[mirror_lxc.git] / doc / lxc-attach.sgml.in

<!--

lxc: linux Container library

(C) Copyright IBM Corp. 2007, 2008

Authors:
Daniel Lezcano <daniel.lezcano at free.fr>

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

-->

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
]>

<refentry>

  <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>

  <refmeta>
    <refentrytitle>lxc-attach</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>lxc-attach</refname>

    <refpurpose>
      start a process inside a running container.
    </refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>lxc-attach</command>
      <arg choice="req">-n <replaceable>name</replaceable></arg>
      <arg choice="opt">-a <replaceable>arch</replaceable></arg>
      <arg choice="opt">-e</arg>
      <arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
      <arg choice="opt">-R</arg>
      <arg choice="opt">-- <replaceable>command</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>
      <command>lxc-attach</command> runs the specified
      <replaceable>command</replaceable> inside the container
      specified by <replaceable>name</replaceable>. The container
      has to be running already.
    </para>
    <para>
      If no <replaceable>command</replaceable> is specified, the
      current default shell of the user running
      <command>lxc-attach</command> will be looked up inside the
      container and executed. This will fail if no such user exists
      inside the container or the container does not have a working
      nsswitch mechanism.
    </para>

  </refsect1>

  <refsect1>

    <title>Options</title>

    <variablelist>

      <varlistentry>
	<term>
	  <option>-a, --arch <replaceable>arch</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the architecture which the kernel should appear to be
	    running as to the command executed. This option will accept the
	    same settings as the <option>lxc.arch</option> option in
	    container configuration files, see
	    <citerefentry>
	      <refentrytitle><filename>lxc.conf</filename></refentrytitle>
	      <manvolnum>5</manvolnum>
	    </citerefentry>. By default, the current archictecture of the
	    running container will be used.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-e, --elevated-privileges</option>
	</term>
	<listitem>
	  <para>
	    Do not drop privileges when running
	    <replaceable>command</replaceable> inside the container. If
	    this option is specified, the new process will
	    <emphasis>not</emphasis> be added to the container's cgroup(s)
	    and it will not drop its capabilities before executing.
	  </para>
	  <para>
	    <emphasis>Warning:</emphasis> This may leak privileges into the
	    container if the command starts subprocesses that remain active
	    after the main process that was attached is terminated. The
	    (re-)starting of daemons inside the container is problematic,
	    especially if the daemon starts a lot of subprocesses such as
	    <command>cron</command> or <command>sshd</command>.
	    <emphasis>Use with great care.</emphasis>
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the namespaces to attach to, as a pipe-separated list,
	    e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
	    <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
	    <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
	    <replaceable>USER </replaceable> and
	    <replaceable>NETWORK</replaceable>. This allows one to change
	    the context of the process to e.g. the network namespace of the
	    container while retaining the other namespaces as those of the
	    host.
	  </para>
	  <para>
	    <emphasis>Important:</emphasis> This option implies
	    <option>-e</option>.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-R, --remount-sys-proc</option>
	</term>
	<listitem>
	  <para>
	    When using <option>-s</option> and the mount namespace is not
	    included, this flag will cause <command>lxc-attach</command>
	    to remount <replaceable>/proc</replaceable> and
	    <replaceable>/sys</replaceable> to reflect the current other
	    namespace contexts.
	  </para>
	  <para>
	    Please see the <emphasis>Notes</emphasis> section for more
	    details.
	  </para>
	  <para>
	    This option will be ignored if one tries to attach to the
	    mount namespace anyway.
	  </para>
	</listitem>
      </varlistentry>

     </variablelist>

  </refsect1>

  &commonoptions;

  <refsect1>
    <title>Examples</title>
      <para>
        To spawn a new shell running inside an existing container, use
        <programlisting>
          lxc-attach -n container
        </programlisting>
      </para>
      <para>
        To restart the cron service of a running Debian container, use
        <programlisting>
          lxc-attach -n container -- /etc/init.d/cron restart
        </programlisting>
      </para>
      <para>
        To deactivate the network link eth1 of a running container that
        does not have the NET_ADMIN capability, use either the
        <option>-e</option> option to use increased capabilities,
        assuming the <command>ip</command> tool is installed:
        <programlisting>
          lxc-attach -n container -e -- /sbin/ip link delete eth1
        </programlisting>
        Or, alternatively, use the <option>-s</option> to use the
        tools installed on the host outside the container:
        <programlisting>
          lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
        </programlisting>
      </para>
  </refsect1>

  <refsect1>
    <title>Compatibility</title>
    <para>
      Attaching completely (including the pid and mount namespaces) to a
      container requires a patched kernel, please see the lxc website for
      details. <command>lxc-attach</command> will fail in that case if
      used with an unpatched kernel.
    </para>
    <para>
      Nevertheless, it will succeed on an unpatched kernel of version 3.0
      or higher if the <option>-s</option> option is used to restrict the
      namespaces that the process is to be attached to to one or more of
      <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
      and <replaceable>UTSNAME</replaceable>.
    </para>
    <para>
      Attaching to user namespaces is currently completely unsupported
      by the kernel. <command>lxc-attach</command> should however be able
      to do this once once future kernel versions implement this.
    </para>
  </refsect1>

  <refsect1>
    <title>Notes</title>
    <para>
      The Linux <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> filesystems contain information
      about some quantities that are affected by namespaces, such as
      the directories named after process ids in
      <replaceable>/proc</replaceable> or the network interface infromation
      in <replaceable>/sys/class/net</replaceable>. The namespace of the
      process mounting the pseudo-filesystems determines what information
      is shown, <emphasis>not</emphasis> the namespace of the process
      accessing <replaceable>/proc</replaceable> or
      <replaceable>/sys</replaceable>.
    </para>
    <para>
      If one uses the <option>-s</option> option to only attach to
      the pid namespace of a container, but not its mount namespace
      (which will contain the <replaceable>/proc</replaceable> of the
      container and not the host), the contents of <option>/proc</option>
      will reflect that of the host and not the container. Analogously,
      the same issue occurs when reading the contents of
      <replaceable>/sys/class/net</replaceable> and attaching to just
      the network namespace.
    </para>
    <para>
      To work around this problem, the <option>-R</option> flag provides
      the option to remount <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> in order for them to reflect the
      network/pid namespace context of the attached process. In order
      not to interfere with the host's actual filesystem, the mount
      namespace will be unshared (like <command>lxc-unshare</command>
      does) before this is done, esentially giving the process a new
      mount namespace, which is identical to the hosts's mount namespace
      except for the <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> filesystems.
    </para>
  </refsect1>

  <refsect1>
    <title>Security</title>
    <para>
      The <option>-e</option> and <option>-s</option> options should
      be used with care, as it may break the isolation of the containers
      if used improperly.
    </para>
  </refsect1>

  &seealso;

  <refsect1>
    <title>Author</title>
    <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
  </refsect1>

</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->
Commit	Line	Data
49ee6cdc CS	1	<!--
	2
	3	lxc: linux Container library
	4
	5	(C) Copyright IBM Corp. 2007, 2008
	6
	7	Authors:
9afe19d6	8	Daniel Lezcano <daniel.lezcano at free.fr>
49ee6cdc CS	9
	10	This library is free software; you can redistribute it and/or
	11	modify it under the terms of the GNU Lesser General Public
	12	License as published by the Free Software Foundation; either
	13	version 2.1 of the License, or (at your option) any later version.
	14
	15	This library is distributed in the hope that it will be useful,
	16	but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	Lesser General Public License for more details.
	19
	20	You should have received a copy of the GNU Lesser General Public
	21	License along with this library; if not, write to the Free Software
	22	Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	23
	24	-->
	25
aa8d013e	26	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
49ee6cdc CS	27
	28	<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
	29	<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
	30	]>
	31
	32	<refentry>
	33
	34	<docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
	35
	36	<refmeta>
	37	<refentrytitle>lxc-attach</refentrytitle>
	38	<manvolnum>1</manvolnum>
	39	</refmeta>
	40
	41	<refnamediv>
	42	<refname>lxc-attach</refname>
	43
	44	<refpurpose>
	45	start a process inside a running container.
	46	</refpurpose>
	47	</refnamediv>
	48
	49	<refsynopsisdiv>
b4578c5b DE	50	<cmdsynopsis>
	51	<command>lxc-attach</command>
	52	<arg choice="req">-n <replaceable>name</replaceable></arg>
	53	<arg choice="opt">-a <replaceable>arch</replaceable></arg>
	54	<arg choice="opt">-e</arg>
e13eeea2	55	<arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
7a0b0b56	56	<arg choice="opt">-R</arg>
b4578c5b DE	57	<arg choice="opt">-- <replaceable>command</replaceable></arg>
b4578c5b DE	58	</cmdsynopsis>
49ee6cdc CS	59	</refsynopsisdiv>
	60
	61	<refsect1>
	62	<title>Description</title>
	63
	64	<para>
	65	<command>lxc-attach</command> runs the specified
	66	<replaceable>command</replaceable> inside the container
	67	specified by <replaceable>name</replaceable>. The container
	68	has to be running already.
	69	</para>
	70	<para>
	71	If no <replaceable>command</replaceable> is specified, the
	72	current default shell of the user running
	73	<command>lxc-attach</command> will be looked up inside the
	74	container and executed. This will fail if no such user exists
	75	inside the container or the container does not have a working
	76	nsswitch mechanism.
	77	</para>
	78
	79	</refsect1>
	80
	81	<refsect1>
	82
	83	<title>Options</title>
	84
	85	<variablelist>
	86
	87	<varlistentry>
	88	<term>
	89	<option>-a, --arch <replaceable>arch</replaceable></option>
	90	</term>
	91	<listitem>
	92	<para>
	93	Specify the architecture which the kernel should appear to be
	94	running as to the command executed. This option will accept the
	95	same settings as the <option>lxc.arch</option> option in
	96	container configuration files, see
	97	<citerefentry>
	98	<refentrytitle><filename>lxc.conf</filename></refentrytitle>
	99	<manvolnum>5</manvolnum>
	100	</citerefentry>. By default, the current archictecture of the
	101	running container will be used.
	102	</para>
	103	</listitem>
	104	</varlistentry>
	105
	106	<varlistentry>
	107	<term>
	108	<option>-e, --elevated-privileges</option>
	109	</term>
	110	<listitem>
	111	<para>
	112	Do not drop privileges when running
	113	<replaceable>command</replaceable> inside the container. If
	114	this option is specified, the new process will
	115	<emphasis>not</emphasis> be added to the container's cgroup(s)
	116	and it will not drop its capabilities before executing.
	117	</para>
	118	<para>
	119	<emphasis>Warning:</emphasis> This may leak privileges into the
	120	container if the command starts subprocesses that remain active
	121	after the main process that was attached is terminated. The
	122	(re-)starting of daemons inside the container is problematic,
123	especially if the daemon starts a lot of subprocesses such as
124	<command>cron</command> or <command>sshd</command>.
125	<emphasis>Use with great care.</emphasis>
126	</para>
127	</listitem>
128	</varlistentry>
129
e13eeea2 CS	130	<varlistentry>
	131	<term>
	132	<option>-s, --namespaces <replaceable>namespaces</replaceable></option>
	133	</term>
	134	<listitem>
	135	<para>
037ba55c	136	Specify the namespaces to attach to, as a pipe-separated list,
e13eeea2 CS	137	e.g. <replaceable>NETWORK\|IPC</replaceable>. Allowed values are
	138	<replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
	139	<replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
	140	<replaceable>USER </replaceable> and
	141	<replaceable>NETWORK</replaceable>. This allows one to change
	142	the context of the process to e.g. the network namespace of the
	143	container while retaining the other namespaces as those of the
	144	host.
	145	</para>
	146	<para>
	147	<emphasis>Important:</emphasis> This option implies
	148	<option>-e</option>.
	149	</para>
	150	</listitem>
	151	</varlistentry>
	152
7a0b0b56 CS	153	<varlistentry>
	154	<term>
	155	<option>-R, --remount-sys-proc</option>
	156	</term>
	157	<listitem>
	158	<para>
	159	When using <option>-s</option> and the mount namespace is not
	160	included, this flag will cause <command>lxc-attach</command>
	161	to remount <replaceable>/proc</replaceable> and
	162	<replaceable>/sys</replaceable> to reflect the current other
	163	namespace contexts.
	164	</para>
	165	<para>
	166	Please see the <emphasis>Notes</emphasis> section for more
	167	details.
	168	</para>
	169	<para>
	170	This option will be ignored if one tries to attach to the
	171	mount namespace anyway.
	172	</para>
	173	</listitem>
	174	</varlistentry>
	175
	176	</variablelist>
49ee6cdc CS	177
	178	</refsect1>
	179
	180	&commonoptions;
	181
	182	<refsect1>
	183	<title>Examples</title>
	184	<para>
	185	To spawn a new shell running inside an existing container, use
	186	<programlisting>
	187	lxc-attach -n container
	188	</programlisting>
	189	</para>
	190	<para>
	191	To restart the cron service of a running Debian container, use
	192	<programlisting>
	193	lxc-attach -n container -- /etc/init.d/cron restart
	194	</programlisting>
	195	</para>
	196	<para>
	197	To deactivate the network link eth1 of a running container that
e13eeea2 CS	198	does not have the NET_ADMIN capability, use either the
	199	<option>-e</option> option to use increased capabilities,
	200	assuming the <command>ip</command> tool is installed:
49ee6cdc CS	201	<programlisting>
	202	lxc-attach -n container -e -- /sbin/ip link delete eth1
	203	</programlisting>
e13eeea2 CS	204	Or, alternatively, use the <option>-s</option> to use the
	205	tools installed on the host outside the container:
	206	<programlisting>
	207	lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
	208	</programlisting>
49ee6cdc	209	</para>
49ee6cdc CS	210	</refsect1>
49ee6cdc CS	211
e13eeea2 CS	212	<refsect1>
	213	<title>Compatibility</title>
	214	<para>
	215	Attaching completely (including the pid and mount namespaces) to a
	216	container requires a patched kernel, please see the lxc website for
	217	details. <command>lxc-attach</command> will fail in that case if
	218	used with an unpatched kernel.
	219	</para>
	220	<para>
	221	Nevertheless, it will succeed on an unpatched kernel of version 3.0
	222	or higher if the <option>-s</option> option is used to restrict the
aa8d013e	223	namespaces that the process is to be attached to to one or more of
e13eeea2 CS	224	<replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
	225	and <replaceable>UTSNAME</replaceable>.
	226	</para>
	227	<para>
	228	Attaching to user namespaces is currently completely unsupported
	229	by the kernel. <command>lxc-attach</command> should however be able
	230	to do this once once future kernel versions implement this.
	231	</para>
	232	</refsect1>
	233
	234	<refsect1>
	235	<title>Notes</title>
	236	<para>
	237	The Linux <replaceable>/proc</replaceable> and
	238	<replaceable>/sys</replaceable> filesystems contain information
	239	about some quantities that are affected by namespaces, such as
	240	the directories named after process ids in
	241	<replaceable>/proc</replaceable> or the network interface infromation
	242	in <replaceable>/sys/class/net</replaceable>. The namespace of the
	243	process mounting the pseudo-filesystems determines what information
	244	is shown, <emphasis>not</emphasis> the namespace of the process
	245	accessing <replaceable>/proc</replaceable> or
	246	<replaceable>/sys</replaceable>.
	247	</para>
	248	<para>
	249	If one uses the <option>-s</option> option to only attach to
	250	the pid namespace of a container, but not its mount namespace
	251	(which will contain the <replaceable>/proc</replaceable> of the
	252	container and not the host), the contents of <option>/proc</option>
	253	will reflect that of the host and not the container. Analogously,
	254	the same issue occurs when reading the contents of
	255	<replaceable>/sys/class/net</replaceable> and attaching to just
	256	the network namespace.
	257	</para>
	258	<para>
7a0b0b56 CS	259	To work around this problem, the <option>-R</option> flag provides
	260	the option to remount <replaceable>/proc</replaceable> and
	261	<replaceable>/sys</replaceable> in order for them to reflect the
	262	network/pid namespace context of the attached process. In order
	263	not to interfere with the host's actual filesystem, the mount
	264	namespace will be unshared (like <command>lxc-unshare</command>
	265	does) before this is done, esentially giving the process a new
	266	mount namespace, which is identical to the hosts's mount namespace
	267	except for the <replaceable>/proc</replaceable> and
	268	<replaceable>/sys</replaceable> filesystems.
e13eeea2 CS	269	</para>
	270	</refsect1>
	271
49ee6cdc CS	272	<refsect1>
	273	<title>Security</title>
	274	<para>
e13eeea2 CS	275	The <option>-e</option> and <option>-s</option> options should
	276	be used with care, as it may break the isolation of the containers
	277	if used improperly.
49ee6cdc CS	278	</para>
	279	</refsect1>
	280
	281	&seealso;
	282
	283	<refsect1>
	284	<title>Author</title>
	285	<para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
	286	</refsect1>
	287
	288	</refentry>
	289
	290	<!-- Keep this comment at the end of the file
	291	Local variables:
	292	mode: sgml
	293	sgml-omittag:t
	294	sgml-shorttag:t
	295	sgml-minimize-attributes:nil
	296	sgml-always-quote-attributes:t
	297	sgml-indent-step:2
	298	sgml-indent-data:t
	299	sgml-parent-document:nil
	300	sgml-default-dtd-file:nil
	301	sgml-exposed-tags:nil
	302	sgml-local-catalogs:nil
	303	sgml-local-ecat-files:nil
	304	End:
	305	-->