]> git.proxmox.com Git - mirror_lxc.git/blame - doc/lxc.container.conf.sgml.in
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
seccomp: don't support v2 if seccomp_syscall_resolve_name_arch is not avilable
[mirror_lxc.git] / doc / lxc.container.conf.sgml.in
CommitLineData
55fc19a1
SG		 1<!--
2
3lxc: linux Container library
4
5(C) Copyright IBM Corp. 2007, 2008
6
7Authors:
8Daniel Lezcano <daniel.lezcano at free.fr>
9
10This library is free software; you can redistribute it and/or
11modify it under the terms of the GNU Lesser General Public
12License as published by the Free Software Foundation; either
13version 2.1 of the License, or (at your option) any later version.
14
15This library is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18Lesser General Public License for more details.
19
20You should have received a copy of the GNU Lesser General Public
21License along with this library; if not, write to the Free Software
22Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23
24-->
25
26<!DOCTYPE refentry PUBLIC @docdtd@ [
27
28<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
29]>
30
31<refentry>
32
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
34
35 <refmeta>
36 <refentrytitle>lxc.container.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
38 </refmeta>
39
40 <refnamediv>
41 <refname>lxc.container.conf</refname>
42
43 <refpurpose>
44 LXC container configuration file
45 </refpurpose>
46 </refnamediv>
47
48 <refsect1>
49 <title>Description</title>
50
51 <para>
52 The linux containers (<command>lxc</command>) are always created
53 before being used. This creation defines a set of system
54 resources to be virtualized / isolated when a process is using
55 the container. By default, the pids, sysv ipc and mount points
56 are virtualized and isolated. The other system resources are
57 shared across containers, until they are explicitly defined in
58 the configuration file. For example, if there is no network
59 configuration, the network will be shared between the creator of
60 the container and the container itself, but if the network is
61 specified, a new network stack is created for the container and
62 the container can no longer use the network of its ancestor.
63 </para>
64
65 <para>
66 The configuration file defines the different system resources to
67 be assigned for the container. At present, the utsname, the
68 network, the mount points, the root file system, the user namespace,
69 and the control groups are supported.
70 </para>
71
72 <para>
73 Each option in the configuration file has the form <command>key
74 = value</command> fitting in one line. The '#' character means
75 the line is a comment.
76 </para>
77
78 <refsect2>
79 <title>Configuration</title>
80 <para>
81 In order to ease administration of multiple related containers, it
82 is possible to have a container configuration file cause another
83 file to be loaded. For instance, network configuration
84 can be defined in one common file which is included by multiple
85 containers. Then, if the containers are moved to another host,
86 only one file may need to be updated.
87 </para>
88
89 <variablelist>
90 <varlistentry>
91 <term>
92 <option>lxc.include</option>
93 </term>
94 <listitem>
95 <para>
96 Specify the file to be included. The included file must be
97 in the same valid lxc configuration file format.
98 </para>
99 </listitem>
100 </varlistentry>
101 </variablelist>
102 </refsect2>
103
104 <refsect2>
105 <title>Architecture</title>
106 <para>
107 Allows one to set the architecture for the container. For example,
108 set a 32bits architecture for a container running 32bits
109 binaries on a 64bits host. This fixes the container scripts
110 which rely on the architecture to do some work like
111 downloading the packages.
112 </para>
113
114 <variablelist>
115 <varlistentry>
116 <term>
117 <option>lxc.arch</option>
118 </term>
119 <listitem>
120 <para>
121 Specify the architecture for the container.
122 </para>
123 <para>
124 Valid options are
125 <option>x86</option>,
126 <option>i686</option>,
127 <option>x86_64</option>,
128 <option>amd64</option>
129 </para>
130 </listitem>
131 </varlistentry>
132 </variablelist>
133
134 </refsect2>
135
136 <refsect2>
137 <title>Hostname</title>
138 <para>
139 The utsname section defines the hostname to be set for the
140 container. That means the container can set its own hostname
141 without changing the one from the system. That makes the
142 hostname private for the container.
143 </para>
144 <variablelist>
145 <varlistentry>
146 <term>
147 <option>lxc.utsname</option>
148 </term>
149 <listitem>
150 <para>
151 specify the hostname for the container
152 </para>
153 </listitem>
154 </varlistentry>
155 </variablelist>
156 </refsect2>
157
158 <refsect2>
159 <title>Halt signal</title>
160 <para>
161 Allows one to specify signal name or number, sent by lxc-stop to the
162 container's init process to cleanly shutdown the container. Different
163 init systems could use different signals to perform clean shutdown
164 sequence. This option allows the signal to be specified in kill(1)
165 fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The
166 default signal is SIGPWR.
167 </para>
168 <variablelist>
169 <varlistentry>
170 <term>
171 <option>lxc.haltsignal</option>
172 </term>
173 <listitem>
174 <para>
175 specify the signal used to halt the container
176 </para>
177 </listitem>
178 </varlistentry>
179 </variablelist>
180 </refsect2>
181
182 <refsect2>
183 <title>Stop signal</title>
184 <para>
185 Allows one to specify signal name or number, sent by lxc-stop to forcibly
186 shutdown the container. This option allows signal to be specified in
187 kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number.
188 The default signal is SIGKILL.
189 </para>
190 <variablelist>
191 <varlistentry>
192 <term>
193 <option>lxc.stopsignal</option>
194 </term>
195 <listitem>
196 <para>
197 specify the signal used to stop the container
198 </para>
199 </listitem>
200 </varlistentry>
201 </variablelist>
202 </refsect2>
203
204 <refsect2>
205 <title>Network</title>
206 <para>
207 The network section defines how the network is virtualized in
208 the container. The network virtualization acts at layer
209 two. In order to use the network virtualization, parameters
210 must be specified to define the network interfaces of the
211 container. Several virtual interfaces can be assigned and used
212 in a container even if the system has only one physical
213 network interface.
214 </para>
215 <variablelist>
216 <varlistentry>
217 <term>
218 <option>lxc.network.type</option>
219 </term>
220 <listitem>
221 <para>
222 specify what kind of network virtualization to be used
223 for the container. Each time
224 a <option>lxc.network.type</option> field is found a new
225 round of network configuration begins. In this way,
226 several network virtualization types can be specified
227 for the same container, as well as assigning several
228 network interfaces for one container. The different
229 virtualization types can be:
230 </para>
231
232 <para>
233 <option>none:</option> will cause the container to share
234 the host's network namespace. This means the host
235 network devices are usable in the container. It also
236 means that if both the container and host have upstart as
237 init, 'halt' in a container (for instance) will shut down the
238 host.
239 </para>
240
241 <para>
242 <option>empty:</option> will create only the loopback
243 interface.
244 </para>
245
246 <para>
247 <option>veth:</option> a peer network device is created
248 with one side assigned to the container and the other
249 side is attached to a bridge specified by
250 the <option>lxc.network.link</option>. If the bridge is
251 not specified, then the veth pair device will be created
252 but not attached to any bridge. Otherwise, the bridge
253 has to be setup before on the
254 system, <command>lxc</command> won't handle any
255 configuration outside of the container. By
256 default <command>lxc</command> choose a name for the
257 network device belonging to the outside of the
258 container, this name is handled
259 by <command>lxc</command>, but if you wish to handle
260 this name yourself, you can tell <command>lxc</command>
261 to set a specific name with
262 the <option>lxc.network.veth.pair</option> option.
263 </para>
264
265 <para>
266 <option>vlan:</option> a vlan interface is linked with
267 the interface specified by
268 the <option>lxc.network.link</option> and assigned to
269 the container. The vlan identifier is specified with the
270 option <option>lxc.network.vlan.id</option>.
271 </para>
272
273 <para>
274 <option>macvlan:</option> a macvlan interface is linked
275 with the interface specified by
276 the <option>lxc.network.link</option> and assigned to
277 the container.
278 <option>lxc.network.macvlan.mode</option> specifies the
279 mode the macvlan will use to communicate between
280 different macvlan on the same upper device. The accepted
281 modes are <option>private</option>, the device never
282 communicates with any other device on the same upper_dev (default),
283 <option>vepa</option>, the new Virtual Ethernet Port
284 Aggregator (VEPA) mode, it assumes that the adjacent
285 bridge returns all frames where both source and
286 destination are local to the macvlan port, i.e. the
287 bridge is set up as a reflective relay. Broadcast
288 frames coming in from the upper_dev get flooded to all
289 macvlan interfaces in VEPA mode, local frames are not
290 delivered locally, or <option>bridge</option>, it
291 provides the behavior of a simple bridge between
292 different macvlan interfaces on the same port. Frames
293 from one interface to another one get delivered directly
294 and are not sent out externally. Broadcast frames get
295 flooded to all other bridge ports and to the external
296 interface, but when they come back from a reflective
297 relay, we don't deliver them again. Since we know all
298 the MAC addresses, the macvlan bridge mode does not
299 require learning or STP like the bridge module does.
300 </para>
301
302 <para>
303 <option>phys:</option> an already existing interface
304 specified by the <option>lxc.network.link</option> is
305 assigned to the container.
306 </para>
307 </listitem>
308 </varlistentry>
309
310 <varlistentry>
311 <term>
312 <option>lxc.network.flags</option>
313 </term>
314 <listitem>
315 <para>
316 specify an action to do for the
317 network.
318 </para>
319
320 <para><option>up:</option> activates the interface.
321 </para>
322 </listitem>
323 </varlistentry>
324
325 <varlistentry>
326 <term>
327 <option>lxc.network.link</option>
328 </term>
329 <listitem>
330 <para>
331 specify the interface to be used for real network
332 traffic.
333 </para>
334 </listitem>
335 </varlistentry>
336
337 <varlistentry>
338 <term>
339 <option>lxc.network.mtu</option>
340 </term>
341 <listitem>
342 <para>
343 specify the maximum transfer unit for this interface.
344 </para>
345 </listitem>
346 </varlistentry>
347
348 <varlistentry>
349 <term>
350 <option>lxc.network.name</option>
351 </term>
352 <listitem>
353 <para>
354 the interface name is dynamically allocated, but if
355 another name is needed because the configuration files
356 being used by the container use a generic name,
357 eg. eth0, this option will rename the interface in the
358 container.
359 </para>
360 </listitem>
361 </varlistentry>
362
363 <varlistentry>
364 <term>
365 <option>lxc.network.hwaddr</option>
366 </term>
367 <listitem>
368 <para>
369 the interface mac address is dynamically allocated by
370 default to the virtual interface, but in some cases,
371 this is needed to resolve a mac address conflict or to
372 always have the same link-local ipv6 address.
373 Any "x" in address will be replaced by random value,
374 this allows setting hwaddr templates.
375 </para>
376 </listitem>
377 </varlistentry>
378
379 <varlistentry>
380 <term>
381 <option>lxc.network.ipv4</option>
382 </term>
383 <listitem>
384 <para>
385 specify the ipv4 address to assign to the virtualized
386 interface. Several lines specify several ipv4 addresses.
387 The address is in format x.y.z.t/m,
388 eg. 192.168.1.123/24. The broadcast address should be
389 specified on the same line, right after the ipv4
390 address.
391 </para>
392 </listitem>
393 </varlistentry>
394
395 <varlistentry>
396 <term>
397 <option>lxc.network.ipv4.gateway</option>
398 </term>
399 <listitem>
400 <para>
401 specify the ipv4 address to use as the gateway inside the
402 container. The address is in format x.y.z.t, eg.
403 192.168.1.123.
404
405 Can also have the special value <option>auto</option>,
406 which means to take the primary address from the bridge
407 interface (as specified by the
408 <option>lxc.network.link</option> option) and use that as
409 the gateway. <option>auto</option> is only available when
410 using the <option>veth</option> and
411 <option>macvlan</option> network types.
412 </para>
413 </listitem>
414 </varlistentry>
415
416
417 <varlistentry>
418 <term>
419 <option>lxc.network.ipv6</option>
420 </term>
421 <listitem>
422 <para>
423 specify the ipv6 address to assign to the virtualized
424 interface. Several lines specify several ipv6 addresses.
425 The address is in format x::y/m,
426 eg. 2003:db8:1:0:214:1234:fe0b:3596/64
427 </para>
428 </listitem>
429 </varlistentry>
430
431 <varlistentry>
432 <term>
433 <option>lxc.network.ipv6.gateway</option>
434 </term>
435 <listitem>
436 <para>
437 specify the ipv6 address to use as the gateway inside the
438 container. The address is in format x::y,
439 eg. 2003:db8:1:0::1
440
441 Can also have the special value <option>auto</option>,
442 which means to take the primary address from the bridge
443 interface (as specified by the
444 <option>lxc.network.link</option> option) and use that as
445 the gateway. <option>auto</option> is only available when
446 using the <option>veth</option> and
447 <option>macvlan</option> network types.
448 </para>
449 </listitem>
450 </varlistentry>
451
452 <varlistentry>
453 <term>
454 <option>lxc.network.script.up</option>
455 </term>
456 <listitem>
457 <para>
458 add a configuration option to specify a script to be
459 executed after creating and configuring the network used
460 from the host side. The following arguments are passed
461 to the script: container name and config section name
462 (net) Additional arguments depend on the config section
463 employing a script hook; the following are used by the
464 network system: execution context (up), network type
465 (empty/veth/macvlan/phys), Depending on the network
466 type, other arguments may be passed:
467 veth/macvlan/phys. And finally (host-sided) device name.
468 </para>
469 <para>
470 Standard output from the script is logged at debug level.
471 Standard error is not logged, but can be captured by the
472 hook redirecting its standard error to standard output.
473 </para>
474 </listitem>
475 </varlistentry>
476
477 <varlistentry>
478 <term>
479 <option>lxc.network.script.down</option>
480 </term>
481 <listitem>
482 <para>
483 add a configuration option to specify a script to be
484 executed before destroying the network used from the
485 host side. The following arguments are passed to the
486 script: container name and config section name (net)
487 Additional arguments depend on the config section
488 employing a script hook; the following are used by the
489 network system: execution context (down), network type
490 (empty/veth/macvlan/phys), Depending on the network
491 type, other arguments may be passed:
492 veth/macvlan/phys. And finally (host-sided) device name.
493 </para>
494 <para>
495 Standard output from the script is logged at debug level.
496 Standard error is not logged, but can be captured by the
497 hook redirecting its standard error to standard output.
498 </para>
499 </listitem>
500 </varlistentry>
501 </variablelist>
502 </refsect2>
503
504 <refsect2>
505 <title>New pseudo tty instance (devpts)</title>
506 <para>
507 For stricter isolation the container can have its own private
508 instance of the pseudo tty.
509 </para>
510 <variablelist>
511 <varlistentry>
512 <term>
513 <option>lxc.pts</option>
514 </term>
515 <listitem>
516 <para>
517 If set, the container will have a new pseudo tty
518 instance, making this private to it. The value specifies
519 the maximum number of pseudo ttys allowed for a pts
520 instance (this limitation is not implemented yet).
521 </para>
522 </listitem>
523 </varlistentry>
524 </variablelist>
525 </refsect2>
526
527 <refsect2>
528 <title>Container system console</title>
529 <para>
530 If the container is configured with a root filesystem and the
531 inittab file is setup to use the console, you may want to specify
532 where the output of this console goes.
533 </para>
534 <variablelist>
535 <varlistentry>
536 <term>
537 <option>lxc.console</option>
538 </term>
539 <listitem>
540 <para>
541 Specify a path to a file where the console output will
542 be written. The keyword 'none' will simply disable the
543 console. This is dangerous once if have a rootfs with a
544 console device file where the application can write, the
545 messages will fall in the host.
546 </para>
547 </listitem>
548 </varlistentry>
549 </variablelist>
550 </refsect2>
551
552 <refsect2>
553 <title>Console through the ttys</title>
554 <para>
555 This option is useful if the container is configured with a root
556 filesystem and the inittab file is setup to launch a getty on the
557 ttys. The option specifies the number of ttys to be available for
558 the container. The number of gettys in the inittab file of the
559 container should not be greater than the number of ttys specified
560 in this option, otherwise the excess getty sessions will die and
561 respawn indefinitely giving annoying messages on the console or in
562 <filename>/var/log/messages</filename>.
563 </para>
564 <variablelist>
565 <varlistentry>
566 <term>
567 <option>lxc.tty</option>
568 </term>
569 <listitem>
570 <para>
571 Specify the number of tty to make available to the
572 container.
573 </para>
574 </listitem>
575 </varlistentry>
576 </variablelist>
577 </refsect2>
578
579 <refsect2>
580 <title>Console devices location</title>
581 <para>
582 LXC consoles are provided through Unix98 PTYs created on the
583 host and bind-mounted over the expected devices in the container.
584 By default, they are bind-mounted over <filename>/dev/console</filename>
585 and <filename>/dev/ttyN</filename>. This can prevent package upgrades
586 in the guest. Therefore you can specify a directory location (under
587 <filename>/dev</filename> under which LXC will create the files and
588 bind-mount over them. These will then be symbolically linked to
589 <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
590 A package upgrade can then succeed as it is able to remove and replace
591 the symbolic links.
592 </para>
593 <variablelist>
594 <varlistentry>
595 <term>
596 <option>lxc.devttydir</option>
597 </term>
598 <listitem>
599 <para>
600 Specify a directory under <filename>/dev</filename>
601 under which to create the container console devices.
602 </para>
603 </listitem>
604 </varlistentry>
605 </variablelist>
606 </refsect2>
607
608 <refsect2>
609 <title>/dev directory</title>
610 <para>
611 By default, lxc does nothing with the container's
612 <filename>/dev</filename>. This allows the container's
613 <filename>/dev</filename> to be set up as needed in the container
614 rootfs. If lxc.autodev is set to 1, then after mounting the container's
615 rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
616 (limited to 100k) and fill in a minimal set of initial devices.
617 This is generally required when starting a container containing
618 a "systemd" based "init" but may be optional at other times. Additional
619 devices in the containers /dev directory may be created through the
620 use of the <option>lxc.hook.autodev</option> hook.
621 </para>
622 <variablelist>
623 <varlistentry>
624 <term>
625 <option>lxc.autodev</option>
626 </term>
627 <listitem>
628 <para>
629 Set this to 1 to have LXC mount and populate a minimal
630 <filename>/dev</filename> when starting the container.
631 </para>
632 </listitem>
633 </varlistentry>
634 </variablelist>
635 </refsect2>
636
637 <refsect2>
638 <title>Enable kmsg symlink</title>
639 <para>
640 Enable creating /dev/kmsg as symlink to /dev/console. This defaults to 1.
641 </para>
642 <variablelist>
643 <varlistentry>
644 <term>
645 <option>lxc.kmsg</option>
646 </term>
647 <listitem>
648 <para>
649 Set this to 0 to disable /dev/kmsg symlinking.
650 </para>
651 </listitem>
652 </varlistentry>
653 </variablelist>
654 </refsect2>
655
656 <refsect2>
657 <title>Mount points</title>
658 <para>
659 The mount points section specifies the different places to be
660 mounted. These mount points will be private to the container
661 and won't be visible by the processes running outside of the
662 container. This is useful to mount /etc, /var or /home for
663 examples.
664 </para>
665 <variablelist>
666 <varlistentry>
667 <term>
668 <option>lxc.mount</option>
669 </term>
670 <listitem>
671 <para>
672 specify a file location in
673 the <filename>fstab</filename> format, containing the
674 mount information. If the rootfs is an image file or a
675 block device and the fstab is used to mount a point
676 somewhere in this rootfs, the path of the rootfs mount
677 point should be prefixed with the
678 <filename>@LXCROOTFSMOUNT@</filename> default path or
679 the value of <option>lxc.rootfs.mount</option> if
680 specified. Note that when mounting a filesystem from an
681 image file or block device the third field (fs_vfstype)
682 cannot be auto as with
683 <citerefentry>
684 <refentrytitle>mount</refentrytitle>
685 <manvolnum>8</manvolnum>
686 </citerefentry>
687 but must be explicitly specified.
688 </para>
689 </listitem>
690 </varlistentry>
691
692 <varlistentry>
693 <term>
694 <option>lxc.mount.entry</option>
695 </term>
696 <listitem>
697 <para>
698 specify a mount point corresponding to a line in the
699 fstab format.
700 </para>
701 </listitem>
702 </varlistentry>
703
704 <varlistentry>
705 <term>
706 <option>lxc.mount.auto</option>
707 </term>
708 <listitem>
709 <para>
710 specify which standard kernel file systems should be
711 automatically mounted. This may dramatically simplify
712 the configuration. The file systems are:
713 </para>
714 <itemizedlist>
715 <listitem>
716 <para>
717 <option>proc:mixed</option> (or <option>proc</option>):
718 mount <filename>/proc</filename> as read-write, but
719 remount <filename>/proc/sys</filename> and
720 <filename>/proc/sysrq-trigger</filename> read-only
721 for security / container isolation purposes.
722 </para>
723 </listitem>
724 <listitem>
725 <para>
726 <option>proc:rw</option>: mount
727 <filename>/proc</filename> as read-write
728 </para>
729 </listitem>
730 <listitem>
731 <para>
732 <option>sys:ro</option> (or <option>sys</option>):
733 mount <filename>/sys</filename> as read-only
734 for security / container isolation purposes.
735 </para>
736 </listitem>
737 <listitem>
738 <para>
739 <option>sys:rw</option>: mount
740 <filename>/sys</filename> as read-write
741 </para>
742 </listitem>
743 <listitem>
744 <para>
745 <option>cgroup:mixed</option> (or
746 <option>cgroup</option>):
747 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
748 create directories for all hierarchies to which
749 the container is added, create subdirectories
750 there with the name of the cgroup, and bind-mount
751 the container's own cgroup into that directory.
752 The container will be able to write to its own
753 cgroup directory, but not the parents, since they
754 will be remounted read-only
755 </para>
756 </listitem>
757 <listitem>
758 <para>
759 <option>cgroup:ro</option>: similar to
760 <option>cgroup:mixed</option>, but everything will
761 be mounted read-only.
762 </para>
763 </listitem>
764 <listitem>
765 <para>
766 <option>cgroup:rw</option>: similar to
767 <option>cgroup:mixed</option>, but everything will
768 be mounted read-write. Note that the paths leading
769 up to the container's own cgroup will be writable,
770 but will not be a cgroup filesystem but just part
771 of the tmpfs of <filename>/sys/fs/cgroup</filename>
772 </para>
773 </listitem>
774 <listitem>
775 <para>
776 <option>cgroup-full:mixed</option> (or
777 <option>cgroup-full</option>):
778 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
779 create directories for all hierarchies to which
780 the container is added, bind-mount the hierarchies
781 from the host to the container and make everything
782 read-only except the container's own cgroup. Note
783 that compared to <option>cgroup</option>, where
784 all paths leading up to the container's own cgroup
785 are just simple directories in the underlying
786 tmpfs, here
787 <filename>/sys/fs/cgroup/$hierarchy</filename>
788 will contain the host's full cgroup hierarchy,
789 albeit read-only outside the container's own cgroup.
790 This may leak quite a bit of information into the
791 container.
792 </para>
793 </listitem>
794 <listitem>
795 <para>
796 <option>cgroup-full:ro</option>: similar to
797 <option>cgroup-full:mixed</option>, but everything
798 will be mounted read-only.
799 </para>
800 </listitem>
801 <listitem>
802 <para>
803 <option>cgroup-full:rw</option>: similar to
804 <option>cgroup-full:mixed</option>, but everything
805 will be mounted read-write. Note that in this case,
806 the container may escape its own cgroup. (Note also
807 that if the container has CAP_SYS_ADMIN support
808 and can mount the cgroup filesystem itself, it may
809 do so anyway.)
810 </para>
811 </listitem>
812 </itemizedlist>
813 <para>
814 Examples:
815 </para>
816 <programlisting>
817 lxc.mount.auto = proc sys cgroup
818 lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
819 </programlisting>
820 </listitem>
821 </varlistentry>
822
823 </variablelist>
824 </refsect2>
825
826 <refsect2>
827 <title>Root file system</title>
828 <para>
829 The root file system of the container can be different than that
830 of the host system.
831 </para>
832 <variablelist>
833 <varlistentry>
834 <term>
835 <option>lxc.rootfs</option>
836 </term>
837 <listitem>
838 <para>
839 specify the root file system for the container. It can
840 be an image file, a directory or a block device. If not
841 specified, the container shares its root file system
842 with the host.
843 </para>
844 </listitem>
845 </varlistentry>
846
847 <varlistentry>
848 <term>
849 <option>lxc.rootfs.mount</option>
850 </term>
851 <listitem>
852 <para>
853 where to recursively bind <option>lxc.rootfs</option>
854 before pivoting. This is to ensure success of the
855 <citerefentry>
856 <refentrytitle><command>pivot_root</command></refentrytitle>
857 <manvolnum>8</manvolnum>
858 </citerefentry>
859 syscall. Any directory suffices, the default should
860 generally work.
861 </para>
862 </listitem>
863 </varlistentry>
864
a17b1e65
SG		 865 <varlistentry>
866 <term>
867 <option>lxc.rootfs.options</option>
868 </term>
869 <listitem>
870 <para>
871 extra mount options to use when mounting the rootfs.
872 </para>
873 </listitem>
874 </varlistentry>
875
55fc19a1
SG		 876 <varlistentry>
877 <term>
878 <option>lxc.pivotdir</option>
879 </term>
880 <listitem>
881 <para>
882 where to pivot the original root file system under
883 <option>lxc.rootfs</option>, specified relatively to
884 that. The default is <filename>mnt</filename>.
885 It is created if necessary, and also removed after
886 unmounting everything from it during container setup.
887 </para>
888 </listitem>
889 </varlistentry>
890 </variablelist>
891 </refsect2>
892
893 <refsect2>
894 <title>Control group</title>
895 <para>
896 The control group section contains the configuration for the
897 different subsystem. <command>lxc</command> does not check the
898 correctness of the subsystem name. This has the disadvantage
899 of not detecting configuration errors until the container is
900 started, but has the advantage of permitting any future
901 subsystem.
902 </para>
903 <variablelist>
904 <varlistentry>
905 <term>
906 <option>lxc.cgroup.[subsystem name]</option>
907 </term>
908 <listitem>
909 <para>
910 specify the control group value to be set. The
911 subsystem name is the literal name of the control group
912 subsystem. The permitted names and the syntax of their
913 values is not dictated by LXC, instead it depends on the
914 features of the Linux kernel running at the time the
915 container is started,
916 eg. <option>lxc.cgroup.cpuset.cpus</option>
917 </para>
918 </listitem>
919 </varlistentry>
920 </variablelist>
921 </refsect2>
922
923 <refsect2>
924 <title>Capabilities</title>
925 <para>
926 The capabilities can be dropped in the container if this one
927 is run as root.
928 </para>
929 <variablelist>
930 <varlistentry>
931 <term>
932 <option>lxc.cap.drop</option>
933 </term>
934 <listitem>
935 <para>
936 Specify the capability to be dropped in the container. A
937 single line defining several capabilities with a space
938 separation is allowed. The format is the lower case of
939 the capability definition without the "CAP_" prefix,
940 eg. CAP_SYS_MODULE should be specified as
941 sys_module. See
942 <citerefentry>
943 <refentrytitle><command>capabilities</command></refentrytitle>
944 <manvolnum>7</manvolnum>
945 </citerefentry>,
946 </para>
947 </listitem>
948 </varlistentry>
949 <varlistentry>
950 <term>
951 <option>lxc.cap.keep</option>
952 </term>
953 <listitem>
954 <para>
955 Specify the capability to be kept in the container. All other
956 capabilities will be dropped.
957 </para>
958 </listitem>
959 </varlistentry>
960 </variablelist>
961 </refsect2>
962
963 <refsect2>
964 <title>Apparmor profile</title>
965 <para>
966 If lxc was compiled and installed with apparmor support, and the host
967 system has apparmor enabled, then the apparmor profile under which the
968 container should be run can be specified in the container
969 configuration. The default is <command>lxc-container-default</command>.
970 </para>
971 <variablelist>
972 <varlistentry>
973 <term>
974 <option>lxc.aa_profile</option>
975 </term>
976 <listitem>
977 <para>
978 Specify the apparmor profile under which the container should
979 be run. To specify that the container should be unconfined,
980 use
981 </para>
982 <programlisting>lxc.aa_profile = unconfined</programlisting>
983 </listitem>
984 </varlistentry>
985 </variablelist>
986 </refsect2>
987
988 <refsect2>
989 <title>SELinux context</title>
990 <para>
991 If lxc was compiled and installed with SELinux support, and the host
992 system has SELinux enabled, then the SELinux context under which the
993 container should be run can be specified in the container
994 configuration. The default is <command>unconfined_t</command>,
995 which means that lxc will not attempt to change contexts.
996 </para>
997 <variablelist>
998 <varlistentry>
999 <term>
1000 <option>lxc.se_context</option>
1001 </term>
1002 <listitem>
1003 <para>
1004 Specify the SELinux context under which the container should
1005 be run or <command>unconfined_t</command>. For example
1006 </para>
1007 <programlisting>lxc.se_context = unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023</programlisting>
1008 </listitem>
1009 </varlistentry>
1010 </variablelist>
1011 </refsect2>
1012
1013 <refsect2>
1014 <title>Seccomp configuration</title>
1015 <para>
1016 A container can be started with a reduced set of available
1017 system calls by loading a seccomp profile at startup. The
1018 seccomp configuration file should begin with a version number
1019 (which currently must be 1) on the first line, a policy type
1020 (which must be 'whitelist') on the second line, followed by a
1021 list of allowed system call numbers, one per line.
1022 </para>
1023 <variablelist>
1024 <varlistentry>
1025 <term>
1026 <option>lxc.seccomp</option>
1027 </term>
1028 <listitem>
1029 <para>
1030 Specify a file containing the seccomp configuration to
1031 load before the container starts.
1032 </para>
1033 </listitem>
1034 </varlistentry>
1035 </variablelist>
1036 </refsect2>
1037
1038 <refsect2>
1039 <title>UID mappings</title>
1040 <para>
1041 A container can be started in a private user namespace with
1042 user and group id mappings. For instance, you can map userid
1043 0 in the container to userid 200000 on the host. The root
1044 user in the container will be privileged in the container,
1045 but unprivileged on the host. Normally a system container
1046 will want a range of ids, so you would map, for instance,
1047 user and group ids 0 through 20,000 in the container to the
1048 ids 200,000 through 220,000.
1049 </para>
1050 <variablelist>
1051 <varlistentry>
1052 <term>
1053 <option>lxc.id_map</option>
1054 </term>
1055 <listitem>
1056 <para>
1057 Four values must be provided. First a character, either
1058 'u', or 'g', to specify whether user or group ids are
1059 being mapped. Next is the first userid as seen in the
1060 user namespace of the container. Next is the userid as
1061 seen on the host. Finally, a range indicating the number
1062 of consecutive ids to map.
1063 </para>
1064 </listitem>
1065 </varlistentry>
1066 </variablelist>
1067 </refsect2>
1068
1069 <refsect2>
1070 <title>Container hooks</title>
1071 <para>
1072 Container hooks are programs or scripts which can be executed
1073 at various times in a container's lifetime.
1074 </para>
1075 <para>
1076 When a container hook is executed, information is passed both
1077 as command line arguments and through environment variables.
1078 The arguments are:
1079 <itemizedlist>
1080 <listitem><para> Container name. </para></listitem>
1081 <listitem><para> Section (always 'lxc'). </para></listitem>
1082 <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
1083 <listitem><para> Additional arguments In the
1084 case of the clone hook, any extra arguments passed to
1085 lxc-clone will appear as further arguments to the hook. </para></listitem>
1086 </itemizedlist>
1087 The following environment variables are set:
1088 <itemizedlist>
1089 <listitem><para> LXC_NAME: is the container's name. </para></listitem>
1090 <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
1091 <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
1092 <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
1093 <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
1094 </itemizedlist>
1095 </para>
1096 <para>
1097 Standard output from the hooks is logged at debug level.
1098 Standard error is not logged, but can be captured by the
1099 hook redirecting its standard error to standard output.
1100 </para>
1101 <variablelist>
1102 <varlistentry>
1103 <term>
1104 <option>lxc.hook.pre-start</option>
1105 </term>
1106 <listitem>
1107 <para>
1108 A hook to be run in the host's namespace before the
1109 container ttys, consoles, or mounts are up.
1110 </para>
1111 </listitem>
1112 </varlistentry>
1113 </variablelist>
1114 <variablelist>
1115 <varlistentry>
1116 <term>
1117 <option>lxc.hook.pre-mount</option>
1118 </term>
1119 <listitem>
1120 <para>
1121 A hook to be run in the container's fs namespace but before
1122 the rootfs has been set up. This allows for manipulation
1123 of the rootfs, i.e. to mount an encrypted filesystem. Mounts
1124 done in this hook will not be reflected on the host (apart from
1125 mounts propagation), so they will be automatically cleaned up
1126 when the container shuts down.
1127 </para>
1128 </listitem>
1129 </varlistentry>
1130 </variablelist>
1131 <variablelist>
1132 <varlistentry>
1133 <term>
1134 <option>lxc.hook.mount</option>
1135 </term>
1136 <listitem>
1137 <para>
1138 A hook to be run in the container's namespace after
1139 mounting has been done, but before the pivot_root.
1140 </para>
1141 </listitem>
1142 </varlistentry>
1143 </variablelist>
1144 <variablelist>
1145 <varlistentry>
1146 <term>
1147 <option>lxc.hook.autodev</option>
1148 </term>
1149 <listitem>
1150 <para>
1151 A hook to be run in the container's namespace after
1152 mounting has been done and after any mount hooks have
1153 run, but before the pivot_root, if
1154 <option>lxc.autodev</option> == 1.
1155 The purpose of this hook is to assist in populating the
1156 /dev directory of the container when using the autodev
1157 option for systemd based containers. The container's /dev
1158 directory is relative to the
1159 ${<option>LXC_ROOTFS_MOUNT</option>} environment
1160 variable available when the hook is run.
1161 </para>
1162 </listitem>
1163 </varlistentry>
1164 </variablelist>
1165 <variablelist>
1166 <varlistentry>
1167 <term>
1168 <option>lxc.hook.start</option>
1169 </term>
1170 <listitem>
1171 <para>
1172 A hook to be run in the container's namespace immediately
1173 before executing the container's init. This requires the
1174 program to be available in the container.
1175 </para>
1176 </listitem>
1177 </varlistentry>
1178 </variablelist>
1179 <variablelist>
1180 <varlistentry>
1181 <term>
1182 <option>lxc.hook.post-stop</option>
1183 </term>
1184 <listitem>
1185 <para>
1186 A hook to be run in the host's namespace after the
1187 container has been shut down.
1188 </para>
1189 </listitem>
1190 </varlistentry>
1191 </variablelist>
1192 <variablelist>
1193 <varlistentry>
1194 <term>
1195 <option>lxc.hook.clone</option>
1196 </term>
1197 <listitem>
1198 <para>
1199 A hook to be run when the container is cloned to a new one.
1200 See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
1201 <manvolnum>1</manvolnum></citerefentry> for more information.
1202 </para>
1203 </listitem>
1204 </varlistentry>
1205 </variablelist>
1206 </refsect2>
1207
1208 <refsect2>
1209 <title>Container hooks Environment Variables</title>
1210 <para>
1211 A number of environment variables are made available to the startup
1212 hooks to provide configuration information and assist in the
1213 functioning of the hooks. Not all variables are valid in all
1214 contexts. In particular, all paths are relative to the host system
1215 and, as such, not valid during the <option>lxc.hook.start</option> hook.
1216 </para>
1217 <variablelist>
1218 <varlistentry>
1219 <term>
1220 <option>LXC_NAME</option>
1221 </term>
1222 <listitem>
1223 <para>
1224 The LXC name of the container. Useful for logging messages
1225 in common log environments. [<option>-n</option>]
1226 </para>
1227 </listitem>
1228 </varlistentry>
1229 </variablelist>
1230 <variablelist>
1231 <varlistentry>
1232 <term>
1233 <option>LXC_CONFIG_FILE</option>
1234 </term>
1235 <listitem>
1236 <para>
1237 Host relative path to the container configuration file. This
1238 gives the container to reference the original, top level,
1239 configuration file for the container in order to locate any
1240 additional configuration information not otherwise made
1241 available. [<option>-f</option>]
1242 </para>
1243 </listitem>
1244 </varlistentry>
1245 </variablelist>
1246 <variablelist>
1247 <varlistentry>
1248 <term>
1249 <option>LXC_CONSOLE</option>
1250 </term>
1251 <listitem>
1252 <para>
1253 The path to the console output of the container if not NULL.
1254 [<option>-c</option>] [<option>lxc.console</option>]
1255 </para>
1256 </listitem>
1257 </varlistentry>
1258 </variablelist>
1259 <variablelist>
1260 <varlistentry>
1261 <term>
1262 <option>LXC_CONSOLE_LOGPATH</option>
1263 </term>
1264 <listitem>
1265 <para>
1266 The path to the console log output of the container if not NULL.
1267 [<option>-L</option>]
1268 </para>
1269 </listitem>
1270 </varlistentry>
1271 </variablelist>
1272 <variablelist>
1273 <varlistentry>
1274 <term>
1275 <option>LXC_ROOTFS_MOUNT</option>
1276 </term>
1277 <listitem>
1278 <para>
1279 The mount location to which the container is initially bound.
1280 This will be the host relative path to the container rootfs
1281 for the container instance being started and is where changes
1282 should be made for that instance.
1283 [<option>lxc.rootfs.mount</option>]
1284 </para>
1285 </listitem>
1286 </varlistentry>
1287 </variablelist>
1288 <variablelist>
1289 <varlistentry>
1290 <term>
1291 <option>LXC_ROOTFS_PATH</option>
1292 </term>
1293 <listitem>
1294 <para>
1295 The host relative path to the container root which has been
1296 mounted to the rootfs.mount location.
1297 [<option>lxc.rootfs</option>]
1298 </para>
1299 </listitem>
1300 </varlistentry>
1301 </variablelist>
1302
1303 </refsect2>
1304 <refsect2>
1305 <title>Logging</title>
1306 <para>
1307 Logging can be configured on a per-container basis. By default,
1308 depending upon how the lxc package was compiled, container startup
1309 is logged only at the ERROR level, and logged to a file named after
1310 the container (with '.log' appended) either under the container path,
1311 or under @LOGPATH@.
1312 </para>
1313 <para>
1314 Both the default log level and the log file can be specified in the
1315 container configuration file, overriding the default behavior. Note
1316 that the configuration file entries can in turn be overridden by the
1317 command line options to <command>lxc-start</command>.
1318 </para>
1319 <variablelist>
1320 <varlistentry>
1321 <term>
1322 <option>lxc.loglevel</option>
1323 </term>
1324 <listitem>
1325 <para>
1326 The level at which to log. The log level is an integer in
1327 the range of 0..8 inclusive, where a lower number means more
1328 verbose debugging. In particular 0 = trace, 1 = debug, 2 =
1329 info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
1330 alert, and 8 = fatal. If unspecified, the level defaults
1331 to 5 (error), so that only errors and above are logged.
1332 </para>
1333 <para>
1334 Note that when a script (such as either a hook script or a
1335 network interface up or down script) is called, the script's
1336 standard output is logged at level 1, debug.
1337 </para>
1338 </listitem>
1339 </varlistentry>
1340 <varlistentry>
1341 <term>
1342 <option>lxc.logfile</option>
1343 </term>
1344 <listitem>
1345 <para>
1346 The file to which logging info should be written.
1347 </para>
1348 </listitem>
1349 </varlistentry>
1350 </variablelist>
1351 </refsect2>
1352
1353 <refsect2>
1354 <title>Autostart</title>
1355 <para>
1356 The autostart options support marking which containers should be
1357 auto-started and in what order. These options may be used by LXC tools
1358 directly or by external tooling provided by the distributions.
1359 </para>
1360
1361 <variablelist>
1362 <varlistentry>
1363 <term>
1364 <option>lxc.start.auto</option>
1365 </term>
1366 <listitem>
1367 <para>
1368 Whether the container should be auto-started.
1369 Valid values are 0 (off) and 1 (on).
1370 </para>
1371 </listitem>
1372 </varlistentry>
1373 <varlistentry>
1374 <term>
1375 <option>lxc.start.delay</option>
1376 </term>
1377 <listitem>
1378 <para>
1379 How long to wait (in seconds) after the container is
1380 started before starting the next one.
1381 </para>
1382 </listitem>
1383 </varlistentry>
1384 <varlistentry>
1385 <term>
1386 <option>lxc.start.order</option>
1387 </term>
1388 <listitem>
1389 <para>
1390 An integer used to sort the containers when auto-starting
1391 a series of containers at once.
1392 </para>
1393 </listitem>
1394 </varlistentry>
1395 <varlistentry>
1396 <term>
1397 <option>lxc.group</option>
1398 </term>
1399 <listitem>
1400 <para>
1401 A multi-value key (can be used multiple times) to put the
1402 container in a container group. Those groups can then be
1403 used (amongst other things) to start a series of related
1404 containers.
1405 </para>
1406 </listitem>
1407 </varlistentry>
1408 </variablelist>
1409 </refsect2>
1410 </refsect1>
1411
1412 <refsect1>
1413 <title>Examples</title>
1414 <para>
1415 In addition to the few examples given below, you will find
1416 some other examples of configuration file in @DOCDIR@/examples
1417 </para>
1418 <refsect2>
1419 <title>Network</title>
1420 <para>This configuration sets up a container to use a veth pair
1421 device with one side plugged to a bridge br0 (which has been
1422 configured before on the system by the administrator). The
1423 virtual network device visible in the container is renamed to
1424 eth0.</para>
1425 <programlisting>
1426 lxc.utsname = myhostname
1427 lxc.network.type = veth
1428 lxc.network.flags = up
1429 lxc.network.link = br0
1430 lxc.network.name = eth0
1431 lxc.network.hwaddr = 4a:49:43:49:79:bf
1432 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1433 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
1434 </programlisting>
1435 </refsect2>
1436
1437 <refsect2>
1438 <title>UID/GID mapping</title>
1439 <para>This configuration will map both user and group ids in the
1440 range 0-9999 in the container to the ids 100000-109999 on the host.
1441 </para>
1442 <programlisting>
1443 lxc.id_map = u 0 100000 10000
1444 lxc.id_map = g 0 100000 10000
1445 </programlisting>
1446 </refsect2>
1447
1448 <refsect2>
1449 <title>Control group</title>
1450 <para>This configuration will setup several control groups for
1451 the application, cpuset.cpus restricts usage of the defined cpu,
1452 cpus.share prioritize the control group, devices.allow makes
1453 usable the specified devices.</para>
1454 <programlisting>
1455 lxc.cgroup.cpuset.cpus = 0,1
1456 lxc.cgroup.cpu.shares = 1234
1457 lxc.cgroup.devices.deny = a
1458 lxc.cgroup.devices.allow = c 1:3 rw
1459 lxc.cgroup.devices.allow = b 8:0 rw
1460 </programlisting>
1461 </refsect2>
1462
1463 <refsect2>
1464 <title>Complex configuration</title>
1465 <para>This example show a complex configuration making a complex
1466 network stack, using the control groups, setting a new hostname,
1467 mounting some locations and a changing root file system.</para>
1468 <programlisting>
1469 lxc.utsname = complex
1470 lxc.network.type = veth
1471 lxc.network.flags = up
1472 lxc.network.link = br0
1473 lxc.network.hwaddr = 4a:49:43:49:79:bf
1474 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1475 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
1476 lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
1477 lxc.network.type = macvlan
1478 lxc.network.flags = up
1479 lxc.network.link = eth0
1480 lxc.network.hwaddr = 4a:49:43:49:79:bd
1481 lxc.network.ipv4 = 10.2.3.4/24
1482 lxc.network.ipv4 = 192.168.10.125/24
1483 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
1484 lxc.network.type = phys
1485 lxc.network.flags = up
1486 lxc.network.link = dummy0
1487 lxc.network.hwaddr = 4a:49:43:49:79:ff
1488 lxc.network.ipv4 = 10.2.3.6/24
1489 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
1490 lxc.cgroup.cpuset.cpus = 0,1
1491 lxc.cgroup.cpu.shares = 1234
1492 lxc.cgroup.devices.deny = a
1493 lxc.cgroup.devices.allow = c 1:3 rw
1494 lxc.cgroup.devices.allow = b 8:0 rw
1495 lxc.mount = /etc/fstab.complex
1496 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
1497 lxc.rootfs = /mnt/rootfs.complex
1498 lxc.cap.drop = sys_module mknod setuid net_raw
1499 lxc.cap.drop = mac_override
1500 </programlisting>
1501 </refsect2>
1502
1503 </refsect1>
1504
1505 <refsect1>
1506 <title>See Also</title>
1507 <simpara>
1508 <citerefentry>
1509 <refentrytitle><command>chroot</command></refentrytitle>
1510 <manvolnum>1</manvolnum>
1511 </citerefentry>,
1512
1513 <citerefentry>
1514 <refentrytitle><command>pivot_root</command></refentrytitle>
1515 <manvolnum>8</manvolnum>
1516 </citerefentry>,
1517
1518 <citerefentry>
1519 <refentrytitle><filename>fstab</filename></refentrytitle>
1520 <manvolnum>5</manvolnum>
1521 </citerefentry>,
1522
1523 <citerefentry>
1524 <refentrytitle><filename>capabilities</filename></refentrytitle>
1525 <manvolnum>7</manvolnum>
1526 </citerefentry>
1527 </simpara>
1528 </refsect1>
1529
1530 &seealso;
1531
1532 <refsect1>
1533 <title>Author</title>
1534 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
1535 </refsect1>
1536
1537</refentry>
1538
1539<!-- Keep this comment at the end of the file
1540Local variables:
1541mode: sgml
1542sgml-omittag:t
1543sgml-shorttag:t
1544sgml-minimize-attributes:nil
1545sgml-always-quote-attributes:t
1546sgml-indent-step:2
1547sgml-indent-data:t
1548sgml-parent-document:nil
1549sgml-default-dtd-file:nil
1550sgml-exposed-tags:nil
1551sgml-local-catalogs:nil
1552sgml-local-ecat-files:nil
1553End:
1554-->
LXC mirror