conf->aa_profile)
++		free(conf->aa_profile);
++	lxc_clear_config_caps(conf);
++	lxc_clear_cgroups(conf, "lxc.cgroup");
++	lxc_clear_hooks(conf);
++	lxc_clear_mount_entries(conf);
++	free(conf);
++}
 === added file '.pc/0220-getitem-per-hook-type/src/lxc/conf.h'
 --- .pc/0220-getitem-per-hook-type/src/lxc/conf.h	1970-01-01 00:00:00 +0000
 +++ .pc/0220-getitem-per-hook-type/src/lxc/conf.h	2012-09-14 20:24:18 +0000
@@ -0,0 +1,262 @@
++/*
++ * lxc: linux Container library
++ *
++ * (C) Copyright IBM Corp. 2007, 2008
++ *
++ * Authors:
++ * Daniel Lezcano <dlezcano at fr.ibm.com>
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the Free Software
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ */
++#ifndef _conf_h
++#define _conf_h
++
++#include <netinet/in.h>
++#include <sys/param.h>
++#include <stdbool.h>
++
++#include <lxc/list.h>
++
++#include <lxc/start.h> /* for lxc_handler */
++
++enum {
++	LXC_NET_EMPTY,
++	LXC_NET_VETH,
++	LXC_NET_MACVLAN,
++	LXC_NET_PHYS,
++	LXC_NET_VLAN,
++	LXC_NET_MAXCONFTYPE,
++};
++
++/*
++ * Defines the structure to configure an ipv4 address
++ * @address   : ipv4 address
++ * @broadcast : ipv4 broadcast address
++ * @mask      : network mask
++ */
++struct lxc_inetdev {
++	struct in_addr addr;
++	struct in_addr bcast;
++	int prefix;
++};
++
++struct lxc_route {
++	struct in_addr addr;
++};
++
++/*
++ * Defines the structure to configure an ipv6 address
++ * @flags     : set the address up
++ * @address   : ipv6 address
++ * @broadcast : ipv6 broadcast address
++ * @mask      : network mask
++ */
++struct lxc_inet6dev {
++	struct in6_addr addr;
++	struct in6_addr mcast;
++	struct in6_addr acast;
++	int prefix;
++};
++
++struct lxc_route6 {
++	struct in6_addr addr;
++};
++
++struct ifla_veth {
++	char *pair; /* pair name */
++};
++
++struct ifla_vlan {
++	uint   flags;
++	uint   fmask;
++	ushort   vid;
++	ushort   pad;
++};
++
++struct ifla_macvlan {
++	int mode; /* private, vepa, bridge */
++};
++
++union netdev_p {
++	struct ifla_veth veth_attr;
++	struct ifla_vlan vlan_attr;
++	struct ifla_macvlan macvlan_attr;
++};
++
++/*
++ * Defines a structure to configure a network device
++ * @link       : lxc.network.link, name of bridge or host iface to attach if any
++ * @name       : lxc.network.name, name of iface on the container side
++ * @flags      : flag of the network device (IFF_UP, ... )
++ * @ipv4       : a list of ipv4 addresses to be set on the network device
++ * @ipv6       : a list of ipv6 addresses to be set on the network device
++ * @upscript   : a script filename to be executed during interface configuration
++ */
++struct lxc_netdev {
++	int type;
++	int flags;
++	int ifindex;
++	char *link;
++	char *name;
++	char *hwaddr;
++	char *mtu;
++	union netdev_p priv;
++	struct lxc_list ipv4;
++	struct lxc_list ipv6;
++	struct in_addr *ipv4_gateway;
++	bool ipv4_gateway_auto;
++	struct in6_addr *ipv6_gateway;
++	bool ipv6_gateway_auto;
++	char *upscript;
++};
++
++/*
++ * Defines a generic struct to configure the control group.
++ * It is up to the programmer to specify the right subsystem.
++ * @subsystem : the targetted subsystem
++ * @value     : the value to set
++ */
++struct lxc_cgroup {
++	char *subsystem;
++	char *value;
++};
++
++/*
++ * Defines a structure containing a pty information for
++ * virtualizing a tty
++ * @name   : the path name of the slave pty side
++ * @master : the file descriptor of the master
++ * @slave  : the file descriptor of the slave
++ */
++struct lxc_pty_info {
++	char name[MAXPATHLEN];
++	int master;
++	int slave;
++	int busy;
++};
++
++/*
++ * Defines the number of tty configured and contains the
++ * instanciated ptys
++ * @nbtty = number of configured ttys
++ */
++struct lxc_tty_info {
++	int nbtty;
++	struct lxc_pty_info *pty_info;
++};
++
++/*
++ * Defines the structure to store the console information
++ * @peer   : the file descriptor put/get console traffic
++ * @name   : the file name of the slave pty
++ */
++struct lxc_console {
++	int slave;
++	int master;
++	int peer;
++	char *path;
++	char name[MAXPATHLEN];
++	struct termios *tios;
++};
++
++/*
++ * Defines a structure to store the rootfs location, the
++ * optionals pivot_root, rootfs mount paths
++ * @rootfs     : a path to the rootfs
++ * @pivot_root : a path to a pivot_root location to be used
++ */
++struct lxc_rootfs {
++	char *path;
++	char *mount;
++	char *pivot;
++};
++
++/*
++ * Defines the global container configuration
++ * @rootfs     : root directory to run the container
++ * @pivotdir   : pivotdir path, if not set default will be used
++ * @mount      : list of mount points
++ * @tty        : numbers of tty
++ * @pts        : new pts instance
++ * @mount_list : list of mount point (alternative to fstab file)
++ * @network    : network configuration
++ * @utsname    : container utsname
++ * @fstab      : path to a fstab file format
++ * @caps       : list of the capabilities
++ * @tty_info   : tty data
++ * @console    : console data
++ * @ttydir     : directory (under /dev) in which to create console and ttys
++ * @aa_profile : apparmor profile to switch to
++ */
++enum lxchooks {
++	LXCHOOK_PRESTART, LXCHOOK_PREMOUNT, LXCHOOK_MOUNT, LXCHOOK_START,
++	LXCHOOK_POSTSTOP, NUM_LXC_HOOKS};
++extern char *lxchook_names[NUM_LXC_HOOKS];
++
++struct lxc_conf {
++	char *fstab;
++	int tty;
++	int pts;
++	int reboot;
++	int need_utmp_watch;
++	int personality;
++	struct utsname *utsname;
++	struct lxc_list cgroup;
++	struct lxc_list network;
++	struct lxc_list mount_list;
++	struct lxc_list caps;
++	struct lxc_tty_info tty_info;
++	struct lxc_console console;
++	struct lxc_rootfs rootfs;
++	char *ttydir;
++	int close_all_fds;
++	char *aa_profile;
++	int umount_proc;
++	struct lxc_list hooks[NUM_LXC_HOOKS];
++	char *seccomp;  // filename with the seccomp rules
++	int maincmd_fd;
++};
++
++int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf);
++
++/*
++ * Initialize the lxc configuration structure
++ */
++extern struct lxc_conf *lxc_conf_init(void);
++extern void lxc_conf_free(struct lxc_conf *conf);
++
++extern int pin_rootfs(const char *rootfs);
++
++extern int lxc_create_network(struct lxc_handler *handler);
++extern void lxc_delete_network(struct lxc_list *networks);
++extern int lxc_assign_network(struct lxc_list *networks, pid_t pid);
++extern int lxc_find_gateway_addresses(struct lxc_handler *handler);
++
++extern int lxc_create_tty(const char *name, struct lxc_conf *conf);
++extern void lxc_delete_tty(struct lxc_tty_info *tty_info);
++
++extern int lxc_clear_config_network(struct lxc_conf *c);
++extern int lxc_clear_nic(struct lxc_conf *c, char *key);
++extern int lxc_clear_config_caps(struct lxc_conf *c);
++extern int lxc_clear_cgroups(struct lxc_conf *c, char *key);
++extern int lxc_clear_mount_entries(struct lxc_conf *c);
++extern int lxc_clear_hooks(struct lxc_conf *c);
++
++/*
++ * Configure the container from inside
++ */
++
++extern int lxc_setup(const char *name, struct lxc_conf *lxc_conf);
++#endif
 === added file '.pc/0220-getitem-per-hook-type/src/lxc/confile.c'
 --- .pc/0220-getitem-per-hook-type/src/lxc/confile.c	1970-01-01 00:00:00 +0000
 +++ .pc/0220-getitem-per-hook-type/src/lxc/confile.c	2012-09-14 20:24:18 +0000
@@ -0,0 +1,1673 @@
++/*
++ * lxc: linux Container library
++ *
++ * (C) Copyright IBM Corp. 2007, 2008
++ *
++ * Authors:
++ * Daniel Lezcano <dlezcano at fr.ibm.com>
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the Free Software
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ */
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <errno.h>
++#include <fcntl.h>
++#include <pty.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <sys/param.h>
++#include <sys/utsname.h>
++#include <sys/personality.h>
++#include <arpa/inet.h>
++#include <netinet/in.h>
++#include <net/if.h>
++
++#include "parse.h"
++#include "confile.h"
++#include "utils.h"
++
++#include <lxc/log.h>
++#include <lxc/conf.h>
++#include "network.h"
++
++lxc_log_define(lxc_confile, lxc);
++
++static int config_personality(const char *, char *, struct lxc_conf *);
++static int config_pts(const char *, char *, struct lxc_conf *);
++static int config_tty(const char *, char *, struct lxc_conf *);
++static int config_ttydir(const char *, char *, struct lxc_conf *);
++static int config_aa_profile(const char *, char *, struct lxc_conf *);
++static int config_cgroup(const char *, char *, struct lxc_conf *);
++static int config_mount(const char *, char *, struct lxc_conf *);
++static int config_rootfs(const char *, char *, struct lxc_conf *);
++static int config_rootfs_mount(const char *, char *, struct lxc_conf *);
++static int config_pivotdir(const char *, char *, struct lxc_conf *);
++static int config_utsname(const char *, char *, struct lxc_conf *);
++static int config_hook(const char *key, char *value, struct lxc_conf *lxc_conf);
++static int config_network_type(const char *, char *, struct lxc_conf *);
++static int config_network_flags(const char *, char *, struct lxc_conf *);
++static int config_network_link(const char *, char *, struct lxc_conf *);
++static int config_network_name(const char *, char *, struct lxc_conf *);
++static int config_network_veth_pair(const char *, char *, struct lxc_conf *);
++static int config_network_macvlan_mode(const char *, char *, struct lxc_conf *);
++static int config_network_hwaddr(const char *, char *, struct lxc_conf *);
++static int config_network_vlan_id(const char *, char *, struct lxc_conf *);
++static int config_network_mtu(const char *, char *, struct lxc_conf *);
++static int config_network_ipv4(const char *, char *, struct lxc_conf *);
++static int config_network_ipv4_gateway(const char *, char *, struct lxc_conf *);
++static int config_network_script(const char *, char *, struct lxc_conf *);
++static int config_network_ipv6(const char *, char *, struct lxc_conf *);
++static int config_network_ipv6_gateway(const char *, char *, struct lxc_conf *);
++static int config_cap_drop(const char *, char *, struct lxc_conf *);
++static int config_console(const char *, char *, struct lxc_conf *);
++static int config_seccomp(const char *, char *, struct lxc_conf *);
++static int config_includefile(const char *, char *, struct lxc_conf *);
++static int config_network_nic(const char *, char *, struct lxc_conf *);
++
++typedef int (*config_cb)(const char *, char *, struct lxc_conf *);
++
++static struct lxc_config_t config[] = {
++
++	{ "lxc.arch",                 config_personality          },
++	{ "lxc.pts",                  config_pts                  },
++	{ "lxc.tty",                  config_tty                  },
++	{ "lxc.devttydir",            config_ttydir               },
++	{ "lxc.aa_profile",            config_aa_profile          },
++	{ "lxc.cgroup",               config_cgroup               },
++	{ "lxc.mount",                config_mount                },
++	{ "lxc.rootfs.mount",         config_rootfs_mount         },
++	{ "lxc.rootfs",               config_rootfs               },
++	{ "lxc.pivotdir",             config_pivotdir             },
++	{ "lxc.utsname",              config_utsname              },
++	{ "lxc.hook.pre-start",       config_hook                 },
++	{ "lxc.hook.pre-mount",       config_hook                 },
++	{ "lxc.hook.mount",           config_hook                 },
++	{ "lxc.hook.start",           config_hook                 },
++	{ "lxc.hook.post-stop",       config_hook                 },
++	{ "lxc.network.type",         config_network_type         },
++	{ "lxc.network.flags",        config_network_flags        },
++	{ "lxc.network.link",         config_network_link         },
++	{ "lxc.network.name",         config_network_name         },
++	{ "lxc.network.macvlan.mode", config_network_macvlan_mode },
++	{ "lxc.network.veth.pair",    config_network_veth_pair    },
++	{ "lxc.network.script.up",    config_network_script       },
++	{ "lxc.network.hwaddr",       config_network_hwaddr       },
++	{ "lxc.network.mtu",          config_network_mtu          },
++	{ "lxc.network.vlan.id",      config_network_vlan_id      },
++	{ "lxc.network.ipv4.gateway", config_network_ipv4_gateway },
++	{ "lxc.network.ipv4",         config_network_ipv4         },
++	{ "lxc.network.ipv6.gateway", config_network_ipv6_gateway },
++	{ "lxc.network.ipv6",         config_network_ipv6         },
++	/* config_network_nic must come after all other 'lxc.network.*' entries */
++	{ "lxc.network.",             config_network_nic          },
++	{ "lxc.cap.drop",             config_cap_drop             },
++	{ "lxc.console",              config_console              },
++	{ "lxc.seccomp",              config_seccomp              },
++	{ "lxc.include",              config_includefile          },
++};
++
++static const size_t config_size = sizeof(config)/sizeof(struct lxc_config_t);
++
++extern struct lxc_config_t *lxc_getconfig(const char *key)
++{
++	int i;
++
++	for (i = 0; i < config_size; i++)
++		if (!strncmp(config[i].name, key,
++			     strlen(config[i].name)))
++			return &config[i];
++	return NULL;
++}
++
++#define strprint(str, inlen, ...) \
++	do { \
++		len = snprintf(str, inlen, ##__VA_ARGS__); \
++		if (len < 0) { SYSERROR("snprintf"); return -1; }; \
++		fulllen += len; \
++		if (inlen > 0) { \
++			if (str) str += len; \
++			inlen -= len; \
++			if (inlen < 0) inlen = 0; \
++		} \
++	} while (0);
++
++int lxc_listconfigs(char *retv, int inlen)
++{
++	int i, fulllen = 0, len;
++
++	if (!retv)
++		inlen = 0;
++	else
++		memset(retv, 0, inlen);
++	for (i = 0; i < config_size; i++) {
++		char *s = config[i].name;
++		if (s[strlen(s)-1] == '.')
++			continue;
++		strprint(retv, inlen, "%s\n", s);
++	}
++	return fulllen;
++}
++
++/*
++ * config entry is something like "lxc.network.0.ipv4"
++ * the key 'lxc.network.' was found.  So we make sure next
++ * comes an integer, find the right callback (by rewriting
++ * the key), and call it.
++ */
++static int config_network_nic(const char *key, char *value,
++			       struct lxc_conf *lxc_conf)
++{
++	char *copy = strdup(key), *p;
++	int ret = -1;
++	struct lxc_config_t *config;
++
++	if (!copy) {
++		SYSERROR("failed to allocate memory");
++		return -1;
++	}
++	/*
++	 * ok we know that to get here we've got "lxc.network."
++	 * and it isn't any of the other network entries.  So
++	 * after the second . should come an integer (# of defined
++	 * nic) followed by a valid entry.
++	 */
++	if (*(key+12) < '0' || *(key+12) > '9')
++		goto out;
++	p = index(key+12, '.');
++	if (!p)
++		goto out;
++	strcpy(copy+12, p+1);
++	config = lxc_getconfig(copy);
++	if (!config) {
++		ERROR("unknown key %s", key);
++		goto out;
++	}
++	ret = config->cb(key, value, lxc_conf);
++
++out:
++	free(copy);
++	return ret;
++}
++
++static int config_network_type(const char *key, char *value,
++			       struct lxc_conf *lxc_conf)
++{
++	struct lxc_list *network = &lxc_conf->network;
++	struct lxc_netdev *netdev;
++	struct lxc_list *list;
++
++	netdev = malloc(sizeof(*netdev));
++	if (!netdev) {
++		SYSERROR("failed to allocate memory");
++		return -1;
++	}
++
++	memset(netdev, 0, sizeof(*netdev));
++	lxc_list_init(&netdev->ipv4);
++	lxc_list_init(&netdev->ipv6);
++
++	list = malloc(sizeof(*list));
++	if (!list) {
++		SYSERROR("failed to allocate memory");
++		return -1;
++	}
++
++	lxc_list_init(list);
++	list->elem = netdev;
++
++	lxc_list_add_tail(network, list);
++
++	if (!strcmp(value, "veth"))
++		netdev->type = LXC_NET_VETH;
++	else if (!strcmp(value, "macvlan"))
++		netdev->type = LXC_NET_MACVLAN;
++	else if (!strcmp(value, "vlan"))
++		netdev->type = LXC_NET_VLAN;
++	else if (!strcmp(value, "phys"))
++		netdev->type = LXC_NET_PHYS;
++	else if (!strcmp(value, "empty"))
++		netdev->type = LXC_NET_EMPTY;
++	else {
++		ERROR("invalid network type %s", value);
++		return -1;
++	}
++	return 0;
++}
++
++static int config_ip_prefix(struct in_addr *addr)
++{
++	if (IN_CLASSA(addr->s_addr))
++		return 32 - IN_CLASSA_NSHIFT;
++	if (IN_CLASSB(addr->s_addr))
++		return 32 - IN_CLASSB_NSHIFT;
++	if (IN_CLASSC(addr->s_addr))
++		return 32 - IN_CLASSC_NSHIFT;
++
++	return 0;
++}
++
++/*
++ * if you have p="lxc.network.0.link", pass it p+12
++ * to get back '0' (the index of the nic)
++ */
++static int get_network_netdev_idx(const char *key)
++{
++	int ret, idx;
++
++	if (*key < '0' || *key > '9')
++		return -1;
++	ret = sscanf(key, "%d", &idx);
++	if (ret != 1)
++		return -1;
++	return idx;
++}
++
++/*
++ * if you have p="lxc.network.0", pass this p+12 and it will return
++ * the netdev of the first configured nic
++ */
++static struct lxc_netdev *get_netdev_from_key(const char *key,
++					      struct lxc_list *network)
++{
++	int i = 0, idx = get_network_netdev_idx(key);
++	struct lxc_netdev *netdev = NULL;
++	struct lxc_list *it;
++	if (idx == -1)
++		return NULL;
++	lxc_list_for_each(it, network) {
++		if (idx == i++) {
++			netdev = it->elem;
++			break;
++		}
++	}
++	return netdev;
++}
++
++extern int lxc_list_nicconfigs(struct lxc_conf *c, char *key, char *retv, int inlen)
++{
++	struct lxc_netdev *netdev;
++	int fulllen = 0, len;
++
++	netdev = get_netdev_from_key(key+12, &c->network);
++	if (!netdev)
++		return -1;
++
++	if (!retv)
++		inlen = 0;
++	else
++		memset(retv, 0, inlen);
++
++	strprint(retv, inlen, "script.up\n");
++	if (netdev->type != LXC_NET_EMPTY) {
++		strprint(retv, inlen, "flags\n");
++		strprint(retv, inlen, "link\n");
++		strprint(retv, inlen, "name\n");
++		strprint(retv, inlen, "hwaddr\n");
++		strprint(retv, inlen, "mtu\n");
++		strprint(retv, inlen, "ipv6\n");
++		strprint(retv, inlen, "ipv6_gateway\n");
++		strprint(retv, inlen, "ipv4\n");
++		strprint(retv, inlen, "ipv4_gateway\n");
++	}
++	switch(netdev->type) {
++	case LXC_NET_VETH:
++		strprint(retv, inlen, "veth.pair\n");
++		break;
++	case LXC_NET_MACVLAN:
++		strprint(retv, inlen, "macvlan.mode\n");
++		break;
++	case LXC_NET_VLAN:
++		strprint(retv, inlen, "vlan.id\n");
++		break;
++	case LXC_NET_PHYS:
++		break;
++	}
++	return fulllen;
++}
++
++static struct lxc_netdev *network_netdev(const char *key, const char *value,
++					 struct lxc_list *network)
++{
++	struct lxc_netdev *netdev = NULL;
++
++	if (lxc_list_empty(network)) {
++		ERROR("network is not created for '%s' = '%s' option",
++		      key, value);
++		return NULL;
++	}
++
++	if (get_network_netdev_idx(key+12) == -1)
++		netdev = lxc_list_last_elem(network);
++	else
++		netdev = get_netdev_from_key(key+12, network);
++
++	if (!netdev) {
++		ERROR("no network device defined for '%s' = '%s' option",
++		      key, value);
++		return NULL;
++	}
++
++	return netdev;
++}
++
++static int network_ifname(char **valuep, char *value)
++{
++	if (strlen(value) >= IFNAMSIZ) {
++		ERROR("invalid interface name: %s", value);
++		return -1;
++	}
++
++	*valuep = strdup(value);
++	if (!*valuep) {
++		ERROR("failed to dup string '%s'", value);
++		return -1;
++	}
++
++	return 0;
++}
++
++#ifndef MACVLAN_MODE_PRIVATE
++#  define MACVLAN_MODE_PRIVATE 1
++#endif
++
++#ifndef MACVLAN_MODE_VEPA
++#  define MACVLAN_MODE_VEPA 2
++#endif
++
++#ifndef MACVLAN_MODE_BRIDGE
++#  define MACVLAN_MODE_BRIDGE 4
++#endif
++
++static int macvlan_mode(int *valuep, char *value)
++{
++	struct mc_mode {
++		char *name;
++		int mode;
++	} m[] = {
++		{ "private", MACVLAN_MODE_PRIVATE },
++		{ "vepa", MACVLAN_MODE_VEPA },
++		{ "bridge", MACVLAN_MODE_BRIDGE },
++	};
++
++	int i;
++
++	for (i = 0; i < sizeof(m)/sizeof(m[0]); i++) {
++		if (strcmp(m[i].name, value))
++			continue;
++
++		*valuep = m[i].mode;
++		return 0;
++	}
++
++	return -1;
++}
++
++static int config_network_flags(const char *key, char *value,
++				struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	netdev->flags |= IFF_UP;
++
++	return 0;
++}
++
++static int config_network_link(const char *key, char *value,
++			       struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	return network_ifname(&netdev->link, value);
++}
++
++static int config_network_name(const char *key, char *value,
++			       struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	return network_ifname(&netdev->name, value);
++}
++
++static int config_network_veth_pair(const char *key, char *value,
++				    struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	return network_ifname(&netdev->priv.veth_attr.pair, value);
++}
++
++static int config_network_macvlan_mode(const char *key, char *value,
++				       struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	return macvlan_mode(&netdev->priv.macvlan_attr.mode, value);
++}
++
++static int config_network_hwaddr(const char *key, char *value,
++				 struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	netdev->hwaddr = strdup(value);
++	if (!netdev->hwaddr) {
++		SYSERROR("failed to dup string '%s'", value);
++		return -1;
++	}
++
++	return 0;
++}
++
++static int config_network_vlan_id(const char *key, char *value,
++			       struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	if (get_u16(&netdev->priv.vlan_attr.vid, value, 0))
++		return -1;
++
++	return 0;
++}
++
++static int config_network_mtu(const char *key, char *value,
++			      struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	netdev->mtu = strdup(value);
++	if (!netdev->mtu) {
++		SYSERROR("failed to dup string '%s'", value);
++		return -1;
++	}
++
++	return 0;
++}
++
++static int config_network_ipv4(const char *key, char *value,
++			       struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++	struct lxc_inetdev *inetdev;
++	struct lxc_list *list;
++	char *cursor, *slash, *addr = NULL, *bcast = NULL, *prefix = NULL;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	inetdev = malloc(sizeof(*inetdev));
++	if (!inetdev) {
++		SYSERROR("failed to allocate ipv4 address");
++		return -1;
++	}
++	memset(inetdev, 0, sizeof(*inetdev));
++
++	list = malloc(sizeof(*list));
++	if (!list) {
++		SYSERROR("failed to allocate memory");
++		return -1;
++	}
++
++	lxc_list_init(list);
++	list->elem = inetdev;
++
++	addr = value;
++
++	cursor = strstr(addr, " ");
++	if (cursor) {
++		*cursor = '\0';
++		bcast = cursor + 1;
++	}
++
++	slash = strstr(addr, "/");
++	if (slash) {
++		*slash = '\0';
++		prefix = slash + 1;
++	}
++
++	if (!addr) {
++		ERROR("no address specified");
++		return -1;
++	}
++
++	if (!inet_pton(AF_INET, addr, &inetdev->addr)) {
++		SYSERROR("invalid ipv4 address: %s", value);
++		return -1;
++	}
++
++	if (bcast && !inet_pton(AF_INET, bcast, &inetdev->bcast)) {
++		SYSERROR("invalid ipv4 broadcast address: %s", value);
++		return -1;
++	}
++
++	/* no prefix specified, determine it from the network class */
++	inetdev->prefix = prefix ? atoi(prefix) :
++		config_ip_prefix(&inetdev->addr);
++
++	/* if no broadcast address, let compute one from the
++	 * prefix and address
++	 */
++	if (!bcast) {
++		inetdev->bcast.s_addr = inetdev->addr.s_addr;
++		inetdev->bcast.s_addr |=
++			htonl(INADDR_BROADCAST >>  inetdev->prefix);
++	}
++
++	lxc_list_add(&netdev->ipv4, list);
++
++	return 0;
++}
++
++static int config_network_ipv4_gateway(const char *key, char *value,
++			               struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++	struct in_addr *gw;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	gw = malloc(sizeof(*gw));
++	if (!gw) {
++		SYSERROR("failed to allocate ipv4 gateway address");
++		return -1;
++	}
++
++	if (!value) {
++		ERROR("no ipv4 gateway address specified");
++		return -1;
++	}
++
++	if (!strcmp(value, "auto")) {
++		netdev->ipv4_gateway = NULL;
++		netdev->ipv4_gateway_auto = true;
++	} else {
++		if (!inet_pton(AF_INET, value, gw)) {
++			SYSERROR("invalid ipv4 gateway address: %s", value);
++			return -1;
++		}
++
++		netdev->ipv4_gateway = gw;
++		netdev->ipv4_gateway_auto = false;
++	}
++
++	return 0;
++}
++
++static int config_network_ipv6(const char *key, char *value,
++			       struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++	struct lxc_inet6dev *inet6dev;
++	struct lxc_list *list;
++	char *slash;
++	char *netmask;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	inet6dev = malloc(sizeof(*inet6dev));
++	if (!inet6dev) {
++		SYSERROR("failed to allocate ipv6 address");
++		return -1;
++	}
++	memset(inet6dev, 0, sizeof(*inet6dev));
++
++	list = malloc(sizeof(*list));
++	if (!list) {
++		SYSERROR("failed to allocate memory");
++		return -1;
++	}
++
++	lxc_list_init(list);
++	list->elem = inet6dev;
++
++	inet6dev->prefix = 64;
++	slash = strstr(value, "/");
++	if (slash) {
++		*slash = '\0';
++		netmask = slash + 1;
++		inet6dev->prefix = atoi(netmask);
++	}
++
++	if (!inet_pton(AF_INET6, value, &inet6dev->addr)) {
++		SYSERROR("invalid ipv6 address: %s", value);
++		return -1;
++	}
++
++	lxc_list_add(&netdev->ipv6, list);
++
++	return 0;
++}
++
++static int config_network_ipv6_gateway(const char *key, char *value,
++			               struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++	struct in6_addr *gw;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++		return -1;
++
++	gw = malloc(sizeof(*gw));
++	if (!gw) {
++		SYSERROR("failed to allocate ipv6 gateway address");
++		return -1;
++	}
++
++	if (!value) {
++		ERROR("no ipv6 gateway address specified");
++		return -1;
++	}
++
++	if (!strcmp(value, "auto")) {
++		netdev->ipv6_gateway = NULL;
++		netdev->ipv6_gateway_auto = true;
++	} else {
++		if (!inet_pton(AF_INET6, value, gw)) {
++			SYSERROR("invalid ipv6 gateway address: %s", value);
++			return -1;
++		}
++
++		netdev->ipv6_gateway = gw;
++		netdev->ipv6_gateway_auto = false;
++	}
++
++	return 0;
++}
++
++static int config_network_script(const char *key, char *value,
++				 struct lxc_conf *lxc_conf)
++{
++	struct lxc_netdev *netdev;
++
++	netdev = network_netdev(key, value, &lxc_conf->network);
++	if (!netdev)
++	return -1;
++
++	char *copy = strdup(value);
++	if (!copy) {
++		SYSERROR("failed to dup string '%s'", value);
++		return -1;
++	}
++	if (strstr(key, "script.up") != NULL) {
++		netdev->upscript = copy;
++		return 0;
++	}
++	SYSERROR("Unknown key: %s", key);
++	free(copy);
++	return -1;
++}
++
++static int add_hook(struct lxc_conf *lxc_conf, int which, char *hook)
++{
++	struct lxc_list *hooklist;
++
++	hooklist = malloc(sizeof(*hooklist));
++	if (!hooklist) {
++		free(hook);
++		return -1;
++	}
++	hooklist->elem = hook;
++	lxc_list_add_tail(&lxc_conf->hooks[which], hooklist);
++	return 0;
++}
++
++static int config_seccomp(const char *key, char *value,
++				 struct lxc_conf *lxc_conf)
++{
++	char *path;
++
++	if (lxc_conf->seccomp) {
++		ERROR("seccomp already defined");
++		return -1;
++	}
++	path = strdup(value);
++	if (!path) {
++		SYSERROR("failed to strdup '%s': %m", value);
++		return -1;
++	}
++
++	lxc_conf->seccomp = path;
++
++	return 0;
++}
++
++static int config_hook(const char *key, char *value,
++				 struct lxc_conf *lxc_conf)
++{
++	char *copy = strdup(value);
++	if (!copy) {
++		SYSERROR("failed to dup string '%s'", value);
++		return -1;
++	}
++	if (strcmp(key, "lxc.hook.pre-start") == 0)
++		return add_hook(lxc_conf, LXCHOOK_PRESTART, copy);
++	else if (strcmp(key, "lxc.hook.pre-mount") == 0)
++		return add_hook(lxc_conf, LXCHOOK_PREMOUNT, copy);
++	else if (strcmp(key, "lxc.hook.mount") == 0)
++		return add_hook(lxc_conf, LXCHOOK_MOUNT, copy);
++	else if (strcmp(key, "lxc.hook.start") == 0)
++		return add_hook(lxc_conf, LXCHOOK_START, copy);
++	else if (strcmp(key, "lxc.hook.post-stop") == 0)
++		return add_hook(lxc_conf, LXCHOOK_POSTSTOP, copy);
++	SYSERROR("Unknown key: %s", key);
++	free(copy);
++	return -1;
++}
++
++static int config_personality(const char *key, char *value,
++			      struct lxc_conf *lxc_conf)
++{
++	signed long personality = lxc_config_parse_arch(value);
++
++	if (personality >= 0)
++		lxc_conf->personality = personality;
++	else
++		WARN("unsupported personality '%s'", value);
++
++	return 0;
++}
++
++static int config_pts(const char *key, char *value, struct lxc_conf *lxc_conf)
++{
++	int maxpts = atoi(value);
++
++	lxc_conf->pts = maxpts;
++
++	return 0;
++}
++
++static int config_tty(const char *key, char *value, struct lxc_conf *lxc_conf)
++{
++	int nbtty = atoi(value);
++
++	lxc_conf->tty = nbtty;
++
++	return 0;
++}
++
++static int config_ttydir(const char *key, char *value,
++			  struct lxc_conf *lxc_conf)
++{
++	char *path;
++
++	if (!value || strlen(value) == 0)
++		return 0;
++	path = strdup(value);
++	if (!path) {
++		SYSERROR("failed to strdup '%s': %m", value);
++		return -1;
++	}
++
++	lxc_conf->ttydir = path;
++
++	return 0;
++}
++
++static int config_aa_profile(const char *key, char *value,
++			  struct lxc_conf *lxc_conf)
++{
++	char *path;
++
++	if (!value || strlen(value) == 0)
++		return 0;
++	path = strdup(value);
++	if (!path) {
++		SYSERROR("failed to strdup '%s': %m", value);
++		return -1;
++	}
++
++	lxc_conf->aa_profile = path;
++
++	return 0;
++}
++
++static int config_cgroup(const char *key, char *value, struct lxc_conf *lxc_conf)
++{
++	char *token = "lxc.cgroup.";
++	char *subkey;
++	struct lxc_list *cglist = NULL;
++	struct lxc_cgroup *cgelem = NULL;
++
++	subkey = strstr(key, token);
++
++	if (!subkey)
++		return -1;
++
++	if (!strlen(subkey))
++		return -1;
++
++	if (strlen(subkey) == strlen(token))
++		return -1;
++
++	subkey += strlen(token);
++
++	cglist = malloc(sizeof(*cglist));
++	if (!cglist)
++		goto out;
++
++	cgelem = malloc(sizeof(*cgelem));
++	if (!cgelem)
++		goto out;
++	memset(cgelem, 0, sizeof(*cgelem));
++
++	cgelem->subsystem = strdup(subkey);
++	cgelem->value = strdup(value);
++
++	if (!cgelem->subsystem || !cgelem->value)
++		goto out;
++
++	cglist->elem = cgelem;
++
++	lxc_list_add_tail(&lxc_conf->cgroup, cglist);
++
++	return 0;
++
++out:
++	if (cglist)
++		free(cglist);
++
++	if (cgelem) {
++		if (cgelem->subsystem)
++			free(cgelem->subsystem);
++
++		if (cgelem->value)
++			free(cgelem->value);
++
++		free(cgelem);
++	}
++
++	return -1;
++}
++
++static int config_fstab(const char *key, char *value, struct lxc_conf *lxc_conf)
++{
++	if (strlen(value) >= MAXPATHLEN) {
++		ERROR("%s path is too long", value);
++		return -1;
++	}
++
++	lxc_conf->fstab = strdup(value);
++	if (!lxc_conf->fstab) {
++		SYSERROR("failed to duplicate string %s", value);
++		return -1;
++	}
++
++	return 0;
++}
++
++static int config_mount(const char *key, char *value, struct lxc_conf *lxc_conf)
++{
++	char *fstab_token = "lxc.mount";
++	char *token = "lxc.mount.entry";
++	char *subkey;
++	char *mntelem;
++	struct lxc_list *mntlist;
++
++	subkey = strstr(key, token);
++
++	if (!subkey) {
++		subkey = strstr(key, fstab_token);
++
++		if (!subkey)
++			return -1;
++
++		return config_fstab(key, value, lxc_conf);
++	}
++
++	if (!strlen(subkey))
++		return -1;
++
++	mntlist = malloc(sizeof(*mntlist));
++	if (!mntlist)
++		return -1;
++
++	mntelem = strdup(value);
++	if (!mntelem)
++		return -1;
++	mntlist->elem = mntelem;
++
++	lxc_list_add_tail(&lxc_conf->mount_list, mntlist);
++
++	return 0;
++}
++
++static int config_cap_drop(const char *key, char *value,
++			   struct lxc_conf *lxc_conf)
++{
++	char *dropcaps, *sptr, *token;
++	struct lxc_list *droplist;
++	int ret = -1;
++
++	if (!strlen(value))
++		return -1;
++
++	dropcaps = strdup(value);
++	if (!dropcaps) {
++		SYSERROR("failed to dup '%s'", value);
++		return -1;
++	}
++
++	/* in case several capability drop is specified in a single line
++	 * split these caps in a single element for the list */
++	for (;;) {
++                token = strtok_r(dropcaps, " \t", &sptr);
++                if (!token) {
++			ret = 0;
++                        break;
++		}
++		dropcaps = NULL;
++
++		droplist = malloc(sizeof(*droplist));
++		if (!droplist) {
++			SYSERROR("failed to allocate drop list");
++			break;
++		}
++
++		/* note - i do believe we're losing memory here,
++		   note that token is already pointing into dropcaps
++		   which is strdup'd.  we never free that bit.
++		 */
++		droplist->elem = strdup(token);
++		if (!droplist->elem) {
++			SYSERROR("failed to dup '%s'", token);
++			free(droplist);
++			break;
++		}
++
++		lxc_list_add_tail(&lxc_conf->caps, droplist);
++        }
++
++	free(dropcaps);
++
++	return ret;
++}
++
++static int config_console(const char *key, char *value,
++			  struct lxc_conf *lxc_conf)
++{
++	char *path;
++
++	path = strdup(value);
++	if (!path) {
++		SYSERROR("failed to strdup '%s': %m", value);
++		return -1;
++	}
++
++	lxc_conf->console.path = path;
++
++	return 0;
++}
++
++static int config_includefile(const char *key, char *value,
++			  struct lxc_conf *lxc_conf)
++{
++	return lxc_config_read(value, lxc_conf);
++}
++
++static int config_rootfs(const char *key, char *value, struct lxc_conf *lxc_conf)
++{
++	if (strlen(value) >= MAXPATHLEN) {
++		ERROR("%s path is too long", value);
++		return -1;
++	}
++
++	lxc_conf->rootfs.path = strdup(value);
++	if (!lxc_conf->rootfs.path) {
++		SYSERROR("failed to duplicate string %s", value);
++		return -1;
++	}
++
++	return 0;
++}
++
++static int config_rootfs_mount(const char *key, char *value, struct lxc_conf *lxc_conf)
++{
++	if (strlen(value) >= MAXPATHLEN) {
++		ERROR("%s path is too long", value);
++		return -1;
++	}
++
++	lxc_conf->rootfs.mount = strdup(value);
++	if (!lxc_conf->rootfs.mount) {
++		SYSERROR("failed to duplicate string '%s'", value);
++		return -1;
++	}
++
++	return 0;
++}
++
++static int config_pivotdir(const char *key, char *value, struct lxc_conf *lxc_conf)
++{
++	if (strlen(value) >= MAXPATHLEN) {
++		ERROR("%s path is too long", value);
++		return -1;
++	}
++
++	lxc_conf->rootfs.pivot = strdup(value);
++	if (!lxc_conf->rootfs.pivot) {
++		SYSERROR("failed to duplicate string %s", value);
++		return -1;
++	}
++
++	return 0;
++}
++
++static int config_utsname(const char *key, char *value, struct lxc_conf *lxc_conf)
++{
++	struct utsname *utsname;
++
++	utsname = malloc(sizeof(*utsname));
++	if (!utsname) {
++		SYSERROR("failed to allocate memory");
++		return -1;
++	}
++
++	if (strlen(value) >= sizeof(utsname->nodename)) {
++		ERROR("node name '%s' is too long",
++			      utsname->nodename);
++		return -1;
++	}
++
++	strcpy(utsname->nodename, value);
++	lxc_conf->utsname = utsname;
++
++	return 0;
++}
++
++static int parse_line(char *buffer, void *data)
++{
++	struct lxc_config_t *config;
++	char *line, *linep;
++	char *dot;
++	char *key;
++	char *value;
++	int ret = 0;
++
++	if (lxc_is_line_empty(buffer))
++		return 0;
++
++	/* we have to dup the buffer otherwise, at the re-exec for
++	 * reboot we modified the original string on the stack by
++	 * replacing '=' by '\0' below
++	 */
++	linep = line = strdup(buffer);
++	if (!line) {
++		SYSERROR("failed to allocate memory for '%s'", buffer);
++		return -1;
++	}
++
++	line += lxc_char_left_gc(line, strlen(line));
++
++	/* martian option - ignoring it, the commented lines beginning by '#'
++	 * fall in this case
++	 */
++	if (strncmp(line, "lxc.", 4))
++		goto out;
++
++	ret = -1;
++
++	dot = strstr(line, "=");
++	if (!dot) {
++		ERROR("invalid configuration line: %s", line);
++		goto out;
++	}
++
++	*dot = '\0';
++	value = dot + 1;
++
++	key = line;
++	key[lxc_char_right_gc(key, strlen(key))] = '\0';
++
++	value += lxc_char_left_gc(value, strlen(value));
++	value[lxc_char_right_gc(value, strlen(value))] = '\0';
++
++	config = lxc_getconfig(key);
++	if (!config) {
++		ERROR("unknown key %s", key);
++		goto out;
++	}
++
++	ret = config->cb(key, value, data);
++
++out:
++	free(linep);
++	return ret;
++}
++
++int lxc_config_readline(char *buffer, struct lxc_conf *conf)
++{
++	return parse_line(buffer, conf);
++}
++
++int lxc_config_read(const char *file, struct lxc_conf *conf)
++{
++	return lxc_file_for_each_line(file, parse_line, conf);
++}
++
++int lxc_config_define_add(struct lxc_list *defines, char* arg)
++{
++	struct lxc_list *dent;
++
++	dent = malloc(sizeof(struct lxc_list));
++	if (!dent)
++		return -1;
++
++	dent->elem = arg;
++	lxc_list_add_tail(defines, dent);
++	return 0;
++}
++
++int lxc_config_define_load(struct lxc_list *defines, struct lxc_conf *conf)
++{
++	struct lxc_list *it;
++	int ret = 0;
++
++	lxc_list_for_each(it, defines) {
++		ret = lxc_config_readline(it->elem, conf);
++		if (ret)
++			break;
++	}
++
++	lxc_list_for_each(it, defines) {
++		lxc_list_del(it);
++		free(it);
++	}
++
++	return ret;
++}
++
++signed long lxc_config_parse_arch(const char *arch)
++{
++	struct per_name {
++		char *name;
++		unsigned long per;
++	} pername[4] = {
++		{ "x86", PER_LINUX32 },
++		{ "i686", PER_LINUX32 },
++		{ "x86_64", PER_LINUX },
++		{ "amd64", PER_LINUX },
++	};
++	size_t len = sizeof(pername) / sizeof(pername[0]);
++
++	int i;
++
++	for (i = 0; i < len; i++) {
++		if (!strcmp(pername[i].name, arch))
++		    return pername[i].per;
++	}
++
++	return -1;
++}
++
++static int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v)
++{
++	if (!retv)
++		inlen = 0;
++	else
++		memset(retv, 0, inlen);
++	return snprintf(retv, inlen, "%d", v);
++}
++
++static int lxc_get_arch_entry(struct lxc_conf *c, char *retv, int inlen)
++{
++	int len, fulllen = 0;
++
++	if (!retv)
++		inlen = 0;
++	else
++		memset(retv, 0, inlen);
++
++	switch(c->personality) {
++	case PER_LINUX32: strprint(retv, inlen, "x86"); break;
++	case PER_LINUX: strprint(retv, inlen, "x86_64"); break;
++	default: break;
++	}
++
++	return fulllen;
++}
++
++/*
++ * If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list,
++ * then just the value(s) will be printed.  Since there still could be
++ * more than one, it is newline-separated.
++ * (Maybe that's ambigous, since some values, i.e. devices.list, will
++ * already have newlines?)
++ * If you ask for 'lxc.cgroup", then all cgroup entries will be printed,
++ * in 'lxc.cgroup.subsystem.key = value' format.
++ */
++static int lxc_get_cgroup_entry(struct lxc_conf *c, char *retv, int inlen, char *key)
++{
++	int fulllen = 0, len;
++	int all = 0;
++	struct lxc_list *it;
++
++	if (!retv)
++		inlen = 0;
++	else
++		memset(retv, 0, inlen);
++
++	if (strcmp(key, "all") == 0)
++		all = 1;
++
++	lxc_list_for_each(it, &c->cgroup) {
++		struct lxc_cgroup *cg = it->elem;
++		if (all) {
++			strprint(retv, inlen, "lxc.cgroup.%s = %s\n", cg->subsystem, cg->value);
++		} else if (strcmp(cg->subsystem, key) == 0) {
++			strprint(retv, inlen, "%s\n", cg->value);
++		}
++	}
++	return fulllen;
++}
++
++static int lxc_get_item_hooks(struct lxc_conf *c, char *retv, int inlen, char *key)
++{
++	char *subkey;
++	int len, fulllen = 0, found = -1;
++	struct lxc_list *it;
++	int i;
++
++	/* "lxc.hook.mount" */
++	subkey = index(key, '.');
++	if (subkey) subkey = index(subkey+1, '.');
++	if (!subkey)
++		return -1;
++	subkey++;
++	if (!*subkey)
++		return -1;
++	for (i=0; i<NUM_LXC_HOOKS; i++) {
++		if (strcmp(lxchook_names[i], subkey) == 0) {
++			found=i;
++			break;
++		}
++	}
++	if (found == -1)
++		return -1;
++
++	if (!retv)
++		inlen = 0;
++	else
++		memset(retv, 0, inlen);
++
++	lxc_list_for_each(it, &c->hooks[found]) {
++		strprint(retv, inlen, "%s\n", (char *)it->elem);
++	}
++	return fulllen;
++}
++
++static int lxc_get_item_cap_drop(struct lxc_conf *c, char *retv, int inlen)
++{
++	int len, fulllen = 0;
++	struct lxc_list *it;
++
++	if (!retv)
++		inlen = 0;
++	else
++		memset(retv, 0, inlen);
++
++	lxc_list_for_each(it, &c->caps) {
++		strprint(retv, inlen, "%s\n", (char *)it->elem);
++	}
++	return fulllen;
++}
++
++static int lxc_get_mount_entries(struct lxc_conf *c, char *retv, int inlen)
++{
++	int len, fulllen = 0;
++	struct lxc_list *it;
++
++	if (!retv)
++		inlen = 0;
++	else
++		memset(retv, 0, inlen);
++
++	lxc_list_for_each(it, &c->mount_list) {
++		strprint(retv, inlen, "%s\n", (char *)it->elem);
++	}
++	return fulllen;
++}
++
++/*
++ * lxc.network.0.XXX, where XXX can be: name, type, link, flags, type,
++ * macvlan.mode, veth.pair, vlan, ipv4, ipv6, upscript, hwaddr, mtu,
++ * ipv4_gateway, ipv6_gateway.  ipvX_gateway can return 'auto' instead
++ * of an address.  ipv4 and ipv6 return lists (newline-separated).
++ * things like veth.pair return '' if invalid (i.e. if called for vlan
++ * type).
++ */
++static int lxc_get_item_nic(struct lxc_conf *c, char *retv, int inlen, char *key)
++{
++	char *p1;
++	int len, fulllen = 0;
++	struct lxc_netdev *netdev;
++
++	if (!retv)
++		inlen = 0;
++	else
++		memset(retv, 0, inlen);
++
++	p1 = index(key, '.');
++	if (!p1 || *(p1+1) == '\0') return -1;
++	p1++;
++
++	netdev = get_netdev_from_key(key, &c->network);
++	if (!netdev)
++		return -1;
++	if (strcmp(p1, "name") == 0) {
++		if (netdev->name)
++			strprint(retv, inlen, "%s", netdev->name);
++	} else if (strcmp(p1, "type") == 0) {
++		strprint(retv, inlen, "%s", lxc_net_type_to_str(netdev->type));
++	} else if (strcmp(p1, "link") == 0) {
++		if (netdev->link)
++			strprint(retv, inlen, "%s", netdev->link);
++	} else if (strcmp(p1, "flags") == 0) {
++		if (netdev->flags & IFF_UP)
++			strprint(retv, inlen, "up");
++	} else if (strcmp(p1, "upscript") == 0) {
++		if (netdev->upscript)
++			strprint(retv, inlen, "%s", netdev->upscript);
++	} else if (strcmp(p1, "hwaddr") == 0) {
++		if (netdev->hwaddr)
++			strprint(retv, inlen, "%s", netdev->hwaddr);
++	} else if (strcmp(p1, "mtu") == 0) {
++		if (netdev->mtu)
++			strprint(retv, inlen, "%s", netdev->mtu);
++	} else if (strcmp(p1, "macvlan.mode") == 0) {
++		if (netdev->type == LXC_NET_MACVLAN) {
++			const char *mode;
++			switch (netdev->priv.macvlan_attr.mode) {
++			case MACVLAN_MODE_PRIVATE: mode = "private"; break;
++			case MACVLAN_MODE_VEPA: mode = "vepa"; break;
++			case MACVLAN_MODE_BRIDGE: mode = "bridge"; break;
++			default: mode = "(invalid)"; break;
++			}
++			strprint(retv, inlen, "%s", mode);
++		}
++	} else if (strcmp(p1, "veth.pair") == 0) {
++		if (netdev->type == LXC_NET_VETH && netdev->priv.veth_attr.pair)
++			strprint(retv, inlen, "%s", netdev->priv.veth_attr.pair);
++	} else if (strcmp(p1, "vlan") == 0) {
++		if (netdev->type == LXC_NET_VLAN) {
++			strprint(retv, inlen, "%d", netdev->priv.vlan_attr.vid);
++		}
++	} else if (strcmp(p1, "ipv4_gateway") == 0) {
++		if (netdev->ipv4_gateway_auto) {
++			strprint(retv, inlen, "auto");
++		} else if (netdev->ipv4_gateway) {
++			char buf[INET_ADDRSTRLEN];
++			inet_ntop(AF_INET, netdev->ipv4_gateway, buf, sizeof(buf));
++			strprint(retv, inlen, "%s", buf);
++		}
++	} else if (strcmp(p1, "ipv4") == 0) {
++		struct lxc_list *it2;
++		lxc_list_for_each(it2, &netdev->ipv4) {
++			struct lxc_inetdev *i = it2->elem;
++			char buf[INET_ADDRSTRLEN];
++			inet_ntop(AF_INET, &i->addr, buf, sizeof(buf));
++			strprint(retv, inlen, "%s\n", buf);
++		}
++	} else if (strcmp(p1, "ipv6_gateway") == 0) {
++		if (netdev->ipv6_gateway_auto) {
++			strprint(retv, inlen, "auto");
++		} else if (netdev->ipv6_gateway) {
++			char buf[INET_ADDRSTRLEN];
++			inet_ntop(AF_INET, netdev->ipv6_gateway, buf, sizeof(buf));
++			strprint(retv, inlen, "%s", buf);
++		}
++	} else if (strcmp(p1, "ipv6") == 0) {
++		struct lxc_list *it2;
++		lxc_list_for_each(it2, &netdev->ipv6) {
++			struct lxc_inetdev *i = it2->elem;
++			char buf[INET_ADDRSTRLEN];
++			inet_ntop(AF_INET6, &i->addr, buf, sizeof(buf));
++			strprint(retv, inlen, "%s\n", buf);
++		}
++	}
++	return fulllen;
++}
++
++static int lxc_get_item_network(struct lxc_conf *c, char *retv, int inlen)
++{
++	int len, fulllen = 0;
++	struct lxc_list *it;
++
++	if (!retv)
++		inlen = 0;
++	else
++		memset(retv, 0, inlen);
++
++	lxc_list_for_each(it, &c->network) {
++		struct lxc_netdev *n = it->elem;
++		const char *t = lxc_net_type_to_str(n->type);
++		strprint(retv, inlen, "%s\n", t ? t : "(invalid)");
++	}
++	return fulllen;
++}
++
++int lxc_get_config_item(struct lxc_conf *c, char *key, char *retv, int inlen)
++{
++	char *v = NULL;
++
++	if (strcmp(key, "lxc.mount.entry") == 0)
++		return lxc_get_mount_entries(c, retv, inlen);
++	else if (strcmp(key, "lxc.mount") == 0)
++		v = c->fstab;
++	else if (strcmp(key, "lxc.tty") == 0)
++		return lxc_get_conf_int(c, retv, inlen, c->tty);
++	else if (strcmp(key, "lxc.pts") == 0)
++		return lxc_get_conf_int(c, retv, inlen, c->pts);
++	else if (strcmp(key, "lxc.devttydir") == 0)
++		v = c->ttydir;
++	else if (strcmp(key, "lxc.arch") == 0)
++		return lxc_get_arch_entry(c, retv, inlen);
++	else if (strcmp(key, "lxc.aa_profile") == 0)
++		v = c->aa_profile;
++	else if (strcmp(key, "lxc.cgroup") == 0) // all cgroup info
++		return lxc_get_cgroup_entry(c, retv, inlen, "all");
++	else if (strncmp(key, "lxc.cgroup.", 11) == 0) // specific cgroup info
++		return lxc_get_cgroup_entry(c, retv, inlen, key + 11);
++	else if (strcmp(key, "lxc.utsname") == 0)
++		v = c->utsname ? c->utsname->nodename : NULL;
++	else if (strcmp(key, "lxc.console") == 0)
++		v = c->console.path;
++	else if (strcmp(key, "lxc.rootfs.mount") == 0)
++		v = c->rootfs.mount;
++	else if (strcmp(key, "lxc.rootfs") == 0)
++		v = c->rootfs.path;
++	else if (strcmp(key, "lxc.pivotdir") == 0)
++		v = c->rootfs.pivot;
++	else if (strcmp(key, "lxc.cap.drop") == 0)
++		return lxc_get_item_cap_drop(c, retv, inlen);
++	else if (strncmp(key, "lxc.hook", 8) == 0)
++		return lxc_get_item_hooks(c, retv, inlen, key);
++	else if (strcmp(key, "lxc.network") == 0)
++		return lxc_get_item_network(c, retv, inlen);
++	else if (strncmp(key, "lxc.network.", 12) == 0)
++		return lxc_get_item_nic(c, retv, inlen, key + 12);
++	else return -1;
++
++	if (!v)
++		return 0;
++	if (retv && inlen >= strlen(v) + 1)
++		strncpy(retv, v, strlen(v)+1);
++	return strlen(v);
++}
++
++int lxc_clear_config_item(struct lxc_conf *c, char *key)
++{
++	if (strcmp(key, "lxc.network") == 0)
++		return lxc_clear_config_network(c);
++	else if (strncmp(key, "lxc.network.", 12) == 0)
++		return lxc_clear_nic(c, key + 12);
++	else if (strcmp(key, "lxc.cap.drop") == 0)
++		return lxc_clear_config_caps(c);
++	else if (strncmp(key, "lxc.cgroup", 10) == 0)
++		return lxc_clear_cgroups(c, key);
++	else if (strcmp(key, "lxc.mount.entries") == 0)
++		return lxc_clear_mount_entries(c);
++	else if (strcmp(key, "lxc.hook") == 0)
++		return lxc_clear_hooks(c);
++
++	return -1;
++}
++
++/*
++ * writing out a confile.
++ */
++void write_config(FILE *fout, struct lxc_conf *c)
++{
++	struct lxc_list *it;
++	int i;
++
++	if (c->fstab)
++		fprintf(fout, "lxc.mount = %s\n", c->fstab);
++	lxc_list_for_each(it, &c->mount_list) {
++		fprintf(fout, "lxc.mount.entry = %s\n", (char *)it->elem);
++	}
++	if (c->tty)
++		fprintf(fout, "lxc.tty = %d\n", c->tty);
++	if (c->pts)
++		fprintf(fout, "lxc.pts = %d\n", c->pts);
++	if (c->ttydir)
++		fprintf(fout, "lxc.devttydir = %s\n", c->ttydir);
++	switch(c->personality) {
++	case PER_LINUX32: fprintf(fout, "lxc.arch = x86\n"); break;
++	case PER_LINUX: fprintf(fout, "lxc.arch = x86_64\n"); break;
++	default: break;
++	}
++	if (c->aa_profile)
++		fprintf(fout, "lxc.aa_profile = %s\n", c->aa_profile);
++	lxc_list_for_each(it, &c->cgroup) {
++		struct lxc_cgroup *cg = it->elem;
++		fprintf(fout, "lxc.cgroup.%s = %s\n", cg->subsystem, cg->value);
++	}
++	if (c->utsname)
++		fprintf(fout, "lxc.utsname = %s\n", c->utsname->nodename);
++	lxc_list_for_each(it, &c->network) {
++		struct lxc_netdev *n = it->elem;
++		const char *t = lxc_net_type_to_str(n->type);
++		struct lxc_list *it2;
++		fprintf(fout, "lxc.network.type = %s\n", t ? t : "(invalid)");
++		if (n->flags & IFF_UP)
++			fprintf(fout, "lxc.network.flags = up\n");
++		if (n->link)
++			fprintf(fout, "lxc.network.link = %s\n", n->link);
++		if (n->name)
++			fprintf(fout, "lxc.network.name = %s\n", n->name);
++		if (n->type == LXC_NET_MACVLAN) {
++			const char *mode;
++			switch (n->priv.macvlan_attr.mode) {
++			case MACVLAN_MODE_PRIVATE: mode = "private"; break;
++			case MACVLAN_MODE_VEPA: mode = "vepa"; break;
++			case MACVLAN_MODE_BRIDGE: mode = "bridge"; break;
++			default: mode = "(invalid)"; break;
++			}
++			fprintf(fout, "lxc.network.macvlan.mode = %s\n", mode);
++		} else if (n->type == LXC_NET_VETH) {
++			if (n->priv.veth_attr.pair)
++				fprintf(fout, "lxc.network.veth.pair = %s\n",
++					n->priv.veth_attr.pair);
++		} else if (n->type == LXC_NET_VLAN) {
++			fprintf(fout, "lxc.network.vlan.id = %d\n", n->priv.vlan_attr.vid);
++		}
++		if (n->upscript)
++			fprintf(fout, "lxc.network.script.up = %s\n", n->upscript);
++		if (n->hwaddr)
++			fprintf(fout, "lxc.network.hwaddr = %s\n", n->hwaddr);
++		if (n->mtu)
++			fprintf(fout, "lxc.network.mtu = %s\n", n->mtu);
++		if (n->ipv4_gateway_auto)
++			fprintf(fout, "lxc.network.ipv4.gateway = auto\n");
++		else if (n->ipv4_gateway) {
++			char buf[INET_ADDRSTRLEN];
++			inet_ntop(AF_INET, n->ipv4_gateway, buf, sizeof(buf));
++			fprintf(fout, "lxc.network.ipv4.gateway = %s\n", buf);
++		}
++		lxc_list_for_each(it2, &n->ipv4) {
++			struct lxc_inetdev *i = it2->elem;
++			char buf[INET_ADDRSTRLEN];
++			inet_ntop(AF_INET, &i->addr, buf, sizeof(buf));
++			fprintf(fout, "lxc.network.ipv4 = %s\n", buf);
++		}
++		if (n->ipv6_gateway_auto)
++			fprintf(fout, "lxc.network.ipv6.gateway = auto\n");
++		else if (n->ipv6_gateway) {
++			char buf[INET6_ADDRSTRLEN];
++			inet_ntop(AF_INET6, n->ipv6_gateway, buf, sizeof(buf));
++			fprintf(fout, "lxc.network.ipv6.gateway = %s\n", buf);
++		}
++		lxc_list_for_each(it2, &n->ipv6) {
++			struct lxc_inet6dev *i = it2->elem;
++			char buf[INET6_ADDRSTRLEN];
++			inet_ntop(AF_INET, &i->addr, buf, sizeof(buf));
++			fprintf(fout, "lxc.network.ipv6 = %s\n", buf);
++		}
++	}
++	lxc_list_for_each(it, &c->caps)
++		fprintf(fout, "lxc.cap.drop = %s\n", (char *)it->elem);
++	for (i=0; i<NUM_LXC_HOOKS; i++) {
++		lxc_list_for_each(it, &c->hooks[i])
++			fprintf(fout, "lxc.hook.%s = %s\n",
++				lxchook_names[i], (char *)it->elem);
++	}
++	if (c->console.path)
++		fprintf(fout, "lxc.console = %s\n", c->console.path);
++	if (c->rootfs.path)
++		fprintf(fout, "lxc.rootfs = %s\n", c->rootfs.path);
++	if (c->rootfs.mount && strcmp(c->rootfs.mount, LXCROOTFSMOUNT) != 0)
++		fprintf(fout, "lxc.rootfs.mount = %s\n", c->rootfs.mount);
++	if (c->rootfs.pivot)
++		fprintf(fout, "lxc.pivotdir = %s\n", c->rootfs.pivot);
++}
 === added directory '.pc/0221-make-nonflush-upgrades-robust'
 === renamed directory '.pc/0221-make-nonflush-upgrades-robust' => '.pc/0221-make-nonflush-upgrades-robust.moved'
 === added file '.pc/0221-make-nonflush-upgrades-robust/.timestamp'
 === added directory '.pc/0221-make-nonflush-upgrades-robust/templates'
 === added file '.pc/0221-make-nonflush-upgrades-robust/templates/lxc-ubuntu.in'
 --- .pc/0221-make-nonflush-upgrades-robust/templates/lxc-ubuntu.in	1970-01-01 00:00:00 +0000
 +++ .pc/0221-make-nonflush-upgrades-robust/templates/lxc-ubuntu.in	2012-09-14 20:24:18 +0000
@@ -0,0 +1,713 @@
++#!/bin/bash
++
++#
++# template script for generating ubuntu container for LXC
++#
++# This script consolidates and extends the existing lxc ubuntu scripts
++#
++
++# Copyright © 2011 Serge Hallyn <serge.hallyn@canonical.com>
++# Copyright © 2010 Wilhelm Meier
++# Author: Wilhelm Meier <wilhelm.meier@fh-kl.de>
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License version 2, as
++# published by the Free Software Foundation.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License along
++# with this program; if not, write to the Free Software Foundation, Inc.,
++# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++
++set -e
++
++if [ -r /etc/default/lxc ]; then
++    . /etc/default/lxc
++fi
++
++configure_ubuntu()
++{
++    rootfs=$1
++    hostname=$2
++    release=$3
++
++   # configure the network using the dhcp
++    cat <<EOF > $rootfs/etc/network/interfaces
++# This file describes the network interfaces available on your system
++# and how to activate them. For more information, see interfaces(5).
++
++# The loopback network interface
++auto lo
++iface lo inet loopback
++
++auto eth0
++iface eth0 inet dhcp
++EOF
++
++    # set the hostname
++    cat <<EOF > $rootfs/etc/hostname
++$hostname
++EOF
++    # set minimal hosts
++    cat <<EOF > $rootfs/etc/hosts
++127.0.0.1   localhost
++127.0.1.1   $hostname
++
++# The following lines are desirable for IPv6 capable hosts
++::1     ip6-localhost ip6-loopback
++fe00::0 ip6-localnet
++ff00::0 ip6-mcastprefix
++ff02::1 ip6-allnodes
++ff02::2 ip6-allrouters
++EOF
++
++    if [ ! -f $rootfs/etc/init/container-detect.conf ]; then
++        # suppress log level output for udev
++        sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf
++
++        # remove jobs for consoles 5 and 6 since we only create 4 consoles in
++        # this template
++        rm -f $rootfs/etc/init/tty{5,6}.conf
++    fi
++
++    if [ -z "$bindhome" ]; then
++        chroot $rootfs useradd --create-home -s /bin/bash ubuntu
++        echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
++    fi
++
++    return 0
++}
++
++# finish setting up the user in the container by injecting ssh key and
++# adding sudo group membership.
++# passed-in user is either 'ubuntu' or the user to bind in from host.
++finalize_user()
++{
++    user=$1
++
++    sudo_version=$(chroot $rootfs dpkg-query -W -f='${Version}' sudo)
++
++    if chroot $rootfs dpkg --compare-versions $sudo_version gt "1.8.3p1-1"; then
++        groups="sudo"
++    else
++        groups="sudo admin"
++    fi
++
++    for group in $groups; do
++        chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
++        chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true
++    done
++
++    if [ -n "$auth_key" -a -f "$auth_key" ]; then
++        u_path="/home/${user}/.ssh"
++        root_u_path="$rootfs/$u_path"
++
++        mkdir -p $root_u_path
++        cp $auth_key "$root_u_path/authorized_keys"
++        chroot $rootfs chown -R ${user}: "$u_path"
++
++        echo "Inserted SSH public key from $auth_key into /home/${user}/.ssh/authorized_keys"
++    fi
++    return 0
++}
++
++write_sourceslist()
++{
++    # $1 => path to the rootfs
++    # $2 => architecture we want to add
++    # $3 => whether to use the multi-arch syntax or not
++
++    case $2 in
++      amd64|i386)
++            MIRROR=${MIRROR:-http://archive.ubuntu.com/ubuntu}
++            SECURITY_MIRROR=${SECURITY_MIRROR:-http://security.ubuntu.com/ubuntu}
++            ;;
++      *)
++            MIRROR=${MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
++            SECURITY_MIRROR=${SECURITY_MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
++            ;;
++    esac
++    if [ -n "$3" ]; then
++        cat >> "$1/etc/apt/sources.list" << EOF
++deb [arch=$2] $MIRROR ${release} main restricted universe multiverse
++deb [arch=$2] $MIRROR ${release}-updates main restricted universe multiverse
++deb [arch=$2] $SECURITY_MIRROR ${release}-security main restricted universe multiverse
++EOF
++    else
++        cat >> "$1/etc/apt/sources.list" << EOF
++deb $MIRROR ${release} main restricted universe multiverse
++deb $MIRROR ${release}-updates main restricted universe multiverse
++deb $SECURITY_MIRROR ${release}-security main restricted universe multiverse
++EOF
++    fi
++}
++
++cleanup()
++{
++    rm -rf $cache/partial-$arch
++    rm -rf $cache/rootfs-$arch
++}
++
++download_ubuntu()
++{
++    cache=$1
++    arch=$2
++    release=$3
++
++    packages=vim,ssh
++    echo "installing packages: $packages"
++
++    trap cleanup EXIT SIGHUP SIGINT SIGTERM
++    # check the mini ubuntu was not already downloaded
++    mkdir -p "$cache/partial-$arch"
++    if [ $? -ne 0 ]; then
++        echo "Failed to create '$cache/partial-$arch' directory"
++        return 1
++    fi
++
++    # download a mini ubuntu into a cache
++    echo "Downloading ubuntu $release minimal ..."
++    if [ -n "$(which qemu-debootstrap)" ]; then
++        qemu-debootstrap --verbose --components=main,universe --arch=$arch --include=$packages $release $cache/partial-$arch $MIRROR
++    else
++        debootstrap --verbose --components=main,universe --arch=$arch --include=$packages $release $cache/partial-$arch $MIRROR
++    fi
++
++    if [ $? -ne 0 ]; then
++        echo "Failed to download the rootfs, aborting."
++            return 1
++    fi
++
++    # Serge isn't sure whether we should avoid doing this when
++    # $release == `distro-info -d`
++    echo "Installing updates"
++    > $cache/partial-$arch/etc/apt/sources.list
++    write_sourceslist $cache/partial-$arch/ $arch
++
++    chroot "$1/partial-${arch}" apt-get update
++    if [ $? -ne 0 ]; then
++        echo "Failed to update the apt cache"
++        return 1
++    fi
++    cat > "$1/partial-${arch}"/usr/sbin/policy-rc.d << EOF
++#!/bin/sh
++exit 101
++EOF
++    chmod +x "$1/partial-${arch}"/usr/sbin/policy-rc.d
++
++    lxc-unshare -s MOUNT -- chroot "$1/partial-${arch}" apt-get dist-upgrade -y
++    ret=$?
++    rm -f "$1/partial-${arch}"/usr/sbin/policy-rc.d
++
++    if [ $ret -ne 0 ]; then
++        echo "Failed to upgrade the cache"
++        return 1
++    fi
++
++    chroot "$1/partial-${arch}" apt-get clean
++
++    mv "$1/partial-$arch" "$1/rootfs-$arch"
++    trap EXIT
++    trap SIGINT
++    trap SIGTERM
++    trap SIGHUP
++    echo "Download complete"
++    return 0
++}
++
++copy_ubuntu()
++{
++    cache=$1
++    arch=$2
++    rootfs=$3
++
++    # make a local copy of the miniubuntu
++    echo "Copying rootfs to $rootfs ..."
++    mkdir -p $rootfs
++    rsync -a $cache/rootfs-$arch/ $rootfs/ || return 1
++    return 0
++}
++
++install_ubuntu()
++{
++    rootfs=$1
++    release=$2
++    flushcache=$3
++    cache="/var/cache/lxc/$release"
++    mkdir -p /var/lock/subsys/
++
++    (
++        flock -x 200
++        if [ $? -ne 0 ]; then
++            echo "Cache repository is busy."
++            return 1
++        fi
++
++
++        if [ $flushcache -eq 1 ]; then
++            echo "Flushing cache..."
++            rm -rf "$cache/partial-$arch"
++            rm -rf "$cache/rootfs-$arch"
++        fi
++
++        echo "Checking cache download in $cache/rootfs-$arch ... "
++        if [ ! -e "$cache/rootfs-$arch" ]; then
++            download_ubuntu $cache $arch $release
++            if [ $? -ne 0 ]; then
++                echo "Failed to download 'ubuntu $release base'"
++                return 1
++            fi
++        fi
++
++        echo "Copy $cache/rootfs-$arch to $rootfs ... "
++        copy_ubuntu $cache $arch $rootfs
++        if [ $? -ne 0 ]; then
++            echo "Failed to copy rootfs"
++            return 1
++        fi
++
++        return 0
++
++    ) 200>/var/lock/subsys/lxc
++
++    return $?
++}
++
++copy_configuration()
++{
++    path=$1
++    rootfs=$2
++    name=$3
++    arch=$4
++    release=$5
++
++    if [ $arch = "i386" ]; then
++        arch="i686"
++    fi
++
++    ttydir=""
++    if [ -f $rootfs/etc/init/container-detect.conf ]; then
++        ttydir=" lxc"
++    fi
++
++    # if there is exactly one veth network entry, make sure it has an
++    # associated hwaddr.
++    nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
++    if [ $nics -eq 1 ]; then
++        grep -q "^lxc.network.hwaddr" $path/config || cat <<EOF >> $path/config
++lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')
++EOF
++    fi
++
++    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
++    cat <<EOF >> $path/config
++lxc.utsname = $name
++
++lxc.devttydir =$ttydir
++lxc.tty = 4
++lxc.pts = 1024
++lxc.mount  = $path/fstab
++lxc.arch = $arch
++lxc.cap.drop = sys_module mac_admin mac_override
++lxc.pivotdir = lxc_putold
++
++# uncomment the next line to run the container unconfined:
++#lxc.aa_profile = unconfined
++
++lxc.cgroup.devices.deny = a
++# Allow any mknod (but not using the node)
++lxc.cgroup.devices.allow = c *:* m
++lxc.cgroup.devices.allow = b *:* m
++# /dev/null and zero
++lxc.cgroup.devices.allow = c 1:3 rwm
++lxc.cgroup.devices.allow = c 1:5 rwm
++# consoles
++lxc.cgroup.devices.allow = c 5:1 rwm
++lxc.cgroup.devices.allow = c 5:0 rwm
++#lxc.cgroup.devices.allow = c 4:0 rwm
++#lxc.cgroup.devices.allow = c 4:1 rwm
++# /dev/{,u}random
++lxc.cgroup.devices.allow = c 1:9 rwm
++lxc.cgroup.devices.allow = c 1:8 rwm
++lxc.cgroup.devices.allow = c 136:* rwm
++lxc.cgroup.devices.allow = c 5:2 rwm
++# rtc
++lxc.cgroup.devices.allow = c 254:0 rwm
++#fuse
++lxc.cgroup.devices.allow = c 10:229 rwm
++#tun
++lxc.cgroup.devices.allow = c 10:200 rwm
++#full
++lxc.cgroup.devices.allow = c 1:7 rwm
++#hpet
++lxc.cgroup.devices.allow = c 10:228 rwm
++#kvm
++lxc.cgroup.devices.allow = c 10:232 rwm
++EOF
++
++    cat <<EOF > $path/fstab
++proc            proc         proc    nodev,noexec,nosuid 0 0
++sysfs           sys          sysfs defaults  0 0
++EOF
++
++    if [ $? -ne 0 ]; then
++        echo "Failed to add configuration"
++        return 1
++    fi
++
++    return 0
++}
++
++trim()
++{
++    rootfs=$1
++    release=$2
++
++    # provide the lxc service
++    cat <<EOF > $rootfs/etc/init/lxc.conf
++# fake some events needed for correct startup other services
++
++description     "Container Upstart"
++
++start on startup
++
++script
++        rm -rf /var/run/*.pid
++        rm -rf /var/run/network/*
++        /sbin/initctl emit stopped JOB=udevtrigger --no-wait
++        /sbin/initctl emit started JOB=udev --no-wait
++end script
++EOF
++
++    # fix buggus runlevel with sshd
++    cat <<EOF > $rootfs/etc/init/ssh.conf
++# ssh - OpenBSD Secure Shell server
++#
++# The OpenSSH server provides secure shell access to the system.
++
++description	"OpenSSH server"
++
++start on filesystem
++stop on runlevel [!2345]
++
++expect fork
++respawn
++respawn limit 10 5
++umask 022
++# replaces SSHD_OOM_ADJUST in /etc/default/ssh
++oom never
++
++pre-start script
++    test -x /usr/sbin/sshd || { stop; exit 0; }
++    test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; }
++    test -c /dev/null || { stop; exit 0; }
++
++    mkdir -p -m0755 /var/run/sshd
++end script
++
++# if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
++# 'exec' line here instead
++exec /usr/sbin/sshd
++EOF
++
++    cat <<EOF > $rootfs/etc/init/console.conf
++# console - getty
++#
++# This service maintains a console on tty1 from the point the system is
++# started until it is shut down again.
++
++start on stopped rc RUNLEVEL=[2345]
++stop on runlevel [!2345]
++
++respawn
++exec /sbin/getty -8 38400 /dev/console
++EOF
++
++    cat <<EOF > $rootfs/lib/init/fstab
++# /lib/init/fstab: cleared out for bare-bones lxc
++EOF
++
++    # reconfigure some services
++    if [ -z "$LANG" ]; then
++        chroot $rootfs locale-gen en_US.UTF-8
++        chroot $rootfs update-locale LANG=en_US.UTF-8
++    else
++        chroot $rootfs locale-gen $LANG
++        chroot $rootfs update-locale LANG=$LANG
++    fi
++
++    # remove pointless services in a container
++    chroot $rootfs /usr/sbin/update-rc.d -f ondemand remove
++
++    chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls u*.conf); do mv $f $f.orig; done'
++    chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls tty[2-9].conf); do mv $f $f.orig; done'
++    chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls plymouth*.conf); do mv $f $f.orig; done'
++    chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls hwclock*.conf); do mv $f $f.orig; done'
++    chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls module*.conf); do mv $f $f.orig; done'
++
++    # if this isn't lucid, then we need to twiddle the network upstart bits :(
++    if [ $release != "lucid" ]; then
++        sed -i 's/^.*emission handled.*$/echo Emitting lo/' $rootfs/etc/network/if-up.d/upstart
++    fi
++}
++
++post_process()
++{
++    rootfs=$1
++    release=$2
++    trim_container=$3
++
++    if [ $trim_container -eq 1 ]; then
++        trim $rootfs $release
++    elif [ ! -f $rootfs/etc/init/container-detect.conf ]; then
++        # Make sure we have a working resolv.conf
++        cresolvonf="${rootfs}/etc/resolv.conf"
++        mv $cresolvonf ${cresolvonf}.lxcbak
++        cat /etc/resolv.conf > ${cresolvonf}
++
++        # for lucid, if not trimming, then add the ubuntu-virt
++        # ppa and install lxcguest
++        if [ $release = "lucid" ]; then
++            chroot $rootfs apt-get install --force-yes -y python-software-properties
++            chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
++        fi
++
++        chroot $rootfs apt-get update
++        chroot $rootfs apt-get install --force-yes -y lxcguest
++
++        # Restore old resolv.conf
++        rm -f ${cresolvonf}
++        mv ${cresolvonf}.lxcbak ${cresolvonf}
++    fi
++
++    # If the container isn't running a native architecture, setup multiarch
++    if [ -x "$(ls -1 ${rootfs}/usr/bin/qemu-*-static 2>/dev/null)" ]; then
++        dpkg_version=$(chroot $rootfs dpkg-query -W -f='${Version}' dpkg)
++        if chroot $rootfs dpkg --compare-versions $dpkg_version ge "1.16.2"; then
++            chroot $rootfs dpkg --add-architecture ${hostarch}
++        else
++            mkdir -p ${rootfs}/etc/dpkg/dpkg.cfg.d
++            echo "foreign-architecture ${hostarch}" > ${rootfs}/etc/dpkg/dpkg.cfg.d/lxc-multiarch
++        fi
++
++        # Save existing value of MIRROR and SECURITY_MIRROR
++        DEFAULT_MIRROR=$MIRROR
++        DEFAULT_SECURITY_MIRROR=$SECURITY_MIRROR
++
++        # Write a new sources.list containing both native and multiarch entries
++        > ${rootfs}/etc/apt/sources.list
++        write_sourceslist $rootfs $arch "native"
++
++        MIRROR=$DEFAULT_MIRROR
++        SECURITY_MIRROR=$DEFAULT_SECURITY_MIRROR
++        write_sourceslist $rootfs $hostarch "multiarch"
++
++        # Finally update the lists and install upstart using the host architecture
++        chroot $rootfs apt-get update
++        chroot $rootfs apt-get install --force-yes -y --no-install-recommends upstart:${hostarch} mountall:${hostarch} iproute:${hostarch} isc-dhcp-client:${hostarch}
++    fi
++
++    # rmdir /dev/shm for containers that have /run/shm

Ubuntulxc package