[mirror_lxc.git] / doc / lxc-attach.sgml.in

<!--

lxc: linux Container library

(C) Copyright IBM Corp. 2007, 2008

Authors:
Daniel Lezcano <daniel.lezcano at free.fr>

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

-->


<!DOCTYPE refentry PUBLIC @docdtd@ [

<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
]>

<refentry>

  <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>

  <refmeta>
    <refentrytitle>lxc-attach</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>lxc-attach</refname>

    <refpurpose>
      start a process inside a running container.
    </refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>lxc-attach</command>
      <arg choice="req">-n <replaceable>name</replaceable></arg>
      <arg choice="opt">-a <replaceable>arch</replaceable></arg>
      <arg choice="opt">-e</arg>
      <arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
      <arg choice="opt">-R</arg>
      <arg choice="opt">--keep-env</arg>
      <arg choice="opt">--clear-env</arg>
      <arg choice="opt">-- <replaceable>command</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>
      <command>lxc-attach</command> runs the specified
      <replaceable>command</replaceable> inside the container
      specified by <replaceable>name</replaceable>. The container
      has to be running already.
    </para>
    <para>
      If no <replaceable>command</replaceable> is specified, the
      current default shell of the user running
      <command>lxc-attach</command> will be looked up inside the
      container and executed. This will fail if no such user exists
      inside the container or the container does not have a working
      nsswitch mechanism.
    </para>
    <para>
    Previous versions of <command>lxc-attach</command> simply attached to the
    specified namespaces of a container and ran a shell or the specified command
    without first allocating a pseudo terminal. This made them vulnerable to
    input faking via a TIOCSTI <command>ioctl</command> call after switching
    between userspace execution contexts with different privilege levels. Newer
    versions of <command>lxc-attach</command> will try to allocate a pseudo
    terminal master/slave pair on the host and attach any standard file
    descriptors which refer to a terminal to the slave side of the pseudo
    terminal before executing a shell or command. Note, that if none of the
    standard file descriptors refer to a terminal <command>lxc-attach</command>
    will not try to allocate a pseudo terminal. Instead it will simply attach
    to the containers namespaces and run a shell or the specified command.
    </para>

  </refsect1>

  <refsect1>

    <title>Options</title>

    <variablelist>

      <varlistentry>
	<term>
	  <option>-a, --arch <replaceable>arch</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the architecture which the kernel should appear to be
	    running as to the command executed. This option will accept the
	    same settings as the <option>lxc.arch</option> option in
	    container configuration files, see
	    <citerefentry>
	      <refentrytitle><filename>lxc.conf</filename></refentrytitle>
	      <manvolnum>5</manvolnum>
	    </citerefentry>. By default, the current archictecture of the
	    running container will be used.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>
      -e, --elevated-privileges <replaceable>privileges</replaceable>
    </option>
	</term>
	<listitem>
	  <para>
	    Do not drop privileges when running
	    <replaceable>command</replaceable> inside the container. If
	    this option is specified, the new process will
	    <emphasis>not</emphasis> be added to the container's cgroup(s)
	    and it will not drop its capabilities before executing.
	  </para>
    <para>
      You may specify privileges, in case you do not want to elevate all of
      them, as a pipe-separated list, e.g.
      <replaceable>CGROUP|LSM</replaceable>. Allowed values are
      <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
      <replaceable>LSM</replaceable> representing cgroup, capabilities and
      restriction privileges respectively. (The pipe symbol needs to be escaped,
      e.g. <replaceable>CGROUP\|LSM</replaceable> or quoted, e.g.
      <replaceable>"CGROUP|LSM"</replaceable>.)
    </para>
	  <para>
	    <emphasis>Warning:</emphasis> This may leak privileges into the
	    container if the command starts subprocesses that remain active
	    after the main process that was attached is terminated. The
	    (re-)starting of daemons inside the container is problematic,
	    especially if the daemon starts a lot of subprocesses such as
	    <command>cron</command> or <command>sshd</command>.
	    <emphasis>Use with great care.</emphasis>
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the namespaces to attach to, as a pipe-separated list,
	    e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
	    <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
	    <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
	    <replaceable>USER </replaceable> and
	    <replaceable>NETWORK</replaceable>. This allows one to change
	    the context of the process to e.g. the network namespace of the
	    container while retaining the other namespaces as those of the
            host. (The pipe symbol needs to be escaped, e.g.
            <replaceable>MOUNT\|PID</replaceable> or quoted, e.g.
            <replaceable>"MOUNT|PID"</replaceable>.)
	  </para>
	  <para>
	    <emphasis>Important:</emphasis> This option implies
	    <option>-e</option>.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-R, --remount-sys-proc</option>
	</term>
	<listitem>
	  <para>
	    When using <option>-s</option> and the mount namespace is not
	    included, this flag will cause <command>lxc-attach</command>
	    to remount <replaceable>/proc</replaceable> and
	    <replaceable>/sys</replaceable> to reflect the current other
	    namespace contexts.
	  </para>
	  <para>
	    Please see the <emphasis>Notes</emphasis> section for more
	    details.
	  </para>
	  <para>
	    This option will be ignored if one tries to attach to the
	    mount namespace anyway.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--keep-env</option>
	</term>
	<listitem>
	  <para>
	    Keep the current environment for attached programs. This is
	    the current default behaviour (as of version 0.9), but is
	    is likely to change in the future, since this may leak
	    undesirable information into the container. If you rely on
	    the environment being available for the attached program,
	    please use this option to be future-proof. In addition to
	    current environment variables, container=lxc will be set.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--clear-env</option>
	</term>
	<listitem>
	  <para>
	    Clear the environment before attaching, so no undesired
	    environment variables leak into the container. The variable
	    container=lxc will be the only environment with which the
	    attached program starts.
	  </para>
	</listitem>
      </varlistentry>

     </variablelist>

  </refsect1>

  &commonoptions;

  <refsect1>
    <title>Examples</title>
      <para>
        To spawn a new shell running inside an existing container, use
        <programlisting>
          lxc-attach -n container
        </programlisting>
      </para>
      <para>
        To restart the cron service of a running Debian container, use
        <programlisting>
          lxc-attach -n container -- /etc/init.d/cron restart
        </programlisting>
      </para>
      <para>
        To deactivate the network link eth1 of a running container that
        does not have the NET_ADMIN capability, use either the
        <option>-e</option> option to use increased capabilities,
        assuming the <command>ip</command> tool is installed:
        <programlisting>
          lxc-attach -n container -e -- /sbin/ip link delete eth1
        </programlisting>
        Or, alternatively, use the <option>-s</option> to use the
        tools installed on the host outside the container:
        <programlisting>
          lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
        </programlisting>
      </para>
  </refsect1>

  <refsect1>
    <title>Compatibility</title>
    <para>
      Attaching completely (including the pid and mount namespaces) to a
      container requires a kernel of version 3.8 or higher, or a
      patched kernel, please see the lxc website for
      details. <command>lxc-attach</command> will fail in that case if
      used with an unpatched kernel of version 3.7 and prior.
    </para>
    <para>
      Nevertheless, it will succeed on an unpatched kernel of version 3.0
      or higher if the <option>-s</option> option is used to restrict the
      namespaces that the process is to be attached to to one or more of
      <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
      and <replaceable>UTSNAME</replaceable>.
    </para>
    <para>
      Attaching to user namespaces is supported by kernel 3.8 or higher
      with enabling user namespace.
    </para>
  </refsect1>

  <refsect1>
    <title>Notes</title>
    <para>
      The Linux <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> filesystems contain information
      about some quantities that are affected by namespaces, such as
      the directories named after process ids in
      <replaceable>/proc</replaceable> or the network interface information
      in <replaceable>/sys/class/net</replaceable>. The namespace of the
      process mounting the pseudo-filesystems determines what information
      is shown, <emphasis>not</emphasis> the namespace of the process
      accessing <replaceable>/proc</replaceable> or
      <replaceable>/sys</replaceable>.
    </para>
    <para>
      If one uses the <option>-s</option> option to only attach to
      the pid namespace of a container, but not its mount namespace
      (which will contain the <replaceable>/proc</replaceable> of the
      container and not the host), the contents of <option>/proc</option>
      will reflect that of the host and not the container. Analogously,
      the same issue occurs when reading the contents of
      <replaceable>/sys/class/net</replaceable> and attaching to just
      the network namespace.
    </para>
    <para>
      To work around this problem, the <option>-R</option> flag provides
      the option to remount <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> in order for them to reflect the
      network/pid namespace context of the attached process. In order
      not to interfere with the host's actual filesystem, the mount
      namespace will be unshared (like <command>lxc-unshare</command>
      does) before this is done, esentially giving the process a new
      mount namespace, which is identical to the hosts's mount namespace
      except for the <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> filesystems.
    </para>
    <para>
      Previous versions of <command>lxc-attach</command> suffered a bug whereby
      a user could attach to a containers namespace without being placed in a
      writeable cgroup for some critical subsystems. Newer versions of
      <command>lxc-attach</command> will check whether a user is in a writeable
      cgroup for those critical subsystems. <command>lxc-attach</command> might
      thus fail unexpectedly for some users (E.g. on systems where an
      unprivileged user is not placed in a writeable cgroup in critical
      subsystems on login.). However, this behavior is correct and more secure.
    </para>
  </refsect1>

  <refsect1>
    <title>Security</title>
    <para>
      The <option>-e</option> and <option>-s</option> options should
      be used with care, as it may break the isolation of the containers
      if used improperly.
    </para>
  </refsect1>

  &seealso;

  <refsect1>
    <title>Author</title>
    <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
  </refsect1>

</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->
Commit	Line	Data
49ee6cdc CS	1	<!--
	2
	3	lxc: linux Container library
	4
	5	(C) Copyright IBM Corp. 2007, 2008
	6
	7	Authors:
9afe19d6	8	Daniel Lezcano <daniel.lezcano at free.fr>
49ee6cdc CS	9
	10	This library is free software; you can redistribute it and/or
	11	modify it under the terms of the GNU Lesser General Public
	12	License as published by the Free Software Foundation; either
	13	version 2.1 of the License, or (at your option) any later version.
	14
	15	This library is distributed in the hope that it will be useful,
	16	but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	Lesser General Public License for more details.
	19
	20	You should have received a copy of the GNU Lesser General Public
	21	License along with this library; if not, write to the Free Software
250b1eec	22	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
49ee6cdc CS	23
	24	-->
	25
4d69b293	26
7f951458	27	<!DOCTYPE refentry PUBLIC @docdtd@ [
49ee6cdc CS	28
	29	<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
	30	<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
	31	]>
	32
	33	<refentry>
	34
	35	<docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
	36
	37	<refmeta>
	38	<refentrytitle>lxc-attach</refentrytitle>
	39	<manvolnum>1</manvolnum>
	40	</refmeta>
	41
	42	<refnamediv>
	43	<refname>lxc-attach</refname>
	44
	45	<refpurpose>
	46	start a process inside a running container.
	47	</refpurpose>
	48	</refnamediv>
	49
	50	<refsynopsisdiv>
b4578c5b DE	51	<cmdsynopsis>
	52	<command>lxc-attach</command>
	53	<arg choice="req">-n <replaceable>name</replaceable></arg>
	54	<arg choice="opt">-a <replaceable>arch</replaceable></arg>
	55	<arg choice="opt">-e</arg>
e13eeea2	56	<arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
7a0b0b56	57	<arg choice="opt">-R</arg>
799f96fd CS	58	<arg choice="opt">--keep-env</arg>
799f96fd CS	59	<arg choice="opt">--clear-env</arg>
b4578c5b DE	60	<arg choice="opt">-- <replaceable>command</replaceable></arg>
b4578c5b DE	61	</cmdsynopsis>
49ee6cdc CS	62	</refsynopsisdiv>
	63
	64	<refsect1>
	65	<title>Description</title>
	66
	67	<para>
	68	<command>lxc-attach</command> runs the specified
	69	<replaceable>command</replaceable> inside the container
	70	specified by <replaceable>name</replaceable>. The container
	71	has to be running already.
	72	</para>
	73	<para>
	74	If no <replaceable>command</replaceable> is specified, the
	75	current default shell of the user running
	76	<command>lxc-attach</command> will be looked up inside the
	77	container and executed. This will fail if no such user exists
	78	inside the container or the container does not have a working
	79	nsswitch mechanism.
	80	</para>
e986ea3d CB	81	<para>
e986ea3d CB	82	Previous versions of <command>lxc-attach</command> simply attached to the
478dda76 CB	83	specified namespaces of a container and ran a shell or the specified command
478dda76 CB	84	without first allocating a pseudo terminal. This made them vulnerable to
e986ea3d	85	input faking via a TIOCSTI <command>ioctl</command> call after switching
02e5d92b	86	between userspace execution contexts with different privilege levels. Newer
e986ea3d	87	versions of <command>lxc-attach</command> will try to allocate a pseudo
478dda76 CB	88	terminal master/slave pair on the host and attach any standard file
	89	descriptors which refer to a terminal to the slave side of the pseudo
	90	terminal before executing a shell or command. Note, that if none of the
	91	standard file descriptors refer to a terminal <command>lxc-attach</command>
	92	will not try to allocate a pseudo terminal. Instead it will simply attach
	93	to the containers namespaces and run a shell or the specified command.
e986ea3d	94	</para>
49ee6cdc CS	95
	96	</refsect1>
	97
	98	<refsect1>
	99
	100	<title>Options</title>
	101
	102	<variablelist>
	103
	104	<varlistentry>
	105	<term>
	106	<option>-a, --arch <replaceable>arch</replaceable></option>
	107	</term>
	108	<listitem>
	109	<para>
	110	Specify the architecture which the kernel should appear to be
	111	running as to the command executed. This option will accept the
	112	same settings as the <option>lxc.arch</option> option in
	113	container configuration files, see
	114	<citerefentry>
	115	<refentrytitle><filename>lxc.conf</filename></refentrytitle>
	116	<manvolnum>5</manvolnum>
	117	</citerefentry>. By default, the current archictecture of the
	118	running container will be used.
	119	</para>
	120	</listitem>
	121	</varlistentry>
	122
	123	<varlistentry>
	124	<term>
4d69b293 NK	125	<option>
	126	-e, --elevated-privileges <replaceable>privileges</replaceable>
	127	</option>
49ee6cdc CS	128	</term>
	129	<listitem>
	130	<para>
	131	Do not drop privileges when running
	132	<replaceable>command</replaceable> inside the container. If
	133	this option is specified, the new process will
	134	<emphasis>not</emphasis> be added to the container's cgroup(s)
	135	and it will not drop its capabilities before executing.
	136	</para>
4d69b293 NK	137	<para>
	138	You may specify privileges, in case you do not want to elevate all of
	139	them, as a pipe-separated list, e.g.
	140	<replaceable>CGROUP\|LSM</replaceable>. Allowed values are
	141	<replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
	142	<replaceable>LSM</replaceable> representing cgroup, capabilities and
759d521b CB	143	restriction privileges respectively. (The pipe symbol needs to be escaped,
	144	e.g. <replaceable>CGROUP\\|LSM</replaceable> or quoted, e.g.
	145	<replaceable>"CGROUP\|LSM"</replaceable>.)
4d69b293	146	</para>
49ee6cdc CS	147	<para>
	148	<emphasis>Warning:</emphasis> This may leak privileges into the
	149	container if the command starts subprocesses that remain active
	150	after the main process that was attached is terminated. The
	151	(re-)starting of daemons inside the container is problematic,
	152	especially if the daemon starts a lot of subprocesses such as
	153	<command>cron</command> or <command>sshd</command>.
	154	<emphasis>Use with great care.</emphasis>
	155	</para>
	156	</listitem>
	157	</varlistentry>
	158
e13eeea2 CS	159	<varlistentry>
	160	<term>
	161	<option>-s, --namespaces <replaceable>namespaces</replaceable></option>
	162	</term>
	163	<listitem>
	164	<para>
037ba55c	165	Specify the namespaces to attach to, as a pipe-separated list,
e13eeea2 CS	166	e.g. <replaceable>NETWORK\|IPC</replaceable>. Allowed values are
	167	<replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
	168	<replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
	169	<replaceable>USER </replaceable> and
	170	<replaceable>NETWORK</replaceable>. This allows one to change
	171	the context of the process to e.g. the network namespace of the
	172	container while retaining the other namespaces as those of the
759d521b CB	173	host. (The pipe symbol needs to be escaped, e.g.
	174	<replaceable>MOUNT\\|PID</replaceable> or quoted, e.g.
	175	<replaceable>"MOUNT\|PID"</replaceable>.)
e13eeea2 CS	176	</para>
	177	<para>
	178	<emphasis>Important:</emphasis> This option implies
	179	<option>-e</option>.
	180	</para>
	181	</listitem>
	182	</varlistentry>
	183
7a0b0b56 CS	184	<varlistentry>
	185	<term>
	186	<option>-R, --remount-sys-proc</option>
	187	</term>
	188	<listitem>
	189	<para>
	190	When using <option>-s</option> and the mount namespace is not
	191	included, this flag will cause <command>lxc-attach</command>
	192	to remount <replaceable>/proc</replaceable> and
	193	<replaceable>/sys</replaceable> to reflect the current other
	194	namespace contexts.
	195	</para>
	196	<para>
	197	Please see the <emphasis>Notes</emphasis> section for more
	198	details.
	199	</para>
	200	<para>
	201	This option will be ignored if one tries to attach to the
	202	mount namespace anyway.
	203	</para>
	204	</listitem>
	205	</varlistentry>
	206
799f96fd CS	207	<varlistentry>
	208	<term>
	209	<option>--keep-env</option>
	210	</term>
	211	<listitem>
	212	<para>
	213	Keep the current environment for attached programs. This is
	214	the current default behaviour (as of version 0.9), but is
	215	is likely to change in the future, since this may leak
	216	undesirable information into the container. If you rely on
	217	the environment being available for the attached program,
	218	please use this option to be future-proof. In addition to
	219	current environment variables, container=lxc will be set.
	220	</para>
	221	</listitem>
	222	</varlistentry>
	223
	224	<varlistentry>
	225	<term>
	226	<option>--clear-env</option>
	227	</term>
	228	<listitem>
	229	<para>
	230	Clear the environment before attaching, so no undesired
	231	environment variables leak into the container. The variable
	232	container=lxc will be the only environment with which the
	233	attached program starts.
	234	</para>
	235	</listitem>
	236	</varlistentry>
	237
7a0b0b56	238	</variablelist>
49ee6cdc CS	239
	240	</refsect1>
	241
	242	&commonoptions;
	243
	244	<refsect1>
	245	<title>Examples</title>
	246	<para>
	247	To spawn a new shell running inside an existing container, use
	248	<programlisting>
	249	lxc-attach -n container
	250	</programlisting>
	251	</para>
	252	<para>
	253	To restart the cron service of a running Debian container, use
	254	<programlisting>
	255	lxc-attach -n container -- /etc/init.d/cron restart
	256	</programlisting>
	257	</para>
	258	<para>
	259	To deactivate the network link eth1 of a running container that
e13eeea2 CS	260	does not have the NET_ADMIN capability, use either the
	261	<option>-e</option> option to use increased capabilities,
	262	assuming the <command>ip</command> tool is installed:
49ee6cdc CS	263	<programlisting>
	264	lxc-attach -n container -e -- /sbin/ip link delete eth1
	265	</programlisting>
e13eeea2 CS	266	Or, alternatively, use the <option>-s</option> to use the
	267	tools installed on the host outside the container:
	268	<programlisting>
	269	lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
	270	</programlisting>
49ee6cdc	271	</para>
49ee6cdc CS	272	</refsect1>
49ee6cdc CS	273
e13eeea2 CS	274	<refsect1>
	275	<title>Compatibility</title>
	276	<para>
	277	Attaching completely (including the pid and mount namespaces) to a
a600d021 KY	278	container requires a kernel of version 3.8 or higher, or a
a600d021 KY	279	patched kernel, please see the lxc website for
e13eeea2	280	details. <command>lxc-attach</command> will fail in that case if
a600d021	281	used with an unpatched kernel of version 3.7 and prior.
e13eeea2 CS	282	</para>
	283	<para>
	284	Nevertheless, it will succeed on an unpatched kernel of version 3.0
	285	or higher if the <option>-s</option> option is used to restrict the
aa8d013e	286	namespaces that the process is to be attached to to one or more of
e13eeea2 CS	287	<replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
	288	and <replaceable>UTSNAME</replaceable>.
	289	</para>
	290	<para>
a600d021 KY	291	Attaching to user namespaces is supported by kernel 3.8 or higher
a600d021 KY	292	with enabling user namespace.
e13eeea2 CS	293	</para>
	294	</refsect1>
	295
	296	<refsect1>
	297	<title>Notes</title>
	298	<para>
	299	The Linux <replaceable>/proc</replaceable> and
	300	<replaceable>/sys</replaceable> filesystems contain information
	301	about some quantities that are affected by namespaces, such as
	302	the directories named after process ids in
36b33520	303	<replaceable>/proc</replaceable> or the network interface information
e13eeea2 CS	304	in <replaceable>/sys/class/net</replaceable>. The namespace of the
	305	process mounting the pseudo-filesystems determines what information
	306	is shown, <emphasis>not</emphasis> the namespace of the process
	307	accessing <replaceable>/proc</replaceable> or
	308	<replaceable>/sys</replaceable>.
	309	</para>
	310	<para>
	311	If one uses the <option>-s</option> option to only attach to
	312	the pid namespace of a container, but not its mount namespace
	313	(which will contain the <replaceable>/proc</replaceable> of the
	314	container and not the host), the contents of <option>/proc</option>
	315	will reflect that of the host and not the container. Analogously,
	316	the same issue occurs when reading the contents of
	317	<replaceable>/sys/class/net</replaceable> and attaching to just
	318	the network namespace.
	319	</para>
	320	<para>
7a0b0b56 CS	321	To work around this problem, the <option>-R</option> flag provides
	322	the option to remount <replaceable>/proc</replaceable> and
	323	<replaceable>/sys</replaceable> in order for them to reflect the
	324	network/pid namespace context of the attached process. In order
	325	not to interfere with the host's actual filesystem, the mount
	326	namespace will be unshared (like <command>lxc-unshare</command>
	327	does) before this is done, esentially giving the process a new
	328	mount namespace, which is identical to the hosts's mount namespace
	329	except for the <replaceable>/proc</replaceable> and
	330	<replaceable>/sys</replaceable> filesystems.
e13eeea2	331	</para>
e986ea3d CB	332	<para>
	333	Previous versions of <command>lxc-attach</command> suffered a bug whereby
	334	a user could attach to a containers namespace without being placed in a
	335	writeable cgroup for some critical subsystems. Newer versions of
	336	<command>lxc-attach</command> will check whether a user is in a writeable
	337	cgroup for those critical subsystems. <command>lxc-attach</command> might
	338	thus fail unexpectedly for some users (E.g. on systems where an
	339	unprivileged user is not placed in a writeable cgroup in critical
	340	subsystems on login.). However, this behavior is correct and more secure.
	341	</para>
e13eeea2 CS	342	</refsect1>
e13eeea2 CS	343
49ee6cdc CS	344	<refsect1>
	345	<title>Security</title>
	346	<para>
e13eeea2 CS	347	The <option>-e</option> and <option>-s</option> options should
	348	be used with care, as it may break the isolation of the containers
	349	if used improperly.
49ee6cdc CS	350	</para>
	351	</refsect1>
	352
	353	&seealso;
	354
	355	<refsect1>
	356	<title>Author</title>
	357	<para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
	358	</refsect1>
	359
	360	</refentry>
	361
	362	<!-- Keep this comment at the end of the file
	363	Local variables:
	364	mode: sgml
	365	sgml-omittag:t
	366	sgml-shorttag:t
	367	sgml-minimize-attributes:nil
	368	sgml-always-quote-attributes:t
	369	sgml-indent-step:2
	370	sgml-indent-data:t
	371	sgml-parent-document:nil
	372	sgml-default-dtd-file:nil
	373	sgml-exposed-tags:nil
	374	sgml-local-catalogs:nil
	375	sgml-local-ecat-files:nil
	376	End:
	377	-->