doc: Add the Korean description that automount is ignored when cgroup namespaces...

Update for commit 4608594

Signed-off-by: Sungbae Yoo <sungbae.yoo@samsung.com>

diff --git a/doc/ko/lxc-attach.sgml.in b/doc/ko/lxc-attach.sgml.in
index cc244d16e51481cac89b4932cb0c845a6daf25f6..b863dd76ed19cb2612b9c9b53b7db16b083c1888 100644 (file)
--- a/doc/ko/lxc-attach.sgml.in
+++ b/doc/ko/lxc-attach.sgml.in
@@ -94,25 +94,22 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
     <para>
       <!--
       Previous versions of <command>lxc-attach</command> simply attached to the
-      specified namespaces of a container and ran a shell or the specified
-      command without allocating a pseudo terminal. This made them vulnerable to
+      specified namespaces of a container and ran a shell or the specified command
+      without first allocating a pseudo terminal. This made them vulnerable to
       input faking via a TIOCSTI <command>ioctl</command> call after switching
       between userspace execution contexts with different privilege levels. Newer
       versions of <command>lxc-attach</command> will try to allocate a pseudo
-      terminal master/slave pair and attach any standard file descriptors which
-      refer to a terminal to the slave side of the pseudo terminal before
-      executing a shell or command. <command>lxc-attach</command> will first try
-      to allocate a pseudo terminal in the container. Should this fail it will try
-      to allocate a pseudo terminal on the host before finally giving up. Note,
-      that if none of the standard file descriptors refer to a terminal
-      <command>lxc-attach</command> will not try to allocate a pseudo terminal.
-      Instead it will simply attach to the containers namespaces and run a shell
-      or the specified command.
+      terminal master/slave pair on the host and attach any standard file
+      descriptors which refer to a terminal to the slave side of the pseudo
+      terminal before executing a shell or command. Note, that if none of the
+      standard file descriptors refer to a terminal <command>lxc-attach</command>
+      will not try to allocate a pseudo terminal. Instead it will simply attach
+      to the containers namespaces and run a shell or the specified command.
       -->
-      이전 버전의 <command>lxc-attach</command>는 단순히 컨테이너의 특정 네임스페이스에 붙어, 쉘을 실행하거나 pseudo 터미널 할당 없이 특정 명령어를 실행하였다.
+      이전 버전의 <command>lxc-attach</command>는 단순히 컨테이너의 특정 네임스페이스에 붙어, 쉘을 실행하거나 첫 번째 pseudo 터미널 할당 없이 특정 명령어를 실행하였다.
       이는 다른 특권 수준을 갖는 사용자 영역 컨텍스트 간의 전환후 TIOCSTI <command>ioctl</command>를 호출하여 입력을 가로챌 수 있는 취약점이 있다.
-      ì\83\88ë¡\9cì\9a´ ë²\84ì \84ì\9d\98 <command>lxc-attach</command>ë\8a\94 ì\89\98ì\9d´ë\82\98 ëª\85ë ¹ì\96´ë¥¼ ì\8b¤í\96\89í\95\98기 ì \84ì\97\90, pseudo í\84°ë¯¸ë\84\90 ë§\88ì\8a¤í\84°/ì\8a¬ë \88ì\9d´ë¸\8c ì\8c\8dì\9d\84 í\95 ë\8b¹í\95\98ê³ , í\84°ë¯¸ë\84\90ì\9d\84 ê°\80리í\82¤ê³  ì\9e\88ë\8d\98 í\91\9cì¤\80 ì\9e\85ì¶\9cë ¥ í\8c\8cì\9d¼ ë\94\94ì\8a¤í\81¬ë¦½í\84°ë\93¤ì\9d\80 ì\8a¬ë \88ì\9d´ë¸\8c pseudo í\84°ë¯¸ë\84\90ë¡\9c ë¶\99ì\9d¸ë\8b¤. <command>lxc-attach</command>ë\8a\94 ì²\98ì\9d\8cì\97\90 컨í\85\8cì\9d´ë\84\88 ë\82´ë¶\80ì\97\90 pseudo í\84°ë¯¸ë\84\90ì\9d\84 í\95 ë\8b¹í\95\9cë\8b¤. ë§\8cì\95½ ì\9d´ê²\83ì\9d´ ì\8b¤í\8c¨í\95\98ë©´, í\98¸ì\8a¤í\8a¸ì\97\90 í\95 ë\8b¹í\95\98ê³ , ì\9d´ë§\88ì \80 ì\8b¤í\8c¨í\95\98ë©´ í\95 ë\8b¹ì\9d\84 í\8f¬ê¸°í\95\9c다.
-      터미널을 가리키고 있던 표준 입출력 파일 디스크립터가 아예 없었다면, <command>lxc-attach</command>는 pseudo 터미널 할당을 시도하지 않는다. 단순히 컨테이너 네임스페이스에 붙어 쉘이나 지정한 명령어만 실행할 뿐이다.
+      ì\83\88ë¡\9cì\9a´ ë²\84ì \84ì\9d\98 <command>lxc-attach</command>ë\8a\94 ì\89\98ì\9d´ë\82\98 ëª\85ë ¹ì\96´ë¥¼ ì\8b¤í\96\89í\95\98기 ì \84ì\97\90, pseudo í\84°ë¯¸ë\84\90 ë§\88ì\8a¤í\84°/ì\8a¬ë \88ì\9d´ë¸\8c ì\8c\8dì\9d\84 í\98¸ì\8a¤í\8a¸ì\97\90 í\95 ë\8b¹í\95\98ê³  í\84°ë¯¸ë\84\90ì\9d\84 ê°\80리í\82¤ê³  ì\9e\88ë\8d\98 í\91\9cì¤\80 ì\9e\85ì¶\9cë ¥ í\8c\8cì\9d¼ ë\94\94ì\8a¤í\81¬ë¦½í\84°ë\93¤ì\9d\80 ì\8a¬ë \88ì\9d´ë¸\8c pseudo í\84°ë¯¸ë\84\90ë¡\9c ë¶\99ì\9d¸다.
+      터미널을 가리키고 있던 표준 입출력 파일 디스크립터가 아예 없었다면, <command>lxc-attach</command>는 pseudo 터미널 할당을 시도하지 않음에 주의해야 한다. 단순히 컨테이너 네임스페이스에 붙어 쉘이나 지정한 명령어만 실행할 뿐이다.
     </para>
 
   </refsect1>

diff --git a/doc/ko/lxc.container.conf.sgml.in b/doc/ko/lxc.container.conf.sgml.in
index 4b168858a881ab37ebde3c029d22b0336e4080a9..7ea67c04b7b0ef405433630cf24ce8f635b4d2e3 100644 (file)
--- a/doc/ko/lxc.container.conf.sgml.in
+++ b/doc/ko/lxc.container.conf.sgml.in
@@ -1233,7 +1233,7 @@ proc proc proc nodev,noexec,nosuid 0 0
                  the container's own cgroup into that directory.
                  The container will be able to write to its own
                  cgroup directory, but not the parents, since they
-                 will be remounted read-only
+                 will be remounted read-only.
                </para>
                 -->
                 <para>
@@ -1360,6 +1360,15 @@ proc proc proc nodev,noexec,nosuid 0 0
                </para>
              </listitem>
            </itemizedlist>
+            <para>
+              <!--
+              If cgroup namespaces are enabled, then any <option>cgroup</option>
+              auto-mounting request will be ignored, since the container can
+              mount the filesystems itself, and automounting can confuse the
+              container init.
+              -->
+              cgroup 네임스페이스가 사용 가능한 경우, <option>cgroup</option> 마운트 옵션들은 전부 무시될 것이다. 컨테이너가 직접 파일시스템을 마운트하기 때문이며, 컨테이너 초기화시 해당 옵션이 혼란을 줄 수 있기 때문이다.
+            </para>
            <para>
               <!--
              Note that if automatic mounting of the cgroup filesystem