From: KATOH Yasufumi <karma@jazz.email.ne.jp>
Date: Wed, 21 Feb 2018 11:12:59 +0000 (+0900)
Subject: doc: add "force" option of lxc.mount.auto to Japanese lxc.container.conf(5)
X-Git-Tag: lxc-3.0.0.beta1~21^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3f163e459f85c7eee281f8a5f3491225686422de;p=thirdparty%2Flxc.git

doc: add "force" option of lxc.mount.auto to Japanese lxc.container.conf(5)

Update for commit 3f69fb1, and and reduce commentnized English line.

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
---

diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in
index 041fc6d75..20d912750 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
@@ -1440,138 +1440,159 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
             </para>
             <itemizedlist>
               <listitem>
-                <!--
                 <para>
                   <option>proc:mixed</option> (or <option>proc</option>):
+                <!--
                   mount <filename>/proc</filename> as read-write, but
                   remount <filename>/proc/sys</filename> and
                   <filename>/proc/sysrq-trigger</filename> read-only
                   for security / container isolation purposes.
-                </para>
                 -->
-                <para>
-                  <option>proc:mixed</option> (or <option>proc</option>):
                   <filename>/proc</filename> ãèª­ã¿æ¸ãå¯è½ã§ãã¦ã³ããã¾ãã
                   ãã ãã<filename>/proc/sys</filename> ã¨ <filename>/proc/sysrq-trigger</filename> ã¯ãã»ã­ã¥ãªãã£ã¨ã³ã³ããã®éé¢ã®ç®çã§ãªã¼ããªã³ãªã¼ã§åãã¦ã³ãããã¾ãã
                 </para>
               </listitem>
               <listitem>
-                <!--
                 <para>
-                  <option>proc:rw</option>: mount
+                  <option>proc:rw</option>:
+                <!--
                   <filename>/proc</filename> as read-write
-                </para>
                 -->
-                <para>
-                  <option>proc:rw</option>:
                   <filename>/proc</filename> ãèª­ã¿æ¸ãå¯è½ã§ãã¦ã³ããã¾ãã
                 </para>
               </listitem>
               <listitem>
-                <!--
                 <para>
                   <option>sys:mixed</option> (or <option>sys</option>):
+                <!--
                   mount <filename>/sys</filename> as read-only but with
                   /sys/devices/virtual/net writable.
-                </para>
                 -->
-                <para>
-                  <option>sys:mixed</option> (or <option>sys</option>):
                   /sys/devices/virtual/net ã®ã¿æ¸ãè¾¼ã¿å¯è½ã§ããã®ä»ã® <filename>/sys</filename> ã¯ãªã¼ããªã³ãªã¼ã§ãã¦ã³ããã¾ãã
                 </para>
               </listitem>
               <listitem>
-                <!--
                 <para>
-                  <option>sys:ro</option>
+                  <option>sys:ro</option>:
+                <!--
                   mount <filename>/sys</filename> as read-only
                   for security / container isolation purposes.
-                </para>
                 -->
-                <para>
-                  <option>sys:ro</option>:
                   <filename>/sys</filename> ããã»ã­ã¥ãªãã£ã¨ã³ã³ããã®éé¢ã®ç®çã§ãªã¼ããªã³ãªã¼ã§ãã¦ã³ããã¾ãã
                 </para>
               </listitem>
               <listitem>
-                <!--
                 <para>
-                  <option>sys:rw</option>: mount
+                  <option>sys:rw</option>:
+                <!--
                   <filename>/sys</filename> as read-write
-                </para>
                 -->
-                <para>
-                  <option>sys:rw</option>:
                   <filename>/sys</filename> ãèª­ã¿æ¸ãå¯è½ã§ãã¦ã³ããã¾ãã
                 </para>
               </listitem>
               <listitem>
-                <!--
                 <para>
                   <option>cgroup:mixed</option>:
-                  mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
-                  create directories for all hierarchies to which
-                  the container is added, create subdirectories
-                  there with the name of the cgroup, and bind-mount
-                  the container's own cgroup into that directory.
-                  The container will be able to write to its own
-                  cgroup directory, but not the parents, since they
-                  will be remounted read-only
+                  <!--
+                  Mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
+                  create directories for all hierarchies to which the container
+                  is added, create subdirectories in those hierarchies with the
+                  name of the cgroup, and bind-mount the container's own cgroup
+                  into that directory. The container will be able to write to
+                  its own cgroup directory, but not the parents, since they will
+                  be remounted read-only.
+                    -->
+                  <filename>/sys/fs/cgroup</filename> ã tmpfs ã§ãã¦ã³ããããã®ã³ã³ããã®è¿½å ãè¡ãããå¨ã¦ã®éå±¤ã«å¯¾ãããã£ã¬ã¯ããªãä½æãããããã®éå±¤åã« cgroup åã§ãµããã£ã¬ã¯ããªãä½æãããã®ã³ã³ããèªèº«ã® cgroup ããã®ãã£ã¬ã¯ããªã«ãã¤ã³ããã¦ã³ããã¾ããã³ã³ããã¯èªèº«ã® cgroup ãã£ã¬ã¯ããªã«æ¸ãè¾¼ã¿ãå¯è½ã§ãããè¦ªãã£ã¬ã¯ããªã¯ãªã¼ããªã³ãªã¼ã§åãã¦ã³ãããã¦ããããæ¸ãè¾¼ãã¾ããã
                 </para>
-                -->
+              </listitem>
+
+              <listitem>
                 <para>
-                  <option>cgroup:mixed</option>:
-                  <filename>/sys/fs/cgroup</filename> ã tmpfs ã§ãã¦ã³ããããã®ã³ã³ããã®è¿½å ãè¡ãããå¨ã¦ã®éå±¤æ§é ã«å¯¾ãããã£ã¬ã¯ããªãä½è£½ãããã® cgroup ã®ååã§ãã®ä¸­ã«ãµããã£ã¬ã¯ããªãä½è£½ãããã®ã³ã³ããèªèº«ã® cgroup ããã®ãã£ã¬ã¯ããªã«ãã¤ã³ããã¦ã³ããã¾ãã
-                  ã³ã³ããã¯èªèº«ã® cgroup ãã£ã¬ã¯ããªã«æ¸ãè¾¼ã¿ãå¯è½ã§ãããè¦ªãã£ã¬ã¯ããªã¯ãªã¼ããªã³ãªã¼ã§åãã¦ã³ãããã¦ããããæ¸ãè¾¼ãã¾ããã
+                  <option>cgroup:mixed:force</option>:
+                  <!--
+                  The <option>force</option> option will cause LXC to perform
+                  the cgroup mounts for the container under all circumstances.
+                  Otherwise it is similar to <option>cgroup:mixed</option>.
+                  This is mainly useful when the cgroup namespaces are enabled
+                  where LXC will normally leave mounting cgroups to the init
+                  binary of the container since it is perfectly safe to do so.
+                    -->
+                  <option>force</option> ãæå®ããã¨ãLXC ã¯ããããç¶æ³ã§ã³ã³ããã®ããã® cgroup ãã¦ã³ããå®è¡ãã¾ããããä»¥å¤ã¯ <option>cgroup:mixed</option> ã¨åæ§ã§ããããã¯ä¸»ã« cgroup ååç©ºéãæå¹ãªå ´åã«ä¾¿å©ã§ãããã®å ´åã¯å®å¨ã«å®å¨ã§ãã®ã§ãLXC ã¯éå¸¸ã³ã³ããã® init ãã¤ããªã cgroup ããã¦ã³ãããã¾ã¾ã«ãã¦ããã¾ãã
                 </para>
               </listitem>
+
               <listitem>
-                <!--
                 <para>
-                  <option>cgroup:ro</option>: similar to
+                  <option>cgroup:ro</option>:
+                <!--
                   <option>cgroup:mixed</option>, but everything will
                 be mounted read-only.
-                </para>
                 -->
-                <para>
-                  <option>cgroup:ro</option>:
                   <option>cgroup:mixed</option> ã¨åæ§ã«ãã¦ã³ãããã¾ãããå¨ã¦ãªã¼ããªã³ãªã¼ã§ãã¦ã³ãããã¾ãã
                 </para>
               </listitem>
+
               <listitem>
-                <!--
                 <para>
-                  <option>cgroup:rw</option>: similar to
-                  <option>cgroup:mixed</option>, but everything will
-                  be mounted read-write. Note that the paths leading
-                  up to the container's own cgroup will be writable,
-                  but will not be a cgroup filesystem but just part
-                  of the tmpfs of <filename>/sys/fs/cgroup</filename>
+                  <option>cgroup:ro:force</option>:
+                  <!--
+                  The <option>force</option> option will cause LXC to perform
+                  the cgroup mounts for the container under all circumstances.
+                  Otherwise it is similar to <option>cgroup:ro</option>.
+                  This is mainly useful when the cgroup namespaces are enabled
+                  where LXC will normally leave mounting cgroups to the init
+                  binary of the container since it is perfectly safe to do so.
+                    -->
+                  <option>force</option> ãæå®ããã¨ãLXC ã¯ããããç¶æ³ã§ã³ã³ããã®ããã® cgroup ãã¦ã³ããå®è¡ãã¾ããããä»¥å¤ã¯ <option>cgroup:ro</option> ã¨åæ§ã§ããããã¯ä¸»ã« cgroup ååç©ºéãæå¹ãªå ´åã«ä¾¿å©ã§ãããã®å ´åã¯å®å¨ã«å®å¨ã§ãã®ã§ãLXC ã¯éå¸¸ã³ã³ããã® init ãã¤ããªã cgroup ããã¦ã³ãããã¾ã¾ã«ãã¦ããã¾ãã
                 </para>
-                -->
+              </listitem>
+
+              <listitem>
                 <para>
                   <option>cgroup:rw</option>:
+                <!--
+                  <option>cgroup:mixed</option>, but everything will be mounted
+                  read-write. Note that the paths leading up to the container's
+                  own cgroup will be writable, but will not be a cgroup
+                  filesystem but just part of the tmpfs of
+                  <filename>/sys/fs/cgroup</filename>
+                -->
                   <option>cgroup:mixed</option> ã¨åæ§ã«ãã¦ã³ãããã¾ãããå¨ã¦èª­ã¿æ¸ãå¯è½ã§ãã¦ã³ãããã¾ãã
                   ã³ã³ããèªèº«ã® cgroup ã«è³ãã¾ã§ã®ãã¹ãæ¸ãè¾¼ã¿å¯è½ã«ãªããã¨ã«æ³¨æãå¿è¦ã§ãããcgroup ãã¡ã¤ã«ã·ã¹ãã ã«ã¯ãªããã
                   <filename>/sys/fs/cgroup</filename> ã® tmpfs ã®ä¸é¨åã«ãªãã§ãããã
                 </para>
               </listitem>
+
+              <listitem>
+                <para>
+                  <option>cgroup:rw:force</option>:
+                  <!--
+                  The <option>force</option> option will cause LXC to perform
+                  the cgroup mounts for the container under all circumstances.
+                  Otherwise it is similar to <option>cgroup:rw</option>.
+                  This is mainly useful when the cgroup namespaces are enabled
+                  where LXC will normally leave mounting cgroups to the init
+                  binary of the container since it is perfectly safe to do so.
+                    -->
+                  <option>force</option> ãæå®ããã¨ãLXC ã¯ããããç¶æ³ã§ã³ã³ããã®ããã® cgroup ãã¦ã³ããå®è¡ãã¾ããããä»¥å¤ã¯ <option>cgroup:rw</option> ã¨åæ§ã§ããããã¯ä¸»ã« cgroup ååç©ºéãæå¹ãªå ´åã«ä¾¿å©ã§ãããã®å ´åã¯å®å¨ã«å®å¨ã§ãã®ã§ãLXC ã¯éå¸¸ã³ã³ããã® init ãã¤ããªã cgroup ããã¦ã³ãããã¾ã¾ã«ãã¦ããã¾ãã
+                </para>
+              </listitem>
+
               <listitem>
                 <para>
+                  <option>cgroup</option> (ãã¦ã³ããªãã·ã§ã³ãªãã®å ´å):
                   <!--
-                  <option>cgroup</option> (without specifier):
                   defaults to <option>cgroup:rw</option> if the
                   container retains the CAP_SYS_ADMIN capability,
                   <option>cgroup:mixed</option> otherwise.
                   -->
-                  <option>cgroup</option> (ãã¦ã³ããªãã·ã§ã³ãªãã®å ´å):
                   ã³ã³ããã CAP_SYS_ADMIN ã±ã¼ãããªãã£ãä¿æãã¦ããå ´åã<option>cgroup:rw</option> ã¨ãªãã¾ããä¿æãã¦ããªãå ´åã<option>cgroup:mixed</option> ã¨ãªãã¾ãã
                 </para>
               </listitem>
               <listitem>
-                <!--
                 <para>
                   <option>cgroup-full:mixed</option>:
+                <!--
                   mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
                   create directories for all hierarchies to which
                   the container is added, bind-mount the hierarchies
@@ -1586,42 +1607,35 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
                   albeit read-only outside the container's own cgroup.
                   This may leak quite a bit of information into the
                   container.
-                </para>
                 -->
-                <para>
-                  <option>cgroup-full:mixed</option>:
                   <filename>/sys/fs/cgroup</filename> ã tmpfs ã§ãã¦ã³ããããã®ã³ã³ããã®è¿½å ãè¡ãããå¨ã¦ã®éå±¤æ§é ã«å¯¾ãããã£ã¬ã¯ããªãä½è£½ãããã¹ãããã³ã³ããã¾ã§ã®éå±¤æ§é ãå¨ã¦ãã¤ã³ããã¦ã³ãããã³ã³ããèªèº«ã® cgroup ãé¤ãã¦ãªã¼ããªã³ãªã¼ã«ãã¾ãã
                   <option>cgroup</option> ã¨æ¯ã¹ãã¨ãã³ã³ããèªèº«ã® cgroup ã«è³ãã¾ã§ã®å¨ã¦ã®ãã¹ã tmpfs ã®ä¸å±¤ã®ã·ã³ãã«ãªãã£ã¬ã¯ããªã¨ãªããã³ã³ããèªèº«ã® cgroup ã®å¤ã§ã¯ãªã¼ããªã³ãªã¼ã«ãªãã¾ããã<filename>/sys/fs/cgroup/$hierarchy</filename> ã¯ãã¹ãã®å¨ã¦ã® cgroup éå±¤æ§é ãå«ã¿ã¾ãã
                   ããã«ãããã³ã³ããã«ã¯ããªãã®æå ±ãæ¼æ´©ãã¾ãã
                 </para>
               </listitem>
               <listitem>
-                <!--
                 <para>
-                  <option>cgroup-full:ro</option>: similar to
+                  <option>cgroup-full:ro</option>:
+                <!--
+                  similar to
                   <option>cgroup-full:mixed</option>, but everything
                   will be mounted read-only.
-                </para>
                 -->
-                <para>
-                  <option>cgroup-full:ro</option>:
                   <option>cgroup-full:mixed</option> ã¨åæ§ã«ãã¦ã³ãããã¾ãããå¨ã¦ãªã¼ããªã³ãªã¼ã§ãã¦ã³ãããã¾ãã
                 </para>
               </listitem>
               <listitem>
-                <!--
                 <para>
-                  <option>cgroup-full:rw</option>: similar to
+                  <option>cgroup-full:rw</option>:
+                <!--
+                  similar to
                   <option>cgroup-full:mixed</option>, but everything
                   will be mounted read-write. Note that in this case,
                   the container may escape its own cgroup. (Note also
                   that if the container has CAP_SYS_ADMIN support
                   and can mount the cgroup filesystem itself, it may
                   do so anyway.)
-                </para>
                 -->
-                <para>
-                  <option>cgroup-full:rw</option>:
                   <option>cgroup-full:mixed</option>ã¨åæ§ã«ãã¦ã³ãããã¾ãããå¨ã¦èª­ã¿æ¸ãå¯è½ã§ãã¦ã³ãããã¾ãã
                   ãã®å ´åãã³ã³ããã¯èªèº«ã® cgroup ããè±åºããå¯è½æ§ããããã¨ã«æ³¨æãã¦ãã ãã (ã³ã³ããã CAP_SYS_ADMIN ãæã¡ãèªèº«ã§ cgroup ãã¡ã¤ã«ã·ã¹ãã ããã¦ã³ãå¯è½ãªãããããã«ãããã®ããã«ãããããããªããã¨ã«ãæ³¨æãã¦ãã ãã)ã
                 </para>
