]>
Commit | Line | Data |
---|---|---|
49ee6cdc CS |
1 | <!-- |
2 | ||
3 | lxc: linux Container library | |
4 | ||
5 | (C) Copyright IBM Corp. 2007, 2008 | |
6 | ||
7 | Authors: | |
9afe19d6 | 8 | Daniel Lezcano <daniel.lezcano at free.fr> |
49ee6cdc CS |
9 | |
10 | This library is free software; you can redistribute it and/or | |
11 | modify it under the terms of the GNU Lesser General Public | |
12 | License as published by the Free Software Foundation; either | |
13 | version 2.1 of the License, or (at your option) any later version. | |
14 | ||
15 | This library is distributed in the hope that it will be useful, | |
16 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
19 | ||
20 | You should have received a copy of the GNU Lesser General Public | |
21 | License along with this library; if not, write to the Free Software | |
250b1eec | 22 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
49ee6cdc CS |
23 | |
24 | --> | |
25 | ||
4d69b293 | 26 | |
7f951458 | 27 | <!DOCTYPE refentry PUBLIC @docdtd@ [ |
49ee6cdc CS |
28 | |
29 | <!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml"> | |
30 | <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml"> | |
31 | ]> | |
32 | ||
33 | <refentry> | |
34 | ||
35 | <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo> | |
36 | ||
37 | <refmeta> | |
38 | <refentrytitle>lxc-attach</refentrytitle> | |
39 | <manvolnum>1</manvolnum> | |
40 | </refmeta> | |
41 | ||
42 | <refnamediv> | |
43 | <refname>lxc-attach</refname> | |
44 | ||
45 | <refpurpose> | |
46 | start a process inside a running container. | |
47 | </refpurpose> | |
48 | </refnamediv> | |
49 | ||
50 | <refsynopsisdiv> | |
b4578c5b DE |
51 | <cmdsynopsis> |
52 | <command>lxc-attach</command> | |
03b03982 KY |
53 | <arg choice="req">-n, --name <replaceable>name</replaceable></arg> |
54 | <arg choice="opt">-f, --rcfile <replaceable>config_file</replaceable></arg> | |
55 | <arg choice="opt">-a, --arch <replaceable>arch</replaceable></arg> | |
56 | <arg choice="opt">-e, --elevated-privileges <replaceable>privileges</replaceable></arg> | |
57 | <arg choice="opt">-s, --namespaces <replaceable>namespaces</replaceable></arg> | |
58 | <arg choice="opt">-R, --remount-sys-proc</arg> | |
799f96fd CS |
59 | <arg choice="opt">--keep-env</arg> |
60 | <arg choice="opt">--clear-env</arg> | |
03b03982 KY |
61 | <arg choice="opt">-L, --pty-log <replaceable>file</replaceable></arg> |
62 | <arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg> | |
63 | <arg choice="opt">--keep-var <replaceable>variable</replaceable></arg> | |
b4578c5b DE |
64 | <arg choice="opt">-- <replaceable>command</replaceable></arg> |
65 | </cmdsynopsis> | |
49ee6cdc CS |
66 | </refsynopsisdiv> |
67 | ||
68 | <refsect1> | |
69 | <title>Description</title> | |
70 | ||
71 | <para> | |
72 | <command>lxc-attach</command> runs the specified | |
73 | <replaceable>command</replaceable> inside the container | |
74 | specified by <replaceable>name</replaceable>. The container | |
75 | has to be running already. | |
76 | </para> | |
77 | <para> | |
78 | If no <replaceable>command</replaceable> is specified, the | |
79 | current default shell of the user running | |
80 | <command>lxc-attach</command> will be looked up inside the | |
81 | container and executed. This will fail if no such user exists | |
82 | inside the container or the container does not have a working | |
83 | nsswitch mechanism. | |
84 | </para> | |
e986ea3d CB |
85 | <para> |
86 | Previous versions of <command>lxc-attach</command> simply attached to the | |
478dda76 CB |
87 | specified namespaces of a container and ran a shell or the specified command |
88 | without first allocating a pseudo terminal. This made them vulnerable to | |
e986ea3d | 89 | input faking via a TIOCSTI <command>ioctl</command> call after switching |
02e5d92b | 90 | between userspace execution contexts with different privilege levels. Newer |
e986ea3d | 91 | versions of <command>lxc-attach</command> will try to allocate a pseudo |
478dda76 CB |
92 | terminal master/slave pair on the host and attach any standard file |
93 | descriptors which refer to a terminal to the slave side of the pseudo | |
94 | terminal before executing a shell or command. Note, that if none of the | |
95 | standard file descriptors refer to a terminal <command>lxc-attach</command> | |
96 | will not try to allocate a pseudo terminal. Instead it will simply attach | |
97 | to the containers namespaces and run a shell or the specified command. | |
e986ea3d | 98 | </para> |
49ee6cdc CS |
99 | |
100 | </refsect1> | |
101 | ||
102 | <refsect1> | |
103 | ||
104 | <title>Options</title> | |
105 | ||
106 | <variablelist> | |
107 | ||
03b03982 KY |
108 | <varlistentry> |
109 | <term> | |
110 | <option>-f, --rcfile <replaceable>config_file</replaceable></option> | |
111 | </term> | |
112 | <listitem> | |
113 | <para> | |
114 | Specify the configuration file to configure the virtualization | |
115 | and isolation functionalities for the container. | |
116 | </para> | |
117 | <para> | |
118 | This configuration file if present will be used even if there is | |
119 | already a configuration file present in the previously created | |
120 | container (via lxc-create). | |
121 | </para> | |
122 | </listitem> | |
123 | </varlistentry> | |
124 | ||
49ee6cdc CS |
125 | <varlistentry> |
126 | <term> | |
127 | <option>-a, --arch <replaceable>arch</replaceable></option> | |
128 | </term> | |
129 | <listitem> | |
130 | <para> | |
131 | Specify the architecture which the kernel should appear to be | |
132 | running as to the command executed. This option will accept the | |
133 | same settings as the <option>lxc.arch</option> option in | |
134 | container configuration files, see | |
135 | <citerefentry> | |
136 | <refentrytitle><filename>lxc.conf</filename></refentrytitle> | |
137 | <manvolnum>5</manvolnum> | |
138 | </citerefentry>. By default, the current archictecture of the | |
139 | running container will be used. | |
140 | </para> | |
141 | </listitem> | |
142 | </varlistentry> | |
143 | ||
144 | <varlistentry> | |
145 | <term> | |
4d69b293 NK |
146 | <option> |
147 | -e, --elevated-privileges <replaceable>privileges</replaceable> | |
148 | </option> | |
49ee6cdc CS |
149 | </term> |
150 | <listitem> | |
151 | <para> | |
152 | Do not drop privileges when running | |
153 | <replaceable>command</replaceable> inside the container. If | |
154 | this option is specified, the new process will | |
155 | <emphasis>not</emphasis> be added to the container's cgroup(s) | |
156 | and it will not drop its capabilities before executing. | |
157 | </para> | |
4d69b293 NK |
158 | <para> |
159 | You may specify privileges, in case you do not want to elevate all of | |
160 | them, as a pipe-separated list, e.g. | |
161 | <replaceable>CGROUP|LSM</replaceable>. Allowed values are | |
162 | <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and | |
163 | <replaceable>LSM</replaceable> representing cgroup, capabilities and | |
759d521b CB |
164 | restriction privileges respectively. (The pipe symbol needs to be escaped, |
165 | e.g. <replaceable>CGROUP\|LSM</replaceable> or quoted, e.g. | |
166 | <replaceable>"CGROUP|LSM"</replaceable>.) | |
4d69b293 | 167 | </para> |
49ee6cdc CS |
168 | <para> |
169 | <emphasis>Warning:</emphasis> This may leak privileges into the | |
170 | container if the command starts subprocesses that remain active | |
171 | after the main process that was attached is terminated. The | |
172 | (re-)starting of daemons inside the container is problematic, | |
173 | especially if the daemon starts a lot of subprocesses such as | |
174 | <command>cron</command> or <command>sshd</command>. | |
175 | <emphasis>Use with great care.</emphasis> | |
176 | </para> | |
177 | </listitem> | |
178 | </varlistentry> | |
179 | ||
e13eeea2 CS |
180 | <varlistentry> |
181 | <term> | |
182 | <option>-s, --namespaces <replaceable>namespaces</replaceable></option> | |
183 | </term> | |
184 | <listitem> | |
185 | <para> | |
037ba55c | 186 | Specify the namespaces to attach to, as a pipe-separated list, |
e13eeea2 CS |
187 | e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are |
188 | <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>, | |
189 | <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>, | |
190 | <replaceable>USER </replaceable> and | |
191 | <replaceable>NETWORK</replaceable>. This allows one to change | |
192 | the context of the process to e.g. the network namespace of the | |
193 | container while retaining the other namespaces as those of the | |
759d521b CB |
194 | host. (The pipe symbol needs to be escaped, e.g. |
195 | <replaceable>MOUNT\|PID</replaceable> or quoted, e.g. | |
196 | <replaceable>"MOUNT|PID"</replaceable>.) | |
e13eeea2 CS |
197 | </para> |
198 | <para> | |
199 | <emphasis>Important:</emphasis> This option implies | |
200 | <option>-e</option>. | |
201 | </para> | |
202 | </listitem> | |
203 | </varlistentry> | |
204 | ||
7a0b0b56 CS |
205 | <varlistentry> |
206 | <term> | |
207 | <option>-R, --remount-sys-proc</option> | |
208 | </term> | |
209 | <listitem> | |
210 | <para> | |
211 | When using <option>-s</option> and the mount namespace is not | |
212 | included, this flag will cause <command>lxc-attach</command> | |
213 | to remount <replaceable>/proc</replaceable> and | |
214 | <replaceable>/sys</replaceable> to reflect the current other | |
215 | namespace contexts. | |
216 | </para> | |
217 | <para> | |
218 | Please see the <emphasis>Notes</emphasis> section for more | |
219 | details. | |
220 | </para> | |
221 | <para> | |
222 | This option will be ignored if one tries to attach to the | |
223 | mount namespace anyway. | |
224 | </para> | |
225 | </listitem> | |
226 | </varlistentry> | |
227 | ||
799f96fd CS |
228 | <varlistentry> |
229 | <term> | |
230 | <option>--keep-env</option> | |
231 | </term> | |
232 | <listitem> | |
233 | <para> | |
234 | Keep the current environment for attached programs. This is | |
235 | the current default behaviour (as of version 0.9), but is | |
236 | is likely to change in the future, since this may leak | |
237 | undesirable information into the container. If you rely on | |
238 | the environment being available for the attached program, | |
239 | please use this option to be future-proof. In addition to | |
240 | current environment variables, container=lxc will be set. | |
241 | </para> | |
242 | </listitem> | |
243 | </varlistentry> | |
244 | ||
245 | <varlistentry> | |
246 | <term> | |
247 | <option>--clear-env</option> | |
248 | </term> | |
249 | <listitem> | |
250 | <para> | |
251 | Clear the environment before attaching, so no undesired | |
252 | environment variables leak into the container. The variable | |
253 | container=lxc will be the only environment with which the | |
254 | attached program starts. | |
255 | </para> | |
256 | </listitem> | |
257 | </varlistentry> | |
258 | ||
f43d63bc CB |
259 | <varlistentry> |
260 | <term> | |
261 | <option>-L, --pty-log <replaceable>file</replaceable></option> | |
262 | </term> | |
263 | <listitem> | |
264 | <para> | |
265 | Specify a file where the output of <command>lxc-attach</command> will be | |
266 | logged. | |
267 | </para> | |
268 | <para> | |
269 | <emphasis>Important:</emphasis> When a standard file descriptor | |
3f3fd9e2 | 270 | does not refer to a pty output produced on it will not be logged. |
f43d63bc CB |
271 | </para> |
272 | </listitem> | |
273 | </varlistentry> | |
274 | ||
03b03982 KY |
275 | <varlistentry> |
276 | <term> | |
277 | <option>-v, --set-var <replaceable>variable</replaceable></option> | |
278 | </term> | |
279 | <listitem> | |
280 | <para> | |
281 | Set an additional environment variable that is seen by the | |
282 | attached program in the container. It is specified in the | |
283 | form of "VAR=VALUE", and can be specified multiple times. | |
284 | </para> | |
285 | </listitem> | |
286 | </varlistentry> | |
287 | ||
288 | <varlistentry> | |
289 | <term> | |
290 | <option>--keep-var <replaceable>variable</replaceable></option> | |
291 | </term> | |
292 | <listitem> | |
293 | <para> | |
294 | Keep a specified environment variable. It can only be | |
295 | specified in conjunction | |
296 | with <replaceable>--clear-env</replaceable>, and can be | |
297 | specified multiple times. | |
298 | </para> | |
299 | </listitem> | |
300 | </varlistentry> | |
301 | ||
7a0b0b56 | 302 | </variablelist> |
49ee6cdc CS |
303 | |
304 | </refsect1> | |
305 | ||
306 | &commonoptions; | |
307 | ||
308 | <refsect1> | |
309 | <title>Examples</title> | |
310 | <para> | |
311 | To spawn a new shell running inside an existing container, use | |
312 | <programlisting> | |
313 | lxc-attach -n container | |
314 | </programlisting> | |
315 | </para> | |
316 | <para> | |
317 | To restart the cron service of a running Debian container, use | |
318 | <programlisting> | |
319 | lxc-attach -n container -- /etc/init.d/cron restart | |
320 | </programlisting> | |
321 | </para> | |
322 | <para> | |
323 | To deactivate the network link eth1 of a running container that | |
e13eeea2 CS |
324 | does not have the NET_ADMIN capability, use either the |
325 | <option>-e</option> option to use increased capabilities, | |
326 | assuming the <command>ip</command> tool is installed: | |
49ee6cdc CS |
327 | <programlisting> |
328 | lxc-attach -n container -e -- /sbin/ip link delete eth1 | |
329 | </programlisting> | |
e13eeea2 CS |
330 | Or, alternatively, use the <option>-s</option> to use the |
331 | tools installed on the host outside the container: | |
332 | <programlisting> | |
333 | lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1 | |
334 | </programlisting> | |
49ee6cdc | 335 | </para> |
49ee6cdc CS |
336 | </refsect1> |
337 | ||
e13eeea2 CS |
338 | <refsect1> |
339 | <title>Compatibility</title> | |
340 | <para> | |
341 | Attaching completely (including the pid and mount namespaces) to a | |
a600d021 KY |
342 | container requires a kernel of version 3.8 or higher, or a |
343 | patched kernel, please see the lxc website for | |
e13eeea2 | 344 | details. <command>lxc-attach</command> will fail in that case if |
a600d021 | 345 | used with an unpatched kernel of version 3.7 and prior. |
e13eeea2 CS |
346 | </para> |
347 | <para> | |
348 | Nevertheless, it will succeed on an unpatched kernel of version 3.0 | |
349 | or higher if the <option>-s</option> option is used to restrict the | |
aa8d013e | 350 | namespaces that the process is to be attached to to one or more of |
e13eeea2 CS |
351 | <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable> |
352 | and <replaceable>UTSNAME</replaceable>. | |
353 | </para> | |
354 | <para> | |
a600d021 KY |
355 | Attaching to user namespaces is supported by kernel 3.8 or higher |
356 | with enabling user namespace. | |
e13eeea2 CS |
357 | </para> |
358 | </refsect1> | |
359 | ||
360 | <refsect1> | |
361 | <title>Notes</title> | |
362 | <para> | |
363 | The Linux <replaceable>/proc</replaceable> and | |
364 | <replaceable>/sys</replaceable> filesystems contain information | |
365 | about some quantities that are affected by namespaces, such as | |
366 | the directories named after process ids in | |
36b33520 | 367 | <replaceable>/proc</replaceable> or the network interface information |
e13eeea2 CS |
368 | in <replaceable>/sys/class/net</replaceable>. The namespace of the |
369 | process mounting the pseudo-filesystems determines what information | |
370 | is shown, <emphasis>not</emphasis> the namespace of the process | |
371 | accessing <replaceable>/proc</replaceable> or | |
372 | <replaceable>/sys</replaceable>. | |
373 | </para> | |
374 | <para> | |
375 | If one uses the <option>-s</option> option to only attach to | |
376 | the pid namespace of a container, but not its mount namespace | |
377 | (which will contain the <replaceable>/proc</replaceable> of the | |
378 | container and not the host), the contents of <option>/proc</option> | |
379 | will reflect that of the host and not the container. Analogously, | |
380 | the same issue occurs when reading the contents of | |
381 | <replaceable>/sys/class/net</replaceable> and attaching to just | |
382 | the network namespace. | |
383 | </para> | |
384 | <para> | |
7a0b0b56 CS |
385 | To work around this problem, the <option>-R</option> flag provides |
386 | the option to remount <replaceable>/proc</replaceable> and | |
387 | <replaceable>/sys</replaceable> in order for them to reflect the | |
388 | network/pid namespace context of the attached process. In order | |
389 | not to interfere with the host's actual filesystem, the mount | |
390 | namespace will be unshared (like <command>lxc-unshare</command> | |
e9555a6b | 391 | does) before this is done, essentially giving the process a new |
7a0b0b56 CS |
392 | mount namespace, which is identical to the hosts's mount namespace |
393 | except for the <replaceable>/proc</replaceable> and | |
394 | <replaceable>/sys</replaceable> filesystems. | |
e13eeea2 | 395 | </para> |
e986ea3d CB |
396 | <para> |
397 | Previous versions of <command>lxc-attach</command> suffered a bug whereby | |
398 | a user could attach to a containers namespace without being placed in a | |
399 | writeable cgroup for some critical subsystems. Newer versions of | |
400 | <command>lxc-attach</command> will check whether a user is in a writeable | |
401 | cgroup for those critical subsystems. <command>lxc-attach</command> might | |
402 | thus fail unexpectedly for some users (E.g. on systems where an | |
403 | unprivileged user is not placed in a writeable cgroup in critical | |
404 | subsystems on login.). However, this behavior is correct and more secure. | |
405 | </para> | |
e13eeea2 CS |
406 | </refsect1> |
407 | ||
49ee6cdc CS |
408 | <refsect1> |
409 | <title>Security</title> | |
410 | <para> | |
e13eeea2 CS |
411 | The <option>-e</option> and <option>-s</option> options should |
412 | be used with care, as it may break the isolation of the containers | |
413 | if used improperly. | |
49ee6cdc CS |
414 | </para> |
415 | </refsect1> | |
416 | ||
417 | &seealso; | |
418 | ||
419 | <refsect1> | |
420 | <title>Author</title> | |
421 | <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para> | |
422 | </refsect1> | |
423 | ||
424 | </refentry> | |
425 | ||
426 | <!-- Keep this comment at the end of the file | |
427 | Local variables: | |
428 | mode: sgml | |
429 | sgml-omittag:t | |
430 | sgml-shorttag:t | |
431 | sgml-minimize-attributes:nil | |
432 | sgml-always-quote-attributes:t | |
433 | sgml-indent-step:2 | |
434 | sgml-indent-data:t | |
435 | sgml-parent-document:nil | |
436 | sgml-default-dtd-file:nil | |
437 | sgml-exposed-tags:nil | |
438 | sgml-local-catalogs:nil | |
439 | sgml-local-ecat-files:nil | |
440 | End: | |
441 | --> |