Commit 2cf7a66c by Stéphane Graber Committed by GitHub

Merge pull request #1789 from brauner/2017-09-06/fix_documentation

doc: adapt + update
parents e6ecdcbe bdcbb6b3
......@@ -105,11 +105,11 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
example, a process running as UID and GID 0 inside the container might
appear as UID and GID 100000 on the host. The implementation and working
details can be gathered from the corresponding user namespace man page.
UID and GID mappings can be defined with the <option>lxc.id_map</option>
UID and GID mappings can be defined with the <option>lxc.idmap</option>
key.
-->
本質的には、ユーザ名前空間は与えられた UID、GID の組を隔離します。ユーザ名前空間は、ホスト上の UID、GID のある範囲を、それとは異なるコンテナ上の UID、GID の範囲へマッピングすることで実現します。カーネルは、ホスト上では実際には UID、GID は特権を持たないにも関わらず、コンテナ内ではすべての UID、GID が期待されるように見えるように変換を行います。
例えば、コンテナ内では UID、GID が 0 として実行中のプロセスは、ホスト上では UID、GID が 100000 として見えるでしょう。実装と動作の詳細は、ユーザ名前空間の man ページから得られます。UID と GID のマッピングは <option>lxc.id_map</option> を使って定義できます。
例えば、コンテナ内では UID、GID が 0 として実行中のプロセスは、ホスト上では UID、GID が 100000 として見えるでしょう。実装と動作の詳細は、ユーザ名前空間の man ページから得られます。UID と GID のマッピングは <option>lxc.idmap</option> を使って定義できます。
</para>
<para>
......@@ -1904,7 +1904,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
<variablelist>
<varlistentry>
<term>
<option>lxc.id_map</option>
<option>lxc.idmap</option>
</term>
<listitem>
<para>
......@@ -2642,8 +2642,8 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
この設定は、コンテナ内のユーザとグループ両方の id 0-9999 の範囲を、ホスト上の 100000-109999 へマッピングします。
</para>
<programlisting>
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
lxc.idmap = u 0 100000 10000
lxc.idmap = g 0 100000 10000
</programlisting>
</refsect2>
......
......@@ -1839,7 +1839,7 @@ mknod errno 0
<variablelist>
<varlistentry>
<term>
<option>lxc.id_map</option>
<option>lxc.idmap</option>
</term>
<listitem>
<para>
......@@ -2564,8 +2564,8 @@ mknod errno 0
이 설정은 UID와 GID 둘다를 컨테이너의 0 ~ 9999를 호스트의 100000 ~ 109999로 매핑한다.
</para>
<programlisting>
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
lxc.idmap = u 0 100000 10000
lxc.idmap = g 0 100000 10000
</programlisting>
</refsect2>
......
......@@ -86,7 +86,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
example, a process running as UID and GID 0 inside the container might
appear as UID and GID 100000 on the host. The implementation and working
details can be gathered from the corresponding user namespace man page.
UID and GID mappings can be defined with the <option>lxc.id_map</option>
UID and GID mappings can be defined with the <option>lxc.idmap</option>
key.
</para>
......@@ -1129,6 +1129,25 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
<option>lxc.cgroup.dir</option>
</term>
<listitem>
<para>
specify a directory or path in which the container's cgroup will
be created. For example, setting
<option>lxc.cgroup.dir = my-cgroup/first</option> for a container
named "c1" will create the container's cgroup as a sub-cgroup of
"my-cgroup". For example, if the user's current cgroup "my-user"
is located in the root cgroup of the cpuset controllerin in a
cgroup v1 hierarchy this would create the cgroup
"/sys/fs/cgroup/cpuset/my-user/my-cgroup/first/c1" for the
container. Any missing cgroups will be created by LXC. This
presupposes that the user has write access to its current cgroup.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
......@@ -1383,7 +1402,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<variablelist>
<varlistentry>
<term>
<option>lxc.id_map</option>
<option>lxc.idmap</option>
</term>
<listitem>
<para>
......@@ -1935,8 +1954,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
range 0-9999 in the container to the ids 100000-109999 on the host.
</para>
<programlisting>
lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000
lxc.idmap = u 0 100000 10000
lxc.idmap = g 0 100000 10000
</programlisting>
</refsect2>
......
......@@ -1559,7 +1559,7 @@ static bool cgm_chown(void *hdata, struct lxc_conf *conf)
}
/*
* TODO: this should be re-written to use the get_config_item("lxc.id_map")
* TODO: this should be re-written to use the get_config_item("lxc.idmap")
* cmd api instead of getting the idmap from c->lxc_conf. The reason is
* that the id_maps may be different if the container was started with a
* -f or -s argument.
......
......@@ -3972,8 +3972,8 @@ void suggest_default_idmap(void)
ERROR("To pass uid mappings to lxc-create, you could create");
ERROR("~/.config/lxc/default.conf:");
ERROR("lxc.include = %s", LXC_DEFAULT_CONFIG);
ERROR("lxc.id_map = u 0 %u %u", uid, urange);
ERROR("lxc.id_map = g 0 %u %u", gid, grange);
ERROR("lxc.idmap = u 0 %u %u", uid, urange);
ERROR("lxc.idmap = g 0 %u %u", gid, grange);
free(gname);
free(uname);
......
......@@ -96,10 +96,10 @@ enum idtype {
/*
* id_map is an id map entry. Form in confile is:
* lxc.id_map = u 0 9800 100
* lxc.id_map = u 1000 9900 100
* lxc.id_map = g 0 9800 100
* lxc.id_map = g 1000 9900 100
* lxc.idmap = u 0 9800 100
* lxc.idmap = u 1000 9900 100
* lxc.idmap = g 0 9800 100
* lxc.idmap = g 1000 9900 100
* meaning the container can use uids and gids 0-99 and 1000-1099,
* with [ug]id 0 mapping to [ug]id 9800 on the host, and [ug]id 1000 to
* [ug]id 9900 on the host.
......
......@@ -102,8 +102,8 @@ mkdir -p $HDIR/.config/lxc/
cat > $HDIR/.config/lxc/default.conf << EOF
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.id_map = u 0 910000 9999
lxc.id_map = g 0 910000 9999
lxc.idmap = u 0 910000 9999
lxc.idmap = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR
......
......@@ -118,8 +118,8 @@ mkdir -p $HDIR/.config/lxc/
cat > $HDIR/.config/lxc/default.conf << EOF
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.id_map = u 0 910000 9999
lxc.id_map = g 0 910000 9999
lxc.idmap = u 0 910000 9999
lxc.idmap = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR
......
......@@ -81,8 +81,8 @@ usermod -v 910000-919999 -w 910000-919999 usernic-user
mkdir -p /home/usernic-user/.config/lxc/
cat > /home/usernic-user/.config/lxc/default.conf << EOF
lxc.net.0.type = empty
lxc.id_map = u 0 910000 10000
lxc.id_map = g 0 910000 10000
lxc.idmap = u 0 910000 10000
lxc.idmap = g 0 910000 10000
EOF
if which cgm >/dev/null 2>&1; then
......
......@@ -455,6 +455,34 @@ int main(int argc, char *argv[])
return -1;
}
/* lxc.idmap
* We can't really save the config here since save_config() wants to
* chown the container's directory but we haven't created an on-disk
* container. So let's test set-get-clear.
*/
if (set_get_compare_clear_save_load(
c, "lxc.idmap", "u 0 100000 1000000000", NULL, false) < 0) {
lxc_error("%s\n", "lxc.idmap");
goto non_test_error;
}
if (!c->set_config_item(c, "lxc.idmap", "u 1 100000 10000000")) {
lxc_error("%s\n", "failed to set config item "
"\"lxc.idmap\" to \"u 1 100000 10000000\"");
return -1;
}
if (!c->set_config_item(c, "lxc.idmap", "g 1 100000 10000000")) {
lxc_error("%s\n", "failed to set config item "
"\"lxc.idmap\" to \"g 1 100000 10000000\"");
return -1;
}
if (!c->get_config_item(c, "lxc.idmap", retval, sizeof(retval))) {
lxc_error("%s\n", "failed to get config item \"lxc.cgroup\"");
return -1;
}
c->clear_config(c);
c->lxc_conf = NULL;
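Review bot: The failure message for the final `get_config_item` call names the wrong key: the call fetches `"lxc.idmap"` but the message reports `"lxc.cgroup"`, which will send anyone reading a test failure to the wrong config item; it should read `lxc_error("%s\n", "failed to get config item \"lxc.idmap\"");`. The new block also mixes two failure paths, `goto non_test_error` for the first check and bare `return -1` for the three that follow, which appears inconsistent with the preceding hunk context only as far as that context is visible here, so it is worth confirming which path the rest of this file uses. The value read back into `retval` is never compared against the two mappings that were just set, so the test only proves the getter does not fail, not that the stored idmap lines round-trip; `retval` itself and the enclosing `main` are declared outside this hunk.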
......
......@@ -287,8 +287,8 @@ configure_container() {
if [[ $unprivileged && $unprivileged == true ]] ; then
if [[ $flush_owner == true ]] ; then
unprivileged_options="
lxc.id_map = u 0 ${mapped_uid} 65536
lxc.id_map = g 0 ${mapped_gid} 65536
lxc.idmap = u 0 ${mapped_uid} 65536
lxc.idmap = g 0 ${mapped_gid} 65536
"
fi
......