github: Update for main branch

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/build.yml

@@ -0,0 +1,56 @@
+name: Simple test build
+on:
+  - push
+  - pull_request
+permissions:
+  contents: read
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        compiler:
+          - gcc
+          - clang
+        os:
+          - ubuntu-22.04
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -qq gcc clang meson llvm
+          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libdbus-1-dev
+
+      - name: Compiler version
+        env:
+          CC: ${{ matrix.compiler }}
+        run: |
+          ${CC} --version
+
+      - name: Kernel version
+        run: |
+          uname -a
+
+      - name: Mount table
+        run: |
+          findmnt
+
+      - name: Build
+        env:
+          CC: ${{ matrix.compiler }}
+        run: |
+          # Standard build
+          meson setup build \
+                -Dtests=true \
+                -Dpam-cgroup=true \
+                -Dwerror=true \
+                -Db_lto_mode=default
+          ninja -C build
+          DESTDIR=build_install ninja -C build install

.github/workflows/cifuzz.yml

@@ -0,0 +1,46 @@
+name: Fuzzing with OSS-fuzz
+on:
+  push:
+  pull_request:
+    paths:
+      - '**/meson.build'
+      - '.github/workflows/**'
+      - 'meson_options.txt'
+      - 'src/**'
+    branches:
+      - master
+permissions:
+  contents: read
+jobs:
+  Fuzzing:
+    runs-on: ubuntu-22.04
+    if: github.repository == 'lxc/lxc'
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer: [address, undefined, memory]
+    steps:
+      - name: Install dependencies not yet listed in ubuntu pkg source
+        run: |
+          sudo apt-get install -qq libdbus-1-dev
+      - name: Build Fuzzers (${{ matrix.sanitizer }})
+        id: build
+        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+        with:
+          oss-fuzz-project-name: 'lxc'
+          dry-run: false
+          allowed-broken-targets-percentage: 0
+          sanitizer: ${{ matrix.sanitizer }}
+      - name: Run Fuzzers (${{ matrix.sanitizer }})
+        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+        with:
+          oss-fuzz-project-name: 'lxc'
+          fuzz-seconds: 360
+          dry-run: false
+          sanitizer: ${{ matrix.sanitizer }}
+      - name: Upload Crash
+        uses: actions/upload-artifact@v3
+        if: failure() && steps.build.outcome == 'success'
+        with:
+          name: ${{ matrix.sanitizer }}-artifacts
+          path: ./out/artifacts

.github/workflows/commits.yml

@@ -0,0 +1,40 @@
+name: Commits
+on:
+  - pull_request
+
+permissions:
+  contents: read
+
+jobs:
+  dco-check:
+    permissions:
+      pull-requests: read  # for tim-actions/get-pr-commits to get list of commits from the PR
+    name: Signed-off-by (DCO)
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Get PR Commits
+      id: 'get-pr-commits'
+      uses: tim-actions/get-pr-commits@master
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Check that all commits are signed-off
+      uses: tim-actions/dco@master
+      with:
+        commits: ${{ steps.get-pr-commits.outputs.commits }}
+
+  target-branch:
+    permissions:
+      contents: none
+    name: Branch target
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Check branch target
+      env:
+        TARGET: ${{ github.event.pull_request.base.ref }}
+      run: |
+        set -x
+        [ "${TARGET}" = "main" ] && exit 0
+
+        echo "Invalid branch target: ${TARGET}"
+        exit 1

.github/workflows/coverity.yml

@@ -0,0 +1,66 @@
+name: Coverity build and upload
+on:
+  push:
+    branches:
+      - master
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Download Coverity Build Tool
+        run: |
+          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=lxc/lxc" -O cov-analysis-linux64.tar.gz
+          mkdir cov-analysis-linux64
+          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -qq gcc clang meson
+          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libdbus-1-dev
+
+      - name: Compiler version
+        run: |
+          gcc --version
+
+      - name: Kernel version
+        run: |
+          uname -a
+
+      - name: Mount table
+        run: |
+          findmnt
+
+      - name: Run coverity
+        run: |
+          # Configure
+          export PATH="$(pwd)/cov-analysis-linux64/bin:${PATH}"
+          export CFLAGS="-Wall -Werror"
+          export LDFLAGS="-pthread -lpthread"
+
+          BUILD="$(pwd)/build"
+          meson setup -Dtests=true -Dpam-cgroup=true -Dcoverity-build=true build/
+
+          # Build
+          cov-build --dir cov-int ninja -C ${BUILD}
+          tar czvf lxc.tgz cov-int
+
+          # Submit the results
+          curl \
+            --form project=lxc/lxc \
+            --form token=${TOKEN} \
+            --form email=lxc-devel@lists.linuxcontainers.org \
+            --form file=@lxc.tgz \
+            --form version=master \
+            --form description="${GITHUB_SHA}" \
+            https://scan.coverity.com/builds?project=lxc/lxc
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}

.github/workflows/sanitizers.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+set -eux
+set -o pipefail
+
+export ASAN_OPTIONS=detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:strict_string_checks=1
+
+# https://github.com/lxc/lxc/issues/3757
+ASAN_OPTIONS="$ASAN_OPTIONS:detect_odr_violation=0"
+
+export UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
+
+apt-get update -qq
+apt-get install --yes --no-install-recommends \
+    apparmor bash-completion bridge-utils build-essential \
+    busybox-static clang cloud-image-utils curl dbus debhelper debootstrap \
+    devscripts dnsmasq-base docbook2x doxygen ed fakeroot file gcc graphviz \
+    git iptables meson net-tools libapparmor-dev libcap-dev libgnutls28-dev liblua5.2-dev \
+    libpam0g-dev libseccomp-dev libselinux1-dev libtool linux-libc-dev \
+    llvm lsb-release make openssl pkg-config python3-all-dev \
+    python3-setuptools rsync squashfs-tools uidmap unzip uuid-runtime \
+    wget xz-utils systemd-coredump libdbus-1-dev
+apt-get remove --yes lxc-utils liblxc-common liblxc1 liblxc-dev
+
+ARGS="-Dprefix=/usr -Dtests=true -Dpam-cgroup=false -Dwerror=true -Dio-uring-event-loop=false -Db_lto_mode=default -Db_lundef=false"
+case "$CC" in clang*)
+	ARGS="$ARGS -Db_sanitize=address,undefined"
+esac
+meson setup san_build $ARGS
+ninja -C san_build
+ninja -C san_build install
+
+cat <<'EOF' >/usr/bin/lxc-test-share-ns
+#!/bin/bash
+printf "The test is skipped due to https://github.com/lxc/lxc/issues/3798.\n"
+EOF
+
+mv /usr/bin/{lxc-test-concurrent,test-concurrent.orig}
+cat <<EOF >/usr/bin/lxc-test-concurrent
+#!/bin/bash
+printf "Memory leaks are ignored due to https://github.com/lxc/lxc/issues/3788.\n"
+ASAN_OPTIONS=$ASAN_OPTIONS:detect_leaks=0 UBSAN_OPTIONS=$UBSAN_OPTIONS /usr/bin/test-concurrent.orig
+EOF
+chmod +x /usr/bin/lxc-test-concurrent
+
+sed -i 's/USE_LXC_BRIDGE="false"/USE_LXC_BRIDGE="true"/' /etc/default/lxc
+systemctl daemon-reload
+systemctl restart apparmor
+systemctl restart lxc-net
+
+# Undo default ACLs from Github
+setfacl -b -R /home
+
+git clone --depth=1 https://github.com/lxc/lxc-ci
+timeout 30m bash -x lxc-ci/deps/lxc-exercise

.github/workflows/sanitizers.yml

@@ -0,0 +1,43 @@
+name: Sanitizers build
+on:
+  - push
+  - pull_request
+permissions:
+  contents: read
+
+jobs:
+  sanitizers:
+    strategy:
+      fail-fast: false
+      matrix:
+        compiler:
+          - gcc
+          - clang
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -qq gcc clang meson llvm
+          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libdbus-1-dev
+
+      - name: Compiler version
+        env:
+          CC: ${{ matrix.compiler }}
+        run: |
+          ${CC} --version
+
+      - name: Kernel version
+        run: |
+          uname -a
+
+      - name: Mount table
+        run: |
+          findmnt
+
+      - name: Build
+        run: |
+          sudo CC=${{ matrix.compiler }} CXX=${{ matrix.compiler }}++ .github/workflows/sanitizers.sh

.github/workflows/static-analysis.yml

@@ -0,0 +1,29 @@
+name: Static analysis
+on:
+  - push
+  - pull_request
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -qq coccinelle
+
+      - name: Confirm coccinelle output is clean
+        run: |
+          ./coccinelle/run-coccinelle.sh -i
+          git diff --exit-code
+
+      - name: Confirm apparmor profile is up to date
+        run: |
+          cd config/apparmor/
+          ./lxc-generate-aa-rules.py container-rules.base > container-rules
+          git diff --exit-code

.gitignore

@@ -1,162 +1,8 @@
-*.o
-*.a
-*.lo
-*.la
-*.so
-*.so.*
-*.sgml
-*.conf
+# Temporarily files.
 *~
-*.gz
 *.swp
-
-.deps
-.libs
-.dirstamp
-
-Makefile.in
-Makefile
-
-aclocal.m4
-autom4te.cache
-configure
-config.log
-config.status
-libtool
-
-lxc.spec
-lxc.pc
-
-templates/*
-!templates/*.in
-templates/Makefile.in
-
-src/lxc/init.lxc
-src/lxc/init.lxc.static
-src/lxc/lxc-attach
-src/lxc/lxc-autostart
-src/lxc/lxc-cgroup
-src/lxc/tools/lxc-checkconfig
-src/lxc/tools/lxc-update-config
-src/lxc/lxc-checkpoint
-src/lxc/lxc-console
-src/lxc/lxc-config
-src/lxc/lxc-copy
-src/lxc/lxc-create
-src/lxc/lxc-destroy
-src/lxc/lxc-device
-src/lxc/lxc-execute
-src/lxc/lxc-freeze
-src/lxc/lxc.functions
-src/lxc/lxc-info
-src/lxc/lxc-init
-src/lxc/lxc-ls
-src/lxc/lxc-monitor
-src/lxc/lxc-monitord
-src/lxc/lxc-shutdown
-src/lxc/lxc-snapshot
-src/lxc/lxc-start
-src/lxc/lxc-stop
-src/lxc/lxc-top
-src/lxc/lxc-unfreeze
-src/lxc/lxc-unshare
-src/lxc/lxc-usernsexec
-src/lxc/lxc-wait
-src/lxc/lxc-user-nic
-src/lxc/version.h
-src/lxc/cmd/lxc-checkconfig
-src/lxc/cmd/lxc-update-config
-
-src/tests/lxc-test-device-add-remove
-src/tests/lxc-test-attach
-src/tests/lxc-test-apparmor
-src/tests/lxc-test-cgpath
-src/tests/lxc-test-clonetest
-src/tests/lxc-test-concurrent
-src/tests/lxc-test-console
-src/tests/lxc-test-console-log
-src/tests/lxc-test-containertests
-src/tests/lxc-test-createtest
-src/tests/lxc-test-destroytest
-src/tests/lxc-test-get_item
-src/tests/lxc-test-getkeys
-src/tests/lxc-test-list
-src/tests/lxc-test-livepatch
-src/tests/lxc-test-locktests
-src/tests/lxc-test-lxcpath
-src/tests/lxc-test-may-control
-src/tests/lxc-test-reboot
-src/tests/lxc-test-saveconfig
-src/tests/lxc-test-shutdowntest
-src/tests/lxc-test-snapshot
-src/tests/lxc-test-startone
-src/tests/lxc-test-usernic
-src/tests/lxc-test-utils*
-src/tests/lxc-usernic-test
-src/tests/lxc-test-config-jump-table
-src/tests/lxc-test-parse-config-file
-src/tests/lxc-test-shortlived
-src/tests/lxc-test-api-reboot
-src/tests/lxc-test-criu-check-feature
-src/tests/lxc-test-raw-clone
-src/tests/lxc-test-share-ns
-src/tests/lxc-test-state-server
-src/tests/lxc-test-basic
-src/tests/lxc-test-cve-2019-5736
-src/tests/lxc-test-mount-injection
-
-config/compile
-config/config.guess
-config/config.sub
-config/depcomp
-config/install-sh
-config/ltmain.sh
-config/missing
-config/libtool.m4
-config/lt*.m4
-config/apparmor/abstractions/start-container
-config/bash/lxc
-config/init/common/lxc-containers
-config/init/common/lxc-net
-config/init/systemd/lxc-autostart-helper
-config/init/systemd/lxc-net.service
-config/init/systemd/lxc.service
-config/init/systemd/lxc@.service
-config/init/sysvinit/lxc
-config/init/sysvinit/lxc-containers
-config/init/sysvinit/lxc-net
-config/sysconfig/lxc
-
-doc/*.1
-doc/*.5
-doc/*.7
-doc/*.8
-doc/ja/*.1
-doc/ja/*.5
-doc/ja/*.7
-doc/ja/*.8
-doc/ko/*.1
-doc/ko/*.5
-doc/ko/*.7
-doc/manpage.links
-doc/manpage.refs
-doc/api/html/*
-
-hooks/unmount-namespace
-hooks/dhclient
-
-m4/
-
-src/config.h
-src/config.h.in
-src/stamp-h1
-
-.pc
-patches
 *.orig
 *.rej
-tags
-TAGS
 
-doc/api/doxygen_sqlite3.db
-doc/api/*.tmp
+# Release tarballs.
+lxc-*.tar.gz*

.travis.yml

@@ -1,24 +0,0 @@
-dist: bionic
-sudo: required
-language: c
-
-compiler:
- - gcc
- - clang
-
-arch:
- - amd64
- - arm64
- - ppc64le
- - s390x
-
-before_install:
- - sudo add-apt-repository ppa:ubuntu-lxc/daily -y
- - sudo apt-get update -qq
- - sudo apt-get install -qq coccinelle parallel libapparmor-dev libcap-dev libseccomp-dev python3-dev python3-setuptools docbook2x libselinux1-dev linux-libc-dev
-script: src/tests/travis.sh
-notifications:
-  email:
-    recipients:
-      - lxc-devel@lists.linuxcontainers.org
-  webhooks: https://linuxcontainers.org/webhook-lxcbot/

AUTHORS

@@ -1 +1,2 @@
-IBM Corporation.
+The list of authors and contributors can be retrieved from the git
+commit history and in some cases, the file headers.

CODING_STYLE.md

@@ -689,6 +689,8 @@ int lxc_attach_run_command(void *payload)
 		case ENOEXEC:
 			ret = 126;
 			break;
+		case ENOTDIR:
+			__fallthrough;
 		case ENOENT:
 			ret = 127;
 			break;
@@ -733,11 +735,11 @@ __do_closedir __attribute__((__cleanup__(__auto_closedir__)))
 ```
 For example:
 ```c
-void remount_all_slave(void)
+void turn_into_dependent_mounts(void)
 {
 	__do_free char *line = NULL;
 	__do_fclose FILE *f = NULL;
-	__do_close_prot_errno int memfd = -EBADF, mntinfo_fd = -EBADF;
+	__do_close int memfd = -EBADF, mntinfo_fd = -EBADF;
 	int ret;
 	ssize_t copied;
 	size_t len = 0;
@@ -780,7 +782,7 @@ again:
 		return;
 	}
 
-	f = fdopen(memfd, "r");
+	f = fdopen(memfd, "re");
 	if (!f) {
 		SYSERROR("Failed to open copy of \"/proc/self/mountinfo\" to mark all shared. Continuing");
 		return;
@@ -810,12 +812,11 @@ again:
 		null_endofword(target);
 		ret = mount(NULL, target, NULL, MS_SLAVE, NULL);
 		if (ret < 0) {
-			SYSERROR("Failed to make \"%s\" MS_SLAVE", target);
-			ERROR("Continuing...");
+			SYSERROR("Failed to recursively turn old root mount tree into dependent mount. Continuing...");
 			continue;
 		}
-		TRACE("Remounted \"%s\" as MS_SLAVE", target);
+		TRACE("Recursively turned old root mount tree into dependent mount");
 	}
-	TRACE("Remounted all mount table entries as MS_SLAVE");
+	TRACE("Turned all mount table entries into dependent mount");
 }
 ```

CONTRIBUTING

@@ -107,3 +107,15 @@ that it cannot be reasonably attributed to a single developer please use:
 
     Co-developed-by: Random J Developer 1 <random_1@developer.org>
     Co-developed-by: Random J Developer 2 <random_1@developer.org>
+
+AI Generated Code:
+------------------
+
+Substantially AI generated code is not welcome.  There are several
+reasons for this.  First, it violates the "The contribution was created
+in whole or in part by me" statement of DCO.  Second, the licensing
+implications are not yet clear.  Thirdly, we expect anyone who submits
+code to fully understand what they are submitting.  Finally, we put
+a lot of time into reviewing patch submissions.  Increasing the
+volume of code to be reviewed with autogenerated boilerplate drivel
+will take away time from more important reviews.

COPYING

@@ -0,0 +1,2 @@
+All files have SPDX headers that declare what license applies. The applicable
+licenses are included in the code repository. 

INSTALL

@@ -1,239 +0,0 @@
-Installation Instructions
-*************************
-
-Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005,
-2006 Free Software Foundation, Inc.
-
-This file is free documentation; the Free Software Foundation gives
-unlimited permission to copy, distribute and modify it.
-
-Basic Installation
-==================
-
-Briefly, the shell commands `./autogen.sh; ./configure; make; make install'
-should configure, build, and install this package.  The following
-more-detailed instructions are generic; see the `README' file for
-instructions specific to this package.
-
-   The `configure' shell script attempts to guess correct values for
-various system-dependent variables used during compilation.  It uses
-those values to create a `Makefile' in each directory of the package.
-It may also create one or more `.h' files containing system-dependent
-definitions.  Finally, it creates a shell script `config.status' that
-you can run in the future to recreate the current configuration, and a
-file `config.log' containing compiler output (useful mainly for
-debugging `configure').
-
-   It can also use an optional file (typically called `config.cache'
-and enabled with `--cache-file=config.cache' or simply `-C') that saves
-the results of its tests to speed up reconfiguring.  Caching is
-disabled by default to prevent problems with accidental use of stale
-cache files.
-
-   If you need to do unusual things to compile the package, please try
-to figure out how `configure' could check whether to do them, and mail
-diffs or instructions to the address given in the `README' so they can
-be considered for the next release.  If you are using the cache, and at
-some point `config.cache' contains results you don't want to keep, you
-may remove or edit it.
-
-   The file `configure.ac' (or `configure.in') is used to create
-`configure' by a program called `autoconf'.  You need `configure.ac' if
-you want to change it or regenerate `configure' using a newer version
-of `autoconf'.
-
-The simplest way to compile this package is:
-
-  0. If the sources are not coming from a package maintainer and the
-     'configure' file does not exist, you should run './autogen.sh' in
-     the directory containing the package's source code in order to
-     generate the 'configure' file from the 'configure.ac' file.
-
-  1. `cd' to the directory containing the package's source code and type
-     `./configure' to configure the package for your system.
-
-     Running `configure' might take a while.  While running, it prints
-     some messages telling which features it is checking for.
-
-  2. Type `make' to compile the package.
-
-  3. Optionally, type `make check' to run any self-tests that come with
-     the package.
-
-  4. Type `make install' to install the programs and any data files and
-     documentation.
-
-  5. You can remove the program binaries and object files from the
-     source code directory by typing `make clean'.  To also remove the
-     files that `configure' created (so you can compile the package for
-     a different kind of computer), type `make distclean'.  There is
-     also a `make maintainer-clean' target, but that is intended mainly
-     for the package's developers.  If you use it, you may have to get
-     all sorts of other programs in order to regenerate files that came
-     with the distribution.
-
-Compilers and Options
-=====================
-
-Some systems require unusual options for compilation or linking that the
-`configure' script does not know about.  Run `./configure --help' for
-details on some of the pertinent environment variables.
-
-   You can give `configure' initial values for configuration parameters
-by setting variables in the command line or in the environment.  Here
-is an example:
-
-     ./configure CC=c99 CFLAGS=-g LIBS=-lposix
-
-   *Note Defining Variables::, for more details.
-
-Compiling For Multiple Architectures
-====================================
-
-You can compile the package for more than one kind of computer at the
-same time, by placing the object files for each architecture in their
-own directory.  To do this, you can use GNU `make'.  `cd' to the
-directory where you want the object files and executables to go and run
-the `configure' script.  `configure' automatically checks for the
-source code in the directory that `configure' is in and in `..'.
-
-   With a non-GNU `make', it is safer to compile the package for one
-architecture at a time in the source code directory.  After you have
-installed the package for one architecture, use `make distclean' before
-reconfiguring for another architecture.
-
-Installation Names
-==================
-
-By default, `make install' installs the package's commands under
-`/usr/local/bin', include files under `/usr/local/include', etc.  You
-can specify an installation prefix other than `/usr/local' by giving
-`configure' the option `--prefix=PREFIX'.
-
-   You can specify separate installation prefixes for
-architecture-specific files and architecture-independent files.  If you
-pass the option `--exec-prefix=PREFIX' to `configure', the package uses
-PREFIX as the prefix for installing programs and libraries.
-Documentation and other data files still use the regular prefix.
-
-   In addition, if you use an unusual directory layout you can give
-options like `--bindir=DIR' to specify different values for particular
-kinds of files.  Run `configure --help' for a list of the directories
-you can set and what kinds of files go in them.
-
-   If the package supports it, you can cause programs to be installed
-with an extra prefix or suffix on their names by giving `configure' the
-option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
-
-Optional Features
-=================
-
-Some packages pay attention to `--enable-FEATURE' options to
-`configure', where FEATURE indicates an optional part of the package.
-They may also pay attention to `--with-PACKAGE' options, where PACKAGE
-is something like `gnu-as' or `x' (for the X Window System).  The
-`README' should mention any `--enable-' and `--with-' options that the
-package recognizes.
-
-   For packages that use the X Window System, `configure' can usually
-find the X include and library files automatically, but if it doesn't,
-you can use the `configure' options `--x-includes=DIR' and
-`--x-libraries=DIR' to specify their locations.
-
-Specifying the System Type
-==========================
-
-There may be some features `configure' cannot figure out automatically,
-but needs to determine by the type of machine the package will run on.
-Usually, assuming the package is built to be run on the _same_
-architectures, `configure' can figure that out, but if it prints a
-message saying it cannot guess the machine type, give it the
-`--build=TYPE' option.  TYPE can either be a short name for the system
-type, such as `sun4', or a canonical name which has the form:
-
-     CPU-COMPANY-SYSTEM
-
-where SYSTEM can have one of these forms:
-
-     OS KERNEL-OS
-
-   See the file `config.sub' for the possible values of each field.  If
-`config.sub' isn't included in this package, then this package doesn't
-need to know the machine type.
-
-   If you are _building_ compiler tools for cross-compiling, you should
-use the option `--target=TYPE' to select the type of system they will
-produce code for.
-
-   If you want to _use_ a cross compiler, that generates code for a
-platform different from the build platform, you should specify the
-"host" platform (i.e., that on which the generated programs will
-eventually be run) with `--host=TYPE'.
-
-Sharing Defaults
-================
-
-If you want to set default values for `configure' scripts to share, you
-can create a site shell script called `config.site' that gives default
-values for variables like `CC', `cache_file', and `prefix'.
-`configure' looks for `PREFIX/share/config.site' if it exists, then
-`PREFIX/etc/config.site' if it exists.  Or, you can set the
-`CONFIG_SITE' environment variable to the location of the site script.
-A warning: not all `configure' scripts look for a site script.
-
-Defining Variables
-==================
-
-Variables not defined in a site shell script can be set in the
-environment passed to `configure'.  However, some packages may run
-configure again during the build, and the customized values of these
-variables may be lost.  In order to avoid this problem, you should set
-them in the `configure' command line, using `VAR=value'.  For example:
-
-     ./configure CC=/usr/local2/bin/gcc
-
-causes the specified `gcc' to be used as the C compiler (unless it is
-overridden in the site shell script).
-
-Unfortunately, this technique does not work for `CONFIG_SHELL' due to
-an Autoconf bug.  Until the bug is fixed you can use this workaround:
-
-     CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash
-
-`configure' Invocation
-======================
-
-`configure' recognizes the following options to control how it operates.
-
-`--help'
-`-h'
-     Print a summary of the options to `configure', and exit.
-
-`--version'
-`-V'
-     Print the version of Autoconf used to generate the `configure'
-     script, and exit.
-
-`--cache-file=FILE'
-     Enable the cache: use and save the results of the tests in FILE,
-     traditionally `config.cache'.  FILE defaults to `/dev/null' to
-     disable caching.
-
-`--config-cache'
-`-C'
-     Alias for `--cache-file=config.cache'.
-
-`--quiet'
-`--silent'
-`-q'
-     Do not print messages saying which checks are being made.  To
-     suppress all normal output, redirect it to `/dev/null' (any error
-     messages will still be shown).
-
-`--srcdir=DIR'
-     Look for the package's source code in directory DIR.  Usually
-     `configure' can determine that directory automatically.
-
-`configure' also accepts some other, not widely useful, options.  Run
-`configure --help' for more details.
-

MAINTAINERS

@@ -9,4 +9,4 @@ Mail patches to         : lxc-devel@lists.linuxcontainers.org
 Send pull requests at   : https://github.com/lxc/lxc
 Mailing lists           : lxc-devel@lists.linuxcontainers.org, lxc-users@lists.linuxcontainers.org
 Web page                : https://linuxcontainers.org/lxc
-GIT location            : git://github.com/lxc/lxc
+Git location            : https://github.com/lxc/lxc

Makefile

@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+.PHONY: all
+all: meson
+	ninja -C build
+
+.PHONY: meson
+meson:
+	[ -d build ] || meson setup build/
+
+.PHONY: dist
+dist: meson
+	meson dist -C build/ --formats=gztar
+	cp build/meson-dist/*.tar.gz .
+
+.PHONY: install
+install:
+	DESTDIR=$(DESTDIR) ninja -C build install

Makefile.am

@@ -1,33 +0,0 @@
-# Makefile.am
-
-ACLOCAL_AMFLAGS = -I config
-
-LIBTOOL_DEPS = @LIBTOOL_DEPS@
-SUBDIRS = config coccinelle src templates doc hooks
-DIST_SUBDIRS = config coccinelle  src templates doc hooks
-EXTRA_DIST = autogen.sh \
-	     lxc.spec \
-	     CONTRIBUTING \
-	     CODING_STYLE.md \
-	     LICENSE.GPL2 \
-	     LICENSE.LGPL2.1 \
-	     MAINTAINERS \
-	     README.md
-
-RPMARGS =
-
-pcdatadir = $(libdir)/pkgconfig
-pcdata_DATA = lxc.pc
-
-libtool: $(LIBTOOL_DEPS)
-	$(SHELL) ./config.status libtool
-
-install-data-local:
-	$(MKDIR_P) $(DESTDIR)$(LXCPATH)
-	$(MKDIR_P) $(DESTDIR)$(localstatedir)/cache/lxc
-
-ChangeLog::
-	@touch ChangeLog
-
-rpm: dist
-	rpmbuild --clean -ta ${distdir}.tar.gz $(RPMARGS)

README.md

@@ -10,10 +10,11 @@ inside the Linux kernel.
 ## Status
 Type            | Service               | Status
 ---             | ---                   | ---
+CI (Linux)      | GitHub                | [![Build Status](https://github.com/lxc/lxc/actions/workflows/build.yml/badge.svg)](https://github.com/lxc/lxc/actions)
 CI (Linux)      | Jenkins               | [![Build Status](https://jenkins.linuxcontainers.org/job/lxc-github-commit/badge/icon)](https://jenkins.linuxcontainers.org/job/lxc-github-commit/)
-CI (Linux)      | Travis                | [![Build Status](https://travis-ci.org/lxc/lxc.svg?branch=master)](https://travis-ci.org/lxc/lxc/)
 Project status  | CII Best Practices    | [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1087/badge)](https://bestpractices.coreinfrastructure.org/projects/1087)
-Code Quality    | LGTM                  | [![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/lxc/lxc.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/lxc/lxc/context:cpp)
+Fuzzing         | OSS-Fuzz              | [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/lxc.svg)](https://oss-fuzz-build-logs.storage.googleapis.com/index.html#lxc)
+Fuzzing         | CIFuzz                | [![CIFuzz](https://github.com/lxc/lxc/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/lxc/lxc/actions/workflows/cifuzz.yml)
 
 ## System Containers
 
@@ -106,6 +107,7 @@ features. This includes (but isn't limited to):
 - i686
 - x86_64
 - ppc, ppc64, ppc64le
+- riscv64
 - s390x
 - armvl7, arm64
 
@@ -119,7 +121,7 @@ LXC also supports at least the following C standard libraries:
 
 LXC has always focused on strong backwards compatibility. In fact, the API
 hasn't been broken from release `1.0.0` onwards. Main LXC is currently at
-version `2.*.*`.
+version `4.*.*`.
 
 ## Reporting Security Issues
 
@@ -129,7 +131,7 @@ report it by e-mail to all of the following persons:
 
 - serge (at) hallyn (dot) com
 - stgraber (at) ubuntu (dot) com
-- christian.brauner (at) ubuntu (dot) com
+- brauner (at) kernel (dot) org
 
 For further details please have a look at
 
@@ -149,7 +151,7 @@ and should also take a look at the [CONTRIBUTING](CONTRIBUTING) file in this
 repo.
 
 If you want to become more active it is usually also a good idea to show up in
-the LXC IRC channel `#lxc-dev` on `Freenode`. We try to do all development out
+the LXC IRC channel [#lxc-dev](https://kiwiirc.com/client/irc.libera.chat/#lxc-dev) on irc.libera.chat. We try to do all development out
 in the open and discussion of new features or bugs is done either in
 appropriate GitHub issues or on IRC.
 
@@ -166,7 +168,7 @@ versioning](http://semver.org/) scheme.
 
 Source for the latest released version can always be downloaded from
 
-- https://linuxcontainers.org/downloads/
+- https://linuxcontainers.org/lxc/downloads/
 
 You can browse the up to the minute source code and change history online
 
@@ -176,31 +178,25 @@ You can browse the up to the minute source code and change history online
 
 Without considering distribution specific details a simple
 
-    ./autogen.sh && ./configure && make && sudo make install
+    meson setup -Dprefix=/usr build
+    meson compile -C build
 
 is usually sufficient.
 
-In order to test current git master of LXC it is usually a good idea to compile with
-
-    ./autogen.sh && ./configure && make
-
-in a convenient directory and set `LD_LIBRARY_PATH="${BUILD_DIR}"/lxc/src/lxc/.libs`.
-
 ## Getting help
 
 When you find you need help, the LXC projects provides you with several options.
 
 ### Discuss Forum
 
-We maintain an discuss forum at
+We maintain a discuss forum at
 
 - https://discuss.linuxcontainers.org/
 
 where you can get support.
 
 ### IRC
-
-You can find support by joining `#lxcontainers` on `Freenode`.
+You can find us in [#lxc](https://kiwiirc.com/client/irc.libera.chat/#lxc) on irc.libera.chat.
 
 ### Mailing Lists
 

coccinelle/Makefile.am

@@ -1,7 +0,0 @@
-# Makefile.am
-
-EXTRA_DIST = exit.cocci \
-	     run-coccinelle.sh \
-	     while-true.cocci
-
-bin_SCRIPTS = run-coccinelle.sh

coccinelle/run-coccinelle.sh

@@ -18,7 +18,7 @@ fi
 
 for SCRIPT in ${@-$top/coccinelle/*.cocci} ; do
         echo "--x-- Processing $SCRIPT --x--"
-        TMPFILE=`mktemp`
+        TMPFILE=$(mktemp)
         echo "+ spatch --sp-file $SCRIPT $args ..."
         parallel --halt now,fail=1 --keep-order --noswap --max-args=20 \
                  spatch --sp-file $SCRIPT $args ::: $files \

config/Makefile.am

@@ -1 +0,0 @@
-SUBDIRS = apparmor bash etc init selinux templates yum sysconfig

config/acinclude.m4

@@ -1,137 +0,0 @@
-dnl as-ac-expand.m4 0.2.0
-dnl autostars m4 macro for expanding directories using configure's prefix
-dnl thomas@apestaart.org
-dnl
-
-dnl AS_AC_EXPAND(VAR, CONFIGURE_VAR)
-dnl example
-dnl AS_AC_EXPAND(SYSCONFDIR, $sysconfdir)
-dnl will set SYSCONFDIR to /usr/local/etc if prefix=/usr/local
-
-AC_DEFUN([AS_AC_EXPAND],
-[
-    EXP_VAR=[$1]
-    FROM_VAR=[$2]
-
-    dnl first expand prefix and exec_prefix if necessary
-    prefix_save=$prefix
-    exec_prefix_save=$exec_prefix
-
-    dnl if no prefix given, then use /usr/local, the default prefix
-    if test "x$prefix" = "xNONE"; then
-        prefix="$ac_default_prefix"
-    fi
-    dnl if no exec_prefix given, then use prefix
-    if test "x$exec_prefix" = "xNONE"; then
-        exec_prefix=$prefix
-    fi
-
-    full_var="$FROM_VAR"
-    dnl loop until it doesn't change anymore
-    while true; do
-        new_full_var="`eval echo $full_var`"
-        if test "x$new_full_var" = "x$full_var"; then break; fi
-        full_var=$new_full_var
-    done
-
-    dnl clean up
-    full_var=$new_full_var
-    AC_SUBST([$1], "$full_var")
-
-    dnl restore prefix and exec_prefix
-    prefix=$prefix_save
-    exec_prefix=$exec_prefix_save
-])
-
-dnl Available from the GNU Autoconf Macro Archive at:
-dnl http://www.gnu.org/software/ac-archive/htmldoc/ax_compare_version.html
-AC_DEFUN([AX_COMPARE_VERSION], [
-# Used to indicate true or false condition
-ax_compare_version=false
-	  # Convert the two version strings to be compared into a format that
-  # allows a simple string comparison.  The end result is that a version
-  # string of the form 1.12.5-r617 will be converted to the form
-  # 0001001200050617.  In other words, each number is zero padded to four
-  # digits, and non digits are removed.
-  AS_VAR_PUSHDEF([A],[ax_compare_version_A])
-  A=`echo "$1" | sed -e 's/\([[0-9]]*\)/Z\1Z/g' \
-                     -e 's/Z\([[0-9]]\)Z/Z0\1Z/g' \
-                     -e 's/Z\([[0-9]][[0-9]]\)Z/Z0\1Z/g' \
-                     -e 's/Z\([[0-9]][[0-9]][[0-9]]\)Z/Z0\1Z/g' \
-                     -e 's/[[^0-9]]//g'`
-
-  AS_VAR_PUSHDEF([B],[ax_compare_version_B])
-  B=`echo "$3" | sed -e 's/\([[0-9]]*\)/Z\1Z/g' \
-                     -e 's/Z\([[0-9]]\)Z/Z0\1Z/g' \
-                     -e 's/Z\([[0-9]][[0-9]]\)Z/Z0\1Z/g' \
-                     -e 's/Z\([[0-9]][[0-9]][[0-9]]\)Z/Z0\1Z/g' \
-                     -e 's/[[^0-9]]//g'`
-
-  dnl # In the case of le, ge, lt, and gt, the strings are sorted as necessary
-  dnl # then the first line is used to determine if the condition is true.
-  dnl # The sed right after the echo is to remove any indented white space.
-  m4_case(m4_tolower($2),
-  [lt],[
-    ax_compare_version=`echo "x$A
-x$B" | sed 's/^ *//' | sort -r | sed "s/x${A}/false/;s/x${B}/true/;1q"`
-  ],
-  [gt],[
-    ax_compare_version=`echo "x$A
-x$B" | sed 's/^ *//' | sort | sed "s/x${A}/false/;s/x${B}/true/;1q"`
-  ],
-  [le],[
-    ax_compare_version=`echo "x$A
-x$B" | sed 's/^ *//' | sort | sed "s/x${A}/true/;s/x${B}/false/;1q"`
-  ],
-  [ge],[
-    ax_compare_version=`echo "x$A
-x$B" | sed 's/^ *//' | sort -r | sed "s/x${A}/true/;s/x${B}/false/;1q"`
-  ],[
-    dnl Split the operator from the subversion count if present.
-    m4_bmatch(m4_substr($2,2),
-    [0],[
-      # A count of zero means use the length of the shorter version.
-      # Determine the number of characters in A and B.
-      ax_compare_version_len_A=`echo "$A" | awk '{print(length)}'`
-      ax_compare_version_len_B=`echo "$B" | awk '{print(length)}'`
-
-      # Set A to no more than B's length and B to no more than A's length.
-      A=`echo "$A" | sed "s/\(.\{$ax_compare_version_len_B\}\).*/\1/"`
-      B=`echo "$B" | sed "s/\(.\{$ax_compare_version_len_A\}\).*/\1/"`
-    ],
-    [[0-9]+],[
-      # A count greater than zero means use only that many subversions
-      A=`echo "$A" | sed "s/\(\([[0-9]]\{4\}\)\{m4_substr($2,2)\}\).*/\1/"`
-      B=`echo "$B" | sed "s/\(\([[0-9]]\{4\}\)\{m4_substr($2,2)\}\).*/\1/"`
-    ],
-    [.+],[
-      AC_WARNING(
-        [illegal OP numeric parameter: $2])
-    ],[])
-
-    # Pad zeros at end of numbers to make same length.
-    ax_compare_version_tmp_A="$A`echo $B | sed 's/./0/g'`"
-    B="$B`echo $A | sed 's/./0/g'`"
-    A="$ax_compare_version_tmp_A"
-
-    # Check for equality or inequality as necessary.
-    m4_case(m4_tolower(m4_substr($2,0,2)),
-    [eq],[
-      test "x$A" = "x$B" && ax_compare_version=true
-    ],
-    [ne],[
-      test "x$A" != "x$B" && ax_compare_version=true
-    ],[
-      AC_WARNING([illegal OP parameter: $2])
-    ])
-  ])
-
-  AS_VAR_POPDEF([A])dnl
-  AS_VAR_POPDEF([B])dnl
-
-  dnl # Execute ACTION-IF-TRUE / ACTION-IF-FALSE.
-  if test "$ax_compare_version" = "true" ; then
-    m4_ifvaln([$4],[$4],[:])dnl
-    m4_ifvaln([$5],[else $5])dnl
-  fi
-]) dnl AX_COMPARE_VERSION

config/apparmor/Makefile.am

@@ -1,45 +0,0 @@
-EXTRA_DIST = \
-	abstractions/container-base \
-	abstractions/container-base.in \
-	abstractions/start-container \
-	container-rules \
-	container-rules.base \
-	lxc-containers \
-	lxc-generate-aa-rules.py \
-	profiles/lxc-default \
-	profiles/lxc-default-cgns \
-	profiles/lxc-default-with-mounting \
-	profiles/lxc-default-with-nesting \
-	usr.bin.lxc-start
-
-
-if ENABLE_APPARMOR
-install-apparmor:
-	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/
-	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
-	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
-	$(INSTALL_DATA) $(srcdir)/abstractions/container-base $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
-	$(INSTALL_DATA) abstractions/start-container $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
-	$(INSTALL_DATA) $(srcdir)/profiles/lxc-default $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
-	$(INSTALL_DATA) $(srcdir)/profiles/lxc-default-cgns $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
-	$(INSTALL_DATA) $(srcdir)/profiles/lxc-default-with-mounting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
-	$(INSTALL_DATA) $(srcdir)/profiles/lxc-default-with-nesting $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
-	$(INSTALL_DATA) $(srcdir)/lxc-containers $(DESTDIR)$(sysconfdir)/apparmor.d/
-	$(INSTALL_DATA) $(srcdir)/usr.bin.lxc-start $(DESTDIR)$(sysconfdir)/apparmor.d/
-
-uninstall-apparmor:
-	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/usr.bin.lxc-start
-	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc-containers
-	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-nesting
-	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-with-mounting
-	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default-cgns
-	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/lxc-default
-	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/start-container
-	rm -f $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/container-base
-	rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/ || :
-	rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/ || :
-	rmdir $(DESTDIR)$(sysconfdir)/apparmor.d/ || :
-
-install-data-local: install-apparmor
-uninstall-local: uninstall-apparmor
-endif

config/apparmor/abstractions/meson.build

@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+if libapparmor.found()
+    configure_file(
+        configuration: conf,
+        input: 'container-base',
+        output: 'container-base',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'apparmor.d', 'abstractions', 'lxc'))
+
+    configure_file(
+        configuration: conf,
+        input: 'start-container.in',
+        output: 'start-container',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'apparmor.d', 'abstractions', 'lxc'))
+endif

config/apparmor/abstractions/start-container.in

@@ -17,10 +17,16 @@
   mount options=bind /dev/pts/** -> /dev/**,
   mount options=(rw, make-slave) -> **,
   mount options=(rw, make-rslave) -> **,
+  mount options=(rw, make-shared) -> **,
+  mount options=(rw, make-rshared) -> **,
   mount fstype=debugfs,
+  mount fstype=fuse.*,
   # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
   mount -> /var/lib/lxc/{**,},
 
+  mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
+  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
+
   # required for some pre-mount hooks
   mount fstype=overlayfs,
   mount fstype=aufs,

config/apparmor/meson.build

@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+if libapparmor.found()
+    configure_file(
+        configuration: dummy_config_data,
+        input: 'lxc-containers',
+        output: 'lxc-containers',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'apparmor.d'))
+
+    configure_file(
+        configuration: dummy_config_data,
+        input: 'usr.bin.lxc-start',
+        output: 'usr.bin.lxc-start',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'apparmor.d'))
+endif

config/apparmor/profiles/lxc-default-cgns

@@ -10,4 +10,5 @@ profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
   deny mount fstype=devpts,
   mount fstype=cgroup -> /sys/fs/cgroup/**,
   mount fstype=cgroup2 -> /sys/fs/cgroup/**,
+  mount fstype=overlay,
 }

config/apparmor/profiles/meson.build

@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+if libapparmor.found()
+    configure_file(
+        configuration: dummy_config_data,
+        input: 'lxc-default',
+        output: 'lxc-default',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'apparmor.d', 'lxc'))
+
+    configure_file(
+        configuration: dummy_config_data,
+        input: 'lxc-default-cgns',
+        output: 'lxc-default-cgns',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'apparmor.d', 'lxc'))
+
+    configure_file(
+        configuration: dummy_config_data,
+        input: 'lxc-default-with-mounting',
+        output: 'lxc-default-with-mounting',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'apparmor.d', 'lxc'))
+
+    configure_file(
+        configuration: dummy_config_data,
+        input: 'lxc-default-with-nesting',
+        output: 'lxc-default-with-nesting',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'apparmor.d', 'lxc'))
+endif

config/ax_check_compile_flag.m4

@@ -1,53 +0,0 @@
-# ===========================================================================
-#  https://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
-# ===========================================================================
-#
-# SYNOPSIS
-#
-#   AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
-#
-# DESCRIPTION
-#
-#   Check whether the given FLAG works with the current language's compiler
-#   or gives an error.  (Warnings, however, are ignored)
-#
-#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
-#   success/failure.
-#
-#   If EXTRA-FLAGS is defined, it is added to the current language's default
-#   flags (e.g. CFLAGS) when the check is done.  The check is thus made with
-#   the flags: "CFLAGS EXTRA-FLAGS FLAG".  This can for example be used to
-#   force the compiler to issue an error when a bad flag is given.
-#
-#   INPUT gives an alternative input source to AC_COMPILE_IFELSE.
-#
-#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
-#   macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
-#
-# LICENSE
-#
-#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
-#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
-#
-#   Copying and distribution of this file, with or without modification, are
-#   permitted in any medium without royalty provided the copyright notice
-#   and this notice are preserved.  This file is offered as-is, without any
-#   warranty.
-
-#serial 6
-
-AC_DEFUN([AX_CHECK_COMPILE_FLAG],
-[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
-AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
-AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
-  ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
-  _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
-  AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
-    [AS_VAR_SET(CACHEVAR,[yes])],
-    [AS_VAR_SET(CACHEVAR,[no])])
-  _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
-AS_VAR_IF(CACHEVAR,yes,
-  [m4_default([$2], :)],
-  [m4_default([$3], :)])
-AS_VAR_POPDEF([CACHEVAR])dnl
-])dnl AX_CHECK_COMPILE_FLAGS

config/ax_check_link_flag.m4

@@ -1,53 +0,0 @@
-# ===========================================================================
-#    https://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
-# ===========================================================================
-#
-# SYNOPSIS
-#
-#   AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
-#
-# DESCRIPTION
-#
-#   Check whether the given FLAG works with the linker or gives an error.
-#   (Warnings, however, are ignored)
-#
-#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
-#   success/failure.
-#
-#   If EXTRA-FLAGS is defined, it is added to the linker's default flags
-#   when the check is done.  The check is thus made with the flags: "LDFLAGS
-#   EXTRA-FLAGS FLAG".  This can for example be used to force the linker to
-#   issue an error when a bad flag is given.
-#
-#   INPUT gives an alternative input source to AC_LINK_IFELSE.
-#
-#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
-#   macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
-#
-# LICENSE
-#
-#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
-#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
-#
-#   Copying and distribution of this file, with or without modification, are
-#   permitted in any medium without royalty provided the copyright notice
-#   and this notice are preserved.  This file is offered as-is, without any
-#   warranty.
-
-#serial 6
-
-AC_DEFUN([AX_CHECK_LINK_FLAG],
-[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
-AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
-AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
-  ax_check_save_flags=$LDFLAGS
-  LDFLAGS="$LDFLAGS $4 $1"
-  AC_LINK_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
-    [AS_VAR_SET(CACHEVAR,[yes])],
-    [AS_VAR_SET(CACHEVAR,[no])])
-  LDFLAGS=$ax_check_save_flags])
-AS_VAR_IF(CACHEVAR,yes,
-  [m4_default([$2], :)],
-  [m4_default([$3], :)])
-AS_VAR_POPDEF([CACHEVAR])dnl
-])dnl AX_CHECK_LINK_FLAGS

config/ax_pthread.m4

@@ -1,485 +0,0 @@
-# ===========================================================================
-#        https://www.gnu.org/software/autoconf-archive/ax_pthread.html
-# ===========================================================================
-#
-# SYNOPSIS
-#
-#   AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
-#
-# DESCRIPTION
-#
-#   This macro figures out how to build C programs using POSIX threads. It
-#   sets the PTHREAD_LIBS output variable to the threads library and linker
-#   flags, and the PTHREAD_CFLAGS output variable to any special C compiler
-#   flags that are needed. (The user can also force certain compiler
-#   flags/libs to be tested by setting these environment variables.)
-#
-#   Also sets PTHREAD_CC to any special C compiler that is needed for
-#   multi-threaded programs (defaults to the value of CC otherwise). (This
-#   is necessary on AIX to use the special cc_r compiler alias.)
-#
-#   NOTE: You are assumed to not only compile your program with these flags,
-#   but also to link with them as well. For example, you might link with
-#   $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
-#
-#   If you are only building threaded programs, you may wish to use these
-#   variables in your default LIBS, CFLAGS, and CC:
-#
-#     LIBS="$PTHREAD_LIBS $LIBS"
-#     CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-#     CC="$PTHREAD_CC"
-#
-#   In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
-#   has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to
-#   that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
-#
-#   Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
-#   PTHREAD_PRIO_INHERIT symbol is defined when compiling with
-#   PTHREAD_CFLAGS.
-#
-#   ACTION-IF-FOUND is a list of shell commands to run if a threads library
-#   is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
-#   is not found. If ACTION-IF-FOUND is not specified, the default action
-#   will define HAVE_PTHREAD.
-#
-#   Please let the authors know if this macro fails on any platform, or if
-#   you have any other suggestions or comments. This macro was based on work
-#   by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
-#   from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
-#   Alejandro Forero Cuervo to the autoconf macro repository. We are also
-#   grateful for the helpful feedback of numerous users.
-#
-#   Updated for Autoconf 2.68 by Daniel Richard G.
-#
-# LICENSE
-#
-#   Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu>
-#   Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG>
-#
-#   This program is free software: you can redistribute it and/or modify it
-#   under the terms of the GNU General Public License as published by the
-#   Free Software Foundation, either version 3 of the License, or (at your
-#   option) any later version.
-#
-#   This program is distributed in the hope that it will be useful, but
-#   WITHOUT ANY WARRANTY; without even the implied warranty of
-#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
-#   Public License for more details.
-#
-#   You should have received a copy of the GNU General Public License along
-#   with this program. If not, see <https://www.gnu.org/licenses/>.
-#
-#   As a special exception, the respective Autoconf Macro's copyright owner
-#   gives unlimited permission to copy, distribute and modify the configure
-#   scripts that are the output of Autoconf when processing the Macro. You
-#   need not follow the terms of the GNU General Public License when using
-#   or distributing such scripts, even though portions of the text of the
-#   Macro appear in them. The GNU General Public License (GPL) does govern
-#   all other use of the material that constitutes the Autoconf Macro.
-#
-#   This special exception to the GPL applies to versions of the Autoconf
-#   Macro released by the Autoconf Archive. When you make and distribute a
-#   modified version of the Autoconf Macro, you may extend this special
-#   exception to the GPL to apply to your modified version as well.
-
-#serial 24
-
-AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
-AC_DEFUN([AX_PTHREAD], [
-AC_REQUIRE([AC_CANONICAL_HOST])
-AC_REQUIRE([AC_PROG_CC])
-AC_REQUIRE([AC_PROG_SED])
-AC_LANG_PUSH([C])
-ax_pthread_ok=no
-
-# We used to check for pthread.h first, but this fails if pthread.h
-# requires special compiler flags (e.g. on Tru64 or Sequent).
-# It gets checked for in the link test anyway.
-
-# First of all, check if the user has set any of the PTHREAD_LIBS,
-# etcetera environment variables, and if threads linking works using
-# them:
-if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then
-        ax_pthread_save_CC="$CC"
-        ax_pthread_save_CFLAGS="$CFLAGS"
-        ax_pthread_save_LIBS="$LIBS"
-        AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"])
-        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-        LIBS="$PTHREAD_LIBS $LIBS"
-        AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS])
-        AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes])
-        AC_MSG_RESULT([$ax_pthread_ok])
-        if test "x$ax_pthread_ok" = "xno"; then
-                PTHREAD_LIBS=""
-                PTHREAD_CFLAGS=""
-        fi
-        CC="$ax_pthread_save_CC"
-        CFLAGS="$ax_pthread_save_CFLAGS"
-        LIBS="$ax_pthread_save_LIBS"
-fi
-
-# We must check for the threads library under a number of different
-# names; the ordering is very important because some systems
-# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
-# libraries is broken (non-POSIX).
-
-# Create a list of thread flags to try.  Items starting with a "-" are
-# C compiler flags, and other items are library names, except for "none"
-# which indicates that we try without any flags at all, and "pthread-config"
-# which is a program returning the flags for the Pth emulation library.
-
-ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
-
-# The ordering *is* (sometimes) important.  Some notes on the
-# individual items follow:
-
-# pthreads: AIX (must check this before -lpthread)
-# none: in case threads are in libc; should be tried before -Kthread and
-#       other compiler flags to prevent continual compiler warnings
-# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
-# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64
-#           (Note: HP C rejects this with "bad form for `-t' option")
-# -pthreads: Solaris/gcc (Note: HP C also rejects)
-# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
-#      doesn't hurt to check since this sometimes defines pthreads and
-#      -D_REENTRANT too), HP C (must be checked before -lpthread, which
-#      is present but should not be used directly; and before -mthreads,
-#      because the compiler interprets this as "-mt" + "-hreads")
-# -mthreads: Mingw32/gcc, Lynx/gcc
-# pthread: Linux, etcetera
-# --thread-safe: KAI C++
-# pthread-config: use pthread-config program (for GNU Pth library)
-
-case $host_os in
-
-        freebsd*)
-
-        # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
-        # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
-
-        ax_pthread_flags="-kthread lthread $ax_pthread_flags"
-        ;;
-
-        hpux*)
-
-        # From the cc(1) man page: "[-mt] Sets various -D flags to enable
-        # multi-threading and also sets -lpthread."
-
-        ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags"
-        ;;
-
-        openedition*)
-
-        # IBM z/OS requires a feature-test macro to be defined in order to
-        # enable POSIX threads at all, so give the user a hint if this is
-        # not set. (We don't define these ourselves, as they can affect
-        # other portions of the system API in unpredictable ways.)
-
-        AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING],
-            [
-#            if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS)
-             AX_PTHREAD_ZOS_MISSING
-#            endif
-            ],
-            [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])])
-        ;;
-
-        solaris*)
-
-        # On Solaris (at least, for some versions), libc contains stubbed
-        # (non-functional) versions of the pthreads routines, so link-based
-        # tests will erroneously succeed. (N.B.: The stubs are missing
-        # pthread_cleanup_push, or rather a function called by this macro,
-        # so we could check for that, but who knows whether they'll stub
-        # that too in a future libc.)  So we'll check first for the
-        # standard Solaris way of linking pthreads (-mt -lpthread).
-
-        ax_pthread_flags="-mt,pthread pthread $ax_pthread_flags"
-        ;;
-esac
-
-# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC)
-
-AS_IF([test "x$GCC" = "xyes"],
-      [ax_pthread_flags="-pthread -pthreads $ax_pthread_flags"])
-
-# The presence of a feature test macro requesting re-entrant function
-# definitions is, on some systems, a strong hint that pthreads support is
-# correctly enabled
-
-case $host_os in
-        darwin* | hpux* | linux* | osf* | solaris*)
-        ax_pthread_check_macro="_REENTRANT"
-        ;;
-
-        aix*)
-        ax_pthread_check_macro="_THREAD_SAFE"
-        ;;
-
-        *)
-        ax_pthread_check_macro="--"
-        ;;
-esac
-AS_IF([test "x$ax_pthread_check_macro" = "x--"],
-      [ax_pthread_check_cond=0],
-      [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"])
-
-# Are we compiling with Clang?
-
-AC_CACHE_CHECK([whether $CC is Clang],
-    [ax_cv_PTHREAD_CLANG],
-    [ax_cv_PTHREAD_CLANG=no
-     # Note that Autoconf sets GCC=yes for Clang as well as GCC
-     if test "x$GCC" = "xyes"; then
-        AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG],
-            [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */
-#            if defined(__clang__) && defined(__llvm__)
-             AX_PTHREAD_CC_IS_CLANG
-#            endif
-            ],
-            [ax_cv_PTHREAD_CLANG=yes])
-     fi
-    ])
-ax_pthread_clang="$ax_cv_PTHREAD_CLANG"
-
-ax_pthread_clang_warning=no
-
-# Clang needs special handling, because older versions handle the -pthread
-# option in a rather... idiosyncratic way
-
-if test "x$ax_pthread_clang" = "xyes"; then
-
-        # Clang takes -pthread; it has never supported any other flag
-
-        # (Note 1: This will need to be revisited if a system that Clang
-        # supports has POSIX threads in a separate library.  This tends not
-        # to be the way of modern systems, but it's conceivable.)
-
-        # (Note 2: On some systems, notably Darwin, -pthread is not needed
-        # to get POSIX threads support; the API is always present and
-        # active.  We could reasonably leave PTHREAD_CFLAGS empty.  But
-        # -pthread does define _REENTRANT, and while the Darwin headers
-        # ignore this macro, third-party headers might not.)
-
-        PTHREAD_CFLAGS="-pthread"
-        PTHREAD_LIBS=
-
-        ax_pthread_ok=yes
-
-        # However, older versions of Clang make a point of warning the user
-        # that, in an invocation where only linking and no compilation is
-        # taking place, the -pthread option has no effect ("argument unused
-        # during compilation").  They expect -pthread to be passed in only
-        # when source code is being compiled.
-        #
-        # Problem is, this is at odds with the way Automake and most other
-        # C build frameworks function, which is that the same flags used in
-        # compilation (CFLAGS) are also used in linking.  Many systems
-        # supported by AX_PTHREAD require exactly this for POSIX threads
-        # support, and in fact it is often not straightforward to specify a
-        # flag that is used only in the compilation phase and not in
-        # linking.  Such a scenario is extremely rare in practice.
-        #
-        # Even though use of the -pthread flag in linking would only print
-        # a warning, this can be a nuisance for well-run software projects
-        # that build with -Werror.  So if the active version of Clang has
-        # this misfeature, we search for an option to squash it.
-
-        AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread],
-            [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG],
-            [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown
-             # Create an alternate version of $ac_link that compiles and
-             # links in two steps (.c -> .o, .o -> exe) instead of one
-             # (.c -> exe), because the warning occurs only in the second
-             # step
-             ax_pthread_save_ac_link="$ac_link"
-             ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g'
-             ax_pthread_link_step=`$as_echo "$ac_link" | sed "$ax_pthread_sed"`
-             ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)"
-             ax_pthread_save_CFLAGS="$CFLAGS"
-             for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do
-                AS_IF([test "x$ax_pthread_try" = "xunknown"], [break])
-                CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS"
-                ac_link="$ax_pthread_save_ac_link"
-                AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])],
-                    [ac_link="$ax_pthread_2step_ac_link"
-                     AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])],
-                         [break])
-                    ])
-             done
-             ac_link="$ax_pthread_save_ac_link"
-             CFLAGS="$ax_pthread_save_CFLAGS"
-             AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no])
-             ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try"
-            ])
-
-        case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in
-                no | unknown) ;;
-                *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;;
-        esac
-
-fi # $ax_pthread_clang = yes
-
-if test "x$ax_pthread_ok" = "xno"; then
-for ax_pthread_try_flag in $ax_pthread_flags; do
-
-        case $ax_pthread_try_flag in
-                none)
-                AC_MSG_CHECKING([whether pthreads work without any flags])
-                ;;
-
-                -mt,pthread)
-                AC_MSG_CHECKING([whether pthreads work with -mt -lpthread])
-                PTHREAD_CFLAGS="-mt"
-                PTHREAD_LIBS="-lpthread"
-                ;;
-
-                -*)
-                AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag])
-                PTHREAD_CFLAGS="$ax_pthread_try_flag"
-                ;;
-
-                pthread-config)
-                AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
-                AS_IF([test "x$ax_pthread_config" = "xno"], [continue])
-                PTHREAD_CFLAGS="`pthread-config --cflags`"
-                PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
-                ;;
-
-                *)
-                AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag])
-                PTHREAD_LIBS="-l$ax_pthread_try_flag"
-                ;;
-        esac
-
-        ax_pthread_save_CFLAGS="$CFLAGS"
-        ax_pthread_save_LIBS="$LIBS"
-        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-        LIBS="$PTHREAD_LIBS $LIBS"
-
-        # Check for various functions.  We must include pthread.h,
-        # since some functions may be macros.  (On the Sequent, we
-        # need a special flag -Kthread to make this header compile.)
-        # We check for pthread_join because it is in -lpthread on IRIX
-        # while pthread_create is in libc.  We check for pthread_attr_init
-        # due to DEC craziness with -lpthreads.  We check for
-        # pthread_cleanup_push because it is one of the few pthread
-        # functions on Solaris that doesn't have a non-functional libc stub.
-        # We try pthread_create on general principles.
-
-        AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
-#                       if $ax_pthread_check_cond
-#                        error "$ax_pthread_check_macro must be defined"
-#                       endif
-                        static void routine(void *a) { a = 0; }
-                        static void *start_routine(void *a) { return a; }],
-                       [pthread_t th; pthread_attr_t attr;
-                        pthread_create(&th, 0, start_routine, 0);
-                        pthread_join(th, 0);
-                        pthread_attr_init(&attr);
-                        pthread_cleanup_push(routine, 0);
-                        pthread_cleanup_pop(0) /* ; */])],
-            [ax_pthread_ok=yes],
-            [])
-
-        CFLAGS="$ax_pthread_save_CFLAGS"
-        LIBS="$ax_pthread_save_LIBS"
-
-        AC_MSG_RESULT([$ax_pthread_ok])
-        AS_IF([test "x$ax_pthread_ok" = "xyes"], [break])
-
-        PTHREAD_LIBS=""
-        PTHREAD_CFLAGS=""
-done
-fi
-
-# Various other checks:
-if test "x$ax_pthread_ok" = "xyes"; then
-        ax_pthread_save_CFLAGS="$CFLAGS"
-        ax_pthread_save_LIBS="$LIBS"
-        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
-        LIBS="$PTHREAD_LIBS $LIBS"
-
-        # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
-        AC_CACHE_CHECK([for joinable pthread attribute],
-            [ax_cv_PTHREAD_JOINABLE_ATTR],
-            [ax_cv_PTHREAD_JOINABLE_ATTR=unknown
-             for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
-                 AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
-                                                 [int attr = $ax_pthread_attr; return attr /* ; */])],
-                                [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break],
-                                [])
-             done
-            ])
-        AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \
-               test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \
-               test "x$ax_pthread_joinable_attr_defined" != "xyes"],
-              [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE],
-                                  [$ax_cv_PTHREAD_JOINABLE_ATTR],
-                                  [Define to necessary symbol if this constant
-                                   uses a non-standard name on your system.])
-               ax_pthread_joinable_attr_defined=yes
-              ])
-
-        AC_CACHE_CHECK([whether more special flags are required for pthreads],
-            [ax_cv_PTHREAD_SPECIAL_FLAGS],
-            [ax_cv_PTHREAD_SPECIAL_FLAGS=no
-             case $host_os in
-             solaris*)
-             ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS"
-             ;;
-             esac
-            ])
-        AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \
-               test "x$ax_pthread_special_flags_added" != "xyes"],
-              [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS"
-               ax_pthread_special_flags_added=yes])
-
-        AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
-            [ax_cv_PTHREAD_PRIO_INHERIT],
-            [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
-                                             [[int i = PTHREAD_PRIO_INHERIT;]])],
-                            [ax_cv_PTHREAD_PRIO_INHERIT=yes],
-                            [ax_cv_PTHREAD_PRIO_INHERIT=no])
-            ])
-        AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \
-               test "x$ax_pthread_prio_inherit_defined" != "xyes"],
-              [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])
-               ax_pthread_prio_inherit_defined=yes
-              ])
-
-        CFLAGS="$ax_pthread_save_CFLAGS"
-        LIBS="$ax_pthread_save_LIBS"
-
-        # More AIX lossage: compile with *_r variant
-        if test "x$GCC" != "xyes"; then
-            case $host_os in
-                aix*)
-                AS_CASE(["x/$CC"],
-                    [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6],
-                    [#handle absolute path differently from PATH based program lookup
-                     AS_CASE(["x$CC"],
-                         [x/*],
-                         [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])],
-                         [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])])
-                ;;
-            esac
-        fi
-fi
-
-test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
-
-AC_SUBST([PTHREAD_LIBS])
-AC_SUBST([PTHREAD_CFLAGS])
-AC_SUBST([PTHREAD_CC])
-
-# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
-if test "x$ax_pthread_ok" = "xyes"; then
-        ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
-        :
-else
-        ax_pthread_ok=no
-        $2
-fi
-AC_LANG_POP
-])dnl AX_PTHREAD

config/bash/Makefile.am

@@ -1,5 +0,0 @@
-EXTRA_DIST = lxc
-
-if ENABLE_BASH
-dist_bashcomp_DATA = lxc
-endif

config/bash/lxc.in

@@ -1,111 +0,0 @@
-_have lxc-start && {
-    _lxc_names() {
-        COMPREPLY=( $( compgen -W "$( lxc-ls )" "$cur" ) )
-    }
-
-    _lxc_states() {
-        COMPREPLY=( $( compgen -W "STOPPED STARTING RUNNING STOPPING ABORTING FREEZING FROZEN THAWED" "$cur" ) )
-    }
-
-    _lxc_templates() {
-        COMPREPLY=( $( compgen -W "$(ls @LXCTEMPLATEDIR@/ | sed -e 's|^lxc-||' )" "$cur" ) )
-    }
-
-    _lxc_backing_stores() {
-        COMPREPLY=( $( compgen -W "dir lvm loop btrfs zfs rbd best" "$cur" ) )
-    }
-
-    _lxc_generic_n() {
-        local cur prev
-
-        COMPREPLY=()
-        _get_comp_words_by_ref cur prev
-
-        case $prev in
-            -n)
-                _lxc_names "$cur"
-                return 0
-            ;;
-        esac
-
-        return 1
-    }
-
-    _lxc_generic_ns() {
-        local cur prev
-
-        COMPREPLY=()
-        _get_comp_words_by_ref cur prev
-
-        case $prev in
-            -n)
-                _lxc_names "$cur"
-                return 0
-            ;;
-
-            -s)
-                _lxc_states "$cur"
-                return 0
-            ;;
-        esac
-
-        return 1
-    }
-
-    _lxc_generic_t() {
-        local cur prev
-
-        COMPREPLY=()
-        _get_comp_words_by_ref cur prev
-
-        case $prev in
-            -t)
-                _lxc_templates "$cur"
-                return 0
-            ;;
-
-            -B)
-                _lxc_backing_stores "$cur"
-                return 0
-            ;;
-        esac
-
-        return 1
-    }
-
-    _lxc_generic_o() {
-        local cur prev
-
-        COMPREPLY=()
-        _get_comp_words_by_ref cur prev
-
-        case $prev in
-            -o)
-                _lxc_names "$cur"
-                return 0
-            ;;
-        esac
-
-        return 1
-    }
-
-    complete -o default -F _lxc_generic_n lxc-attach
-    complete -o default -F _lxc_generic_n lxc-cgroup
-    complete -o default -F _lxc_generic_n lxc-console
-    complete -o default -F _lxc_generic_n lxc-destroy
-    complete -o default -F _lxc_generic_n lxc-device
-    complete -o default -F _lxc_generic_n lxc-execute
-    complete -o default -F _lxc_generic_n lxc-freeze
-    complete -o default -F _lxc_generic_n lxc-info
-    complete -o default -F _lxc_generic_n lxc-monitor
-    complete -o default -F _lxc_generic_n lxc-snapshot
-    complete -o default -F _lxc_generic_n lxc-start
-    complete -o default -F _lxc_generic_n lxc-stop
-    complete -o default -F _lxc_generic_n lxc-unfreeze
-
-    complete -o default -F _lxc_generic_ns lxc-wait
-
-    complete -o default -F _lxc_generic_t lxc-create
-
-    complete -o default -F _lxc_generic_o lxc-copy
-}

config/bash/meson.build

@@ -0,0 +1,39 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+bash_completion = configure_file(
+    configuration: conf,
+    input: '_lxc.in',
+    output: '_lxc',
+    install: true,
+    install_dir: bashcompletiondir)
+
+
+foreach cmd: [
+    'lxc-attach',
+    'lxc-autostart',
+    'lxc-cgroup',
+    'lxc-checkpoint',
+    'lxc-config',
+    'lxc-console',
+    'lxc-copy',
+    'lxc-create',
+    'lxc-destroy',
+    'lxc-device',
+    'lxc-execute',
+    'lxc-freeze',
+    'lxc-info',
+    'lxc-ls',
+    'lxc-monitor',
+    'lxc-snapshot',
+    'lxc-start',
+    'lxc-stop',
+    'lxc-top',
+    'lxc-unfreeze',
+    'lxc-unshare',
+    'lxc-usernsexec',
+    'lxc-wait',
+]
+    install_symlink(cmd,
+        pointing_to: '_lxc',
+        install_dir: bashcompletiondir)
+endforeach

config/etc/Makefile.am

@@ -1,8 +0,0 @@
-configdir = $(sysconfdir)/lxc
-config_DATA = default.conf
-
-EXTRA_DIST = default.conf.lxcbr default.conf.libvirt default.conf.unknown
-
-distclean-local:
-	@$(RM) -f default.conf
-	@$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh missing Makefile.in Makefile

config/etc/meson.build

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+lxc_system_config = configure_file(
+    configuration: dummy_config_data,
+    input: 'default.conf.lxcbr',
+    output: 'default.conf',
+    install: true,
+    install_dir: lxcconfdir)

config/init/Makefile.am

@@ -1 +0,0 @@
-SUBDIRS = common systemd sysvinit upstart

config/init/common/Makefile.am

@@ -1,2 +0,0 @@
-EXTRA_DIST = lxc-containers.in lxc-net.in
-pkglibexec_SCRIPTS = lxc-containers lxc-net

config/init/common/lxc-containers.in

@@ -56,12 +56,12 @@ wait_for_bridge()
     local BRNAME try flags br
     [ -f "$sysconfdir"/lxc/default.conf ] || { return 0; }
 
-    BRNAME=`grep '^[ 	]*lxc.net.0.link' "$sysconfdir"/lxc/default.conf | sed 's/^.*=[ 	]*//'`
+    BRNAME=$(grep '^[ 	]*lxc.net.0.link' "$sysconfdir"/lxc/default.conf | sed 's/^.*=[ 	]*//')
     if [ -z "$BRNAME" ]; then
         return 0
     fi
 
-    for try in `seq 1 30`; do
+    for try in $(seq 1 30); do
         for br in ${BRNAME}; do
              [ -r /sys/class/net/${br}/flags ] || { sleep 1; continue 2; }
              read flags < /sys/class/net/${br}/flags

config/init/common/lxc-net.in

@@ -18,6 +18,7 @@ LXC_DHCP_MAX="253"
 LXC_DHCP_CONFILE=""
 LXC_DHCP_PING="true"
 LXC_DOMAIN=""
+LXC_USE_NFT="true"
 
 LXC_IPV6_ADDR=""
 LXC_IPV6_MASK=""
@@ -26,8 +27,15 @@ LXC_IPV6_NAT="false"
 
 [ ! -f $distrosysconfdir/lxc ] || . $distrosysconfdir/lxc
 
-use_iptables_lock="-w"
-iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
+use_nft() {
+    [ -n "$NFT" ] && nft list ruleset > /dev/null 2>&1 && [ "$LXC_USE_NFT" = "true" ]
+}
+
+NFT="$(command -v nft)"
+if ! use_nft; then
+    use_iptables_lock="-w"
+    iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
+fi
 
 _netmask2cidr ()
 {
@@ -44,13 +52,65 @@ _ifdown() {
 }
 
 _ifup() {
-    MASK=`_netmask2cidr ${LXC_NETMASK}`
+    MASK=$(_netmask2cidr ${LXC_NETMASK})
     CIDR_ADDR="${LXC_ADDR}/${MASK}"
-    ip addr add ${CIDR_ADDR} dev ${LXC_BRIDGE}
+    ip addr add ${CIDR_ADDR} broadcast + dev ${LXC_BRIDGE}
     ip link set dev ${LXC_BRIDGE} address $LXC_BRIDGE_MAC
     ip link set dev ${LXC_BRIDGE} up
 }
 
+start_ipv6() {
+    LXC_IPV6_ARG=""
+    if [ -n "$LXC_IPV6_ADDR" ] && [ -n "$LXC_IPV6_MASK" ] && [ -n "$LXC_IPV6_NETWORK" ]; then
+        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+        echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/autoconf
+        ip -6 addr add dev ${LXC_BRIDGE} ${LXC_IPV6_ADDR}/${LXC_IPV6_MASK}
+        LXC_IPV6_ARG="--dhcp-range=${LXC_IPV6_ADDR},ra-only --listen-address ${LXC_IPV6_ADDR}"
+    fi
+}
+
+start_iptables() {
+    start_ipv6
+    if [ -n "$LXC_IPV6_ARG" ] && [ "$LXC_IPV6_NAT" = "true" ]; then
+        ip6tables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
+    fi
+    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
+    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
+    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
+    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
+    iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
+    iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
+    iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
+    iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+}
+
+start_nftables() {
+    start_ipv6
+    NFT_RULESET=""
+    if [ -n "$LXC_IPV6_ARG" ] && [ "$LXC_IPV6_NAT" = "true" ]; then
+        NFT_RULESET="${NFT_RULESET}
+add table ip6 lxc;
+flush table ip6 lxc;
+add chain ip6 lxc postrouting { type nat hook postrouting priority 100; };
+add rule ip6 lxc postrouting ip6 saddr ${LXC_IPV6_NETWORK} ip6 daddr != ${LXC_IPV6_NETWORK} counter masquerade;
+"
+    fi
+    NFT_RULESET="${NFT_RULESET};
+add table inet lxc;
+flush table inet lxc;
+add chain inet lxc input { type filter hook input priority 0; };
+add rule inet lxc input iifname ${LXC_BRIDGE} udp dport { 53, 67 } accept;
+add rule inet lxc input iifname ${LXC_BRIDGE} tcp dport { 53, 67 } accept;
+add chain inet lxc forward { type filter hook forward priority 0; };
+add rule inet lxc forward iifname ${LXC_BRIDGE} accept;
+add rule inet lxc forward oifname ${LXC_BRIDGE} accept;
+add table ip lxc;
+flush table ip lxc;
+add chain ip lxc postrouting { type nat hook postrouting priority 100; };
+add rule ip lxc postrouting ip saddr ${LXC_NETWORK} ip daddr != ${LXC_NETWORK} counter masquerade"
+    nft "${NFT_RULESET}"
+}
+
 start() {
     [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }
 
@@ -84,41 +144,27 @@ start() {
     # can't write its pid into, so we restorecon it (to var_run_t)
     if [ ! -d "${varrun}" ]; then
         mkdir -p "${varrun}"
-        if which restorecon >/dev/null 2>&1; then
+        if command -v restorecon >/dev/null 2>&1; then
             restorecon "${varrun}"
         fi
     fi
 
     _ifup
 
-    LXC_IPV6_ARG=""
-    if [ -n "$LXC_IPV6_ADDR" ] && [ -n "$LXC_IPV6_MASK" ] && [ -n "$LXC_IPV6_NETWORK" ]; then
-        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-        echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/autoconf
-        ip -6 addr add dev ${LXC_BRIDGE} ${LXC_IPV6_ADDR}/${LXC_IPV6_MASK}
-        if [ "$LXC_IPV6_NAT" = "true" ]; then
-            ip6tables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
-        fi
-        LXC_IPV6_ARG="--dhcp-range=${LXC_IPV6_ADDR},ra-only --listen-address ${LXC_IPV6_ADDR}"
+    if use_nft; then
+        start_nftables
+    else
+        start_iptables
     fi
-    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
-    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
-    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
-    iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
-    iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
-    iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
-    iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
-    iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
 
     LXC_DOMAIN_ARG=""
     if [ -n "$LXC_DOMAIN" ]; then
         LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
     fi
 
-    LXC_DHCP_CONFILE_ARG=""
-    if [ -n "$LXC_DHCP_CONFILE" ]; then
-        LXC_DHCP_CONFILE_ARG="--conf-file=${LXC_DHCP_CONFILE}"
-    fi
+    # lxc's dnsmasq should be hermetic and not read `/etc/dnsmasq.conf` (which
+    # it does by default if `--conf-file` is not present
+    LXC_DHCP_CONFILE_ARG="--conf-file=${LXC_DHCP_CONFILE:-/dev/null}"
 
     # https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-October/010561.html
     for DNSMASQ_USER in lxc-dnsmasq dnsmasq nobody
@@ -133,39 +179,67 @@ start() {
         LXC_DHCP_PING_ARG="--no-ping"
     fi
 
+    DNSMASQ_MISC_DIR="$varlib/misc"
+    if [ ! -d "$DNSMASQ_MISC_DIR" ]; then
+        mkdir -p "$DNSMASQ_MISC_DIR"
+    fi
+
     dnsmasq $LXC_DHCP_CONFILE_ARG $LXC_DOMAIN_ARG $LXC_DHCP_PING_ARG -u ${DNSMASQ_USER} \
             --strict-order --bind-interfaces --pid-file="${varrun}"/dnsmasq.pid \
             --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} \
             --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override \
             --except-interface=lo --interface=${LXC_BRIDGE} \
-            --dhcp-leasefile="${varlib}"/misc/dnsmasq.${LXC_BRIDGE}.leases \
+            --dhcp-leasefile="${DNSMASQ_MISC_DIR}"/dnsmasq.${LXC_BRIDGE}.leases \
             --dhcp-authoritative $LXC_IPV6_ARG || cleanup
 
     touch "${varrun}"/network_up
     FAILED=0
 }
 
+stop_iptables() {
+    iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
+    iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
+    iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
+    iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
+    iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
+    iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
+    iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
+    iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+    if [ "$LXC_IPV6_NAT" = "true" ]; then
+        ip6tables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
+    fi
+}
+
+stop_nftables() {
+    # Adding table before removing them is just to avoid
+    # delete error for non-existent table
+    NFT_RULESET="add table inet lxc;
+delete table inet lxc;
+add table ip lxc;
+delete table ip lxc;
+"
+    if [ "$LXC_IPV6_NAT" = "true" ]; then
+        NFT_RULESET="${NFT_RULESET};
+add table ip6 lxc;
+delete table ip6 lxc;"
+    fi
+    nft "${NFT_RULESET}"
+}
+
 stop() {
     [ "x$USE_LXC_BRIDGE" = "xtrue" ] || { exit 0; }
 
     [ -f "${varrun}/network_up" ] || [ "$1" = "force" ] || { echo "lxc-net isn't running"; exit 1; }
 
     if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
-        _ifdown 
-        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
-        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
-        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
-        iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
-        iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
-        iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
-        iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
-        iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-
-        if [ "$LXC_IPV6_NAT" = "true" ]; then
-            ip6tables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
+        _ifdown
+        if use_nft; then
+            stop_nftables
+        else
+            stop_iptables
         fi
 
-        pid=`cat "${varrun}"/dnsmasq.pid 2>/dev/null` && kill -9 $pid
+        pid=$(cat "${varrun}"/dnsmasq.pid 2>/dev/null) && kill -9 $pid
         rm -f "${varrun}"/dnsmasq.pid
         # if $LXC_BRIDGE has attached interfaces, don't destroy the bridge
         ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 || ip link delete ${LXC_BRIDGE}

config/init/common/meson.build

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+lxc_containers = configure_file(
+    configuration: conf,
+    input: 'lxc-containers.in',
+    output: 'lxc-containers',
+    install: true,
+    install_dir: lxclibexec)
+
+lxc_net = configure_file(
+    configuration: conf,
+    input: 'lxc-net.in',
+    output: 'lxc-net',
+    install: true,
+    install_dir: lxclibexec)

config/init/systemd/Makefile.am

@@ -1,24 +0,0 @@
-EXTRA_DIST = \
-	lxc-apparmor-load \
-	lxc.service.in \
-	lxc@.service.in \
-	lxc-net.service.in
-
-if INIT_SCRIPT_SYSTEMD
-BUILT_SOURCES = lxc.service lxc@.service lxc-net.service
-
-install-systemd: lxc.service lxc@.service lxc-net.service lxc-apparmor-load
-	$(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR)
-	$(INSTALL_DATA) lxc.service lxc@.service lxc-net.service $(DESTDIR)$(SYSTEMD_UNIT_DIR)/
-
-uninstall-systemd:
-	rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc.service
-	rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc@.service
-	rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/lxc-net.service
-	rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
-
-pkglibexec_SCRIPTS = lxc-apparmor-load
-
-install-data-local: install-systemd
-uninstall-local: uninstall-systemd
-endif

config/init/systemd/lxc-monitord.service.in

@@ -0,0 +1,11 @@
+[Unit]
+Description=LXC Container Monitoring Daemon
+After=syslog.service network.target
+Documentation=man:lxc
+
+[Service]
+Type=simple
+ExecStart=@LIBEXECDIR@/lxc/lxc-monitord --daemon
+
+[Install]
+WantedBy=multi-user.target

config/init/systemd/lxc-net.service.in

@@ -2,6 +2,8 @@
 Description=LXC network bridge setup
 After=network-online.target
 Before=lxc.service
+Documentation=man:lxc
+ConditionVirtualization=!lxc
 
 [Service]
 Type=oneshot

config/init/systemd/lxc.service.in

@@ -1,6 +1,6 @@
 [Unit]
 Description=LXC Container Initialization and Autoboot Code
-After=network.target lxc-net.service
+After=network.target lxc-net.service remote-fs.target
 Wants=lxc-net.service
 Documentation=man:lxc-autostart man:lxc
 
@@ -10,11 +10,10 @@ RemainAfterExit=yes
 ExecStartPre=@LIBEXECDIR@/lxc/lxc-apparmor-load
 ExecStart=@LIBEXECDIR@/lxc/lxc-containers start
 ExecStop=@LIBEXECDIR@/lxc/lxc-containers stop
+ExecReload=@LIBEXECDIR@/lxc/lxc-apparmor-load
 # Environment=BOOTUP=serial
 # Environment=CONSOLETYPE=serial
 Delegate=yes
-StandardOutput=syslog
-StandardError=syslog
 
 [Install]
 WantedBy=multi-user.target

config/init/systemd/lxc@.service.in

@@ -14,8 +14,6 @@ ExecStop=@BINDIR@/lxc-stop -n %i
 # Environment=BOOTUP=serial
 # Environment=CONSOLETYPE=serial
 Delegate=yes
-StandardOutput=syslog
-StandardError=syslog
 
 [Install]
 WantedBy=multi-user.target

config/init/systemd/meson.build

@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+lxc_apparmor_load = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc-apparmor-load',
+    output: 'lxc-apparmor-load',
+    install: true,
+    install_dir: lxclibexec)
+
+if 'systemd' in init_script
+    systemd_system_unit_dir = get_option('systemd-unitdir')
+    if systemd_system_unit_dir == ''
+        systemd = dependency('systemd')
+        systemd_system_unit_dir = systemd.get_variable('systemdsystemunitdir')
+    endif
+
+    configure_file(
+        configuration: conf,
+        input: 'lxc-monitord.service.in',
+        output: 'lxc-monitord.service',
+        install: true,
+        install_dir: systemd_system_unit_dir)
+
+    configure_file(
+        configuration: conf,
+        input: 'lxc-net.service.in',
+        output: 'lxc-net.service',
+        install: true,
+        install_dir: systemd_system_unit_dir)
+
+    configure_file(
+        configuration: conf,
+        input: 'lxc.service.in',
+        output: 'lxc.service',
+        install: true,
+        install_dir: systemd_system_unit_dir)
+
+    configure_file(
+        configuration: conf,
+        input: 'lxc@.service.in',
+        output: 'lxc@.service',
+        install: true,
+        install_dir: systemd_system_unit_dir)
+endif

config/init/sysvinit/Makefile.am

@@ -1,25 +0,0 @@
-EXTRA_DIST = lxc-containers.in lxc-net.in
-
-if INIT_SCRIPT_SYSV
-# If we're installing for sysv init, install the helper scripts
-# directly to the rc directory under the appropriate name.
-
-if HAVE_DEBIAN
-initdir = "init.d"
-else
-initdir = "rc.d/init.d"
-endif
-
-install-sysvinit: lxc-containers lxc-net
-	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/$(initdir)
-	$(INSTALL_SCRIPT) lxc-containers $(DESTDIR)$(sysconfdir)/$(initdir)/lxc
-	$(INSTALL_SCRIPT) lxc-net $(DESTDIR)$(sysconfdir)/$(initdir)/lxc-net
-
-uninstall-sysvinit:
-	rm -f $(DESTDIR)$(sysconfdir)/$(initdir)/lxc
-	rm -f $(DESTDIR)$(sysconfdir)/$(initdir)/lxc-net
-	rmdir $(DESTDIR)$(sysconfdir)/$(initdir) || :
-
-install-data-local: install-sysvinit
-uninstall-local: uninstall-sysvinit
-endif

config/init/sysvinit/meson.build

@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+if 'sysvinit' in init_script
+    configure_file(
+        configuration: conf,
+        input: 'lxc-containers.in',
+        output: 'lxc-containers',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'init.d'))
+
+    configure_file(
+        configuration: conf,
+        input: 'lxc-net.in',
+        output: 'lxc-net',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'init.d'))
+endif

config/init/upstart/Makefile.am

@@ -1,18 +0,0 @@
-EXTRA_DIST = lxc.conf lxc-instance.conf lxc-net.conf.in
-
-if INIT_SCRIPT_UPSTART
-install-upstart: lxc.conf lxc-instance.conf lxc-net.conf
-	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/init/
-	$(INSTALL_DATA) lxc.conf $(DESTDIR)$(sysconfdir)/init/
-	$(INSTALL_DATA) $(srcdir)/lxc-instance.conf $(DESTDIR)$(sysconfdir)/init/
-	$(INSTALL_DATA) lxc-net.conf $(DESTDIR)$(sysconfdir)/init/
-
-uninstall-upstart:
-	rm -f $(DESTDIR)$(sysconfdir)/init/lxc.conf
-	rm -f $(DESTDIR)$(sysconfdir)/init/lxc-instance.conf
-	rm -f $(DESTDIR)$(sysconfdir)/init/lxc-net.conf
-	rmdir $(DESTDIR)$(sysconfdir)/init || :
-
-install-data-local: install-upstart
-uninstall-local: uninstall-upstart
-endif

config/init/upstart/meson.build

@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+if 'upstart' in init_script
+    configure_file(
+        configuration: conf,
+        input: 'lxc.conf.in',
+        output: 'lxc.conf',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'init'))
+
+    configure_file(
+        configuration: conf,
+        input: 'lxc-instance.conf',
+        output: 'lxc-instance.conf',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'init'))
+
+    configure_file(
+        configuration: conf,
+        input: 'lxc-net.conf.in',
+        output: 'lxc-net.conf',
+        install: true,
+        install_dir: join_paths(sysconfdir, 'init'))
+endif

config/selinux/Makefile.am

@@ -1,8 +0,0 @@
-selinuxdir=@DATADIR@/lxc/selinux
-
-EXTRA_DIST = \
-	lxc.if lxc.te
-
-selinux_DATA = \
-	lxc.if \
-	lxc.te

config/selinux/meson.build

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+lxc_selinux_if = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc.if',
+    output: 'lxc.if',
+    install: libselinux.found(),
+    install_dir: lxcselinuxdir)
+
+lxc_selinux_te = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc.te',
+    output: 'lxc.te',
+    install: libselinux.found(),
+    install_dir: lxcselinuxdir)

config/sysconfig/Makefile.am

@@ -1,6 +0,0 @@
-sysconfigdir="@LXC_DISTRO_SYSCONF@"
-
-sysconfig_DATA = \
-	lxc
-
-EXTRA_DIST = $(sysconfig_DATA)

config/sysconfig/meson.build

@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+if distrosysconfdir != ''
+    configure_file(
+        configuration: conf,
+        input: 'lxc.in',
+        output: 'lxc',
+        install: true,
+        install_dir: distrosysconfdir)
+endif

config/templates/Makefile.am

@@ -1,11 +0,0 @@
-templatesconfigdir=@LXCTEMPLATECONFIG@
-
-EXTRA_DIST = common.seccomp
-
-SUBDIRS = common.conf.d
-
-templatesconfig_DATA = common.conf \
-		       common.seccomp \
-		       nesting.conf \
-		       oci.common.conf \
-		       userns.conf

config/templates/common.conf.d/Makefile.am

@@ -1,6 +0,0 @@
-templatesconfigdir=@LXCTEMPLATECONFIG@/common.conf.d/
-
-EXTRA_DIST = README
-
-templatesconfig_DATA = \
-	README

config/templates/common.conf.d/meson.build

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+lxc_conf_common_readme = configure_file(
+    configuration: dummy_config_data,
+    input: 'README',
+    output: 'README',
+    install: true,
+    install_dir: lxctemplateconfcommondir)

config/templates/common.conf.in

@@ -15,7 +15,9 @@ lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
 # Ensure hostname is changed on clone
 lxc.hook.clone = @LXCHOOKDIR@/clonehostname
 
-# CGroup whitelist
+# Default legacy cgroup configuration
+#
+# CGroup allowlist
 lxc.cgroup.devices.deny = a
 ## Allow any mknod (but not reading/writing the node)
 lxc.cgroup.devices.allow = c *:* m
@@ -42,11 +44,40 @@ lxc.cgroup.devices.allow = c 136:* rwm
 ### fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 
+# Default unified cgroup configuration
+#
+# CGroup allowlist
+lxc.cgroup2.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
+lxc.cgroup2.devices.allow = c *:* m
+lxc.cgroup2.devices.allow = b *:* m
+## Allow specific devices
+### /dev/null
+lxc.cgroup2.devices.allow = c 1:3 rwm
+### /dev/zero
+lxc.cgroup2.devices.allow = c 1:5 rwm
+### /dev/full
+lxc.cgroup2.devices.allow = c 1:7 rwm
+### /dev/tty
+lxc.cgroup2.devices.allow = c 5:0 rwm
+### /dev/console
+lxc.cgroup2.devices.allow = c 5:1 rwm
+### /dev/ptmx
+lxc.cgroup2.devices.allow = c 5:2 rwm
+### /dev/random
+lxc.cgroup2.devices.allow = c 1:8 rwm
+### /dev/urandom
+lxc.cgroup2.devices.allow = c 1:9 rwm
+### /dev/pts/*
+lxc.cgroup2.devices.allow = c 136:* rwm
+### fuse
+lxc.cgroup2.devices.allow = c 10:229 rwm
+
 # Setup the default mounts
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 
-# Blacklist some syscalls which are not safe in privileged
+# Block some syscalls which are not safe in privileged
 # containers
 lxc.seccomp.profile = @LXCTEMPLATECONFIG@/common.seccomp
 

config/templates/common.seccomp

@@ -1,5 +1,5 @@
 2
-blacklist
+denylist
 reject_force_umount  # comment this to allow umount -f;  not recommended
 [all]
 kexec_load errno 1

config/templates/meson.build

@@ -0,0 +1,36 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+lxc_conf_common_seccomp = configure_file(
+    configuration: conf,
+    input: 'common.seccomp',
+    output: 'common.seccomp',
+    install: true,
+    install_dir: lxctemplateconfdir)
+
+lxc_conf_common_main = configure_file(
+    configuration: conf,
+    input: 'common.conf.in',
+    output: 'common.conf',
+    install: true,
+    install_dir: lxctemplateconfdir)
+
+lxc_conf_common_nesting = configure_file(
+    configuration: conf,
+    input: 'nesting.conf.in',
+    output: 'nesting.conf',
+    install: true,
+    install_dir: lxctemplateconfdir)
+
+lxc_conf_common_oci = configure_file(
+    configuration: conf,
+    input: 'oci.common.conf.in',
+    output: 'oci.common.conf',
+    install: true,
+    install_dir: lxctemplateconfdir)
+
+lxc_conf_common_userns = configure_file(
+    configuration: conf,
+    input: 'userns.conf.in',
+    output: 'userns.conf',
+    install: true,
+    install_dir: lxctemplateconfdir)

config/templates/userns.conf.in

@@ -1,7 +1,15 @@
 # CAP_SYS_ADMIN in init-user-ns is required for cgroup.devices
+#
+# Default legacy cgroup configuration
+#
 lxc.cgroup.devices.deny =
 lxc.cgroup.devices.allow =
 
+# Default unified cgroup configuration
+#
+lxc.cgroup2.devices.deny =
+lxc.cgroup2.devices.allow =
+
 # Start with a full set of capabilities in user namespaces.
 lxc.cap.drop =
 lxc.cap.keep =
@@ -11,3 +19,6 @@ lxc.tty.dir =
 
 # Setup the default mounts
 lxc.mount.auto = sys:rw
+
+# Lastly, include all the configs from @LXCTEMPLATECONFIG@/userns.conf.d/
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf.d/

config/tls.m4

@@ -1,14 +0,0 @@
-# See if we have working TLS.  We only check to see if it compiles, and that
-# the resulting program actually runs, not whether the resulting TLS variables
-# work properly; that check is done at runtime, since we can run binaries
-# compiled with __thread on systems without TLS.
-AC_DEFUN([LXC_CHECK_TLS],
-[
-    AC_MSG_CHECKING(for TLS)
-    AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ static __thread int val; int main() { return 0; } ]])],[have_tls=yes],[have_tls=no],[have_tls=no ])
-    AC_MSG_RESULT($have_tls)
-    if test "$have_tls" = "yes"; then
-        AC_DEFINE([HAVE_TLS],[1],[Define if the compiler supports __thread])
-        AC_DEFINE([thread_local],[__thread],[Define to the compiler TLS keyword])
-    fi
-])

config/yum/Makefile.am

@@ -1,6 +0,0 @@
-yumpluginsdir=$(datadir)/lxc
-
-yumplugins_DATA = \
-	lxc-patch.py
-
-EXTRA_DIST = $(yumplugins_DATA)

config/yum/lxc-patch.py

@@ -24,7 +24,6 @@
 import os
 from fnmatch import fnmatch
 from yum.plugins import TYPE_INTERACTIVE
-from yum.plugins import PluginYumExit
 
 requires_api_version = '2.0'
 plugin_type = (TYPE_INTERACTIVE,)

config/yum/meson.build

@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+lxc_patch = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc-patch.py',
+    output: 'lxc-patch.py',
+    install: true,
+    install_dir: lxcdatadir)

doc/FAQ.txt

@@ -38,30 +38,3 @@ Answer:
 read the lxc man page about kernel version prereq :) most probably
 your kernel is not configured to support the container options you
 want to use.
-
-
-Error:
-------
-
-On Ubuntu 8.10, if using the cvs source code rather than
-the provided tarball. Then make is failing with many errors
-similar to the line below:
-==========
-../../libtool: line 810: X--tag=CC: command not found
-==========
-
-Answer:
--------
-
-This is related to a compatibility problem between the shipped
-config/ltmain.sh and the libtool version installed on your
-Ubuntu 8.10 machine.
-You have to replace the config/ltmain.sh from cvs head by the one
-from your libtool package, make some cleaning and reissue all
-the build process:
-==========
-cd <your_lxc_working_dir>
-cp -f /usr/share/libtool/config/ltmain.sh config/
-rm -f libtool
-./bootstrap && ./configure && make && sudo make install
-==========

doc/Makefile.am

@@ -1,79 +0,0 @@
-SUBDIRS = examples rootfs
-DIST_SUBDIRS = examples rootfs ja ko api
-
-if USE_DOCBOOK2X
-SUBDIRS += ja ko
-endif
-
-if ENABLE_API_DOCS
-SUBDIRS += api
-endif
-
-EXTRA_DIST = api-extensions.md \
-	     lxc.container.conf \
-	     lxc.system.conf \
-	     FAQ.txt
-
-if ENABLE_DOCBOOK
-man_MANS = lxc.conf.5 \
-	   lxc.container.conf.5 \
-	   lxc.system.conf.5 \
-	   lxc-usernet.5 \
-	   lxc.7
-if ENABLE_TOOLS
-man_MANS += lxc-attach.1 \
-	    lxc-autostart.1 \
-	    lxc-cgroup.1 \
-	    lxc-checkconfig.1 \
-	    lxc-checkpoint.1 \
-	    lxc-config.1 \
-	    lxc-console.1 \
-	    lxc-copy.1 \
-	    lxc-create.1 \
-	    lxc-destroy.1 \
-	    lxc-device.1 \
-	    lxc-execute.1 \
-	    lxc-freeze.1 \
-	    lxc-info.1 \
-	    lxc-ls.1 \
-	    lxc-monitor.1 \
-	    lxc-snapshot.1 \
-	    lxc-start.1 \
-	    lxc-stop.1 \
-	    lxc-top.1 \
-	    lxc-unfreeze.1 \
-	    lxc-unshare.1 \
-	    lxc-wait.1
-endif
-
-if ENABLE_PAM
-man_MANS += pam_cgfs.8
-endif
-
-if ENABLE_COMMANDS
-man_MANS += lxc-update-config.1 \
-	    lxc-user-nic.1 \
-	    lxc-usernsexec.1
-endif
-
-%.1 : %.sgml
-	$(db2xman) $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-%.5 : %.sgml
-	$(db2xman) $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-%.7 : %.sgml
-	$(db2xman) $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-%.8 : %.sgml
-	$(db2xman) $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-lxc-%.sgml : common_options.sgml see_also.sgml
-
-clean-local:
-	$(RM) manpage.* *.7 *.5 *.1 *.8 $(man_MANS)
-endif

doc/api-extensions.md

@@ -113,8 +113,50 @@ This enables `LXC` to make complete use of the unified cgroup hierarchy. With th
 
 ## init\_pidfd
 
-This adds a new API function `init_pidfd()` which allows to retrieve a pidfd for the container's init process allowing process management interactions such as sending signal to be completely reliable and rac-e free.
+This adds a new API function `init_pidfd()` which allows one to retrieve a pidfd for the container's init process allowing process management interactions such as sending signals to be completely reliable and race free.
 
 ## pidfd
 
 When running on kernels that support pidfds LXC will rely on them for most operations. This makes interacting with containers not just more reliable it also makes it significantly safer and eliminates various races inherent to PID-based kernel APIs. LXC will require that the running kernel at least support `pidfd_send_signal()`, `CLONE_PIDFD`, `P_PIDFD`, and pidfd polling support. Any kernel starting with `Linux 5.4` should have full support for pidfds.
+
+## cgroup\_advanced\_isolation
+
+Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
+
+
+## time\_namespace
+
+This adds time namespace support to LXC.
+
+## seccomp\_allow\_deny\_syntax
+
+This adds the ability to use "denylist" and "allowlist" in seccomp v2 policies.
+
+## devpts\_fd
+
+This adds the ability to allocate a file descriptor for the devpts instance of
+the container.
+
+## seccomp\_notify\_fd\_active
+
+Retrieve the seccomp notifier fd from a running container.
+
+## seccomp\_proxy\_send\_notify\_fd
+
+Whether the seccomp notify proxy sends a long a notify fd file descriptor.
+
+## idmapped\_mounts
+
+Whether this LXC instance can handle idmapped mounts for the rootfs.
+
+## idmapped\_mounts\_v2
+
+Whether this LXC instance can handle idmapped mounts for lxc.mount.entry
+entries.
+
+## cgroup2\_auto_mounting
+
+This adds the new options `cgroup2`, `cgroup2:ro`, `cgroup2:force`,
+`cgroup2:ro:force` for the `lxc.mount.auto` configuration key. For example, if
+a user specifies `cgroup2:force` LXC will pre-mount a pure `cgroup2` layout for
+the container even if the host is running with a hybrid layout.

doc/api/Makefile.am

@@ -1,13 +0,0 @@
-EXTRA_DIST = Doxyfile
-
-if ENABLE_API_DOCS
-html: Doxyfile
-	doxygen $<
-endif
-
-.PHONY: html
-
-all-local: html
-
-clean-local:
-	$(RM) -rf html

doc/common_options.sgml.in

@@ -83,10 +83,11 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 	  Set log priority to
 	  <replaceable>LEVEL</replaceable>. The default log
 	  priority is <literal>ERROR</literal>. Possible values are :
-	  <literal>FATAL</literal>, <literal>CRIT</literal>,
+	  <literal>FATAL</literal>, <literal>ALERT</literal>,
+	  <literal>CRIT</literal>,
 	  <literal>WARN</literal>, <literal>ERROR</literal>,
 	  <literal>NOTICE</literal>, <literal>INFO</literal>,
-	  <literal>DEBUG</literal>.
+	  <literal>DEBUG</literal>, <literal>TRACE</literal>.
 	</para>
 	<para>
 	Note that this option is setting the priority of the events

doc/examples/Makefile.am

@@ -1,32 +0,0 @@
-if ENABLE_EXAMPLES
-pkgexamplesdir=$(docdir)/examples
-
-pkgexamples_DATA = \
-	lxc-macvlan.conf \
-	lxc-vlan.conf \
-	lxc-no-netns.conf \
-	lxc-empty-netns.conf \
-	lxc-phys.conf \
-	lxc-veth.conf \
-	lxc-complex.conf \
-	seccomp-v1.conf \
-	seccomp-v2-blacklist.conf \
-	seccomp-v2.conf
-endif
-
-noinst_DATA = \
-	lxc-macvlan.conf.in \
-	lxc-vlan.conf.in \
-	lxc-empty-netns.conf.in \
-	lxc-no-netns.conf.in \
-	lxc-phys.conf.in \
-	lxc-veth.conf.in \
-	lxc-complex.conf.in \
-	seccomp-v1.conf \
-	seccomp-v2-blacklist.conf \
-	seccomp-v2.conf
-
-EXTRA_DIST = \
-	seccomp-v1.conf \
-	seccomp-v2-blacklist.conf \
-	seccomp-v2.conf

doc/examples/lxc-complex.conf.in

@@ -17,7 +17,7 @@ lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
 
 lxc.net.0.type = phys
 lxc.net.0.flags = up
-lxc.net.0.link = dummy0
+lxc.net.0.link = random0
 lxc.net.0.hwaddr = 4a:49:43:49:79:ff
 lxc.net.0.ipv4.address = 10.2.3.6/24
 lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297

doc/examples/meson.build

@@ -0,0 +1,71 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+example_lxc_complex = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc-complex.conf.in',
+    output: 'lxc-complex.conf',
+    install: want_examples,
+    install_dir: lxcexamplesdir)
+
+example_lxc_empty_netns = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc-empty-netns.conf.in',
+    output: 'lxc-empty-netns.conf',
+    install: want_examples,
+    install_dir: lxcexamplesdir)
+
+example_lxc_macvlan = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc-macvlan.conf.in',
+    output: 'lxc-macvlan.conf',
+    install: want_examples,
+    install_dir: lxcexamplesdir)
+
+example_lxc_no_netns = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc-no-netns.conf.in',
+    output: 'lxc-no-netns.conf',
+    install: want_examples,
+    install_dir: lxcexamplesdir)
+
+example_lxc_phys = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc-phys.conf.in',
+    output: 'lxc-phys.conf',
+    install: want_examples,
+    install_dir: lxcexamplesdir)
+
+example_lxc_veth = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc-veth.conf.in',
+    output: 'lxc-veth.conf',
+    install: want_examples,
+    install_dir: lxcexamplesdir)
+
+example_lxc_vlan = configure_file(
+    configuration: dummy_config_data,
+    input: 'lxc-vlan.conf.in',
+    output: 'lxc-vlan.conf',
+    install: want_examples,
+    install_dir: lxcexamplesdir)
+
+example_lxc_seccomp_v1 = configure_file(
+    configuration: dummy_config_data,
+    input: 'seccomp-v1.conf',
+    output: 'seccomp-v1.conf',
+    install: want_examples,
+    install_dir: lxcexamplesdir)
+
+example_lxc_seccomp_v2 = configure_file(
+    configuration: dummy_config_data,
+    input: 'seccomp-v2.conf',
+    output: 'seccomp-v2.conf',
+    install: want_examples,
+    install_dir: lxcexamplesdir)
+
+example_lxc_seccomp_v2 = configure_file(
+    configuration: dummy_config_data,
+    input: 'seccomp-v2-denylist.conf',
+    output: 'seccomp-v2-denylist.conf',
+    install: want_examples,
+    install_dir: lxcexamplesdir)

doc/examples/seccomp-v1.conf

@@ -1,5 +1,5 @@
 1
-whitelist
+allowlist
 0
 1
 2

doc/examples/seccomp-v2-denylist.conf

@@ -1,7 +1,7 @@
 2
-blacklist
+denylist
 # v2 allows comments after the second line, with '#' in first column,
-# blacklist will allow syscalls by default
+# denylist will allow syscalls by default
 # if 'errno 0' was not appended to 'mknod' below, then the task would
 # simply be killed when it tried to mknod.  'errno 0' means do not allow
 # the container to mknod, but immediately return 0.

doc/examples/seccomp-v2.conf

@@ -1,7 +1,7 @@
 2
-whitelist trap
-# 'whitelist' would normally mean kill a task doing any syscall which is not
-# whitelisted below.  By appending 'trap' to the line, we will cause a SIGSYS
+allowlist trap
+# 'allowlist' would normally mean kill a task doing any syscall which is not
+# allowlisted below.  By appending 'trap' to the line, we will cause a SIGSYS
 # to be sent to the task instead.  'errno 0' would  mean don't allow the system
 # call but immediately return 0.  'errno 22' would mean return EINVAL immediately.
 [x86_64]
@@ -20,5 +20,5 @@ read
 write
 mount
 umount2
-# Do note that this policy does not whitelist enough system calls to allow a
+# Do note that this policy does not allowlist enough system calls to allow a
 # system container to boot.

doc/ja/FAQ.txt

@@ -38,30 +38,3 @@ Answer:
 read the lxc man page about kernel version prereq :) most probably
 your kernel is not configured to support the container options you
 want to use.
-
-
-Error:
-------
-
-On Ubuntu 8.10, if using the cvs source code rather than
-the provided tarball. Then make is failing with many errors
-similar to the line below:
-==========
-../../libtool: line 810: X--tag=CC: command not found
-==========
-
-Answer:
--------
-
-This is related to a compatibility problem between the shipped
-config/ltmain.sh and the libtool version installed on your
-Ubuntu 8.10 machine.
-You have to replace the config/ltmain.sh from cvs head by the one
-from your libtool package, make some cleaning and reissue all
-the build process:
-==========
-cd <your_lxc_working_dir>
-cp -f /usr/share/libtool/config/ltmain.sh config/
-rm -f libtool
-./bootstrap && ./configure && make && sudo make install
-==========

doc/ja/Makefile.am

@@ -1,72 +0,0 @@
-mandir = @mandir@/ja
-
-SUBDIRS =
-DIST_SUBDIRS =
-
-EXTRA_DIST = \
-	FAQ.txt
-
-if ENABLE_DOCBOOK
-man_MANS = lxc.conf.5 \
-	   lxc.container.conf.5 \
-	   lxc.system.conf.5 \
-	   lxc-usernet.5 \
-	   lxc.7
-
-if ENABLE_TOOLS
-man_MANS += lxc-attach.1 \
-	    lxc-autostart.1 \
-	    lxc-cgroup.1 \
-	    lxc-checkconfig.1 \
-	    lxc-checkpoint.1 \
-	    lxc-config.1 \
-	    lxc-console.1 \
-	    lxc-copy.1 \
-	    lxc-create.1 \
-	    lxc-destroy.1 \
-	    lxc-device.1 \
-	    lxc-execute.1 \
-	    lxc-freeze.1 \
-	    lxc-info.1 \
-	    lxc-ls.1 \
-	    lxc-monitor.1 \
-	    lxc-snapshot.1 \
-	    lxc-start.1 \
-	    lxc-stop.1 \
-	    lxc-top.1 \
-	    lxc-unfreeze.1 \
-	    lxc-unshare.1 \
-	    lxc-wait.1
-endif
-
-if ENABLE_PAM
-man_MANS += pam_cgfs.8
-endif
-
-if ENABLE_COMMANDS
-man_MANS += lxc-update-config.1 \
-	    lxc-user-nic.1 \
-	    lxc-usernsexec.1
-endif
-
-%.1 : %.sgml
-	$(db2xman) --encoding=UTF-8 $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-%.5 : %.sgml
-	$(db2xman) --encoding=UTF-8 $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-%.7 : %.sgml
-	$(db2xman) --encoding=UTF-8 $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-%.8 : %.sgml
-	$(db2xman) --encoding=UTF-8 $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-lxc-%.sgml : common_options.sgml see_also.sgml
-
-clean-local:
-	$(RM) manpage.* *.7 *.5 *.1 *.8 $(man_MANS)
-endif

doc/ja/common_options.sgml.in

@@ -105,16 +105,18 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
 	  Set log priority to
 	  <replaceable>LEVEL</replaceable>. The default log
 	  priority is <literal>ERROR</literal>. Possible values are :
-	  <literal>FATAL</literal>, <literal>CRIT</literal>,
+	  <literal>FATAL</literal>, <literal>ALERT</literal>,
+	  <literal>CRIT</literal>,
 	  <literal>WARN</literal>, <literal>ERROR</literal>,
 	  <literal>NOTICE</literal>, <literal>INFO</literal>,
-	  <literal>DEBUG</literal>.
+	  <literal>DEBUG</literal>, <literal>TRACE</literal>.
           -->
           ログの優先度を <replaceable>LEVEL</replaceable> に設定します。デフォルトの優先度は <literal>ERROR</literal> です。以下の値を設定可能です:
-	  <literal>FATAL</literal>, <literal>CRIT</literal>,
+	  <literal>FATAL</literal>, <literal>ALERT</literal>,
+	  <literal>CRIT</literal>,
 	  <literal>WARN</literal>, <literal>ERROR</literal>,
 	  <literal>NOTICE</literal>, <literal>INFO</literal>,
-	  <literal>DEBUG</literal>。
+	  <literal>DEBUG</literal>, <literal>TRACE</literal>。
 	</para>
 	<para>
           <!--

doc/ja/lxc-attach.sgml.in

@@ -374,7 +374,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
 
       <varlistentry>
 	<term>
-	  <option>--u, --uid <replaceable>uid</replaceable></option>
+	  <option>-u, --uid <replaceable>uid</replaceable></option>
 	</term>
 	<listitem>
 	  <para>

doc/ja/lxc-autostart.sgml.in

@@ -182,7 +182,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
 
             <varlistentry>
                 <term>
-                    <option>-g,--group <replaceable>GROUP</replaceable></option>
+                    <option>-g,--groups <replaceable>GROUP</replaceable></option>
                 </term>
                 <listitem>
                     <para>

doc/ja/lxc-execute.sgml.in

@@ -179,7 +179,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
 
       <varlistentry>
 	<term>
-	  <option>--u, --uid <replaceable>uid</replaceable></option>
+	  <option>-u, --uid <replaceable>uid</replaceable></option>
 	</term>
 	<listitem>
 	  <para>

doc/ja/lxc-user-nic.sgml.in

@@ -91,12 +91,12 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
       <!--
       It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
       to determine the number of interfaces which the calling user is allowed to
-      create, and which bridge he may attach them to.  It tracks the
+      create, and which bridge they may attach them to.  It tracks the
       number of interfaces each user has created using the file
       <filename>@LXC_USERNIC_DB@</filename>.  It ensures that the calling
       user is privileged over the network namespace to which the interface
       will be attached.
-      <command>lxc-user-nic</command> also allows to delete network devices.
+      <command>lxc-user-nic</command> also allows one to delete network devices.
       Currently only ovs ports can be deleted.
       -->
       このプログラムは、<filename>@LXC_USERNIC_CONF@</filename> という設定ファイルを参照して、呼び出したユーザが作成することができるインターフェースの数と、どのブリッジに接続するかを決定します。

doc/ja/lxc.container.conf.sgml.in

@@ -445,6 +445,42 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
       </variablelist>
     </refsect2>
 
+    <refsect2>
+      <title><!-- Core Scheduling -->コアスケジューリング</title>
+      <para>
+        <!--
+        Core scheduling defines if the container payload
+        is marked as being schedulable on the same core. Doing so will cause
+        the kernel scheduler to ensure that tasks that are not in the same
+        group never run simultaneously on a core. This can serve as an extra
+        security measure to prevent the container payload from using
+        cross hyper thread attacks.
+        -->
+        コアスケジューリングは、コンテナのペイロードが同じコアでスケジュール可能であるとマークするかどうかを指定します。
+        これによりカーネルスケジューラーは、同じグループに属さないタスクが同一コア上で同時に実行されないようにします。
+        これは、コンテナペイロードがクロスハイパースレッド攻撃を受けることを防ぐための、追加のセキュリティ対策として機能させることができます。
+      </para>
+      <variablelist>
+        <varlistentry>
+          <term>
+            <option>lxc.sched.core</option>
+          </term>
+          <listitem>
+            <para>
+              <!--
+              The only allowed values are 0 and 1. Set this to 1 to create a
+              core scheduling domain for the container or 0 to not create one.
+              If not set explicitly no core scheduling domain will be created
+              for the container.
+                -->
+              0 または 1 のみ指定できます。1 を設定すると、コンテナに対するコアスケジューリングドメインを作成し、0 を設定すると作成しません。
+              明示的に指定していない場合は、コンテナに対するコアスケジューリングドメインは作成されません。
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
+
     <refsect2>
       <title>Proc</title>
       <para>
@@ -543,6 +579,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               <!--
               specify what kind of network virtualization to be used
               for the container.
+              Must be specified before any other option(s) on the net device.
               Multiple networks can be specified by using an additional index
               <option>i</option>
               after all <option>lxc.net.*</option> keys. For example,
@@ -554,7 +591,8 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               will belong to <option>lxc.net.0.type</option>.
               Currently, the different virtualization types can be:
               -->
-              コンテナがどの種類のネットワーク仮想化を使うかを指定します。すべての <option>lxc.net.*</option> キーに、追加のインデックス <option>i</option> を使うと、複数のネットワークを指定できます。例えば、<option>lxc.net.0.type = veth</option> と <option>lxc.net.1.type = veth</option> は、同じタイプの異なるネットワークを 2 つ指定します。
+              コンテナがどの種類のネットワーク仮想化を使うかを指定します。ネットワークデバイスの他のオプションを設定する前に指定しなければいけません。
+              すべての <option>lxc.net.*</option> キーに、追加のインデックス <option>i</option> を使うと、複数のネットワークを指定できます。例えば、<option>lxc.net.0.type = veth</option> と <option>lxc.net.1.type = veth</option> は、同じタイプの異なるネットワークを 2 つ指定します。
               同じインデックスを指定したキーはすべて同じネットワークの指定になります。例えば、<option>lxc.net.0.link = br0</option> は <option>lxc.net.0.type</option> と同じネットワークの設定になります。
               現時点では、以下のネットワーク仮想化のタイプが使えます:
             </para>
@@ -619,6 +657,12 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               <option>lxc.net.[i].veth.ipv6.route</option> options.
               Several lines specify several routes.
               The route is in format x.y.z.t/m, eg. 192.168.1.0/24.
+
+              In <option>bridge</option> mode untagged VLAN membership can be set with the
+              <option>lxc.net.[i].veth.vlan.id</option> option. It accepts a special value of 'none' indicating
+              that the container port should be removed from the bridge's default untagged VLAN.
+              The <option>lxc.net.[i].veth.vlan.tagged.id</option> option can be specified multiple times to set
+              the container's bridge port membership to one or more tagged VLANs.
               -->
               <option>veth:</option> 一方がコンテナに、もう一方がホストに接続されるペアの仮想イーサネットデバイスを作成します。
               <option>lxc.net.[i].veth.mode</option> は、veth の親（ホスト側）がホスト上で使うモードを指定します。
@@ -636,6 +680,8 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               <option>lxc.net.[i].veth.ipv4.route</option>、<option>lxc.net.[i].veth.ipv6.route</option> オプションを使って、静的ルーティングをコンテナを指し示すホスト上に追加できます。
               複数のルートがある場合は複数の設定を指定します。
               ルートは x.y.z.t/m の形式です。例: 192.168.1.0/24
+
+	      <option>bridge</option> モードでは、タグなし VLAN は <option>lxc.net.[i].veth.vlan.id</option> で設定できます。このオプションでは、コンテナポートをブリッジのデフォルトのタグなし VLAN から削除するための特別な値 'none' が指定できます。コンテナのブリッジポートを複数のタグ付き VLAN に所属させるために、<option>lxc.net.[i].veth.vlan.tagged.id</option> を複数回指定できます。
             </para>
 
             <para>
@@ -713,25 +759,25 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               modes are <option>l3</option>, <option>l3s</option> and
               <option>l2</option>. It defaults to <option>l3</option> mode.
               In <option>l3</option> mode TX processing up to L3 happens on the stack instance
-              attached to the slave device and packets are switched to the stack instance of the
-              master device for the L2 processing and routing from that instance will be
-              used before packets are queued on the outbound device. In this mode the slaves
+              attached to the dependent device and packets are switched to the stack instance of the
+              parent device for the L2 processing and routing from that instance will be
+              used before packets are queued on the outbound device. In this mode the dependent devices
               will not receive nor can send multicast / broadcast traffic.
               In <option>l3s</option> mode TX processing is very similar to the L3 mode except that
               iptables (conn-tracking) works in this mode and hence it is L3-symmetric (L3s).
               This will have slightly less performance but that shouldn't matter since you are
               choosing this mode over plain-L3 mode to make conn-tracking work.
               In <option>l2</option> mode TX processing happens on the stack instance attached to
-              the slave device and packets are switched and queued to the master device to send
-              out. In this mode the slaves will RX/TX multicast and broadcast (if applicable) as well.
+              the dependent device and packets are switched and queued to the parent device to send
+              out. In this mode the dependent devices will RX/TX multicast and broadcast (if applicable) as well.
               <option>lxc.net.[i].ipvlan.isolation</option> specifies the isolation mode.
               The accepted isolation values are <option>bridge</option>,
               <option>private</option> and <option>vepa</option>.
               It defaults to <option>bridge</option>.
-              In <option>bridge</option> isolation mode slaves can cross-talk among themselves
-              apart from talking through the master device.
+              In <option>bridge</option> isolation mode dependent devices can cross-talk among themselves
+              apart from talking through the parent device.
               In <option>private</option> isolation mode the port is set in private mode.
-              i.e. port won't allow cross communication between slaves.
+              i.e. port won't allow cross communication between dependent devices.
               In <option>vepa</option> isolation mode the port is set in VEPA mode.
               i.e. port will offload switching functionality to the external entity as
               described in 802.1Qbg.
@@ -884,8 +930,13 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               Specify the ipv4 address to assign to the virtualized interface.
               Several lines specify several ipv4 addresses. The address is in
               format x.y.z.t/m, eg. 192.168.1.123/24.
+              You can optionally specify the broadcast address after the IP adress,
+              e.g. 192.168.1.123/24 255.255.255.255.
+              Otherwise it is automatically calculated from the IP address.
               -->
               仮想インターフェースに割り当てる ipv4 アドレスを指定します。複数行により複数の ipv4 アドレスを指定します。このアドレスは x.y.z.t/m というフォーマットで指定します。例) 192.168.1.123/24
+              IP アドレスのあとにオプションでブロードキャストアドレスを指定できます。例）192.168.1.123/24 255.255.255.255
+              指定しなければ IP アドレスから自動的に計算されます。
             </para>
           </listitem>
         </varlistentry>
@@ -1144,11 +1195,11 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               <!--
               If set, the container will have a new pseudo tty
               instance, making this private to it. The value specifies
-              the maximum number of pseudo ttys allowed for a pts
+              the maximum number of pseudo ttys allowed for a pty
               instance (this limitation is not implemented yet).
               -->
               もし設定された場合、コンテナは新しい pseudo tty インスタンスを持ち、それを自身のプライベートとします。
-              この値は pts インスタンスに許可される pseudo tty の最大数を指定します (この制限はまだ実装されていません)。
+              この値は pty インスタンスに許可される pseudo tty の最大数を指定します (この制限はまだ実装されていません)。
             </para>
           </listitem>
         </varlistentry>
@@ -1479,7 +1530,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
         the container at some <filename>path</filename>, and then mounts
         under <filename>path</filename>, then a TOCTTOU attack would be
         possible where the container user modifies a symbolic link under
-        his home directory at just the right time.
+        their home directory at just the right time.
           -->
         注意: 通常 LXC は、マウント対象と相対パス指定のバインドマウントを、適切にコンテナルート以下に閉じ込めます。
         これは、ホストのディレクトリやファイルに対して重ね合わせを行うようなマウントによる攻撃を防ぎます。(絶対パス指定のマウントソース中の各パスがシンボリックリンクである場合は無視されます。)
@@ -1548,7 +1599,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               fstab フォーマットの一行と同じフォーマットのマウントポイントの指定をします。
 
               <!--
-              Moreover lxc supports mount propagation, such as rslave or
+              Moreover lxc supports mount propagation, such as rshared or
               rprivate, and adds three additional mount options.
               <option>optional</option> don't fail if mount does not work.
               <option>create=dir</option> or <option>create=file</option>
@@ -1556,7 +1607,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               <option>relative</option> source path is taken to be relative to
               the mounted container root. For instance,
               -->
-              加えて、LXC では rslave や rprivate といったマウント・プロパゲーションオプションと、独自の 3 つのマウントオプションが使えます。
+              加えて、LXC では rshared や rprivate といったマウント・プロパゲーションオプションと、独自の 3 つのマウントオプションが使えます。
               <option>optional</option> は、マウントが失敗しても失敗を返さずに無視します。
               <option>create=dir</option> と <option>create=file</option> は、マウントポイントをマウントする際にディレクトリもしくはファイルを作成します。
               <option>relative</option> を指定すると、マウントされたコンテナルートからの相対パスとして取得されます。
@@ -1991,9 +2042,26 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
           <listitem>
             <para>
               <!--
-              extra mount options to use when mounting the rootfs.
-              -->
-              rootfs をマウントするときに追加したいマウントオプション。
+              Specify extra mount options to use when mounting the rootfs.
+                The format of the mount options corresponds to the
+                format used in fstab. In addition, LXC supports the custom
+                <option>idmap=</option> mount option. This option can be used
+                to tell LXC to create an idmapped mount for the container's
+                rootfs. This is useful when the user doesn't want to recursively
+                chown the rootfs of the container to match the idmapping of the
+                user namespace the container is going to use. Instead an
+                idmapped mount can be used to handle this.
+                The argument for
+                <option>idmap=</option>
+                can either be a path pointing to a user namespace file that
+                LXC will open and use to idmap the rootfs or the special value
+                "container" which will instruct LXC to use
+                the container's user namespace to idmap the rootfs.
+                -->
+                rootfs をマウントするときに使うマウントオプション。マウントオプションのフォーマットは fstab で使うフォーマットと同じです。
+                加えて、LXC では独自の <option>idmap=</option> マウントオプションが使えます。このオプションを使うと、LXC に対してコンテナの rootfs を idmapped マウントするように指示できます。
+                これは、コンテナが使うユーザー名前空間の ID マッピングと一致させるために、コンテナの rootfs を再帰的に chown したくない場合に役に立ちます。代わりに idmapped マウントが使えます。
+                <option>idmap=</option> の引数は、LXC が開いて rootfs を idmap するのに使うユーザー名前空間ファイルを指すパス、もしくは "container" という特別な値のどちらかです。"container" という値は、コンテナのユーザー名前空間を使って rootfs を idmap するように LXC に指示します。
             </para>
           </listitem>
         </varlistentry>
@@ -2019,7 +2087,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
     </refsect2>
 
     <refsect2>
-      <title>Control group</title>
+      <title>Control group ("cgroup")</title>
       <para>
         <!--
         The control group section contains the configuration for the
@@ -2033,10 +2101,281 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
         <command>lxc</command> は、このサブシステム名の正しさはチェックしません。
         実行時のエラーを検出するのに不便ですが、別の将来のサブシステムをサポート出来るという有利な点もあります。
       </para>
+
+      <para>
+        <!--
+        The kernel implementation of cgroups has changed significantly over the
+        years. With Linux 4.5 support for a new cgroup filesystem was added
+        usually referred to as "cgroup2" or "unified hierarchy". Since then the
+        old cgroup filesystem is usually referred to as "cgroup1" or the
+        "legacy hierarchies". Please see the cgroups manual page for a detailed
+        explanation of the differences between the two versions.
+          -->
+        カーネルにおける cgroup 実装は長年にわたって大きく変化してきました。
+        Linux 4.5 で新しい cgroup ファイルシステムのサポートが追加されました。通常は "cgroup2" や "unified hierarchy"（単一階層構造） と呼ばれています。
+        それ以来、通常は古い cgroup ファイルシステムは "cgroup1" や "legacy hierarchies"（レガシー階層構造）と呼ばれています。
+        この 2 つのバージョンの違いについての詳細な説明は、cgroup のマニュアルページをご覧ください。
+      </para>
+
+      <para>
+        <!--
+        LXC distinguishes settings for the legacy and the unified hierarchy by
+        using different configuration key prefixes. To alter settings for
+        controllers in a legacy hierarchy the key prefix
+        <option>lxc.cgroup.</option> must be used and in order to alter the
+        settings for a controller in the unified hierarchy the
+        <option>lxc.cgroup2.</option> key must be used. Note that LXC will
+        ignore <option>lxc.cgroup.</option> settings on systems that only use
+        the unified hierarchy. Conversely, it will ignore
+        <option>lxc.cgroup2.</option> options on systems that only use legacy
+        hierarchies.
+        -->
+        LXC は cgroup1（レガシー階層構造）と cgroup2（単一階層構造）に対する設定を、異なる設定プレフィックスを使って区別しています。
+        cgroup1 に対する設定を変更するには <option>lxc.cgroup.</option> というプレフィックスを使う必要があり、cgroup2 の設定を変更するには <option>lxc.cgroup2.</option> を使う必要があります。
+        LXC は、cgroup2 だけが使われているシステム上の <option>lxc.cgroup.</option> を無視します。逆に cgroup1 だけが使われているシステム上の <option>lxc.cgroup2.</option> を無視します。
+      </para>
+
+      <para>
+        <!--
+        At its core a cgroup hierarchy is a way to hierarchically organize
+        processes. Usually a cgroup hierarchy will have one or more
+        "controllers" enabled. A "controller" in a cgroup hierarchy is usually
+        responsible for distributing a specific type of system resource along
+        the hierarchy. Controllers include the "pids" controller, the "cpu"
+        controller, the "memory" controller and others. Some controllers
+        however do not fall into the category of distributing a system
+        resource, instead they are often referred to as "utility" controllers.
+        One utility controller is the device controller. Instead of
+        distributing a system resource it allows one to manage device access.
+        -->
+        cgroup 階層の本質は、プロセスを階層的に構造化する方法です。通常は、cgroup 階層では 1 つ以上の「コントローラー」が有効になっています。
+        通常、cgroup 階層の「コントローラー」は階層に従って特定のタイプのシステムリソースを分配する役割を果たします。
+        コントローラーには "pids" コントローラー、"cpu" コントローラー、"memory" コントローラーなどがあります。
+        しかし、システムリソースの分配するという役割に該当しないコントローラーもあります。このようなコントローラーは「ユーティリティー」コントローラーと呼ばれたりします。
+        ユーティリティーコントローラーの 1 つにデバイスコントローラーがあります。このコントローラーはシステムリソースを分配する代わりにデバイスへのアクセスを管理できます。
+      </para>
+
+      <para>
+        <!--
+        In the legacy hierarchy the device controller was implemented like most
+        other controllers as a set of files that could be written to. These
+        files where named "devices.allow" and "devices.deny". The legacy device
+        controller allowed the implementation of both "allowlists" and
+        "denylists".
+        -->
+        cgroup1 では、デバイスコントローラーは他の多くのコントローラーと同様に、書き込みできるファイルのセットとして実装されていました。
+        これらのファイルは "devices.allow" と "devices.deny" という名前のファイルでした。レガシーデバイスコントローラーは「許可リスト（allowlists）」と「拒否リスト（denylists）」の両方を実装できました。
+      </para>
+
+      <para>
+        <!--
+        An allowlist is a device program that by default blocks access to all
+        devices. In order to access specific devices "allow rules" for
+        particular devices or device classes must be specified. In contrast, a
+        denylist is a device program that by default allows access to all
+        devices. In order to restrict access to specific devices "deny rules"
+        for particular devices or device classes must be specified.
+        -->
+        許可リスト（allowlist）とは、すべてのデバイスへのアクセスをブロックするデバイスプログラムです。特定のデバイスへのアクセスを行うには、特定のデバイスもしくはデバイスクラスに対する「許可ルール（allow rules）」を指定する必要があります。
+        一方、拒否リスト（denylist）はデフォルトですべてのデバイスへのアクセスを許可するデバイスプログラムです。特定のデバイスへのアクセスを拒否するには、特定のデバイスもしくはデバイスクラスに対する「拒否ルール（deny rules）」を指定する必要があります。
+      </para>
+
+      <para>
+        <!--
+        In the unified cgroup hierarchy the implementation of the device
+        controller has completely changed. Instead of files to read from and
+        write to a eBPF program of
+        <option>BPF_PROG_TYPE_CGROUP_DEVICE</option> can be attached to a
+        cgroup. Even though the kernel implementation has changed completely
+        LXC tries to allow for the same semantics to be followed in the legacy
+        device cgroup and the unified eBPF-based device controller. The
+        following paragraphs explain the semantics for the unified eBPF-based
+        device controller.
+        -->
+        cgroup2 では、デバイスコントローラーの実装が完全に変わりました。読み書きするファイルの代わりに、<option>BPF_PROG_TYPE_CGROUP_DEVICE</option> の eBPF プログラムを cgroup にアタッチできます。
+        カーネルの実装が完全に変わったのにもかかわらず、LXC は cgroup1 のデバイスコントローラーと cgroup2 の eBPF ベースのデバイスコントローラーで同じセマンティクスに従えるようにしています。
+        このあとの段落では、cgroup2 の eBPF デバイスコントローラーに対するセマンティクスを説明します。
+      </para>
+
+      <para>
+        <!--
+        As mentioned the format for specifying device rules for the unified
+        eBPF-based device controller is the same as for the legacy cgroup
+        device controller; only the configuration key prefix has changed.
+        Specifically, device rules for the legacy cgroup device controller are
+        specified via <option>lxc.cgroup.devices.allow</option> and
+        <option>lxc.cgroup.devices.deny</option> whereas for the
+        cgroup2 eBPF-based device controller
+        <option>lxc.cgroup2.devices.allow</option> and
+        <option>lxc.cgroup2.devices.deny</option> must be used.
+        -->
+        先に述べたように、cgroup2 の eBPF ベースのデバイスコントローラーに対するデバイスルールを指定するフォーマットは、cgroup1 のデバイスコントローラーと同じです。ただし、設定キーのプレフィックスは変更されています。
+        具体的には、cgroup1 のデバイスコントローラーに対するデバイスルールは <option>lxc.cgroup.devices.allow</option> と <option>lxc.cgroup.devices.deny</option> を使って指定します。一方、cgroup2 の eBPF ベースのコントローラーでは <option>lxc.cgroup2.devices.allow</option> と <option>lxc.cgroup2.devices.deny</option> を使わなければなりません。
+      </para>
+      <para>
+        <itemizedlist>
+          <listitem>
+            <para>
+              <!--
+              A denylist device rule
+              <programlisting>
+                lxc.cgroup2.devices.deny = a
+              </programlisting>
+              will cause LXC to instruct the kernel to block access to all
+              devices by default. To grant access to devices allow device rules
+              must be added via the <option>lxc.cgroup2.devices.allow</option>
+              key. This is referred to as a "allowlist" device program.
+              -->
+              拒否リスト（denylist）のデバイスルール
+              <programlisting>
+                lxc.cgroup2.devices.deny = a
+              </programlisting>
+              は、カーネルに対してデフォルトですべてのデバイスへのアクセスをブロックするように LXC が指示します。
+              デバイスへのアクセスを許可するには、デバイスに対する許可ルールを <option>lxc.cgroup2.devices.allow</option> を使って追加する必要があります。これは「許可リスト」デバイスプログラムとして参照されます。
+            </para>
+          </listitem>
+
+          <listitem>
+            <para>
+              <!--
+              An allowlist device rule
+              <programlisting>
+                lxc.cgroup2.devices.allow = a
+              </programlisting>
+              will cause LXC to instruct the kernel to allow access to all
+              devices by default. To deny access to devices deny device rules
+              must be added via <option>lxc.cgroup2.devices.deny</option> key.
+              This is referred to as a "denylist" device program.
+              -->
+              許可リスト（allowlist）のデバイスルール
+              <programlisting>
+                lxc.cgroup2.devices.allow = a
+              </programlisting>
+              は、カーネルに対してすべてのデバイスへのアクセスをデフォルトで許可するように LXC が指示します。
+              デバイスへのアクセスを拒否するには、デバイスに対する拒否ルールを <option>lxc.cgroup2.devices.deny</option> を使って追加する必要があります。これは「拒否リスト」デバイスプログラムとして参照されます。
+            </para>
+          </listitem>
+
+          <listitem>
+            <para>
+              <!--
+              Specifying any of the aforementioned two rules will cause all
+              previous rules to be cleared, i.e. the device list will be reset.
+              -->
+              前述の 2 つのルールのいずれかを指定すると、それ以前に指定していたルールがすべてクリアされます。つまり、デバイスリストがリセットされます。
+            </para>
+          </listitem>
+
+          <listitem>
+            <para>
+              <!--
+            When an allowlist program is requested, i.e. access to all devices
+            is blocked by default, specific deny rules for individual devices
+            or device classes are ignored.
+                -->
+              許可リストプログラムが要求される場合、つまりデフォルトですべてのデバイスへのアクセスがブロックされている場合、個別のデバイスやデバイスクラスへの拒否ルールを指定しても無視されます。
+            </para>
+          </listitem>
+
+          <listitem>
+            <para>
+              <!--
+            When a denylist program is requested, i.e. access to all devices
+            is allowed by default, specific allow rules for individual devices
+            or device classes are ignored.
+                -->
+              拒否リストプログラムが要求される場合、つまりデフォルトですべてのデバイスへのアクセスが許可されている場合、個別のデバイスやデバイスクラスへの許可ルールを指定しても無視されます。
+            </para>
+          </listitem>
+        </itemizedlist>
+      </para>
+
+      <para>
+        <!--
+        For example the set of rules:
+          -->
+        例えば、次のようなルールの組
+        <programlisting>
+          lxc.cgroup2.devices.deny = a
+          lxc.cgroup2.devices.allow = c *:* m
+          lxc.cgroup2.devices.allow = b *:* m
+          lxc.cgroup2.devices.allow = c 1:3 rwm
+        </programlisting>
+        <!--
+        implements an allowlist device program, i.e. the kernel will block
+        access to all devices not specifically allowed in this list. This
+        particular program states that all character and block devices may be
+        created but only /dev/null might be read or written.
+          -->
+        は、許可リスト（allowlist）デバイスプログラムを実装します。つまり、カーネルはこのリストで許可されるように設定されていないすべてのデバイスへのアクセスをブロックします。
+        このプログラムでは、すべてのキャラクターデバイスとブロックデバイスが作成できますが、読み書きは /dev/null に対してしか行なえません。
+      </para>
+
+      <para>
+        <!--
+        If we instead switch to the following set of rules:
+          -->
+        代わりに先のルールから次のようなルールの組に変更したとすると、
+        <programlisting>
+          lxc.cgroup2.devices.allow = a
+          lxc.cgroup2.devices.deny = c *:* m
+          lxc.cgroup2.devices.deny = b *:* m
+          lxc.cgroup2.devices.deny = c 1:3 rwm
+        </programlisting>
+         <!--
+         then LXC would instruct the kernel to implement a denylist, i.e. the
+         kernel will allow access to all devices not specifically denied in
+         this list. This particular program states that no character devices or
+         block devices might be created and that /dev/null is not allow allowed
+         to be read, written, or created.
+           -->
+        LXC はカーネルに拒否リスト（denylist）の実装を指示します。つまりカーネルはこのリストで拒否を指定していないすべてのデバイスへのアクセスを許可します。
+        このプログラムでは、キャラクターデバイスとブロックデバイスは作成できません。そして /dev/null の読み書きと作成は許可されません。
+      </para>
+
+      <para>
+        <!--
+         Now consider the same program but followed by a "global rule"
+         which determines the type of device program (allowlist or
+         denylist) as explained above:
+          -->
+        ここで、同じプログラムでも、前述のようにデバイスのプログラムタイプを決定するような「グローバルルール」が続いている場合を考えてみましょう。
+        <programlisting>
+          lxc.cgroup2.devices.allow = a
+          lxc.cgroup2.devices.deny = c *:* m
+          lxc.cgroup2.devices.deny = b *:* m
+          lxc.cgroup2.devices.deny = c 1:3 rwm
+          lxc.cgroup2.devices.allow = a
+        </programlisting>
+        <!--
+        The last line will cause LXC to reset the device list without changing
+        the type of device program.
+          -->
+        最後の行は、デバイスプログラムのタイプを変更せずに、LXC がデバイスリストをリセットしてしまいます。
+      </para>
+
+      <para>
+        <!--
+        If we specify:
+          -->
+        次のように指定した場合、
+        <programlisting>
+          lxc.cgroup2.devices.allow = a
+          lxc.cgroup2.devices.deny = c *:* m
+          lxc.cgroup2.devices.deny = b *:* m
+          lxc.cgroup2.devices.deny = c 1:3 rwm
+          lxc.cgroup2.devices.deny = a
+        </programlisting>
+        <!--
+        instead then the last line will cause LXC to reset the device list and
+        switch from an allowlist program to a denylist program.
+          -->
+        前の例と違って最後の行によって、LXC はデバイスリストをリセットし、許可リスト（allowlist）から拒否リスト（denylist）にプログラムを変更してしまいます。
+      </para>
       <variablelist>
         <varlistentry>
           <term>
-            <option>lxc.cgroup.[control name]</option>
+            <option>lxc.cgroup.[control name].[controller file]</option>
           </term>
           <listitem>
             <para>
@@ -2048,7 +2387,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
               kernel running at the time the container is started, eg.
               <option>lxc.cgroup.cpuset.cpus</option>
               -->
-              legacy な cgroup 階層 (cgroup v1) に設定する値を指定します。コントローラー名は control group そのままの名前です。
+              レガシー cgroup 階層 (cgroup v1) に設定する値を指定します。コントローラー名は control group そのままの名前です。
               許される名前や値の書式は LXC が指定することはなく、コンテナが実行された時に実行されている Linux カーネルの機能に依存します。
               例えば <option>lxc.cgroup.cpuset.cpus</option> のようになります。
             </para>
@@ -2056,7 +2395,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
         </varlistentry>
         <varlistentry>
           <term>
-            <option>lxc.cgroup2.[controller name]</option>
+            <option>lxc.cgroup2.[controller name].[controller file]</option>
           </term>
           <listitem>
             <para>
@@ -2099,6 +2438,79 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
             </para>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term>
+            <option>lxc.cgroup.dir.container</option>
+          </term>
+          <listitem>
+            <para>
+	      <!--
+              This is similar to <option>lxc.cgroup.dir</option>, but must be
+              used together with <option>lxc.cgroup.dir.monitor</option> and
+              affects only the container's cgroup path. This option is mutually
+              exclusive with <option>lxc.cgroup.dir</option>.
+              Note that the final path the container attaches to may be
+              extended further by the
+              <option>lxc.cgroup.dir.container.inner</option> option.
+	      -->
+	      これは <option>lxc.cgroup.dir</option> と同様の設定ですが、かならず <option>lxc.cgroup.dir.monitor</option> と同時に使わなければなりません。そして、設定はコンテナの cgroup パスにのみ影響を与えます。このオプションは <option>lxc.cgroup.dir</option> と同時に設定できません。コンテナがアタッチされる最終的なパスは <option>lxc.cgroup.dir.container.inner</option> オプションによりさらに変更される可能性があります。
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>
+            <option>lxc.cgroup.dir.monitor</option>
+          </term>
+          <listitem>
+            <para>
+	      <!--
+              This is the monitor process counterpart to
+              <option>lxc.cgroup.dir.container</option>.
+	      -->
+	      このオプションは、モニタプロセスに対して<option>lxc.cgroup.dir.container</option> と同様の働きをします。
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>
+            <option>lxc.cgroup.dir.monitor.pivot</option>
+          </term>
+          <listitem>
+            <para>
+              <!--
+              On container termination the PID of the monitor process is attached to this cgroup.
+              This path should not be a subpath of any other configured cgroup dir to ensure
+              proper removal of other cgroup paths on container termination.
+              -->
+              コンテナ終了時に、モニタープロセスの PID がここで指定した cgroup にアタッチされます。
+              コンテナ終了時に、他の cgroup パスが確実に適切に削除されるように、ここに設定するパスは他で設定した cgroup ディレクトリのサブパスにすべきではありません。
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>
+            <option>lxc.cgroup.dir.container.inner</option>
+          </term>
+          <listitem>
+            <para>
+	      <!--
+              Specify an additional subdirectory where the cgroup namespace
+              will be created. With this option, the cgroup limits will be
+              applied to the outer path specified in
+              <option>lxc.cgroup.dir.container</option>, which is not accessible
+              from within the container, making it possible to better enforce
+              limits for privileged containers in a way they cannot override
+              them.
+              This only works in conjunction with the
+              <option>lxc.cgroup.dir.container</option> and
+              <option>lxc.cgroup.dir.monitor</option> options and has otherwise
+              no effect.
+	      -->
+	      cgroup 名前空間が作られる追加のサブディレクトリを指定します。このオプションを使うと、cgroup の制限は <option>lxc.cgroup.dir.container</option> で指定した外部パスに適用されます。<option>lxc.cgroup.dir.container</option> はコンテナ内部からアクセスできないため、特権コンテナに対する制限を上書きできない方法でよりよい方法で強制できます。
+	      このオプションは <option>lxc.cgroup.dir.container</option> と <option>lxc.cgroup.dir.monitor</option> と同時に指定したときのみ機能し、それ以外の場合は効果がありません。
+            </para>
+          </listitem>
+        </varlistentry>
         <varlistentry>
           <term>
             <option>lxc.cgroup.relative</option>
@@ -2239,7 +2651,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
             standard namespace identifiers as seen in the
             <filename>/proc/PID/ns</filename> directory.
             The <option>lxc.namespace.keep</option> is a
-            blacklist option, i.e. it is useful when enforcing that containers
+            denylist option, i.e. it is useful when enforcing that containers
             must keep a specific set of namespaces.
             -->
               コンテナが、作成元のプロセスから継承する (新しい名前空間を作らずに元のプロセスの名前空間のまま実行する) 名前空間を指定します。継承する名前空間はスペース区切りのリストで指定します。指定する名前空間名は、<filename>/proc/PID/ns</filename> ディレクトリ内に存在する標準の名前空間指示子でなければなりません。<option>lxc.namespace.keep</option> はブラックリストを指定するオプションです。つまり、コンテナに特定の名前空間を使い続けることを強制したい場合に便利です。
@@ -2352,6 +2764,39 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
 
           </listitem>
         </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>lxc.time.offset.boot</option>
+          </term>
+          <listitem>
+            <para>
+              <!--
+            Specify a positive or negative offset for the boottime clock. The
+            format accepts hours (h), minutes (m), seconds (s),
+            milliseconds (ms), microseconds (us), and nanoseconds (ns).
+                -->
+              ブートタイム(boottime)クロックの正または負のオフセット値を指定します。フォーマットは、時(h)、分(m)、秒(s)、ミリ秒(ms)、マイクロ秒(us)、ナノ秒(ns)を指定できます。
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>lxc.time.offset.monotonic</option>
+          </term>
+          <listitem>
+            <para>
+              <!--
+            Specify a positive or negative offset for the montonic clock. The
+            format accepts hours (h), minutes (m), seconds (s),
+            milliseconds (ms), microseconds (us), and nanoseconds (ns).
+                -->
+              monotonicクロックの正または負のオフセット値を指定します。フォーマットは、時(h)、分(m)、秒(s)、ミリ秒(ms)、マイクロ秒(us)、ナノ秒(ns)を指定できます。
+            </para>
+          </listitem>
+        </varlistentry>
+
       </variablelist>
     </refsect2>
 
@@ -2660,18 +3105,18 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
       <para>
         <!--
         Versions 1 and 2 are currently supported.  In version 1, the
-        policy is a simple whitelist.  The second line therefore must
-        read "whitelist", with the rest of the file containing one (numeric)
-        syscall number per line.  Each syscall number is whitelisted,
-        while every unlisted number is blacklisted for use in the container
+        policy is a simple allowlist.  The second line therefore must
+        read "allowlist", with the rest of the file containing one (numeric)
+        syscall number per line.  Each syscall number is allowlisted,
+        while every unlisted number is denylisted for use in the container
         -->
-        現時点では、バージョン番号は 1 と 2 をサポートしています。バージョン 1 では、ポリシーはシンプルなホワイトリストですので、2 行目は "whitelist" でなければなりません。
+        現時点では、バージョン番号は 1 と 2 をサポートしています。バージョン 1 では、ポリシーはシンプルなホワイトリストですので、2 行目は "allowlist" でなければなりません。
         そして残りの行には 1 行に 1 つずつ、システムコール番号を書きます。各行のシステムコール番号がホワイトリスト化され、リストにない番号は、そのコンテナではブラックリストに入ります。
       </para>
 
       <para>
         <!--
-       In version 2, the policy may be blacklist or whitelist,
+       In version 2, the policy may be denylist or allowlist,
        supports per-rule and per-policy default actions, and supports
        per-architecture system call resolution from textual names.
           -->
@@ -2679,7 +3124,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
       </para>
       <para>
         <!--
-       An example blacklist policy, in which all system calls are
+       An example denylist policy, in which all system calls are
        allowed except for mknod, which will simply do nothing and
        return 0 (success), looks like:
        -->
@@ -2688,7 +3133,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
 
       <programlisting>
       2
-      blacklist
+      denylist
       mknod errno 0
       ioctl notify
       </programlisting>
@@ -3730,7 +4175,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
         lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
         lxc.net.2.type = phys
         lxc.net.2.flags = up
-        lxc.net.2.link = dummy0
+        lxc.net.2.link = random0
         lxc.net.2.hwaddr = 4a:49:43:49:79:ff
         lxc.net.2.ipv4.address = 10.2.3.6/24
         lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297
@@ -3742,6 +4187,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
         lxc.mount.fstab = /etc/fstab.complex
         lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
         lxc.rootfs.path = dir:/mnt/rootfs.complex
+        lxc.rootfs.options = idmap=container
         lxc.cap.drop = sys_module mknod setuid net_raw
         lxc.cap.drop = mac_override
       </programlisting>

doc/ja/meson.build

@@ -0,0 +1,74 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+if want_mans
+    PAGES = [
+        ['lxc', '7'],
+        ['lxc.conf', '5'],
+        ['lxc.container.conf', '5'],
+        ['lxc.system.conf', '5'],
+        ['lxc-update-config', '1'],
+        ['lxc-usernet', '5'],
+        ['lxc-user-nic', '1'],
+        ['lxc-usernsexec', '1'],
+    ]
+
+    if want_tools
+        PAGES += [
+            ['lxc-attach', '1'],
+            ['lxc-autostart', '1'],
+            ['lxc-cgroup', '1'],
+            ['lxc-checkconfig', '1'],
+            ['lxc-checkpoint', '1'],
+            ['lxc-config', '1'],
+            ['lxc-console', '1'],
+            ['lxc-copy', '1'],
+            ['lxc-create', '1'],
+            ['lxc-destroy', '1'],
+            ['lxc-device', '1'],
+            ['lxc-execute', '1'],
+            ['lxc-freeze', '1'],
+            ['lxc-info', '1'],
+            ['lxc-ls', '1'],
+            ['lxc-monitor', '1'],
+            ['lxc-snapshot', '1'],
+            ['lxc-start', '1'],
+            ['lxc-stop', '1'],
+            ['lxc-top', '1'],
+            ['lxc-unfreeze', '1'],
+            ['lxc-unshare', '1'],
+            ['lxc-wait', '1'],
+        ]
+    endif
+
+    if want_pam_cgroup
+        PAGES += [
+            ['pam_cgfs', '8'],
+        ]
+    endif
+
+    # Common files.
+    configure_file(
+        configuration: docconf,
+        input: 'common_options.sgml.in',
+        output: 'common_options.sgml')
+
+    configure_file(
+        configuration: docconf,
+        input: 'see_also.sgml.in',
+        output: 'see_also.sgml')
+
+    # Initial templating.
+    foreach page : PAGES
+        sgml = configure_file(
+            configuration: docconf,
+            input: page[0] + '.sgml.in',
+            output: page[0] + '.sgml')
+
+        configure_file(
+            input: sgml,
+            output: page[0] + '.' + page[1],
+            command: [sgml2man, '--encoding=UTF-8', page[0] + '.sgml'],
+            install: true,
+            install_dir: join_paths(mandir, 'ja', 'man' + page[1]))
+    endforeach
+endif

doc/ja/pam_cgfs.sgml.in

@@ -93,17 +93,18 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
 
     <para>
       <!--
-      The <command>pam_cgfs.so</command> module can handle both pure cgroupfs v1
-      (<filename>/sys/fs/cgroup/$controller</filename>) and pure cgroupfs
-      v2 (<filename>/sys/fs/cgroup</filename>), as well as mixed mounts,
+      The <command>pam_cgfs.so</command> module can handle pure cgroupfs v1
+      (<filename>/sys/fs/cgroup/$controller</filename>) and mixed mounts,
       where some controllers are mounted in a standard cgroupfs v1 hierarchy
       (<filename>/sys/fs/cgroup/$controller</filename>) and others in
       cgroupfs v2 hierarchy (<filename>/sys/fs/cgroup/unified</filename>).
       Writeable cgroups are either created for all controllers or, if specified,
-      for only controllers listed as arguments on the command line.
-      -->
-      <command>pam_cgfs.so</command> モジュールは、cgroupfs v1 (<filename>/sys/fs/cgroup/$controller</filename>) と cgroupfs v2 (<filename>/sys/fs/cgroup</filename>) のいずれも扱えます。また、コントローラのいくつかが cgroupfs v1 ツリー (<filename>/sys/fs/cgroup/$controller</filename>) で、それ以外が cgroupfs v2 (<filename>/sys/fs/cgroup/unified</filename>) ツリーと言ったようなミックスでも扱えます。
+      for only controllers listed as arguments on the command line. 
+      Pure cgroup v2 mount is not covered by the pam_cgfs.so module.
+	-->
+      <command>pam_cgfs.so</command> モジュールは、純粋な cgroupfs v1 (<filename>/sys/fs/cgroup/$controller</filename>) ツリーと、コントローラのいくつかが cgroupfs v1 ツリー (<filename>/sys/fs/cgroup/$controller</filename>) で、それ以外が cgroupfs v2 (<filename>/sys/fs/cgroup/unified</filename>) ツリーと言ったようなミックスマウントを扱えます。
       書き込み可能な cgroup がすべてのコントローラ用に作られます。また、引数で指定すれば、指定したコントローラのみ書き込み可能な cgroup が作られます。
+      純粋な cgroup v2 のみのマウントは pam_cgfs.so モジュールでは対象外です。
     </para>
 
     <para>

doc/ko/FAQ.txt

@@ -38,30 +38,3 @@ Answer:
 read the lxc man page about kernel version prereq :) most probably
 your kernel is not configured to support the container options you
 want to use.
-
-
-Error:
-------
-
-On Ubuntu 8.10, if using the cvs source code rather than
-the provided tarball. Then make is failing with many errors
-similar to the line below:
-==========
-../../libtool: line 810: X--tag=CC: command not found
-==========
-
-Answer:
--------
-
-This is related to a compatibility problem between the shipped
-config/ltmain.sh and the libtool version installed on your
-Ubuntu 8.10 machine.
-You have to replace the config/ltmain.sh from cvs head by the one
-from your libtool package, make some cleaning and reissue all
-the build process:
-==========
-cd <your_lxc_working_dir>
-cp -f /usr/share/libtool/config/ltmain.sh config/
-rm -f libtool
-./bootstrap && ./configure && make && sudo make install
-==========

doc/ko/Makefile.am

@@ -1,60 +0,0 @@
-mandir = @mandir@/ko
-
-SUBDIRS =
-DIST_SUBDIRS =
-
-EXTRA_DIST = \
-	FAQ.txt
-
-if ENABLE_DOCBOOK
-man_MANS = \
-	lxc-attach.1 \
-	lxc-autostart.1 \
-	lxc-cgroup.1 \
-	lxc-checkconfig.1 \
-	lxc-checkpoint.1 \
-	lxc-config.1 \
-	lxc-console.1 \
-	lxc-copy.1 \
-	lxc-create.1 \
-	lxc-destroy.1 \
-	lxc-device.1 \
-	lxc-execute.1 \
-	lxc-freeze.1 \
-	lxc-info.1 \
-	lxc-ls.1 \
-	lxc-monitor.1 \
-	lxc-snapshot.1 \
-	lxc-start.1 \
-	lxc-stop.1 \
-	lxc-top.1 \
-	lxc-unfreeze.1 \
-	lxc-unshare.1 \
-	lxc-user-nic.1 \
-	lxc-usernsexec.1 \
-	lxc-wait.1 \
-	\
-	lxc.conf.5 \
-	lxc.container.conf.5 \
-	lxc.system.conf.5 \
-	lxc-usernet.5 \
-	\
-	lxc.7
-
-%.1 : %.sgml
-	$(db2xman) --encoding=UTF-8 $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-%.5 : %.sgml
-	$(db2xman) --encoding=UTF-8 $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-%.7 : %.sgml
-	$(db2xman) --encoding=UTF-8 $<
-	test "$(shell basename $@)" != "$@" && mv $(shell basename $@) $@ || true
-
-lxc-%.sgml : common_options.sgml see_also.sgml
-
-clean-local:
-	$(RM) manpage.* *.7 *.5 *.1 $(man_MANS)
-endif

doc/ko/common_options.sgml.in

@@ -105,16 +105,18 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
 	  Set log priority to
 	  <replaceable>LEVEL</replaceable>. The default log
 	  priority is <literal>ERROR</literal>. Possible values are :
-	  <literal>FATAL</literal>, <literal>CRIT</literal>,
+	  <literal>FATAL</literal>, <literal>ALERT</literal>,
+	  <literal>CRIT</literal>,
 	  <literal>WARN</literal>, <literal>ERROR</literal>,
 	  <literal>NOTICE</literal>, <literal>INFO</literal>,
-	  <literal>DEBUG</literal>.
+	  <literal>DEBUG</literal>, <literal>TRACE</literal>.
           -->
           로그 수준을 <replaceable>LEVEL</replaceable>로 지정한다. 기본값은 <literal>ERROR</literal>이다. 사용 가능한 값 :
-	  <literal>FATAL</literal>, <literal>CRIT</literal>,
+	  <literal>FATAL</literal>, <literal>ALERT</literal>,
+	  <literal>CRIT</literal>,
 	  <literal>WARN</literal>, <literal>ERROR</literal>,
 	  <literal>NOTICE</literal>, <literal>INFO</literal>,
-	  <literal>DEBUG</literal>.
+	  <literal>DEBUG</literal>, <literal>TRACE</literal>.
 	</para>
 	<para>
           <!--

doc/ko/lxc-attach.sgml.in

@@ -391,7 +391,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
 
       <varlistentry>
 	<term>
-	  <option>--u, --uid <replaceable>uid</replaceable></option>
+	  <option>-u, --uid <replaceable>uid</replaceable></option>
 	</term>
 	<listitem>
 	  <para>

doc/ko/lxc-autostart.sgml.in

@@ -182,7 +182,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
 
             <varlistentry>
                 <term>
-                    <option>-g,--group <replaceable>GROUP</replaceable></option>
+                    <option>-g,--groups <replaceable>GROUP</replaceable></option>
                 </term>
                 <listitem>
                     <para>

doc/ko/lxc-execute.sgml.in

@@ -180,7 +180,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
 
       <varlistentry>
 	<term>
-	  <option>--u, --uid <replaceable>uid</replaceable></option>
+	  <option>-u, --uid <replaceable>uid</replaceable></option>
 	</term>
 	<listitem>
 	  <para>

doc/ko/lxc-user-nic.sgml.in

@@ -76,7 +76,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
       <!--
       It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
       to determine the number of interfaces which the calling user is allowed to
-      create, and which bridge he may attach them to.  It tracks the
+      create, and which bridge they may attach them to.  It tracks the
       number of interfaces each user has created using the file
       <filename>@LXC_USERNIC_DB@</filename>.  It ensures that the calling
       user is privileged over the network namespace to which the interface

doc/ko/lxc.container.conf.sgml.in

@@ -844,7 +844,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
               <!--
 	      If set, the container will have a new pseudo tty
 	      instance, making this private to it. The value specifies
-              the maximum number of pseudo ttys allowed for a pts
+              the maximum number of pseudo ttys allowed for a pty
               instance (this limitation is not implemented yet).
               -->
               만약 지정되었다면, 컨테이너는 새 pseudo tty 인스턴스를 갖는다. 그리고 이것을 자기자신 전용으로 만든다. 지정하는 값은 pseudo tty의 최대 개수를 지정한다. (이 제한은 아직 구현되지 않았다)
@@ -1060,7 +1060,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
         the container at some <filename>path</filename>, and then mounts
         under <filename>path</filename>, then a TOCTTOU attack would be
         possible where the container user modifies a symbolic link under
-        his home directory at just the right time.
+        their home directory at just the right time.
         -->
         주의 - 보통 LXC는 마운트 대상과 상대 경로로 된 바인드 마운트 소스들이 컨테이너의 루트 아래에 있도록 보장할 것이다. 이는 호스트 디렉토리와 파일들을 겹쳐서 마운트하는 유형의 공격을 피하기 위한 것이다. (절대 경로로 된 마운트 소스 내에 존재하는 심볼릭 링크들은 무시될 것이다.)
         하지만, 만약 컨테이너 설정에서 컨테이너 사용자가 제어할 수 있는, 예를 들어 /home/joe와 같은 디렉토리를 컨테이너 내의 <filename>path</filename>에 먼저 마운트 하고 나서,  <filename>path</filename> 내에 또 마운트를 하는 경우가 있다면,
@@ -1736,17 +1736,17 @@ proc proc proc nodev,noexec,nosuid 0 0
       <para>
         <!--
         Versions 1 and 2 are currently supported.  In version 1, the
-	policy is a simple whitelist.  The second line therefore must
-	read "whitelist", with the rest of the file containing one (numeric)
-	syscall number per line.  Each syscall number is whitelisted,
-	while every unlisted number is blacklisted for use in the container
+	policy is a simple allowlist.  The second line therefore must
+	read "allowlist", with the rest of the file containing one (numeric)
+	syscall number per line.  Each syscall number is allowlisted,
+	while every unlisted number is denylisted for use in the container
         -->
-        현재는 버전1과 2만 지원된다. 버전 1에서는 정책은 단순한 화이트리스트이다. 그러므로 두번째 라인은 반드시 "whitelist"여야 한다. 파일의 나머지 내용은 한 줄에 하나의 시스템콜 번호로 채워진다. 화이트리스트에 없는 번호는 컨테이너에서 블랙리스트로 들어간다.
+        현재는 버전1과 2만 지원된다. 버전 1에서는 정책은 단순한 화이트리스트이다. 그러므로 두번째 라인은 반드시 "allowlist"여야 한다. 파일의 나머지 내용은 한 줄에 하나의 시스템콜 번호로 채워진다. 화이트리스트에 없는 번호는 컨테이너에서 블랙리스트로 들어간다.
       </para>
 
       <para>
         <!--
-       In version 2, the policy may be blacklist or whitelist,
+       In version 2, the policy may be denylist or allowlist,
        supports per-rule and per-policy default actions, and supports
        per-architecture system call resolution from textual names.
           -->
@@ -1754,7 +1754,7 @@ proc proc proc nodev,noexec,nosuid 0 0
       </para>
       <para>
         <!--
-       An example blacklist policy, in which all system calls are
+       An example denylist policy, in which all system calls are
        allowed except for mknod, which will simply do nothing and
        return 0 (success), looks like:
        -->
@@ -1762,7 +1762,7 @@ proc proc proc nodev,noexec,nosuid 0 0
       </para>
 <screen>
 2
-blacklist
+denylist
 mknod errno 0
 </screen>
       <variablelist>
@@ -2613,7 +2613,7 @@ mknod errno 0
 	lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
 	lxc.net.2.type = phys
 	lxc.net.2.flags = up
-	lxc.net.2.link = dummy0
+	lxc.net.2.link = random0
 	lxc.net.2.hwaddr = 4a:49:43:49:79:ff
 	lxc.net.2.ipv4.address = 10.2.3.6/24
 	lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297