[mirror_lxc.git] / README

Please see the COPYING file for details on copying and usage.
Please refer to the INSTALL file for instructions on how to build.

What is lxc:

  The container technology is actively being pushed into the mainstream linux
  kernel. It provides the resource management through the control groups  aka
  process containers and resource isolation through the namespaces.

  The  linux  containers, lxc, aims to use these new functionalities to pro-
  vide an userspace container object which provides full  resource  isolation
  and resource control for an applications or a system.

  The first objective of this project is to make the life easier for the ker-
  nel developers involved in the containers project and  especially  to  con-
  tinue  working  on  the  Checkpoint/Restart  new features. The lxc is small
  enough to easily manage a container with simple command lines and  complete
  enough to be used for other purposes.

Using lxc:

  Refer the lxc* man pages (generated from doc/* files)

Downloading the current source code:

  Source for the latest released version can always be downloaded from
  http://linuxcontainers.org/downloads/

  You can browse the up to the minute source code and change history online.
  http://github.com/lxc/lxc

  For detailed build instruction refer to INSTALL and man lxc man page
  but a short command line should work:
  ./autogen.sh && ./configure && make && sudo make install
  preceded by ./autogen.sh if configure do not exist yet.

Troubleshooting:

  If the ./autogen.sh script shows the following message: "aclocal: not found",
  you are likely missing the "automake" package. Make sure it's installed and
  try again.

  If the ./configure script gives you the following message:
    "configure: error: Please install the libcap development files."
  you are likely missing the "libcap-dev" package.
  The configure script will usually give you hints as to what you are missing,
  looking for those in your package manager will usually give you the package
  that you need to install.

Getting help:

  when you find you need help, you can check out one of the two
  lxc mailing list archives and register if interested:
  https://lists.sourceforge.net/lists/listinfo/lxc-devel
  https://lists.sourceforge.net/lists/listinfo/lxc-users

Portability:

  lxc  is  still  in  development, so the command syntax and the API can
  change. The version 1.0.0 will be the frozen version.

  lxc is developed and tested on Linux since kernel mainline version 2.6.27
  (without network) and 2.6.29 with network isolation.
  It's compiled with gcc, and should work on most architectures as long as the
  required kernel features are available. This includes (but isn't limited to):
  i686, x86_64, ppc, ppc64, S390, armel and armhf.

AUTHOR
       Daniel Lezcano <daniel.lezcano@free.fr>

Seccomp with LXC
----------------

To restrict a container with seccomp, you must specify a profile which is
basically a whitelist of system calls it may execute.  In the container
config file, add a line like

lxc.seccomp = /var/lib/lxc/q1/seccomp.full

I created a usable (but basically worthless) seccomp.full file using

cat > seccomp.full << EOF
1
whitelist
EOF
for i in `seq 0 300`; do
    echo $i >> seccomp.full
done
for i in `seq 1024 1079`; do
    echo $i >> seccomp.full
done

 -- Serge Hallyn <serge.hallyn@ubuntu.com>  Fri, 27 Jul 2012 15:47:02 +0600
Commit	Line	Data
14a198d5 MN	1	Please see the COPYING file for details on copying and usage.
14a198d5 MN	2	Please refer to the INSTALL file for instructions on how to build.
7f989f01	3
14a198d5	4	What is lxc:
7f989f01	5
14a198d5 MN	6	The container technology is actively being pushed into the mainstream linux
	7	kernel. It provides the resource management through the control groups aka
	8	process containers and resource isolation through the namespaces.
7f989f01	9
e54d6cce	10	The linux containers, lxc, aims to use these new functionalities to pro-
14a198d5 MN	11	vide an userspace container object which provides full resource isolation
14a198d5 MN	12	and resource control for an applications or a system.
7f989f01	13
14a198d5 MN	14	The first objective of this project is to make the life easier for the ker-
	15	nel developers involved in the containers project and especially to con-
	16	tinue working on the Checkpoint/Restart new features. The lxc is small
	17	enough to easily manage a container with simple command lines and complete
	18	enough to be used for other purposes.
7f989f01	19
14a198d5	20	Using lxc:
7f989f01	21
14a198d5	22	Refer the lxc* man pages (generated from doc/* files)
7f989f01	23
14a198d5	24	Downloading the current source code:
7f989f01	25
14a198d5	26	Source for the latest released version can always be downloaded from
07520b2a	27	http://linuxcontainers.org/downloads/
5e97c3fc	28
14a198d5	29	You can browse the up to the minute source code and change history online.
e1483a02 SG	30	http://github.com/lxc/lxc
e1483a02 SG	31
14a198d5 MN	32	For detailed build instruction refer to INSTALL and man lxc man page
14a198d5 MN	33	but a short command line should work:
113c39bf	34	./autogen.sh && ./configure && make && sudo make install
14a198d5	35	preceded by ./autogen.sh if configure do not exist yet.
7f989f01	36
c5427d7d AW	37	Troubleshooting:
	38
	39	If the ./autogen.sh script shows the following message: "aclocal: not found",
	40	you are likely missing the "automake" package. Make sure it's installed and
	41	try again.
	42
	43	If the ./configure script gives you the following message:
	44	"configure: error: Please install the libcap development files."
	45	you are likely missing the "libcap-dev" package.
	46	The configure script will usually give you hints as to what you are missing,
	47	looking for those in your package manager will usually give you the package
	48	that you need to install.
	49
14a198d5	50	Getting help:
7f989f01	51
14a198d5 MN	52	when you find you need help, you can check out one of the two
	53	lxc mailing list archives and register if interested:
	54	https://lists.sourceforge.net/lists/listinfo/lxc-devel
	55	https://lists.sourceforge.net/lists/listinfo/lxc-users
7f989f01	56
14a198d5	57	Portability:
7f989f01	58
14a198d5 MN	59	lxc is still in development, so the command syntax and the API can
14a198d5 MN	60	change. The version 1.0.0 will be the frozen version.
7f989f01	61
14a198d5 MN	62	lxc is developed and tested on Linux since kernel mainline version 2.6.27
14a198d5 MN	63	(without network) and 2.6.29 with network isolation.
e1483a02 SG	64	It's compiled with gcc, and should work on most architectures as long as the
	65	required kernel features are available. This includes (but isn't limited to):
	66	i686, x86_64, ppc, ppc64, S390, armel and armhf.
5e97c3fc	67
7f989f01	68	AUTHOR
7f989f01	69	Daniel Lezcano <daniel.lezcano@free.fr>
8f2c3a70 SH	70
	71	Seccomp with LXC
	72	----------------
	73
	74	To restrict a container with seccomp, you must specify a profile which is
	75	basically a whitelist of system calls it may execute. In the container
	76	config file, add a line like
	77
	78	lxc.seccomp = /var/lib/lxc/q1/seccomp.full
	79
	80	I created a usable (but basically worthless) seccomp.full file using
	81
	82	cat > seccomp.full << EOF
	83	1
	84	whitelist
	85	EOF
	86	for i in `seq 0 300`; do
a02264fb	87	echo $i >> seccomp.full
8f2c3a70 SH	88	done
8f2c3a70 SH	89	for i in `seq 1024 1079`; do
14d9c0f0	90	echo $i >> seccomp.full
8f2c3a70 SH	91	done
	92
	93	-- Serge Hallyn <serge.hallyn@ubuntu.com> Fri, 27 Jul 2012 15:47:02 +0600