]> git.proxmox.com Git - mirror_lxc.git/blame - doc/lxc.conf.sgml.in
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ubuntu templates cleanups
[mirror_lxc.git] / doc / lxc.conf.sgml.in
CommitLineData
8a67a2b2 1<!--
2
3lxc: linux Container library
4
5(C) Copyright IBM Corp. 2007, 2008
6
7Authors:
8Daniel Lezcano <dlezcano at fr.ibm.com>
9
10This library is free software; you can redistribute it and/or
11modify it under the terms of the GNU Lesser General Public
12License as published by the Free Software Foundation; either
13version 2.1 of the License, or (at your option) any later version.
14
15This library is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18Lesser General Public License for more details.
19
20You should have received a copy of the GNU Lesser General Public
21License along with this library; if not, write to the Free Software
22Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23
24-->
25
99e4008c
MN		 26<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN" [
27
28<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
29]>
8a67a2b2 30
31<refentry>
32
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
34
35 <refmeta>
36 <refentrytitle>lxc.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
38 </refmeta>
39
40 <refnamediv>
41 <refname>lxc.conf</refname>
42
43 <refpurpose>
44 linux container configuration file
45 </refpurpose>
46 </refnamediv>
47
48 <refsect1>
49 <title>Description</title>
50
51 <para>
52 The linux containers (<command>lxc</command>) are always created
53 before being used. This creation defines a set of system
54 resources to be virtualized / isolated when a process is using
55 the container. By default, the pids, sysv ipc and mount points
56 are virtualized and isolated. The other system resources are
57 shared across containers, until they are explicitly defined in
58 the configuration file. For example, if there is no network
59 configuration, the network will be shared between the creator of
60 the container and the container itself, but if the network is
61 specified, a new network stack is created for the container and
62 the container can no longer use the network of its ancestor.
63 </para>
64
65 <para>
66 The configuration file defines the different system resources to
67 be assigned for the container. At present, the utsname, the
68 network, the mount points, the root file system and the control
69 groups are supported.
70 </para>
71
72 <para>
73 Each option in the configuration file has the form <command>key
23a92fad 74 = value</command> fitting in one line. The '#' character means
8a67a2b2 75 the line is a comment.
76 </para>
77
cccc74b5
DL		 78 <refsect2>
79 <title>Architecture</title>
80 <para>
81 Allows to set the architecture for the container. For example,
82 set a 32bits architecture for a container running 32bits
83 binaries on a 64bits host. That fix the container scripts
84 which rely on the architecture to do some work like
85 downloading the packages.
86 </para>
87
88 <variablelist>
89 <varlistentry>
90 <term>
91 <option>lxc.arch</option>
92 </term>
93 <listitem>
94 <para>
95 Specify the architecture for the container.
96 </para>
97 <para>
98 Valid options are
99 <option>x86</option>,
100 <option>i686</option>,
101 <option>x86_64</option>,
102 <option>amd64</option>
103 </para>
104 </listitem>
105 </varlistentry>
106 </variablelist>
107
108 </refsect2>
109
8a67a2b2 110 <refsect2>
111 <title>Hostname</title>
112 <para>
113 The utsname section defines the hostname to be set for the
114 container. That means the container can set its own hostname
115 without changing the one from the system. That makes the
116 hostname private for the container.
117 </para>
118 <variablelist>
119 <varlistentry>
120 <term>
121 <option>lxc.utsname</option>
122 </term>
123 <listitem>
124 <para>
125 specify the hostname for the container
126 </para>
127 </listitem>
128 </varlistentry>
129 </variablelist>
130 </refsect2>
131
132 <refsect2>
133 <title>Network</title>
134 <para>
135 The network section defines how the network is virtualized in
23a92fad
PF		 136 the container. The network virtualization acts at layer
137 two. In order to use the network virtualization, parameters
138 must be specified to define the network interfaces of the
139 container. Several virtual interfaces can be assigned and used
140 in a container even if the system has only one physical
8a67a2b2 141 network interface.
142 </para>
143 <variablelist>
144 <varlistentry>
145 <term>
146 <option>lxc.network.type</option>
147 </term>
148 <listitem>
149 <para>
150 specify what kind of network virtualization to be used
151 for the container. Each time
152 a <option>lxc.network.type</option> field is found a new
23a92fad
PF		 153 round of network configuration begins. In this way,
154 several network virtualization types can be specified
155 for the same container, as well as assigning several
156 network interfaces for one container. The different
8a67a2b2 157 virtualization types can be:
158 </para>
159
160 <para>
23a92fad 161 <option>empty:</option> will create only the loopback
8a67a2b2 162 interface.
163 </para>
164
165 <para>
23a92fad
PF		 166 <option>veth:</option> a peer network device is created
167 with one side assigned to the container and the other
168 side is attached to a bridge specified by
169 the <option>lxc.network.link</option>. If the bridge is
170 not specified, then the veth pair device will be created
171 but not attached to any bridge. Otherwise, the bridge
172 has to be setup before on the
173 system, <command>lxc</command> won't handle any
174 configuration outside of the container. By
e892973e
DL		 175 default <command>lxc</command> choose a name for the
176 network device belonging to the outside of the
177 container, this name is handled
178 by <command>lxc</command>, but if you wish to handle
179 this name yourself, you can tell <command>lxc</command>
180 to set a specific name with
181 the <option>lxc.network.veth.pair</option> option.
182 </para>
183
184 <para>
23a92fad
PF		 185 <option>vlan:</option> a vlan interface is linked with
186 the interface specified by
e892973e
DL		 187 the <option>lxc.network.link</option> and assigned to
188 the container. The vlan identifier is specified with the
189 option <option>lxc.network.vlan.id</option>.
8a67a2b2 190 </para>
191
192 <para>
23a92fad
PF		 193 <option>macvlan:</option> a macvlan interface is linked
194 with the interface specified by
8a67a2b2 195 the <option>lxc.network.link</option> and assigned to
196 the container.
e892973e
DL		 197 <option>lxc.network.macvlan.mode</option> specifies the
198 mode the macvlan will use to communicate between
199 different macvlan on the same upper device. The accepted
200 modes are <option>private</option>, the device never
201 communicates with any other device on the same upper_dev (default),
202 <option>vepa</option>, the new Virtual Ethernet Port
203 Aggregator (VEPA) mode, it assumes that the adjacent
204 bridge returns all frames where both source and
205 destination are local to the macvlan port, i.e. the
206 bridge is set up as a reflective relay. Broadcast
207 frames coming in from the upper_dev get flooded to all
208 macvlan interfaces in VEPA mode, local frames are not
209 delivered locallay, or <option>bridge</option>, it
210 provides the behavior of a simple bridge between
211 different macvlan interfaces on the same port. Frames
212 from one interface to another one get delivered directly
213 and are not sent out externally. Broadcast frames get
214 flooded to all other bridge ports and to the external
215 interface, but when they come back from a reflective
216 relay, we don't deliver them again. Since we know all
217 the MAC addresses, the macvlan bridge mode does not
218 require learning or STP like the bridge module does.
8a67a2b2 219 </para>
220
221 <para>
23a92fad
PF		 222 <option>phys:</option> an already existing interface
223 specified by the <option>lxc.network.link</option> is
224 assigned to the container.
8a67a2b2 225 </para>
226 </listitem>
227 </varlistentry>
228
229 <varlistentry>
230 <term>
231 <option>lxc.network.flags</option>
232 </term>
233 <listitem>
234 <para>
235 specify an action to do for the
236 network.
237 </para>
238
239 <para><option>up:</option> activates the interface.
240 </para>
241 </listitem>
242 </varlistentry>
243
244 <varlistentry>
245 <term>
246 <option>lxc.network.link</option>
247 </term>
248 <listitem>
249 <para>
250 specify the interface to be used for real network
251 traffic.
252 </para>
253 </listitem>
254 </varlistentry>
255
256 <varlistentry>
257 <term>
258 <option>lxc.network.name</option>
259 </term>
260 <listitem>
261 <para>
23a92fad
PF		 262 the interface name is dynamically allocated, but if
263 another name is needed because the configuration files
8a67a2b2 264 being used by the container use a generic name,
265 eg. eth0, this option will rename the interface in the
266 container.
267 </para>
268 </listitem>
269 </varlistentry>
270
271 <varlistentry>
272 <term>
273 <option>lxc.network.hwaddr</option>
274 </term>
275 <listitem>
276 <para>
277 the interface mac address is dynamically allocated by
23a92fad
PF		 278 default to the virtual interface, but in some cases,
279 this is needed to resolve a mac address conflict or to
280 always have the same link-local ipv6 address
8a67a2b2 281 </para>
282 </listitem>
283 </varlistentry>
284
285 <varlistentry>
286 <term>
287 <option>lxc.network.ipv4</option>
288 </term>
289 <listitem>
290 <para>
291 specify the ipv4 address to assign to the virtualized
292 interface. Several lines specify several ipv4 addresses.
293 The address is in format x.y.z.t/m,
955f4ce6
DL		 294 eg. 192.168.1.123/24. The broadcast address should be
295 specified on the same line, right after the ipv4
296 address.
8a67a2b2 297 </para>
298 </listitem>
299 </varlistentry>
300
be58c6b5
MK		 301 <varlistentry>
302 <term>
303 <option>lxc.network.ipv4.gateway</option>
304 </term>
305 <listitem>
306 <para>
307 specify the ipv4 address to use as the gateway inside the
308 container. The address is in format x.y.z.t, eg.
309 192.168.1.123.
310
311 Can also have the special value <option>auto</option>,
312 which means to take the primary address from the bridge
313 interface (as specified by the
314 <option>lxc.network.link</option> option) and use that as
315 the gateway. <option>auto</option> is only available when
316 using the <option>veth</option> and
317 <option>macvlan</option> network types.
318 </para>
319 </listitem>
320 </varlistentry>
321
322
8a67a2b2 323 <varlistentry>
324 <term>
325 <option>lxc.network.ipv6</option>
326 </term>
327 <listitem>
328 <para>
329 specify the ipv6 address to assign to the virtualized
330 interface. Several lines specify several ipv6 addresses.
331 The address is in format x::y/m,
332 eg. 2003:db8:1:0:214:1234:fe0b:3596/64
333 </para>
334 </listitem>
335 </varlistentry>
336
be58c6b5
MK		 337 <varlistentry>
338 <term>
339 <option>lxc.network.ipv6.gateway</option>
340 </term>
341 <listitem>
342 <para>
343 specify the ipv6 address to use as the gateway inside the
344 container. The address is in format x::y,
345 eg. 2003:db8:1:0::1
346
347 Can also have the special value <option>auto</option>,
348 which means to take the primary address from the bridge
349 interface (as specified by the
350 <option>lxc.network.link</option> option) and use that as
351 the gateway. <option>auto</option> is only available when
352 using the <option>veth</option> and
353 <option>macvlan</option> network types.
354 </para>
355 </listitem>
356 </varlistentry>
357
6ecad93f
DL		 358 <varlistentry>
359 <term>
360 <option>lxc.network.script.up</option>
361 </term>
362 <listitem>
363 <para>
364 add a configuration option to specify a script to be
365 executed after creating and configuring the network used
366 from the host side. The following arguments are passed
367 to the script: container name and config section name
368 (net) Additional arguments depend on the config section
369 employing a script hook; the following are used by the
370 network system: execution context (up), network type
371 (empty/veth/macvlan/phys), Depending on the network
372 type, other arguments may be passed:
373 veth/macvlan/phys. And finally (host-sided) device name.
374 </para>
375 </listitem>
376 </varlistentry>
8a67a2b2 377 </variablelist>
8a67a2b2 378 </refsect2>
379
341a091c 380 <refsect2>
381 <title>New pseudo tty instance (devpts)</title>
382 <para>
383 For stricter isolation the container can have its own private
384 instance of the pseudo tty.
385 </para>
386 <variablelist>
387 <varlistentry>
388 <term>
389 <option>lxc.pts</option>
390 </term>
391 <listitem>
392 <para>
9f78081a 393 If set, the container will have a new pseudo tty
394 instance, making this private to it. The value specifies
395 the maximum number of pseudo ttys allowed for a pts
396 instance (this limitation is not implemented yet).
341a091c 397 </para>
398 </listitem>
399 </varlistentry>
400 </variablelist>
401 </refsect2>
402
765a4e07
DL		 403 <refsect2>
404 <title>Container system console</title>
405 <para>
406 If the container is configured with a root filesystem and the
407 inittab file is setup to use the console, you may want to specify
408 where goes the output of this console.
409 </para>
410 <variablelist>
411 <varlistentry>
412 <term>
413 <option>lxc.console</option>
414 </term>
415 <listitem>
416 <para>
417 Specify a path to a file where the console output will
dff21ef0
DL		 418 be written. The keyword 'none' will simply disable the
419 console. This is dangerous once if have a rootfs with a
420 console device file where the application can write, the
421 messages will fall in the host.
765a4e07
DL		 422 </para>
423 </listitem>
424 </varlistentry>
425 </variablelist>
426 </refsect2>
427
b0a33c1e 428 <refsect2>
429 <title>Console through the ttys</title>
430 <para>
431 If the container is configured with a root filesystem and the
432 inittab file is setup to launch a getty on the ttys. This
433 option will specify the number of ttys to be available for the
434 container. The number of getty in the inittab file of the
23a92fad
PF		 435 container should not be greater than the number of ttys
436 specified in this configuration file, otherwise the excess
437 getty sessions will die and respawn indefinitly giving
438 annoying messages on the console.
b0a33c1e 439 </para>
440 <variablelist>
441 <varlistentry>
442 <term>
443 <option>lxc.tty</option>
444 </term>
445 <listitem>
446 <para>
447 Specify the number of tty to make available to the
448 container.
449 </para>
450 </listitem>
451 </varlistentry>
452 </variablelist>
453 </refsect2>
454
8a67a2b2 455 <refsect2>
456 <title>Mount points</title>
457 <para>
458 The mount points section specifies the different places to be
459 mounted. These mount points will be private to the container
460 and won't be visible by the processes running outside of the
461 container. This is useful to mount /etc, /var or /home for
462 examples.
463 </para>
464 <variablelist>
465 <varlistentry>
466 <term>
467 <option>lxc.mount</option>
468 </term>
469 <listitem>
470 <para>
471 specify a file location in
472 the <filename>fstab</filename> format, containing the
49d3e78d
DL		 473 mount informations. If the rootfs is an image file or a
474 device block and the fstab is used to mount a point
475 somewhere in this rootfs, the path of the rootfs mount
476 point should be prefixed with the
477 <filename>@LXCROOTFSMOUNT@</filename> default path or
478 the value of <option>lxc.rootfs.mount</option> if
479 specified.
8a67a2b2 480 </para>
481 </listitem>
482 </varlistentry>
0f71d073
DL		 483
484 <varlistentry>
485 <term>
486 <option>lxc.mount.entry</option>
487 </term>
488 <listitem>
489 <para>
490 specify a mount point corresponding to a line in the
491 fstab format.
492 </para>
493 </listitem>
494 </varlistentry>
495
8a67a2b2 496 </variablelist>
497 </refsect2>
498
499 <refsect2>
500 <title>Root file system</title>
501 <para>
64b90b3d
FW		 502 The root file system of the container can be different than that
503 of the host system.
8a67a2b2 504 </para>
505 <variablelist>
506 <varlistentry>
507 <term>
508 <option>lxc.rootfs</option>
509 </term>
510 <listitem>
511 <para>
49d3e78d
DL		 512 specify the root file system for the container. It can
513 be an image file, a directory or a block device. If not
514 specified, the container shares its root file system
515 with the host.
64b90b3d
FW		 516 </para>
517 </listitem>
518 </varlistentry>
519
520 <varlistentry>
521 <term>
522 <option>lxc.rootfs.mount</option>
523 </term>
524 <listitem>
525 <para>
526 where to recursively bind <option>lxc.rootfs</option>
527 before pivoting. This is to ensure success of the
528 <citerefentry>
529 <refentrytitle><command>pivot_root</command></refentrytitle>
530 <manvolnum>8</manvolnum>
531 </citerefentry>
532 syscall. Any directory suffices, the default should
533 generally work.
534 </para>
535 </listitem>
536 </varlistentry>
537
538 <varlistentry>
539 <term>
540 <option>lxc.pivotdir</option>
541 </term>
542 <listitem>
543 <para>
544 where to pivot the original root file system under
545 <option>lxc.rootfs</option>, specified relatively to
3103609d 546 that. The default is <filename>mnt</filename>.
64b90b3d
FW		 547 It is created if necessary, and also removed after
548 unmounting everything from it during container setup.
8a67a2b2 549 </para>
550 </listitem>
551 </varlistentry>
552 </variablelist>
553 </refsect2>
554
555 <refsect2>
556 <title>Control group</title>
557 <para>
558 The control group section contains the configuration for the
559 different subsystem. <command>lxc</command> does not check the
23a92fad
PF		 560 correctness of the subsystem name. This has the disadvantage
561 of not detecting configuration errors until the container is
562 started, but has the advantage of permitting any future
563 subsystem.
8a67a2b2 564 </para>
565 <variablelist>
566 <varlistentry>
567 <term>
998dc19a 568 <option>lxc.cgroup.[subsystem name]</option>
8a67a2b2 569 </term>
570 <listitem>
571 <para>
23a92fad
PF		 572 specify the control group value to be set. The
573 subsystem name is the literal name of the control group
574 subsystem. The permitted names and the syntax of their
575 values is not dictated by LXC, instead it depends on the
576 features of the Linux kernel running at the time the
577 container is started,
8a67a2b2 578 eg. <option>lxc.cgroup.cpuset.cpus</option>
579 </para>
580 </listitem>
581 </varlistentry>
582 </variablelist>
583 </refsect2>
584
81810dd1
DL		 585 <refsect2>
586 <title>Capabilities</title>
587 <para>
588 The capabilities can be dropped in the container if this one
589 is run as root.
590 </para>
591 <variablelist>
592 <varlistentry>
593 <term>
594 <option>lxc.cap.drop</option>
595 </term>
596 <listitem>
597 <para>
9eb09f87
DL		 598 Specify the capability to be dropped in the container. A
599 single line defining several capabilities with a space
600 separation is allowed. The format is the lower case of
601 the capability definition without the "CAP_" prefix,
81810dd1
DL		 602 eg. CAP_SYS_MODULE should be specified as
603 sys_module. See
604 <citerefentry>
605 <refentrytitle><command>capabilities</command></refentrytitle>
9eb09f87 606 <manvolnum>7</manvolnum>
81810dd1
DL		 607 </citerefentry>,
608 </para>
609 </listitem>
610 </varlistentry>
611 </variablelist>
612 </refsect2>
613
8a67a2b2 614 </refsect1>
615
616 <refsect1>
617 <title>Examples</title>
b78b2125
MN		 618 <para>
619 In addition to the few examples given below, you will find
620 some other examples of configuration file in @DOCDIR@/examples
621 </para>
8a67a2b2 622 <refsect2>
623 <title>Network</title>
624 <para>This configuration sets up a container to use a veth pair
625 device with one side plugged to a bridge br0 (which has been
626 configured before on the system by the administrator). The
627 virtual network device visible in the container is renamed to
628 eth0.</para>
b78b2125
MN		 629 <programlisting>
630 lxc.utsname = myhostname
631 lxc.network.type = veth
632 lxc.network.flags = up
633 lxc.network.link = br0
634 lxc.network.name = eth0
635 lxc.network.hwaddr = 4a:49:43:49:79:bf
955f4ce6 636 lxc.network.ipv4 = 1.2.3.5/24 1.2.3.255
b78b2125
MN		 637 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
638 </programlisting>
8a67a2b2 639 </refsect2>
640
641 <refsect2>
642 <title>Control group</title>
643 <para>This configuration will setup several control groups for
644 the application, cpuset.cpus restricts usage of the defined cpu,
645 cpus.share prioritize the control group, devices.allow makes
646 usable the specified devices.</para>
b78b2125
MN		 647 <programlisting>
648 lxc.cgroup.cpuset.cpus = 0,1
649 lxc.cgroup.cpu.shares = 1234
650 lxc.cgroup.devices.deny = a
651 lxc.cgroup.devices.allow = c 1:3 rw
652 lxc.cgroup.devices.allow = b 8:0 rw
653 </programlisting>
8a67a2b2 654 </refsect2>
655
656 <refsect2>
657 <title>Complex configuration</title>
658 <para>This example show a complex configuration making a complex
659 network stack, using the control groups, setting a new hostname,
b78b2125
MN		 660 mounting some locations and a changing root file system.</para>
661 <programlisting>
662 lxc.utsname = complex
663 lxc.network.type = veth
664 lxc.network.flags = up
665 lxc.network.link = br0
666 lxc.network.hwaddr = 4a:49:43:49:79:bf
955f4ce6 667 lxc.network.ipv4 = 1.2.3.5/24 1.2.3.255
b78b2125
MN		 668 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
669 lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
670 lxc.network.type = macvlan
671 lxc.network.flags = up
672 lxc.network.link = eth0
673 lxc.network.hwaddr = 4a:49:43:49:79:bd
674 lxc.network.ipv4 = 1.2.3.4/24
675 lxc.network.ipv4 = 192.168.10.125/24
676 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
677 lxc.network.type = phys
678 lxc.network.flags = up
679 lxc.network.link = dummy0
680 lxc.network.hwaddr = 4a:49:43:49:79:ff
681 lxc.network.ipv4 = 1.2.3.6/24
682 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
683 lxc.cgroup.cpuset.cpus = 0,1
684 lxc.cgroup.cpu.shares = 1234
685 lxc.cgroup.devices.deny = a
686 lxc.cgroup.devices.allow = c 1:3 rw
687 lxc.cgroup.devices.allow = b 8:0 rw
688 lxc.mount = /etc/fstab.complex
689 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
690 lxc.rootfs = /mnt/rootfs.complex
691 lxc.cap.drop = sys_module mknod setuid net_raw
692 lxc.cap.drop = mac_override
693 </programlisting>
8a67a2b2 694 </refsect2>
695
696 </refsect1>
697
698 <refsect1>
699 <title>See Also</title>
700 <simpara>
8a67a2b2 701 <citerefentry>
702 <refentrytitle><command>chroot</command></refentrytitle>
703 <manvolnum>1</manvolnum>
704 </citerefentry>,
705
706 <citerefentry>
707 <refentrytitle><command>pivot_root</command></refentrytitle>
708 <manvolnum>8</manvolnum>
709 </citerefentry>,
710
711 <citerefentry>
712 <refentrytitle><filename>fstab</filename></refentrytitle>
713 <manvolnum>5</manvolnum>
714 </citerefentry>
715
716 </simpara>
717 </refsect1>
718
99e4008c
MN		 719 &seealso;
720
8a67a2b2 721 <refsect1>
722 <title>Author</title>
723 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
724 </refsect1>
725
726</refentry>
727
728<!-- Keep this comment at the end of the file
729Local variables:
730mode: sgml
731sgml-omittag:t
732sgml-shorttag:t
733sgml-minimize-attributes:nil
734sgml-always-quote-attributes:t
735sgml-indent-step:2
736sgml-indent-data:t
737sgml-parent-document:nil
738sgml-default-dtd-file:nil
739sgml-exposed-tags:nil
740sgml-local-catalogs:nil
741sgml-local-ecat-files:nil
742End:
743-->
LXC mirror