lxc: linux Container library
(C) Copyright IBM Corp. 2007, 2008
Daniel Lezcano <daniel.lezcano at free.fr>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Translated into Korean
by Sungbae Yoo <sungbae.yoo at samsung.com>
<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
<docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
<refnamediv>
<refname>lxc-attach</refname>
<refpurpose>
start a process inside a running container.
</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>lxc-attach</command>
<arg choice="req">-n, --name <replaceable>name</replaceable></arg>
<arg choice="opt">-f, --rcfile <replaceable>config_file</replaceable></arg>
<arg choice="opt">-a, --arch <replaceable>arch</replaceable></arg>
<arg choice="opt">-e, --elevated-privileges <replaceable>privileges</replaceable></arg>
<arg choice="opt">-s, --namespaces <replaceable>namespaces</replaceable></arg>
<arg choice="opt">-L, --pty-log <replaceable>file</replaceable></arg>
<arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>
<arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>
<arg choice="opt">-- <replaceable>command</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
<command>lxc-attach</command> runs the specified
<replaceable>command</replaceable> inside the container
specified by <replaceable>name</replaceable>. The container
has to be running already.

If no <replaceable>command</replaceable> is specified, the
current default shell of the user running
<command>lxc-attach</command> will be looked up inside the
container and executed. This will fail if no such user exists
inside the container or the container does not have a working
nsswitch mechanism.
Previous versions of <command>lxc-attach</command> simply attached to the
specified namespaces of a container and ran a shell or the specified command
without first allocating a pseudo terminal. This made them vulnerable to
input faking via a TIOCSTI <command>ioctl</command> call after switching
between userspace execution contexts with different privilege levels. Newer
versions of <command>lxc-attach</command> will try to allocate a pseudo
terminal master/slave pair on the host and attach any standard file
descriptors which refer to a terminal to the slave side of the pseudo
terminal before executing a shell or command. Note that if none of the
standard file descriptors refer to a terminal, <command>lxc-attach</command>
will not try to allocate a pseudo terminal. Instead it will simply attach
to the container's namespaces and run a shell or the specified command.
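The allocation rule just described (interpose a pty only when at least one standard file descriptor is a terminal, and attach exactly those descriptors to the slave side) can be modelled in a few lines of Python. The following is an added example written for this page, not code from lxc-attach itself: terminal_fds, spawn_with_pty and run_attached are hypothetical helper names, the relay loop is deliberately minimal (a real attach would also switch the caller's terminal to raw mode and make the slave the child's controlling terminal), and the only boundary it models is the one between the caller's own terminal and the freshly allocated pty.

```python
import os
import select
import subprocess

STD_FDS = (0, 1, 2)


def terminal_fds(fds=STD_FDS):
    """Return the subset of the given standard fds that refer to a terminal."""
    return tuple(fd for fd in fds if os.isatty(fd))


def spawn_with_pty(argv, tty_fds):
    """Run argv with every terminal-backed standard fd redirected to the slave
    side of a freshly allocated pty. The child never inherits the caller's own
    terminal, so a TIOCSTI ioctl issued on the child's terminal lands on the new
    pty rather than on the caller's. Bytes are relayed in both directions so the
    session stays usable. Returns (exit status, bytes the child wrote to the pty).
    """
    master, slave = os.openpty()
    names = {0: "stdin", 1: "stdout", 2: "stderr"}
    redirect = {names[fd]: slave for fd in tty_fds}  # only tty-backed fds move
    child = subprocess.Popen(argv, start_new_session=True, **redirect)
    os.close(slave)  # the parent keeps only the master end
    captured = []
    watched = [master] + ([0] if 0 in tty_fds else [])
    while True:
        readable, _, _ = select.select(watched, [], [])
        if master in readable:
            try:
                data = os.read(master, 4096)
            except OSError:  # EIO on Linux once the child has closed the slave
                break
            if not data:
                break
            captured.append(data)
            os.write(1, data)  # echo live to the caller
        if 0 in readable:
            keys = os.read(0, 4096)
            if keys:
                os.write(master, keys)  # relay the caller's keystrokes to the child
            else:
                watched.remove(0)  # caller's input hit EOF; stop polling it
    os.close(master)
    return child.wait(), b"".join(captured)


def run_attached(argv, fds=STD_FDS):
    """Apply the documented rule: interpose a pty only when at least one of the
    standard fds is a terminal; otherwise run the command on the existing fds."""
    tty_fds = terminal_fds(fds)
    if not tty_fds:
        proc = subprocess.run(argv, capture_output=True)
        return {"pty": False, "status": proc.returncode, "output": proc.stdout}
    status, output = spawn_with_pty(argv, tty_fds)
    return {"pty": True, "status": status, "output": output}


if __name__ == "__main__":
    # From an interactive terminal `tty` reports the new pty; from a pipe it does not.
    result = run_attached(["/bin/sh", "-c", "tty; echo done"])
    print("pty allocated:", result["pty"], "exit status:", result["status"])
```

Passing fds=() forces the no-terminal path, which is what the verifier (and any cron or CI job) sees; the pty path is exercised whenever the caller is sitting at a real terminal.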
<variablelist>
<varlistentry>
<option>-f, --rcfile <replaceable>config_file</replaceable></option>
Specify the configuration file to configure the virtualization
and isolation functionalities for the container.

This configuration file, if present, will be used even if there is
already a configuration file present in the previously created
container (via lxc-create).
</varlistentry>
<varlistentry>
<option>-a, --arch <replaceable>arch</replaceable></option>
Specify the architecture which the kernel should appear to be
running as to the command executed. This option accepts the
same settings as the <option>lxc.arch</option> option in
container configuration files, see
<citerefentry>
<refentrytitle><filename>lxc.conf</filename></refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry>. By default, the current architecture of the
running container will be used.
</varlistentry>
<varlistentry>
<option>-e, --elevated-privileges <replaceable>privileges</replaceable></option>
Do not drop privileges when running
<replaceable>command</replaceable> inside the container. If
this option is specified, the new process will
<emphasis>not</emphasis> be added to the container's cgroup(s)
and it will not drop its capabilities before executing.

You may specify privileges, in case you do not want to elevate all of
them, as a pipe-separated list, e.g.
<replaceable>CGROUP|LSM</replaceable>. Allowed values are
<replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
<replaceable>LSM</replaceable>, representing the cgroup, capability and
LSM (MAC label) restrictions respectively. (The pipe symbol needs to be escaped,
e.g. <replaceable>CGROUP\|LSM</replaceable>, or quoted, e.g.
<replaceable>"CGROUP|LSM"</replaceable>.)

<emphasis>Warning:</emphasis> This may leak privileges into the
container if the command starts subprocesses that remain active
after the main process that was attached has terminated. The
(re-)starting of daemons inside the container is problematic,
especially if the daemon starts a lot of subprocesses, such as
<command>cron</command> or <command>sshd</command>.
<emphasis>Use with great care.</emphasis>
</varlistentry>
<varlistentry>
<option>-s, --namespaces <replaceable>namespaces</replaceable></option>
Specify the namespaces to attach to, as a pipe-separated list,
e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
<replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
<replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
<replaceable>USER</replaceable> and
<replaceable>NETWORK</replaceable>. This allows one to change
the context of the process to e.g. the network namespace of the
container while retaining the other namespaces as those of the
host. (The pipe symbol needs to be escaped, e.g.
<replaceable>MOUNT\|PID</replaceable>, or quoted, e.g.
<replaceable>"MOUNT|PID"</replaceable>.)

<emphasis>Important:</emphasis> This option implies
<option>-e</option>.
</varlistentry>
<varlistentry>
<option>-R, --remount-sys-proc</option>
When using <option>-s</option> and the mount namespace is not
included, this flag will cause <command>lxc-attach</command>
to remount <replaceable>/proc</replaceable> and
<replaceable>/sys</replaceable> to reflect the current other
namespace contexts.

Please see the <emphasis>Notes</emphasis> section for more

This option will be ignored if one tries to attach to the
mount namespace anyway.
</varlistentry>
<varlistentry>
<option>--keep-env</option>
Keep the current environment for attached programs. This is
the current default behaviour (as of version 0.9), but is
likely to change in the future, since this may leak
undesirable information into the container. If you rely on
the environment being available for the attached program,
please use this option to be future-proof. In addition to the
current environment variables, container=lxc will be set.
</varlistentry>
<varlistentry>
<option>--clear-env</option>
Clear the environment before attaching, so no undesired
environment variables leak into the container. The variable
container=lxc will be the only environment variable with which the
attached program starts.
</varlistentry>
<varlistentry>
<option>-L, --pty-log <replaceable>file</replaceable></option>
Specify a file to which the output of <command>lxc-attach</command> will be
logged.

<emphasis>Important:</emphasis> When a standard file descriptor
does not refer to a pty, output produced on it will not be logged.
</varlistentry>
<varlistentry>
<option>-v, --set-var <replaceable>variable</replaceable></option>
Set an additional environment variable that is seen by the
attached program in the container. It is specified in the
form "VAR=VALUE", and can be specified multiple times.
</varlistentry>
<varlistentry>
<option>--keep-var <replaceable>variable</replaceable></option>
Keep a specified environment variable. It can only be
specified in conjunction with <option>--clear-env</option>, and can be
specified multiple times.
</varlistentry>
</variablelist>
&commonoptions;
To spawn a new shell running inside an existing container, use
<programlisting>
lxc-attach -n container
</programlisting>

To restart the cron service of a running Debian container, use
<programlisting>
lxc-attach -n container -- /etc/init.d/cron restart
</programlisting>

To deactivate the network link eth1 of a running container that
does not have the NET_ADMIN capability, use the
<option>-e</option> option to run with increased capabilities,
assuming the <command>ip</command> tool is installed:
<programlisting>
lxc-attach -n container -e -- /sbin/ip link delete eth1
</programlisting>
Attaching completely (including the pid and mount namespaces) to a
container requires a kernel of version 3.8 or higher, or a
patched kernel; please see the lxc website for
details. <command>lxc-attach</command> will fail in that case if
used with an unpatched kernel of version 3.7 or prior.

Nevertheless, it will succeed on an unpatched kernel of version 3.0
or higher if the <option>-s</option> option is used to restrict the
namespaces that the process is to be attached to to one or more of
<replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
and <replaceable>UTSNAME</replaceable>.

Attaching to user namespaces is supported by kernel 3.8 or higher
with user namespaces enabled.
The Linux <replaceable>/proc</replaceable> and
<replaceable>/sys</replaceable> filesystems contain information
about some quantities that are affected by namespaces, such as
the directories named after process ids in
<replaceable>/proc</replaceable> or the network interface information
in <replaceable>/sys/class/net</replaceable>. The namespace of the
process mounting the pseudo-filesystems determines what information
is shown, <emphasis>not</emphasis> the namespace of the process
accessing <replaceable>/proc</replaceable> or
<replaceable>/sys</replaceable>.

If one uses the <option>-s</option> option to only attach to
the pid namespace of a container, but not its mount namespace
(which will contain the <replaceable>/proc</replaceable> of the
container and not the host), the contents of <replaceable>/proc</replaceable>
will reflect that of the host and not the container. Analogously,
the same issue occurs when reading the contents of
<replaceable>/sys/class/net</replaceable> and attaching to just
the network namespace.

To work around this problem, the <option>-R</option> flag provides
the option to remount <replaceable>/proc</replaceable> and
<replaceable>/sys</replaceable> in order for them to reflect the
network/pid namespace context of the attached process. In order
not to interfere with the host's actual filesystem, the mount
namespace will be unshared (like <command>lxc-unshare</command>
does) before this is done, essentially giving the process a new
mount namespace, which is identical to the host's mount namespace
except for the <replaceable>/proc</replaceable> and
<replaceable>/sys</replaceable> filesystems.
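Because the -e and -s values are pipe-separated, the escaping note in the option descriptions matters only when the command line passes through a shell; building the argument vector directly avoids the problem and lets a wrapper enforce the documented rules (only the listed tokens, -s implying -e, -R being ignored when MOUNT is attached, --keep-var requiring --clear-env). The following Python is an added example for this page, not part of lxc-attach: build_attach_argv, attached_environment and proc_reflects_caller_pidns are hypothetical helper names; the environment model follows the --keep-env, --clear-env, --keep-var and -v descriptions above; and the last function is a runtime check for the /proc mismatch described in this section (it compares the pid that /proc/self resolves to with getpid()). The long --flag=value form is emitted so that each value binds to its flag regardless of whether getopt treats the flag's argument as optional.

```python
import os

# Token sets exactly as documented for --elevated-privileges and --namespaces.
PRIVILEGES = {"CGROUP", "CAP", "LSM"}
NAMESPACES = {"MOUNT", "PID", "UTSNAME", "IPC", "USER", "NETWORK"}


def _joined(tokens, allowed, flag):
    """Validate tokens against the documented set and join them with '|'."""
    unknown = sorted(set(tokens) - allowed)
    if unknown:
        raise ValueError(f"{flag}: unknown value(s) {unknown}, allowed: {sorted(allowed)}")
    return "|".join(tokens)


def build_attach_argv(name, command=(), elevated_privileges=None, namespaces=None,
                      remount_sys_proc=False, clear_env=False, keep_vars=(), set_vars=()):
    """Return (argv, warnings) for one lxc-attach invocation.

    argv is meant for an exec-style call (subprocess.run(argv) without shell=True),
    so the '|' separator never reaches a shell and needs no escaping or quoting.
    elevated_privileges: None = drop privileges, True = keep all, or a token list.
    """
    argv = ["lxc-attach", "-n", name]
    warnings = []
    if elevated_privileges is True:
        argv.append("--elevated-privileges")
    elif elevated_privileges:
        argv.append("--elevated-privileges=" + _joined(elevated_privileges, PRIVILEGES, "-e"))
    if namespaces is not None:
        argv.append("--namespaces=" + _joined(namespaces, NAMESPACES, "-s"))
        warnings.append("-s implies -e: the attached process keeps its privileges")
        if "MOUNT" in namespaces:
            if remount_sys_proc:
                warnings.append("-R ignored: the mount namespace is being attached")
        elif remount_sys_proc:
            argv.append("-R")
        elif {"PID", "NETWORK"} & set(namespaces):
            warnings.append("/proc and /sys will show the host's view; consider -R")
    elif remount_sys_proc:
        warnings.append("-R ignored: without -s all namespaces, including MOUNT, are attached")
    if clear_env:
        argv.append("--clear-env")
        for var in keep_vars:
            argv += ["--keep-var", var]
    elif keep_vars:
        raise ValueError("--keep-var is only valid together with --clear-env")
    for assignment in set_vars:
        if "=" not in assignment:
            raise ValueError(f"-v expects VAR=VALUE, got {assignment!r}")
        argv += ["-v", assignment]
    if command:
        argv += ["--", *list(command)]
    return argv, warnings


def attached_environment(current_env, clear_env=False, keep_vars=(), set_vars=()):
    """Model of the environment the attached program starts with: --clear-env keeps
    only container=lxc plus --keep-var names, --keep-env keeps everything, and -v
    assignments are applied last in both cases."""
    env = {} if clear_env else dict(current_env)
    env["container"] = "lxc"
    if clear_env:
        for var in keep_vars:
            if var in current_env:
                env[var] = current_env[var]
    for assignment in set_vars:
        key, value = assignment.split("=", 1)
        env[key] = value
    return env


def proc_reflects_caller_pidns():
    """True when the mounted /proc belongs to the caller's pid namespace: /proc/self
    then resolves to the number getpid() returns. After attaching with -s PID but
    without MOUNT (and without -R) the host's /proc is still the one visible, so the
    numbers differ or /proc/self does not resolve at all."""
    try:
        return int(os.readlink("/proc/self")) == os.getpid()
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    argv, warnings = build_attach_argv("web", ["ip", "link"], namespaces=["NETWORK", "IPC"])
    print(argv)
    for w in warnings:
        print("warning:", w)
    print(attached_environment(os.environ, clear_env=True, keep_vars=["TERM"], set_vars=["DEBUG=1"]))
    print("/proc matches this pid namespace:", proc_reflects_caller_pidns())
```

Running the check from inside a process attached with -s PID (no MOUNT, no -R) is the quickest way to confirm whether tools that read /proc, such as ps, are about to report the host's process table rather than the container's.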
Previous versions of <command>lxc-attach</command> suffered from a bug whereby
a user could attach to a container's namespaces without being placed in a
writeable cgroup for some critical subsystems. Newer versions of
<command>lxc-attach</command> will check whether the user is in a writeable
cgroup for those critical subsystems. <command>lxc-attach</command> might
thus fail unexpectedly for some users (e.g. on systems where an
unprivileged user is not placed in a writeable cgroup for critical
subsystems on login). However, this behavior is correct and more secure.
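The warning under -e (privileges leaking through subprocesses that outlive the attach) and the cgroup placement check just described come down to one observable condition: a process started with elevated privileges shares the container's pid namespace but sits outside the container's cgroup, and may hold capabilities that the container's init does not. The audit below is an added example for this page, not lxc's own code: find_leaked, read_proc_snapshot and cap_names are hypothetical helpers, SAMPLE_PROC is a constructed /proc snapshot (pids, namespace ids, cgroup paths and capability masks are made up; the CAP_NET_ADMIN and CAP_SYS_ADMIN bit numbers are the kernel's), and read_proc_snapshot shows how to gather the same fields from a live /proc.

```python
import os

# Capability bit numbers from the kernel's linux/capability.h (only the two this
# example names; any other bit is reported numerically).
CAP_BITS = {"CAP_NET_ADMIN": 12, "CAP_SYS_ADMIN": 21}
FULL_CAPS = (1 << 41) - 1  # constructed "every bit set" mask for the sample

# Constructed /proc snapshot: hypothetical pids, namespace ids and cgroup paths.
# 900 is the container's init; 4242 was started with `lxc-attach -e` and outlived it.
_CONTAINER_CAPS = FULL_CAPS & ~(1 << CAP_BITS["CAP_NET_ADMIN"])
SAMPLE_PROC = {
    1:    {"comm": "systemd", "pidns": "pid:[4026531836]", "cgroup": "/", "capeff": FULL_CAPS},
    900:  {"comm": "init", "pidns": "pid:[4026532207]", "cgroup": "/lxc.payload.web",
           "capeff": _CONTAINER_CAPS},
    950:  {"comm": "sshd", "pidns": "pid:[4026532207]",
           "cgroup": "/lxc.payload.web/system.slice", "capeff": _CONTAINER_CAPS},
    4242: {"comm": "cron", "pidns": "pid:[4026532207]",
           "cgroup": "/user.slice/user-1000.slice", "capeff": FULL_CAPS},
}


def cap_names(mask):
    """Name the set bits of a capability mask; unknown bits become cap_<n>."""
    by_bit = {bit: name for name, bit in CAP_BITS.items()}
    return [by_bit.get(bit, f"cap_{bit}") for bit in range(64) if mask & (1 << bit)]


def find_leaked(snapshot, container_init_pid):
    """Report processes in the container's pid namespace that are outside the
    container's cgroup or carry effective capabilities its init lacks. Returns a
    list of (pid, comm, reasons)."""
    init = snapshot[container_init_pid]
    base = init["cgroup"].rstrip("/")
    findings = []
    for pid, info in sorted(snapshot.items()):
        if pid == container_init_pid or info["pidns"] != init["pidns"]:
            continue
        reasons = []
        inside = info["cgroup"] == base or info["cgroup"].startswith(base + "/")
        if not inside:
            reasons.append(f"cgroup {info['cgroup']} is outside {init['cgroup']}")
        extra = info["capeff"] & ~init["capeff"]
        if extra:
            reasons.append("effective capabilities beyond init: " + ",".join(cap_names(extra)))
        if reasons:
            findings.append((pid, info["comm"], reasons))
    return findings


def read_proc_snapshot(proc="/proc"):
    """Collect the same fields from a live /proc. The cgroup path is taken from
    the first line of /proc/<pid>/cgroup ('0::/path' on cgroup v2, the first
    hierarchy on v1); entries that disappear or are unreadable are skipped."""
    snapshot = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            pidns = os.readlink(os.path.join(base, "ns", "pid"))
            with open(os.path.join(base, "cgroup")) as f:
                cgroup = f.readline().strip().split(":", 2)[2]
            comm, capeff = "", 0
            with open(os.path.join(base, "status")) as f:
                for line in f:
                    if line.startswith("Name:"):
                        comm = line.split(None, 1)[1].strip()
                    elif line.startswith("CapEff:"):
                        capeff = int(line.split()[1], 16)
        except (OSError, IndexError):
            continue
        snapshot[int(entry)] = {"comm": comm, "pidns": pidns, "cgroup": cgroup, "capeff": capeff}
    return snapshot


if __name__ == "__main__":
    for pid, comm, reasons in find_leaked(SAMPLE_PROC, 900):
        print(f"pid {pid} ({comm}):")
        for reason in reasons:
            print("  -", reason)
```

On a real host, pass read_proc_snapshot() and the pid of the container's init (as seen from the host) to find_leaked; anything it reports after an attach session has ended is a candidate for the privilege leak the -e warning describes.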
The <option>-e</option> and <option>-s</option> options should
be used with care, as they may break the isolation of the containers
if used improperly.
<para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
<!-- Keep this comment at the end of the file
Local variables:
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil