the tbl/ subdirectory

This is based on output from some scripts and basic sanity testing.

and external files are included with <...>

crashing child to do so, and then explicitly start it again.

avoid fixed sleeps waiting for the child process to start.

Fixes: #1024

1 thread is a bit on the low side, make the default on RPM based
distros 50.

Please let me know if any of them are way off

Tighten it up with use of semaphores and collapse s1/s2/s3 using
"accept" keyword.

everybody!) and tag them at generation, rather than having varnishapi
try to deduce each VSL's relationship.

Please yell if you have records in your varnishlog output which need
tagging or which are tagged wrong.

patch received from Nils Goroll <nils.goroll@uplex.de>

- [e0ee2a2e] adds the file_read
  privilege needed for onnv_140 and newer (see #912), but we also need
  the file_write privilege for stevedore access.

- If available, keep sys_resource in the permitted/limited set to
  allow cache_waiter_ports to raise the process.max-port-events
  resource control (feature to be added later).

- When starting varnish with euid 0 on Solaris, privilege seperation
  prohibited preserving additional privileges (in excess of the basic
  set) in the child, because, for a non privilege aware process,
  setuid() resets the effective, inheritable and permitted sets to the
  basic set.

  To achieve interoperability between solaris privileges and
  setuid()/setgid(), we now make the varnish child privilege aware
  before calling setuid() by trying to add all privileges we will need
  plus proc_setid.

- On solaris, check for proc_setid rather than checking the euid as a
  prerequisite for changing the uid/gid and only change the uid/gid if
  we need to (for a privilege aware process, [ers]uid 0 loose their
  magic powers).

  Note that setuid() will always set SNOCD on Solaris, which will
  prevent core dumps from being written, unless setuid core dumps are
  explicitly enabled using coreadm(1M).

  To avoid setuid() (and the SNOCD flag, consequently), start varnish
  as the user you intend to run the child as, but with additional
  privileges, e.g. using

  ppriv -e -s A=basic,net_privaddr,sys_resource varnishd ...

- setppriv(PRIV_SET, ...) failed when the privileges to be applied
  were not available in the permitted set.

  We change the logic to only clear the privileges which are not
  needed by inverting the sets and removing all unneeded privileges
  using setppriv(PRIV_OFF, ...).

  So the child might end up with less privileges than given initially,

instead of asserting.

Inspired by:	Patch from DocWilco

Fixes: #912

Solaris puts the ncurses header in /usr/include/ncurses, and we need
that to compile with -Werror.

Fixes: #889