[lxc-devel] [lxc/master] Update docs
tenforward on Github
lxc-bot at linuxcontainers.org
Wed Mar 27 08:06:06 UTC 2019
From c3b7fd80d9617bf60c0c8772dfb45da68b8d2e26 Mon Sep 17 00:00:00 2001
From: KATOH Yasufumi <karma at jazz.email.ne.jp>
Date: Wed, 27 Mar 2019 15:53:17 +0900
Subject: [PATCH 1/3] doc: Add lxc.cgroup.relative to lxc.container.conf(5)
Only English and Japanese man pages.
Signed-off-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
---
doc/ja/lxc.container.conf.sgml.in | 19 +++++++++++++++++++
doc/lxc.container.conf.sgml.in | 14 ++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
index 65ebb44f4f..4a5905e4ee 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
@@ -1953,6 +1953,25 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.relative</option>
+ </term>
+ <listitem>
+ <para>
+ <!--
+ Set this to 1 to instruct LXC to never escape to the
+ root cgroup. This makes it easy for users to adhere to
+ restrictions enforced by cgroup2 and
+ systemd. Specifically, this makes it possible to run LXC
+ containers as systemd services.
+ -->
+ LXC に root cgroup へのエスケープを行わないように指示するには、この値を 1 に設定してください。
+ これにより、ユーザは cgroup2 と systemd が強制する制限を遵守するのが容易になります。
+ 具体的には、これにより LXC コンテナを systemd のサービスとして実行できます。
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 00b51a94aa..ba88587d49 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1470,6 +1470,20 @@ dev/null proc/kcore none bind,relative 0 0
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.cgroup.relative</option>
+ </term>
+ <listitem>
+ <para>
+ Set this to 1 to instruct LXC to never escape to the
+ root cgroup. This makes it easy for users to adhere to
+ restrictions enforced by cgroup2 and
+ systemd. Specifically, this makes it possible to run LXC
+ containers as systemd services.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
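Review bot: the new lxc.cgroup.relative entry tells readers to set the key to 1 but never states the default or what leaving it unset does, unlike the lxc.rootfs.managed entry in patch 2/3, which ends with "The default is 1." Suggest adding a sentence with the default value. A short clause on what "escape to the root cgroup" means would also help, since the whole entry depends on that phrase to explain the cgroup2 and systemd restrictions.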
From e31362893b2cca5de275311939430ca3fd6b3ea6 Mon Sep 17 00:00:00 2001
From: KATOH Yasufumi <karma at jazz.email.ne.jp>
Date: Wed, 27 Mar 2019 16:52:53 +0900
Subject: [PATCH 2/3] doc: Add lxc.rootfs.managed to lxc.container.conf(5)
Only add to English and Japanese man pages.
Signed-off-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
---
doc/ja/lxc.container.conf.sgml.in | 17 +++++++++++++++++
doc/lxc.container.conf.sgml.in | 13 +++++++++++++
2 files changed, 30 insertions(+)
diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
index 4a5905e4ee..6671221e31 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
@@ -1869,6 +1869,23 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.rootfs.managed</option>
+ </term>
+ <listitem>
+ <para>
+ <!--
+ Set this to 0 to indicate that LXC is not managing the
+ container storage, then LXC will not modify the
+ container storage. The default is 1.
+ -->
+ LXC がコンテナのストレージを管理していない場合は、この値を 0 に設定します。
+ 0 に設定すると、LXC はコンテナのストレージを変更しません。デフォルト値は 1 です。
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
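Review bot: stray blank "+" line after the closing </varlistentry> at the end of the added block. The lxc.cgroup.relative entry in patch 1/3 sits directly before </variablelist> with no empty line, so dropping this one keeps the entries consistently spaced. The English hunk of this patch has the same extra line.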
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index ba88587d49..ff90d07b01 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1407,6 +1407,19 @@ dev/null proc/kcore none bind,relative 0 0
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.rootfs.managed</option>
+ </term>
+ <listitem>
+ <para>
+ Set this to 0 to indicate that LXC is not managing the
+ container storage, then LXC will not modify the
+ container storage. The default is 1.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
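Review bot: the sentence starting "Set this to 0 to indicate that LXC is not managing the container storage, then LXC will not modify" is a comma splice, and the second half reads like a condition rather than a consequence. Suggest splitting it: "Set this to 0 to indicate that LXC is not managing the container storage. LXC will then not modify the container storage." It would also help to say which operations count as modifying the storage, since that is what an administrator pointing LXC at externally managed storage needs to know.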
From 8dca2bd3aee03129db01e5d94a3686bcd886dba9 Mon Sep 17 00:00:00 2001
From: KATOH Yasufumi <karma at jazz.email.ne.jp>
Date: Wed, 27 Mar 2019 16:56:20 +0900
Subject: [PATCH 3/3] doc: Add the description of apparmor profile generation
to man pages
Only add to English and Japanese man pages.
Signed-off-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
---
doc/ja/lxc.container.conf.sgml.in | 48 +++++++++++++++++++++++++++++++
doc/lxc.container.conf.sgml.in | 37 ++++++++++++++++++++++++
2 files changed, 85 insertions(+)
diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
index 6671221e31..7db396f450 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
@@ -2337,6 +2337,14 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
もし apparmor プロファイルが変更されないままでなくてはならない場合 (ネストしたコンテナである場合や、すでに confined されている場合) は以下のように設定します。
</para>
<programlisting>lxc.apparmor.profile = unchanged</programlisting>
+ <para>
+ <!--
+ If you instruct LXC to generate the apparmor profile,
+ then use
+ -->
+ もし LXC に AppArmor プロファイルを生成するように指示するには次のように設定します。
+ </para>
+ <programlisting>lxc.apparmor.profile = generated</programlisting>
</listitem>
</varlistentry>
<varlistentry>
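Review bot: in the added Japanese paragraph, "もし LXC に AppArmor プロファイルを生成するように指示するには" mixes the conditional "もし" with the purpose form "するには". Suggest dropping "もし": "LXC に AppArmor プロファイルを生成するように指示するには、次のように設定します。" The English text kept in the comment has the matching problem ("If you instruct LXC ..., then use").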
@@ -2368,6 +2376,46 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>lxc.apparmor.allow_nesting</option>
+ </term>
+ <listitem>
+ <para>
+ <!--
+ If set this to 1, causes the following changes. When
+ generated apparmor profiles are used, they will contain
+ the necessary changes to allow creating a nested
+ container. In addition to the usual mount points,
+ <filename>/dev/.lxc/proc</filename>
+ and <filename>/dev/.lxc/sys</filename> will contain
+ procfs and sysfs mount points without the lxcfs
+ overlays, which, if generated apparmor profiles are
+ being used, will not be read/writable directly.
+ -->
+ 1 に設定すると次のような変更が行われます。
+ generated な AppArmor プロファイルが使われる場合、ネストしたコンテナを使うのに必要な変更が含まれます。通常のマウントポイントに加えて、lxcfs のオーバーレイなしで、<filename>/dev/.lxc/proc</filename> と <filename>/dev/.lxc/sys</filename> が procfs と sysfs のマウントポイントに含まれます。
+ generated な AppArmor プロファイルが使われている場合は、直接読み書きはできません
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>lxc.apparmor.raw</option>
+ </term>
+ <listitem>
+ <para>
+ <!--
+ A list of raw AppArmor profile lines to append to the
+ profile. Only valid when using generated profiles.
+ -->
+ プロファイルに加える、生の AppArmor プロファイル行のリストです。generated なプロファイルを使っているときのみ有効です。
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
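Review bot: the last sentence of the lxc.apparmor.allow_nesting paragraph, "generated な AppArmor プロファイルが使われている場合は、直接読み書きはできません", has no subject and no closing "。", so it no longer says that it is /dev/.lxc/proc and /dev/.lxc/sys that cannot be read or written directly. Suggest naming the two paths as the subject and ending the sentence with "。". The sentence before it also inverts the English: "が procfs と sysfs のマウントポイントに含まれます" says the two paths are included in the mount points, while the English in the comment says the two paths will contain the procfs and sysfs mount points.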
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index ff90d07b01..ee78e49a3d 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1751,6 +1751,11 @@ dev/null proc/kcore none bind,relative 0 0
are nesting containers and are already confined), then use
</para>
<programlisting>lxc.apparmor.profile = unchanged</programlisting>
+ <para>
+ If you instruct LXC to generate the apparmor profile,
+ then use
+ </para>
+ <programlisting>lxc.apparmor.profile = generated</programlisting>
</listitem>
</varlistentry>
<varlistentry>
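Review bot: "If you instruct LXC to generate the apparmor profile, then use" reads as a condition with no consequence. Suggest "To have LXC generate the apparmor profile, use". Because the lxc.apparmor.raw entry added later in this patch is only valid with generated profiles, and lxc.apparmor.allow_nesting changes what they contain, a short pointer to those two options from this paragraph would help readers find them.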
@@ -1774,6 +1779,38 @@ dev/null proc/kcore none bind,relative 0 0
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>lxc.apparmor.allow_nesting</option>
+ </term>
+ <listitem>
+ <para>
+ If set this to 1, causes the following changes. When
+ generated apparmor profiles are used, they will contain
+ the necessary changes to allow creating a nested
+ container. In addition to the usual mount points,
+ <filename>/dev/.lxc/proc</filename>
+ and <filename>/dev/.lxc/sys</filename> will contain
+ procfs and sysfs mount points without the lxcfs
+ overlays, which, if generated apparmor profiles are
+ being used, will not be read/writable directly.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>lxc.apparmor.raw</option>
+ </term>
+ <listitem>
+ <para>
+ A list of raw AppArmor profile lines to append to the
+ profile. Only valid when using generated profiles.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
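Review bot: "If set this to 1, causes the following changes." in the lxc.apparmor.allow_nesting entry is ungrammatical, and the entry gives no default; suggest "If set to 1, this causes the following changes." plus a sentence stating the default. The closing clause "which, if generated apparmor profiles are being used, will not be read/writable directly" is hard to parse; say plainly that the generated profile blocks direct reads and writes to /dev/.lxc/proc and /dev/.lxc/sys. For lxc.apparmor.raw, the text does not say how the list is written or give an example line, and since these lines are appended to the generated profile, a sentence noting that they can loosen the confinement would help anyone reviewing a container config. Capitalization also varies between "apparmor" and "AppArmor" within the hunk.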