lxc.conf.sgml.in: fill in missing configuration file statements

doc/lxc.conf.sgml.in

@@ -76,6 +76,32 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
     </para>
 
     <refsect2>
+      <title>Configuration</title>
+      <para>
+	In order to ease administration of multiple related containers, it
+	is possible to have a container configuration file cause another
+	file to be loaded.  For instance, network configuration
+	can be defined in one common file which is included by multiple
+	containers.  Then, if the containers are moved to another host,
+	only one file may need to be updated.
+      </para>
+
+      <variablelist>
+	<varlistentry>
+	  <term>
+	    <option>lxc.include</option>
+	  </term>
+	  <listitem>
+	    <para>
+	      Specify the file to be included.  The included file must be
+	      in the same valid lxc configuration file format.
+	    </para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
+    </refsect2>
+
+    <refsect2>
       <title>Architecture</title>
       <para>
 	Allows to set the architecture for the container. For example,
@@ -395,6 +421,11 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 	      type, other arguments may be passed:
 	      veth/macvlan/phys. And finally (host-sided) device name.
 	    </para>
+	    <para>
+	      Standard output from the script is logged at debug level.
+	      Standard error is not logged, but can be captured by the
+	      hook redirecting its standard error to standard output.
+	    </para>
 	  </listitem>
 	</varlistentry>
 
@@ -415,6 +446,11 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 	      type, other arguments may be passed:
 	      veth/macvlan/phys. And finally (host-sided) device name.
 	    </para>
+	    <para>
+	      Standard output from the script is logged at debug level.
+	      Standard error is not logged, but can be captured by the
+	      hook redirecting its standard error to standard output.
+	    </para>
 	  </listitem>
 	</varlistentry>
       </variablelist>
@@ -739,6 +775,56 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
     </refsect2>
 
     <refsect2>
+      <title>Apparmor profile</title>
+      <para>
+	If lxc was compiled and installed with apparmor support, and the host
+	system has apparmor enabled, then the apparmor profile under which the
+	container should be run can be specified in the container
+	configuration.  The default is <command>lxc-container-default</command>.
+      </para>
+      <variablelist>
+	<varlistentry>
+	  <term>
+	    <option>lxc.aa_profile</option>
+	  </term>
+	  <listitem>
+	    <para>
+	      Specify the apparmor profile under which the container should
+	      be run.  To specify that the container should be unconfined,
+	      use
+	    </para>
+	      <programlisting>lxc.aa_profile = unconfined</programlisting>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
+    </refsect2>
+
+    <refsect2>
+      <title>Seccomp configuration</title>
+      <para>
+        A container can be started with a reduced set of available
+	system calls by loading a seccomp profile at startup.  The
+	seccomp configuration file should begin with a version number
+	(which currently must be 1) on the first line, a policy type
+	(which must be 'whitelist') on the second line, followed by a
+	list of allowed system call numbers, one per line.
+      </para>
+      <variablelist>
+	<varlistentry>
+	  <term>
+	    <option>lxc.seccomp</option>
+	  </term>
+	  <listitem>
+	    <para>
+	      Specify a file containing the seccomp configuration to
+	      load before the container starts.
+	     </para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
+    </refsect2>
+
+    <refsect2>
       <title>UID mappings</title>
       <para>
         A container can be started in a private user namespace with
@@ -775,6 +861,11 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
         Container hooks are programs or scripts which can be executed
 	at various times in a container's lifetime.
       </para>
+      <para>
+        Standard output from the hooks is logged at debug level.
+        Standard error is not logged, but can be captured by the
+        hook redirecting its standard error to standard output.
+      </para>
       <variablelist>
 	<varlistentry>
 	  <term>
@@ -978,6 +1069,54 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
       </variablelist>
 
     </refsect2>
+    <refsect2>
+    <title> Logging</title>
+    <para>
+      Logging can be configured on a per-container basis.  By default,
+      depending upon how the lxc package was compiled, container startup
+      is logged only at the ERROR level, and logged to a file named after
+      the container (with '.log' appended) either under the container path,
+      or under @LOGPATH@.
+    </para>
+    <para>
+      Both the default log level and the log file can be specified in the
+      container configuration file, overriding the default behavior.  Note
+      that the configuration file entries can in turn be overridden by the
+      command line options to <command>lxc-start</command>.
+    </para>
+      <variablelist>
+	<varlistentry>
+	  <term>
+	    <option>lxc.loglevel</option>
+	  </term>
+	  <listitem>
+	    <para>
+	    The level at which to log.  The log level is an integer in
+	    the range of 0..8 inclusive, where a lower number means more
+	    verbose debugging.  In particular 0 = trace, 1 = debug, 2 =
+	    info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
+	    alert, and 8 = fatal.  If unspecified, the level defaults
+	    to 5 (error), so that only errors and above are logged.
+	    </para>
+	    <para>
+	    Note that when a script (such as either a hook script or a
+	    network interface up or down script) is called, the script's
+	    standard output is logged at level 1, debug.
+	    </para>
+	  </listitem>
+	</varlistentry>
+	<varlistentry>
+	  <term>
+	    <option>lxc.logfile</option>
+	  </term>
+	  <listitem>
+	    <para>
+	    The file to which logging info should be written.
+	    </para>
+	  </listitem>
+	</varlistentry>
+      </variablelist>
+    </refsect2>
 
   </refsect1>