diff -Nru lxc-1.0.8/debian/changelog lxc-1.0.8/debian/changelog
--- lxc-1.0.8/debian/changelog 2015-11-13 17:53:35.000000000 +0000
+++ lxc-1.0.8/debian/changelog 2015-11-18 18:42:24.000000000 +0000
@@ -1,3 +1,10 @@
+lxc (1.0.8-0ubuntu0.3) trusty; urgency=medium
+
+ * Cherry-pick from upstream:
+ - Fix preserve_ns to work on < 3.8 kernels. (LP: #1516971)
+
+ -- Stéphane Graber Wed, 18 Nov 2015 13:42:07 -0500
+
 lxc (1.0.8-0ubuntu0.2) trusty; urgency=medium
 
 * Cherry-pick from upstream:
diff -Nru lxc-1.0.8/debian/.git-dpm lxc-1.0.8/debian/.git-dpm
--- lxc-1.0.8/debian/.git-dpm 2015-11-13 17:53:07.000000000 +0000
+++ lxc-1.0.8/debian/.git-dpm 2015-11-18 18:41:56.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-2452a0458c96ebbf0b14b8f9b71c581036e8fad9
-2452a0458c96ebbf0b14b8f9b71c581036e8fad9
+3d3ff990d7ed8f30ac1fc5508cb7c81b14d5c235
+3d3ff990d7ed8f30ac1fc5508cb7c81b14d5c235
 4d4ae2d76b719cb54dbdeea8f371aedb309b820a
 4d4ae2d76b719cb54dbdeea8f371aedb309b820a
 lxc_1.0.8.orig.tar.gz
diff -Nru lxc-1.0.8/debian/patches/0003-Better-handle-preserve_ns-behavior.patch lxc-1.0.8/debian/patches/0003-Better-handle-preserve_ns-behavior.patch
--- lxc-1.0.8/debian/patches/0003-Better-handle-preserve_ns-behavior.patch 1970-01-01 00:00:00.000000000 +0000
+++ lxc-1.0.8/debian/patches/0003-Better-handle-preserve_ns-behavior.patch 2015-11-18 18:41:56.000000000 +0000
@@ -0,0 +1,121 @@
+From 3d3ff990d7ed8f30ac1fc5508cb7c81b14d5c235 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn
+Date: Tue, 17 Nov 2015 12:59:05 -0600
+Subject: Better handle preserve_ns behavior
+
+Commit b6b2b194a8 preserves the container's namespaces for
+possible later use in stop hook. But some kernels don't have
+/proc/pid/ns/ns for all the namespaces we may be interested in.
+So warn but continue if this is the case.
+
+Implement stgraber's suggested semantics.
+
+ - User requests some namespaces be preserved:
+ - If /proc/self/ns is missing => fail (saying kernel misses setns)
+ - If /proc/self/ns/ entry is missing => fail (saying kernel misses setns for )
+ - User doesn't request some namespaces be preserved:
+ - If /proc/self/ns is missing => log an INFO message (kernel misses setns) and continue
+ - If /proc/self/ns/ entry is missing => log an INFO message (kernel misses setns for ) and continue
+
+Signed-off-by: Serge Hallyn
+---
+ src/lxc/start.c | 47 ++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/src/lxc/start.c b/src/lxc/start.c
+index 3cbb049..c481630 100644
+--- a/src/lxc/start.c
++++ b/src/lxc/start.c
+@@ -117,8 +117,15 @@ static void close_ns(int ns_fd[LXC_NS_MAX]) {
+ }
+ }
+ 
+-static int preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid) {
+- int i, saved_errno;
++/*
++ * preserve_ns: open /proc/@pid/ns/@ns for each namespace specified
++ * in clone_flags.
++ * Return true on success, false on failure. On failure, leave an error
++ * message in *errmsg, which caller must free.
++ */
++static
++bool preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid, char **errmsg) {
++ int i, ret;
+ char path[MAXPATHLEN];
+ 
+ for (i = 0; i < LXC_NS_MAX; i++)
+@@ -126,8 +133,9 @@ static int preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid) {
+ 
+ snprintf(path, MAXPATHLEN, "/proc/%d/ns", pid);
+ if (access(path, X_OK)) {
+- WARN("Kernel does not support attach; preserve_ns ignored");
+- return 0;
++ if (asprintf(errmsg, "Kernel does not support setns.") == -1)
++ *errmsg = NULL;
++ return false;
+ }
+ 
+ for (i = 0; i < LXC_NS_MAX; i++) {
+@@ -140,14 +148,20 @@ static int preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid) {
+ goto error;
+ }
+ 
+- return 0;
++ return true;
+ 
+ error:
+- saved_errno = errno;
++ if (errno == ENOENT) {
++ ret = asprintf(errmsg, "Kernel does not support setns for %s",
++ ns_info[i].proc_name);
++ } else {
++ ret = asprintf(errmsg, "Failed to open %s: %s",
++ path, strerror(errno));
++ }
++ if (ret == -1)
++ *errmsg = NULL;
+ close_ns(ns_fd);
+- errno = saved_errno;
+- SYSERROR("failed to open '%s'", path);
+- return -1;
++ return false;
+ }
+ 
+ static int attach_ns(const int ns_fd[LXC_NS_MAX]) {
+@@ -798,6 +812,7 @@ static int lxc_spawn(struct lxc_handler *handler)
+ {
+ int failed_before_rename = 0;
+ const char *name = handler->name;
++ char *errmsg = NULL;
+ bool cgroups_connected = false;
+ int saved_ns_fd[LXC_NS_MAX];
+ int preserve_mask = 0, i;
+@@ -889,8 +904,12 @@ static int lxc_spawn(struct lxc_handler *handler)
+ INFO("failed to pin the container's rootfs");
+ }
+ 
+- if (preserve_ns(saved_ns_fd, preserve_mask, getpid()) < 0)
++ if (!preserve_ns(saved_ns_fd, preserve_mask, getpid(), &errmsg)) {
++ SYSERROR("Failed to preserve requested namespaces: %s",
++ errmsg ? errmsg : "(Out of memory)");
++ free(errmsg);
+ goto out_delete_net;
++ }
+ if (attach_ns(handler->conf->inherit_ns_fd) < 0)
+ goto out_delete_net;
+ 
+@@ -910,9 +929,11 @@ static int lxc_spawn(struct lxc_handler *handler)
+ goto out_delete_net;
+ }
+ 
+- if (preserve_ns(handler->nsfd, handler->clone_flags, handler->pid) < 0) {
+- ERROR("failed to store namespace references");
+- goto out_delete_net;
++ if (preserve_ns(handler->nsfd, handler->clone_flags, handler->pid,
++ &errmsg) < 0) {
++ INFO("Failed to store namespace references for stop hook: %s",
++ errmsg ? errmsg : "(Out of memory)");
++ free(errmsg);
+ }
+ 
+ if (attach_ns(saved_ns_fd))
diff -Nru lxc-1.0.8/debian/patches/series lxc-1.0.8/debian/patches/series
--- lxc-1.0.8/debian/patches/series 2015-11-13 17:53:07.000000000 +0000
+++ lxc-1.0.8/debian/patches/series 2015-11-18 18:41:56.000000000 +0000
@@ -1,2 +1,3 @@
 0001-Trusty-Swap-out-the-CVE-2015-1335-fix-with-the-trust.patch
 0002-ubuntu-cloud-Various-fixes.patch
+0003-Better-handle-preserve_ns-behavior.patch
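Review bot: The second call site in lxc_spawn (the `@@ -910,9 +929,11 @@` hunk of the embedded patch) still tests `preserve_ns(...) < 0`, but preserve_ns now returns bool, so false is 0 and the condition can never be true: the INFO message is never logged and the asprintf'd errmsg from the failure path is leaked on every failing start. The first call site in the `@@ -889,8 +904,12 @@` hunk was converted to `!preserve_ns(...)` and this one should match, i.e. `if (!preserve_ns(handler->nsfd, handler->clone_flags, handler->pid,` / `&errmsg)) {`. Separately, that first call site goes to out_delete_net whenever preserve_ns returns false, and preserve_ns returns false from the access() check before clone_flags is consulted, so on a kernel with no /proc/pid/ns at all the spawn aborts even with preserve_mask == 0, which does not appear to match the "log INFO and continue" case the commit message describes; the intended split may be worth confirming. The enclosing lxc_spawn body begins and ends outside these hunks.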