[mirror_lxc.git] / doc / lxc-attach.sgml.in

<!--

lxc: linux Container library

(C) Copyright IBM Corp. 2007, 2008

Authors:
Daniel Lezcano <daniel.lezcano at free.fr>

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

-->


<!DOCTYPE refentry PUBLIC @docdtd@ [

<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
]>

<refentry>

  <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>

  <refmeta>
    <refentrytitle>lxc-attach</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>lxc-attach</refname>

    <refpurpose>
      start a process inside a running container.
    </refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>lxc-attach</command>
      <arg choice="req">-n <replaceable>name</replaceable></arg>
      <arg choice="opt">-a <replaceable>arch</replaceable></arg>
      <arg choice="opt">-e</arg>
      <arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
      <arg choice="opt">-R</arg>
      <arg choice="opt">--keep-env</arg>
      <arg choice="opt">--clear-env</arg>
      <arg choice="opt">-- <replaceable>command</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>
      <command>lxc-attach</command> runs the specified
      <replaceable>command</replaceable> inside the container
      specified by <replaceable>name</replaceable>. The container
      has to be running already.
    </para>
    <para>
      If no <replaceable>command</replaceable> is specified, the
      current default shell of the user running
      <command>lxc-attach</command> will be looked up inside the
      container and executed. This will fail if no such user exists
      inside the container or the container does not have a working
      nsswitch mechanism.
    </para>
    <para>
    Previous versions of <command>lxc-attach</command> simply attached to the
    specified namespaces of a container and ran a shell or the specified
    command without allocating a pseudo terminal. This made them vulnerable to
    input faking via a TIOCSTI <command>ioctl</command> call after switching
    between userspace execution contexts with different privilege levels. Newer
    versions of <command>lxc-attach</command> will try to allocate a pseudo
    terminal master/slave pair and attach any standard file descriptors which
    refer to a terminal to the slave side of the pseudo terminal before
    executing a shell or command. <command>lxc-attach</command> will first try
    to allocate a pseudo terminal in the container. Should this fail it will try
    to allocate a pseudo terminal on the host before finally giving up. Note,
    that if none of the standard file descriptors refer to a terminal
    <command>lxc-attach</command> will not try to allocate a pseudo terminal.
    Instead it will simply attach to the containers namespaces and run a shell
    or the specified command.
    </para>

  </refsect1>

  <refsect1>

    <title>Options</title>

    <variablelist>

      <varlistentry>
	<term>
	  <option>-a, --arch <replaceable>arch</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the architecture which the kernel should appear to be
	    running as to the command executed. This option will accept the
	    same settings as the <option>lxc.arch</option> option in
	    container configuration files, see
	    <citerefentry>
	      <refentrytitle><filename>lxc.conf</filename></refentrytitle>
	      <manvolnum>5</manvolnum>
	    </citerefentry>. By default, the current archictecture of the
	    running container will be used.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>
      -e, --elevated-privileges <replaceable>privileges</replaceable>
    </option>
	</term>
	<listitem>
	  <para>
	    Do not drop privileges when running
	    <replaceable>command</replaceable> inside the container. If
	    this option is specified, the new process will
	    <emphasis>not</emphasis> be added to the container's cgroup(s)
	    and it will not drop its capabilities before executing.
	  </para>
    <para>
      You may specify privileges, in case you do not want to elevate all of
      them, as a pipe-separated list, e.g.
      <replaceable>CGROUP|LSM</replaceable>. Allowed values are
      <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
      <replaceable>LSM</replaceable> representing cgroup, capabilities and
      restriction privileges respectively.
    </para>
	  <para>
	    <emphasis>Warning:</emphasis> This may leak privileges into the
	    container if the command starts subprocesses that remain active
	    after the main process that was attached is terminated. The
	    (re-)starting of daemons inside the container is problematic,
	    especially if the daemon starts a lot of subprocesses such as
	    <command>cron</command> or <command>sshd</command>.
	    <emphasis>Use with great care.</emphasis>
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the namespaces to attach to, as a pipe-separated list,
	    e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
	    <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
	    <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
	    <replaceable>USER </replaceable> and
	    <replaceable>NETWORK</replaceable>. This allows one to change
	    the context of the process to e.g. the network namespace of the
	    container while retaining the other namespaces as those of the
	    host.
	  </para>
	  <para>
	    <emphasis>Important:</emphasis> This option implies
	    <option>-e</option>.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-R, --remount-sys-proc</option>
	</term>
	<listitem>
	  <para>
	    When using <option>-s</option> and the mount namespace is not
	    included, this flag will cause <command>lxc-attach</command>
	    to remount <replaceable>/proc</replaceable> and
	    <replaceable>/sys</replaceable> to reflect the current other
	    namespace contexts.
	  </para>
	  <para>
	    Please see the <emphasis>Notes</emphasis> section for more
	    details.
	  </para>
	  <para>
	    This option will be ignored if one tries to attach to the
	    mount namespace anyway.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--keep-env</option>
	</term>
	<listitem>
	  <para>
	    Keep the current environment for attached programs. This is
	    the current default behaviour (as of version 0.9), but is
	    is likely to change in the future, since this may leak
	    undesirable information into the container. If you rely on
	    the environment being available for the attached program,
	    please use this option to be future-proof. In addition to
	    current environment variables, container=lxc will be set.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--clear-env</option>
	</term>
	<listitem>
	  <para>
	    Clear the environment before attaching, so no undesired
	    environment variables leak into the container. The variable
	    container=lxc will be the only environment with which the
	    attached program starts.
	  </para>
	</listitem>
      </varlistentry>

     </variablelist>

  </refsect1>

  &commonoptions;

  <refsect1>
    <title>Examples</title>
      <para>
        To spawn a new shell running inside an existing container, use
        <programlisting>
          lxc-attach -n container
        </programlisting>
      </para>
      <para>
        To restart the cron service of a running Debian container, use
        <programlisting>
          lxc-attach -n container -- /etc/init.d/cron restart
        </programlisting>
      </para>
      <para>
        To deactivate the network link eth1 of a running container that
        does not have the NET_ADMIN capability, use either the
        <option>-e</option> option to use increased capabilities,
        assuming the <command>ip</command> tool is installed:
        <programlisting>
          lxc-attach -n container -e -- /sbin/ip link delete eth1
        </programlisting>
        Or, alternatively, use the <option>-s</option> to use the
        tools installed on the host outside the container:
        <programlisting>
          lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
        </programlisting>
      </para>
  </refsect1>

  <refsect1>
    <title>Compatibility</title>
    <para>
      Attaching completely (including the pid and mount namespaces) to a
      container requires a kernel of version 3.8 or higher, or a
      patched kernel, please see the lxc website for
      details. <command>lxc-attach</command> will fail in that case if
      used with an unpatched kernel of version 3.7 and prior.
    </para>
    <para>
      Nevertheless, it will succeed on an unpatched kernel of version 3.0
      or higher if the <option>-s</option> option is used to restrict the
      namespaces that the process is to be attached to to one or more of
      <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
      and <replaceable>UTSNAME</replaceable>.
    </para>
    <para>
      Attaching to user namespaces is supported by kernel 3.8 or higher
      with enabling user namespace.
    </para>
  </refsect1>

  <refsect1>
    <title>Notes</title>
    <para>
      The Linux <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> filesystems contain information
      about some quantities that are affected by namespaces, such as
      the directories named after process ids in
      <replaceable>/proc</replaceable> or the network interface information
      in <replaceable>/sys/class/net</replaceable>. The namespace of the
      process mounting the pseudo-filesystems determines what information
      is shown, <emphasis>not</emphasis> the namespace of the process
      accessing <replaceable>/proc</replaceable> or
      <replaceable>/sys</replaceable>.
    </para>
    <para>
      If one uses the <option>-s</option> option to only attach to
      the pid namespace of a container, but not its mount namespace
      (which will contain the <replaceable>/proc</replaceable> of the
      container and not the host), the contents of <option>/proc</option>
      will reflect that of the host and not the container. Analogously,
      the same issue occurs when reading the contents of
      <replaceable>/sys/class/net</replaceable> and attaching to just
      the network namespace.
    </para>
    <para>
      To work around this problem, the <option>-R</option> flag provides
      the option to remount <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> in order for them to reflect the
      network/pid namespace context of the attached process. In order
      not to interfere with the host's actual filesystem, the mount
      namespace will be unshared (like <command>lxc-unshare</command>
      does) before this is done, esentially giving the process a new
      mount namespace, which is identical to the hosts's mount namespace
      except for the <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> filesystems.
    </para>
    <para>
      Previous versions of <command>lxc-attach</command> suffered a bug whereby
      a user could attach to a containers namespace without being placed in a
      writeable cgroup for some critical subsystems. Newer versions of
      <command>lxc-attach</command> will check whether a user is in a writeable
      cgroup for those critical subsystems. <command>lxc-attach</command> might
      thus fail unexpectedly for some users (E.g. on systems where an
      unprivileged user is not placed in a writeable cgroup in critical
      subsystems on login.). However, this behavior is correct and more secure.
    </para>
  </refsect1>

  <refsect1>
    <title>Security</title>
    <para>
      The <option>-e</option> and <option>-s</option> options should
      be used with care, as it may break the isolation of the containers
      if used improperly.
    </para>
  </refsect1>

  &seealso;

  <refsect1>
    <title>Author</title>
    <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
  </refsect1>

</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->
Commit	Line	Data
49ee6cdc CS	1	<!--
	2
	3	lxc: linux Container library
	4
	5	(C) Copyright IBM Corp. 2007, 2008
	6
	7	Authors:
9afe19d6	8	Daniel Lezcano <daniel.lezcano at free.fr>
49ee6cdc CS	9
	10	This library is free software; you can redistribute it and/or
	11	modify it under the terms of the GNU Lesser General Public
	12	License as published by the Free Software Foundation; either
	13	version 2.1 of the License, or (at your option) any later version.
	14
	15	This library is distributed in the hope that it will be useful,
	16	but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	Lesser General Public License for more details.
	19
	20	You should have received a copy of the GNU Lesser General Public
	21	License along with this library; if not, write to the Free Software
250b1eec	22	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
49ee6cdc CS	23
	24	-->
	25
4d69b293	26
7f951458	27	<!DOCTYPE refentry PUBLIC @docdtd@ [
49ee6cdc CS	28
	29	<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
	30	<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
	31	]>
	32
	33	<refentry>
	34
	35	<docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
	36
	37	<refmeta>
	38	<refentrytitle>lxc-attach</refentrytitle>
	39	<manvolnum>1</manvolnum>
	40	</refmeta>
	41
	42	<refnamediv>
	43	<refname>lxc-attach</refname>
	44
	45	<refpurpose>
	46	start a process inside a running container.
	47	</refpurpose>
	48	</refnamediv>
	49
	50	<refsynopsisdiv>
b4578c5b DE	51	<cmdsynopsis>
	52	<command>lxc-attach</command>
	53	<arg choice="req">-n <replaceable>name</replaceable></arg>
	54	<arg choice="opt">-a <replaceable>arch</replaceable></arg>
	55	<arg choice="opt">-e</arg>
e13eeea2	56	<arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
7a0b0b56	57	<arg choice="opt">-R</arg>
799f96fd CS	58	<arg choice="opt">--keep-env</arg>
799f96fd CS	59	<arg choice="opt">--clear-env</arg>
b4578c5b DE	60	<arg choice="opt">-- <replaceable>command</replaceable></arg>
b4578c5b DE	61	</cmdsynopsis>
49ee6cdc CS	62	</refsynopsisdiv>
	63
	64	<refsect1>
	65	<title>Description</title>
	66
	67	<para>
	68	<command>lxc-attach</command> runs the specified
	69	<replaceable>command</replaceable> inside the container
	70	specified by <replaceable>name</replaceable>. The container
	71	has to be running already.
	72	</para>
	73	<para>
	74	If no <replaceable>command</replaceable> is specified, the
	75	current default shell of the user running
	76	<command>lxc-attach</command> will be looked up inside the
	77	container and executed. This will fail if no such user exists
	78	inside the container or the container does not have a working
	79	nsswitch mechanism.
	80	</para>
e986ea3d CB	81	<para>
	82	Previous versions of <command>lxc-attach</command> simply attached to the
	83	specified namespaces of a container and ran a shell or the specified
	84	command without allocating a pseudo terminal. This made them vulnerable to
	85	input faking via a TIOCSTI <command>ioctl</command> call after switching
02e5d92b	86	between userspace execution contexts with different privilege levels. Newer
e986ea3d CB	87	versions of <command>lxc-attach</command> will try to allocate a pseudo
	88	terminal master/slave pair and attach any standard file descriptors which
	89	refer to a terminal to the slave side of the pseudo terminal before
	90	executing a shell or command. <command>lxc-attach</command> will first try
	91	to allocate a pseudo terminal in the container. Should this fail it will try
	92	to allocate a pseudo terminal on the host before finally giving up. Note,
	93	that if none of the standard file descriptors refer to a terminal
	94	<command>lxc-attach</command> will not try to allocate a pseudo terminal.
	95	Instead it will simply attach to the containers namespaces and run a shell
	96	or the specified command.
	97	</para>
49ee6cdc CS	98
	99	</refsect1>
	100
	101	<refsect1>
	102
	103	<title>Options</title>
	104
	105	<variablelist>
	106
	107	<varlistentry>
	108	<term>
	109	<option>-a, --arch <replaceable>arch</replaceable></option>
	110	</term>
	111	<listitem>
	112	<para>
	113	Specify the architecture which the kernel should appear to be
	114	running as to the command executed. This option will accept the
	115	same settings as the <option>lxc.arch</option> option in
	116	container configuration files, see
	117	<citerefentry>
	118	<refentrytitle><filename>lxc.conf</filename></refentrytitle>
	119	<manvolnum>5</manvolnum>
	120	</citerefentry>. By default, the current archictecture of the
	121	running container will be used.
	122	</para>
	123	</listitem>
	124	</varlistentry>
	125
	126	<varlistentry>
	127	<term>
4d69b293 NK	128	<option>
	129	-e, --elevated-privileges <replaceable>privileges</replaceable>
	130	</option>
49ee6cdc CS	131	</term>
	132	<listitem>
	133	<para>
	134	Do not drop privileges when running
	135	<replaceable>command</replaceable> inside the container. If
	136	this option is specified, the new process will
	137	<emphasis>not</emphasis> be added to the container's cgroup(s)
	138	and it will not drop its capabilities before executing.
	139	</para>
4d69b293 NK	140	<para>
	141	You may specify privileges, in case you do not want to elevate all of
	142	them, as a pipe-separated list, e.g.
	143	<replaceable>CGROUP\|LSM</replaceable>. Allowed values are
	144	<replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
	145	<replaceable>LSM</replaceable> representing cgroup, capabilities and
	146	restriction privileges respectively.
	147	</para>
49ee6cdc CS	148	<para>
	149	<emphasis>Warning:</emphasis> This may leak privileges into the
	150	container if the command starts subprocesses that remain active
	151	after the main process that was attached is terminated. The
	152	(re-)starting of daemons inside the container is problematic,
	153	especially if the daemon starts a lot of subprocesses such as
	154	<command>cron</command> or <command>sshd</command>.
	155	<emphasis>Use with great care.</emphasis>
	156	</para>
	157	</listitem>
	158	</varlistentry>
	159
e13eeea2 CS	160	<varlistentry>
	161	<term>
	162	<option>-s, --namespaces <replaceable>namespaces</replaceable></option>
	163	</term>
	164	<listitem>
	165	<para>
037ba55c	166	Specify the namespaces to attach to, as a pipe-separated list,
e13eeea2 CS	167	e.g. <replaceable>NETWORK\|IPC</replaceable>. Allowed values are
	168	<replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
	169	<replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
	170	<replaceable>USER </replaceable> and
	171	<replaceable>NETWORK</replaceable>. This allows one to change
	172	the context of the process to e.g. the network namespace of the
	173	container while retaining the other namespaces as those of the
	174	host.
	175	</para>
	176	<para>
	177	<emphasis>Important:</emphasis> This option implies
	178	<option>-e</option>.
	179	</para>
	180	</listitem>
	181	</varlistentry>
	182
7a0b0b56 CS	183	<varlistentry>
	184	<term>
	185	<option>-R, --remount-sys-proc</option>
	186	</term>
	187	<listitem>
	188	<para>
	189	When using <option>-s</option> and the mount namespace is not
	190	included, this flag will cause <command>lxc-attach</command>
	191	to remount <replaceable>/proc</replaceable> and
	192	<replaceable>/sys</replaceable> to reflect the current other
	193	namespace contexts.
	194	</para>
	195	<para>
	196	Please see the <emphasis>Notes</emphasis> section for more
	197	details.
	198	</para>
	199	<para>
	200	This option will be ignored if one tries to attach to the
	201	mount namespace anyway.
	202	</para>
	203	</listitem>
	204	</varlistentry>
	205
799f96fd CS	206	<varlistentry>
	207	<term>
	208	<option>--keep-env</option>
	209	</term>
	210	<listitem>
	211	<para>
	212	Keep the current environment for attached programs. This is
	213	the current default behaviour (as of version 0.9), but is
	214	is likely to change in the future, since this may leak
	215	undesirable information into the container. If you rely on
	216	the environment being available for the attached program,
	217	please use this option to be future-proof. In addition to
	218	current environment variables, container=lxc will be set.
	219	</para>
	220	</listitem>
	221	</varlistentry>
	222
	223	<varlistentry>
	224	<term>
	225	<option>--clear-env</option>
	226	</term>
	227	<listitem>
	228	<para>
	229	Clear the environment before attaching, so no undesired
	230	environment variables leak into the container. The variable
	231	container=lxc will be the only environment with which the
	232	attached program starts.
	233	</para>
	234	</listitem>
	235	</varlistentry>
	236
7a0b0b56	237	</variablelist>
49ee6cdc CS	238
	239	</refsect1>
	240
	241	&commonoptions;
	242
	243	<refsect1>
	244	<title>Examples</title>
	245	<para>
	246	To spawn a new shell running inside an existing container, use
	247	<programlisting>
	248	lxc-attach -n container
	249	</programlisting>
	250	</para>
	251	<para>
	252	To restart the cron service of a running Debian container, use
	253	<programlisting>
	254	lxc-attach -n container -- /etc/init.d/cron restart
	255	</programlisting>
	256	</para>
	257	<para>
	258	To deactivate the network link eth1 of a running container that
e13eeea2 CS	259	does not have the NET_ADMIN capability, use either the
	260	<option>-e</option> option to use increased capabilities,
	261	assuming the <command>ip</command> tool is installed:
49ee6cdc CS	262	<programlisting>
	263	lxc-attach -n container -e -- /sbin/ip link delete eth1
	264	</programlisting>
e13eeea2 CS	265	Or, alternatively, use the <option>-s</option> to use the
	266	tools installed on the host outside the container:
	267	<programlisting>
	268	lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
	269	</programlisting>
49ee6cdc	270	</para>
49ee6cdc CS	271	</refsect1>
49ee6cdc CS	272
e13eeea2 CS	273	<refsect1>
	274	<title>Compatibility</title>
	275	<para>
	276	Attaching completely (including the pid and mount namespaces) to a
a600d021 KY	277	container requires a kernel of version 3.8 or higher, or a
a600d021 KY	278	patched kernel, please see the lxc website for
e13eeea2	279	details. <command>lxc-attach</command> will fail in that case if
a600d021	280	used with an unpatched kernel of version 3.7 and prior.
e13eeea2 CS	281	</para>
	282	<para>
	283	Nevertheless, it will succeed on an unpatched kernel of version 3.0
	284	or higher if the <option>-s</option> option is used to restrict the
aa8d013e	285	namespaces that the process is to be attached to to one or more of
e13eeea2 CS	286	<replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
	287	and <replaceable>UTSNAME</replaceable>.
	288	</para>
	289	<para>
a600d021 KY	290	Attaching to user namespaces is supported by kernel 3.8 or higher
a600d021 KY	291	with enabling user namespace.
e13eeea2 CS	292	</para>
	293	</refsect1>
	294
	295	<refsect1>
	296	<title>Notes</title>
	297	<para>
	298	The Linux <replaceable>/proc</replaceable> and
	299	<replaceable>/sys</replaceable> filesystems contain information
	300	about some quantities that are affected by namespaces, such as
	301	the directories named after process ids in
36b33520	302	<replaceable>/proc</replaceable> or the network interface information
e13eeea2 CS	303	in <replaceable>/sys/class/net</replaceable>. The namespace of the
	304	process mounting the pseudo-filesystems determines what information
	305	is shown, <emphasis>not</emphasis> the namespace of the process
	306	accessing <replaceable>/proc</replaceable> or
	307	<replaceable>/sys</replaceable>.
	308	</para>
	309	<para>
	310	If one uses the <option>-s</option> option to only attach to
	311	the pid namespace of a container, but not its mount namespace
	312	(which will contain the <replaceable>/proc</replaceable> of the
	313	container and not the host), the contents of <option>/proc</option>
	314	will reflect that of the host and not the container. Analogously,
	315	the same issue occurs when reading the contents of
	316	<replaceable>/sys/class/net</replaceable> and attaching to just
	317	the network namespace.
	318	</para>
	319	<para>
7a0b0b56 CS	320	To work around this problem, the <option>-R</option> flag provides
	321	the option to remount <replaceable>/proc</replaceable> and
	322	<replaceable>/sys</replaceable> in order for them to reflect the
	323	network/pid namespace context of the attached process. In order
	324	not to interfere with the host's actual filesystem, the mount
	325	namespace will be unshared (like <command>lxc-unshare</command>
	326	does) before this is done, esentially giving the process a new
	327	mount namespace, which is identical to the hosts's mount namespace
	328	except for the <replaceable>/proc</replaceable> and
	329	<replaceable>/sys</replaceable> filesystems.
e13eeea2	330	</para>
e986ea3d CB	331	<para>
	332	Previous versions of <command>lxc-attach</command> suffered a bug whereby
	333	a user could attach to a containers namespace without being placed in a
	334	writeable cgroup for some critical subsystems. Newer versions of
	335	<command>lxc-attach</command> will check whether a user is in a writeable
	336	cgroup for those critical subsystems. <command>lxc-attach</command> might
	337	thus fail unexpectedly for some users (E.g. on systems where an
	338	unprivileged user is not placed in a writeable cgroup in critical
	339	subsystems on login.). However, this behavior is correct and more secure.
	340	</para>
e13eeea2 CS	341	</refsect1>
e13eeea2 CS	342
49ee6cdc CS	343	<refsect1>
	344	<title>Security</title>
	345	<para>
e13eeea2 CS	346	The <option>-e</option> and <option>-s</option> options should
	347	be used with care, as it may break the isolation of the containers
	348	if used improperly.
49ee6cdc CS	349	</para>
	350	</refsect1>
	351
	352	&seealso;
	353
	354	<refsect1>
	355	<title>Author</title>
	356	<para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
	357	</refsect1>
	358
	359	</refentry>
	360
	361	<!-- Keep this comment at the end of the file
	362	Local variables:
	363	mode: sgml
	364	sgml-omittag:t
	365	sgml-shorttag:t
	366	sgml-minimize-attributes:nil
	367	sgml-always-quote-attributes:t
	368	sgml-indent-step:2
	369	sgml-indent-data:t
	370	sgml-parent-document:nil
	371	sgml-default-dtd-file:nil
	372	sgml-exposed-tags:nil
	373	sgml-local-catalogs:nil
	374	sgml-local-ecat-files:nil
	375	End:
	376	-->