]> git.proxmox.com Git - mirror_lxc.git/blame - doc/lxc.conf.sgml.in
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
lxc-autostart: don't set timeout if user requested -s
[mirror_lxc.git] / doc / lxc.conf.sgml.in
CommitLineData
f79d43bb 1<!--
8a67a2b2 2
3lxc: linux Container library
4
5(C) Copyright IBM Corp. 2007, 2008
6
7Authors:
9afe19d6 8Daniel Lezcano <daniel.lezcano at free.fr>
8a67a2b2 9
10This library is free software; you can redistribute it and/or
11modify it under the terms of the GNU Lesser General Public
12License as published by the Free Software Foundation; either
13version 2.1 of the License, or (at your option) any later version.
14
15This library is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18Lesser General Public License for more details.
19
20You should have received a copy of the GNU Lesser General Public
21License along with this library; if not, write to the Free Software
250b1eec 22Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
8a67a2b2 23
24-->
25
7f951458 26<!DOCTYPE refentry PUBLIC @docdtd@ [
99e4008c
MN		 27
28<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
29]>
8a67a2b2 30
31<refentry>
32
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
34
35 <refmeta>
36 <refentrytitle>lxc.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
38 </refmeta>
39
40 <refnamediv>
41 <refname>lxc.conf</refname>
42
43 <refpurpose>
44 linux container configuration file
45 </refpurpose>
46 </refnamediv>
47
48 <refsect1>
49 <title>Description</title>
50
51 <para>
52 The linux containers (<command>lxc</command>) are always created
53 before being used. This creation defines a set of system
54 resources to be virtualized / isolated when a process is using
55 the container. By default, the pids, sysv ipc and mount points
56 are virtualized and isolated. The other system resources are
57 shared across containers, until they are explicitly defined in
58 the configuration file. For example, if there is no network
59 configuration, the network will be shared between the creator of
60 the container and the container itself, but if the network is
61 specified, a new network stack is created for the container and
62 the container can no longer use the network of its ancestor.
63 </para>
64
65 <para>
66 The configuration file defines the different system resources to
67 be assigned for the container. At present, the utsname, the
d9e80daf
DE		 68 network, the mount points, the root file system, the user namespace,
69 and the control groups are supported.
8a67a2b2 70 </para>
71
72 <para>
73 Each option in the configuration file has the form <command>key
23a92fad 74 = value</command> fitting in one line. The '#' character means
8a67a2b2 75 the line is a comment.
76 </para>
77
64f782ca
SH		 78 <refsect2>
79 <title>Configuration</title>
80 <para>
81 In order to ease administration of multiple related containers, it
82 is possible to have a container configuration file cause another
83 file to be loaded. For instance, network configuration
84 can be defined in one common file which is included by multiple
85 containers. Then, if the containers are moved to another host,
86 only one file may need to be updated.
87 </para>
88
89 <variablelist>
90 <varlistentry>
91 <term>
92 <option>lxc.include</option>
93 </term>
94 <listitem>
95 <para>
96 Specify the file to be included. The included file must be
97 in the same valid lxc configuration file format.
98 </para>
99 </listitem>
100 </varlistentry>
101 </variablelist>
102 </refsect2>
103
cccc74b5
DL		 104 <refsect2>
105 <title>Architecture</title>
106 <para>
36b33520 107 Allows one to set the architecture for the container. For example,
cccc74b5 108 set a 32bits architecture for a container running 32bits
d9e80daf 109 binaries on a 64bits host. This fixes the container scripts
cccc74b5
DL		 110 which rely on the architecture to do some work like
111 downloading the packages.
112 </para>
113
114 <variablelist>
115 <varlistentry>
116 <term>
117 <option>lxc.arch</option>
118 </term>
119 <listitem>
120 <para>
121 Specify the architecture for the container.
122 </para>
123 <para>
124 Valid options are
125 <option>x86</option>,
126 <option>i686</option>,
127 <option>x86_64</option>,
128 <option>amd64</option>
129 </para>
130 </listitem>
131 </varlistentry>
132 </variablelist>
133
134 </refsect2>
135
8a67a2b2 136 <refsect2>
137 <title>Hostname</title>
138 <para>
139 The utsname section defines the hostname to be set for the
140 container. That means the container can set its own hostname
141 without changing the one from the system. That makes the
142 hostname private for the container.
143 </para>
144 <variablelist>
145 <varlistentry>
146 <term>
147 <option>lxc.utsname</option>
148 </term>
149 <listitem>
150 <para>
151 specify the hostname for the container
152 </para>
153 </listitem>
154 </varlistentry>
a84b9932
AV		 155 </variablelist>
156 </refsect2>
157
158 <refsect2>
159 <title>Stop signal</title>
160 <para>
36b33520 161 Allows one to specify signal name or number, sent by lxc-stop to
a84b9932
AV		 162 shutdown the container. Different init systems could use
163 different signals to perform clean shutdown sequence. Option
164 allows signal to be specified in kill(1) fashion, e.g.
165 SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number.
166 </para>
167 <variablelist>
168 <varlistentry>
169 <term>
170 <option>lxc.stopsignal</option>
171 </term>
172 <listitem>
173 <para>
174 specify the signal used to stop the container
175 </para>
176 </listitem>
177 </varlistentry>
8a67a2b2 178 </variablelist>
179 </refsect2>
180
181 <refsect2>
182 <title>Network</title>
183 <para>
184 The network section defines how the network is virtualized in
23a92fad
PF		 185 the container. The network virtualization acts at layer
186 two. In order to use the network virtualization, parameters
187 must be specified to define the network interfaces of the
188 container. Several virtual interfaces can be assigned and used
189 in a container even if the system has only one physical
8a67a2b2 190 network interface.
191 </para>
192 <variablelist>
193 <varlistentry>
194 <term>
195 <option>lxc.network.type</option>
196 </term>
197 <listitem>
198 <para>
199 specify what kind of network virtualization to be used
200 for the container. Each time
201 a <option>lxc.network.type</option> field is found a new
23a92fad
PF		 202 round of network configuration begins. In this way,
203 several network virtualization types can be specified
204 for the same container, as well as assigning several
205 network interfaces for one container. The different
8a67a2b2 206 virtualization types can be:
207 </para>
208
209 <para>
23a92fad 210 <option>empty:</option> will create only the loopback
8a67a2b2 211 interface.
212 </para>
213
214 <para>
23a92fad
PF		 215 <option>veth:</option> a peer network device is created
216 with one side assigned to the container and the other
217 side is attached to a bridge specified by
218 the <option>lxc.network.link</option>. If the bridge is
219 not specified, then the veth pair device will be created
220 but not attached to any bridge. Otherwise, the bridge
221 has to be setup before on the
222 system, <command>lxc</command> won't handle any
223 configuration outside of the container. By
e892973e
DL		 224 default <command>lxc</command> choose a name for the
225 network device belonging to the outside of the
226 container, this name is handled
227 by <command>lxc</command>, but if you wish to handle
228 this name yourself, you can tell <command>lxc</command>
229 to set a specific name with
230 the <option>lxc.network.veth.pair</option> option.
231 </para>
232
233 <para>
23a92fad
PF		 234 <option>vlan:</option> a vlan interface is linked with
235 the interface specified by
e892973e
DL		 236 the <option>lxc.network.link</option> and assigned to
237 the container. The vlan identifier is specified with the
238 option <option>lxc.network.vlan.id</option>.
8a67a2b2 239 </para>
240
241 <para>
23a92fad
PF		 242 <option>macvlan:</option> a macvlan interface is linked
243 with the interface specified by
8a67a2b2 244 the <option>lxc.network.link</option> and assigned to
245 the container.
e892973e
DL		 246 <option>lxc.network.macvlan.mode</option> specifies the
247 mode the macvlan will use to communicate between
248 different macvlan on the same upper device. The accepted
249 modes are <option>private</option>, the device never
250 communicates with any other device on the same upper_dev (default),
251 <option>vepa</option>, the new Virtual Ethernet Port
252 Aggregator (VEPA) mode, it assumes that the adjacent
253 bridge returns all frames where both source and
254 destination are local to the macvlan port, i.e. the
255 bridge is set up as a reflective relay. Broadcast
256 frames coming in from the upper_dev get flooded to all
257 macvlan interfaces in VEPA mode, local frames are not
840295ff 258 delivered locally, or <option>bridge</option>, it
e892973e
DL		 259 provides the behavior of a simple bridge between
260 different macvlan interfaces on the same port. Frames
261 from one interface to another one get delivered directly
262 and are not sent out externally. Broadcast frames get
263 flooded to all other bridge ports and to the external
264 interface, but when they come back from a reflective
265 relay, we don't deliver them again. Since we know all
266 the MAC addresses, the macvlan bridge mode does not
267 require learning or STP like the bridge module does.
8a67a2b2 268 </para>
269
270 <para>
23a92fad
PF		 271 <option>phys:</option> an already existing interface
272 specified by the <option>lxc.network.link</option> is
273 assigned to the container.
8a67a2b2 274 </para>
275 </listitem>
276 </varlistentry>
277
278 <varlistentry>
279 <term>
280 <option>lxc.network.flags</option>
281 </term>
282 <listitem>
283 <para>
284 specify an action to do for the
285 network.
286 </para>
d9e80daf 287
8a67a2b2 288 <para><option>up:</option> activates the interface.
289 </para>
290 </listitem>
291 </varlistentry>
292
293 <varlistentry>
294 <term>
295 <option>lxc.network.link</option>
296 </term>
297 <listitem>
298 <para>
299 specify the interface to be used for real network
300 traffic.
301 </para>
302 </listitem>
303 </varlistentry>
304
305 <varlistentry>
306 <term>
307 <option>lxc.network.name</option>
308 </term>
309 <listitem>
310 <para>
23a92fad
PF		 311 the interface name is dynamically allocated, but if
312 another name is needed because the configuration files
8a67a2b2 313 being used by the container use a generic name,
314 eg. eth0, this option will rename the interface in the
315 container.
316 </para>
317 </listitem>
318 </varlistentry>
319
320 <varlistentry>
321 <term>
322 <option>lxc.network.hwaddr</option>
323 </term>
324 <listitem>
325 <para>
326 the interface mac address is dynamically allocated by
23a92fad
PF		 327 default to the virtual interface, but in some cases,
328 this is needed to resolve a mac address conflict or to
329 always have the same link-local ipv6 address
8a67a2b2 330 </para>
331 </listitem>
332 </varlistentry>
333
334 <varlistentry>
335 <term>
336 <option>lxc.network.ipv4</option>
337 </term>
338 <listitem>
339 <para>
340 specify the ipv4 address to assign to the virtualized
341 interface. Several lines specify several ipv4 addresses.
342 The address is in format x.y.z.t/m,
955f4ce6
DL		 343 eg. 192.168.1.123/24. The broadcast address should be
344 specified on the same line, right after the ipv4
345 address.
8a67a2b2 346 </para>
347 </listitem>
348 </varlistentry>
349
be58c6b5
MK		 350 <varlistentry>
351 <term>
352 <option>lxc.network.ipv4.gateway</option>
353 </term>
354 <listitem>
355 <para>
356 specify the ipv4 address to use as the gateway inside the
357 container. The address is in format x.y.z.t, eg.
358 192.168.1.123.
359
360 Can also have the special value <option>auto</option>,
361 which means to take the primary address from the bridge
362 interface (as specified by the
363 <option>lxc.network.link</option> option) and use that as
364 the gateway. <option>auto</option> is only available when
365 using the <option>veth</option> and
366 <option>macvlan</option> network types.
367 </para>
368 </listitem>
369 </varlistentry>
370
371
8a67a2b2 372 <varlistentry>
373 <term>
374 <option>lxc.network.ipv6</option>
375 </term>
376 <listitem>
377 <para>
378 specify the ipv6 address to assign to the virtualized
379 interface. Several lines specify several ipv6 addresses.
380 The address is in format x::y/m,
381 eg. 2003:db8:1:0:214:1234:fe0b:3596/64
382 </para>
383 </listitem>
384 </varlistentry>
385
be58c6b5
MK		 386 <varlistentry>
387 <term>
388 <option>lxc.network.ipv6.gateway</option>
389 </term>
390 <listitem>
391 <para>
392 specify the ipv6 address to use as the gateway inside the
393 container. The address is in format x::y,
394 eg. 2003:db8:1:0::1
395
396 Can also have the special value <option>auto</option>,
397 which means to take the primary address from the bridge
398 interface (as specified by the
399 <option>lxc.network.link</option> option) and use that as
400 the gateway. <option>auto</option> is only available when
401 using the <option>veth</option> and
402 <option>macvlan</option> network types.
403 </para>
404 </listitem>
405 </varlistentry>
406
6ecad93f
DL		 407 <varlistentry>
408 <term>
409 <option>lxc.network.script.up</option>
410 </term>
411 <listitem>
412 <para>
413 add a configuration option to specify a script to be
414 executed after creating and configuring the network used
415 from the host side. The following arguments are passed
416 to the script: container name and config section name
417 (net) Additional arguments depend on the config section
418 employing a script hook; the following are used by the
419 network system: execution context (up), network type
420 (empty/veth/macvlan/phys), Depending on the network
421 type, other arguments may be passed:
422 veth/macvlan/phys. And finally (host-sided) device name.
423 </para>
64f782ca
SH		 424 <para>
425 Standard output from the script is logged at debug level.
426 Standard error is not logged, but can be captured by the
427 hook redirecting its standard error to standard output.
428 </para>
6ecad93f
DL		 429 </listitem>
430 </varlistentry>
74a2b586
JK		 431
432 <varlistentry>
433 <term>
434 <option>lxc.network.script.down</option>
435 </term>
436 <listitem>
437 <para>
438 add a configuration option to specify a script to be
439 executed before destroying the network used from the
440 host side. The following arguments are passed to the
441 script: container name and config section name (net)
442 Additional arguments depend on the config section
443 employing a script hook; the following are used by the
444 network system: execution context (down), network type
445 (empty/veth/macvlan/phys), Depending on the network
446 type, other arguments may be passed:
447 veth/macvlan/phys. And finally (host-sided) device name.
448 </para>
64f782ca
SH		 449 <para>
450 Standard output from the script is logged at debug level.
451 Standard error is not logged, but can be captured by the
452 hook redirecting its standard error to standard output.
453 </para>
74a2b586
JK		 454 </listitem>
455 </varlistentry>
8a67a2b2 456 </variablelist>
8a67a2b2 457 </refsect2>
458
341a091c 459 <refsect2>
460 <title>New pseudo tty instance (devpts)</title>
461 <para>
462 For stricter isolation the container can have its own private
463 instance of the pseudo tty.
464 </para>
465 <variablelist>
466 <varlistentry>
467 <term>
468 <option>lxc.pts</option>
469 </term>
470 <listitem>
471 <para>
9f78081a 472 If set, the container will have a new pseudo tty
473 instance, making this private to it. The value specifies
474 the maximum number of pseudo ttys allowed for a pts
475 instance (this limitation is not implemented yet).
341a091c 476 </para>
477 </listitem>
478 </varlistentry>
479 </variablelist>
480 </refsect2>
481
765a4e07
DL		 482 <refsect2>
483 <title>Container system console</title>
484 <para>
485 If the container is configured with a root filesystem and the
486 inittab file is setup to use the console, you may want to specify
d9e80daf 487 where the output of this console goes.
765a4e07
DL		 488 </para>
489 <variablelist>
490 <varlistentry>
491 <term>
492 <option>lxc.console</option>
493 </term>
494 <listitem>
495 <para>
496 Specify a path to a file where the console output will
dff21ef0
DL		 497 be written. The keyword 'none' will simply disable the
498 console. This is dangerous once if have a rootfs with a
499 console device file where the application can write, the
500 messages will fall in the host.
765a4e07
DL		 501 </para>
502 </listitem>
503 </varlistentry>
504 </variablelist>
505 </refsect2>
506
b0a33c1e 507 <refsect2>
508 <title>Console through the ttys</title>
509 <para>
d9e80daf
DE		 510 This option is useful if the container is configured with a root
511 filesystem and the inittab file is setup to launch a getty on the
512 ttys. The option specifies the number of ttys to be available for
513 the container. The number of gettys in the inittab file of the
514 container should not be greater than the number of ttys specified
515 in this option, otherwise the excess getty sessions will die and
516 respawn indefinitely giving annoying messages on the console or in
517 <filename>/var/log/messages</filename>.
b0a33c1e 518 </para>
519 <variablelist>
520 <varlistentry>
521 <term>
522 <option>lxc.tty</option>
523 </term>
524 <listitem>
525 <para>
526 Specify the number of tty to make available to the
527 container.
528 </para>
529 </listitem>
530 </varlistentry>
531 </variablelist>
532 </refsect2>
533
1305dd24
SH		 534 <refsect2>
535 <title>Console devices location</title>
536 <para>
537 LXC consoles are provided through Unix98 PTYs created on the
538 host and bind-mounted over the expected devices in the container.
539 By default, they are bind-mounted over <filename>/dev/console</filename>
540 and <filename>/dev/ttyN</filename>. This can prevent package upgrades
541 in the guest. Therefore you can specify a directory location (under
542 <filename>/dev</filename> under which LXC will create the files and
543 bind-mount over them. These will then be symbolically linked to
544 <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
545 A package upgrade can then succeed as it is able to remove and replace
546 the symbolic links.
547 </para>
548 <variablelist>
549 <varlistentry>
550 <term>
551 <option>lxc.devttydir</option>
552 </term>
553 <listitem>
554 <para>
555 Specify a directory under <filename>/dev</filename>
556 under which to create the container console devices.
557 </para>
558 </listitem>
559 </varlistentry>
560 </variablelist>
561 </refsect2>
562
c6883f38
SH		 563 <refsect2>
564 <title>/dev directory</title>
565 <para>
566 By default, lxc does nothing with the container's
567 <filename>/dev</filename>. This allows the container's
568 <filename>/dev</filename> to be set up as needed in the container
ad493d03 569 rootfs. If lxc.autodev is set to 1, then after mounting the container's
c6883f38
SH		 570 rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
571 (limited to 100k) and fill in a minimal set of initial devices.
f7bee6c6 572 This is generally required when starting a container containing
840295ff 573 a "systemd" based "init" but may be optional at other times. Additional
f7bee6c6
MW		 574 devices in the containers /dev directory may be created through the
575 use of the <option>lxc.hook.autodev</option> hook.
c6883f38
SH		 576 </para>
577 <variablelist>
578 <varlistentry>
579 <term>
580 <option>lxc.autodev</option>
581 </term>
582 <listitem>
583 <para>
584 Set this to 1 to have LXC mount and populate a minimal
585 <filename>/dev</filename> when starting the container.
586 </para>
587 </listitem>
588 </varlistentry>
589 </variablelist>
590 </refsect2>
591
2f3f41d0
SH		 592 <refsect2>
593 <title>Enable kmsg symlink</title>
594 <para>
595 Enable creating /dev/kmsg as symlink to /dev/console. This defaults to 1.
596 </para>
597 <variablelist>
598 <varlistentry>
599 <term>
600 <option>lxc.kmsg</option>
601 </term>
602 <listitem>
603 <para>
604 Set this to 0 to disable /dev/kmsg symlinking.
605 </para>
606 </listitem>
607 </varlistentry>
608 </variablelist>
609 </refsect2>
610
8a67a2b2 611 <refsect2>
612 <title>Mount points</title>
613 <para>
614 The mount points section specifies the different places to be
615 mounted. These mount points will be private to the container
616 and won't be visible by the processes running outside of the
617 container. This is useful to mount /etc, /var or /home for
618 examples.
619 </para>
620 <variablelist>
621 <varlistentry>
622 <term>
623 <option>lxc.mount</option>
624 </term>
625 <listitem>
626 <para>
627 specify a file location in
628 the <filename>fstab</filename> format, containing the
d9e80daf
DE		 629 mount information. If the rootfs is an image file or a
630 block device and the fstab is used to mount a point
49d3e78d
DL		 631 somewhere in this rootfs, the path of the rootfs mount
632 point should be prefixed with the
633 <filename>@LXCROOTFSMOUNT@</filename> default path or
634 the value of <option>lxc.rootfs.mount</option> if
d9e80daf
DE		 635 specified. Note that when mounting a filesystem from an
636 image file or block device the third field (fs_vfstype)
637 cannot be auto as with
638 <citerefentry>
639 <refentrytitle>mount</refentrytitle>
640 <manvolnum>8</manvolnum>
641 </citerefentry>
642 but must be explicitly specified.
8a67a2b2 643 </para>
644 </listitem>
645 </varlistentry>
0f71d073
DL		 646
647 <varlistentry>
648 <term>
649 <option>lxc.mount.entry</option>
650 </term>
651 <listitem>
652 <para>
653 specify a mount point corresponding to a line in the
654 fstab format.
655 </para>
656 </listitem>
657 </varlistentry>
658
a2ff31c7
CS		 659 <varlistentry>
660 <term>
661 <option>lxc.mount.auto</option>
662 </term>
663 <listitem>
664 <para>
665 specify which standard kernel file systems should be
666 automatically mounted. This may dramatically simplify
667 the configuration. The file systems are:
668 </para>
669 <itemizedlist>
670 <listitem>
3157e673
DE		 671 <para>
672 <option>proc:mixed</option> (or <option>proc</option>):
673 mount <filename>/proc</filename> as read-write, but
674 remount <filename>/proc/sys</filename> and
675 <filename>/proc/sysrq-trigger</filename> read-only
676 for security / container isolation purposes.
677 </para>
a2ff31c7
CS		 678 </listitem>
679 <listitem>
3157e673
DE		 680 <para>
681 <option>proc:rw</option>: mount
682 <filename>/proc</filename> as read-write
683 </para>
a2ff31c7
CS		 684 </listitem>
685 <listitem>
3157e673
DE		 686 <para>
687 <option>sys:ro</option> (or <option>sys</option>):
688 mount <filename>/sys</filename> as read-only
689 for security / container isolation purposes.
690 </para>
a2ff31c7
CS		 691 </listitem>
692 <listitem>
3157e673
DE		 693 <para>
694 <option>sys:rw</option>: mount
695 <filename>/sys</filename> as read-write
696 </para>
a2ff31c7
CS		 697 </listitem>
698 <listitem>
3157e673
DE		 699 <para>
700 <option>cgroup:mixed</option> (or
701 <option>cgroup</option>):
702 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
703 create directories for all hierarchies to which
704 the container is added, create subdirectories
705 there with the name of the cgroup, and bind-mount
706 the container's own cgroup into that directory.
707 The container will be able to write to its own
708 cgroup directory, but not the parents, since they
709 will be remounted read-only
710 </para>
a2ff31c7
CS		 711 </listitem>
712 <listitem>
3157e673
DE		 713 <para>
714 <option>cgroup:ro</option>: similar to
715 <option>cgroup:mixed</option>, but everything will
a2ff31c7 716 be mounted read-only.
3157e673 717 </para>
a2ff31c7
CS		 718 </listitem>
719 <listitem>
3157e673
DE		 720 <para>
721 <option>cgroup:rw</option>: similar to
722 <option>cgroup:mixed</option>, but everything will
723 be mounted read-write. Note that the paths leading
724 up to the container's own cgroup will be writable,
725 but will not be a cgroup filesystem but just part
726 of the tmpfs of <filename>/sys/fs/cgroup</filename>
727 </para>
a2ff31c7
CS		 728 </listitem>
729 <listitem>
3157e673
DE		 730 <para>
731 <option>cgroup-full:mixed</option> (or
732 <option>cgroup-full</option>):
733 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
734 create directories for all hierarchies to which
735 the container is added, bind-mount the hierarchies
736 from the host to the container and make everything
737 read-only except the container's own cgroup. Note
738 that compared to <option>cgroup</option>, where
739 all paths leading up to the container's own cgroup
740 are just simple directories in the underlying
741 tmpfs, here
742 <filename>/sys/fs/cgroup/$hierarchy</filename>
743 will contain the host's full cgroup hierarchy,
744 albeit read-only outside the container's own cgroup.
745 This may leak quite a bit of information into the
746 container.
747 </para>
a2ff31c7
CS		 748 </listitem>
749 <listitem>
3157e673
DE		 750 <para>
751 <option>cgroup-full:ro</option>: similar to
752 <option>cgroup-full:mixed</option>, but everything
753 will be mounted read-only.
754 </para>
a2ff31c7
CS		 755 </listitem>
756 <listitem>
3157e673
DE		 757 <para>
758 <option>cgroup-full:rw</option>: similar to
759 <option>cgroup-full:mixed</option>, but everything
760 will be mounted read-write. Note that in this case,
761 the container may escape its own cgroup. (Note also
762 that if the container has CAP_SYS_ADMIN support
763 and can mount the cgroup filesystem itself, it may
764 do so anyway.)
765 </para>
a2ff31c7
CS		 766 </listitem>
767 </itemizedlist>
768 <para>
769 Examples:
770 </para>
771 <programlisting>
772 lxc.mount.auto = proc sys cgroup
773 lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
774 </programlisting>
775 </listitem>
776 </varlistentry>
777
8a67a2b2 778 </variablelist>
779 </refsect2>
780
781 <refsect2>
782 <title>Root file system</title>
783 <para>
64b90b3d
FW		 784 The root file system of the container can be different than that
785 of the host system.
8a67a2b2 786 </para>
787 <variablelist>
788 <varlistentry>
789 <term>
790 <option>lxc.rootfs</option>
791 </term>
792 <listitem>
793 <para>
49d3e78d
DL		 794 specify the root file system for the container. It can
795 be an image file, a directory or a block device. If not
796 specified, the container shares its root file system
797 with the host.
64b90b3d
FW		 798 </para>
799 </listitem>
800 </varlistentry>
801
802 <varlistentry>
803 <term>
804 <option>lxc.rootfs.mount</option>
805 </term>
806 <listitem>
807 <para>
808 where to recursively bind <option>lxc.rootfs</option>
809 before pivoting. This is to ensure success of the
810 <citerefentry>
811 <refentrytitle><command>pivot_root</command></refentrytitle>
812 <manvolnum>8</manvolnum>
813 </citerefentry>
814 syscall. Any directory suffices, the default should
815 generally work.
816 </para>
817 </listitem>
818 </varlistentry>
819
820 <varlistentry>
821 <term>
822 <option>lxc.pivotdir</option>
823 </term>
824 <listitem>
825 <para>
826 where to pivot the original root file system under
827 <option>lxc.rootfs</option>, specified relatively to
3103609d 828 that. The default is <filename>mnt</filename>.
64b90b3d
FW		 829 It is created if necessary, and also removed after
830 unmounting everything from it during container setup.
8a67a2b2 831 </para>
832 </listitem>
833 </varlistentry>
834 </variablelist>
835 </refsect2>
836
837 <refsect2>
838 <title>Control group</title>
839 <para>
840 The control group section contains the configuration for the
841 different subsystem. <command>lxc</command> does not check the
23a92fad
PF		 842 correctness of the subsystem name. This has the disadvantage
843 of not detecting configuration errors until the container is
844 started, but has the advantage of permitting any future
845 subsystem.
8a67a2b2 846 </para>
847 <variablelist>
848 <varlistentry>
849 <term>
998dc19a 850 <option>lxc.cgroup.[subsystem name]</option>
8a67a2b2 851 </term>
852 <listitem>
853 <para>
23a92fad
PF		 854 specify the control group value to be set. The
855 subsystem name is the literal name of the control group
856 subsystem. The permitted names and the syntax of their
857 values is not dictated by LXC, instead it depends on the
858 features of the Linux kernel running at the time the
859 container is started,
8a67a2b2 860 eg. <option>lxc.cgroup.cpuset.cpus</option>
861 </para>
862 </listitem>
863 </varlistentry>
864 </variablelist>
865 </refsect2>
866
81810dd1
DL		 867 <refsect2>
868 <title>Capabilities</title>
869 <para>
870 The capabilities can be dropped in the container if this one
871 is run as root.
872 </para>
873 <variablelist>
874 <varlistentry>
875 <term>
876 <option>lxc.cap.drop</option>
877 </term>
878 <listitem>
879 <para>
9eb09f87
DL		 880 Specify the capability to be dropped in the container. A
881 single line defining several capabilities with a space
882 separation is allowed. The format is the lower case of
883 the capability definition without the "CAP_" prefix,
81810dd1
DL		 884 eg. CAP_SYS_MODULE should be specified as
885 sys_module. See
886 <citerefentry>
887 <refentrytitle><command>capabilities</command></refentrytitle>
9eb09f87 888 <manvolnum>7</manvolnum>
81810dd1
DL		 889 </citerefentry>,
890 </para>
891 </listitem>
892 </varlistentry>
1fb86a7c
SH		 893 <varlistentry>
894 <term>
895 <option>lxc.cap.keep</option>
896 </term>
897 <listitem>
898 <para>
899 Specify the capability to be kept in the container. All other
900 capabilities will be dropped.
901 </para>
902 </listitem>
903 </varlistentry>
81810dd1
DL		 904 </variablelist>
905 </refsect2>
906
64f782ca
SH		 907 <refsect2>
908 <title>Apparmor profile</title>
909 <para>
910 If lxc was compiled and installed with apparmor support, and the host
911 system has apparmor enabled, then the apparmor profile under which the
912 container should be run can be specified in the container
913 configuration. The default is <command>lxc-container-default</command>.
914 </para>
915 <variablelist>
916 <varlistentry>
917 <term>
918 <option>lxc.aa_profile</option>
919 </term>
920 <listitem>
921 <para>
922 Specify the apparmor profile under which the container should
923 be run. To specify that the container should be unconfined,
924 use
925 </para>
926 <programlisting>lxc.aa_profile = unconfined</programlisting>
927 </listitem>
928 </varlistentry>
929 </variablelist>
930 </refsect2>
931
fe4de9a6
DE		 932 <refsect2>
933 <title>SELinux context</title>
934 <para>
935 If lxc was compiled and installed with SELinux support, and the host
936 system has SELinux enabled, then the SELinux context under which the
937 container should be run can be specified in the container
938 configuration. The default is <command>unconfined_t</command>,
939 which means that lxc will not attempt to change contexts.
940 </para>
941 <variablelist>
942 <varlistentry>
943 <term>
944 <option>lxc.se_context</option>
945 </term>
946 <listitem>
947 <para>
948 Specify the SELinux context under which the container should
949 be run or <command>unconfined_t</command>. For example
950 </para>
951 <programlisting>lxc.se_context = unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023</programlisting>
952 </listitem>
953 </varlistentry>
954 </variablelist>
955 </refsect2>
956
64f782ca
SH		 957 <refsect2>
958 <title>Seccomp configuration</title>
959 <para>
960 A container can be started with a reduced set of available
961 system calls by loading a seccomp profile at startup. The
962 seccomp configuration file should begin with a version number
963 (which currently must be 1) on the first line, a policy type
964 (which must be 'whitelist') on the second line, followed by a
965 list of allowed system call numbers, one per line.
966 </para>
967 <variablelist>
968 <varlistentry>
969 <term>
970 <option>lxc.seccomp</option>
971 </term>
972 <listitem>
973 <para>
974 Specify a file containing the seccomp configuration to
975 load before the container starts.
976 </para>
977 </listitem>
978 </varlistentry>
979 </variablelist>
980 </refsect2>
981
f6d3e3e4
SH		 982 <refsect2>
983 <title>UID mappings</title>
984 <para>
985 A container can be started in a private user namespace with
986 user and group id mappings. For instance, you can map userid
987 0 in the container to userid 200000 on the host. The root
988 user in the container will be privileged in the container,
989 but unprivileged on the host. Normally a system container
990 will want a range of ids, so you would map, for instance,
991 user and group ids 0 through 20,000 in the container to the
992 ids 200,000 through 220,000.
993 </para>
994 <variablelist>
995 <varlistentry>
996 <term>
997 <option>lxc.id_map</option>
998 </term>
999 <listitem>
1000 <para>
1001 Four values must be provided. First a character, either
ac7725e7
DE		 1002 'u', or 'g', to specify whether user or group ids are
1003 being mapped. Next is the first userid as seen in the
1004 user namespace of the container. Next is the userid as
1005 seen on the host. Finally, a range indicating the number
1006 of consecutive ids to map.
f6d3e3e4 1007 </para>
f6d3e3e4
SH		 1008 </listitem>
1009 </varlistentry>
1010 </variablelist>
1011 </refsect2>
1012
472c97e9 1013 <refsect2>
dc92f6c7 1014 <title>Container hooks</title>
472c97e9 1015 <para>
dc92f6c7 1016 Container hooks are programs or scripts which can be executed
472c97e9
SH		 1017 at various times in a container's lifetime.
1018 </para>
baece282
SH		 1019 <para>
1020 When a container hook is executed, information is passed both
1021 as command line arguments and through environment variables.
1022 The arguments are:
1023 <itemizedlist>
3157e673
DE		 1024 <listitem><para> Container name. </para></listitem>
1025 <listitem><para> Section (always 'lxc'). </para></listitem>
1026 <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
1027 <listitem><para> Additional arguments In the
baece282 1028 case of the clone hook, any extra arguments passed to
3157e673 1029 lxc-clone will appear as further arguments to the hook. </para></listitem>
baece282
SH		 1030 </itemizedlist>
1031 The following environment variables are set:
1032 <itemizedlist>
3157e673
DE		 1033 <listitem><para> LXC_NAME: is the container's name. </para></listitem>
1034 <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
1035 <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
1036 <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
1037 <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
baece282
SH		 1038 </itemizedlist>
1039 </para>
64f782ca
SH		 1040 <para>
1041 Standard output from the hooks is logged at debug level.
1042 Standard error is not logged, but can be captured by the
1043 hook redirecting its standard error to standard output.
1044 </para>
472c97e9
SH		 1045 <variablelist>
1046 <varlistentry>
1047 <term>
1048 <option>lxc.hook.pre-start</option>
1049 </term>
1050 <listitem>
1051 <para>
1052 A hook to be run in the host's namespace before the
1053 container ttys, consoles, or mounts are up.
1054 </para>
1055 </listitem>
1056 </varlistentry>
1057 </variablelist>
1058 <variablelist>
1059 <varlistentry>
1060 <term>
1061 <option>lxc.hook.pre-mount</option>
1062 </term>
1063 <listitem>
1064 <para>
472c97e9
SH		 1065 A hook to be run in the container's fs namespace but before
1066 the rootfs has been set up. This allows for manipulation
1067 of the rootfs, i.e. to mount an encrypted filesystem. Mounts
1068 done in this hook will not be reflected on the host (apart from
1069 mounts propagation), so they will be automatically cleaned up
1070 when the container shuts down.
1071 </para>
1072 </listitem>
1073 </varlistentry>
1074 </variablelist>
1075 <variablelist>
1076 <varlistentry>
1077 <term>
1078 <option>lxc.hook.mount</option>
1079 </term>
1080 <listitem>
1081 <para>
1082 A hook to be run in the container's namespace after
1083 mounting has been done, but before the pivot_root.
1084 </para>
1085 </listitem>
1086 </varlistentry>
1087 </variablelist>
f7bee6c6
MW		 1088 <variablelist>
1089 <varlistentry>
1090 <term>
1091 <option>lxc.hook.autodev</option>
1092 </term>
1093 <listitem>
1094 <para>
1095 A hook to be run in the container's namespace after
1096 mounting has been done and after any mount hooks have
1097 run, but before the pivot_root, if
1098 <option>lxc.autodev</option> == 1.
1099 The purpose of this hook is to assist in populating the
1100 /dev directory of the container when using the autodev
1101 option for systemd based containers. The container's /dev
1102 directory is relative to the
1103 ${<option>LXC_ROOTFS_MOUNT</option>} environment
1104 variable available when the hook is run.
1105 </para>
1106 </listitem>
1107 </varlistentry>
1108 </variablelist>
472c97e9
SH		 1109 <variablelist>
1110 <varlistentry>
1111 <term>
1112 <option>lxc.hook.start</option>
1113 </term>
1114 <listitem>
1115 <para>
1116 A hook to be run in the container's namespace immediately
1117 before executing the container's init. This requires the
1118 program to be available in the container.
1119 </para>
1120 </listitem>
1121 </varlistentry>
1122 </variablelist>
1123 <variablelist>
1124 <varlistentry>
1125 <term>
1126 <option>lxc.hook.post-stop</option>
1127 </term>
1128 <listitem>
1129 <para>
1130 A hook to be run in the host's namespace after the
1131 container has been shut down.
1132 </para>
1133 </listitem>
1134 </varlistentry>
1135 </variablelist>
dc92f6c7
SH		 1136 <variablelist>
1137 <varlistentry>
1138 <term>
1139 <option>lxc.hook.clone</option>
1140 </term>
1141 <listitem>
1142 <para>
1143 A hook to be run when the container is cloned to a new one.
3157e673
DE		 1144 See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
1145 <manvolnum>1</manvolnum></citerefentry> for more information.
dc92f6c7
SH		 1146 </para>
1147 </listitem>
1148 </varlistentry>
1149 </variablelist>
472c97e9
SH		 1150 </refsect2>
1151
f7bee6c6 1152 <refsect2>
dc92f6c7 1153 <title>Container hooks Environment Variables</title>
f7bee6c6
MW		 1154 <para>
1155 A number of environment variables are made available to the startup
1156 hooks to provide configuration information and assist in the
1157 functioning of the hooks. Not all variables are valid in all
1158 contexts. In particular, all paths are relative to the host system
1159 and, as such, not valid during the <option>lxc.hook.start</option> hook.
1160 </para>
1161 <variablelist>
1162 <varlistentry>
1163 <term>
1164 <option>LXC_NAME</option>
1165 </term>
1166 <listitem>
1167 <para>
1168 The LXC name of the container. Useful for logging messages
dd97408a 1169 in common log environments. [<option>-n</option>]
f7bee6c6
MW		 1170 </para>
1171 </listitem>
1172 </varlistentry>
1173 </variablelist>
1174 <variablelist>
1175 <varlistentry>
1176 <term>
1177 <option>LXC_CONFIG_FILE</option>
1178 </term>
1179 <listitem>
1180 <para>
1181 Host relative path to the container configuration file. This
1182 gives the container to reference the original, top level,
1183 configuration file for the container in order to locate any
840295ff 1184 additional configuration information not otherwise made
f7bee6c6
MW		 1185 available. [<option>-f</option>]
1186 </para>
1187 </listitem>
1188 </varlistentry>
1189 </variablelist>
1190 <variablelist>
1191 <varlistentry>
1192 <term>
1193 <option>LXC_CONSOLE</option>
1194 </term>
1195 <listitem>
1196 <para>
1197 The path to the console output of the container if not NULL.
1198 [<option>-c</option>] [<option>lxc.console</option>]
1199 </para>
1200 </listitem>
1201 </varlistentry>
1202 </variablelist>
1203 <variablelist>
1204 <varlistentry>
1205 <term>
1206 <option>LXC_CONSOLE_LOGPATH</option>
1207 </term>
1208 <listitem>
1209 <para>
1210 The path to the console log output of the container if not NULL.
1211 [<option>-L</option>]
1212 </para>
1213 </listitem>
1214 </varlistentry>
1215 </variablelist>
1216 <variablelist>
1217 <varlistentry>
1218 <term>
1219 <option>LXC_ROOTFS_MOUNT</option>
1220 </term>
1221 <listitem>
1222 <para>
1223 The mount location to which the container is initially bound.
1224 This will be the host relative path to the container rootfs
1225 for the container instance being started and is where changes
1226 should be made for that instance.
1227 [<option>lxc.rootfs.mount</option>]
1228 </para>
1229 </listitem>
1230 </varlistentry>
1231 </variablelist>
1232 <variablelist>
1233 <varlistentry>
1234 <term>
1235 <option>LXC_ROOTFS_PATH</option>
1236 </term>
1237 <listitem>
1238 <para>
1239 The host relative path to the container root which has been
1240 mounted to the rootfs.mount location.
1241 [<option>lxc.rootfs</option>]
1242 </para>
1243 </listitem>
1244 </varlistentry>
1245 </variablelist>
1246
1247 </refsect2>
64f782ca 1248 <refsect2>
ee1e7aa0 1249 <title>Logging</title>
64f782ca
SH		 1250 <para>
1251 Logging can be configured on a per-container basis. By default,
1252 depending upon how the lxc package was compiled, container startup
1253 is logged only at the ERROR level, and logged to a file named after
1254 the container (with '.log' appended) either under the container path,
1255 or under @LOGPATH@.
1256 </para>
1257 <para>
1258 Both the default log level and the log file can be specified in the
1259 container configuration file, overriding the default behavior. Note
1260 that the configuration file entries can in turn be overridden by the
1261 command line options to <command>lxc-start</command>.
1262 </para>
1263 <variablelist>
1264 <varlistentry>
1265 <term>
1266 <option>lxc.loglevel</option>
1267 </term>
1268 <listitem>
1269 <para>
1270 The level at which to log. The log level is an integer in
1271 the range of 0..8 inclusive, where a lower number means more
1272 verbose debugging. In particular 0 = trace, 1 = debug, 2 =
1273 info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
1274 alert, and 8 = fatal. If unspecified, the level defaults
1275 to 5 (error), so that only errors and above are logged.
1276 </para>
1277 <para>
1278 Note that when a script (such as either a hook script or a
1279 network interface up or down script) is called, the script's
1280 standard output is logged at level 1, debug.
1281 </para>
1282 </listitem>
1283 </varlistentry>
1284 <varlistentry>
1285 <term>
1286 <option>lxc.logfile</option>
1287 </term>
1288 <listitem>
1289 <para>
1290 The file to which logging info should be written.
1291 </para>
1292 </listitem>
1293 </varlistentry>
1294 </variablelist>
1295 </refsect2>
f7bee6c6 1296
ee1e7aa0
SG		 1297 <refsect2>
1298 <title>Autostart</title>
1299 <para>
1300 The autostart options support marking which containers should be
1301 auto-started and in what order. These options may be used by LXC tools
1302 directly or by external tooling provided by the distributions.
1303 </para>
1304
1305 <variablelist>
1306 <varlistentry>
1307 <term>
1308 <option>lxc.start.auto</option>
1309 </term>
1310 <listitem>
1311 <para>
1312 Whether the container should be auto-started.
1313 Valid values are 0 (off) and 1 (on).
1314 </para>
1315 </listitem>
1316 </varlistentry>
1317 <varlistentry>
1318 <term>
1319 <option>lxc.start.delay</option>
1320 </term>
1321 <listitem>
1322 <para>
1323 How long to wait (in seconds) after the container is
1324 started before starting the next one.
1325 </para>
1326 </listitem>
1327 </varlistentry>
1328 <varlistentry>
1329 <term>
1330 <option>lxc.start.order</option>
1331 </term>
1332 <listitem>
1333 <para>
1334 An integer used to sort the containers when auto-starting
1335 a series of containers at once.
1336 </para>
1337 </listitem>
1338 </varlistentry>
1339 <varlistentry>
1340 <term>
1341 <option>lxc.group</option>
1342 </term>
1343 <listitem>
1344 <para>
1345 A multi-value key (can be used multiple times) to put the
1346 container in a container group. Those groups can then be
1347 used (amongst other things) to start a series of related
1348 containers.
1349 </para>
1350 </listitem>
1351 </varlistentry>
1352 </variablelist>
1353 </refsect2>
8a67a2b2 1354 </refsect1>
1355
1356 <refsect1>
1357 <title>Examples</title>
b78b2125
MN		 1358 <para>
1359 In addition to the few examples given below, you will find
1360 some other examples of configuration file in @DOCDIR@/examples
1361 </para>
8a67a2b2 1362 <refsect2>
1363 <title>Network</title>
1364 <para>This configuration sets up a container to use a veth pair
1365 device with one side plugged to a bridge br0 (which has been
1366 configured before on the system by the administrator). The
1367 virtual network device visible in the container is renamed to
1368 eth0.</para>
b78b2125
MN		 1369 <programlisting>
1370 lxc.utsname = myhostname
1371 lxc.network.type = veth
1372 lxc.network.flags = up
1373 lxc.network.link = br0
1374 lxc.network.name = eth0
1375 lxc.network.hwaddr = 4a:49:43:49:79:bf
5548f218 1376 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
b78b2125
MN		 1377 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
1378 </programlisting>
8a67a2b2 1379 </refsect2>
1380
ac7725e7
DE		 1381 <refsect2>
1382 <title>UID/GID mapping</title>
1383 <para>This configuration will map both user and group ids in the
1384 range 0-9999 in the container to the ids 100000-109999 on the host.
1385 </para>
1386 <programlisting>
1387 lxc.id_map = u 0 100000 10000
1388 lxc.id_map = g 0 100000 10000
1389 </programlisting>
1390 </refsect2>
1391
8a67a2b2 1392 <refsect2>
1393 <title>Control group</title>
1394 <para>This configuration will setup several control groups for
1395 the application, cpuset.cpus restricts usage of the defined cpu,
1396 cpus.share prioritize the control group, devices.allow makes
1397 usable the specified devices.</para>
b78b2125
MN		 1398 <programlisting>
1399 lxc.cgroup.cpuset.cpus = 0,1
1400 lxc.cgroup.cpu.shares = 1234
1401 lxc.cgroup.devices.deny = a
1402 lxc.cgroup.devices.allow = c 1:3 rw
1403 lxc.cgroup.devices.allow = b 8:0 rw
1404 </programlisting>
8a67a2b2 1405 </refsect2>
1406
1407 <refsect2>
1408 <title>Complex configuration</title>
1409 <para>This example show a complex configuration making a complex
1410 network stack, using the control groups, setting a new hostname,
b78b2125
MN		 1411 mounting some locations and a changing root file system.</para>
1412 <programlisting>
1413 lxc.utsname = complex
1414 lxc.network.type = veth
1415 lxc.network.flags = up
1416 lxc.network.link = br0
1417 lxc.network.hwaddr = 4a:49:43:49:79:bf
5548f218 1418 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
b78b2125
MN		 1419 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
1420 lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
1421 lxc.network.type = macvlan
1422 lxc.network.flags = up
1423 lxc.network.link = eth0
1424 lxc.network.hwaddr = 4a:49:43:49:79:bd
5548f218 1425 lxc.network.ipv4 = 10.2.3.4/24
b78b2125
MN		 1426 lxc.network.ipv4 = 192.168.10.125/24
1427 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
1428 lxc.network.type = phys
1429 lxc.network.flags = up
1430 lxc.network.link = dummy0
1431 lxc.network.hwaddr = 4a:49:43:49:79:ff
5548f218 1432 lxc.network.ipv4 = 10.2.3.6/24
b78b2125
MN		 1433 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
1434 lxc.cgroup.cpuset.cpus = 0,1
1435 lxc.cgroup.cpu.shares = 1234
1436 lxc.cgroup.devices.deny = a
1437 lxc.cgroup.devices.allow = c 1:3 rw
1438 lxc.cgroup.devices.allow = b 8:0 rw
1439 lxc.mount = /etc/fstab.complex
1440 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
1441 lxc.rootfs = /mnt/rootfs.complex
1442 lxc.cap.drop = sys_module mknod setuid net_raw
1443 lxc.cap.drop = mac_override
1444 </programlisting>
8a67a2b2 1445 </refsect2>
1446
1447 </refsect1>
1448
1449 <refsect1>
1450 <title>See Also</title>
f79d43bb 1451 <simpara>
8a67a2b2 1452 <citerefentry>
1453 <refentrytitle><command>chroot</command></refentrytitle>
1454 <manvolnum>1</manvolnum>
1455 </citerefentry>,
1456
1457 <citerefentry>
1458 <refentrytitle><command>pivot_root</command></refentrytitle>
1459 <manvolnum>8</manvolnum>
1460 </citerefentry>,
1461
1462 <citerefentry>
1463 <refentrytitle><filename>fstab</filename></refentrytitle>
1464 <manvolnum>5</manvolnum>
6320e494 1465 </citerefentry>,
8a67a2b2 1466
6320e494
SG		 1467 <citerefentry>
1468 <refentrytitle><filename>capabilities</filename></refentrytitle>
1469 <manvolnum>7</manvolnum>
1470 </citerefentry>
8a67a2b2 1471 </simpara>
1472 </refsect1>
f79d43bb 1473
99e4008c
MN		 1474 &seealso;
1475
8a67a2b2 1476 <refsect1>
1477 <title>Author</title>
1478 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
1479 </refsect1>
f79d43bb 1480
8a67a2b2 1481</refentry>
1482
1483<!-- Keep this comment at the end of the file
1484Local variables:
1485mode: sgml
1486sgml-omittag:t
1487sgml-shorttag:t
1488sgml-minimize-attributes:nil
1489sgml-always-quote-attributes:t
1490sgml-indent-step:2
1491sgml-indent-data:t
1492sgml-parent-document:nil
1493sgml-default-dtd-file:nil
1494sgml-exposed-tags:nil
1495sgml-local-catalogs:nil
1496sgml-local-ecat-files:nil
1497End:
1498-->
LXC mirror