Commit cdb4bcc2 by Christian Brauner Committed by GitHub

Merge pull request #1695 from 0x0916/2017-07-12/update-doc-and-test

update doc and test
parents 93e2c336 f30ab9fe
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
# semodule -i lxc.pp # semodule -i lxc.pp
# #
# In your container's lxc config: # In your container's lxc config:
# lxc.se_context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228 # lxc.selinux.context = system_u:system_r:lxc_t:s0:c62,c86,c150,c228
# #
# Ensure your container's rootfs files are labeled: # Ensure your container's rootfs files are labeled:
# chcon -R system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs # chcon -R system_u:object_r:lxc_file_t:s0:c62,c86,c150,c228 /path/to/rootfs
...@@ -7,12 +7,12 @@ lxc.tty.dir = ...@@ -7,12 +7,12 @@ lxc.tty.dir =
# When using LXC with apparmor, the container will be confined by default. # When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line # If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file. # (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
# If you wish to allow mounting block filesystems, then use the following # If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop # line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow. # devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting #lxc.apparmor.profile = lxc-container-default-with-mounting
# Extra cgroup device access # Extra cgroup device access
## rtc ## rtc
# Use a profile which allows nesting # Use a profile which allows nesting
lxc.aa_profile = lxc-container-default-with-nesting lxc.apparmor.profile = lxc-container-default-with-nesting
# Add uncovered mounts of proc and sys, else unprivileged users # Add uncovered mounts of proc and sys, else unprivileged users
# cannot remount those # cannot remount those
...@@ -10,7 +10,7 @@ lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0 ...@@ -10,7 +10,7 @@ lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
# When using LXC with apparmor, the container will be confined by default. # When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line # If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file. # (uncommented) to the container's configuration file.
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
# Uncomment the following line to autodetect squid-deb-proxy configuration on the # Uncomment the following line to autodetect squid-deb-proxy configuration on the
# host and forward it to the guest at start time. # host and forward it to the guest at start time.
...@@ -19,7 +19,7 @@ lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0 ...@@ -19,7 +19,7 @@ lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0
# If you wish to allow mounting block filesystems, then use the following # If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop # line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow. # devices below in lxc.cgroup.devices.allow.
#lxc.aa_profile = lxc-container-default-with-mounting #lxc.apparmor.profile = lxc-container-default-with-mounting
# Extra cgroup device access # Extra cgroup device access
## rtc ## rtc
...@@ -1438,7 +1438,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -1438,7 +1438,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.rootfs</option> <option>lxc.rootfs.path</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1486,7 +1486,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -1486,7 +1486,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
<listitem> <listitem>
<para> <para>
<!-- <!--
where to recursively bind <option>lxc.rootfs</option> where to recursively bind <option>lxc.rootfs.path</option>
before pivoting. This is to ensure success of the before pivoting. This is to ensure success of the
<citerefentry> <citerefentry>
<refentrytitle><command>pivot_root</command></refentrytitle> <refentrytitle><command>pivot_root</command></refentrytitle>
...@@ -1495,7 +1495,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -1495,7 +1495,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
syscall. Any directory suffices, the default should syscall. Any directory suffices, the default should
generally work. generally work.
--> -->
root ファイルシステムの変更の前に、<option>lxc.rootfs</option> を再帰的にどこにバインドするのかを指定します。これは root ファイルシステムの変更の前に、<option>lxc.rootfs.path</option> を再帰的にどこにバインドするのかを指定します。これは
<citerefentry> <citerefentry>
<refentrytitle><command>pivot_root</command></refentrytitle> <refentrytitle><command>pivot_root</command></refentrytitle>
<manvolnum>8</manvolnum> <manvolnum>8</manvolnum>
...@@ -1690,7 +1690,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -1690,7 +1690,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.aa_profile</option> <option>lxc.apparmor.profile</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1702,7 +1702,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -1702,7 +1702,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
コンテナが従うべき apparmor プロファイルを指定します。 コンテナが従うべき apparmor プロファイルを指定します。
コンテナが apparmor による制限を受けないように設定するには、以下のように設定します。 コンテナが apparmor による制限を受けないように設定するには、以下のように設定します。
</para> </para>
<programlisting>lxc.aa_profile = unconfined</programlisting> <programlisting>lxc.apparmor.profile = unconfined</programlisting>
<para> <para>
<!-- <!--
If the apparmor profile should remain unchanged (i.e. if you If the apparmor profile should remain unchanged (i.e. if you
...@@ -1710,12 +1710,12 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -1710,12 +1710,12 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
--> -->
もし apparmor プロファイルが変更されないままでなくてはならない場合 (ネストしたコンテナである場合や、すでに confined されている場合) は以下のように設定します。 もし apparmor プロファイルが変更されないままでなくてはならない場合 (ネストしたコンテナである場合や、すでに confined されている場合) は以下のように設定します。
</para> </para>
<programlisting>lxc.aa_profile = unchanged</programlisting> <programlisting>lxc.apparmor.profile = unchanged</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.aa_allow_incomplete</option> <option>lxc.apparmor.allow_incomplete</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1764,7 +1764,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -1764,7 +1764,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.se_context</option> <option>lxc.selinux.context</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1774,7 +1774,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -1774,7 +1774,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
--> -->
コンテナが従うべき SELinux コンテキストを指定するか、<command>unconfined_t</command> を指定します。例えば以下のように設定します。 コンテナが従うべき SELinux コンテキストを指定するか、<command>unconfined_t</command> を指定します。例えば以下のように設定します。
</para> </para>
<programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting> <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
...@@ -1958,7 +1958,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -1958,7 +1958,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
<listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem> <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
<listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem> <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
<listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem> <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
<listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem> <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
</itemizedlist> </itemizedlist>
--> -->
コンテナのフックが実行されるとき、情報がコマンドライン引数と環境変数の両方を通して渡されます。引数は: コンテナのフックが実行されるとき、情報がコマンドライン引数と環境変数の両方を通して渡されます。引数は:
...@@ -1974,7 +1974,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -1974,7 +1974,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
<listitem><para> LXC_ROOTFS_MOUNT: マウントされた root ファイルシステムへのパス</para></listitem> <listitem><para> LXC_ROOTFS_MOUNT: マウントされた root ファイルシステムへのパス</para></listitem>
<listitem><para> LXC_CONFIG_FILE: コンテナの設定ファイルのパス </para></listitem> <listitem><para> LXC_CONFIG_FILE: コンテナの設定ファイルのパス </para></listitem>
<listitem><para> LXC_SRC_NAME: clone フックの場合、元のコンテナの名前</para></listitem> <listitem><para> LXC_SRC_NAME: clone フックの場合、元のコンテナの名前</para></listitem>
<listitem><para> LXC_ROOTFS_PATH: コンテナの lxc.rootfs エントリ。これはマウントされた rootfs が存在する場所にはならないでしょう。それには LXC_ROOTFS_MOUNT を使用してください。</para></listitem> <listitem><para> LXC_ROOTFS_PATH: コンテナの lxc.rootfs.path エントリ。これはマウントされた rootfs が存在する場所にはならないでしょう。それには LXC_ROOTFS_MOUNT を使用してください。</para></listitem>
</itemizedlist> </itemizedlist>
</para> </para>
<para> <para>
...@@ -2280,10 +2280,10 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -2280,10 +2280,10 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
<!-- <!--
The host relative path to the container root which has been The host relative path to the container root which has been
mounted to the rootfs.mount location. mounted to the rootfs.mount location.
[<option>lxc.rootfs</option>] [<option>lxc.rootfs.path</option>]
--> -->
rootfs.mount へマウントされるコンテナのルートへのホスト上のパスです。 rootfs.mount へマウントされるコンテナのルートへのホスト上のパスです。
[<option>lxc.rootfs</option>] [<option>lxc.rootfs.path</option>]
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -2705,7 +2705,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp> ...@@ -2705,7 +2705,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
lxc.cgroup.devices.allow = b 8:0 rw lxc.cgroup.devices.allow = b 8:0 rw
lxc.mount.fstab = /etc/fstab.complex lxc.mount.fstab = /etc/fstab.complex
lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
lxc.rootfs = /mnt/rootfs.complex lxc.rootfs.path = dir:/mnt/rootfs.complex
lxc.cap.drop = sys_module mknod setuid net_raw lxc.cap.drop = sys_module mknod setuid net_raw
lxc.cap.drop = mac_override lxc.cap.drop = mac_override
</programlisting> </programlisting>
...@@ -658,7 +658,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com> ...@@ -658,7 +658,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.net.[i].ipv4</option> <option>lxc.net.[i].ipv4.address</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -709,7 +709,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com> ...@@ -709,7 +709,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.net.[i].ipv6</option> <option>lxc.net.[i].ipv6.address</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -837,7 +837,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com> ...@@ -837,7 +837,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.pts</option> <option>lxc.pty.max</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -881,7 +881,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com> ...@@ -881,7 +881,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.console</option> <option>lxc.console.path</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -920,7 +920,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com> ...@@ -920,7 +920,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.tty</option> <option>lxc.tty.max</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -957,7 +957,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com> ...@@ -957,7 +957,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.devttydir</option> <option>lxc.tty.dir</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1069,7 +1069,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com> ...@@ -1069,7 +1069,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.mount</option> <option>lxc.mount.fstab</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1426,7 +1426,7 @@ proc proc proc nodev,noexec,nosuid 0 0 ...@@ -1426,7 +1426,7 @@ proc proc proc nodev,noexec,nosuid 0 0
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.rootfs</option> <option>lxc.rootfs.path</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1471,7 +1471,7 @@ proc proc proc nodev,noexec,nosuid 0 0 ...@@ -1471,7 +1471,7 @@ proc proc proc nodev,noexec,nosuid 0 0
<listitem> <listitem>
<para> <para>
<!-- <!--
where to recursively bind <option>lxc.rootfs</option> where to recursively bind <option>lxc.rootfs.path</option>
before pivoting. This is to ensure success of the before pivoting. This is to ensure success of the
<citerefentry> <citerefentry>
<refentrytitle><command>pivot_root</command></refentrytitle> <refentrytitle><command>pivot_root</command></refentrytitle>
...@@ -1480,7 +1480,7 @@ proc proc proc nodev,noexec,nosuid 0 0 ...@@ -1480,7 +1480,7 @@ proc proc proc nodev,noexec,nosuid 0 0
syscall. Any directory suffices, the default should syscall. Any directory suffices, the default should
generally work. generally work.
--> -->
루트 파일시스템을 변경하기 전에, <option>lxc.rootfs</option>을 어디에 재귀적으로 바인드할지 정한다. 이는 루트 파일시스템을 변경하기 전에, <option>lxc.rootfs.path</option>을 어디에 재귀적으로 바인드할지 정한다. 이는
<citerefentry> <citerefentry>
<refentrytitle><command>pivot_root</command></refentrytitle> <refentrytitle><command>pivot_root</command></refentrytitle>
<manvolnum>8</manvolnum> <manvolnum>8</manvolnum>
...@@ -1630,7 +1630,7 @@ proc proc proc nodev,noexec,nosuid 0 0 ...@@ -1630,7 +1630,7 @@ proc proc proc nodev,noexec,nosuid 0 0
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.aa_profile</option> <option>lxc.apparmor.profile</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1642,7 +1642,7 @@ proc proc proc nodev,noexec,nosuid 0 0 ...@@ -1642,7 +1642,7 @@ proc proc proc nodev,noexec,nosuid 0 0
컨테이너가 따라야할 apparmor 프로파일을 지정한다. 컨테이너가 따라야할 apparmor 프로파일을 지정한다.
컨테이너가 apparmor로 인한 제한을 받지 않도록 하려면, 아래와 같이 지정하면 된다. 컨테이너가 apparmor로 인한 제한을 받지 않도록 하려면, 아래와 같이 지정하면 된다.
</para> </para>
<programlisting>lxc.aa_profile = unconfined</programlisting> <programlisting>lxc.apparmor.profile = unconfined</programlisting>
<para> <para>
<!-- <!--
If the apparmor profile should remain unchanged (i.e. if you If the apparmor profile should remain unchanged (i.e. if you
...@@ -1650,12 +1650,12 @@ proc proc proc nodev,noexec,nosuid 0 0 ...@@ -1650,12 +1650,12 @@ proc proc proc nodev,noexec,nosuid 0 0
--> -->
apparmor 프로파일이 변경되지 않아야 한다면(중첩 컨테이너 안에 있고, 이미 confined된 경우), 아래와 같이 지정하면 된다. apparmor 프로파일이 변경되지 않아야 한다면(중첩 컨테이너 안에 있고, 이미 confined된 경우), 아래와 같이 지정하면 된다.
</para> </para>
<programlisting>lxc.aa_profile = unchanged</programlisting> <programlisting>lxc.apparmor.profile = unchanged</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.aa_allow_incomplete</option> <option>lxc.apparmor.allow_incomplete</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1704,7 +1704,7 @@ proc proc proc nodev,noexec,nosuid 0 0 ...@@ -1704,7 +1704,7 @@ proc proc proc nodev,noexec,nosuid 0 0
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.se_context</option> <option>lxc.selinux.context</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1714,7 +1714,7 @@ proc proc proc nodev,noexec,nosuid 0 0 ...@@ -1714,7 +1714,7 @@ proc proc proc nodev,noexec,nosuid 0 0
--> -->
컨테이너가 따라야할 SELinux 컨텍스트를 지정하거나, <command>unconfined_t</command>를 지정할 수 있다. 예를 들어 아래와 같이 지정 가능하다. 컨테이너가 따라야할 SELinux 컨텍스트를 지정하거나, <command>unconfined_t</command>를 지정할 수 있다. 예를 들어 아래와 같이 지정 가능하다.
</para> </para>
<programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting> <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
...@@ -1768,7 +1768,7 @@ mknod errno 0 ...@@ -1768,7 +1768,7 @@ mknod errno 0
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.seccomp</option> <option>lxc.seccomp.profile</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1889,7 +1889,7 @@ mknod errno 0 ...@@ -1889,7 +1889,7 @@ mknod errno 0
<listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem> <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
<listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem> <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
<listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem> <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
<listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem> <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
</itemizedlist> </itemizedlist>
--> -->
컨테이너 훅이 실행될 때, 정보는 명령어 인수나 환경 변수를 통해 넘겨진다. 컨테이너 훅이 실행될 때, 정보는 명령어 인수나 환경 변수를 통해 넘겨진다.
...@@ -1906,7 +1906,7 @@ mknod errno 0 ...@@ -1906,7 +1906,7 @@ mknod errno 0
<listitem><para> LXC_ROOTFS_MOUNT: 마운트될 루트 파일시스템의 경로</para></listitem> <listitem><para> LXC_ROOTFS_MOUNT: 마운트될 루트 파일시스템의 경로</para></listitem>
<listitem><para> LXC_CONFIG_FILE: 컨테이너 설정파일의 경로</para></listitem> <listitem><para> LXC_CONFIG_FILE: 컨테이너 설정파일의 경로</para></listitem>
<listitem><para> LXC_SRC_NAME: clone 훅의 경우, 원본 컨테이너의 이름</para></listitem> <listitem><para> LXC_SRC_NAME: clone 훅의 경우, 원본 컨테이너의 이름</para></listitem>
<listitem><para> LXC_ROOTFS_PATH: 컨테이너의 lxc.rootfs 항목. 이 것은 마운트된 루트 파일시스템을 가리키는 것이 아님에 주의해야한다. 그 목적을 위해서는 LXC_ROOTFS_MOUNT를 사용해야 한다.</para></listitem> <listitem><para> LXC_ROOTFS_PATH: 컨테이너의 lxc.rootfs.path 항목. 이 것은 마운트된 루트 파일시스템을 가리키는 것이 아님에 주의해야한다. 그 목적을 위해서는 LXC_ROOTFS_MOUNT를 사용해야 한다.</para></listitem>
</itemizedlist> </itemizedlist>
</para> </para>
<para> <para>
...@@ -2150,10 +2150,10 @@ mknod errno 0 ...@@ -2150,10 +2150,10 @@ mknod errno 0
<para> <para>
<!-- <!--
The path to the console output of the container if not NULL. The path to the console output of the container if not NULL.
[<option>-c</option>] [<option>lxc.console</option>] [<option>-c</option>] [<option>lxc.console.path</option>]
--> -->
NULL이 아니라면, 컨테이너의 콘솔의 출력이 저장될 경로. NULL이 아니라면, 컨테이너의 콘솔의 출력이 저장될 경로.
[<option>-c</option>] [<option>lxc.console</option>] [<option>-c</option>] [<option>lxc.console.path</option>]
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -2206,10 +2206,10 @@ mknod errno 0 ...@@ -2206,10 +2206,10 @@ mknod errno 0
<!-- <!--
The host relative path to the container root which has been The host relative path to the container root which has been
mounted to the rootfs.mount location. mounted to the rootfs.mount location.
[<option>lxc.rootfs</option>] [<option>lxc.rootfs.path</option>]
--> -->
rootfs.mount에 마운트된 컨테이너 루트의 호스트에서의 경로이다. rootfs.mount에 마운트된 컨테이너 루트의 호스트에서의 경로이다.
[<option>lxc.rootfs</option>] [<option>lxc.rootfs.path</option>]
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -2552,8 +2552,8 @@ mknod errno 0 ...@@ -2552,8 +2552,8 @@ mknod errno 0
lxc.net.0.link = br0 lxc.net.0.link = br0
lxc.net.0.name = eth0 lxc.net.0.name = eth0
lxc.net.0.hwaddr = 4a:49:43:49:79:bf lxc.net.0.hwaddr = 4a:49:43:49:79:bf
lxc.net.0.ipv4 = 1.2.3.5/24 1.2.3.255 lxc.net.0.ipv4.address = 1.2.3.5/24 1.2.3.255
lxc.net.0.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597 lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
</programlisting> </programlisting>
</refsect2> </refsect2>
...@@ -2601,30 +2601,30 @@ mknod errno 0 ...@@ -2601,30 +2601,30 @@ mknod errno 0
lxc.net.0.flags = up lxc.net.0.flags = up
lxc.net.0.link = br0 lxc.net.0.link = br0
lxc.net.0.hwaddr = 4a:49:43:49:79:bf lxc.net.0.hwaddr = 4a:49:43:49:79:bf
lxc.net.0.ipv4 = 10.2.3.5/24 10.2.3.255 lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
lxc.net.0.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597 lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
lxc.net.0.ipv6 = 2003:db8:1:0:214:5432:feab:3588 lxc.net.0.ipv6.address = 2003:db8:1:0:214:5432:feab:3588
lxc.net.1.type = macvlan lxc.net.1.type = macvlan
lxc.net.1.flags = up lxc.net.1.flags = up
lxc.net.1.link = eth0 lxc.net.1.link = eth0
lxc.net.1.hwaddr = 4a:49:43:49:79:bd lxc.net.1.hwaddr = 4a:49:43:49:79:bd
lxc.net.1.ipv4 = 10.2.3.4/24 lxc.net.1.ipv4.address = 10.2.3.4/24
lxc.net.1.ipv4 = 192.168.10.125/24 lxc.net.1.ipv4.address = 192.168.10.125/24
lxc.net.1.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596 lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
lxc.net.2.type = phys lxc.net.2.type = phys
lxc.net.2.flags = up lxc.net.2.flags = up
lxc.net.2.link = dummy0 lxc.net.2.link = dummy0
lxc.net.2.hwaddr = 4a:49:43:49:79:ff lxc.net.2.hwaddr = 4a:49:43:49:79:ff
lxc.net.2.ipv4 = 10.2.3.6/24 lxc.net.2.ipv4.address = 10.2.3.6/24
lxc.net.2.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297 lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297
lxc.cgroup.cpuset.cpus = 0,1 lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.cpu.shares = 1234 lxc.cgroup.cpu.shares = 1234
lxc.cgroup.devices.deny = a lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = b 8:0 rw lxc.cgroup.devices.allow = b 8:0 rw
lxc.mount = /etc/fstab.complex lxc.mount.fstab = /etc/fstab.complex
lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
lxc.rootfs = /mnt/rootfs.complex lxc.rootfs.path = dir:/mnt/rootfs.complex
lxc.cap.drop = sys_module mknod setuid net_raw lxc.cap.drop = sys_module mknod setuid net_raw
lxc.cap.drop = mac_override lxc.cap.drop = mac_override
</programlisting> </programlisting>
...@@ -1224,7 +1224,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ...@@ -1224,7 +1224,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.aa_profile</option> <option>lxc.apparmor.profile</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1232,17 +1232,17 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ...@@ -1232,17 +1232,17 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
be run. To specify that the container should be unconfined, be run. To specify that the container should be unconfined,
use use
</para> </para>
<programlisting>lxc.aa_profile = unconfined</programlisting> <programlisting>lxc.apparmor.profile = unconfined</programlisting>
<para> <para>
If the apparmor profile should remain unchanged (i.e. if you If the apparmor profile should remain unchanged (i.e. if you
are nesting containers and are already confined), then use are nesting containers and are already confined), then use
</para> </para>
<programlisting>lxc.aa_profile = unchanged</programlisting> <programlisting>lxc.apparmor.profile = unchanged</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.aa_allow_incomplete</option> <option>lxc.apparmor.allow_incomplete</option>
</term> </term>
<listitem> <listitem>
<para> <para>
...@@ -1278,14 +1278,14 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ...@@ -1278,14 +1278,14 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.se_context</option> <option>lxc.selinux.context</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify the SELinux context under which the container should Specify the SELinux context under which the container should
be run or <command>unconfined_t</command>. For example be run or <command>unconfined_t</command>. For example
</para> </para>
<programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting> <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
...@@ -1370,7 +1370,7 @@ static int set_config_apparmor_allow_incomplete(const char *key, ...@@ -1370,7 +1370,7 @@ static int set_config_apparmor_allow_incomplete(const char *key,
return -1; return -1;
if (lxc_conf->lsm_aa_allow_incomplete > 1) { if (lxc_conf->lsm_aa_allow_incomplete > 1) {
ERROR("Wrong value for lxc.lsm_aa_allow_incomplete. Can only " ERROR("Wrong value for lxc.apparmor.allow_incomplete. Can only "
"be set to 0 or 1"); "be set to 0 or 1");
return -1; return -1;
} }
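Review bot: The corrected ERROR message still hardcodes the key name even though the setter receives the key the user actually wrote as `key` (visible in the hunk header `set_config_apparmor_allow_incomplete(const char *key,`); if the old `lxc.aa_allow_incomplete` spelling is still routed to this setter, the user is told about a key that is not in their config, and the string will drift again on the next rename. Prefer `ERROR("Wrong value for %s. Can only be set to 0 or 1", key);` assuming ERROR takes printf-style arguments as elsewhere in the tree. The body of set_config_apparmor_allow_incomplete begins and ends outside the hunk, so the range check on `lsm_aa_allow_incomplete` and how the value is parsed cannot be reviewed from here.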
...@@ -218,7 +218,7 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf ...@@ -218,7 +218,7 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
WARN("Incomplete AppArmor support in your kernel"); WARN("Incomplete AppArmor support in your kernel");
if (!conf->lsm_aa_allow_incomplete) { if (!conf->lsm_aa_allow_incomplete) {
ERROR("If you really want to start this container, set"); ERROR("If you really want to start this container, set");
ERROR("lxc.aa_allow_incomplete = 1"); ERROR("lxc.apparmor.allow_incomplete = 1");
ERROR("in your container configuration file"); ERROR("in your container configuration file");
return -1; return -1;
} }
...@@ -51,11 +51,11 @@ static void test_lsm_detect(void) ...@@ -51,11 +51,11 @@ static void test_lsm_detect(void)
{ {
if (lsm_enabled()) { if (lsm_enabled()) {
if (!strcmp(lsm_name(), "SELinux")) { if (!strcmp(lsm_name(), "SELinux")) {
lsm_config_key = "lxc.se_context"; lsm_config_key = "lxc.selinux.context";
lsm_label = "unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023"; lsm_label = "unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023";
} }
else if (!strcmp(lsm_name(), "AppArmor")) { else if (!strcmp(lsm_name(), "AppArmor")) {
lsm_config_key = "lxc.aa_profile"; lsm_config_key = "lxc.apparmor.profile";
if (file_exists("/proc/self/ns/cgroup")) if (file_exists("/proc/self/ns/cgroup"))
lsm_label = "lxc-container-default-cgns"; lsm_label = "lxc-container-default-cgns";
else else
...@@ -170,7 +170,7 @@ fi ...@@ -170,7 +170,7 @@ fi
run_cmd lxc-stop -n $cname -k run_cmd lxc-stop -n $cname -k
echo "test regular unconfined container" echo "test regular unconfined container"
echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname` pid=`run_cmd lxc-info -p -H -n $cname`
...@@ -185,7 +185,7 @@ echo "masking $MOUNTSR" ...@@ -185,7 +185,7 @@ echo "masking $MOUNTSR"
mount --bind $dnam $MOUNTSR mount --bind $dnam $MOUNTSR
echo "test default confined container" echo "test default confined container"
sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d || true run_cmd lxc-start -n $cname -d || true
sleep 3 sleep 3
pid=`run_cmd lxc-info -p -H -n $cname` || true pid=`run_cmd lxc-info -p -H -n $cname` || true
...@@ -196,7 +196,7 @@ if [ -n "$pid" -a "$pid" != "-1" ]; then ...@@ -196,7 +196,7 @@ if [ -n "$pid" -a "$pid" != "-1" ]; then
fi fi
echo "test regular unconfined container" echo "test regular unconfined container"
echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname` pid=`run_cmd lxc-info -p -H -n $cname`
...@@ -212,8 +212,8 @@ fi ...@@ -212,8 +212,8 @@ fi
run_cmd lxc-stop -n $cname -k run_cmd lxc-stop -n $cname -k
echo "testing override" echo "testing override"
sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
echo "lxc.aa_allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config echo "lxc.apparmor.allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname` pid=`run_cmd lxc-info -p -H -n $cname`
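Review bot: The two `sed -i '/apparmor.profile/d'` deletions (the "test default confined container" and "testing override" steps) use an unescaped `.`, so the pattern is a regex that matches any character in that position rather than the literal key; it should be `sed -i '/apparmor\.profile/d'` at both places. The previous `aa_profile` pattern had no such metacharacter, so this is a small regression in the precision of the test's config cleanup. The surrounding script runs before and after these hunks, so whether the config is reset between steps in some other way cannot be confirmed here.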
...@@ -371,7 +371,7 @@ int main(int argc, char *argv[]) ...@@ -371,7 +371,7 @@ int main(int argc, char *argv[])
*/ */
if (set_get_compare_clear_save_load(c, "lxc.se_context", "system_u:system_r:lxc_t:s0:c22", if (set_get_compare_clear_save_load(c, "lxc.se_context", "system_u:system_r:lxc_t:s0:c22",
tmpf, true) < 0) { tmpf, true) < 0) {
lxc_error("%s\n", "lxc.apparmor.se_context"); lxc_error("%s\n", "lxc.se_context");
goto non_test_error; goto non_test_error;
} }
...@@ -392,7 +392,7 @@ int main(int argc, char *argv[]) ...@@ -392,7 +392,7 @@ int main(int argc, char *argv[])
/* lxc.selinux.context */ /* lxc.selinux.context */
if (set_get_compare_clear_save_load(c, "lxc.selinux.context", "system_u:system_r:lxc_t:s0:c22", if (set_get_compare_clear_save_load(c, "lxc.selinux.context", "system_u:system_r:lxc_t:s0:c22",
tmpf, true) < 0) { tmpf, true) < 0) {
lxc_error("%s\n", "lxc.apparmor.selinux.context"); lxc_error("%s\n", "lxc.selinux.context");
goto non_test_error; goto non_test_error;
} }
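Review bot: Each of the two corrected `lxc_error` messages in this section repeats the key literal already passed to `set_get_compare_clear_save_load` on the line above, which is exactly how the stale `"lxc.apparmor.se_context"` and `"lxc.apparmor.selinux.context"` strings crept in. Hoisting the key into one local and passing it to both calls, e.g. `const char *key = "lxc.selinux.context";` followed by `set_get_compare_clear_save_load(c, key, ...)` and `lxc_error("%s\n", key);`, removes the duplication and keeps the log output honest on the next rename. The enclosing main() starts and ends outside the hunks.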
...@@ -282,7 +282,7 @@ lxc.pty.max = 1024 ...@@ -282,7 +282,7 @@ lxc.pty.max = 1024
lxc.cap.drop = sys_module mac_admin mac_override sys_time lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
#networking #networking
#lxc.net.0.type = $lxc_network_type #lxc.net.0.type = $lxc_network_type
......
...@@ -349,7 +349,7 @@ lxc.pty.max = 1 ...@@ -349,7 +349,7 @@ lxc.pty.max = 1
lxc.cap.drop = sys_module mac_admin mac_override sys_time lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0 lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
......
...@@ -644,7 +644,7 @@ lxc.arch = $arch ...@@ -644,7 +644,7 @@ lxc.arch = $arch
lxc.uts.name = $utsname lxc.uts.name = $utsname
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
# example simple networking setup, uncomment to enable # example simple networking setup, uncomment to enable
#lxc.net.0.type = $lxc_network_type #lxc.net.0.type = $lxc_network_type
......
...@@ -128,7 +128,7 @@ lxc.arch = $arch ...@@ -128,7 +128,7 @@ lxc.arch = $arch
lxc.cap.drop = sys_module mac_admin mac_override sys_time lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.cgroup.devices.deny = a lxc.cgroup.devices.deny = a
......
...@@ -1130,7 +1130,7 @@ lxc.arch = $arch ...@@ -1130,7 +1130,7 @@ lxc.arch = $arch
lxc.uts.name = $utsname lxc.uts.name = $utsname
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
# example simple networking setup, uncomment to enable # example simple networking setup, uncomment to enable
#lxc.net.0.type = $lxc_network_type #lxc.net.0.type = $lxc_network_type
......
...@@ -489,7 +489,7 @@ lxc.arch = ${basearch} ...@@ -489,7 +489,7 @@ lxc.arch = ${basearch}
lxc.uts.name = ${utsname} lxc.uts.name = ${utsname}
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
# example simple networking setup, uncomment to enable # example simple networking setup, uncomment to enable
#lxc.net.0.type = ${lxc_network_type} #lxc.net.0.type = ${lxc_network_type}
......
...@@ -235,7 +235,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time ...@@ -235,7 +235,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
#networking #networking
lxc.net.0.type = $lxc_network_type lxc.net.0.type = $lxc_network_type
......
...@@ -355,7 +355,7 @@ lxc.uts.name = $name ...@@ -355,7 +355,7 @@ lxc.uts.name = $name
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
lxc.aa_profile = unconfined lxc.apparmor.profile = unconfined
# example simple networking setup, uncomment to enable # example simple networking setup, uncomment to enable
#lxc.net.0.type = $lxc_network_type #lxc.net.0.type = $lxc_network_type
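Review bot: On the changed line, `lxc.apparmor.profile = unconfined` is active (no leading `#`), while the comment directly above it says "uncomment the next line to run unconfined"; as written, every container generated from this template runs unconfined under AppArmor by default, which contradicts the comment and differs from the other templates in this commit, where the line is commented out. Unless this template deliberately requires an unconfined container, the line should read `#lxc.apparmor.profile = unconfined`; if it is deliberate, the comment should say so, e.g. `# This template requires the container to run unconfined under apparmor:`. The template heredoc this hunk belongs to starts and ends outside the hunk.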
......
...@@ -248,7 +248,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time ...@@ -248,7 +248,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.autodev = $auto_dev lxc.autodev = $auto_dev
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
## Devices ## Devices
# Allow all devices # Allow all devices
......
...@@ -134,7 +134,7 @@ lxc.pty.max = 1024 ...@@ -134,7 +134,7 @@ lxc.pty.max = 1024
lxc.cap.drop = sys_module mac_admin mac_override sys_time lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined #lxc.apparmor.profile = unconfined
lxc.mount.entry = /dev dev none ro,bind 0 0 lxc.mount.entry = /dev dev none ro,bind 0 0
lxc.mount.entry = /lib lib none ro,bind 0 0 lxc.mount.entry = /lib lib none ro,bind 0 0
......