]> git.proxmox.com Git - mirror_lxc.git/blame - doc/lxc.container.conf.sgml.in
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bdev: "detect" loop file
[mirror_lxc.git] / doc / lxc.container.conf.sgml.in
CommitLineData
55fc19a1
SG		 1<!--
2
3lxc: linux Container library
4
5(C) Copyright IBM Corp. 2007, 2008
6
7Authors:
8Daniel Lezcano <daniel.lezcano at free.fr>
9
10This library is free software; you can redistribute it and/or
11modify it under the terms of the GNU Lesser General Public
12License as published by the Free Software Foundation; either
13version 2.1 of the License, or (at your option) any later version.
14
15This library is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18Lesser General Public License for more details.
19
20You should have received a copy of the GNU Lesser General Public
21License along with this library; if not, write to the Free Software
22Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23
24-->
25
26<!DOCTYPE refentry PUBLIC @docdtd@ [
27
28<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
29]>
30
31<refentry>
32
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
34
35 <refmeta>
36 <refentrytitle>lxc.container.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
38 </refmeta>
39
40 <refnamediv>
41 <refname>lxc.container.conf</refname>
42
43 <refpurpose>
44 LXC container configuration file
45 </refpurpose>
46 </refnamediv>
47
48 <refsect1>
49 <title>Description</title>
50
51 <para>
52 The linux containers (<command>lxc</command>) are always created
53 before being used. This creation defines a set of system
54 resources to be virtualized / isolated when a process is using
55 the container. By default, the pids, sysv ipc and mount points
56 are virtualized and isolated. The other system resources are
57 shared across containers, until they are explicitly defined in
58 the configuration file. For example, if there is no network
59 configuration, the network will be shared between the creator of
60 the container and the container itself, but if the network is
61 specified, a new network stack is created for the container and
62 the container can no longer use the network of its ancestor.
63 </para>
64
65 <para>
66 The configuration file defines the different system resources to
67 be assigned for the container. At present, the utsname, the
68 network, the mount points, the root file system, the user namespace,
69 and the control groups are supported.
70 </para>
71
72 <para>
73 Each option in the configuration file has the form <command>key
74 = value</command> fitting in one line. The '#' character means
ff689149
MH		 75 the line is a comment. List options, like capabilities and cgroups
76 options, can be used with no value to clear any previously
77 defined values of that option.
55fc19a1
SG		 78 </para>
79
80 <refsect2>
81 <title>Configuration</title>
82 <para>
c464fd7e
SG		 83 In order to ease administration of multiple related containers, it
84 is possible to have a container configuration file cause another
85 file to be loaded. For instance, network configuration
86 can be defined in one common file which is included by multiple
87 containers. Then, if the containers are moved to another host,
88 only one file may need to be updated.
55fc19a1
SG		 89 </para>
90
91 <variablelist>
c464fd7e
SG		 92 <varlistentry>
93 <term>
94 <option>lxc.include</option>
95 </term>
96 <listitem>
97 <para>
98 Specify the file to be included. The included file must be
99 in the same valid lxc configuration file format.
100 </para>
101 </listitem>
102 </varlistentry>
55fc19a1
SG		 103 </variablelist>
104 </refsect2>
105
106 <refsect2>
107 <title>Architecture</title>
108 <para>
c464fd7e
SG		 109 Allows one to set the architecture for the container. For example,
110 set a 32bits architecture for a container running 32bits
111 binaries on a 64bits host. This fixes the container scripts
112 which rely on the architecture to do some work like
113 downloading the packages.
55fc19a1
SG		 114 </para>
115
116 <variablelist>
c464fd7e
SG		 117 <varlistentry>
118 <term>
119 <option>lxc.arch</option>
120 </term>
121 <listitem>
122 <para>
123 Specify the architecture for the container.
124 </para>
125 <para>
126 Valid options are
127 <option>x86</option>,
128 <option>i686</option>,
129 <option>x86_64</option>,
130 <option>amd64</option>
131 </para>
132 </listitem>
133 </varlistentry>
55fc19a1
SG		 134 </variablelist>
135
136 </refsect2>
137
138 <refsect2>
139 <title>Hostname</title>
140 <para>
c464fd7e
SG		 141 The utsname section defines the hostname to be set for the
142 container. That means the container can set its own hostname
143 without changing the one from the system. That makes the
144 hostname private for the container.
55fc19a1
SG		 145 </para>
146 <variablelist>
c464fd7e
SG		 147 <varlistentry>
148 <term>
149 <option>lxc.utsname</option>
150 </term>
151 <listitem>
152 <para>
153 specify the hostname for the container
154 </para>
155 </listitem>
156 </varlistentry>
55fc19a1
SG		 157 </variablelist>
158 </refsect2>
159
160 <refsect2>
161 <title>Halt signal</title>
162 <para>
936762f3
BP		 163 Allows one to specify signal name or number, sent by lxc-stop to the
164 container's init process to cleanly shutdown the container. Different
165 init systems could use different signals to perform clean shutdown
166 sequence. This option allows the signal to be specified in kill(1)
167 fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The
168 default signal is SIGPWR.
55fc19a1
SG		 169 </para>
170 <variablelist>
936762f3
BP		 171 <varlistentry>
172 <term>
173 <option>lxc.haltsignal</option>
174 </term>
175 <listitem>
176 <para>
177 specify the signal used to halt the container
178 </para>
179 </listitem>
180 </varlistentry>
181 </variablelist>
182 </refsect2>
183
184 <refsect2>
185 <title>Reboot signal</title>
186 <para>
187 Allows one to specify signal name or number, sent by lxc-stop to
188 reboot the container. This option allows signal to be specified in
189 kill(1) fashion, e.g. SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain number.
190 The default signal is SIGINT.
191 </para>
192 <variablelist>
193 <varlistentry>
194 <term>
195 <option>lxc.rebootsignal</option>
196 </term>
197 <listitem>
198 <para>
199 specify the signal used to reboot the container
200 </para>
201 </listitem>
202 </varlistentry>
55fc19a1
SG		 203 </variablelist>
204 </refsect2>
205
206 <refsect2>
207 <title>Stop signal</title>
208 <para>
936762f3
BP		 209 Allows one to specify signal name or number, sent by lxc-stop to forcibly
210 shutdown the container. This option allows signal to be specified in
211 kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number.
212 The default signal is SIGKILL.
213 </para>
214 <variablelist>
215 <varlistentry>
216 <term>
217 <option>lxc.stopsignal</option>
218 </term>
219 <listitem>
220 <para>
221 specify the signal used to stop the container
222 </para>
223 </listitem>
224 </varlistentry>
55fc19a1
SG		 225 </variablelist>
226 </refsect2>
227
67c660d0
SG		 228 <refsect2>
229 <title>Init command</title>
230 <para>
231 Sets the command to use as the init system for the containers.
232
233 This option is ignored when using lxc-execute.
234
235 Defaults to: /sbin/init
236 </para>
237 <variablelist>
936762f3
BP		 238 <varlistentry>
239 <term>
240 <option>lxc.init_cmd</option>
241 </term>
242 <listitem>
243 <para>
244 Absolute path from container rootfs to the binary to use as init.
245 </para>
246 </listitem>
247 </varlistentry>
67c660d0
SG		 248 </variablelist>
249 </refsect2>
250
dbca9237
PT		 251 <refsect2>
252 <title>Init ID</title>
253 <para>
254 Sets the UID/GID to use for the init system, and subsequent command, executed by lxc-execute.
255
256 These options are only used when lxc-execute is started in a private user namespace.
257
258 Defaults to: UID(0), GID(0)
259 </para>
260 <variablelist>
261 <varlistentry>
262 <term>
263 <option>lxc.init_uid</option>
264 </term>
265 <listitem>
266 <para>
267 UID to use within a private user namesapce for init.
268 </para>
269 </listitem>
270 </varlistentry>
271 <varlistentry>
272 <term>
273 <option>lxc.init_gid</option>
274 </term>
275 <listitem>
276 <para>
277 GID to use within a private user namesapce for init.
278 </para>
279 </listitem>
280 </varlistentry>
281 </variablelist>
282 </refsect2>
283
4e6eb26b
CB		 284 <refsect2>
285 <title>Ephemeral</title>
286 <para>
287 Allows one to specify whether a container will be destroyed on shutdown.
288 </para>
289 <variablelist>
290 <varlistentry>
291 <term>
292 <option>lxc.ephemeral</option>
293 </term>
294 <listitem>
295 <para>
296 The only allowed values are 0 and 1. Set this to 1 to destroy a
297 container on shutdown.
298 </para>
299 </listitem>
300 </varlistentry>
301 </variablelist>
302 </refsect2>
303
55fc19a1
SG		 304 <refsect2>
305 <title>Network</title>
306 <para>
c464fd7e
SG		 307 The network section defines how the network is virtualized in
308 the container. The network virtualization acts at layer
309 two. In order to use the network virtualization, parameters
310 must be specified to define the network interfaces of the
311 container. Several virtual interfaces can be assigned and used
312 in a container even if the system has only one physical
313 network interface.
55fc19a1
SG		 314 </para>
315 <variablelist>
020104c3
MH		 316 <varlistentry>
317 <term>
318 <option>lxc.network</option>
319 </term>
320 <listitem>
321 <para>
322 may be used without a value to clear all previous network options.
323 </para>
324 </listitem>
325 </varlistentry>
c464fd7e
SG		 326 <varlistentry>
327 <term>
328 <option>lxc.network.type</option>
329 </term>
330 <listitem>
331 <para>
332 specify what kind of network virtualization to be used
333 for the container. Each time
334 a <option>lxc.network.type</option> field is found a new
335 round of network configuration begins. In this way,
336 several network virtualization types can be specified
337 for the same container, as well as assigning several
338 network interfaces for one container. The different
339 virtualization types can be:
340 </para>
341
342 <para>
343 <option>none:</option> will cause the container to share
344 the host's network namespace. This means the host
345 network devices are usable in the container. It also
346 means that if both the container and host have upstart as
347 init, 'halt' in a container (for instance) will shut down the
348 host.
349 </para>
350
351 <para>
352 <option>empty:</option> will create only the loopback
353 interface.
354 </para>
355
356 <para>
38005c54
MA		 357 <option>veth:</option> a virtual ethernet pair
358 device is created with one side assigned to the container
359 and the other side attached to a bridge specified by
360 the <option>lxc.network.link</option> option.
361 If the bridge is not specified, then the veth pair device
362 will be created but not attached to any bridge.
363 Otherwise, the bridge has to be created on the system
364 before starting the container.
365 <command>lxc</command> won't handle any
366 configuration outside of the container.
367 By default, <command>lxc</command> chooses a name for the
c464fd7e 368 network device belonging to the outside of the
38005c54
MA		 369 container, but if you wish to handle
370 this name yourselves, you can tell <command>lxc</command>
c464fd7e
SG		 371 to set a specific name with
372 the <option>lxc.network.veth.pair</option> option (except for
373 unprivileged containers where this option is ignored for security
374 reasons).
375 </para>
376
377 <para>
378 <option>vlan:</option> a vlan interface is linked with
379 the interface specified by
380 the <option>lxc.network.link</option> and assigned to
381 the container. The vlan identifier is specified with the
382 option <option>lxc.network.vlan.id</option>.
383 </para>
384
385 <para>
386 <option>macvlan:</option> a macvlan interface is linked
387 with the interface specified by
388 the <option>lxc.network.link</option> and assigned to
389 the container.
390 <option>lxc.network.macvlan.mode</option> specifies the
391 mode the macvlan will use to communicate between
392 different macvlan on the same upper device. The accepted
c15ea607
EL		 393 modes are <option>private</option>, <option>vepa</option>,
394 <option>bridge</option> and <option>passthru</option>.
395 In <option>private</option> mode, the device never
396 communicates with any other device on the same upper_dev (default).
397 In <option>vepa</option> mode, the new Virtual Ethernet Port
c464fd7e
SG		 398 Aggregator (VEPA) mode, it assumes that the adjacent
399 bridge returns all frames where both source and
400 destination are local to the macvlan port, i.e. the
401 bridge is set up as a reflective relay. Broadcast
402 frames coming in from the upper_dev get flooded to all
403 macvlan interfaces in VEPA mode, local frames are not
c15ea607 404 delivered locally. In <option>bridge</option> mode, it
c464fd7e
SG		 405 provides the behavior of a simple bridge between
406 different macvlan interfaces on the same port. Frames
407 from one interface to another one get delivered directly
408 and are not sent out externally. Broadcast frames get
409 flooded to all other bridge ports and to the external
410 interface, but when they come back from a reflective
411 relay, we don't deliver them again. Since we know all
412 the MAC addresses, the macvlan bridge mode does not
c15ea607
EL		 413 require learning or STP like the bridge module does. In
414 <option>passthru</option> mode, all frames received by
415 the physical interface are forwarded to the macvlan
416 interface. Only one macvlan interface in <option>passthru</option>
417 mode is possible for one physical interface.
c464fd7e
SG		 418 </para>
419
420 <para>
421 <option>phys:</option> an already existing interface
422 specified by the <option>lxc.network.link</option> is
423 assigned to the container.
424 </para>
425 </listitem>
426 </varlistentry>
427
428 <varlistentry>
429 <term>
430 <option>lxc.network.flags</option>
431 </term>
432 <listitem>
433 <para>
434 specify an action to do for the
435 network.
436 </para>
437
438 <para><option>up:</option> activates the interface.
439 </para>
440 </listitem>
441 </varlistentry>
442
443 <varlistentry>
444 <term>
445 <option>lxc.network.link</option>
446 </term>
447 <listitem>
448 <para>
449 specify the interface to be used for real network
450 traffic.
451 </para>
452 </listitem>
453 </varlistentry>
454
455 <varlistentry>
456 <term>
457 <option>lxc.network.mtu</option>
458 </term>
459 <listitem>
460 <para>
461 specify the maximum transfer unit for this interface.
462 </para>
463 </listitem>
464 </varlistentry>
465
466 <varlistentry>
467 <term>
468 <option>lxc.network.name</option>
469 </term>
470 <listitem>
471 <para>
472 the interface name is dynamically allocated, but if
473 another name is needed because the configuration files
474 being used by the container use a generic name,
475 eg. eth0, this option will rename the interface in the
476 container.
477 </para>
478 </listitem>
479 </varlistentry>
480
481 <varlistentry>
482 <term>
483 <option>lxc.network.hwaddr</option>
484 </term>
485 <listitem>
486 <para>
487 the interface mac address is dynamically allocated by
488 default to the virtual interface, but in some cases,
489 this is needed to resolve a mac address conflict or to
490 always have the same link-local ipv6 address.
491 Any "x" in address will be replaced by random value,
492 this allows setting hwaddr templates.
493 </para>
494 </listitem>
495 </varlistentry>
496
497 <varlistentry>
498 <term>
499 <option>lxc.network.ipv4</option>
500 </term>
501 <listitem>
502 <para>
503 specify the ipv4 address to assign to the virtualized
504 interface. Several lines specify several ipv4 addresses.
505 The address is in format x.y.z.t/m,
506 eg. 192.168.1.123/24. The broadcast address should be
507 specified on the same line, right after the ipv4
508 address.
509 </para>
510 </listitem>
511 </varlistentry>
512
513 <varlistentry>
514 <term>
515 <option>lxc.network.ipv4.gateway</option>
516 </term>
517 <listitem>
518 <para>
519 specify the ipv4 address to use as the gateway inside the
520 container. The address is in format x.y.z.t, eg.
521 192.168.1.123.
522
523 Can also have the special value <option>auto</option>,
524 which means to take the primary address from the bridge
525 interface (as specified by the
526 <option>lxc.network.link</option> option) and use that as
527 the gateway. <option>auto</option> is only available when
528 using the <option>veth</option> and
529 <option>macvlan</option> network types.
530 </para>
531 </listitem>
532 </varlistentry>
533
534
535 <varlistentry>
536 <term>
537 <option>lxc.network.ipv6</option>
538 </term>
539 <listitem>
540 <para>
541 specify the ipv6 address to assign to the virtualized
542 interface. Several lines specify several ipv6 addresses.
543 The address is in format x::y/m,
544 eg. 2003:db8:1:0:214:1234:fe0b:3596/64
545 </para>
546 </listitem>
547 </varlistentry>
548
549 <varlistentry>
550 <term>
551 <option>lxc.network.ipv6.gateway</option>
552 </term>
553 <listitem>
554 <para>
555 specify the ipv6 address to use as the gateway inside the
556 container. The address is in format x::y,
557 eg. 2003:db8:1:0::1
558
559 Can also have the special value <option>auto</option>,
560 which means to take the primary address from the bridge
561 interface (as specified by the
562 <option>lxc.network.link</option> option) and use that as
563 the gateway. <option>auto</option> is only available when
564 using the <option>veth</option> and
565 <option>macvlan</option> network types.
566 </para>
567 </listitem>
568 </varlistentry>
569
570 <varlistentry>
571 <term>
572 <option>lxc.network.script.up</option>
573 </term>
574 <listitem>
575 <para>
576 add a configuration option to specify a script to be
577 executed after creating and configuring the network used
578 from the host side. The following arguments are passed
579 to the script: container name and config section name
580 (net) Additional arguments depend on the config section
581 employing a script hook; the following are used by the
582 network system: execution context (up), network type
583 (empty/veth/macvlan/phys), Depending on the network
584 type, other arguments may be passed:
585 veth/macvlan/phys. And finally (host-sided) device name.
586 </para>
587 <para>
588 Standard output from the script is logged at debug level.
589 Standard error is not logged, but can be captured by the
590 hook redirecting its standard error to standard output.
591 </para>
592 </listitem>
593 </varlistentry>
594
595 <varlistentry>
596 <term>
597 <option>lxc.network.script.down</option>
598 </term>
599 <listitem>
600 <para>
601 add a configuration option to specify a script to be
602 executed before destroying the network used from the
603 host side. The following arguments are passed to the
604 script: container name and config section name (net)
605 Additional arguments depend on the config section
606 employing a script hook; the following are used by the
607 network system: execution context (down), network type
608 (empty/veth/macvlan/phys), Depending on the network
609 type, other arguments may be passed:
610 veth/macvlan/phys. And finally (host-sided) device name.
611 </para>
612 <para>
613 Standard output from the script is logged at debug level.
614 Standard error is not logged, but can be captured by the
615 hook redirecting its standard error to standard output.
616 </para>
617 </listitem>
618 </varlistentry>
55fc19a1
SG		 619 </variablelist>
620 </refsect2>
621
622 <refsect2>
623 <title>New pseudo tty instance (devpts)</title>
624 <para>
c464fd7e
SG		 625 For stricter isolation the container can have its own private
626 instance of the pseudo tty.
55fc19a1
SG		 627 </para>
628 <variablelist>
c464fd7e
SG		 629 <varlistentry>
630 <term>
631 <option>lxc.pts</option>
632 </term>
633 <listitem>
634 <para>
635 If set, the container will have a new pseudo tty
636 instance, making this private to it. The value specifies
55fc19a1
SG		 637 the maximum number of pseudo ttys allowed for a pts
638 instance (this limitation is not implemented yet).
c464fd7e
SG		 639 </para>
640 </listitem>
641 </varlistentry>
55fc19a1
SG		 642 </variablelist>
643 </refsect2>
644
645 <refsect2>
646 <title>Container system console</title>
647 <para>
c464fd7e
SG		 648 If the container is configured with a root filesystem and the
649 inittab file is setup to use the console, you may want to specify
650 where the output of this console goes.
55fc19a1
SG		 651 </para>
652 <variablelist>
c464fd7e
SG		 653 <varlistentry>
654 <term>
655 <option>lxc.console.logfile</option>
656 </term>
657 <listitem>
658 <para>
659 Specify a path to a file where the console output will
660 be written.
661 </para>
662 </listitem>
663 </varlistentry>
664 <varlistentry>
665 <term>
666 <option>lxc.console</option>
667 </term>
668 <listitem>
669 <para>
670 Specify a path to a device to which the console will be
6e3bb289
CB		 671 attached. The keyword 'none' will simply disable the
672 console. Note, when specifying 'none' and creating a device node
673 for the console in the container at /dev/console or bind-mounting
674 the hosts's /dev/console into the container at /dev/console the
675 container will have direct access to the hosts's /dev/console.
676 This is dangerous when the container has write access to the
677 device and should thus be used with caution.
c464fd7e
SG		 678 </para>
679 </listitem>
680 </varlistentry>
55fc19a1
SG		 681 </variablelist>
682 </refsect2>
683
684 <refsect2>
685 <title>Console through the ttys</title>
686 <para>
c464fd7e
SG		 687 This option is useful if the container is configured with a root
688 filesystem and the inittab file is setup to launch a getty on the
689 ttys. The option specifies the number of ttys to be available for
690 the container. The number of gettys in the inittab file of the
691 container should not be greater than the number of ttys specified
692 in this option, otherwise the excess getty sessions will die and
693 respawn indefinitely giving annoying messages on the console or in
694 <filename>/var/log/messages</filename>.
55fc19a1
SG		 695 </para>
696 <variablelist>
c464fd7e
SG		 697 <varlistentry>
698 <term>
699 <option>lxc.tty</option>
700 </term>
701 <listitem>
702 <para>
703 Specify the number of tty to make available to the
704 container.
705 </para>
706 </listitem>
707 </varlistentry>
55fc19a1
SG		 708 </variablelist>
709 </refsect2>
710
711 <refsect2>
712 <title>Console devices location</title>
713 <para>
714 LXC consoles are provided through Unix98 PTYs created on the
c464fd7e
SG		 715 host and bind-mounted over the expected devices in the container.
716 By default, they are bind-mounted over <filename>/dev/console</filename>
717 and <filename>/dev/ttyN</filename>. This can prevent package upgrades
718 in the guest. Therefore you can specify a directory location (under
719 <filename>/dev</filename> under which LXC will create the files and
720 bind-mount over them. These will then be symbolically linked to
721 <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
722 A package upgrade can then succeed as it is able to remove and replace
723 the symbolic links.
55fc19a1
SG		 724 </para>
725 <variablelist>
c464fd7e
SG		 726 <varlistentry>
727 <term>
728 <option>lxc.devttydir</option>
729 </term>
730 <listitem>
731 <para>
732 Specify a directory under <filename>/dev</filename>
6e3bb289
CB		 733 under which to create the container console devices. Note that LXC
734 will move any bind-mounts or device nodes for /dev/console into
735 this directory.
c464fd7e
SG		 736 </para>
737 </listitem>
738 </varlistentry>
55fc19a1
SG		 739 </variablelist>
740 </refsect2>
741
742 <refsect2>
743 <title>/dev directory</title>
744 <para>
c464fd7e
SG		 745 By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr)
746 in the container's <filename>/dev</filename> directory but does not
747 automatically create device node entries. This allows the container's
748 <filename>/dev</filename> to be set up as needed in the container
749 rootfs. If lxc.autodev is set to 1, then after mounting the container's
750 rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
c35d2909 751 (limited to 500k) and fill in a minimal set of initial devices.
55fc19a1
SG		 752 This is generally required when starting a container containing
753 a "systemd" based "init" but may be optional at other times. Additional
754 devices in the containers /dev directory may be created through the
755 use of the <option>lxc.hook.autodev</option> hook.
756 </para>
757 <variablelist>
c464fd7e
SG		 758 <varlistentry>
759 <term>
760 <option>lxc.autodev</option>
761 </term>
762 <listitem>
763 <para>
124fa0a8 764 Set this to 0 to stop LXC from mounting and populating a minimal
c464fd7e
SG		 765 <filename>/dev</filename> when starting the container.
766 </para>
767 </listitem>
768 </varlistentry>
55fc19a1
SG		 769 </variablelist>
770 </refsect2>
771
772 <refsect2>
773 <title>Enable kmsg symlink</title>
774 <para>
d89de239 775 Enable creating /dev/kmsg as symlink to /dev/console. This defaults to 0.
55fc19a1
SG		 776 </para>
777 <variablelist>
778 <varlistentry>
779 <term>
780 <option>lxc.kmsg</option>
781 </term>
782 <listitem>
783 <para>
d89de239 784 Set this to 1 to enable /dev/kmsg symlinking.
55fc19a1
SG		 785 </para>
786 </listitem>
787 </varlistentry>
788 </variablelist>
789 </refsect2>
790
791 <refsect2>
792 <title>Mount points</title>
793 <para>
c464fd7e
SG		 794 The mount points section specifies the different places to be
795 mounted. These mount points will be private to the container
796 and won't be visible by the processes running outside of the
797 container. This is useful to mount /etc, /var or /home for
798 examples.
55fc19a1 799 </para>
592fd47a
SH		 800 <para>
801 NOTE - LXC will generally ensure that mount targets and relative
802 bind-mount sources are properly confined under the container
803 root, to avoid attacks involving over-mounting host directories
804 and files. (Symbolic links in absolute mount sources are ignored)
805 However, if the container configuration first mounts a directory which
806 is under the control of the container user, such as /home/joe, into
807 the container at some <filename>path</filename>, and then mounts
808 under <filename>path</filename>, then a TOCTTOU attack would be
809 possible where the container user modifies a symbolic link under
810 his home directory at just the right time.
811 </para>
55fc19a1 812 <variablelist>
c464fd7e
SG		 813 <varlistentry>
814 <term>
815 <option>lxc.mount</option>
816 </term>
817 <listitem>
818 <para>
819 specify a file location in
820 the <filename>fstab</filename> format, containing the
821 mount information. The mount target location can and in
822 most cases should be a relative path, which will become
823 relative to the mounted container root. For instance,
824 </para>
6191f4f4
SH		 825<screen>
826proc proc proc nodev,noexec,nosuid 0 0
827</screen>
c464fd7e
SG		 828 <para>
829 Will mount a proc filesystem under the container's /proc,
830 regardless of where the root filesystem comes from. This
831 is resilient to block device backed filesystems as well as
832 container cloning.
833 </para>
834 <para>
835 Note that when mounting a filesystem from an
836 image file or block device the third field (fs_vfstype)
837 cannot be auto as with
55fc19a1 838 <citerefentry>
c464fd7e 839 <refentrytitle>mount</refentrytitle>
55fc19a1
SG		 840 <manvolnum>8</manvolnum>
841 </citerefentry>
842 but must be explicitly specified.
c464fd7e
SG		 843 </para>
844 </listitem>
845 </varlistentry>
846
847 <varlistentry>
848 <term>
849 <option>lxc.mount.entry</option>
850 </term>
851 <listitem>
852 <para>
853 specify a mount point corresponding to a line in the
854 fstab format.
f5b67b36
NC		 855
856 Moreover lxc add two options to mount.
857 <option>optional</option> don't fail if mount does not work.
858 <option>create=dir</option> or <option>create=file</option>
859 to create dir (or file) when the point will be mounted.
c464fd7e
SG		 860 </para>
861 </listitem>
862 </varlistentry>
863
864 <varlistentry>
865 <term>
866 <option>lxc.mount.auto</option>
867 </term>
868 <listitem>
869 <para>
870 specify which standard kernel file systems should be
871 automatically mounted. This may dramatically simplify
872 the configuration. The file systems are:
873 </para>
874 <itemizedlist>
875 <listitem>
876 <para>
877 <option>proc:mixed</option> (or <option>proc</option>):
878 mount <filename>/proc</filename> as read-write, but
879 remount <filename>/proc/sys</filename> and
880 <filename>/proc/sysrq-trigger</filename> read-only
881 for security / container isolation purposes.
882 </para>
883 </listitem>
884 <listitem>
885 <para>
886 <option>proc:rw</option>: mount
887 <filename>/proc</filename> as read-write
888 </para>
889 </listitem>
890 <listitem>
891 <para>
f24a52d5
SG		 892 <option>sys:mixed</option> (or <option>sys</option>):
893 mount <filename>/sys</filename> as read-only but with
894 /sys/devices/virtual/net writable.
895 </para>
896 </listitem>
897 <listitem>
898 <para>
899 <option>sys:ro</option>:
c464fd7e
SG		 900 mount <filename>/sys</filename> as read-only
901 for security / container isolation purposes.
902 </para>
903 </listitem>
904 <listitem>
905 <para>
906 <option>sys:rw</option>: mount
907 <filename>/sys</filename> as read-write
908 </para>
909 </listitem>
910 <listitem>
911 <para>
912 <option>cgroup:mixed</option>:
913 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
914 create directories for all hierarchies to which
915 the container is added, create subdirectories
916 there with the name of the cgroup, and bind-mount
917 the container's own cgroup into that directory.
918 The container will be able to write to its own
919 cgroup directory, but not the parents, since they
4608594e 920 will be remounted read-only.
c464fd7e
SG		 921 </para>
922 </listitem>
923 <listitem>
924 <para>
925 <option>cgroup:ro</option>: similar to
926 <option>cgroup:mixed</option>, but everything will
927 be mounted read-only.
928 </para>
929 </listitem>
930 <listitem>
931 <para>
932 <option>cgroup:rw</option>: similar to
933 <option>cgroup:mixed</option>, but everything will
934 be mounted read-write. Note that the paths leading
935 up to the container's own cgroup will be writable,
936 but will not be a cgroup filesystem but just part
937 of the tmpfs of <filename>/sys/fs/cgroup</filename>
938 </para>
939 </listitem>
940 <listitem>
941 <para>
942 <option>cgroup</option> (without specifier):
943 defaults to <option>cgroup:rw</option> if the
944 container retains the CAP_SYS_ADMIN capability,
945 <option>cgroup:mixed</option> otherwise.
946 </para>
947 </listitem>
948 <listitem>
949 <para>
950 <option>cgroup-full:mixed</option>:
951 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
952 create directories for all hierarchies to which
953 the container is added, bind-mount the hierarchies
954 from the host to the container and make everything
955 read-only except the container's own cgroup. Note
956 that compared to <option>cgroup</option>, where
957 all paths leading up to the container's own cgroup
958 are just simple directories in the underlying
959 tmpfs, here
960 <filename>/sys/fs/cgroup/$hierarchy</filename>
961 will contain the host's full cgroup hierarchy,
962 albeit read-only outside the container's own cgroup.
963 This may leak quite a bit of information into the
964 container.
965 </para>
966 </listitem>
967 <listitem>
968 <para>
969 <option>cgroup-full:ro</option>: similar to
970 <option>cgroup-full:mixed</option>, but everything
971 will be mounted read-only.
972 </para>
973 </listitem>
974 <listitem>
975 <para>
976 <option>cgroup-full:rw</option>: similar to
977 <option>cgroup-full:mixed</option>, but everything
978 will be mounted read-write. Note that in this case,
979 the container may escape its own cgroup. (Note also
980 that if the container has CAP_SYS_ADMIN support
981 and can mount the cgroup filesystem itself, it may
982 do so anyway.)
983 </para>
984 </listitem>
985 <listitem>
986 <para>
987 <option>cgroup-full</option> (without specifier):
988 defaults to <option>cgroup-full:rw</option> if the
989 container retains the CAP_SYS_ADMIN capability,
990 <option>cgroup-full:mixed</option> otherwise.
991 </para>
992 </listitem>
993 </itemizedlist>
4608594e
SH		 994 <para>
995 If cgroup namespaces are enabled, then any <option>cgroup</option>
996 auto-mounting request will be ignored, since the container can
997 mount the filesystems itself, and automounting can confuse the
998 container init.
999 </para>
c464fd7e
SG		 1000 <para>
1001 Note that if automatic mounting of the cgroup filesystem
1002 is enabled, the tmpfs under
1003 <filename>/sys/fs/cgroup</filename> will always be
1004 mounted read-write (but for the <option>:mixed</option>
1005 and <option>:ro</option> cases, the individual
1006 hierarchies,
1007 <filename>/sys/fs/cgroup/$hierarchy</filename>, will be
1008 read-only). This is in order to work around a quirk in
1009 Ubuntu's
b46f0553 1010 <citerefentry>
c464fd7e 1011 <refentrytitle>mountall</refentrytitle>
b46f0553
CS		 1012 <manvolnum>8</manvolnum>
1013 </citerefentry>
c464fd7e
SG		 1014 command that will cause containers to wait for user
1015 input at boot if
1016 <filename>/sys/fs/cgroup</filename> is mounted read-only
1017 and the container can't remount it read-write due to a
1018 lack of CAP_SYS_ADMIN.
1019 </para>
1020 <para>
1021 Examples:
1022 </para>
1023 <programlisting>
1024 lxc.mount.auto = proc sys cgroup
1025 lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
1026 </programlisting>
1027 </listitem>
1028 </varlistentry>
55fc19a1
SG		 1029
1030 </variablelist>
1031 </refsect2>
1032
1033 <refsect2>
1034 <title>Root file system</title>
1035 <para>
c464fd7e
SG		 1036 The root file system of the container can be different than that
1037 of the host system.
55fc19a1
SG		 1038 </para>
1039 <variablelist>
c464fd7e
SG		 1040 <varlistentry>
1041 <term>
1042 <option>lxc.rootfs</option>
1043 </term>
1044 <listitem>
1045 <para>
1046 specify the root file system for the container. It can
1047 be an image file, a directory or a block device. If not
1048 specified, the container shares its root file system
1049 with the host.
1050 </para>
1051 <para>
f1c26f2c
SH		 1052 For directory or simple block-device backed containers,
1053 a pathname can be used. If the rootfs is backed by a nbd
1054 device, then <filename>nbd:file:1</filename> specifies that
1055 <filename>file</filename> should be attached to a nbd device,
1056 and partition 1 should be mounted as the rootfs.
1057 <filename>nbd:file</filename> specifies that the nbd device
1058 itself should be mounted. <filename>overlayfs:/lower:/upper</filename>
1059 specifies that the rootfs should be an overlay with <filename>/upper</filename>
1060 being mounted read-write over a read-only mount of <filename>/lower</filename>.
1061 <filename>aufs:/lower:/upper</filename> does the same using aufs in place
280d2379
CB		 1062 of overlayfs. For both <filename>overlayfs</filename> and
1063 <filename>aufs</filename> multiple <filename>/lower</filename>
1064 directories can be specified. <filename>loop:/file</filename> tells lxc to attach
f1c26f2c 1065 <filename>/file</filename> to a loop device and mount the loop device.
c464fd7e
SG		 1066 </para>
1067 </listitem>
1068 </varlistentry>
1069
1070 <varlistentry>
1071 <term>
1072 <option>lxc.rootfs.mount</option>
1073 </term>
1074 <listitem>
1075 <para>
1076 where to recursively bind <option>lxc.rootfs</option>
1077 before pivoting. This is to ensure success of the
1078 <citerefentry>
1079 <refentrytitle><command>pivot_root</command></refentrytitle>
1080 <manvolnum>8</manvolnum>
1081 </citerefentry>
1082 syscall. Any directory suffices, the default should
1083 generally work.
1084 </para>
1085 </listitem>
1086 </varlistentry>
1087
1088 <varlistentry>
1089 <term>
1090 <option>lxc.rootfs.options</option>
1091 </term>
1092 <listitem>
1093 <para>
1094 extra mount options to use when mounting the rootfs.
1095 </para>
1096 </listitem>
1097 </varlistentry>
a17b1e65 1098
f9039861
SH		 1099 <varlistentry>
1100 <term>
1101 <option>lxc.rootfs.backend</option>
1102 </term>
1103 <listitem>
1104 <para>
1105 specify the rootfs backend type to use, for instance 'dir' or
1106 'zfs'. While this can be guessed by lxc at container startup,
1107 doing so takes time. Specifying it here avoids extra
1108 processing.
1109 </para>
1110 </listitem>
1111 </varlistentry>
1112
55fc19a1
SG		 1113 </variablelist>
1114 </refsect2>
1115
1116 <refsect2>
1117 <title>Control group</title>
1118 <para>
c464fd7e
SG		 1119 The control group section contains the configuration for the
1120 different subsystem. <command>lxc</command> does not check the
1121 correctness of the subsystem name. This has the disadvantage
1122 of not detecting configuration errors until the container is
1123 started, but has the advantage of permitting any future
1124 subsystem.
55fc19a1
SG		 1125 </para>
1126 <variablelist>
c464fd7e
SG		 1127 <varlistentry>
1128 <term>
1129 <option>lxc.cgroup.[subsystem name]</option>
1130 </term>
1131 <listitem>
1132 <para>
1133 specify the control group value to be set. The
1134 subsystem name is the literal name of the control group
1135 subsystem. The permitted names and the syntax of their
1136 values is not dictated by LXC, instead it depends on the
1137 features of the Linux kernel running at the time the
1138 container is started,
1139 eg. <option>lxc.cgroup.cpuset.cpus</option>
1140 </para>
1141 </listitem>
1142 </varlistentry>
55fc19a1
SG		 1143 </variablelist>
1144 </refsect2>
1145
1146 <refsect2>
1147 <title>Capabilities</title>
1148 <para>
c464fd7e
SG		 1149 The capabilities can be dropped in the container if this one
1150 is run as root.
55fc19a1
SG		 1151 </para>
1152 <variablelist>
c464fd7e
SG		 1153 <varlistentry>
1154 <term>
1155 <option>lxc.cap.drop</option>
1156 </term>
1157 <listitem>
1158 <para>
1159 Specify the capability to be dropped in the container. A
1160 single line defining several capabilities with a space
1161 separation is allowed. The format is the lower case of
1162 the capability definition without the "CAP_" prefix,
1163 eg. CAP_SYS_MODULE should be specified as
1164 sys_module. See
1165 <citerefentry>
1166 <refentrytitle><command>capabilities</command></refentrytitle>
1167 <manvolnum>7</manvolnum>
7eff30fd
MH		 1168 </citerefentry>.
1169 If used with no value, lxc will clear any drop capabilities
1170 specified up to this point.
c464fd7e
SG		 1171 </para>
1172 </listitem>
1173 </varlistentry>
1174 <varlistentry>
1175 <term>
1176 <option>lxc.cap.keep</option>
1177 </term>
1178 <listitem>
1179 <para>
1180 Specify the capability to be kept in the container. All other
1181 capabilities will be dropped. When a special value of "none" is
1182 encountered, lxc will clear any keep capabilities specified up
1183 to this point. A value of "none" alone can be used to drop all
1184 capabilities.
1185 </para>
1186 </listitem>
1187 </varlistentry>
55fc19a1
SG		 1188 </variablelist>
1189 </refsect2>
1190
93f9e90d
WB		 1191 <refsect2>
1192 <title>Resource limits</title>
1193 <para>
1194 The soft and hard resource limits for the container can be changed.
1195 Unprivileged containers can only lower them. Resources which are not
1196 explicitly specified will be inherited.
1197 </para>
1198 <variablelist>
1199 <varlistentry>
1200 <term>
1201 <option>lxc.limit.[limit name]</option>
1202 </term>
1203 <listitem>
1204 <para>
1205 Specify the resource limit to be set. A limit is specified as two
1206 colon separated values which are either numeric or the word
1207 'unlimited'. A single value can be used as a shortcut to set both
1208 soft and hard limit to the same value. The permitted names the
1209 "RLIMIT_" resource names in lowercase without the "RLIMIT_"
1210 prefix, eg. RLIMIT_NOFILE should be specified as "nofile". See
1211 <citerefentry>
1212 <refentrytitle><command>setrlimit</command></refentrytitle>
1213 <manvolnum>2</manvolnum>
1214 </citerefentry>.
1215 If used with no value, lxc will clear the resource limit
1216 specified up to this point. A resource with no explicitly
1217 configured limitation will be inherited from the process starting
1218 up the container.
1219 </para>
1220 </listitem>
1221 </varlistentry>
1222 </variablelist>
1223 </refsect2>
1224
55fc19a1
SG		 1225 <refsect2>
1226 <title>Apparmor profile</title>
1227 <para>
c464fd7e
SG		 1228 If lxc was compiled and installed with apparmor support, and the host
1229 system has apparmor enabled, then the apparmor profile under which the
1230 container should be run can be specified in the container
7a126ae1
SH		 1231 configuration. The default is <command>lxc-container-default-cgns</command>
1232 if the host kernel is cgroup namespace aware, or
1233 <command>lxc-container-default</command> othewise.
55fc19a1
SG		 1234 </para>
1235 <variablelist>
c464fd7e
SG		 1236 <varlistentry>
1237 <term>
1238 <option>lxc.aa_profile</option>
1239 </term>
1240 <listitem>
1241 <para>
1242 Specify the apparmor profile under which the container should
1243 be run. To specify that the container should be unconfined,
1244 use
1245 </para>
1246 <programlisting>lxc.aa_profile = unconfined</programlisting>
7a126ae1
SH		 1247 <para>
1248 If the apparmor profile should remain unchanged (i.e. if you
1249 are nesting containers and are already confined), then use
1250 </para>
1251 <programlisting>lxc.aa_profile = unchanged</programlisting>
c464fd7e
SG		 1252 </listitem>
1253 </varlistentry>
1254 <varlistentry>
1255 <term>
1256 <option>lxc.aa_allow_incomplete</option>
1257 </term>
1258 <listitem>
1259 <para>
1260 Apparmor profiles are pathname based. Therefore many file
1261 restrictions require mount restrictions to be effective against
1262 a determined attacker. However, these mount restrictions are not
1263 yet implemented in the upstream kernel. Without the mount
1264 restrictions, the apparmor profiles still protect against accidental
1265 damager.
1266 </para>
1267 <para>
1268 If this flag is 0 (default), then the container will not be
1269 started if the kernel lacks the apparmor mount features, so that a
1270 regression after a kernel upgrade will be detected. To start the
1271 container under partial apparmor protection, set this flag to 1.
1272 </para>
1273 </listitem>
1274 </varlistentry>
55fc19a1
SG		 1275 </variablelist>
1276 </refsect2>
1277
1278 <refsect2>
1279 <title>SELinux context</title>
1280 <para>
c464fd7e
SG		 1281 If lxc was compiled and installed with SELinux support, and the host
1282 system has SELinux enabled, then the SELinux context under which the
1283 container should be run can be specified in the container
1284 configuration. The default is <command>unconfined_t</command>,
1285 which means that lxc will not attempt to change contexts.
1286 See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
1287 information.
55fc19a1
SG		 1288 </para>
1289 <variablelist>
c464fd7e
SG		 1290 <varlistentry>
1291 <term>
1292 <option>lxc.se_context</option>
1293 </term>
1294 <listitem>
1295 <para>
1296 Specify the SELinux context under which the container should
1297 be run or <command>unconfined_t</command>. For example
1298 </para>
1299 <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting>
1300 </listitem>
1301 </varlistentry>
55fc19a1
SG		 1302 </variablelist>
1303 </refsect2>
1304
1305 <refsect2>
1306 <title>Seccomp configuration</title>
1307 <para>
1308 A container can be started with a reduced set of available
c464fd7e
SG		 1309 system calls by loading a seccomp profile at startup. The
1310 seccomp configuration file must begin with a version number
1311 on the first line, a policy type on the second line, followed
1312 by the configuration.
55fc19a1 1313 </para>
a7c27357
SH		 1314 <para>
1315 Versions 1 and 2 are currently supported. In version 1, the
c464fd7e
SG		 1316 policy is a simple whitelist. The second line therefore must
1317 read "whitelist", with the rest of the file containing one (numeric)
1318 sycall number per line. Each syscall number is whitelisted,
1319 while every unlisted number is blacklisted for use in the container
a7c27357
SH		 1320 </para>
1321
1322 <para>
1323 In version 2, the policy may be blacklist or whitelist,
1324 supports per-rule and per-policy default actions, and supports
1325 per-architecture system call resolution from textual names.
1326 </para>
1327 <para>
1328 An example blacklist policy, in which all system calls are
1329 allowed except for mknod, which will simply do nothing and
1330 return 0 (success), looks like:
1331 </para>
1332<screen>
13332
1334blacklist
1335mknod errno 0
1336</screen>
55fc19a1 1337 <variablelist>
c464fd7e
SG		 1338 <varlistentry>
1339 <term>
1340 <option>lxc.seccomp</option>
1341 </term>
1342 <listitem>
1343 <para>
1344 Specify a file containing the seccomp configuration to
1345 load before the container starts.
1346 </para>
1347 </listitem>
1348 </varlistentry>
55fc19a1
SG		 1349 </variablelist>
1350 </refsect2>
1351
222ddc91
CB		 1352 <refsect2>
1353 <title>PR_SET_NO_NEW_PRIVS</title>
1354 <para>
1355 With PR_SET_NO_NEW_PRIVS active execve() promises not to grant
1356 privileges to do anything that could not have been done without
1357 the execve() call (for example, rendering the set-user-ID and
1358 set-group-ID mode bits, and file capabilities non-functional).
1359 Once set, this bit cannot be unset. The setting of this bit is
1360 inherited by children created by fork() and clone(), and preserved
1361 across execve().
1362 Note that PR_SET_NO_NEW_PRIVS is applied after the container has
1363 changed into its intended AppArmor profile or SElinux context.
1364 </para>
1365 <variablelist>
1366 <varlistentry>
1367 <term>
1368 <option>lxc.no_new_privs</option>
1369 </term>
1370 <listitem>
1371 <para>
1372 Specify whether the PR_SET_NO_NEW_PRIVS flag should be set for the
1373 container. Set to 1 to activate.
1374 </para>
1375 </listitem>
1376 </varlistentry>
1377 </variablelist>
1378 </refsect2>
1379
55fc19a1
SG		 1380 <refsect2>
1381 <title>UID mappings</title>
1382 <para>
1383 A container can be started in a private user namespace with
c464fd7e
SG		 1384 user and group id mappings. For instance, you can map userid
1385 0 in the container to userid 200000 on the host. The root
1386 user in the container will be privileged in the container,
1387 but unprivileged on the host. Normally a system container
1388 will want a range of ids, so you would map, for instance,
1389 user and group ids 0 through 20,000 in the container to the
1390 ids 200,000 through 220,000.
55fc19a1
SG		 1391 </para>
1392 <variablelist>
c464fd7e
SG		 1393 <varlistentry>
1394 <term>
1395 <option>lxc.id_map</option>
1396 </term>
1397 <listitem>
1398 <para>
1399 Four values must be provided. First a character, either
1400 'u', or 'g', to specify whether user or group ids are
1401 being mapped. Next is the first userid as seen in the
1402 user namespace of the container. Next is the userid as
1403 seen on the host. Finally, a range indicating the number
1404 of consecutive ids to map.
1405 </para>
1406 </listitem>
1407 </varlistentry>
55fc19a1
SG		 1408 </variablelist>
1409 </refsect2>
1410
1411 <refsect2>
1412 <title>Container hooks</title>
1413 <para>
1414 Container hooks are programs or scripts which can be executed
c464fd7e 1415 at various times in a container's lifetime.
55fc19a1
SG		 1416 </para>
1417 <para>
1418 When a container hook is executed, information is passed both
c464fd7e
SG		 1419 as command line arguments and through environment variables.
1420 The arguments are:
1421 <itemizedlist>
1422 <listitem><para> Container name. </para></listitem>
1423 <listitem><para> Section (always 'lxc'). </para></listitem>
1424 <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
0a2b5ab1 1425 <listitem><para> Additional arguments. In the
c464fd7e 1426 case of the clone hook, any extra arguments passed to
0a2b5ab1
WB		 1427 lxc-clone will appear as further arguments to the hook.
1428 In the case of the stop hook, paths to filedescriptors
1429 for each of the container's namespaces along with their types
1430 are passed. </para></listitem>
c464fd7e
SG		 1431 </itemizedlist>
1432 The following environment variables are set:
1433 <itemizedlist>
1434 <listitem><para> LXC_NAME: is the container's name. </para></listitem>
1435 <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
1436 <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
1437 <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
1438 <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
1439 </itemizedlist>
55fc19a1
SG		 1440 </para>
1441 <para>
1442 Standard output from the hooks is logged at debug level.
1443 Standard error is not logged, but can be captured by the
1444 hook redirecting its standard error to standard output.
1445 </para>
1446 <variablelist>
c464fd7e
SG		 1447 <varlistentry>
1448 <term>
1449 <option>lxc.hook.pre-start</option>
1450 </term>
1451 <listitem>
1452 <para>
1453 A hook to be run in the host's namespace before the
1454 container ttys, consoles, or mounts are up.
1455 </para>
1456 </listitem>
1457 </varlistentry>
55fc19a1
SG		 1458 </variablelist>
1459 <variablelist>
c464fd7e
SG		 1460 <varlistentry>
1461 <term>
1462 <option>lxc.hook.pre-mount</option>
1463 </term>
1464 <listitem>
1465 <para>
1466 A hook to be run in the container's fs namespace but before
1467 the rootfs has been set up. This allows for manipulation
1468 of the rootfs, i.e. to mount an encrypted filesystem. Mounts
1469 done in this hook will not be reflected on the host (apart from
1470 mounts propagation), so they will be automatically cleaned up
1471 when the container shuts down.
1472 </para>
1473 </listitem>
1474 </varlistentry>
55fc19a1
SG		 1475 </variablelist>
1476 <variablelist>
c464fd7e
SG		 1477 <varlistentry>
1478 <term>
1479 <option>lxc.hook.mount</option>
1480 </term>
1481 <listitem>
1482 <para>
1483 A hook to be run in the container's namespace after
1484 mounting has been done, but before the pivot_root.
1485 </para>
1486 </listitem>
1487 </varlistentry>
55fc19a1
SG		 1488 </variablelist>
1489 <variablelist>
c464fd7e
SG		 1490 <varlistentry>
1491 <term>
1492 <option>lxc.hook.autodev</option>
1493 </term>
1494 <listitem>
1495 <para>
1496 A hook to be run in the container's namespace after
1497 mounting has been done and after any mount hooks have
1498 run, but before the pivot_root, if
1499 <option>lxc.autodev</option> == 1.
1500 The purpose of this hook is to assist in populating the
1501 /dev directory of the container when using the autodev
1502 option for systemd based containers. The container's /dev
1503 directory is relative to the
1504 ${<option>LXC_ROOTFS_MOUNT</option>} environment
1505 variable available when the hook is run.
1506 </para>
1507 </listitem>
1508 </varlistentry>
55fc19a1
SG		 1509 </variablelist>
1510 <variablelist>
c464fd7e
SG		 1511 <varlistentry>
1512 <term>
1513 <option>lxc.hook.start</option>
1514 </term>
1515 <listitem>
1516 <para>
1517 A hook to be run in the container's namespace immediately
1518 before executing the container's init. This requires the
1519 program to be available in the container.
1520 </para>
1521 </listitem>
1522 </varlistentry>
55fc19a1 1523 </variablelist>
0a2b5ab1
WB		 1524 <variablelist>
1525 <varlistentry>
1526 <term>
1527 <option>lxc.hook.stop</option>
1528 </term>
1529 <listitem>
1530 <para>
1531 A hook to be run in the host's namespace with references
1532 to the container's namespaces after the container has been shut
1533 down. For each namespace an extra argument is passed to the hook
1534 containing the namespace's type and a filename that can be used to
1535 obtain a file descriptor to the corresponding namespace, separated
1536 by a colon. The type is the name as it would appear in the
1537 <filename>/proc/PID/ns</filename> directory.
1538 For instance for the mount namespace the argument usually looks
1539 like <filename>mnt:/proc/PID/fd/12</filename>.
1540 </para>
1541 </listitem>
1542 </varlistentry>
1543 </variablelist>
55fc19a1 1544 <variablelist>
c464fd7e
SG		 1545 <varlistentry>
1546 <term>
1547 <option>lxc.hook.post-stop</option>
1548 </term>
1549 <listitem>
1550 <para>
1551 A hook to be run in the host's namespace after the
1552 container has been shut down.
1553 </para>
1554 </listitem>
1555 </varlistentry>
55fc19a1
SG		 1556 </variablelist>
1557 <variablelist>
c464fd7e
SG		 1558 <varlistentry>
1559 <term>
1560 <option>lxc.hook.clone</option>
1561 </term>
1562 <listitem>
1563 <para>
1564 A hook to be run when the container is cloned to a new one.
1565 See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
1566 <manvolnum>1</manvolnum></citerefentry> for more information.
1567 </para>
1568 </listitem>
1569 </varlistentry>
55fc19a1 1570 </variablelist>
37cf711b
SY		 1571 <variablelist>
1572 <varlistentry>
1573 <term>
1574 <option>lxc.hook.destroy</option>
1575 </term>
1576 <listitem>
1577 <para>
1578 A hook to be run when the container is destroyed.
1579 </para>
1580 </listitem>
1581 </varlistentry>
1582 </variablelist>
55fc19a1
SG		 1583 </refsect2>
1584
1585 <refsect2>
1586 <title>Container hooks Environment Variables</title>
1587 <para>
1588 A number of environment variables are made available to the startup
1589 hooks to provide configuration information and assist in the
1590 functioning of the hooks. Not all variables are valid in all
1591 contexts. In particular, all paths are relative to the host system
1592 and, as such, not valid during the <option>lxc.hook.start</option> hook.
1593 </para>
1594 <variablelist>
c464fd7e
SG		 1595 <varlistentry>
1596 <term>
1597 <option>LXC_NAME</option>
1598 </term>
1599 <listitem>
1600 <para>
1601 The LXC name of the container. Useful for logging messages
1602 in common log environments. [<option>-n</option>]
1603 </para>
1604 </listitem>
1605 </varlistentry>
55fc19a1
SG		 1606 </variablelist>
1607 <variablelist>
c464fd7e
SG		 1608 <varlistentry>
1609 <term>
1610 <option>LXC_CONFIG_FILE</option>
1611 </term>
1612 <listitem>
1613 <para>
1614 Host relative path to the container configuration file. This
1615 gives the container to reference the original, top level,
1616 configuration file for the container in order to locate any
1617 additional configuration information not otherwise made
1618 available. [<option>-f</option>]
1619 </para>
1620 </listitem>
1621 </varlistentry>
55fc19a1
SG		 1622 </variablelist>
1623 <variablelist>
c464fd7e
SG		 1624 <varlistentry>
1625 <term>
1626 <option>LXC_CONSOLE</option>
1627 </term>
1628 <listitem>
1629 <para>
1630 The path to the console output of the container if not NULL.
1631 [<option>-c</option>] [<option>lxc.console</option>]
1632 </para>
1633 </listitem>
1634 </varlistentry>
55fc19a1
SG		 1635 </variablelist>
1636 <variablelist>
c464fd7e
SG		 1637 <varlistentry>
1638 <term>
1639 <option>LXC_CONSOLE_LOGPATH</option>
1640 </term>
1641 <listitem>
1642 <para>
1643 The path to the console log output of the container if not NULL.
1644 [<option>-L</option>]
1645 </para>
1646 </listitem>
1647 </varlistentry>
55fc19a1
SG		 1648 </variablelist>
1649 <variablelist>
c464fd7e
SG		 1650 <varlistentry>
1651 <term>
1652 <option>LXC_ROOTFS_MOUNT</option>
1653 </term>
1654 <listitem>
1655 <para>
1656 The mount location to which the container is initially bound.
1657 This will be the host relative path to the container rootfs
1658 for the container instance being started and is where changes
1659 should be made for that instance.
1660 [<option>lxc.rootfs.mount</option>]
1661 </para>
1662 </listitem>
1663 </varlistentry>
55fc19a1
SG		 1664 </variablelist>
1665 <variablelist>
c464fd7e
SG		 1666 <varlistentry>
1667 <term>
1668 <option>LXC_ROOTFS_PATH</option>
1669 </term>
1670 <listitem>
1671 <para>
1672 The host relative path to the container root which has been
1673 mounted to the rootfs.mount location.
1674 [<option>lxc.rootfs</option>]
1675 </para>
1676 </listitem>
1677 </varlistentry>
55fc19a1 1678 </variablelist>
07945418
KY		 1679 <variablelist>
1680 <varlistentry>
1681 <term>
1682 <option>LXC_SRC_NAME</option>
1683 </term>
1684 <listitem>
1685 <para>
1686 Only for the clone hook. Is set to the original container name.
1687 </para>
1688 </listitem>
1689 </varlistentry>
1690 </variablelist>
c154af98
SG		 1691 <variablelist>
1692 <varlistentry>
1693 <term>
1694 <option>LXC_TARGET</option>
1695 </term>
1696 <listitem>
1697 <para>
1698 Only for the stop hook. Is set to "stop" for a container
1699 shutdown or "reboot" for a container reboot.
1700 </para>
1701 </listitem>
1702 </varlistentry>
c4cafa08
SH		 1703 </variablelist>
1704 <variablelist>
1705 <varlistentry>
1706 <term>
1707 <option>LXC_CGNS_AWARE</option>
1708 </term>
1709 <listitem>
1710 <para>
1711 If unset, then this version of lxc is not aware of cgroup
1712 namespaces. If set, it will be set to 1, and lxc is aware
1713 of cgroup namespaces. Note this does not guarantee that
1714 cgroup namespaces are enabled in the kernel. This is used
1715 by the lxcfs mount hook.
1716 </para>
1717 </listitem>
1718 </varlistentry>
c154af98 1719 </variablelist>
55fc19a1
SG		 1720 </refsect2>
1721 <refsect2>
1722 <title>Logging</title>
1723 <para>
1724 Logging can be configured on a per-container basis. By default,
1725 depending upon how the lxc package was compiled, container startup
1726 is logged only at the ERROR level, and logged to a file named after
1727 the container (with '.log' appended) either under the container path,
1728 or under @LOGPATH@.
1729 </para>
1730 <para>
1731 Both the default log level and the log file can be specified in the
1732 container configuration file, overriding the default behavior. Note
1733 that the configuration file entries can in turn be overridden by the
1734 command line options to <command>lxc-start</command>.
1735 </para>
1736 <variablelist>
c464fd7e
SG		 1737 <varlistentry>
1738 <term>
1739 <option>lxc.loglevel</option>
1740 </term>
1741 <listitem>
1742 <para>
1743 The level at which to log. The log level is an integer in
1744 the range of 0..8 inclusive, where a lower number means more
1745 verbose debugging. In particular 0 = trace, 1 = debug, 2 =
1746 info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
1747 alert, and 8 = fatal. If unspecified, the level defaults
1748 to 5 (error), so that only errors and above are logged.
1749 </para>
1750 <para>
1751 Note that when a script (such as either a hook script or a
1752 network interface up or down script) is called, the script's
1753 standard output is logged at level 1, debug.
1754 </para>
1755 </listitem>
1756 </varlistentry>
1757 <varlistentry>
1758 <term>
1759 <option>lxc.logfile</option>
1760 </term>
1761 <listitem>
1762 <para>
1763 The file to which logging info should be written.
1764 </para>
1765 </listitem>
1766 </varlistentry>
204dfdf2
BD		 1767 <varlistentry>
1768 <term>
1769 <option>lxc.syslog</option>
1770 </term>
1771 <listitem>
1772 <para>
1773 Send logging info to syslog. It respects the log level defined in
1774 <command>lxc.loglevel</command>. The argument should be the syslog
1775 facility to use, valid ones are: daemon, local0, local1, local2,
917420dd 1776 local3, local4, local5, local5, local6, local7.
204dfdf2
BD		 1777 </para>
1778 </listitem>
1779 </varlistentry>
55fc19a1
SG		 1780 </variablelist>
1781 </refsect2>
1782
1783 <refsect2>
1784 <title>Autostart</title>
1785 <para>
1786 The autostart options support marking which containers should be
1787 auto-started and in what order. These options may be used by LXC tools
1788 directly or by external tooling provided by the distributions.
1789 </para>
1790
1791 <variablelist>
1792 <varlistentry>
1793 <term>
1794 <option>lxc.start.auto</option>
1795 </term>
1796 <listitem>
1797 <para>
1798 Whether the container should be auto-started.
1799 Valid values are 0 (off) and 1 (on).
1800 </para>
1801 </listitem>
1802 </varlistentry>
1803 <varlistentry>
1804 <term>
1805 <option>lxc.start.delay</option>
1806 </term>
1807 <listitem>
1808 <para>
1809 How long to wait (in seconds) after the container is
1810 started before starting the next one.
1811 </para>
1812 </listitem>
1813 </varlistentry>
1814 <varlistentry>
1815 <term>
1816 <option>lxc.start.order</option>
1817 </term>
1818 <listitem>
1819 <para>
1820 An integer used to sort the containers when auto-starting
1821 a series of containers at once.
1822 </para>
1823 </listitem>
1824 </varlistentry>
a8dfe4e0
WB		 1825 <varlistentry>
1826 <term>
1827 <option>lxc.monitor.unshare</option>
1828 </term>
1829 <listitem>
1830 <para>
1831 If not zero the mount namespace will be unshared from the host
1832 before initializing the container (before running any pre-start
6039eaa2
WB		 1833 hooks). This requires the CAP_SYS_ADMIN capability at startup.
1834 Default is 0.
a8dfe4e0
WB		 1835 </para>
1836 </listitem>
1837 </varlistentry>
55fc19a1
SG		 1838 <varlistentry>
1839 <term>
1840 <option>lxc.group</option>
1841 </term>
1842 <listitem>
1843 <para>
1844 A multi-value key (can be used multiple times) to put the
1845 container in a container group. Those groups can then be
1846 used (amongst other things) to start a series of related
1847 containers.
1848 </para>
1849 </listitem>
1850 </varlistentry>
1851 </variablelist>
1852 </refsect2>
015f0dd7
MW		 1853
1854 <refsect2>
1855 <title>Autostart and System Boot</title>
1856 <para>
1857 Each container can be part of any number of groups or no group at all.
1858 Two groups are special. One is the NULL group, i.e. the container does
1859 not belong to any group. The other group is the "onboot" group.
1860 </para>
1861
1862 <para>
1863 When the system boots with the LXC service enabled, it will first
1864 attempt to boot any containers with lxc.start.auto == 1 that is a member
1865 of the "onboot" group. The startup will be in order of lxc.start.order.
1866 If an lxc.start.delay has been specified, that delay will be honored
1867 before attempting to start the next container to give the current
1868 container time to begin initialization and reduce overloading the host
1869 system. After starting the members of the "onboot" group, the LXC system
1870 will proceed to boot containers with lxc.start.auto == 1 which are not
1871 members of any group (the NULL group) and proceed as with the onboot
1872 group.
1873 </para>
1874
1875 </refsect2>
7c661726
MP		 1876
1877 <refsect2>
1878 <title>Container Environment</title>
1879 <para>
c464fd7e
SG		 1880 If you want to pass environment variables into the container (that
1881 is, environment variables which will be available to init and all of
1882 its descendents), you can use <command>lxc.environment</command>
1883 parameters to do so. Be careful that you do not pass in anything
1884 sensitive; any process in the container which doesn't have its
1885 environment scrubbed will have these variables available to it, and
1886 environment variables are always available via
1887 <command>/proc/PID/environ</command>.
7c661726
MP		 1888 </para>
1889
1890 <para>
1891 This configuration parameter can be specified multiple times; once
1892 for each environment variable you wish to configure.
1893 </para>
1894
1895 <variablelist>
c464fd7e
SG		 1896 <varlistentry>
1897 <term>
1898 <option>lxc.environment</option>
1899 </term>
1900 <listitem>
1901 <para>
1902 Specify an environment variable to pass into the container.
1903 Example:
1904 </para>
1905 <programlisting>
1906 lxc.environment = APP_ENV=production
1907 lxc.environment = SYSLOG_SERVER=192.0.2.42
1908 </programlisting>
1909 </listitem>
1910 </varlistentry>
7c661726
MP		 1911 </variablelist>
1912 </refsect2>
1913
55fc19a1
SG		 1914 </refsect1>
1915
1916 <refsect1>
1917 <title>Examples</title>
1918 <para>
c464fd7e
SG		 1919 In addition to the few examples given below, you will find
1920 some other examples of configuration file in @DOCDIR@/examples
55fc19a1
SG		 1921 </para>
1922 <refsect2>
1923 <title>Network</title>
1924 <para>This configuration sets up a container to use a veth pair
c464fd7e
SG		 1925 device with one side plugged to a bridge br0 (which has been
1926 configured before on the system by the administrator). The
1927 virtual network device visible in the container is renamed to
1928 eth0.</para>
55fc19a1 1929 <programlisting>
c464fd7e
SG		 1930 lxc.utsname = myhostname
1931 lxc.network.type = veth
1932 lxc.network.flags = up
1933 lxc.network.link = br0
1934 lxc.network.name = eth0
1935 lxc.network.hwaddr = 4a:49:43:49:79:bf
1936 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1937 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
55fc19a1
SG		 1938 </programlisting>
1939 </refsect2>
1940
1941 <refsect2>
1942 <title>UID/GID mapping</title>
1943 <para>This configuration will map both user and group ids in the
1944 range 0-9999 in the container to the ids 100000-109999 on the host.
1945 </para>
1946 <programlisting>
c464fd7e
SG		 1947 lxc.id_map = u 0 100000 10000
1948 lxc.id_map = g 0 100000 10000
55fc19a1
SG		 1949 </programlisting>
1950 </refsect2>
1951
1952 <refsect2>
1953 <title>Control group</title>
1954 <para>This configuration will setup several control groups for
1955 the application, cpuset.cpus restricts usage of the defined cpu,
1956 cpus.share prioritize the control group, devices.allow makes
1957 usable the specified devices.</para>
1958 <programlisting>
c464fd7e
SG		 1959 lxc.cgroup.cpuset.cpus = 0,1
1960 lxc.cgroup.cpu.shares = 1234
1961 lxc.cgroup.devices.deny = a
1962 lxc.cgroup.devices.allow = c 1:3 rw
1963 lxc.cgroup.devices.allow = b 8:0 rw
55fc19a1
SG		 1964 </programlisting>
1965 </refsect2>
1966
1967 <refsect2>
1968 <title>Complex configuration</title>
1969 <para>This example show a complex configuration making a complex
1970 network stack, using the control groups, setting a new hostname,
1971 mounting some locations and a changing root file system.</para>
1972 <programlisting>
c464fd7e
SG		 1973 lxc.utsname = complex
1974 lxc.network.type = veth
1975 lxc.network.flags = up
1976 lxc.network.link = br0
1977 lxc.network.hwaddr = 4a:49:43:49:79:bf
1978 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1979 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
1980 lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
1981 lxc.network.type = macvlan
1982 lxc.network.flags = up
1983 lxc.network.link = eth0
1984 lxc.network.hwaddr = 4a:49:43:49:79:bd
1985 lxc.network.ipv4 = 10.2.3.4/24
1986 lxc.network.ipv4 = 192.168.10.125/24
1987 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
1988 lxc.network.type = phys
1989 lxc.network.flags = up
1990 lxc.network.link = dummy0
1991 lxc.network.hwaddr = 4a:49:43:49:79:ff
1992 lxc.network.ipv4 = 10.2.3.6/24
1993 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
1994 lxc.cgroup.cpuset.cpus = 0,1
1995 lxc.cgroup.cpu.shares = 1234
1996 lxc.cgroup.devices.deny = a
1997 lxc.cgroup.devices.allow = c 1:3 rw
1998 lxc.cgroup.devices.allow = b 8:0 rw
1999 lxc.mount = /etc/fstab.complex
2000 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
2001 lxc.rootfs = /mnt/rootfs.complex
2002 lxc.cap.drop = sys_module mknod setuid net_raw
2003 lxc.cap.drop = mac_override
55fc19a1
SG		 2004 </programlisting>
2005 </refsect2>
2006
2007 </refsect1>
2008
2009 <refsect1>
2010 <title>See Also</title>
2011 <simpara>
2012 <citerefentry>
c464fd7e
SG		 2013 <refentrytitle><command>chroot</command></refentrytitle>
2014 <manvolnum>1</manvolnum>
55fc19a1
SG		 2015 </citerefentry>,
2016
2017 <citerefentry>
c464fd7e
SG		 2018 <refentrytitle><command>pivot_root</command></refentrytitle>
2019 <manvolnum>8</manvolnum>
55fc19a1
SG		 2020 </citerefentry>,
2021
2022 <citerefentry>
c464fd7e
SG		 2023 <refentrytitle><filename>fstab</filename></refentrytitle>
2024 <manvolnum>5</manvolnum>
55fc19a1
SG		 2025 </citerefentry>,
2026
2027 <citerefentry>
c464fd7e
SG		 2028 <refentrytitle><filename>capabilities</filename></refentrytitle>
2029 <manvolnum>7</manvolnum>
55fc19a1
SG		 2030 </citerefentry>
2031 </simpara>
2032 </refsect1>
2033
2034 &seealso;
2035
2036 <refsect1>
2037 <title>Author</title>
2038 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
2039 </refsect1>
2040
2041</refentry>
2042
2043<!-- Keep this comment at the end of the file
2044Local variables:
2045mode: sgml
2046sgml-omittag:t
2047sgml-shorttag:t
2048sgml-minimize-attributes:nil
2049sgml-always-quote-attributes:t
2050sgml-indent-step:2
2051sgml-indent-data:t
2052sgml-parent-document:nil
2053sgml-default-dtd-file:nil
2054sgml-exposed-tags:nil
2055sgml-local-catalogs:nil
2056sgml-local-ecat-files:nil
2057End:
2058-->
LXC mirror