]>
Commit | Line | Data |
---|---|---|
49ee6cdc CS |
1 | <!-- |
2 | ||
3 | lxc: linux Container library | |
4 | ||
5 | (C) Copyright IBM Corp. 2007, 2008 | |
6 | ||
7 | Authors: | |
9afe19d6 | 8 | Daniel Lezcano <daniel.lezcano at free.fr> |
49ee6cdc CS |
9 | |
10 | This library is free software; you can redistribute it and/or | |
11 | modify it under the terms of the GNU Lesser General Public | |
12 | License as published by the Free Software Foundation; either | |
13 | version 2.1 of the License, or (at your option) any later version. | |
14 | ||
15 | This library is distributed in the hope that it will be useful, | |
16 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
19 | ||
20 | You should have received a copy of the GNU Lesser General Public | |
21 | License along with this library; if not, write to the Free Software | |
250b1eec | 22 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
49ee6cdc CS |
23 | |
24 | --> | |
25 | ||
4d69b293 | 26 | |
7f951458 | 27 | <!DOCTYPE refentry PUBLIC @docdtd@ [ |
49ee6cdc CS |
28 | |
29 | <!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml"> | |
30 | <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml"> | |
31 | ]> | |
32 | ||
33 | <refentry> | |
34 | ||
35 | <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo> | |
36 | ||
37 | <refmeta> | |
38 | <refentrytitle>lxc-attach</refentrytitle> | |
39 | <manvolnum>1</manvolnum> | |
40 | </refmeta> | |
41 | ||
42 | <refnamediv> | |
43 | <refname>lxc-attach</refname> | |
44 | ||
45 | <refpurpose> | |
46 | start a process inside a running container. | |
47 | </refpurpose> | |
48 | </refnamediv> | |
49 | ||
50 | <refsynopsisdiv> | |
b4578c5b DE |
51 | <cmdsynopsis> |
52 | <command>lxc-attach</command> | |
53 | <arg choice="req">-n <replaceable>name</replaceable></arg> | |
54 | <arg choice="opt">-a <replaceable>arch</replaceable></arg> | |
55 | <arg choice="opt">-e</arg> | |
e13eeea2 | 56 | <arg choice="opt">-s <replaceable>namespaces</replaceable></arg> |
7a0b0b56 | 57 | <arg choice="opt">-R</arg> |
799f96fd CS |
58 | <arg choice="opt">--keep-env</arg> |
59 | <arg choice="opt">--clear-env</arg> | |
b4578c5b DE |
60 | <arg choice="opt">-- <replaceable>command</replaceable></arg> |
61 | </cmdsynopsis> | |
49ee6cdc CS |
62 | </refsynopsisdiv> |
63 | ||
64 | <refsect1> | |
65 | <title>Description</title> | |
66 | ||
67 | <para> | |
68 | <command>lxc-attach</command> runs the specified | |
69 | <replaceable>command</replaceable> inside the container | |
70 | specified by <replaceable>name</replaceable>. The container | |
71 | has to be running already. | |
72 | </para> | |
73 | <para> | |
74 | If no <replaceable>command</replaceable> is specified, the | |
75 | current default shell of the user running | |
76 | <command>lxc-attach</command> will be looked up inside the | |
77 | container and executed. This will fail if no such user exists | |
78 | inside the container or the container does not have a working | |
79 | nsswitch mechanism. | |
80 | </para> | |
e986ea3d CB |
81 | <para> |
82 | Previous versions of <command>lxc-attach</command> simply attached to the | |
478dda76 CB |
83 | specified namespaces of a container and ran a shell or the specified command |
84 | without first allocating a pseudo terminal. This made them vulnerable to | |
e986ea3d | 85 | input faking via a TIOCSTI <command>ioctl</command> call after switching |
02e5d92b | 86 | between userspace execution contexts with different privilege levels. Newer |
e986ea3d | 87 | versions of <command>lxc-attach</command> will try to allocate a pseudo |
478dda76 CB |
88 | terminal master/slave pair on the host and attach any standard file |
89 | descriptors which refer to a terminal to the slave side of the pseudo | |
90 | terminal before executing a shell or command. Note, that if none of the | |
91 | standard file descriptors refer to a terminal <command>lxc-attach</command> | |
92 | will not try to allocate a pseudo terminal. Instead it will simply attach | |
93 | to the containers namespaces and run a shell or the specified command. | |
e986ea3d | 94 | </para> |
49ee6cdc CS |
95 | |
96 | </refsect1> | |
97 | ||
98 | <refsect1> | |
99 | ||
100 | <title>Options</title> | |
101 | ||
102 | <variablelist> | |
103 | ||
104 | <varlistentry> | |
105 | <term> | |
106 | <option>-a, --arch <replaceable>arch</replaceable></option> | |
107 | </term> | |
108 | <listitem> | |
109 | <para> | |
110 | Specify the architecture which the kernel should appear to be | |
111 | running as to the command executed. This option will accept the | |
112 | same settings as the <option>lxc.arch</option> option in | |
113 | container configuration files, see | |
114 | <citerefentry> | |
115 | <refentrytitle><filename>lxc.conf</filename></refentrytitle> | |
116 | <manvolnum>5</manvolnum> | |
117 | </citerefentry>. By default, the current archictecture of the | |
118 | running container will be used. | |
119 | </para> | |
120 | </listitem> | |
121 | </varlistentry> | |
122 | ||
123 | <varlistentry> | |
124 | <term> | |
4d69b293 NK |
125 | <option> |
126 | -e, --elevated-privileges <replaceable>privileges</replaceable> | |
127 | </option> | |
49ee6cdc CS |
128 | </term> |
129 | <listitem> | |
130 | <para> | |
131 | Do not drop privileges when running | |
132 | <replaceable>command</replaceable> inside the container. If | |
133 | this option is specified, the new process will | |
134 | <emphasis>not</emphasis> be added to the container's cgroup(s) | |
135 | and it will not drop its capabilities before executing. | |
136 | </para> | |
4d69b293 NK |
137 | <para> |
138 | You may specify privileges, in case you do not want to elevate all of | |
139 | them, as a pipe-separated list, e.g. | |
140 | <replaceable>CGROUP|LSM</replaceable>. Allowed values are | |
141 | <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and | |
142 | <replaceable>LSM</replaceable> representing cgroup, capabilities and | |
759d521b CB |
143 | restriction privileges respectively. (The pipe symbol needs to be escaped, |
144 | e.g. <replaceable>CGROUP\|LSM</replaceable> or quoted, e.g. | |
145 | <replaceable>"CGROUP|LSM"</replaceable>.) | |
4d69b293 | 146 | </para> |
49ee6cdc CS |
147 | <para> |
148 | <emphasis>Warning:</emphasis> This may leak privileges into the | |
149 | container if the command starts subprocesses that remain active | |
150 | after the main process that was attached is terminated. The | |
151 | (re-)starting of daemons inside the container is problematic, | |
152 | especially if the daemon starts a lot of subprocesses such as | |
153 | <command>cron</command> or <command>sshd</command>. | |
154 | <emphasis>Use with great care.</emphasis> | |
155 | </para> | |
156 | </listitem> | |
157 | </varlistentry> | |
158 | ||
e13eeea2 CS |
159 | <varlistentry> |
160 | <term> | |
161 | <option>-s, --namespaces <replaceable>namespaces</replaceable></option> | |
162 | </term> | |
163 | <listitem> | |
164 | <para> | |
037ba55c | 165 | Specify the namespaces to attach to, as a pipe-separated list, |
e13eeea2 CS |
166 | e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are |
167 | <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>, | |
168 | <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>, | |
169 | <replaceable>USER </replaceable> and | |
170 | <replaceable>NETWORK</replaceable>. This allows one to change | |
171 | the context of the process to e.g. the network namespace of the | |
172 | container while retaining the other namespaces as those of the | |
759d521b CB |
173 | host. (The pipe symbol needs to be escaped, e.g. |
174 | <replaceable>MOUNT\|PID</replaceable> or quoted, e.g. | |
175 | <replaceable>"MOUNT|PID"</replaceable>.) | |
e13eeea2 CS |
176 | </para> |
177 | <para> | |
178 | <emphasis>Important:</emphasis> This option implies | |
179 | <option>-e</option>. | |
180 | </para> | |
181 | </listitem> | |
182 | </varlistentry> | |
183 | ||
7a0b0b56 CS |
184 | <varlistentry> |
185 | <term> | |
186 | <option>-R, --remount-sys-proc</option> | |
187 | </term> | |
188 | <listitem> | |
189 | <para> | |
190 | When using <option>-s</option> and the mount namespace is not | |
191 | included, this flag will cause <command>lxc-attach</command> | |
192 | to remount <replaceable>/proc</replaceable> and | |
193 | <replaceable>/sys</replaceable> to reflect the current other | |
194 | namespace contexts. | |
195 | </para> | |
196 | <para> | |
197 | Please see the <emphasis>Notes</emphasis> section for more | |
198 | details. | |
199 | </para> | |
200 | <para> | |
201 | This option will be ignored if one tries to attach to the | |
202 | mount namespace anyway. | |
203 | </para> | |
204 | </listitem> | |
205 | </varlistentry> | |
206 | ||
799f96fd CS |
207 | <varlistentry> |
208 | <term> | |
209 | <option>--keep-env</option> | |
210 | </term> | |
211 | <listitem> | |
212 | <para> | |
213 | Keep the current environment for attached programs. This is | |
214 | the current default behaviour (as of version 0.9), but is | |
215 | is likely to change in the future, since this may leak | |
216 | undesirable information into the container. If you rely on | |
217 | the environment being available for the attached program, | |
218 | please use this option to be future-proof. In addition to | |
219 | current environment variables, container=lxc will be set. | |
220 | </para> | |
221 | </listitem> | |
222 | </varlistentry> | |
223 | ||
224 | <varlistentry> | |
225 | <term> | |
226 | <option>--clear-env</option> | |
227 | </term> | |
228 | <listitem> | |
229 | <para> | |
230 | Clear the environment before attaching, so no undesired | |
231 | environment variables leak into the container. The variable | |
232 | container=lxc will be the only environment with which the | |
233 | attached program starts. | |
234 | </para> | |
235 | </listitem> | |
236 | </varlistentry> | |
237 | ||
7a0b0b56 | 238 | </variablelist> |
49ee6cdc CS |
239 | |
240 | </refsect1> | |
241 | ||
242 | &commonoptions; | |
243 | ||
244 | <refsect1> | |
245 | <title>Examples</title> | |
246 | <para> | |
247 | To spawn a new shell running inside an existing container, use | |
248 | <programlisting> | |
249 | lxc-attach -n container | |
250 | </programlisting> | |
251 | </para> | |
252 | <para> | |
253 | To restart the cron service of a running Debian container, use | |
254 | <programlisting> | |
255 | lxc-attach -n container -- /etc/init.d/cron restart | |
256 | </programlisting> | |
257 | </para> | |
258 | <para> | |
259 | To deactivate the network link eth1 of a running container that | |
e13eeea2 CS |
260 | does not have the NET_ADMIN capability, use either the |
261 | <option>-e</option> option to use increased capabilities, | |
262 | assuming the <command>ip</command> tool is installed: | |
49ee6cdc CS |
263 | <programlisting> |
264 | lxc-attach -n container -e -- /sbin/ip link delete eth1 | |
265 | </programlisting> | |
e13eeea2 CS |
266 | Or, alternatively, use the <option>-s</option> to use the |
267 | tools installed on the host outside the container: | |
268 | <programlisting> | |
269 | lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1 | |
270 | </programlisting> | |
49ee6cdc | 271 | </para> |
49ee6cdc CS |
272 | </refsect1> |
273 | ||
e13eeea2 CS |
274 | <refsect1> |
275 | <title>Compatibility</title> | |
276 | <para> | |
277 | Attaching completely (including the pid and mount namespaces) to a | |
a600d021 KY |
278 | container requires a kernel of version 3.8 or higher, or a |
279 | patched kernel, please see the lxc website for | |
e13eeea2 | 280 | details. <command>lxc-attach</command> will fail in that case if |
a600d021 | 281 | used with an unpatched kernel of version 3.7 and prior. |
e13eeea2 CS |
282 | </para> |
283 | <para> | |
284 | Nevertheless, it will succeed on an unpatched kernel of version 3.0 | |
285 | or higher if the <option>-s</option> option is used to restrict the | |
aa8d013e | 286 | namespaces that the process is to be attached to to one or more of |
e13eeea2 CS |
287 | <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable> |
288 | and <replaceable>UTSNAME</replaceable>. | |
289 | </para> | |
290 | <para> | |
a600d021 KY |
291 | Attaching to user namespaces is supported by kernel 3.8 or higher |
292 | with enabling user namespace. | |
e13eeea2 CS |
293 | </para> |
294 | </refsect1> | |
295 | ||
296 | <refsect1> | |
297 | <title>Notes</title> | |
298 | <para> | |
299 | The Linux <replaceable>/proc</replaceable> and | |
300 | <replaceable>/sys</replaceable> filesystems contain information | |
301 | about some quantities that are affected by namespaces, such as | |
302 | the directories named after process ids in | |
36b33520 | 303 | <replaceable>/proc</replaceable> or the network interface information |
e13eeea2 CS |
304 | in <replaceable>/sys/class/net</replaceable>. The namespace of the |
305 | process mounting the pseudo-filesystems determines what information | |
306 | is shown, <emphasis>not</emphasis> the namespace of the process | |
307 | accessing <replaceable>/proc</replaceable> or | |
308 | <replaceable>/sys</replaceable>. | |
309 | </para> | |
310 | <para> | |
311 | If one uses the <option>-s</option> option to only attach to | |
312 | the pid namespace of a container, but not its mount namespace | |
313 | (which will contain the <replaceable>/proc</replaceable> of the | |
314 | container and not the host), the contents of <option>/proc</option> | |
315 | will reflect that of the host and not the container. Analogously, | |
316 | the same issue occurs when reading the contents of | |
317 | <replaceable>/sys/class/net</replaceable> and attaching to just | |
318 | the network namespace. | |
319 | </para> | |
320 | <para> | |
7a0b0b56 CS |
321 | To work around this problem, the <option>-R</option> flag provides |
322 | the option to remount <replaceable>/proc</replaceable> and | |
323 | <replaceable>/sys</replaceable> in order for them to reflect the | |
324 | network/pid namespace context of the attached process. In order | |
325 | not to interfere with the host's actual filesystem, the mount | |
326 | namespace will be unshared (like <command>lxc-unshare</command> | |
327 | does) before this is done, esentially giving the process a new | |
328 | mount namespace, which is identical to the hosts's mount namespace | |
329 | except for the <replaceable>/proc</replaceable> and | |
330 | <replaceable>/sys</replaceable> filesystems. | |
e13eeea2 | 331 | </para> |
e986ea3d CB |
332 | <para> |
333 | Previous versions of <command>lxc-attach</command> suffered a bug whereby | |
334 | a user could attach to a containers namespace without being placed in a | |
335 | writeable cgroup for some critical subsystems. Newer versions of | |
336 | <command>lxc-attach</command> will check whether a user is in a writeable | |
337 | cgroup for those critical subsystems. <command>lxc-attach</command> might | |
338 | thus fail unexpectedly for some users (E.g. on systems where an | |
339 | unprivileged user is not placed in a writeable cgroup in critical | |
340 | subsystems on login.). However, this behavior is correct and more secure. | |
341 | </para> | |
e13eeea2 CS |
342 | </refsect1> |
343 | ||
49ee6cdc CS |
344 | <refsect1> |
345 | <title>Security</title> | |
346 | <para> | |
e13eeea2 CS |
347 | The <option>-e</option> and <option>-s</option> options should |
348 | be used with care, as it may break the isolation of the containers | |
349 | if used improperly. | |
49ee6cdc CS |
350 | </para> |
351 | </refsect1> | |
352 | ||
353 | &seealso; | |
354 | ||
355 | <refsect1> | |
356 | <title>Author</title> | |
357 | <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para> | |
358 | </refsect1> | |
359 | ||
360 | </refentry> | |
361 | ||
362 | <!-- Keep this comment at the end of the file | |
363 | Local variables: | |
364 | mode: sgml | |
365 | sgml-omittag:t | |
366 | sgml-shorttag:t | |
367 | sgml-minimize-attributes:nil | |
368 | sgml-always-quote-attributes:t | |
369 | sgml-indent-step:2 | |
370 | sgml-indent-data:t | |
371 | sgml-parent-document:nil | |
372 | sgml-default-dtd-file:nil | |
373 | sgml-exposed-tags:nil | |
374 | sgml-local-catalogs:nil | |
375 | sgml-local-ecat-files:nil | |
376 | End: | |
377 | --> |