[mirror_lxc.git] / README

Please see the COPYING file for details on copying and usage.
Please refer to the INSTALL file for instructions on how to build.

What is lxc:

  The container technology is actively being pushed into the mainstream linux
  kernel. It provides the resource management through the control groups  aka
  process containers and resource isolation through the namespaces.

  The  linux  containers, lxc, aims to use these new functionalities to pro-
  vide an userspace container object which provides full  resource  isolation
  and resource control for an applications or a system.

  The first objective of this project is to make the life easier for the ker-
  nel developers involved in the containers project and  especially  to  con-
  tinue  working  on  the  Checkpoint/Restart  new features. The lxc is small
  enough to easily manage a container with simple command lines and  complete
  enough to be used for other purposes.

Using lxc:

  Refer the lxc* man pages (generated from doc/* files)

Downloading the current source code:

  Source for the latest released version can always be downloaded from
  http://lxc.sourceforge.net/download/lxc

  You can browse the up to the minute source code and change history online.
  http://lxc.git.sourceforge.net

  For an even more bleeding edge experience, you may want to look at the
  staging branch where all changes aimed at the next release land before
  getting pulled into the master branch.
  http://github.com/lxc/lxc

  For detailed build instruction refer to INSTALL and man lxc man page
  but a short command line should work:
  ./autogen.sh && ./configure && make && sudo make install && sudo lxc-setcap
  preceded by ./autogen.sh if configure do not exist yet.

Getting help:

  when you find you need help, you can check out one of the two
  lxc mailing list archives and register if interested:
  https://lists.sourceforge.net/lists/listinfo/lxc-devel
  https://lists.sourceforge.net/lists/listinfo/lxc-users

Portability:

  lxc  is  still  in  development, so the command syntax and the API can
  change. The version 1.0.0 will be the frozen version.

  lxc is developed and tested on Linux since kernel mainline version 2.6.27
  (without network) and 2.6.29 with network isolation.
  It's compiled with gcc, and should work on most architectures as long as the
  required kernel features are available. This includes (but isn't limited to):
  i686, x86_64, ppc, ppc64, S390, armel and armhf.

AUTHOR
       Daniel Lezcano <daniel.lezcano@free.fr>

Seccomp with LXC
----------------

To restrict a container with seccomp, you must specify a profile which is
basically a whitelist of system calls it may execute.  In the container
config file, add a line like

lxc.seccomp = /var/lib/lxc/q1/seccomp.full

I created a usable (but basically worthless) seccomp.full file using

cat > seccomp.full << EOF
1
whitelist
EOF
for i in `seq 0 300`; do
    echo $i >> secomp.full
done
for i in `seq 1024 1079`; do
    echo $i >> seccomp.full
done

 -- Serge Hallyn <serge.hallyn@ubuntu.com>  Fri, 27 Jul 2012 15:47:02 +0600
Commit	Line	Data
14a198d5 MN	1	Please see the COPYING file for details on copying and usage.
14a198d5 MN	2	Please refer to the INSTALL file for instructions on how to build.
7f989f01	3
14a198d5	4	What is lxc:
7f989f01	5
14a198d5 MN	6	The container technology is actively being pushed into the mainstream linux
	7	kernel. It provides the resource management through the control groups aka
	8	process containers and resource isolation through the namespaces.
7f989f01	9
e54d6cce	10	The linux containers, lxc, aims to use these new functionalities to pro-
14a198d5 MN	11	vide an userspace container object which provides full resource isolation
14a198d5 MN	12	and resource control for an applications or a system.
7f989f01	13
14a198d5 MN	14	The first objective of this project is to make the life easier for the ker-
	15	nel developers involved in the containers project and especially to con-
	16	tinue working on the Checkpoint/Restart new features. The lxc is small
	17	enough to easily manage a container with simple command lines and complete
	18	enough to be used for other purposes.
7f989f01	19
14a198d5	20	Using lxc:
7f989f01	21
14a198d5	22	Refer the lxc* man pages (generated from doc/* files)
7f989f01	23
14a198d5	24	Downloading the current source code:
7f989f01	25
14a198d5 MN	26	Source for the latest released version can always be downloaded from
14a198d5 MN	27	http://lxc.sourceforge.net/download/lxc
5e97c3fc	28
14a198d5 MN	29	You can browse the up to the minute source code and change history online.
14a198d5 MN	30	http://lxc.git.sourceforge.net
7f989f01	31
e1483a02 SG	32	For an even more bleeding edge experience, you may want to look at the
	33	staging branch where all changes aimed at the next release land before
	34	getting pulled into the master branch.
	35	http://github.com/lxc/lxc
	36
14a198d5 MN	37	For detailed build instruction refer to INSTALL and man lxc man page
14a198d5 MN	38	but a short command line should work:
e54d6cce	39	./autogen.sh && ./configure && make && sudo make install && sudo lxc-setcap
14a198d5	40	preceded by ./autogen.sh if configure do not exist yet.
7f989f01	41
14a198d5	42	Getting help:
7f989f01	43
14a198d5 MN	44	when you find you need help, you can check out one of the two
	45	lxc mailing list archives and register if interested:
	46	https://lists.sourceforge.net/lists/listinfo/lxc-devel
	47	https://lists.sourceforge.net/lists/listinfo/lxc-users
7f989f01	48
14a198d5	49	Portability:
7f989f01	50
14a198d5 MN	51	lxc is still in development, so the command syntax and the API can
14a198d5 MN	52	change. The version 1.0.0 will be the frozen version.
7f989f01	53
14a198d5 MN	54	lxc is developed and tested on Linux since kernel mainline version 2.6.27
14a198d5 MN	55	(without network) and 2.6.29 with network isolation.
e1483a02 SG	56	It's compiled with gcc, and should work on most architectures as long as the
	57	required kernel features are available. This includes (but isn't limited to):
	58	i686, x86_64, ppc, ppc64, S390, armel and armhf.
5e97c3fc	59
7f989f01	60	AUTHOR
7f989f01	61	Daniel Lezcano <daniel.lezcano@free.fr>
8f2c3a70 SH	62
	63	Seccomp with LXC
	64	----------------
	65
	66	To restrict a container with seccomp, you must specify a profile which is
	67	basically a whitelist of system calls it may execute. In the container
	68	config file, add a line like
	69
	70	lxc.seccomp = /var/lib/lxc/q1/seccomp.full
	71
	72	I created a usable (but basically worthless) seccomp.full file using
	73
	74	cat > seccomp.full << EOF
	75	1
	76	whitelist
	77	EOF
	78	for i in `seq 0 300`; do
14d9c0f0	79	echo $i >> secomp.full
8f2c3a70 SH	80	done
8f2c3a70 SH	81	for i in `seq 1024 1079`; do
14d9c0f0	82	echo $i >> seccomp.full
8f2c3a70 SH	83	done
	84
	85	-- Serge Hallyn <serge.hallyn@ubuntu.com> Fri, 27 Jul 2012 15:47:02 +0600