[mirror_lxc.git] / doc / lxc-attach.sgml.in

<!--

lxc: linux Container library

(C) Copyright IBM Corp. 2007, 2008

Authors:
Daniel Lezcano <daniel.lezcano at free.fr>

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

-->

<!DOCTYPE refentry PUBLIC @docdtd@ [

<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
]>

<refentry>

  <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>

  <refmeta>
    <refentrytitle>lxc-attach</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>lxc-attach</refname>

    <refpurpose>
      start a process inside a running container.
    </refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>lxc-attach</command>
      <arg choice="req">-n <replaceable>name</replaceable></arg>
      <arg choice="opt">-a <replaceable>arch</replaceable></arg>
      <arg choice="opt">-e</arg>
      <arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
      <arg choice="opt">-R</arg>
      <arg choice="opt">--keep-env</arg>
      <arg choice="opt">--clear-env</arg>
      <arg choice="opt">-- <replaceable>command</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>
      <command>lxc-attach</command> runs the specified
      <replaceable>command</replaceable> inside the container
      specified by <replaceable>name</replaceable>. The container
      has to be running already.
    </para>
    <para>
      If no <replaceable>command</replaceable> is specified, the
      current default shell of the user running
      <command>lxc-attach</command> will be looked up inside the
      container and executed. This will fail if no such user exists
      inside the container or the container does not have a working
      nsswitch mechanism.
    </para>

  </refsect1>

  <refsect1>

    <title>Options</title>

    <variablelist>

      <varlistentry>
	<term>
	  <option>-a, --arch <replaceable>arch</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the architecture which the kernel should appear to be
	    running as to the command executed. This option will accept the
	    same settings as the <option>lxc.arch</option> option in
	    container configuration files, see
	    <citerefentry>
	      <refentrytitle><filename>lxc.conf</filename></refentrytitle>
	      <manvolnum>5</manvolnum>
	    </citerefentry>. By default, the current archictecture of the
	    running container will be used.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-e, --elevated-privileges</option>
	</term>
	<listitem>
	  <para>
	    Do not drop privileges when running
	    <replaceable>command</replaceable> inside the container. If
	    this option is specified, the new process will
	    <emphasis>not</emphasis> be added to the container's cgroup(s)
	    and it will not drop its capabilities before executing.
	  </para>
	  <para>
	    <emphasis>Warning:</emphasis> This may leak privileges into the
	    container if the command starts subprocesses that remain active
	    after the main process that was attached is terminated. The
	    (re-)starting of daemons inside the container is problematic,
	    especially if the daemon starts a lot of subprocesses such as
	    <command>cron</command> or <command>sshd</command>.
	    <emphasis>Use with great care.</emphasis>
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the namespaces to attach to, as a pipe-separated list,
	    e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
	    <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
	    <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
	    <replaceable>USER </replaceable> and
	    <replaceable>NETWORK</replaceable>. This allows one to change
	    the context of the process to e.g. the network namespace of the
	    container while retaining the other namespaces as those of the
	    host.
	  </para>
	  <para>
	    <emphasis>Important:</emphasis> This option implies
	    <option>-e</option>.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-R, --remount-sys-proc</option>
	</term>
	<listitem>
	  <para>
	    When using <option>-s</option> and the mount namespace is not
	    included, this flag will cause <command>lxc-attach</command>
	    to remount <replaceable>/proc</replaceable> and
	    <replaceable>/sys</replaceable> to reflect the current other
	    namespace contexts.
	  </para>
	  <para>
	    Please see the <emphasis>Notes</emphasis> section for more
	    details.
	  </para>
	  <para>
	    This option will be ignored if one tries to attach to the
	    mount namespace anyway.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--keep-env</option>
	</term>
	<listitem>
	  <para>
	    Keep the current environment for attached programs. This is
	    the current default behaviour (as of version 0.9), but is
	    is likely to change in the future, since this may leak
	    undesirable information into the container. If you rely on
	    the environment being available for the attached program,
	    please use this option to be future-proof. In addition to
	    current environment variables, container=lxc will be set.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--clear-env</option>
	</term>
	<listitem>
	  <para>
	    Clear the environment before attaching, so no undesired
	    environment variables leak into the container. The variable
	    container=lxc will be the only environment with which the
	    attached program starts.
	  </para>
	</listitem>
      </varlistentry>

     </variablelist>

  </refsect1>

  &commonoptions;

  <refsect1>
    <title>Examples</title>
      <para>
        To spawn a new shell running inside an existing container, use
        <programlisting>
          lxc-attach -n container
        </programlisting>
      </para>
      <para>
        To restart the cron service of a running Debian container, use
        <programlisting>
          lxc-attach -n container -- /etc/init.d/cron restart
        </programlisting>
      </para>
      <para>
        To deactivate the network link eth1 of a running container that
        does not have the NET_ADMIN capability, use either the
        <option>-e</option> option to use increased capabilities,
        assuming the <command>ip</command> tool is installed:
        <programlisting>
          lxc-attach -n container -e -- /sbin/ip link delete eth1
        </programlisting>
        Or, alternatively, use the <option>-s</option> to use the
        tools installed on the host outside the container:
        <programlisting>
          lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
        </programlisting>
      </para>
  </refsect1>

  <refsect1>
    <title>Compatibility</title>
    <para>
      Attaching completely (including the pid and mount namespaces) to a
      container requires a patched kernel, please see the lxc website for
      details. <command>lxc-attach</command> will fail in that case if
      used with an unpatched kernel.
    </para>
    <para>
      Nevertheless, it will succeed on an unpatched kernel of version 3.0
      or higher if the <option>-s</option> option is used to restrict the
      namespaces that the process is to be attached to to one or more of
      <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
      and <replaceable>UTSNAME</replaceable>.
    </para>
    <para>
      Attaching to user namespaces is currently completely unsupported
      by the kernel. <command>lxc-attach</command> should however be able
      to do this once once future kernel versions implement this.
    </para>
  </refsect1>

  <refsect1>
    <title>Notes</title>
    <para>
      The Linux <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> filesystems contain information
      about some quantities that are affected by namespaces, such as
      the directories named after process ids in
      <replaceable>/proc</replaceable> or the network interface information
      in <replaceable>/sys/class/net</replaceable>. The namespace of the
      process mounting the pseudo-filesystems determines what information
      is shown, <emphasis>not</emphasis> the namespace of the process
      accessing <replaceable>/proc</replaceable> or
      <replaceable>/sys</replaceable>.
    </para>
    <para>
      If one uses the <option>-s</option> option to only attach to
      the pid namespace of a container, but not its mount namespace
      (which will contain the <replaceable>/proc</replaceable> of the
      container and not the host), the contents of <option>/proc</option>
      will reflect that of the host and not the container. Analogously,
      the same issue occurs when reading the contents of
      <replaceable>/sys/class/net</replaceable> and attaching to just
      the network namespace.
    </para>
    <para>
      To work around this problem, the <option>-R</option> flag provides
      the option to remount <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> in order for them to reflect the
      network/pid namespace context of the attached process. In order
      not to interfere with the host's actual filesystem, the mount
      namespace will be unshared (like <command>lxc-unshare</command>
      does) before this is done, esentially giving the process a new
      mount namespace, which is identical to the hosts's mount namespace
      except for the <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> filesystems.
    </para>
  </refsect1>

  <refsect1>
    <title>Security</title>
    <para>
      The <option>-e</option> and <option>-s</option> options should
      be used with care, as it may break the isolation of the containers
      if used improperly.
    </para>
  </refsect1>

  &seealso;

  <refsect1>
    <title>Author</title>
    <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
  </refsect1>

</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->
Commit	Line	Data
49ee6cdc CS	1	<!--
	2
	3	lxc: linux Container library
	4
	5	(C) Copyright IBM Corp. 2007, 2008
	6
	7	Authors:
9afe19d6	8	Daniel Lezcano <daniel.lezcano at free.fr>
49ee6cdc CS	9
	10	This library is free software; you can redistribute it and/or
	11	modify it under the terms of the GNU Lesser General Public
	12	License as published by the Free Software Foundation; either
	13	version 2.1 of the License, or (at your option) any later version.
	14
	15	This library is distributed in the hope that it will be useful,
	16	but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	Lesser General Public License for more details.
	19
	20	You should have received a copy of the GNU Lesser General Public
	21	License along with this library; if not, write to the Free Software
250b1eec	22	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
49ee6cdc CS	23
	24	-->
	25
7f951458	26	<!DOCTYPE refentry PUBLIC @docdtd@ [
49ee6cdc CS	27
	28	<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
	29	<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
	30	]>
	31
	32	<refentry>
	33
	34	<docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
	35
	36	<refmeta>
	37	<refentrytitle>lxc-attach</refentrytitle>
	38	<manvolnum>1</manvolnum>
	39	</refmeta>
	40
	41	<refnamediv>
	42	<refname>lxc-attach</refname>
	43
	44	<refpurpose>
	45	start a process inside a running container.
	46	</refpurpose>
	47	</refnamediv>
	48
	49	<refsynopsisdiv>
b4578c5b DE	50	<cmdsynopsis>
	51	<command>lxc-attach</command>
	52	<arg choice="req">-n <replaceable>name</replaceable></arg>
	53	<arg choice="opt">-a <replaceable>arch</replaceable></arg>
	54	<arg choice="opt">-e</arg>
e13eeea2	55	<arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
7a0b0b56	56	<arg choice="opt">-R</arg>
799f96fd CS	57	<arg choice="opt">--keep-env</arg>
799f96fd CS	58	<arg choice="opt">--clear-env</arg>
b4578c5b DE	59	<arg choice="opt">-- <replaceable>command</replaceable></arg>
b4578c5b DE	60	</cmdsynopsis>
49ee6cdc CS	61	</refsynopsisdiv>
	62
	63	<refsect1>
	64	<title>Description</title>
	65
	66	<para>
	67	<command>lxc-attach</command> runs the specified
	68	<replaceable>command</replaceable> inside the container
	69	specified by <replaceable>name</replaceable>. The container
	70	has to be running already.
	71	</para>
	72	<para>
	73	If no <replaceable>command</replaceable> is specified, the
	74	current default shell of the user running
	75	<command>lxc-attach</command> will be looked up inside the
	76	container and executed. This will fail if no such user exists
	77	inside the container or the container does not have a working
	78	nsswitch mechanism.
	79	</para>
	80
	81	</refsect1>
	82
	83	<refsect1>
	84
	85	<title>Options</title>
	86
	87	<variablelist>
	88
	89	<varlistentry>
	90	<term>
	91	<option>-a, --arch <replaceable>arch</replaceable></option>
	92	</term>
	93	<listitem>
	94	<para>
	95	Specify the architecture which the kernel should appear to be
	96	running as to the command executed. This option will accept the
	97	same settings as the <option>lxc.arch</option> option in
	98	container configuration files, see
	99	<citerefentry>
	100	<refentrytitle><filename>lxc.conf</filename></refentrytitle>
	101	<manvolnum>5</manvolnum>
	102	</citerefentry>. By default, the current archictecture of the
	103	running container will be used.
	104	</para>
	105	</listitem>
	106	</varlistentry>
	107
	108	<varlistentry>
	109	<term>
	110	<option>-e, --elevated-privileges</option>
	111	</term>
	112	<listitem>
	113	<para>
	114	Do not drop privileges when running
	115	<replaceable>command</replaceable> inside the container. If
	116	this option is specified, the new process will
	117	<emphasis>not</emphasis> be added to the container's cgroup(s)
	118	and it will not drop its capabilities before executing.
	119	</para>
	120	<para>
	121	<emphasis>Warning:</emphasis> This may leak privileges into the
	122	container if the command starts subprocesses that remain active
	123	after the main process that was attached is terminated. The
	124	(re-)starting of daemons inside the container is problematic,
125	especially if the daemon starts a lot of subprocesses such as
126	<command>cron</command> or <command>sshd</command>.
127	<emphasis>Use with great care.</emphasis>
128	</para>
129	</listitem>
130	</varlistentry>
131
e13eeea2 CS	132	<varlistentry>
	133	<term>
	134	<option>-s, --namespaces <replaceable>namespaces</replaceable></option>
	135	</term>
	136	<listitem>
	137	<para>
037ba55c	138	Specify the namespaces to attach to, as a pipe-separated list,
e13eeea2 CS	139	e.g. <replaceable>NETWORK\|IPC</replaceable>. Allowed values are
	140	<replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
	141	<replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
	142	<replaceable>USER </replaceable> and
	143	<replaceable>NETWORK</replaceable>. This allows one to change
	144	the context of the process to e.g. the network namespace of the
	145	container while retaining the other namespaces as those of the
	146	host.
	147	</para>
	148	<para>
	149	<emphasis>Important:</emphasis> This option implies
	150	<option>-e</option>.
	151	</para>
	152	</listitem>
	153	</varlistentry>
	154
7a0b0b56 CS	155	<varlistentry>
	156	<term>
	157	<option>-R, --remount-sys-proc</option>
	158	</term>
	159	<listitem>
	160	<para>
	161	When using <option>-s</option> and the mount namespace is not
	162	included, this flag will cause <command>lxc-attach</command>
	163	to remount <replaceable>/proc</replaceable> and
	164	<replaceable>/sys</replaceable> to reflect the current other
	165	namespace contexts.
	166	</para>
	167	<para>
	168	Please see the <emphasis>Notes</emphasis> section for more
	169	details.
	170	</para>
	171	<para>
	172	This option will be ignored if one tries to attach to the
	173	mount namespace anyway.
	174	</para>
	175	</listitem>
	176	</varlistentry>
	177
799f96fd CS	178	<varlistentry>
	179	<term>
	180	<option>--keep-env</option>
	181	</term>
	182	<listitem>
	183	<para>
	184	Keep the current environment for attached programs. This is
	185	the current default behaviour (as of version 0.9), but is
	186	is likely to change in the future, since this may leak
	187	undesirable information into the container. If you rely on
	188	the environment being available for the attached program,
	189	please use this option to be future-proof. In addition to
	190	current environment variables, container=lxc will be set.
	191	</para>
	192	</listitem>
	193	</varlistentry>
	194
	195	<varlistentry>
	196	<term>
	197	<option>--clear-env</option>
	198	</term>
	199	<listitem>
	200	<para>
	201	Clear the environment before attaching, so no undesired
	202	environment variables leak into the container. The variable
	203	container=lxc will be the only environment with which the
	204	attached program starts.
	205	</para>
	206	</listitem>
	207	</varlistentry>
	208
7a0b0b56	209	</variablelist>
49ee6cdc CS	210
	211	</refsect1>
	212
	213	&commonoptions;
	214
	215	<refsect1>
	216	<title>Examples</title>
	217	<para>
	218	To spawn a new shell running inside an existing container, use
	219	<programlisting>
	220	lxc-attach -n container
	221	</programlisting>
	222	</para>
	223	<para>
	224	To restart the cron service of a running Debian container, use
	225	<programlisting>
	226	lxc-attach -n container -- /etc/init.d/cron restart
	227	</programlisting>
	228	</para>
	229	<para>
	230	To deactivate the network link eth1 of a running container that
e13eeea2 CS	231	does not have the NET_ADMIN capability, use either the
	232	<option>-e</option> option to use increased capabilities,
	233	assuming the <command>ip</command> tool is installed:
49ee6cdc CS	234	<programlisting>
	235	lxc-attach -n container -e -- /sbin/ip link delete eth1
	236	</programlisting>
e13eeea2 CS	237	Or, alternatively, use the <option>-s</option> to use the
	238	tools installed on the host outside the container:
	239	<programlisting>
	240	lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
	241	</programlisting>
49ee6cdc	242	</para>
49ee6cdc CS	243	</refsect1>
49ee6cdc CS	244
e13eeea2 CS	245	<refsect1>
	246	<title>Compatibility</title>
	247	<para>
	248	Attaching completely (including the pid and mount namespaces) to a
	249	container requires a patched kernel, please see the lxc website for
	250	details. <command>lxc-attach</command> will fail in that case if
	251	used with an unpatched kernel.
	252	</para>
	253	<para>
	254	Nevertheless, it will succeed on an unpatched kernel of version 3.0
	255	or higher if the <option>-s</option> option is used to restrict the
aa8d013e	256	namespaces that the process is to be attached to to one or more of
e13eeea2 CS	257	<replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
	258	and <replaceable>UTSNAME</replaceable>.
	259	</para>
	260	<para>
	261	Attaching to user namespaces is currently completely unsupported
	262	by the kernel. <command>lxc-attach</command> should however be able
	263	to do this once once future kernel versions implement this.
	264	</para>
	265	</refsect1>
	266
	267	<refsect1>
	268	<title>Notes</title>
	269	<para>
	270	The Linux <replaceable>/proc</replaceable> and
	271	<replaceable>/sys</replaceable> filesystems contain information
	272	about some quantities that are affected by namespaces, such as
	273	the directories named after process ids in
36b33520	274	<replaceable>/proc</replaceable> or the network interface information
e13eeea2 CS	275	in <replaceable>/sys/class/net</replaceable>. The namespace of the
	276	process mounting the pseudo-filesystems determines what information
	277	is shown, <emphasis>not</emphasis> the namespace of the process
	278	accessing <replaceable>/proc</replaceable> or
	279	<replaceable>/sys</replaceable>.
	280	</para>
	281	<para>
	282	If one uses the <option>-s</option> option to only attach to
	283	the pid namespace of a container, but not its mount namespace
	284	(which will contain the <replaceable>/proc</replaceable> of the
	285	container and not the host), the contents of <option>/proc</option>
	286	will reflect that of the host and not the container. Analogously,
	287	the same issue occurs when reading the contents of
	288	<replaceable>/sys/class/net</replaceable> and attaching to just
	289	the network namespace.
	290	</para>
	291	<para>
7a0b0b56 CS	292	To work around this problem, the <option>-R</option> flag provides
	293	the option to remount <replaceable>/proc</replaceable> and
	294	<replaceable>/sys</replaceable> in order for them to reflect the
	295	network/pid namespace context of the attached process. In order
	296	not to interfere with the host's actual filesystem, the mount
	297	namespace will be unshared (like <command>lxc-unshare</command>
	298	does) before this is done, esentially giving the process a new
	299	mount namespace, which is identical to the hosts's mount namespace
	300	except for the <replaceable>/proc</replaceable> and
	301	<replaceable>/sys</replaceable> filesystems.
e13eeea2 CS	302	</para>
	303	</refsect1>
	304
49ee6cdc CS	305	<refsect1>
	306	<title>Security</title>
	307	<para>
e13eeea2 CS	308	The <option>-e</option> and <option>-s</option> options should
	309	be used with care, as it may break the isolation of the containers
	310	if used improperly.
49ee6cdc CS	311	</para>
	312	</refsect1>
	313
	314	&seealso;
	315
	316	<refsect1>
	317	<title>Author</title>
	318	<para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
	319	</refsect1>
	320
	321	</refentry>
	322
	323	<!-- Keep this comment at the end of the file
	324	Local variables:
	325	mode: sgml
	326	sgml-omittag:t
	327	sgml-shorttag:t
	328	sgml-minimize-attributes:nil
	329	sgml-always-quote-attributes:t
	330	sgml-indent-step:2
	331	sgml-indent-data:t
	332	sgml-parent-document:nil
	333	sgml-default-dtd-file:nil
	334	sgml-exposed-tags:nil
	335	sgml-local-catalogs:nil
	336	sgml-local-ecat-files:nil
	337	End:
	338	-->