f79d43bb | 1 | <!-- |
8a67a2b2 | 2 | |
3 | lxc: linux Container library | |
4 | ||
5 | (C) Copyright IBM Corp. 2007, 2008 | |
6 | ||
7 | Authors: | |
9afe19d6 | 8 | Daniel Lezcano <daniel.lezcano at free.fr> |
8a67a2b2 | 9 | |
10 | This library is free software; you can redistribute it and/or | |
11 | modify it under the terms of the GNU Lesser General Public | |
12 | License as published by the Free Software Foundation; either | |
13 | version 2.1 of the License, or (at your option) any later version. | |
14 | ||
15 | This library is distributed in the hope that it will be useful, | |
16 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
19 | ||
20 | You should have received a copy of the GNU Lesser General Public | |
21 | License along with this library; if not, write to the Free Software | |
250b1eec | 22 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
8a67a2b2 | 23 | |
24 | --> | |
25 | ||
7f951458 | 26 | <!DOCTYPE refentry PUBLIC @docdtd@ [ |
27 | |
28 | <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml"> | |
29 | ]> | |
8a67a2b2 | 30 | |
31 | <refentry> | |
32 | ||
33 | <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo> | |
34 | ||
35 | <refmeta> | |
36 | <refentrytitle>lxc.conf</refentrytitle> | |
37 | <manvolnum>5</manvolnum> | |
38 | </refmeta> | |
39 | ||
40 | <refnamediv> | |
41 | <refname>lxc.conf</refname> | |
42 | ||
43 | <refpurpose> | |
44 | linux container configuration file | |
45 | </refpurpose> | |
46 | </refnamediv> | |
47 | ||
48 | <refsect1> | |
49 | <title>Description</title> | |
50 | ||
51 | <para> | |
52 | The linux containers (<command>lxc</command>) are always created | |
53 | before being used. This creation defines a set of system | |
54 | resources to be virtualized / isolated when a process is using | |
55 | the container. By default, the pids, sysv ipc and mount points | |
56 | are virtualized and isolated. The other system resources are | |
57 | shared across containers, until they are explicitly defined in | |
58 | the configuration file. For example, if there is no network | |
59 | configuration, the network will be shared between the creator of | |
60 | the container and the container itself, but if the network is | |
61 | specified, a new network stack is created for the container and | |
62 | the container can no longer use the network of its ancestor. | |
63 | </para> | |
64 | ||
65 | <para> | |
66 | The configuration file defines the different system resources to | |
67 | be assigned for the container. At present, the utsname, the | |
68 | network, the mount points, the root file system, the user namespace, |
69 | and the control groups are supported. | |
8a67a2b2 | 70 | </para> |
71 | ||
72 | <para> | |
73 | Each option in the configuration file has the form <command>key | |
23a92fad | 74 | = value</command> fitting in one line. The '#' character means |
8a67a2b2 | 75 | the line is a comment. |
76 | </para> | |
77 | ||
78 | <refsect2> |
79 | <title>Configuration</title> | |
80 | <para> | |
81 | In order to ease administration of multiple related containers, it | |
82 | is possible to have a container configuration file cause another | |
83 | file to be loaded. For instance, network configuration | |
84 | can be defined in one common file which is included by multiple | |
85 | containers. Then, if the containers are moved to another host, | |
86 | only one file may need to be updated. | |
87 | </para> | |
88 | ||
89 | <variablelist> | |
90 | <varlistentry> | |
91 | <term> | |
92 | <option>lxc.include</option> | |
93 | </term> | |
94 | <listitem> | |
95 | <para> | |
96 | Specify the file to be included. The included file must be | |
97 | in the same valid lxc configuration file format. | |
98 | </para> | |
99 | </listitem> | |
100 | </varlistentry> | |
101 | </variablelist> | |
102 | </refsect2> | |
103 | ||
104 | <refsect2> |
105 | <title>Architecture</title> | |
106 | <para> | |
107 | Allows setting the architecture for the container. For example, | |
108 | set a 32bits architecture for a container running 32bits | |
d9e80daf | 109 | binaries on a 64bits host. This fixes the container scripts |
110 | which rely on the architecture to do some work like |
111 | downloading the packages. | |
112 | </para> | |
113 | ||
114 | <variablelist> | |
115 | <varlistentry> | |
116 | <term> | |
117 | <option>lxc.arch</option> | |
118 | </term> | |
119 | <listitem> | |
120 | <para> | |
121 | Specify the architecture for the container. | |
122 | </para> | |
123 | <para> | |
124 | Valid options are | |
125 | <option>x86</option>, | |
126 | <option>i686</option>, | |
127 | <option>x86_64</option>, | |
128 | <option>amd64</option> | |
129 | </para> | |
130 | </listitem> | |
131 | </varlistentry> | |
132 | </variablelist> | |
133 | ||
134 | </refsect2> | |
135 | ||
8a67a2b2 | 136 | <refsect2> |
137 | <title>Hostname</title> | |
138 | <para> | |
139 | The utsname section defines the hostname to be set for the | |
140 | container. That means the container can set its own hostname | |
141 | without changing the one from the system. That makes the | |
142 | hostname private for the container. | |
143 | </para> | |
144 | <variablelist> | |
145 | <varlistentry> | |
146 | <term> | |
147 | <option>lxc.utsname</option> | |
148 | </term> | |
149 | <listitem> | |
150 | <para> | |
151 | specify the hostname for the container | |
152 | </para> | |
153 | </listitem> | |
154 | </varlistentry> | |
155 | </variablelist> |
156 | </refsect2> | |
157 | ||
158 | <refsect2> | |
159 | <title>Stop signal</title> | |
160 | <para> | |
161 | Allows specifying the signal name or number sent by lxc-stop to | |
162 | shut down the container. Different init systems may use | |
163 | different signals to perform a clean shutdown sequence. The option | |
164 | allows the signal to be specified in kill(1) fashion, e.g. | |
165 | SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or a plain number. | |
166 | </para> | |
167 | <variablelist> | |
168 | <varlistentry> | |
169 | <term> | |
170 | <option>lxc.stopsignal</option> | |
171 | </term> | |
172 | <listitem> | |
173 | <para> | |
174 | specify the signal used to stop the container | |
175 | </para> | |
176 | </listitem> | |
177 | </varlistentry> | |
8a67a2b2 | 178 | </variablelist> |
179 | </refsect2> | |
180 | ||
181 | <refsect2> | |
182 | <title>Network</title> | |
183 | <para> | |
184 | The network section defines how the network is virtualized in | |
185 | the container. The network virtualization acts at layer |
186 | two. In order to use the network virtualization, parameters | |
187 | must be specified to define the network interfaces of the | |
188 | container. Several virtual interfaces can be assigned and used | |
189 | in a container even if the system has only one physical | |
8a67a2b2 | 190 | network interface. |
191 | </para> | |
192 | <variablelist> | |
193 | <varlistentry> | |
194 | <term> | |
195 | <option>lxc.network.type</option> | |
196 | </term> | |
197 | <listitem> | |
198 | <para> | |
199 | specify what kind of network virtualization to be used | |
200 | for the container. Each time | |
201 | a <option>lxc.network.type</option> field is found a new | |
202 | round of network configuration begins. In this way, |
203 | several network virtualization types can be specified | |
204 | for the same container, as well as assigning several | |
205 | network interfaces for one container. The different | |
8a67a2b2 | 206 | virtualization types can be: |
207 | </para> | |
208 | ||
209 | <para> | |
23a92fad | 210 | <option>empty:</option> will create only the loopback |
8a67a2b2 | 211 | interface. |
212 | </para> | |
213 | ||
214 | <para> | |
215 | <option>veth:</option> a peer network device is created |
216 | with one side assigned to the container and the other | |
217 | side is attached to a bridge specified by | |
218 | the <option>lxc.network.link</option>. If the bridge is | |
219 | not specified, then the veth pair device will be created | |
220 | but not attached to any bridge. Otherwise, the bridge | |
221 | has to be set up beforehand on the | |
222 | system, <command>lxc</command> won't handle any | |
223 | configuration outside of the container. By | |
224 | default <command>lxc</command> chooses a name for the |
225 | network device belonging to the outside of the | |
226 | container, this name is handled | |
227 | by <command>lxc</command>, but if you wish to handle | |
228 | this name yourself, you can tell <command>lxc</command> | |
229 | to set a specific name with | |
230 | the <option>lxc.network.veth.pair</option> option. | |
231 | </para> | |
232 | ||
233 | <para> | |
234 | <option>vlan:</option> a vlan interface is linked with |
235 | the interface specified by | |
236 | the <option>lxc.network.link</option> and assigned to |
237 | the container. The vlan identifier is specified with the | |
238 | option <option>lxc.network.vlan.id</option>. | |
8a67a2b2 | 239 | </para> |
240 | ||
241 | <para> | |
242 | <option>macvlan:</option> a macvlan interface is linked |
243 | with the interface specified by | |
8a67a2b2 | 244 | the <option>lxc.network.link</option> and assigned to |
245 | the container. | |
246 | <option>lxc.network.macvlan.mode</option> specifies the |
247 | mode the macvlan will use to communicate between | |
248 | different macvlan on the same upper device. The accepted | |
249 | modes are <option>private</option>, the device never | |
250 | communicates with any other device on the same upper_dev (default), | |
251 | <option>vepa</option>, the new Virtual Ethernet Port | |
252 | Aggregator (VEPA) mode, it assumes that the adjacent | |
253 | bridge returns all frames where both source and | |
254 | destination are local to the macvlan port, i.e. the | |
255 | bridge is set up as a reflective relay. Broadcast | |
256 | frames coming in from the upper_dev get flooded to all | |
257 | macvlan interfaces in VEPA mode, local frames are not | |
840295ff | 258 | delivered locally, or <option>bridge</option>, it |
259 | provides the behavior of a simple bridge between |
260 | different macvlan interfaces on the same port. Frames | |
261 | from one interface to another one get delivered directly | |
262 | and are not sent out externally. Broadcast frames get | |
263 | flooded to all other bridge ports and to the external | |
264 | interface, but when they come back from a reflective | |
265 | relay, we don't deliver them again. Since we know all | |
266 | the MAC addresses, the macvlan bridge mode does not | |
267 | require learning or STP like the bridge module does. | |
8a67a2b2 | 268 | </para> |
269 | ||
270 | <para> | |
271 | <option>phys:</option> an already existing interface |
272 | specified by the <option>lxc.network.link</option> is | |
273 | assigned to the container. | |
8a67a2b2 | 274 | </para> |
275 | </listitem> | |
276 | </varlistentry> | |
277 | ||
278 | <varlistentry> | |
279 | <term> | |
280 | <option>lxc.network.flags</option> | |
281 | </term> | |
282 | <listitem> | |
283 | <para> | |
284 | specify an action to do for the | |
285 | network. | |
286 | </para> | |
d9e80daf | 287 | |
8a67a2b2 | 288 | <para><option>up:</option> activates the interface. |
289 | </para> | |
290 | </listitem> | |
291 | </varlistentry> | |
292 | ||
293 | <varlistentry> | |
294 | <term> | |
295 | <option>lxc.network.link</option> | |
296 | </term> | |
297 | <listitem> | |
298 | <para> | |
299 | specify the interface to be used for real network | |
300 | traffic. | |
301 | </para> | |
302 | </listitem> | |
303 | </varlistentry> | |
304 | ||
305 | <varlistentry> | |
306 | <term> | |
307 | <option>lxc.network.name</option> | |
308 | </term> | |
309 | <listitem> | |
310 | <para> | |
311 | the interface name is dynamically allocated, but if |
312 | another name is needed because the configuration files | |
8a67a2b2 | 313 | being used by the container use a generic name, |
314 | eg. eth0, this option will rename the interface in the | |
315 | container. | |
316 | </para> | |
317 | </listitem> | |
318 | </varlistentry> | |
319 | ||
320 | <varlistentry> | |
321 | <term> | |
322 | <option>lxc.network.hwaddr</option> | |
323 | </term> | |
324 | <listitem> | |
325 | <para> | |
326 | the interface mac address is dynamically allocated by | |
327 | default to the virtual interface, but in some cases a fixed |
328 | address is needed to resolve a mac address conflict or to | |
329 | always have the same link-local ipv6 address. | |
8a67a2b2 | 330 | </para> |
331 | </listitem> | |
332 | </varlistentry> | |
333 | ||
334 | <varlistentry> | |
335 | <term> | |
336 | <option>lxc.network.ipv4</option> | |
337 | </term> | |
338 | <listitem> | |
339 | <para> | |
340 | specify the ipv4 address to assign to the virtualized | |
341 | interface. Several lines specify several ipv4 addresses. | |
342 | The address is in format x.y.z.t/m, | |
343 | eg. 192.168.1.123/24. The broadcast address should be |
344 | specified on the same line, right after the ipv4 | |
345 | address. | |
8a67a2b2 | 346 | </para> |
347 | </listitem> | |
348 | </varlistentry> | |
349 | ||
350 | <varlistentry> |
351 | <term> | |
352 | <option>lxc.network.ipv4.gateway</option> | |
353 | </term> | |
354 | <listitem> | |
355 | <para> | |
356 | specify the ipv4 address to use as the gateway inside the | |
357 | container. The address is in format x.y.z.t, eg. | |
358 | 192.168.1.123. | |
359 | ||
360 | Can also have the special value <option>auto</option>, | |
361 | which means to take the primary address from the bridge | |
362 | interface (as specified by the | |
363 | <option>lxc.network.link</option> option) and use that as | |
364 | the gateway. <option>auto</option> is only available when | |
365 | using the <option>veth</option> and | |
366 | <option>macvlan</option> network types. | |
367 | </para> | |
368 | </listitem> | |
369 | </varlistentry> | |
370 | ||
371 | ||
8a67a2b2 | 372 | <varlistentry> |
373 | <term> | |
374 | <option>lxc.network.ipv6</option> | |
375 | </term> | |
376 | <listitem> | |
377 | <para> | |
378 | specify the ipv6 address to assign to the virtualized | |
379 | interface. Several lines specify several ipv6 addresses. | |
380 | The address is in format x::y/m, | |
381 | eg. 2003:db8:1:0:214:1234:fe0b:3596/64 | |
382 | </para> | |
383 | </listitem> | |
384 | </varlistentry> | |
385 | ||
386 | <varlistentry> |
387 | <term> | |
388 | <option>lxc.network.ipv6.gateway</option> | |
389 | </term> | |
390 | <listitem> | |
391 | <para> | |
392 | specify the ipv6 address to use as the gateway inside the | |
393 | container. The address is in format x::y, | |
394 | eg. 2003:db8:1:0::1 | |
395 | ||
396 | Can also have the special value <option>auto</option>, | |
397 | which means to take the primary address from the bridge | |
398 | interface (as specified by the | |
399 | <option>lxc.network.link</option> option) and use that as | |
400 | the gateway. <option>auto</option> is only available when | |
401 | using the <option>veth</option> and | |
402 | <option>macvlan</option> network types. | |
403 | </para> | |
404 | </listitem> | |
405 | </varlistentry> | |
406 | ||
407 | <varlistentry> |
408 | <term> | |
409 | <option>lxc.network.script.up</option> | |
410 | </term> | |
411 | <listitem> | |
412 | <para> | |
413 | specify a script to be executed on the host side after | |
414 | the network has been created and configured. The | |
415 | following arguments are passed to the script: the | |
416 | container name and the config section name (net). | |
417 | Additional arguments depend on the config section | |
418 | employing a script hook; the network system passes the | |
419 | execution context (up) and the network type | |
420 | (empty/veth/macvlan/phys). Depending on the network | |
421 | type (veth/macvlan/phys), other arguments may be passed, | |
422 | and finally the (host-sided) device name. | |
423 | </para> | |
424 | <para> |
425 | Standard output from the script is logged at debug level. | |
426 | Standard error is not logged, but can be captured by the | |
427 | hook redirecting its standard error to standard output. | |
428 | </para> | |
429 | </listitem> |
430 | </varlistentry> | |
431 | |
432 | <varlistentry> | |
433 | <term> | |
434 | <option>lxc.network.script.down</option> | |
435 | </term> | |
436 | <listitem> | |
437 | <para> | |
438 | specify a script to be executed on the host side before | |
439 | the network is destroyed. The following arguments are | |
440 | passed to the script: the container name and the config | |
441 | section name (net). Additional arguments depend on the | |
442 | config section employing a script hook; the network | |
443 | system passes the execution context (down) and the | |
444 | network type (empty/veth/macvlan/phys). Depending on | |
445 | the network type (veth/macvlan/phys), other arguments | |
446 | may be passed, and finally the (host-sided) device | |
447 | name. | |
448 | </para> | |
449 | <para> |
450 | Standard output from the script is logged at debug level. | |
451 | Standard error is not logged, but can be captured by the | |
452 | hook redirecting its standard error to standard output. | |
453 | </para> | |
454 | </listitem> |
455 | </varlistentry> | |
8a67a2b2 | 456 | </variablelist> |
8a67a2b2 | 457 | </refsect2> |
458 | ||
341a091c | 459 | <refsect2> |
460 | <title>New pseudo tty instance (devpts)</title> | |
461 | <para> | |
462 | For stricter isolation the container can have its own private | |
463 | instance of the pseudo tty. | |
464 | </para> | |
465 | <variablelist> | |
466 | <varlistentry> | |
467 | <term> | |
468 | <option>lxc.pts</option> | |
469 | </term> | |
470 | <listitem> | |
471 | <para> | |
9f78081a | 472 | If set, the container will have a new pseudo tty |
473 | instance, making this private to it. The value specifies | |
474 | the maximum number of pseudo ttys allowed for a pts | |
475 | instance (this limitation is not implemented yet). | |
341a091c | 476 | </para> |
477 | </listitem> | |
478 | </varlistentry> | |
479 | </variablelist> | |
480 | </refsect2> | |
481 | ||
482 | <refsect2> |
483 | <title>Container system console</title> | |
484 | <para> | |
485 | If the container is configured with a root filesystem and the | |
486 | inittab file is setup to use the console, you may want to specify | |
d9e80daf | 487 | where the output of this console goes. |
488 | </para> |
489 | <variablelist> | |
490 | <varlistentry> | |
491 | <term> | |
492 | <option>lxc.console</option> | |
493 | </term> | |
494 | <listitem> | |
495 | <para> | |
496 | Specify a path to a file where the console output will | |
497 | be written. The keyword 'none' will simply disable the |
498 | console. This is dangerous if you have a rootfs with a | |
499 | console device file where the application can write, as the | |
500 | messages will then end up on the host. | |
501 | </para> |
502 | </listitem> | |
503 | </varlistentry> | |
504 | </variablelist> | |
505 | </refsect2> | |
506 | ||
b0a33c1e | 507 | <refsect2> |
508 | <title>Console through the ttys</title> | |
509 | <para> | |
510 | This option is useful if the container is configured with a root |
511 | filesystem and the inittab file is setup to launch a getty on the | |
512 | ttys. The option specifies the number of ttys to be available for | |
513 | the container. The number of gettys in the inittab file of the | |
514 | container should not be greater than the number of ttys specified | |
515 | in this option, otherwise the excess getty sessions will die and | |
516 | respawn indefinitely giving annoying messages on the console or in | |
517 | <filename>/var/log/messages</filename>. | |
b0a33c1e | 518 | </para> |
519 | <variablelist> | |
520 | <varlistentry> | |
521 | <term> | |
522 | <option>lxc.tty</option> | |
523 | </term> | |
524 | <listitem> | |
525 | <para> | |
526 | Specify the number of tty to make available to the | |
527 | container. | |
528 | </para> | |
529 | </listitem> | |
530 | </varlistentry> | |
531 | </variablelist> | |
532 | </refsect2> | |
533 | ||
534 | <refsect2> |
535 | <title>Console devices location</title> | |
536 | <para> | |
537 | LXC consoles are provided through Unix98 PTYs created on the | |
538 | host and bind-mounted over the expected devices in the container. | |
539 | By default, they are bind-mounted over <filename>/dev/console</filename> | |
540 | and <filename>/dev/ttyN</filename>. This can prevent package upgrades | |
541 | in the guest. Therefore you can specify a directory location (under | |
542 | <filename>/dev</filename>) under which LXC will create the files and | |
543 | bind-mount over them. These will then be symbolically linked to | |
544 | <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>. | |
545 | A package upgrade can then succeed as it is able to remove and replace | |
546 | the symbolic links. | |
547 | </para> | |
548 | <variablelist> | |
549 | <varlistentry> | |
550 | <term> | |
551 | <option>lxc.devttydir</option> | |
552 | </term> | |
553 | <listitem> | |
554 | <para> | |
555 | Specify a directory under <filename>/dev</filename> | |
556 | under which to create the container console devices. | |
557 | </para> | |
558 | </listitem> | |
559 | </varlistentry> | |
560 | </variablelist> | |
561 | </refsect2> | |
562 | ||
563 | <refsect2> |
564 | <title>/dev directory</title> | |
565 | <para> | |
566 | By default, lxc does nothing with the container's | |
567 | <filename>/dev</filename>. This allows the container's | |
568 | <filename>/dev</filename> to be set up as needed in the container | |
ad493d03 | 569 | rootfs. If lxc.autodev is set to 1, then after mounting the container's |
570 | rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename> |
571 | (limited to 100k) and fill in a minimal set of initial devices. | |
f7bee6c6 | 572 | This is generally required when starting a container containing |
840295ff | 573 | a "systemd" based "init" but may be optional at other times. Additional |
574 | devices in the container's /dev directory may be created through the |
575 | use of the <option>lxc.hook.autodev</option> hook. | |
576 | </para> |
577 | <variablelist> | |
578 | <varlistentry> | |
579 | <term> | |
580 | <option>lxc.autodev</option> | |
581 | </term> | |
582 | <listitem> | |
583 | <para> | |
584 | Set this to 1 to have LXC mount and populate a minimal | |
585 | <filename>/dev</filename> when starting the container. | |
586 | </para> | |
587 | </listitem> | |
588 | </varlistentry> | |
589 | </variablelist> | |
590 | </refsect2> | |
591 | ||
592 | <refsect2> |
593 | <title>Enable kmsg symlink</title> | |
594 | <para> | |
595 | Enable creating /dev/kmsg as a symlink to /dev/console. This defaults to 1. | |
596 | </para> | |
597 | <variablelist> | |
598 | <varlistentry> | |
599 | <term> | |
600 | <option>lxc.kmsg</option> | |
601 | </term> | |
602 | <listitem> | |
603 | <para> | |
604 | Set this to 0 to disable /dev/kmsg symlinking. | |
605 | </para> | |
606 | </listitem> | |
607 | </varlistentry> | |
608 | </variablelist> | |
609 | </refsect2> | |
610 | ||
8a67a2b2 | 611 | <refsect2> |
612 | <title>Mount points</title> | |
613 | <para> | |
614 | The mount points section specifies the different places to be | |
615 | mounted. These mount points will be private to the container | |
616 | and won't be visible by the processes running outside of the | |
617 | container. This is useful to mount /etc, /var or /home, for | |
618 | example. | |
619 | </para> | |
620 | <variablelist> | |
621 | <varlistentry> | |
622 | <term> | |
623 | <option>lxc.mount</option> | |
624 | </term> | |
625 | <listitem> | |
626 | <para> | |
627 | specify a file location in | |
628 | the <filename>fstab</filename> format, containing the | |
629 | mount information. If the rootfs is an image file or a |
630 | block device and the fstab is used to mount a point | |
631 | somewhere in this rootfs, the path of the rootfs mount |
632 | point should be prefixed with the | |
633 | <filename>@LXCROOTFSMOUNT@</filename> default path or | |
634 | the value of <option>lxc.rootfs.mount</option> if | |
635 | specified. Note that when mounting a filesystem from an |
636 | image file or block device the third field (fs_vfstype) | |
637 | cannot be auto as with | |
638 | <citerefentry> | |
639 | <refentrytitle>mount</refentrytitle> | |
640 | <manvolnum>8</manvolnum> | |
641 | </citerefentry> | |
642 | but must be explicitly specified. | |
8a67a2b2 | 643 | </para> |
644 | </listitem> | |
645 | </varlistentry> | |
646 | |
647 | <varlistentry> | |
648 | <term> | |
649 | <option>lxc.mount.entry</option> | |
650 | </term> | |
651 | <listitem> | |
652 | <para> | |
653 | specify a mount point corresponding to a line in the | |
654 | fstab format. | |
655 | </para> | |
656 | </listitem> | |
657 | </varlistentry> | |
658 | ||
8a67a2b2 | 659 | </variablelist> |
660 | </refsect2> | |
661 | ||
662 | <refsect2> | |
663 | <title>Root file system</title> | |
664 | <para> | |
665 | The root file system of the container can be different from that |
666 | of the host system. | |
8a67a2b2 | 667 | </para> |
668 | <variablelist> | |
669 | <varlistentry> | |
670 | <term> | |
671 | <option>lxc.rootfs</option> | |
672 | </term> | |
673 | <listitem> | |
674 | <para> | |
675 | specify the root file system for the container. It can |
676 | be an image file, a directory or a block device. If not | |
677 | specified, the container shares its root file system | |
678 | with the host. | |
679 | </para> |
680 | </listitem> | |
681 | </varlistentry> | |
682 | ||
683 | <varlistentry> | |
684 | <term> | |
685 | <option>lxc.rootfs.mount</option> | |
686 | </term> | |
687 | <listitem> | |
688 | <para> | |
689 | where to recursively bind <option>lxc.rootfs</option> | |
690 | before pivoting. This is to ensure success of the | |
691 | <citerefentry> | |
692 | <refentrytitle><command>pivot_root</command></refentrytitle> | |
693 | <manvolnum>8</manvolnum> | |
694 | </citerefentry> | |
695 | syscall. Any directory suffices, the default should | |
696 | generally work. | |
697 | </para> | |
698 | </listitem> | |
699 | </varlistentry> | |
700 | ||
701 | <varlistentry> | |
702 | <term> | |
703 | <option>lxc.pivotdir</option> | |
704 | </term> | |
705 | <listitem> | |
706 | <para> | |
707 | where to pivot the original root file system under | |
708 | <option>lxc.rootfs</option>, specified relatively to | |
3103609d | 709 | that. The default is <filename>mnt</filename>. |
710 | It is created if necessary, and also removed after |
711 | unmounting everything from it during container setup. | |
8a67a2b2 | 712 | </para> |
713 | </listitem> | |
714 | </varlistentry> | |
715 | </variablelist> | |
716 | </refsect2> | |
717 | ||
718 | <refsect2> | |
719 | <title>Control group</title> | |
720 | <para> | |
721 | The control group section contains the configuration for the | |
722 | different subsystems. <command>lxc</command> does not check the | |
723 | correctness of the subsystem name. This has the disadvantage |
724 | of not detecting configuration errors until the container is | |
725 | started, but has the advantage of permitting any future | |
726 | subsystem. | |
8a67a2b2 | 727 | </para> |
728 | <variablelist> | |
729 | <varlistentry> | |
730 | <term> | |
998dc19a | 731 | <option>lxc.cgroup.[subsystem name]</option> |
8a67a2b2 | 732 | </term> |
733 | <listitem> | |
734 | <para> | |
735 | specify the control group value to be set. The |
736 | subsystem name is the literal name of the control group | |
737 | subsystem. The permitted names and the syntax of their | |
738 | values is not dictated by LXC, instead it depends on the | |
739 | features of the Linux kernel running at the time the | |
740 | container is started, | |
8a67a2b2 | 741 | eg. <option>lxc.cgroup.cpuset.cpus</option> |
742 | </para> | |
743 | </listitem> | |
744 | </varlistentry> | |
745 | </variablelist> | |
746 | </refsect2> | |
747 | ||
748 | <refsect2> |
749 | <title>Capabilities</title> | |
750 | <para> | |
751 | The capabilities can be dropped in the container if it | |
752 | is run as root. | |
753 | </para> | |
754 | <variablelist> | |
755 | <varlistentry> | |
756 | <term> | |
757 | <option>lxc.cap.drop</option> | |
758 | </term> | |
759 | <listitem> | |
760 | <para> | |
761 | Specify the capability to be dropped in the container. A |
762 | single line defining several capabilities with a space | |
763 | separation is allowed. The format is the lower case of | |
764 | the capability definition without the "CAP_" prefix, | |
765 | eg. CAP_SYS_MODULE should be specified as |
766 | sys_module. See | |
767 | <citerefentry> | |
768 | <refentrytitle><command>capabilities</command></refentrytitle> | |
9eb09f87 | 769 | <manvolnum>7</manvolnum> |
770 | </citerefentry>. |
771 | </para> | |
772 | </listitem> | |
773 | </varlistentry> | |
774 | <varlistentry> |
775 | <term> | |
776 | <option>lxc.cap.keep</option> | |
777 | </term> | |
778 | <listitem> | |
779 | <para> | |
780 | Specify the capability to be kept in the container. All other | |
781 | capabilities will be dropped. | |
782 | </para> | |
783 | </listitem> | |
784 | </varlistentry> | |
785 | </variablelist> |
786 | </refsect2> | |
787 | ||
788 | <refsect2> |
789 | <title>Apparmor profile</title> | |
790 | <para> | |
791 | If lxc was compiled and installed with apparmor support, and the host | |
792 | system has apparmor enabled, then the apparmor profile under which the | |
793 | container should be run can be specified in the container | |
794 | configuration. The default is <command>lxc-container-default</command>. | |
795 | </para> | |
796 | <variablelist> | |
797 | <varlistentry> | |
798 | <term> | |
799 | <option>lxc.aa_profile</option> | |
800 | </term> | |
801 | <listitem> | |
802 | <para> | |
803 | Specify the apparmor profile under which the container should | |
804 | be run. To specify that the container should be unconfined, | |
805 | use | |
806 | </para> | |
807 | <programlisting>lxc.aa_profile = unconfined</programlisting> | |
808 | </listitem> | |
809 | </varlistentry> | |
810 | </variablelist> | |
811 | </refsect2> | |
812 | ||
813 | <refsect2> |
814 | <title>SELinux context</title> | |
815 | <para> | |
816 | If lxc was compiled and installed with SELinux support, and the host | |
817 | system has SELinux enabled, then the SELinux context under which the | |
818 | container should be run can be specified in the container | |
819 | configuration. The default is <command>unconfined_t</command>, | |
820 | which means that lxc will not attempt to change contexts. | |
821 | </para> | |
822 | <variablelist> | |
823 | <varlistentry> | |
824 | <term> | |
825 | <option>lxc.se_context</option> | |
826 | </term> | |
827 | <listitem> | |
828 | <para> | |
829 | Specify the SELinux context under which the container should | |
830 | be run or <command>unconfined_t</command>. For example | |
831 | </para> | |
832 | <programlisting>lxc.se_context = unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023</programlisting> | |
833 | </listitem> | |
834 | </varlistentry> | |
835 | </variablelist> | |
836 | </refsect2> | |
837 | ||
838 | <refsect2> |
839 | <title>Seccomp configuration</title> | |
840 | <para> | |
841 | A container can be started with a reduced set of available |
842 | system calls by loading a seccomp profile at startup. The |
843 | seccomp configuration file should begin with a version number |
844 | (which currently must be 1) on the first line, a policy type |
845 | (which must be 'whitelist') on the second line, followed by a |
846 | list of allowed system call numbers, one per line. System calls not listed are not available to the container; note that system call numbers are architecture-specific, so a profile written for one architecture is not valid on another. |
847 | </para> |
848 | <variablelist> | |
849 | <varlistentry> | |
850 | <term> | |
851 | <option>lxc.seccomp</option> | |
852 | </term> | |
853 | <listitem> | |
854 | <para> | |
855 | Specify a file containing the seccomp configuration to | |
856 | load before the container starts. | |
857 | </para> | |
858 | </listitem> | |
859 | </varlistentry> | |
860 | </variablelist> | |
861 | </refsect2> | |
862 | ||
863 | <refsect2> |
864 | <title>UID mappings</title> | |
865 | <para> | |
866 | A container can be started in a private user namespace with | |
867 | user and group id mappings. For instance, you can map userid | |
868 | 0 in the container to userid 200000 on the host. The root | |
869 | user in the container will be privileged in the container, | |
870 | but unprivileged on the host. Normally a system container | |
871 | will want a range of ids, so you would map, for instance, |
872 | user and group ids 0 through 19,999 in the container to the |
873 | ids 200,000 through 219,999. |
874 | </para> | |
875 | <variablelist> | |
876 | <varlistentry> | |
877 | <term> | |
878 | <option>lxc.id_map</option> | |
879 | </term> | |
880 | <listitem> | |
881 | <para> | |
882 | Four values must be provided. First a character, either |
883 | 'u', or 'g', to specify whether user or group ids are |
884 | being mapped. Next is the first id as seen in the |
885 | user namespace of the container. Next is the first id as |
886 | seen on the host. Finally, a range indicating the number |
887 | of consecutive ids to map. |
f6d3e3e4 | 888 | </para> |
889 | </listitem> |
890 | </varlistentry> | |
891 | </variablelist> | |
892 | </refsect2> | |
893 | ||
472c97e9 | 894 | <refsect2> |
dc92f6c7 | 895 | <title>Container hooks</title> |
472c97e9 | 896 | <para> |
dc92f6c7 | 897 | Container hooks are programs or scripts which can be executed |
898 | at various times in a container's lifetime. |
899 | </para> | |
900 | <para> |
901 | When a container hook is executed, information is passed both | |
902 | as command line arguments and through environment variables. | |
903 | The arguments are: | |
904 | <itemizedlist> | |
905 | <listitem> Container name. </listitem> | |
906 | <listitem> Section (always 'lxc'). </listitem> | |
907 | <listitem> The hook type (e.g. 'clone' or 'pre-mount'). </listitem> |
908 | <listitem> Additional arguments. In the |
909 | case of the clone hook, any extra arguments passed to |
910 | lxc-clone will appear as further arguments to the hook. </listitem> |
911 | </itemizedlist> |
912 | The following environment variables are set: | |
913 | <itemizedlist> | |
914 | <listitem> LXC_NAME: is the container's name. </listitem> | |
915 | <listitem> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </listitem> | |
916 | <listitem> LXC_CONFIG_FILE: the path to the container configuration file. </listitem> | |
917 | <listitem> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </listitem> | |
918 | <listitem> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </listitem> |
919 | </itemizedlist> | |
920 | </para> | |
921 | <para> |
922 | Standard output from the hooks is logged at debug level. | |
923 | Standard error is not logged, but can be captured by the | |
924 | hook redirecting its standard error to standard output. | |
925 | </para> | |
926 | <variablelist> |
927 | <varlistentry> | |
928 | <term> | |
929 | <option>lxc.hook.pre-start</option> | |
930 | </term> | |
931 | <listitem> | |
932 | <para> | |
933 | A hook to be run in the host's namespace before the | |
934 | container ttys, consoles, or mounts are up. | |
935 | </para> | |
936 | </listitem> | |
937 | </varlistentry> | |
938 | </variablelist> | |
939 | <variablelist> | |
940 | <varlistentry> | |
941 | <term> | |
942 | <option>lxc.hook.pre-mount</option> | |
943 | </term> | |
944 | <listitem> | |
945 | <para> | |
946 | A hook to be run in the container's fs namespace but before |
947 | the rootfs has been set up. This allows for manipulation |
948 | of the rootfs, e.g. to mount an encrypted filesystem. Mounts |
949 | done in this hook will not be reflected on the host (apart from | |
950 | mounts propagation), so they will be automatically cleaned up | |
951 | when the container shuts down. | |
952 | </para> | |
953 | </listitem> | |
954 | </varlistentry> | |
955 | </variablelist> | |
956 | <variablelist> | |
957 | <varlistentry> | |
958 | <term> | |
959 | <option>lxc.hook.mount</option> | |
960 | </term> | |
961 | <listitem> | |
962 | <para> | |
963 | A hook to be run in the container's namespace after | |
964 | mounting has been done, but before the pivot_root. | |
965 | </para> | |
966 | </listitem> | |
967 | </varlistentry> | |
968 | </variablelist> | |
969 | <variablelist> |
970 | <varlistentry> | |
971 | <term> | |
972 | <option>lxc.hook.autodev</option> | |
973 | </term> | |
974 | <listitem> | |
975 | <para> | |
976 | A hook to be run in the container's namespace after | |
977 | mounting has been done and after any mount hooks have | |
978 | run, but before the pivot_root, if | |
979 | <option>lxc.autodev</option> == 1. | |
980 | The purpose of this hook is to assist in populating the | |
981 | /dev directory of the container when using the autodev | |
982 | option for systemd based containers. The container's /dev | |
983 | directory is relative to the | |
984 | ${<option>LXC_ROOTFS_MOUNT</option>} environment | |
985 | variable available when the hook is run. | |
986 | </para> | |
987 | </listitem> | |
988 | </varlistentry> | |
989 | </variablelist> | |
990 | <variablelist> |
991 | <varlistentry> | |
992 | <term> | |
993 | <option>lxc.hook.start</option> | |
994 | </term> | |
995 | <listitem> | |
996 | <para> | |
997 | A hook to be run in the container's namespace immediately |
998 | before executing the container's init. This requires the |
999 | program to be available in the container; since it is taken from the container's own root filesystem, it is only as trustworthy as the container image itself. |
1000 | </para> | |
1001 | </listitem> | |
1002 | </varlistentry> | |
1003 | </variablelist> | |
1004 | <variablelist> | |
1005 | <varlistentry> | |
1006 | <term> | |
1007 | <option>lxc.hook.post-stop</option> | |
1008 | </term> | |
1009 | <listitem> | |
1010 | <para> | |
1011 | A hook to be run in the host's namespace after the | |
1012 | container has been shut down. | |
1013 | </para> | |
1014 | </listitem> | |
1015 | </varlistentry> | |
1016 | </variablelist> | |
1017 | <variablelist> |
1018 | <varlistentry> | |
1019 | <term> | |
1020 | <option>lxc.hook.clone</option> | |
1021 | </term> | |
1022 | <listitem> | |
1023 | <para> | |
1024 | A hook to be run when the container is cloned to a new one. | |
1025 | See <refentrytitle><command>lxc-clone</command></refentrytitle> | |
1026 | <manvolnum>1</manvolnum> for more information. | |
1027 | </para> | |
1028 | </listitem> | |
1029 | </varlistentry> | |
1030 | </variablelist> | |
472c97e9 SH |
1031 | </refsect2> |
1032 | ||
f7bee6c6 | 1033 | <refsect2> |
dc92f6c7 | 1034 | <title>Container hooks Environment Variables</title> |
1035 | <para> |
1036 | A number of environment variables are made available to the startup |
1037 | hooks to provide configuration information and assist in the |
1038 | functioning of the hooks. Not all variables are valid in all |
1039 | contexts. In particular, all paths are host paths and, as such, are |
1040 | not valid during the <option>lxc.hook.start</option> hook, which runs inside the container's namespace. |
1041 | </para> | |
1042 | <variablelist> | |
1043 | <varlistentry> | |
1044 | <term> | |
1045 | <option>LXC_NAME</option> | |
1046 | </term> | |
1047 | <listitem> | |
1048 | <para> | |
1049 | The LXC name of the container. Useful for logging messages | |
dd97408a | 1050 | in common log environments. [<option>-n</option>] |
1051 | </para> |
1052 | </listitem> | |
1053 | </varlistentry> | |
1054 | </variablelist> | |
1055 | <variablelist> | |
1056 | <varlistentry> | |
1057 | <term> | |
1058 | <option>LXC_CONFIG_FILE</option> | |
1059 | </term> | |
1060 | <listitem> | |
1061 | <para> | |
1062 | Host relative path to the container configuration file. This |
1063 | allows the hook to reference the original, top level, |
1064 | configuration file for the container in order to locate any |
1065 | additional configuration information not otherwise made |
1066 | available. [<option>-f</option>] |
1067 | </para> | |
1068 | </listitem> | |
1069 | </varlistentry> | |
1070 | </variablelist> | |
1071 | <variablelist> | |
1072 | <varlistentry> | |
1073 | <term> | |
1074 | <option>LXC_CONSOLE</option> | |
1075 | </term> | |
1076 | <listitem> | |
1077 | <para> | |
1078 | The path to the console output of the container, if one is configured. |
1079 | [<option>-c</option>] [<option>lxc.console</option>] | |
1080 | </para> | |
1081 | </listitem> | |
1082 | </varlistentry> | |
1083 | </variablelist> | |
1084 | <variablelist> | |
1085 | <varlistentry> | |
1086 | <term> | |
1087 | <option>LXC_CONSOLE_LOGPATH</option> | |
1088 | </term> | |
1089 | <listitem> | |
1090 | <para> | |
1091 | The path to the console log output of the container, if one is configured. |
1092 | [<option>-L</option>] | |
1093 | </para> | |
1094 | </listitem> | |
1095 | </varlistentry> | |
1096 | </variablelist> | |
1097 | <variablelist> | |
1098 | <varlistentry> | |
1099 | <term> | |
1100 | <option>LXC_ROOTFS_MOUNT</option> | |
1101 | </term> | |
1102 | <listitem> | |
1103 | <para> | |
1104 | The mount location to which the container is initially bound. | |
1105 | This will be the host relative path to the container rootfs | |
1106 | for the container instance being started and is where changes | |
1107 | should be made for that instance. | |
1108 | [<option>lxc.rootfs.mount</option>] | |
1109 | </para> | |
1110 | </listitem> | |
1111 | </varlistentry> | |
1112 | </variablelist> | |
1113 | <variablelist> | |
1114 | <varlistentry> | |
1115 | <term> | |
1116 | <option>LXC_ROOTFS_PATH</option> | |
1117 | </term> | |
1118 | <listitem> | |
1119 | <para> | |
1120 | The host relative path to the container root which has been | |
1121 | mounted to the rootfs.mount location. | |
1122 | [<option>lxc.rootfs</option>] | |
1123 | </para> | |
1124 | </listitem> | |
1125 | </varlistentry> | |
1126 | </variablelist> | |
1127 | ||
1128 | </refsect2> | |
1129 | <refsect2> |
1130 | <title> Logging</title> | |
1131 | <para> | |
1132 | Logging can be configured on a per-container basis. By default, | |
1133 | depending upon how the lxc package was compiled, container startup | |
1134 | is logged only at the ERROR level, and logged to a file named after | |
1135 | the container (with '.log' appended) either under the container path, | |
1136 | or under @LOGPATH@. | |
1137 | </para> | |
1138 | <para> | |
1139 | Both the default log level and the log file can be specified in the | |
1140 | container configuration file, overriding the default behavior. Note | |
1141 | that the configuration file entries can in turn be overridden by the | |
1142 | command line options to <command>lxc-start</command>. | |
1143 | </para> | |
1144 | <variablelist> | |
1145 | <varlistentry> | |
1146 | <term> | |
1147 | <option>lxc.loglevel</option> | |
1148 | </term> | |
1149 | <listitem> | |
1150 | <para> | |
1151 | The level at which to log. The log level is an integer in | |
1152 | the range of 0..8 inclusive, where a lower number means more | |
1153 | verbose debugging. In particular 0 = trace, 1 = debug, 2 = | |
1154 | info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = | |
1155 | alert, and 8 = fatal. If unspecified, the level defaults | |
1156 | to 5 (error), so that only errors and above are logged. | |
1157 | </para> | |
1158 | <para> | |
1159 | Note that when a script (such as either a hook script or a | |
1160 | network interface up or down script) is called, the script's | |
1161 | standard output is logged at level 1, debug. | |
1162 | </para> | |
1163 | </listitem> | |
1164 | </varlistentry> | |
1165 | <varlistentry> | |
1166 | <term> | |
1167 | <option>lxc.logfile</option> | |
1168 | </term> | |
1169 | <listitem> | |
1170 | <para> | |
1171 | The file to which logging info should be written. | |
1172 | </para> | |
1173 | </listitem> | |
1174 | </varlistentry> | |
1175 | </variablelist> | |
1176 | </refsect2> | |
f7bee6c6 | 1177 | |
8a67a2b2 | 1178 | </refsect1> |
1179 | ||
1180 | <refsect1> | |
1181 | <title>Examples</title> | |
1182 | <para> |
1183 | In addition to the few examples given below, you will find | |
1184 | some other examples of configuration file in @DOCDIR@/examples | |
1185 | </para> | |
8a67a2b2 | 1186 | <refsect2> |
1187 | <title>Network</title> | |
1188 | <para>This configuration sets up a container to use a veth pair | |
1189 | device with one side plugged to a bridge br0 (which has been | |
1190 | configured before on the system by the administrator). The | |
1191 | virtual network device visible in the container is renamed to | |
1192 | eth0.</para> | |
1193 | <programlisting> |
1194 | lxc.utsname = myhostname | |
1195 | lxc.network.type = veth | |
1196 | lxc.network.flags = up | |
1197 | lxc.network.link = br0 | |
1198 | lxc.network.name = eth0 | |
1199 | lxc.network.hwaddr = 4a:49:43:49:79:bf | |
5548f218 | 1200 | lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255 |
1201 | lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597 |
1202 | </programlisting> | |
8a67a2b2 | 1203 | </refsect2> |
1204 | ||
1205 | <refsect2> |
1206 | <title>UID/GID mapping</title> | |
1207 | <para>This configuration will map both user and group ids in the | |
1208 | range 0-9999 in the container to the ids 100000-109999 on the host. | |
1209 | </para> | |
1210 | <programlisting> | |
1211 | lxc.id_map = u 0 100000 10000 | |
1212 | lxc.id_map = g 0 100000 10000 | |
1213 | </programlisting> | |
1214 | </refsect2> | |
1215 | ||
8a67a2b2 | 1216 | <refsect2> |
1217 | <title>Control group</title> | |
1218 | <para>This configuration sets up several control group settings for |
1219 | the application: cpuset.cpus restricts the container to the listed cpus, |
1220 | cpu.shares sets the scheduling weight of the control group, and devices.deny = a |
1221 | first removes access to all devices so that the following devices.allow entries expose only the listed ones (here the character device 1:3 and the block device 8:0).</para> |
1222 | <programlisting> |
1223 | lxc.cgroup.cpuset.cpus = 0,1 | |
1224 | lxc.cgroup.cpu.shares = 1234 | |
1225 | lxc.cgroup.devices.deny = a | |
1226 | lxc.cgroup.devices.allow = c 1:3 rw | |
1227 | lxc.cgroup.devices.allow = b 8:0 rw | |
1228 | </programlisting> | |
8a67a2b2 | 1229 | </refsect2> |
1230 | ||
1231 | <refsect2> | |
1232 | <title>Complex configuration</title> | |
1233 | <para>This example shows a complex configuration making a complex |
1234 | network stack, using the control groups, setting a new hostname, |
1235 | mounting some locations, changing the root file system, and dropping capabilities the container does not need.</para> |
1236 | <programlisting> | |
1237 | lxc.utsname = complex | |
1238 | lxc.network.type = veth | |
1239 | lxc.network.flags = up | |
1240 | lxc.network.link = br0 | |
1241 | lxc.network.hwaddr = 4a:49:43:49:79:bf | |
5548f218 | 1242 | lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255 |
1243 | lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597 |
1244 | lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588 | |
1245 | lxc.network.type = macvlan | |
1246 | lxc.network.flags = up | |
1247 | lxc.network.link = eth0 | |
1248 | lxc.network.hwaddr = 4a:49:43:49:79:bd | |
5548f218 | 1249 | lxc.network.ipv4 = 10.2.3.4/24 |
1250 | lxc.network.ipv4 = 192.168.10.125/24 |
1251 | lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596 | |
1252 | lxc.network.type = phys | |
1253 | lxc.network.flags = up | |
1254 | lxc.network.link = dummy0 | |
1255 | lxc.network.hwaddr = 4a:49:43:49:79:ff | |
5548f218 | 1256 | lxc.network.ipv4 = 10.2.3.6/24 |
1257 | lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297 |
1258 | lxc.cgroup.cpuset.cpus = 0,1 | |
1259 | lxc.cgroup.cpu.shares = 1234 | |
1260 | lxc.cgroup.devices.deny = a | |
1261 | lxc.cgroup.devices.allow = c 1:3 rw | |
1262 | lxc.cgroup.devices.allow = b 8:0 rw | |
1263 | lxc.mount = /etc/fstab.complex | |
1264 | lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0 | |
1265 | lxc.rootfs = /mnt/rootfs.complex | |
1266 | lxc.cap.drop = sys_module mknod setuid net_raw | |
1267 | lxc.cap.drop = mac_override | |
1268 | </programlisting> | |
8a67a2b2 | 1269 | </refsect2> |
1270 | ||
1271 | </refsect1> | |
1272 | ||
1273 | <refsect1> | |
1274 | <title>See Also</title> | |
f79d43bb | 1275 | <simpara> |
8a67a2b2 | 1276 | <citerefentry> |
1277 | <refentrytitle><command>chroot</command></refentrytitle> | |
1278 | <manvolnum>1</manvolnum> | |
1279 | </citerefentry>, | |
1280 | ||
1281 | <citerefentry> | |
1282 | <refentrytitle><command>pivot_root</command></refentrytitle> | |
1283 | <manvolnum>8</manvolnum> | |
1284 | </citerefentry>, | |
1285 | ||
1286 | <citerefentry> | |
1287 | <refentrytitle><filename>fstab</filename></refentrytitle> | |
1288 | <manvolnum>5</manvolnum> | |
6320e494 | 1289 | </citerefentry>, |
8a67a2b2 | 1290 | |
1291 | <citerefentry> |
1292 | <refentrytitle><filename>capabilities</filename></refentrytitle> | |
1293 | <manvolnum>7</manvolnum> | |
1294 | </citerefentry> | |
8a67a2b2 | 1295 | </simpara> |
1296 | </refsect1> | |
f79d43bb | 1297 | |
1298 | &seealso; |
1299 | ||
8a67a2b2 | 1300 | <refsect1> |
1301 | <title>Author</title> | |
1302 | <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para> | |
1303 | </refsect1> | |
f79d43bb | 1304 | |
8a67a2b2 | 1305 | </refentry> |
1306 | ||
1307 | <!-- Keep this comment at the end of the file | |
1308 | Local variables: | |
1309 | mode: sgml | |
1310 | sgml-omittag:t | |
1311 | sgml-shorttag:t | |
1312 | sgml-minimize-attributes:nil | |
1313 | sgml-always-quote-attributes:t | |
1314 | sgml-indent-step:2 | |
1315 | sgml-indent-data:t | |
1316 | sgml-parent-document:nil | |
1317 | sgml-default-dtd-file:nil | |
1318 | sgml-exposed-tags:nil | |
1319 | sgml-local-catalogs:nil | |
1320 | sgml-local-ecat-files:nil | |
1321 | End: | |
1322 | --> |