The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2920
This e-mail was sent by the LXC bot; direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

This is the patch that adds configuration items added in LXC 3.1 to the man pages. Each description is based on a release announcement. If there is an incorrect part, please correct it. (And I'm not good at English, so if incorrect, please touch up. :sweat_smile: )
From c3b7fd80d9617bf60c0c8772dfb45da68b8d2e26 Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi <ka...@jazz.email.ne.jp> Date: Wed, 27 Mar 2019 15:53:17 +0900 Subject: [PATCH 1/3] doc: Add lxc.cgroup.relative to lxc.container.conf(5) Only English and Japanese man pages. Signed-off-by: KATOH Yasufumi <ka...@jazz.email.ne.jp> --- doc/ja/lxc.container.conf.sgml.in | 19 +++++++++++++++++++ doc/lxc.container.conf.sgml.in | 14 ++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in index 65ebb44f4f..4a5905e4ee 100644 --- a/doc/ja/lxc.container.conf.sgml.in +++ b/doc/ja/lxc.container.conf.sgml.in @@ -1953,6 +1953,25 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> </para> </listitem> </varlistentry> + <varlistentry> + <term> + <option>lxc.cgroup.relative</option> + </term> + <listitem> + <para> + <!-- + Set this to 1 to instruct LXC to never escape to the + root cgroup. This makes it easy for users to adhere to + restrictions enforced by cgroup2 and + systemd. Specifically, this makes it possible to run LXC + containers as systemd services. + --> + LXC に root cgroup へのエスケープを行わないように指示するには、この値を 1 に設定してください。 + これにより、ユーザは cgroup2 と systemd が強制する制限を遵守するのが容易になります。 + 具体的には、これにより LXC コンテナを systemd のサービスとして実行できます。 + </para> + </listitem> + </varlistentry> </variablelist> </refsect2> diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in index 00b51a94aa..ba88587d49 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in 
@@ -1470,6 +1470,20 @@ dev/null proc/kcore none bind,relative 0 0 </para> </listitem> </varlistentry> + <varlistentry> + <term> + <option>lxc.cgroup.relative</option> + </term> + <listitem> + <para> + Set this to 1 to instruct LXC to never escape to the + root cgroup. This makes it easy for users to adhere to + restrictions enforced by cgroup2 and + systemd. Specifically, this makes it possible to run LXC + containers as systemd services. + </para> + </listitem> + </varlistentry> </variablelist> </refsect2> From e31362893b2cca5de275311939430ca3fd6b3ea6 Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi <ka...@jazz.email.ne.jp> Date: Wed, 27 Mar 2019 16:52:53 +0900 Subject: [PATCH 2/3] doc: Add lxc.rootfs.managed to lxc.container.conf(5) Only add to English and Japanese man pages. Signed-off-by: KATOH Yasufumi <ka...@jazz.email.ne.jp> --- doc/ja/lxc.container.conf.sgml.in | 17 +++++++++++++++++ doc/lxc.container.conf.sgml.in | 13 +++++++++++++ 2 files changed, 30 insertions(+) diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in index 4a5905e4ee..6671221e31 100644 --- a/doc/ja/lxc.container.conf.sgml.in +++ b/doc/ja/lxc.container.conf.sgml.in @@ -1869,6 +1869,23 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> </listitem> </varlistentry> + <varlistentry> + <term> + <option>lxc.rootfs.managed</option> + </term> + <listitem> + <para> + <!-- + Set this to 0 to indicate that LXC is not managing the + container storage, then LXC will not modify the + container storage. The default is 1. + --> + LXC がコンテナのストレージを管理していない場合は、この値を 0 に設定します。 + 0 に設定すると、LXC はコンテナのストレージを変更しません。デフォルト値は 1 です。 + </para> + </listitem> + </varlistentry> + </variablelist> </refsect2> diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in index ba88587d49..ff90d07b01 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in 
@@ -1407,6 +1407,19 @@ dev/null proc/kcore none bind,relative 0 0 </listitem> </varlistentry> + <varlistentry> + <term> + <option>lxc.rootfs.managed</option> + </term> + <listitem> + <para> + Set this to 0 to indicate that LXC is not managing the + container storage, then LXC will not modify the + container storage. The default is 1. + </para> + </listitem> + </varlistentry> + </variablelist> </refsect2> From 8dca2bd3aee03129db01e5d94a3686bcd886dba9 Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi <ka...@jazz.email.ne.jp> Date: Wed, 27 Mar 2019 16:56:20 +0900 Subject: [PATCH 3/3] doc: Add the description of apparmor profile generation to man pages Only add to English and Japanese man pages. Signed-off-by: KATOH Yasufumi <ka...@jazz.email.ne.jp> --- doc/ja/lxc.container.conf.sgml.in | 48 +++++++++++++++++++++++++++++++ doc/lxc.container.conf.sgml.in | 37 ++++++++++++++++++++++++ 2 files changed, 85 insertions(+) diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in index 6671221e31..7db396f450 100644 --- a/doc/ja/lxc.container.conf.sgml.in +++ b/doc/ja/lxc.container.conf.sgml.in @@ -2337,6 +2337,14 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> もし apparmor プロファイルが変更されないままでなくてはならない場合 (ネストしたコンテナである場合や、すでに confined されている場合) は以下のように設定します。 </para> <programlisting>lxc.apparmor.profile = unchanged</programlisting> + <para> + <!-- + If you instruct LXC to generate the apparmor profile, + then use + --> + もし LXC に AppArmor プロファイルを生成するように指示するには次のように設定します。 + </para> + <programlisting>lxc.apparmor.profile = generated</programlisting> </listitem> </varlistentry> <varlistentry> 
@@ -2368,6 +2376,46 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> </para> </listitem> </varlistentry> + + <varlistentry> + <term> + <option>lxc.apparmor.allow_nesting</option> + </term> + <listitem> + <para> + <!-- + If set this to 1, causes the following changes. When + generated apparmor profiles are used, they will contain + the necessary changes to allow creating a nested + container. In addition to the usual mount points, + <filename>/dev/.lxc/proc</filename> + and <filename>/dev/.lxc/sys</filename> will contain + procfs and sysfs mount points without the lxcfs + overlays, which, if generated apparmor profiles are + being used, will not be read/writable directly. + --> + 1 に設定すると次のような変更が行われます。 + generated な AppArmor プロファイルが使われる場合、ネストしたコンテナを使うのに必要な変更が含まれます。通常のマウントポイントに加えて、lxcfs のオーバーレイなしで、<filename>/dev/.lxc/proc</filename> と <filename>/dev/.lxc/sys</filename> が procfs と sysfs のマウントポイントに含まれます。 + generated な AppArmor プロファイルが使われている場合は、直接読み書きはできません + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>lxc.apparmor.raw</option> + </term> + <listitem> + <para> + <!-- + A list of raw AppArmor profile lines to append to the + profile. Only valid when using generated profiles. + --> + プロファイルに加える、生の AppArmor プロファイル行のリストです。generated なプロファイルを使っているときのみ有効です。 + </para> + </listitem> + </varlistentry> + </variablelist> </refsect2> diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in index ff90d07b01..ee78e49a3d 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -1751,6 +1751,11 @@ dev/null proc/kcore none bind,relative 0 0 are nesting containers and are already confined), then use </para> <programlisting>lxc.apparmor.profile = unchanged</programlisting> + <para> + If you instruct LXC to generate the apparmor profile, + then use + </para> + <programlisting>lxc.apparmor.profile = generated</programlisting> </listitem> </varlistentry> <varlistentry> 
@@ -1774,6 +1779,38 @@ dev/null proc/kcore none bind,relative 0 0 </para> </listitem> </varlistentry> + + <varlistentry> + <term> + <option>lxc.apparmor.allow_nesting</option> + </term> + <listitem> + <para> + If set this to 1, causes the following changes. When + generated apparmor profiles are used, they will contain + the necessary changes to allow creating a nested + container. In addition to the usual mount points, + <filename>/dev/.lxc/proc</filename> + and <filename>/dev/.lxc/sys</filename> will contain + procfs and sysfs mount points without the lxcfs + overlays, which, if generated apparmor profiles are + being used, will not be read/writable directly. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>lxc.apparmor.raw</option> + </term> + <listitem> + <para> + A list of raw AppArmor profile lines to append to the + profile. Only valid when using generated profiles. + </para> + </listitem> + </varlistentry> + </variablelist> </refsect2>
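Review bot: the lxc.cgroup.relative entry in the doc/lxc.container.conf.sgml.in hunk (@@ -1470,6 +1470,20 @@) never states the default value or what happens when the key is unset, although the lxc.rootfs.managed entry added in the next commit does ("The default is 1."). Add a closing sentence of the same form stating the default, and spell out that without this setting LXC will escape to the root cgroup, which the sentence "Set this to 1 to instruct LXC to never escape to the root cgroup." implies but never says; a reader deciding whether to set it needs to know which behaviour the 1 opts out of. The same sentence belongs in the comment and translation of the Japanese hunk (@@ -1953,6 +1953,25 @@) so the two files stay in sync.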
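Review bot: "Set this to 0 to indicate that LXC is not managing the container storage, then LXC will not modify the container storage." in the lxc.rootfs.managed hunk (@@ -1407,6 +1407,19 @@) is a run-on; split it, e.g. "Set this to 0 to indicate that LXC is not managing the container storage. LXC will then not modify the container storage. The default is 1." This hunk and its Japanese counterpart (@@ -1869,6 +1869,23 @@) also add a stray blank `+` line before `</variablelist>` which the lxc.cgroup.relative hunks do not; drop it so the entries are formatted consistently.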
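Review bot: "If you instruct LXC to generate the apparmor profile, then use" in the @@ -1751,6 +1751,11 @@ hunk does not follow the conditional form of the sentence right above it ("If the apparmor profile should remain unchanged (...), then use"); reword to "If LXC should generate the apparmor profile, then use" so the alternatives read as parallel choices. Apply the same wording to the English comment in the Japanese hunk (@@ -2337,6 +2337,14 @@).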
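Review bot: "If set this to 1, causes the following changes." in the lxc.apparmor.allow_nesting entry (@@ -1774,6 +1779,38 @@) is ungrammatical; "If set to 1, generated apparmor profiles will contain the changes needed to create a nested container." says the same in one sentence. The trailing "which, if generated apparmor profiles are being used, will not be read/writable directly" also leaves it unclear whether "which" refers to the new procfs and sysfs mount points or to the lxcfs overlays; name the referent. Since the entry says only that the profile gains "the necessary changes" without saying what they are, a reader cannot judge how far the confinement is loosened when enabling nesting; at least point at the generated profile source. For lxc.apparmor.raw, state how a "list" is written in the config (whether the key is repeated once per line), and settle on "apparmor" or "AppArmor": this hunk uses both.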
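Review bot: the Japanese translation in the lxc.apparmor.allow_nesting entry (@@ -2368,6 +2376,46 @@) inverts the English it sits under: "/dev/.lxc/proc と /dev/.lxc/sys が procfs と sysfs のマウントポイントに含まれます" says the two paths are contained in the procfs/sysfs mount points, whereas the commented English says the paths will contain procfs and sysfs mount points (procfs and sysfs mounted under those paths). Rephrase so the paths are the mount targets. The paragraph also ends without 。 after "直接読み書きはできません", and "generated な AppArmor プロファイルが使われている場合" is stated twice where once would do.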
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel