]>
Commit | Line | Data |
---|---|---|
49ee6cdc CS |
1 | <!-- |
2 | ||
3 | lxc: linux Container library | |
4 | ||
5 | (C) Copyright IBM Corp. 2007, 2008 | |
6 | ||
7 | Authors: | |
9afe19d6 | 8 | Daniel Lezcano <daniel.lezcano at free.fr> |
49ee6cdc CS |
9 | |
10 | This library is free software; you can redistribute it and/or | |
11 | modify it under the terms of the GNU Lesser General Public | |
12 | License as published by the Free Software Foundation; either | |
13 | version 2.1 of the License, or (at your option) any later version. | |
14 | ||
15 | This library is distributed in the hope that it will be useful, | |
16 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
19 | ||
20 | You should have received a copy of the GNU Lesser General Public | |
21 | License along with this library; if not, write to the Free Software | |
250b1eec | 22 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
49ee6cdc CS |
23 | |
24 | --> | |
25 | ||
4d69b293 | 26 | |
7f951458 | 27 | <!DOCTYPE refentry PUBLIC @docdtd@ [ |
49ee6cdc CS |
28 | |
29 | <!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml"> | |
30 | <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml"> | |
31 | ]> | |
32 | ||
33 | <refentry> | |
34 | ||
35 | <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo> | |
36 | ||
37 | <refmeta> | |
38 | <refentrytitle>lxc-attach</refentrytitle> | |
39 | <manvolnum>1</manvolnum> | |
40 | </refmeta> | |
41 | ||
42 | <refnamediv> | |
43 | <refname>lxc-attach</refname> | |
44 | ||
45 | <refpurpose> | |
46 | start a process inside a running container. | |
47 | </refpurpose> | |
48 | </refnamediv> | |
49 | ||
50 | <refsynopsisdiv> | |
b4578c5b DE |
51 | <cmdsynopsis> |
52 | <command>lxc-attach</command> | |
53 | <arg choice="req">-n <replaceable>name</replaceable></arg> | |
54 | <arg choice="opt">-a <replaceable>arch</replaceable></arg> | |
55 | <arg choice="opt">-e</arg> | |
e13eeea2 | 56 | <arg choice="opt">-s <replaceable>namespaces</replaceable></arg> |
7a0b0b56 | 57 | <arg choice="opt">-R</arg> |
799f96fd CS |
58 | <arg choice="opt">--keep-env</arg> |
59 | <arg choice="opt">--clear-env</arg> | |
b4578c5b DE |
60 | <arg choice="opt">-- <replaceable>command</replaceable></arg> |
61 | </cmdsynopsis> | |
49ee6cdc CS |
62 | </refsynopsisdiv> |
63 | ||
64 | <refsect1> | |
65 | <title>Description</title> | |
66 | ||
67 | <para> | |
68 | <command>lxc-attach</command> runs the specified | |
69 | <replaceable>command</replaceable> inside the container | |
70 | specified by <replaceable>name</replaceable>. The container | |
71 | has to be running already. | |
72 | </para> | |
73 | <para> | |
74 | If no <replaceable>command</replaceable> is specified, the | |
75 | current default shell of the user running | |
76 | <command>lxc-attach</command> will be looked up inside the | |
77 | container and executed. This will fail if no such user exists | |
78 | inside the container or the container does not have a working | |
79 | nsswitch mechanism. | |
80 | </para> | |
e986ea3d CB |
81 | <para> |
82 | Previous versions of <command>lxc-attach</command> simply attached to the | |
83 | specified namespaces of a container and ran a shell or the specified | |
84 | command without allocating a pseudo terminal. This made them vulnerable to | |
85 | input faking via a TIOCSTI <command>ioctl</command> call after switching | |
02e5d92b | 86 | between userspace execution contexts with different privilege levels. Newer |
e986ea3d CB |
87 | versions of <command>lxc-attach</command> will try to allocate a pseudo |
88 | terminal master/slave pair and attach any standard file descriptors which | |
89 | refer to a terminal to the slave side of the pseudo terminal before | |
90 | executing a shell or command. <command>lxc-attach</command> will first try | |
91 | to allocate a pseudo terminal in the container. Should this fail it will try | |
92 | to allocate a pseudo terminal on the host before finally giving up. Note, | |
93 | that if none of the standard file descriptors refer to a terminal | |
94 | <command>lxc-attach</command> will not try to allocate a pseudo terminal. | |
95 | Instead it will simply attach to the containers namespaces and run a shell | |
96 | or the specified command. | |
97 | </para> | |
49ee6cdc CS |
98 | |
99 | </refsect1> | |
100 | ||
101 | <refsect1> | |
102 | ||
103 | <title>Options</title> | |
104 | ||
105 | <variablelist> | |
106 | ||
107 | <varlistentry> | |
108 | <term> | |
109 | <option>-a, --arch <replaceable>arch</replaceable></option> | |
110 | </term> | |
111 | <listitem> | |
112 | <para> | |
113 | Specify the architecture which the kernel should appear to be | |
114 | running as to the command executed. This option will accept the | |
115 | same settings as the <option>lxc.arch</option> option in | |
116 | container configuration files, see | |
117 | <citerefentry> | |
118 | <refentrytitle><filename>lxc.conf</filename></refentrytitle> | |
119 | <manvolnum>5</manvolnum> | |
120 | </citerefentry>. By default, the current archictecture of the | |
121 | running container will be used. | |
122 | </para> | |
123 | </listitem> | |
124 | </varlistentry> | |
125 | ||
126 | <varlistentry> | |
127 | <term> | |
4d69b293 NK |
128 | <option> |
129 | -e, --elevated-privileges <replaceable>privileges</replaceable> | |
130 | </option> | |
49ee6cdc CS |
131 | </term> |
132 | <listitem> | |
133 | <para> | |
134 | Do not drop privileges when running | |
135 | <replaceable>command</replaceable> inside the container. If | |
136 | this option is specified, the new process will | |
137 | <emphasis>not</emphasis> be added to the container's cgroup(s) | |
138 | and it will not drop its capabilities before executing. | |
139 | </para> | |
4d69b293 NK |
140 | <para> |
141 | You may specify privileges, in case you do not want to elevate all of | |
142 | them, as a pipe-separated list, e.g. | |
143 | <replaceable>CGROUP|LSM</replaceable>. Allowed values are | |
144 | <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and | |
145 | <replaceable>LSM</replaceable> representing cgroup, capabilities and | |
146 | restriction privileges respectively. | |
147 | </para> | |
49ee6cdc CS |
148 | <para> |
149 | <emphasis>Warning:</emphasis> This may leak privileges into the | |
150 | container if the command starts subprocesses that remain active | |
151 | after the main process that was attached is terminated. The | |
152 | (re-)starting of daemons inside the container is problematic, | |
153 | especially if the daemon starts a lot of subprocesses such as | |
154 | <command>cron</command> or <command>sshd</command>. | |
155 | <emphasis>Use with great care.</emphasis> | |
156 | </para> | |
157 | </listitem> | |
158 | </varlistentry> | |
159 | ||
e13eeea2 CS |
160 | <varlistentry> |
161 | <term> | |
162 | <option>-s, --namespaces <replaceable>namespaces</replaceable></option> | |
163 | </term> | |
164 | <listitem> | |
165 | <para> | |
037ba55c | 166 | Specify the namespaces to attach to, as a pipe-separated list, |
e13eeea2 CS |
167 | e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are |
168 | <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>, | |
169 | <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>, | |
170 | <replaceable>USER </replaceable> and | |
171 | <replaceable>NETWORK</replaceable>. This allows one to change | |
172 | the context of the process to e.g. the network namespace of the | |
173 | container while retaining the other namespaces as those of the | |
174 | host. | |
175 | </para> | |
176 | <para> | |
177 | <emphasis>Important:</emphasis> This option implies | |
178 | <option>-e</option>. | |
179 | </para> | |
180 | </listitem> | |
181 | </varlistentry> | |
182 | ||
7a0b0b56 CS |
183 | <varlistentry> |
184 | <term> | |
185 | <option>-R, --remount-sys-proc</option> | |
186 | </term> | |
187 | <listitem> | |
188 | <para> | |
189 | When using <option>-s</option> and the mount namespace is not | |
190 | included, this flag will cause <command>lxc-attach</command> | |
191 | to remount <replaceable>/proc</replaceable> and | |
192 | <replaceable>/sys</replaceable> to reflect the current other | |
193 | namespace contexts. | |
194 | </para> | |
195 | <para> | |
196 | Please see the <emphasis>Notes</emphasis> section for more | |
197 | details. | |
198 | </para> | |
199 | <para> | |
200 | This option will be ignored if one tries to attach to the | |
201 | mount namespace anyway. | |
202 | </para> | |
203 | </listitem> | |
204 | </varlistentry> | |
205 | ||
799f96fd CS |
206 | <varlistentry> |
207 | <term> | |
208 | <option>--keep-env</option> | |
209 | </term> | |
210 | <listitem> | |
211 | <para> | |
212 | Keep the current environment for attached programs. This is | |
213 | the current default behaviour (as of version 0.9), but is | |
214 | is likely to change in the future, since this may leak | |
215 | undesirable information into the container. If you rely on | |
216 | the environment being available for the attached program, | |
217 | please use this option to be future-proof. In addition to | |
218 | current environment variables, container=lxc will be set. | |
219 | </para> | |
220 | </listitem> | |
221 | </varlistentry> | |
222 | ||
223 | <varlistentry> | |
224 | <term> | |
225 | <option>--clear-env</option> | |
226 | </term> | |
227 | <listitem> | |
228 | <para> | |
229 | Clear the environment before attaching, so no undesired | |
230 | environment variables leak into the container. The variable | |
231 | container=lxc will be the only environment with which the | |
232 | attached program starts. | |
233 | </para> | |
234 | </listitem> | |
235 | </varlistentry> | |
236 | ||
7a0b0b56 | 237 | </variablelist> |
49ee6cdc CS |
238 | |
239 | </refsect1> | |
240 | ||
241 | &commonoptions; | |
242 | ||
243 | <refsect1> | |
244 | <title>Examples</title> | |
245 | <para> | |
246 | To spawn a new shell running inside an existing container, use | |
247 | <programlisting> | |
248 | lxc-attach -n container | |
249 | </programlisting> | |
250 | </para> | |
251 | <para> | |
252 | To restart the cron service of a running Debian container, use | |
253 | <programlisting> | |
254 | lxc-attach -n container -- /etc/init.d/cron restart | |
255 | </programlisting> | |
256 | </para> | |
257 | <para> | |
258 | To deactivate the network link eth1 of a running container that | |
e13eeea2 CS |
259 | does not have the NET_ADMIN capability, use either the |
260 | <option>-e</option> option to use increased capabilities, | |
261 | assuming the <command>ip</command> tool is installed: | |
49ee6cdc CS |
262 | <programlisting> |
263 | lxc-attach -n container -e -- /sbin/ip link delete eth1 | |
264 | </programlisting> | |
e13eeea2 CS |
265 | Or, alternatively, use the <option>-s</option> to use the |
266 | tools installed on the host outside the container: | |
267 | <programlisting> | |
268 | lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1 | |
269 | </programlisting> | |
49ee6cdc | 270 | </para> |
49ee6cdc CS |
271 | </refsect1> |
272 | ||
e13eeea2 CS |
273 | <refsect1> |
274 | <title>Compatibility</title> | |
275 | <para> | |
276 | Attaching completely (including the pid and mount namespaces) to a | |
a600d021 KY |
277 | container requires a kernel of version 3.8 or higher, or a |
278 | patched kernel, please see the lxc website for | |
e13eeea2 | 279 | details. <command>lxc-attach</command> will fail in that case if |
a600d021 | 280 | used with an unpatched kernel of version 3.7 and prior. |
e13eeea2 CS |
281 | </para> |
282 | <para> | |
283 | Nevertheless, it will succeed on an unpatched kernel of version 3.0 | |
284 | or higher if the <option>-s</option> option is used to restrict the | |
aa8d013e | 285 | namespaces that the process is to be attached to to one or more of |
e13eeea2 CS |
286 | <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable> |
287 | and <replaceable>UTSNAME</replaceable>. | |
288 | </para> | |
289 | <para> | |
a600d021 KY |
290 | Attaching to user namespaces is supported by kernel 3.8 or higher |
291 | with enabling user namespace. | |
e13eeea2 CS |
292 | </para> |
293 | </refsect1> | |
294 | ||
295 | <refsect1> | |
296 | <title>Notes</title> | |
297 | <para> | |
298 | The Linux <replaceable>/proc</replaceable> and | |
299 | <replaceable>/sys</replaceable> filesystems contain information | |
300 | about some quantities that are affected by namespaces, such as | |
301 | the directories named after process ids in | |
36b33520 | 302 | <replaceable>/proc</replaceable> or the network interface information |
e13eeea2 CS |
303 | in <replaceable>/sys/class/net</replaceable>. The namespace of the |
304 | process mounting the pseudo-filesystems determines what information | |
305 | is shown, <emphasis>not</emphasis> the namespace of the process | |
306 | accessing <replaceable>/proc</replaceable> or | |
307 | <replaceable>/sys</replaceable>. | |
308 | </para> | |
309 | <para> | |
310 | If one uses the <option>-s</option> option to only attach to | |
311 | the pid namespace of a container, but not its mount namespace | |
312 | (which will contain the <replaceable>/proc</replaceable> of the | |
313 | container and not the host), the contents of <option>/proc</option> | |
314 | will reflect that of the host and not the container. Analogously, | |
315 | the same issue occurs when reading the contents of | |
316 | <replaceable>/sys/class/net</replaceable> and attaching to just | |
317 | the network namespace. | |
318 | </para> | |
319 | <para> | |
7a0b0b56 CS |
320 | To work around this problem, the <option>-R</option> flag provides |
321 | the option to remount <replaceable>/proc</replaceable> and | |
322 | <replaceable>/sys</replaceable> in order for them to reflect the | |
323 | network/pid namespace context of the attached process. In order | |
324 | not to interfere with the host's actual filesystem, the mount | |
325 | namespace will be unshared (like <command>lxc-unshare</command> | |
326 | does) before this is done, esentially giving the process a new | |
327 | mount namespace, which is identical to the hosts's mount namespace | |
328 | except for the <replaceable>/proc</replaceable> and | |
329 | <replaceable>/sys</replaceable> filesystems. | |
e13eeea2 | 330 | </para> |
e986ea3d CB |
331 | <para> |
332 | Previous versions of <command>lxc-attach</command> suffered a bug whereby | |
333 | a user could attach to a containers namespace without being placed in a | |
334 | writeable cgroup for some critical subsystems. Newer versions of | |
335 | <command>lxc-attach</command> will check whether a user is in a writeable | |
336 | cgroup for those critical subsystems. <command>lxc-attach</command> might | |
337 | thus fail unexpectedly for some users (E.g. on systems where an | |
338 | unprivileged user is not placed in a writeable cgroup in critical | |
339 | subsystems on login.). However, this behavior is correct and more secure. | |
340 | </para> | |
e13eeea2 CS |
341 | </refsect1> |
342 | ||
49ee6cdc CS |
343 | <refsect1> |
344 | <title>Security</title> | |
345 | <para> | |
e13eeea2 CS |
346 | The <option>-e</option> and <option>-s</option> options should |
347 | be used with care, as it may break the isolation of the containers | |
348 | if used improperly. | |
49ee6cdc CS |
349 | </para> |
350 | </refsect1> | |
351 | ||
352 | &seealso; | |
353 | ||
354 | <refsect1> | |
355 | <title>Author</title> | |
356 | <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para> | |
357 | </refsect1> | |
358 | ||
359 | </refentry> | |
360 | ||
361 | <!-- Keep this comment at the end of the file | |
362 | Local variables: | |
363 | mode: sgml | |
364 | sgml-omittag:t | |
365 | sgml-shorttag:t | |
366 | sgml-minimize-attributes:nil | |
367 | sgml-always-quote-attributes:t | |
368 | sgml-indent-step:2 | |
369 | sgml-indent-data:t | |
370 | sgml-parent-document:nil | |
371 | sgml-default-dtd-file:nil | |
372 | sgml-exposed-tags:nil | |
373 | sgml-local-catalogs:nil | |
374 | sgml-local-ecat-files:nil | |
375 | End: | |
376 | --> |