@@ -72,16 +72,6 @@ RUN cd /usr/local/lvm2 \

 	&& make install_device-mapper

 # see https://git.fedorahosted.org/cgit/lvm2.git/tree/INSTALL

-# Install lxc

-ENV LXC_VERSION 1.1.2

-RUN mkdir -p /usr/src/lxc \

-	&& curl -sSL https://linuxcontainers.org/downloads/lxc/lxc-${LXC_VERSION}.tar.gz | tar -v -C /usr/src/lxc/ -xz --strip-components=1

-RUN cd /usr/src/lxc \

-	&& ./configure \

-	&& make \

-	&& make install \

-	&& ldconfig

-

 # Install Go

 ENV GO_VERSION 1.5.1

 RUN curl -sSL  "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" | tar -v -C /usr/local -xz

@@ -39,16 +39,6 @@ RUN cd /usr/local/lvm2 \

 	&& make install_device-mapper

 # see https://git.fedorahosted.org/cgit/lvm2.git/tree/INSTALL

-# Install lxc

-ENV LXC_VERSION 1.1.2

-RUN mkdir -p /usr/src/lxc \

-	&& curl -sSL https://linuxcontainers.org/downloads/lxc/lxc-${LXC_VERSION}.tar.gz | tar -v -C /usr/src/lxc/ -xz --strip-components=1

-RUN cd /usr/src/lxc \

-	&& ./configure \

-	&& make \

-	&& make install \

-	&& ldconfig

-

 ENV GOPATH /go:/go/src/github.com/docker/docker/vendor

 # Get the "docker-py" source so we can run their integration tests

@@ -26,7 +26,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \

 		xz-utils \

 		\

 		aufs-tools \

-		lxc \

 	&& rm -rf /var/lib/apt/lists/*

 ENV AUTO_GOPATH 1

@@ -264,7 +264,6 @@ type ContainerJSONBase struct {

 	Name            string

 	RestartCount    int

 	Driver          string

-	ExecDriver      string

 	MountLabel      string

 	ProcessLabel    string

 	AppArmorProfile string

@@ -40,7 +40,6 @@ RUN	apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq \

 	libapparmor-dev \

 	libcap-dev \

 	libsqlite3-dev \

-	lxc=1.0* \

 	mercurial \

 	pandoc \

 	parallel \

@@ -1,6 +1,6 @@

 (from "ubuntu:14.04")

 (maintainer "Tianon Gravi <admwiggin@gmail.com> (@tianon)")

-(run "apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq \tapt-utils \taufs-tools \tautomake \tbtrfs-tools \tbuild-essential \tcurl \tdpkg-sig \tgit \tiptables \tlibapparmor-dev \tlibcap-dev \tlibsqlite3-dev \tlxc=1.0* \tmercurial \tpandoc \tparallel \treprepro \truby1.9.1 \truby1.9.1-dev \ts3cmd=1.1.0* \t--no-install-recommends")

+(run "apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -yq \tapt-utils \taufs-tools \tautomake \tbtrfs-tools \tbuild-essential \tcurl \tdpkg-sig \tgit \tiptables \tlibapparmor-dev \tlibcap-dev \tlibsqlite3-dev \tmercurial \tpandoc \tparallel \treprepro \truby1.9.1 \truby1.9.1-dev \ts3cmd=1.1.0* \t--no-install-recommends")

 (run "git clone --no-checkout https://git.fedorahosted.org/git/lvm2.git /usr/local/lvm2 && cd /usr/local/lvm2 && git checkout -q v2_02_103")

 (run "cd /usr/local/lvm2 && ./configure --enable-static_link && make device-mapper && make install_device-mapper")

 (run "curl -sSL https://golang.org/dl/go1.3.src.tar.gz | tar -v -C /usr/local -xz")

@@ -659,7 +659,6 @@ _docker_daemon() {

 		--dns

 		--dns-search

 		--dns-opt

-		--exec-driver -e

 		--exec-opt

 		--exec-root

 		--fixed-cidr

@@ -1379,7 +1378,6 @@ _docker_run() {

 		--link

 		--log-driver

 		--log-opt

-		--lxc-conf

 		--mac-address

 		--memory -m

 		--memory-swap

@@ -51,7 +51,6 @@ complete -c docker -f -n '__fish_docker_no_subcommand' -s d -l daemon -d 'Enable

 complete -c docker -f -n '__fish_docker_no_subcommand' -l dns -d 'Force Docker to use specific DNS servers'

 complete -c docker -f -n '__fish_docker_no_subcommand' -l dns-opt -d 'Force Docker to use specific DNS options'

 complete -c docker -f -n '__fish_docker_no_subcommand' -l dns-search -d 'Force Docker to use specific DNS search domains'

-complete -c docker -f -n '__fish_docker_no_subcommand' -s e -l exec-driver -d 'Force the Docker runtime to use a specific exec driver'

 complete -c docker -f -n '__fish_docker_no_subcommand' -l exec-opt -d 'Set exec driver options'

 complete -c docker -f -n '__fish_docker_no_subcommand' -l fixed-cidr -d 'IPv4 subnet for fixed IPs (e.g. 10.20.0.0/16)'

 complete -c docker -f -n '__fish_docker_no_subcommand' -l fixed-cidr-v6 -d 'IPv6 subnet for fixed IPs (e.g.: 2001:a02b/48)'

@@ -135,7 +134,6 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l help -d 'Pri

 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s i -l interactive -d 'Keep STDIN open even if not attached'

 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l ipc -d 'Default is to create a private IPC namespace (POSIX SysV IPC) for the container'

 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l link -d 'Add link to another container in the form of <name|id>:alias'

-complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l lxc-conf -d '(lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1"'

 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -s m -l memory -d 'Memory limit (format: <number>[<unit>], where unit = b, k, m or g)'

 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l mac-address -d 'Container MAC address (e.g. 92:d0:c6:0a:29:33)'

 complete -c docker -A -f -n '__fish_seen_subcommand_from create' -l memory-swap -d "Total memory usage (memory + swap), set '-1' to disable swap (format: <number>[<unit>], where unit = b, k, m or g)"

@@ -324,7 +322,6 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l help -d 'Print

 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s i -l interactive -d 'Keep STDIN open even if not attached'

 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l ipc -d 'Default is to create a private IPC namespace (POSIX SysV IPC) for the container'

 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l link -d 'Add link to another container in the form of <name|id>:alias'

-complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l lxc-conf -d '(lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1"'

 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s m -l memory -d 'Memory limit (format: <number>[<unit>], where unit = b, k, m or g)'

 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l mac-address -d 'Container MAC address (e.g. 92:d0:c6:0a:29:33)'

 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l memory-swap -d "Total memory usage (memory + swap), set '-1' to disable swap (format: <number>[<unit>], where unit = b, k, m or g)"

@@ -438,7 +438,6 @@ __docker_subcommand() {

         "($help)*"{-l=,--label=}"[Set meta data on a container]:label: "

         "($help)--log-driver=[Default driver for container logs]:Logging driver:(json-file syslog journald gelf fluentd awslogs splunk none)"

         "($help)*--log-opt=[Log driver specific options]:log driver options: "

-        "($help)*--lxc-conf=[Add custom lxc options]:lxc options: "

         "($help)--mac-address=[Container MAC address]:MAC address: "

         "($help)--name=[Container name]:name: "

         "($help)--net=[Connect a container to a network]:network mode:(bridge none container host)"

@@ -541,7 +540,6 @@ __docker_subcommand() {

                 "($help)*--dns-opt=[DNS options to use]:DNS option: " \

                 "($help)*--default-ulimit=[Set default ulimit settings for containers]:ulimit: " \

                 "($help)--disable-legacy-registry[Do not contact legacy registries]" \

-                "($help -e --exec-driver)"{-e=,--exec-driver=}"[Exec driver to use]:driver:(native lxc windows)" \

                 "($help)*--exec-opt=[Set exec driver options]:exec driver options: " \

                 "($help)--exec-root=[Root of the Docker execdriver]:path:_directories" \

                 "($help)--fixed-cidr=[IPv4 subnet for fixed IPs]:IPv4 subnet: " \

@@ -14,10 +14,6 @@

 /var/run/docker\.sock		-s	gen_context(system_u:object_r:docker_var_run_t,s0)

 /var/run/docker-client(/.*)?		gen_context(system_u:object_r:docker_var_run_t,s0)

-/var/lock/lxc(/.*)?		gen_context(system_u:object_r:docker_lock_t,s0)

-

-/var/log/lxc(/.*)?		gen_context(system_u:object_r:docker_log_t,s0)

-

 /var/lib/docker/init(/.*)?		gen_context(system_u:object_r:docker_share_t,s0)

 /var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:docker_share_t,s0)

 /var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:docker_share_t,s0)

@@ -292,7 +292,6 @@ interface(`docker_filetrans_named_content',`

     files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")

     files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")

     files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")

-    logging_log_filetrans($1, docker_log_t, dir, "lxc")

     files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")

     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")

     filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")

@@ -406,11 +405,6 @@ interface(`staff_stub',`

         type staff_t;

     ')

 ')

-interface(`virt_stub_lxc',`

-	gen_require(`

-		type virtd_lxc_t;

-	')

-')

 interface(`virt_stub_svirt_sandbox_domain',`

 	gen_require(`

 		attribute svirt_sandbox_domain;

@@ -90,7 +90,6 @@ files_etc_filetrans(docker_t, docker_config_t, dir, "docker")

 manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)

 manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)

-files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")

 manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)

 manage_files_pattern(docker_t, docker_log_t, docker_log_t)

@@ -213,10 +212,6 @@ optional_policy(`

 	openvswitch_stream_connect(docker_t)

 ')

-#

-# lxc rules

-#

-

 allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };

 allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };

@@ -317,7 +312,6 @@ optional_policy(`

 	virt_exec_sandbox_files(docker_t)

 	virt_manage_sandbox_files(docker_t)

 	virt_relabel_sandbox_filesystem(docker_t)

-	# for lxc

 	virt_transition_svirt_sandbox(docker_t, system_r)

 	virt_mounton_sandbox_file(docker_t)

 #	virt_attach_sandbox_tun_iface(docker_t)

@@ -388,11 +382,6 @@ optional_policy(`

 ')

 optional_policy(`

-    virt_stub_lxc()

-    docker_exec_lib(virtd_lxc_t)

-')

-

-optional_policy(`

     virt_stub_svirt_sandbox_domain()

     virt_stub_svirt_sandbox_file()

     allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;

deleted file mode 100755

@@ -1,77 +0,0 @@

-#!/usr/bin/perl

-#

-# A simple helper script to help people build seccomp profiles for

-# Docker/LXC.  The goal is mostly to reduce the attack surface to the

-# kernel, by restricting access to rarely used, recently added or not used

-# syscalls.

-#

-# This script processes one or more files which contain the list of system

-# calls to be allowed.  See mkseccomp.sample for more information how you

-# can configure the list of syscalls.  When run, this script produces output

-# which, when stored in a file, can be passed to docker as follows:

-#

-# docker run --lxc-conf="lxc.seccomp=$file" <rest of arguments>

-#

-# The included sample file shows how to cut about a quarter of all syscalls,

-# which affecting most applications.

-#

-# For specific situations it is possible to reduce the list further. By

-# reducing the list to just those syscalls required by a certain application

-# you can make it difficult for unknown/unexpected code to run.

-#

-# Run this script as follows:

-#

-# ./mkseccomp.pl < mkseccomp.sample >syscalls.list

-# or

-# ./mkseccomp.pl mkseccomp.sample >syscalls.list

-#

-# Multiple files can be specified, in which case the lists of syscalls are

-# combined.

-#

-# By Martijn van Oosterhout <kleptog@svana.org> Nov 2013

-

-# How it works:

-#

-# This program basically spawns two processes to form a chain like:

-#

-# <process data section to prefix __NR_> | cpp | <add header and filter unknown syscalls>

-

-use strict;

-use warnings;

-

-if( -t ) {

-    print STDERR "Helper script to make seccomp filters for Docker/LXC.\n";

-    print STDERR "Usage: mkseccomp.pl < [files...]\n";

-    exit 1;

-}

-

-my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n";

-

-if($pid == 0) {  # Child

-    $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n";

-

-    if($pid == 0) { # Child, which execs cpp

-        exec "cpp" or die "Couldn't exec cpp ($!)\n";

-        exit 1;

-    }

-

-    # Process the DATA section and output to cpp

-    print $out "#include <sys/syscall.h>\n";

-    while(<>) {

-        if(/^\w/) {

-            print $out "__NR_$_";

-        }

-    }

-    close $out;

-    exit 0;

-

-}

-

-# Print header and then process output from cpp.

-print "1\n";

-print "whitelist\n";

-

-while(<$in>) {

-    print if( /^[0-9]/ );

-}

-

deleted file mode 100644

@@ -1,444 +0,0 @@

-/* This sample file is an example for mkseccomp.pl to produce a seccomp file

- * which restricts syscalls that are only useful for an admin but allows the

- * vast majority of normal userspace programs to run normally.

- *

- * The format of this file is one line per syscall.  This is then processed

- * and passed to 'cpp' to convert the names to numbers using whatever is

- * correct for your platform.  As such C-style comments are permitted.  Note

- * this also means that C preprocessor macros are also allowed.  So it is

- * possible to create groups surrounded by #ifdef/#endif and control their

- * inclusion via #define (not #include).

- *

- * Syscalls that don't exist on your architecture are silently filtered out.

- * Syscalls marked with (*) are required for a container to spawn a bash

- * shell successfully (not necessarily full featured).  Listing the same

- * syscall multiple times is no problem.

- *

- * If you want to make a list specifically for one application the easiest

- * way is to run the application under strace, like so:

- *

- * $ strace -f -q -c -o strace.out application args...

- *

- * Once you have a reasonable sample of the execution of the program, exit

- * it.  The file strace.out will have a summary of the syscalls used.  Copy

- * that list into this file, comment out everything else except the starred

- * syscalls (which you need for the container to start) and you're done.

- *

- * To get the list of syscalls from the strace output this works well for

- * me

- *

- * $ cut -c52 < strace.out

- *

- * This sample list was compiled as a combination of all the syscalls

- * available on i386 and amd64 on Ubuntu Precise, as such it may not contain

- * everything and not everything may be relevant for your system.  This

- * shouldn't be a problem.

- */

-

-// Filesystem/File descriptor related

-access                 // (*)

-chdir                  // (*)

-chmod

-chown

-chown32

-close                  // (*)

-creat

-dup                    // (*)

-dup2                   // (*)

-dup3

-epoll_create

-epoll_create1

-epoll_ctl

-epoll_ctl_old

-epoll_pwait

-epoll_wait

-epoll_wait_old

-eventfd

-eventfd2

-faccessat              // (*)

-fadvise64

-fadvise64_64

-fallocate

-fanotify_init

-fanotify_mark

-ioctl                  // (*)

-fchdir

-fchmod

-fchmodat

-fchown

-fchown32

-fchownat

-fcntl                  // (*)

-fcntl64

-fdatasync

-fgetxattr

-flistxattr

-flock

-fremovexattr

-fsetxattr

-fstat                  // (*)

-fstat64

-fstatat64

-fstatfs

-fstatfs64

-fsync

-ftruncate

-ftruncate64

-getcwd                 // (*)

-getdents               // (*)

-getdents64

-getxattr

-inotify_add_watch

-inotify_init

-inotify_init1

-inotify_rm_watch

-io_cancel

-io_destroy

-io_getevents

-io_setup

-io_submit

-lchown

-lchown32

-lgetxattr

-link

-linkat

-listxattr

-llistxattr

-llseek

-_llseek

-lremovexattr

-lseek                  // (*)

-lsetxattr

-lstat

-lstat64

-mkdir

-mkdirat

-mknod

-mknodat

-newfstatat

-_newselect

-oldfstat

-oldlstat

-oldolduname

-oldstat

-olduname

-oldwait4

-open                   // (*)

-openat                 // (*)

-pipe                   // (*)

-pipe2

-poll

-ppoll

-pread64

-preadv

-futimesat

-pselect6

-pwrite64

-pwritev

-read                   // (*)

-readahead

-readdir

-readlink

-readlinkat

-readv

-removexattr

-rename

-renameat

-rmdir

-select

-sendfile

-sendfile64

-setxattr

-splice

-stat                   // (*)

-stat64

-statfs                 // (*)

-statfs64

-symlink

-symlinkat

-sync

-sync_file_range

-sync_file_range2

-syncfs

-tee

-truncate

-truncate64

-umask

-unlink

-unlinkat

-ustat

-utime

-utimensat

-utimes

-write                  // (*)

-writev

-

-// Network related

-accept

-accept4

-bind                   // (*)

-connect                // (*)

-getpeername

-getsockname            // (*)

-getsockopt

-listen

-recv

-recvfrom               // (*)

-recvmmsg

-recvmsg

-send

-sendmmsg

-sendmsg

-sendto                 // (*)

-setsockopt

-shutdown

-socket                 // (*)

-socketcall

-socketpair

-sethostname            // (*)

-

-// Signal related

-pause

-rt_sigaction           // (*)

-rt_sigpending

-rt_sigprocmask         // (*)

-rt_sigqueueinfo

-rt_sigreturn           // (*)

-rt_sigsuspend

-rt_sigtimedwait

-rt_tgsigqueueinfo

-sigaction

-sigaltstack            // (*)

-signal

-signalfd

-signalfd4

-sigpending

-sigprocmask

-sigreturn

-sigsuspend

-

-// Other needed POSIX

-alarm

-brk                    // (*)

-clock_adjtime

-clock_getres

-clock_gettime

-clock_nanosleep

-//clock_settime

-gettimeofday

-nanosleep

-nice

-sysinfo

-syslog

-time

-timer_create

-timer_delete

-timerfd_create

-timerfd_gettime

-timerfd_settime

-timer_getoverrun

-timer_gettime

-timer_settime

-times

-uname                  // (*)

-

-// Memory control

-madvise

-mbind

-mincore

-mlock

-mlockall

-mmap                   // (*)

-mmap2

-mprotect               // (*)

-mremap

-msync

-munlock

-munlockall

-munmap                 // (*)

-remap_file_pages

-set_mempolicy

-vmsplice

-

-// Process control

-capget

-capset                 // (*)

-clone                  // (*)

-execve                 // (*)

-exit                   // (*)

-exit_group             // (*)

-fork

-getcpu

-getpgid

-getpgrp                // (*)

-getpid                 // (*)

-getppid                // (*)

-getpriority

-getresgid

-getresgid32

-getresuid

-getresuid32

-getrlimit              // (*)

-getrusage

-getsid

-getuid                 // (*)

-getuid32

-getegid                // (*)

-getegid32

-geteuid                // (*)

-geteuid32

-getgid                 // (*)

-getgid32

-getgroups

-getgroups32

-getitimer

-get_mempolicy

-kill

-//personality

-prctl

-prlimit64

-sched_getaffinity

-sched_getparam

-sched_get_priority_max

-sched_get_priority_min

-sched_getscheduler

-sched_rr_get_interval

-//sched_setaffinity

-//sched_setparam

-//sched_setscheduler

-sched_yield

-setfsgid

-setfsgid32

-setfsuid

-setfsuid32

-setgid

-setgid32

-setgroups

-setgroups32

-setitimer

-setpgid                // (*)

-setpriority

-setregid

-setregid32

-setresgid

-setresgid32

-setresuid

-setresuid32

-setreuid

-setreuid32

-setrlimit

-setsid

-setuid

-setuid32

-ugetrlimit

-vfork

-wait4                  // (*)

-waitid

-waitpid

-

-// IPC

-ipc

-mq_getsetattr

-mq_notify

-mq_open

-mq_timedreceive

-mq_timedsend

-mq_unlink

-msgctl

-msgget

-msgrcv

-msgsnd

-semctl

-semget

-semop

-semtimedop

-shmat

-shmctl

-shmdt

-shmget

-

-// Linux specific, mostly needed for thread-related stuff

-arch_prctl             // (*)

-get_robust_list

-get_thread_area

-gettid

-futex                  // (*)

-restart_syscall        // (*)

-set_robust_list        // (*)

-set_thread_area

-set_tid_address        // (*)

-tgkill

-tkill

-

-// Admin syscalls, these are blocked

-//acct

-//adjtimex

-//bdflush

-//chroot

-//create_module

-//delete_module

-//get_kernel_syms      // Obsolete

-//idle                 // Obsolete

-//init_module

-//ioperm

-//iopl

-//ioprio_get

-//ioprio_set

-//kexec_load

-//lookup_dcookie       // oprofile only?

-//migrate_pages        // NUMA

-//modify_ldt

-//mount

-//move_pages           // NUMA

-//name_to_handle_at    // NFS server

-//nfsservctl           // NFS server

-//open_by_handle_at    // NFS server

-//perf_event_open

-//pivot_root

-//process_vm_readv     // For debugger

-//process_vm_writev    // For debugger

-//ptrace               // For debugger

-//query_module

-//quotactl

-//reboot

-//setdomainname

-//setns

-//settimeofday

-//sgetmask             // Obsolete

-//ssetmask             // Obsolete

-//stime

-//swapoff

-//swapon

-//_sysctl

-//sysfs

-//sys_setaltroot

-//umount

-//umount2

-//unshare

-//uselib

-//vhangup

-//vm86

-//vm86old

-

-// Kernel key management

-//add_key

-//keyctl

-//request_key

-

-// Unimplemented

-//afs_syscall

-//break

-//ftime

-//getpmsg

-//gtty

-//lock

-//madvise1

-//mpx

-//prof

-//profil

-//putpmsg

-//security

-//stty

-//tuxcall

-//ulimit

-//vserver

@@ -25,7 +25,7 @@ The initial Docker upstart script will not work because it runs on `127.0.0.1`,

 ```

 description     "Docker daemon"

-start on filesystem and started lxc-net

+start on filesystem

 stop on runlevel [!2345]

 respawn

@@ -21,7 +21,6 @@ type CommonConfig struct {

 	DNS            []string

 	DNSOptions     []string

 	DNSSearch      []string

-	ExecDriver     string

 	ExecOptions    []string

 	ExecRoot       string

 	GraphDriver    string

@@ -62,7 +61,6 @@ func (config *Config) InstallCommonFlags(cmd *flag.FlagSet, usageFn func(string)

 	cmd.StringVar(&config.ExecRoot, []string{"-exec-root"}, "/var/run/docker", usageFn("Root of the Docker execdriver"))

 	cmd.BoolVar(&config.AutoRestart, []string{"#r", "#-restart"}, true, usageFn("--restart on the daemon has been deprecated in favor of --restart policies on docker run"))

 	cmd.StringVar(&config.GraphDriver, []string{"s", "-storage-driver"}, "", usageFn("Storage driver to use"))

-	cmd.StringVar(&config.ExecDriver, []string{"e", "-exec-driver"}, defaultExec, usageFn("Exec driver to use"))

 	cmd.IntVar(&config.Mtu, []string{"#mtu", "-mtu"}, 0, usageFn("Set the containers network MTU"))

 	// FIXME: why the inconsistency between "hosts" and "sockets"?

 	cmd.Var(opts.NewListOptsRef(&config.DNS, opts.ValidateIPAddress), []string{"#dns", "-dns"}, usageFn("DNS server to use"))

@@ -17,8 +17,6 @@ var (

 )

 // Config defines the configuration of a docker daemon.

-// These are the configuration settings that you pass

-// to the docker daemon when you launch it with say: `docker daemon -e lxc`

 type Config struct {

 	CommonConfig

@@ -63,7 +63,6 @@ type CommonContainer struct {

 	LogPath         string

 	Name            string

 	Driver          string

-	ExecDriver      string

 	// MountLabel contains the options for the 'mount' command

 	MountLabel             string

 	ProcessLabel           string

@@ -258,7 +257,6 @@ func (container *Container) jsonPath() (string, error) {

 	return container.getRootResourcePath("config.json")

 }

-// This method must be exported to be used from the lxc template

 // This directory is only usable when the container is running

 func (container *Container) rootfsPath() string {

 	return container.basefs

@@ -255,12 +255,6 @@ func (daemon *Daemon) populateCommand(c *Container, env []string) error {

 	autoCreatedDevices := mergeDevices(configs.DefaultAutoCreatedDevices, userSpecifiedDevices)

-	// TODO: this can be removed after lxc-conf is fully deprecated

-	lxcConfig, err := mergeLxcConfIntoOptions(c.hostConfig)

-	if err != nil {

-		return err

-	}

-

 	var rlimits []*ulimit.Rlimit

 	ulimits := c.hostConfig.Ulimits

@@ -345,7 +339,6 @@ func (daemon *Daemon) populateCommand(c *Container, env []string) error {

 		GIDMapping:         gidMap,

 		GroupAdd:           c.hostConfig.GroupAdd,

 		Ipc:                ipc,

-		LxcConfig:          lxcConfig,

 		Pid:                pid,

 		ReadonlyRootfs:     c.hostConfig.ReadonlyRootfs,

 		RemappedRoot:       remappedRoot,

@@ -451,7 +451,6 @@ func (daemon *Daemon) generateNewName(id string) (string, error) {

 func (daemon *Daemon) generateHostname(id string, config *runconfig.Config) {

 	// Generate default hostname

-	// FIXME: the lxc template no longer needs to set a default hostname

 	if config.Hostname == "" {

 		config.Hostname = id[:12]

 	}

@@ -490,7 +489,6 @@ func (daemon *Daemon) newContainer(name string, config *runconfig.Config, imgID

 	base.NetworkSettings = &network.Settings{IsAnonymousEndpoint: noExplicitName}

 	base.Name = name

 	base.Driver = daemon.driver.String()

-	base.ExecDriver = daemon.execDriver.Name()

 	return base, err

 }

@@ -786,13 +784,6 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo

 	d.containerGraphDB = graph

 	var sysInitPath string

-	if config.ExecDriver == "lxc" {

-		initPath, err := configureSysInit(config, rootUID, rootGID)

-		if err != nil {

-			return nil, err

-		}

-		sysInitPath = initPath

-	}

 	sysInfo := sysinfo.New(false)

 	// Check if Devices cgroup is mounted, it is hard requirement for container security,

@@ -801,7 +792,7 @@ func NewDaemon(config *Config, registryService *registry.Service) (daemon *Daemo

 		return nil, fmt.Errorf("Devices cgroup isn't mounted")

 	}

-	ed, err := execdrivers.NewDriver(config.ExecDriver, config.ExecOptions, config.ExecRoot, config.Root, sysInitPath, sysInfo)

+	ed, err := execdrivers.NewDriver(config.ExecOptions, config.ExecRoot, config.Root, sysInitPath, sysInfo)

 	if err != nil {

 		return nil, err

 	}

@@ -15,11 +15,8 @@ import (

 )

 func setupRemappedRoot(config *Config) ([]idtools.IDMap, []idtools.IDMap, error) {

-	if config.ExecDriver != "native" && config.RemappedRoot != "" {