]> git.proxmox.com Git - mirror_lxc.git/blame - doc/lxc.container.conf.sgml.in
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #499 from krichter722/gitignore
[mirror_lxc.git] / doc / lxc.container.conf.sgml.in
CommitLineData
55fc19a1
SG		 1<!--
2
3lxc: linux Container library
4
5(C) Copyright IBM Corp. 2007, 2008
6
7Authors:
8Daniel Lezcano <daniel.lezcano at free.fr>
9
10This library is free software; you can redistribute it and/or
11modify it under the terms of the GNU Lesser General Public
12License as published by the Free Software Foundation; either
13version 2.1 of the License, or (at your option) any later version.
14
15This library is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18Lesser General Public License for more details.
19
20You should have received a copy of the GNU Lesser General Public
21License along with this library; if not, write to the Free Software
22Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23
24-->
25
26<!DOCTYPE refentry PUBLIC @docdtd@ [
27
28<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
29]>
30
31<refentry>
32
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
34
35 <refmeta>
36 <refentrytitle>lxc.container.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
38 </refmeta>
39
40 <refnamediv>
41 <refname>lxc.container.conf</refname>
42
43 <refpurpose>
44 LXC container configuration file
45 </refpurpose>
46 </refnamediv>
47
48 <refsect1>
49 <title>Description</title>
50
51 <para>
52 The linux containers (<command>lxc</command>) are always created
53 before being used. This creation defines a set of system
54 resources to be virtualized / isolated when a process is using
55 the container. By default, the pids, sysv ipc and mount points
56 are virtualized and isolated. The other system resources are
57 shared across containers, until they are explicitly defined in
58 the configuration file. For example, if there is no network
59 configuration, the network will be shared between the creator of
60 the container and the container itself, but if the network is
61 specified, a new network stack is created for the container and
62 the container can no longer use the network of its ancestor.
63 </para>
64
65 <para>
66 The configuration file defines the different system resources to
67 be assigned for the container. At present, the utsname, the
68 network, the mount points, the root file system, the user namespace,
69 and the control groups are supported.
70 </para>
71
72 <para>
73 Each option in the configuration file has the form <command>key
74 = value</command> fitting in one line. The '#' character means
75 the line is a comment.
76 </para>
77
78 <refsect2>
79 <title>Configuration</title>
80 <para>
c464fd7e
SG		 81 In order to ease administration of multiple related containers, it
82 is possible to have a container configuration file cause another
83 file to be loaded. For instance, network configuration
84 can be defined in one common file which is included by multiple
85 containers. Then, if the containers are moved to another host,
86 only one file may need to be updated.
55fc19a1
SG		 87 </para>
88
89 <variablelist>
c464fd7e
SG		 90 <varlistentry>
91 <term>
92 <option>lxc.include</option>
93 </term>
94 <listitem>
95 <para>
96 Specify the file to be included. The included file must be
97 in the same valid lxc configuration file format.
98 </para>
99 </listitem>
100 </varlistentry>
55fc19a1
SG		 101 </variablelist>
102 </refsect2>
103
104 <refsect2>
105 <title>Architecture</title>
106 <para>
c464fd7e
SG		 107 Allows one to set the architecture for the container. For example,
108 set a 32bits architecture for a container running 32bits
109 binaries on a 64bits host. This fixes the container scripts
110 which rely on the architecture to do some work like
111 downloading the packages.
55fc19a1
SG		 112 </para>
113
114 <variablelist>
c464fd7e
SG		 115 <varlistentry>
116 <term>
117 <option>lxc.arch</option>
118 </term>
119 <listitem>
120 <para>
121 Specify the architecture for the container.
122 </para>
123 <para>
124 Valid options are
125 <option>x86</option>,
126 <option>i686</option>,
127 <option>x86_64</option>,
128 <option>amd64</option>
129 </para>
130 </listitem>
131 </varlistentry>
55fc19a1
SG		 132 </variablelist>
133
134 </refsect2>
135
136 <refsect2>
137 <title>Hostname</title>
138 <para>
c464fd7e
SG		 139 The utsname section defines the hostname to be set for the
140 container. That means the container can set its own hostname
141 without changing the one from the system. That makes the
142 hostname private for the container.
55fc19a1
SG		 143 </para>
144 <variablelist>
c464fd7e
SG		 145 <varlistentry>
146 <term>
147 <option>lxc.utsname</option>
148 </term>
149 <listitem>
150 <para>
151 specify the hostname for the container
152 </para>
153 </listitem>
154 </varlistentry>
55fc19a1
SG		 155 </variablelist>
156 </refsect2>
157
158 <refsect2>
159 <title>Halt signal</title>
160 <para>
936762f3
BP		 161 Allows one to specify signal name or number, sent by lxc-stop to the
162 container's init process to cleanly shutdown the container. Different
163 init systems could use different signals to perform clean shutdown
164 sequence. This option allows the signal to be specified in kill(1)
165 fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The
166 default signal is SIGPWR.
55fc19a1
SG		 167 </para>
168 <variablelist>
936762f3
BP		 169 <varlistentry>
170 <term>
171 <option>lxc.haltsignal</option>
172 </term>
173 <listitem>
174 <para>
175 specify the signal used to halt the container
176 </para>
177 </listitem>
178 </varlistentry>
179 </variablelist>
180 </refsect2>
181
182 <refsect2>
183 <title>Reboot signal</title>
184 <para>
185 Allows one to specify signal name or number, sent by lxc-stop to
186 reboot the container. This option allows signal to be specified in
187 kill(1) fashion, e.g. SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain number.
188 The default signal is SIGINT.
189 </para>
190 <variablelist>
191 <varlistentry>
192 <term>
193 <option>lxc.rebootsignal</option>
194 </term>
195 <listitem>
196 <para>
197 specify the signal used to reboot the container
198 </para>
199 </listitem>
200 </varlistentry>
55fc19a1
SG		 201 </variablelist>
202 </refsect2>
203
204 <refsect2>
205 <title>Stop signal</title>
206 <para>
936762f3
BP		 207 Allows one to specify signal name or number, sent by lxc-stop to forcibly
208 shutdown the container. This option allows signal to be specified in
209 kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number.
210 The default signal is SIGKILL.
211 </para>
212 <variablelist>
213 <varlistentry>
214 <term>
215 <option>lxc.stopsignal</option>
216 </term>
217 <listitem>
218 <para>
219 specify the signal used to stop the container
220 </para>
221 </listitem>
222 </varlistentry>
55fc19a1
SG		 223 </variablelist>
224 </refsect2>
225
67c660d0
SG		 226 <refsect2>
227 <title>Init command</title>
228 <para>
229 Sets the command to use as the init system for the containers.
230
231 This option is ignored when using lxc-execute.
232
233 Defaults to: /sbin/init
234 </para>
235 <variablelist>
936762f3
BP		 236 <varlistentry>
237 <term>
238 <option>lxc.init_cmd</option>
239 </term>
240 <listitem>
241 <para>
242 Absolute path from container rootfs to the binary to use as init.
243 </para>
244 </listitem>
245 </varlistentry>
67c660d0
SG		 246 </variablelist>
247 </refsect2>
248
55fc19a1
SG		 249 <refsect2>
250 <title>Network</title>
251 <para>
c464fd7e
SG		 252 The network section defines how the network is virtualized in
253 the container. The network virtualization acts at layer
254 two. In order to use the network virtualization, parameters
255 must be specified to define the network interfaces of the
256 container. Several virtual interfaces can be assigned and used
257 in a container even if the system has only one physical
258 network interface.
55fc19a1
SG		 259 </para>
260 <variablelist>
c464fd7e
SG		 261 <varlistentry>
262 <term>
263 <option>lxc.network.type</option>
264 </term>
265 <listitem>
266 <para>
267 specify what kind of network virtualization to be used
268 for the container. Each time
269 a <option>lxc.network.type</option> field is found a new
270 round of network configuration begins. In this way,
271 several network virtualization types can be specified
272 for the same container, as well as assigning several
273 network interfaces for one container. The different
274 virtualization types can be:
275 </para>
276
277 <para>
278 <option>none:</option> will cause the container to share
279 the host's network namespace. This means the host
280 network devices are usable in the container. It also
281 means that if both the container and host have upstart as
282 init, 'halt' in a container (for instance) will shut down the
283 host.
284 </para>
285
286 <para>
287 <option>empty:</option> will create only the loopback
288 interface.
289 </para>
290
291 <para>
38005c54
MA		 292 <option>veth:</option> a virtual ethernet pair
293 device is created with one side assigned to the container
294 and the other side attached to a bridge specified by
295 the <option>lxc.network.link</option> option.
296 If the bridge is not specified, then the veth pair device
297 will be created but not attached to any bridge.
298 Otherwise, the bridge has to be created on the system
299 before starting the container.
300 <command>lxc</command> won't handle any
301 configuration outside of the container.
302 By default, <command>lxc</command> chooses a name for the
c464fd7e 303 network device belonging to the outside of the
38005c54
MA		 304 container, but if you wish to handle
305 this name yourselves, you can tell <command>lxc</command>
c464fd7e
SG		 306 to set a specific name with
307 the <option>lxc.network.veth.pair</option> option (except for
308 unprivileged containers where this option is ignored for security
309 reasons).
310 </para>
311
312 <para>
313 <option>vlan:</option> a vlan interface is linked with
314 the interface specified by
315 the <option>lxc.network.link</option> and assigned to
316 the container. The vlan identifier is specified with the
317 option <option>lxc.network.vlan.id</option>.
318 </para>
319
320 <para>
321 <option>macvlan:</option> a macvlan interface is linked
322 with the interface specified by
323 the <option>lxc.network.link</option> and assigned to
324 the container.
325 <option>lxc.network.macvlan.mode</option> specifies the
326 mode the macvlan will use to communicate between
327 different macvlan on the same upper device. The accepted
328 modes are <option>private</option>, the device never
329 communicates with any other device on the same upper_dev (default),
330 <option>vepa</option>, the new Virtual Ethernet Port
331 Aggregator (VEPA) mode, it assumes that the adjacent
332 bridge returns all frames where both source and
333 destination are local to the macvlan port, i.e. the
334 bridge is set up as a reflective relay. Broadcast
335 frames coming in from the upper_dev get flooded to all
336 macvlan interfaces in VEPA mode, local frames are not
337 delivered locally, or <option>bridge</option>, it
338 provides the behavior of a simple bridge between
339 different macvlan interfaces on the same port. Frames
340 from one interface to another one get delivered directly
341 and are not sent out externally. Broadcast frames get
342 flooded to all other bridge ports and to the external
343 interface, but when they come back from a reflective
344 relay, we don't deliver them again. Since we know all
345 the MAC addresses, the macvlan bridge mode does not
346 require learning or STP like the bridge module does.
347 </para>
348
349 <para>
350 <option>phys:</option> an already existing interface
351 specified by the <option>lxc.network.link</option> is
352 assigned to the container.
353 </para>
354 </listitem>
355 </varlistentry>
356
357 <varlistentry>
358 <term>
359 <option>lxc.network.flags</option>
360 </term>
361 <listitem>
362 <para>
363 specify an action to do for the
364 network.
365 </para>
366
367 <para><option>up:</option> activates the interface.
368 </para>
369 </listitem>
370 </varlistentry>
371
372 <varlistentry>
373 <term>
374 <option>lxc.network.link</option>
375 </term>
376 <listitem>
377 <para>
378 specify the interface to be used for real network
379 traffic.
380 </para>
381 </listitem>
382 </varlistentry>
383
384 <varlistentry>
385 <term>
386 <option>lxc.network.mtu</option>
387 </term>
388 <listitem>
389 <para>
390 specify the maximum transfer unit for this interface.
391 </para>
392 </listitem>
393 </varlistentry>
394
395 <varlistentry>
396 <term>
397 <option>lxc.network.name</option>
398 </term>
399 <listitem>
400 <para>
401 the interface name is dynamically allocated, but if
402 another name is needed because the configuration files
403 being used by the container use a generic name,
404 eg. eth0, this option will rename the interface in the
405 container.
406 </para>
407 </listitem>
408 </varlistentry>
409
410 <varlistentry>
411 <term>
412 <option>lxc.network.hwaddr</option>
413 </term>
414 <listitem>
415 <para>
416 the interface mac address is dynamically allocated by
417 default to the virtual interface, but in some cases,
418 this is needed to resolve a mac address conflict or to
419 always have the same link-local ipv6 address.
420 Any "x" in address will be replaced by random value,
421 this allows setting hwaddr templates.
422 </para>
423 </listitem>
424 </varlistentry>
425
426 <varlistentry>
427 <term>
428 <option>lxc.network.ipv4</option>
429 </term>
430 <listitem>
431 <para>
432 specify the ipv4 address to assign to the virtualized
433 interface. Several lines specify several ipv4 addresses.
434 The address is in format x.y.z.t/m,
435 eg. 192.168.1.123/24. The broadcast address should be
436 specified on the same line, right after the ipv4
437 address.
438 </para>
439 </listitem>
440 </varlistentry>
441
442 <varlistentry>
443 <term>
444 <option>lxc.network.ipv4.gateway</option>
445 </term>
446 <listitem>
447 <para>
448 specify the ipv4 address to use as the gateway inside the
449 container. The address is in format x.y.z.t, eg.
450 192.168.1.123.
451
452 Can also have the special value <option>auto</option>,
453 which means to take the primary address from the bridge
454 interface (as specified by the
455 <option>lxc.network.link</option> option) and use that as
456 the gateway. <option>auto</option> is only available when
457 using the <option>veth</option> and
458 <option>macvlan</option> network types.
459 </para>
460 </listitem>
461 </varlistentry>
462
463
464 <varlistentry>
465 <term>
466 <option>lxc.network.ipv6</option>
467 </term>
468 <listitem>
469 <para>
470 specify the ipv6 address to assign to the virtualized
471 interface. Several lines specify several ipv6 addresses.
472 The address is in format x::y/m,
473 eg. 2003:db8:1:0:214:1234:fe0b:3596/64
474 </para>
475 </listitem>
476 </varlistentry>
477
478 <varlistentry>
479 <term>
480 <option>lxc.network.ipv6.gateway</option>
481 </term>
482 <listitem>
483 <para>
484 specify the ipv6 address to use as the gateway inside the
485 container. The address is in format x::y,
486 eg. 2003:db8:1:0::1
487
488 Can also have the special value <option>auto</option>,
489 which means to take the primary address from the bridge
490 interface (as specified by the
491 <option>lxc.network.link</option> option) and use that as
492 the gateway. <option>auto</option> is only available when
493 using the <option>veth</option> and
494 <option>macvlan</option> network types.
495 </para>
496 </listitem>
497 </varlistentry>
498
499 <varlistentry>
500 <term>
501 <option>lxc.network.script.up</option>
502 </term>
503 <listitem>
504 <para>
505 add a configuration option to specify a script to be
506 executed after creating and configuring the network used
507 from the host side. The following arguments are passed
508 to the script: container name and config section name
509 (net) Additional arguments depend on the config section
510 employing a script hook; the following are used by the
511 network system: execution context (up), network type
512 (empty/veth/macvlan/phys), Depending on the network
513 type, other arguments may be passed:
514 veth/macvlan/phys. And finally (host-sided) device name.
515 </para>
516 <para>
517 Standard output from the script is logged at debug level.
518 Standard error is not logged, but can be captured by the
519 hook redirecting its standard error to standard output.
520 </para>
521 </listitem>
522 </varlistentry>
523
524 <varlistentry>
525 <term>
526 <option>lxc.network.script.down</option>
527 </term>
528 <listitem>
529 <para>
530 add a configuration option to specify a script to be
531 executed before destroying the network used from the
532 host side. The following arguments are passed to the
533 script: container name and config section name (net)
534 Additional arguments depend on the config section
535 employing a script hook; the following are used by the
536 network system: execution context (down), network type
537 (empty/veth/macvlan/phys), Depending on the network
538 type, other arguments may be passed:
539 veth/macvlan/phys. And finally (host-sided) device name.
540 </para>
541 <para>
542 Standard output from the script is logged at debug level.
543 Standard error is not logged, but can be captured by the
544 hook redirecting its standard error to standard output.
545 </para>
546 </listitem>
547 </varlistentry>
55fc19a1
SG		 548 </variablelist>
549 </refsect2>
550
551 <refsect2>
552 <title>New pseudo tty instance (devpts)</title>
553 <para>
c464fd7e
SG		 554 For stricter isolation the container can have its own private
555 instance of the pseudo tty.
55fc19a1
SG		 556 </para>
557 <variablelist>
c464fd7e
SG		 558 <varlistentry>
559 <term>
560 <option>lxc.pts</option>
561 </term>
562 <listitem>
563 <para>
564 If set, the container will have a new pseudo tty
565 instance, making this private to it. The value specifies
55fc19a1
SG		 566 the maximum number of pseudo ttys allowed for a pts
567 instance (this limitation is not implemented yet).
c464fd7e
SG		 568 </para>
569 </listitem>
570 </varlistentry>
55fc19a1
SG		 571 </variablelist>
572 </refsect2>
573
574 <refsect2>
575 <title>Container system console</title>
576 <para>
c464fd7e
SG		 577 If the container is configured with a root filesystem and the
578 inittab file is setup to use the console, you may want to specify
579 where the output of this console goes.
55fc19a1
SG		 580 </para>
581 <variablelist>
c464fd7e
SG		 582 <varlistentry>
583 <term>
584 <option>lxc.console.logfile</option>
585 </term>
586 <listitem>
587 <para>
588 Specify a path to a file where the console output will
589 be written.
590 </para>
591 </listitem>
592 </varlistentry>
593 <varlistentry>
594 <term>
595 <option>lxc.console</option>
596 </term>
597 <listitem>
598 <para>
599 Specify a path to a device to which the console will be
600 attached. The keyword 'none' will simply disable the
601 console. This is dangerous once if have a rootfs with a
602 console device file where the application can write, the
603 messages will fall in the host.
604 </para>
605 </listitem>
606 </varlistentry>
55fc19a1
SG		 607 </variablelist>
608 </refsect2>
609
610 <refsect2>
611 <title>Console through the ttys</title>
612 <para>
c464fd7e
SG		 613 This option is useful if the container is configured with a root
614 filesystem and the inittab file is setup to launch a getty on the
615 ttys. The option specifies the number of ttys to be available for
616 the container. The number of gettys in the inittab file of the
617 container should not be greater than the number of ttys specified
618 in this option, otherwise the excess getty sessions will die and
619 respawn indefinitely giving annoying messages on the console or in
620 <filename>/var/log/messages</filename>.
55fc19a1
SG		 621 </para>
622 <variablelist>
c464fd7e
SG		 623 <varlistentry>
624 <term>
625 <option>lxc.tty</option>
626 </term>
627 <listitem>
628 <para>
629 Specify the number of tty to make available to the
630 container.
631 </para>
632 </listitem>
633 </varlistentry>
55fc19a1
SG		 634 </variablelist>
635 </refsect2>
636
637 <refsect2>
638 <title>Console devices location</title>
639 <para>
640 LXC consoles are provided through Unix98 PTYs created on the
c464fd7e
SG		 641 host and bind-mounted over the expected devices in the container.
642 By default, they are bind-mounted over <filename>/dev/console</filename>
643 and <filename>/dev/ttyN</filename>. This can prevent package upgrades
644 in the guest. Therefore you can specify a directory location (under
645 <filename>/dev</filename> under which LXC will create the files and
646 bind-mount over them. These will then be symbolically linked to
647 <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
648 A package upgrade can then succeed as it is able to remove and replace
649 the symbolic links.
55fc19a1
SG		 650 </para>
651 <variablelist>
c464fd7e
SG		 652 <varlistentry>
653 <term>
654 <option>lxc.devttydir</option>
655 </term>
656 <listitem>
657 <para>
658 Specify a directory under <filename>/dev</filename>
659 under which to create the container console devices.
660 </para>
661 </listitem>
662 </varlistentry>
55fc19a1
SG		 663 </variablelist>
664 </refsect2>
665
666 <refsect2>
667 <title>/dev directory</title>
668 <para>
c464fd7e
SG		 669 By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr)
670 in the container's <filename>/dev</filename> directory but does not
671 automatically create device node entries. This allows the container's
672 <filename>/dev</filename> to be set up as needed in the container
673 rootfs. If lxc.autodev is set to 1, then after mounting the container's
674 rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
675 (limited to 100k) and fill in a minimal set of initial devices.
55fc19a1
SG		 676 This is generally required when starting a container containing
677 a "systemd" based "init" but may be optional at other times. Additional
678 devices in the containers /dev directory may be created through the
679 use of the <option>lxc.hook.autodev</option> hook.
680 </para>
681 <variablelist>
c464fd7e
SG		 682 <varlistentry>
683 <term>
684 <option>lxc.autodev</option>
685 </term>
686 <listitem>
687 <para>
124fa0a8 688 Set this to 0 to stop LXC from mounting and populating a minimal
c464fd7e
SG		 689 <filename>/dev</filename> when starting the container.
690 </para>
691 </listitem>
692 </varlistentry>
55fc19a1
SG		 693 </variablelist>
694 </refsect2>
695
696 <refsect2>
697 <title>Enable kmsg symlink</title>
698 <para>
d89de239 699 Enable creating /dev/kmsg as symlink to /dev/console. This defaults to 0.
55fc19a1
SG		 700 </para>
701 <variablelist>
702 <varlistentry>
703 <term>
704 <option>lxc.kmsg</option>
705 </term>
706 <listitem>
707 <para>
d89de239 708 Set this to 1 to enable /dev/kmsg symlinking.
55fc19a1
SG		 709 </para>
710 </listitem>
711 </varlistentry>
712 </variablelist>
713 </refsect2>
714
715 <refsect2>
716 <title>Mount points</title>
717 <para>
c464fd7e
SG		 718 The mount points section specifies the different places to be
719 mounted. These mount points will be private to the container
720 and won't be visible by the processes running outside of the
721 container. This is useful to mount /etc, /var or /home for
722 examples.
55fc19a1
SG		 723 </para>
724 <variablelist>
c464fd7e
SG		 725 <varlistentry>
726 <term>
727 <option>lxc.mount</option>
728 </term>
729 <listitem>
730 <para>
731 specify a file location in
732 the <filename>fstab</filename> format, containing the
733 mount information. The mount target location can and in
734 most cases should be a relative path, which will become
735 relative to the mounted container root. For instance,
736 </para>
6191f4f4
SH		 737<screen>
738proc proc proc nodev,noexec,nosuid 0 0
739</screen>
c464fd7e
SG		 740 <para>
741 Will mount a proc filesystem under the container's /proc,
742 regardless of where the root filesystem comes from. This
743 is resilient to block device backed filesystems as well as
744 container cloning.
745 </para>
746 <para>
747 Note that when mounting a filesystem from an
748 image file or block device the third field (fs_vfstype)
749 cannot be auto as with
55fc19a1 750 <citerefentry>
c464fd7e 751 <refentrytitle>mount</refentrytitle>
55fc19a1
SG		 752 <manvolnum>8</manvolnum>
753 </citerefentry>
754 but must be explicitly specified.
c464fd7e
SG		 755 </para>
756 </listitem>
757 </varlistentry>
758
759 <varlistentry>
760 <term>
761 <option>lxc.mount.entry</option>
762 </term>
763 <listitem>
764 <para>
765 specify a mount point corresponding to a line in the
766 fstab format.
767 </para>
768 </listitem>
769 </varlistentry>
770
771 <varlistentry>
772 <term>
773 <option>lxc.mount.auto</option>
774 </term>
775 <listitem>
776 <para>
777 specify which standard kernel file systems should be
778 automatically mounted. This may dramatically simplify
779 the configuration. The file systems are:
780 </para>
781 <itemizedlist>
782 <listitem>
783 <para>
784 <option>proc:mixed</option> (or <option>proc</option>):
785 mount <filename>/proc</filename> as read-write, but
786 remount <filename>/proc/sys</filename> and
787 <filename>/proc/sysrq-trigger</filename> read-only
788 for security / container isolation purposes.
789 </para>
790 </listitem>
791 <listitem>
792 <para>
793 <option>proc:rw</option>: mount
794 <filename>/proc</filename> as read-write
795 </para>
796 </listitem>
797 <listitem>
798 <para>
f24a52d5
SG		 799 <option>sys:mixed</option> (or <option>sys</option>):
800 mount <filename>/sys</filename> as read-only but with
801 /sys/devices/virtual/net writable.
802 </para>
803 </listitem>
804 <listitem>
805 <para>
806 <option>sys:ro</option>:
c464fd7e
SG		 807 mount <filename>/sys</filename> as read-only
808 for security / container isolation purposes.
809 </para>
810 </listitem>
811 <listitem>
812 <para>
813 <option>sys:rw</option>: mount
814 <filename>/sys</filename> as read-write
815 </para>
816 </listitem>
817 <listitem>
818 <para>
819 <option>cgroup:mixed</option>:
820 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
821 create directories for all hierarchies to which
822 the container is added, create subdirectories
823 there with the name of the cgroup, and bind-mount
824 the container's own cgroup into that directory.
825 The container will be able to write to its own
826 cgroup directory, but not the parents, since they
827 will be remounted read-only
828 </para>
829 </listitem>
830 <listitem>
831 <para>
832 <option>cgroup:ro</option>: similar to
833 <option>cgroup:mixed</option>, but everything will
834 be mounted read-only.
835 </para>
836 </listitem>
837 <listitem>
838 <para>
839 <option>cgroup:rw</option>: similar to
840 <option>cgroup:mixed</option>, but everything will
841 be mounted read-write. Note that the paths leading
842 up to the container's own cgroup will be writable,
843 but will not be a cgroup filesystem but just part
844 of the tmpfs of <filename>/sys/fs/cgroup</filename>
845 </para>
846 </listitem>
847 <listitem>
848 <para>
849 <option>cgroup</option> (without specifier):
850 defaults to <option>cgroup:rw</option> if the
851 container retains the CAP_SYS_ADMIN capability,
852 <option>cgroup:mixed</option> otherwise.
853 </para>
854 </listitem>
855 <listitem>
856 <para>
857 <option>cgroup-full:mixed</option>:
858 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
859 create directories for all hierarchies to which
860 the container is added, bind-mount the hierarchies
861 from the host to the container and make everything
862 read-only except the container's own cgroup. Note
863 that compared to <option>cgroup</option>, where
864 all paths leading up to the container's own cgroup
865 are just simple directories in the underlying
866 tmpfs, here
867 <filename>/sys/fs/cgroup/$hierarchy</filename>
868 will contain the host's full cgroup hierarchy,
869 albeit read-only outside the container's own cgroup.
870 This may leak quite a bit of information into the
871 container.
872 </para>
873 </listitem>
874 <listitem>
875 <para>
876 <option>cgroup-full:ro</option>: similar to
877 <option>cgroup-full:mixed</option>, but everything
878 will be mounted read-only.
879 </para>
880 </listitem>
881 <listitem>
882 <para>
883 <option>cgroup-full:rw</option>: similar to
884 <option>cgroup-full:mixed</option>, but everything
885 will be mounted read-write. Note that in this case,
886 the container may escape its own cgroup. (Note also
887 that if the container has CAP_SYS_ADMIN support
888 and can mount the cgroup filesystem itself, it may
889 do so anyway.)
890 </para>
891 </listitem>
892 <listitem>
893 <para>
894 <option>cgroup-full</option> (without specifier):
895 defaults to <option>cgroup-full:rw</option> if the
896 container retains the CAP_SYS_ADMIN capability,
897 <option>cgroup-full:mixed</option> otherwise.
898 </para>
899 </listitem>
900 </itemizedlist>
901 <para>
902 Note that if automatic mounting of the cgroup filesystem
903 is enabled, the tmpfs under
904 <filename>/sys/fs/cgroup</filename> will always be
905 mounted read-write (but for the <option>:mixed</option>
906 and <option>:ro</option> cases, the individual
907 hierarchies,
908 <filename>/sys/fs/cgroup/$hierarchy</filename>, will be
909 read-only). This is in order to work around a quirk in
910 Ubuntu's
b46f0553 911 <citerefentry>
c464fd7e 912 <refentrytitle>mountall</refentrytitle>
b46f0553
CS		 913 <manvolnum>8</manvolnum>
914 </citerefentry>
c464fd7e
SG		 915 command that will cause containers to wait for user
916 input at boot if
917 <filename>/sys/fs/cgroup</filename> is mounted read-only
918 and the container can't remount it read-write due to a
919 lack of CAP_SYS_ADMIN.
920 </para>
921 <para>
922 Examples:
923 </para>
924 <programlisting>
925 lxc.mount.auto = proc sys cgroup
926 lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
927 </programlisting>
928 </listitem>
929 </varlistentry>
55fc19a1
SG		 930
931 </variablelist>
932 </refsect2>
933
934 <refsect2>
935 <title>Root file system</title>
936 <para>
c464fd7e
SG		 937 The root file system of the container can be different than that
938 of the host system.
55fc19a1
SG		 939 </para>
940 <variablelist>
c464fd7e
SG		 941 <varlistentry>
942 <term>
943 <option>lxc.rootfs</option>
944 </term>
945 <listitem>
946 <para>
947 specify the root file system for the container. It can
948 be an image file, a directory or a block device. If not
949 specified, the container shares its root file system
950 with the host.
951 </para>
952 <para>
f1c26f2c
SH		 953 For directory or simple block-device backed containers,
954 a pathname can be used. If the rootfs is backed by a nbd
955 device, then <filename>nbd:file:1</filename> specifies that
956 <filename>file</filename> should be attached to a nbd device,
957 and partition 1 should be mounted as the rootfs.
958 <filename>nbd:file</filename> specifies that the nbd device
959 itself should be mounted. <filename>overlayfs:/lower:/upper</filename>
960 specifies that the rootfs should be an overlay with <filename>/upper</filename>
961 being mounted read-write over a read-only mount of <filename>/lower</filename>.
962 <filename>aufs:/lower:/upper</filename> does the same using aufs in place
963 of overlayfs. <filename>loop:/file</filename> tells lxc to attach
964 <filename>/file</filename> to a loop device and mount the loop device.
c464fd7e
SG		 965 </para>
966 </listitem>
967 </varlistentry>
968
969 <varlistentry>
970 <term>
971 <option>lxc.rootfs.mount</option>
972 </term>
973 <listitem>
974 <para>
975 where to recursively bind <option>lxc.rootfs</option>
976 before pivoting. This is to ensure success of the
977 <citerefentry>
978 <refentrytitle><command>pivot_root</command></refentrytitle>
979 <manvolnum>8</manvolnum>
980 </citerefentry>
981 syscall. Any directory suffices, the default should
982 generally work.
983 </para>
984 </listitem>
985 </varlistentry>
986
987 <varlistentry>
988 <term>
989 <option>lxc.rootfs.options</option>
990 </term>
991 <listitem>
992 <para>
993 extra mount options to use when mounting the rootfs.
994 </para>
995 </listitem>
996 </varlistentry>
a17b1e65 997
55fc19a1
SG		 998 </variablelist>
999 </refsect2>
1000
1001 <refsect2>
1002 <title>Control group</title>
1003 <para>
c464fd7e
SG		 1004 The control group section contains the configuration for the
1005 different subsystem. <command>lxc</command> does not check the
1006 correctness of the subsystem name. This has the disadvantage
1007 of not detecting configuration errors until the container is
1008 started, but has the advantage of permitting any future
1009 subsystem.
55fc19a1
SG		 1010 </para>
1011 <variablelist>
c464fd7e
SG		 1012 <varlistentry>
1013 <term>
1014 <option>lxc.cgroup.[subsystem name]</option>
1015 </term>
1016 <listitem>
1017 <para>
1018 specify the control group value to be set. The
1019 subsystem name is the literal name of the control group
1020 subsystem. The permitted names and the syntax of their
1021 values is not dictated by LXC, instead it depends on the
1022 features of the Linux kernel running at the time the
1023 container is started,
1024 eg. <option>lxc.cgroup.cpuset.cpus</option>
1025 </para>
1026 </listitem>
1027 </varlistentry>
55fc19a1
SG		 1028 </variablelist>
1029 </refsect2>
1030
1031 <refsect2>
1032 <title>Capabilities</title>
1033 <para>
c464fd7e
SG		 1034 The capabilities can be dropped in the container if this one
1035 is run as root.
55fc19a1
SG		 1036 </para>
1037 <variablelist>
c464fd7e
SG		 1038 <varlistentry>
1039 <term>
1040 <option>lxc.cap.drop</option>
1041 </term>
1042 <listitem>
1043 <para>
1044 Specify the capability to be dropped in the container. A
1045 single line defining several capabilities with a space
1046 separation is allowed. The format is the lower case of
1047 the capability definition without the "CAP_" prefix,
1048 eg. CAP_SYS_MODULE should be specified as
1049 sys_module. See
1050 <citerefentry>
1051 <refentrytitle><command>capabilities</command></refentrytitle>
1052 <manvolnum>7</manvolnum>
1053 </citerefentry>,
1054 </para>
1055 </listitem>
1056 </varlistentry>
1057 <varlistentry>
1058 <term>
1059 <option>lxc.cap.keep</option>
1060 </term>
1061 <listitem>
1062 <para>
1063 Specify the capability to be kept in the container. All other
1064 capabilities will be dropped. When a special value of "none" is
1065 encountered, lxc will clear any keep capabilities specified up
1066 to this point. A value of "none" alone can be used to drop all
1067 capabilities.
1068 </para>
1069 </listitem>
1070 </varlistentry>
55fc19a1
SG		 1071 </variablelist>
1072 </refsect2>
1073
1074 <refsect2>
1075 <title>Apparmor profile</title>
1076 <para>
c464fd7e
SG		 1077 If lxc was compiled and installed with apparmor support, and the host
1078 system has apparmor enabled, then the apparmor profile under which the
1079 container should be run can be specified in the container
1080 configuration. The default is <command>lxc-container-default</command>.
55fc19a1
SG		 1081 </para>
1082 <variablelist>
c464fd7e
SG		 1083 <varlistentry>
1084 <term>
1085 <option>lxc.aa_profile</option>
1086 </term>
1087 <listitem>
1088 <para>
1089 Specify the apparmor profile under which the container should
1090 be run. To specify that the container should be unconfined,
1091 use
1092 </para>
1093 <programlisting>lxc.aa_profile = unconfined</programlisting>
1094 </listitem>
1095 </varlistentry>
1096 <varlistentry>
1097 <term>
1098 <option>lxc.aa_allow_incomplete</option>
1099 </term>
1100 <listitem>
1101 <para>
1102 Apparmor profiles are pathname based. Therefore many file
1103 restrictions require mount restrictions to be effective against
1104 a determined attacker. However, these mount restrictions are not
1105 yet implemented in the upstream kernel. Without the mount
1106 restrictions, the apparmor profiles still protect against accidental
1107 damager.
1108 </para>
1109 <para>
1110 If this flag is 0 (default), then the container will not be
1111 started if the kernel lacks the apparmor mount features, so that a
1112 regression after a kernel upgrade will be detected. To start the
1113 container under partial apparmor protection, set this flag to 1.
1114 </para>
1115 </listitem>
1116 </varlistentry>
55fc19a1
SG		 1117 </variablelist>
1118 </refsect2>
1119
1120 <refsect2>
1121 <title>SELinux context</title>
1122 <para>
c464fd7e
SG		 1123 If lxc was compiled and installed with SELinux support, and the host
1124 system has SELinux enabled, then the SELinux context under which the
1125 container should be run can be specified in the container
1126 configuration. The default is <command>unconfined_t</command>,
1127 which means that lxc will not attempt to change contexts.
1128 See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
1129 information.
55fc19a1
SG		 1130 </para>
1131 <variablelist>
c464fd7e
SG		 1132 <varlistentry>
1133 <term>
1134 <option>lxc.se_context</option>
1135 </term>
1136 <listitem>
1137 <para>
1138 Specify the SELinux context under which the container should
1139 be run or <command>unconfined_t</command>. For example
1140 </para>
1141 <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting>
1142 </listitem>
1143 </varlistentry>
55fc19a1
SG		 1144 </variablelist>
1145 </refsect2>
1146
1147 <refsect2>
1148 <title>Seccomp configuration</title>
1149 <para>
1150 A container can be started with a reduced set of available
c464fd7e
SG		 1151 system calls by loading a seccomp profile at startup. The
1152 seccomp configuration file must begin with a version number
1153 on the first line, a policy type on the second line, followed
1154 by the configuration.
55fc19a1 1155 </para>
a7c27357
SH		 1156 <para>
1157 Versions 1 and 2 are currently supported. In version 1, the
c464fd7e
SG		 1158 policy is a simple whitelist. The second line therefore must
1159 read "whitelist", with the rest of the file containing one (numeric)
1160 sycall number per line. Each syscall number is whitelisted,
1161 while every unlisted number is blacklisted for use in the container
a7c27357
SH		 1162 </para>
1163
1164 <para>
1165 In version 2, the policy may be blacklist or whitelist,
1166 supports per-rule and per-policy default actions, and supports
1167 per-architecture system call resolution from textual names.
1168 </para>
1169 <para>
1170 An example blacklist policy, in which all system calls are
1171 allowed except for mknod, which will simply do nothing and
1172 return 0 (success), looks like:
1173 </para>
1174<screen>
11752
1176blacklist
1177mknod errno 0
1178</screen>
55fc19a1 1179 <variablelist>
c464fd7e
SG		 1180 <varlistentry>
1181 <term>
1182 <option>lxc.seccomp</option>
1183 </term>
1184 <listitem>
1185 <para>
1186 Specify a file containing the seccomp configuration to
1187 load before the container starts.
1188 </para>
1189 </listitem>
1190 </varlistentry>
55fc19a1
SG		 1191 </variablelist>
1192 </refsect2>
1193
1194 <refsect2>
1195 <title>UID mappings</title>
1196 <para>
1197 A container can be started in a private user namespace with
c464fd7e
SG		 1198 user and group id mappings. For instance, you can map userid
1199 0 in the container to userid 200000 on the host. The root
1200 user in the container will be privileged in the container,
1201 but unprivileged on the host. Normally a system container
1202 will want a range of ids, so you would map, for instance,
1203 user and group ids 0 through 20,000 in the container to the
1204 ids 200,000 through 220,000.
55fc19a1
SG		 1205 </para>
1206 <variablelist>
c464fd7e
SG		 1207 <varlistentry>
1208 <term>
1209 <option>lxc.id_map</option>
1210 </term>
1211 <listitem>
1212 <para>
1213 Four values must be provided. First a character, either
1214 'u', or 'g', to specify whether user or group ids are
1215 being mapped. Next is the first userid as seen in the
1216 user namespace of the container. Next is the userid as
1217 seen on the host. Finally, a range indicating the number
1218 of consecutive ids to map.
1219 </para>
1220 </listitem>
1221 </varlistentry>
55fc19a1
SG		 1222 </variablelist>
1223 </refsect2>
1224
1225 <refsect2>
1226 <title>Container hooks</title>
1227 <para>
1228 Container hooks are programs or scripts which can be executed
c464fd7e 1229 at various times in a container's lifetime.
55fc19a1
SG		 1230 </para>
1231 <para>
1232 When a container hook is executed, information is passed both
c464fd7e
SG		 1233 as command line arguments and through environment variables.
1234 The arguments are:
1235 <itemizedlist>
1236 <listitem><para> Container name. </para></listitem>
1237 <listitem><para> Section (always 'lxc'). </para></listitem>
1238 <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
1239 <listitem><para> Additional arguments In the
1240 case of the clone hook, any extra arguments passed to
1241 lxc-clone will appear as further arguments to the hook. </para></listitem>
1242 </itemizedlist>
1243 The following environment variables are set:
1244 <itemizedlist>
1245 <listitem><para> LXC_NAME: is the container's name. </para></listitem>
1246 <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
1247 <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
1248 <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
1249 <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
1250 </itemizedlist>
55fc19a1
SG		 1251 </para>
1252 <para>
1253 Standard output from the hooks is logged at debug level.
1254 Standard error is not logged, but can be captured by the
1255 hook redirecting its standard error to standard output.
1256 </para>
1257 <variablelist>
c464fd7e
SG		 1258 <varlistentry>
1259 <term>
1260 <option>lxc.hook.pre-start</option>
1261 </term>
1262 <listitem>
1263 <para>
1264 A hook to be run in the host's namespace before the
1265 container ttys, consoles, or mounts are up.
1266 </para>
1267 </listitem>
1268 </varlistentry>
55fc19a1
SG		 1269 </variablelist>
1270 <variablelist>
c464fd7e
SG		 1271 <varlistentry>
1272 <term>
1273 <option>lxc.hook.pre-mount</option>
1274 </term>
1275 <listitem>
1276 <para>
1277 A hook to be run in the container's fs namespace but before
1278 the rootfs has been set up. This allows for manipulation
1279 of the rootfs, i.e. to mount an encrypted filesystem. Mounts
1280 done in this hook will not be reflected on the host (apart from
1281 mounts propagation), so they will be automatically cleaned up
1282 when the container shuts down.
1283 </para>
1284 </listitem>
1285 </varlistentry>
55fc19a1
SG		 1286 </variablelist>
1287 <variablelist>
c464fd7e
SG		 1288 <varlistentry>
1289 <term>
1290 <option>lxc.hook.mount</option>
1291 </term>
1292 <listitem>
1293 <para>
1294 A hook to be run in the container's namespace after
1295 mounting has been done, but before the pivot_root.
1296 </para>
1297 </listitem>
1298 </varlistentry>
55fc19a1
SG		 1299 </variablelist>
1300 <variablelist>
c464fd7e
SG		 1301 <varlistentry>
1302 <term>
1303 <option>lxc.hook.autodev</option>
1304 </term>
1305 <listitem>
1306 <para>
1307 A hook to be run in the container's namespace after
1308 mounting has been done and after any mount hooks have
1309 run, but before the pivot_root, if
1310 <option>lxc.autodev</option> == 1.
1311 The purpose of this hook is to assist in populating the
1312 /dev directory of the container when using the autodev
1313 option for systemd based containers. The container's /dev
1314 directory is relative to the
1315 ${<option>LXC_ROOTFS_MOUNT</option>} environment
1316 variable available when the hook is run.
1317 </para>
1318 </listitem>
1319 </varlistentry>
55fc19a1
SG		 1320 </variablelist>
1321 <variablelist>
c464fd7e
SG		 1322 <varlistentry>
1323 <term>
1324 <option>lxc.hook.start</option>
1325 </term>
1326 <listitem>
1327 <para>
1328 A hook to be run in the container's namespace immediately
1329 before executing the container's init. This requires the
1330 program to be available in the container.
1331 </para>
1332 </listitem>
1333 </varlistentry>
55fc19a1
SG		 1334 </variablelist>
1335 <variablelist>
c464fd7e
SG		 1336 <varlistentry>
1337 <term>
1338 <option>lxc.hook.post-stop</option>
1339 </term>
1340 <listitem>
1341 <para>
1342 A hook to be run in the host's namespace after the
1343 container has been shut down.
1344 </para>
1345 </listitem>
1346 </varlistentry>
55fc19a1
SG		 1347 </variablelist>
1348 <variablelist>
c464fd7e
SG		 1349 <varlistentry>
1350 <term>
1351 <option>lxc.hook.clone</option>
1352 </term>
1353 <listitem>
1354 <para>
1355 A hook to be run when the container is cloned to a new one.
1356 See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
1357 <manvolnum>1</manvolnum></citerefentry> for more information.
1358 </para>
1359 </listitem>
1360 </varlistentry>
55fc19a1
SG		 1361 </variablelist>
1362 </refsect2>
1363
1364 <refsect2>
1365 <title>Container hooks Environment Variables</title>
1366 <para>
1367 A number of environment variables are made available to the startup
1368 hooks to provide configuration information and assist in the
1369 functioning of the hooks. Not all variables are valid in all
1370 contexts. In particular, all paths are relative to the host system
1371 and, as such, not valid during the <option>lxc.hook.start</option> hook.
1372 </para>
1373 <variablelist>
c464fd7e
SG		 1374 <varlistentry>
1375 <term>
1376 <option>LXC_NAME</option>
1377 </term>
1378 <listitem>
1379 <para>
1380 The LXC name of the container. Useful for logging messages
1381 in common log environments. [<option>-n</option>]
1382 </para>
1383 </listitem>
1384 </varlistentry>
55fc19a1
SG		 1385 </variablelist>
1386 <variablelist>
c464fd7e
SG		 1387 <varlistentry>
1388 <term>
1389 <option>LXC_CONFIG_FILE</option>
1390 </term>
1391 <listitem>
1392 <para>
1393 Host relative path to the container configuration file. This
1394 gives the container to reference the original, top level,
1395 configuration file for the container in order to locate any
1396 additional configuration information not otherwise made
1397 available. [<option>-f</option>]
1398 </para>
1399 </listitem>
1400 </varlistentry>
55fc19a1
SG		 1401 </variablelist>
1402 <variablelist>
c464fd7e
SG		 1403 <varlistentry>
1404 <term>
1405 <option>LXC_CONSOLE</option>
1406 </term>
1407 <listitem>
1408 <para>
1409 The path to the console output of the container if not NULL.
1410 [<option>-c</option>] [<option>lxc.console</option>]
1411 </para>
1412 </listitem>
1413 </varlistentry>
55fc19a1
SG		 1414 </variablelist>
1415 <variablelist>
c464fd7e
SG		 1416 <varlistentry>
1417 <term>
1418 <option>LXC_CONSOLE_LOGPATH</option>
1419 </term>
1420 <listitem>
1421 <para>
1422 The path to the console log output of the container if not NULL.
1423 [<option>-L</option>]
1424 </para>
1425 </listitem>
1426 </varlistentry>
55fc19a1
SG		 1427 </variablelist>
1428 <variablelist>
c464fd7e
SG		 1429 <varlistentry>
1430 <term>
1431 <option>LXC_ROOTFS_MOUNT</option>
1432 </term>
1433 <listitem>
1434 <para>
1435 The mount location to which the container is initially bound.
1436 This will be the host relative path to the container rootfs
1437 for the container instance being started and is where changes
1438 should be made for that instance.
1439 [<option>lxc.rootfs.mount</option>]
1440 </para>
1441 </listitem>
1442 </varlistentry>
55fc19a1
SG		 1443 </variablelist>
1444 <variablelist>
c464fd7e
SG		 1445 <varlistentry>
1446 <term>
1447 <option>LXC_ROOTFS_PATH</option>
1448 </term>
1449 <listitem>
1450 <para>
1451 The host relative path to the container root which has been
1452 mounted to the rootfs.mount location.
1453 [<option>lxc.rootfs</option>]
1454 </para>
1455 </listitem>
1456 </varlistentry>
55fc19a1
SG		 1457 </variablelist>
1458
1459 </refsect2>
1460 <refsect2>
1461 <title>Logging</title>
1462 <para>
1463 Logging can be configured on a per-container basis. By default,
1464 depending upon how the lxc package was compiled, container startup
1465 is logged only at the ERROR level, and logged to a file named after
1466 the container (with '.log' appended) either under the container path,
1467 or under @LOGPATH@.
1468 </para>
1469 <para>
1470 Both the default log level and the log file can be specified in the
1471 container configuration file, overriding the default behavior. Note
1472 that the configuration file entries can in turn be overridden by the
1473 command line options to <command>lxc-start</command>.
1474 </para>
1475 <variablelist>
c464fd7e
SG		 1476 <varlistentry>
1477 <term>
1478 <option>lxc.loglevel</option>
1479 </term>
1480 <listitem>
1481 <para>
1482 The level at which to log. The log level is an integer in
1483 the range of 0..8 inclusive, where a lower number means more
1484 verbose debugging. In particular 0 = trace, 1 = debug, 2 =
1485 info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
1486 alert, and 8 = fatal. If unspecified, the level defaults
1487 to 5 (error), so that only errors and above are logged.
1488 </para>
1489 <para>
1490 Note that when a script (such as either a hook script or a
1491 network interface up or down script) is called, the script's
1492 standard output is logged at level 1, debug.
1493 </para>
1494 </listitem>
1495 </varlistentry>
1496 <varlistentry>
1497 <term>
1498 <option>lxc.logfile</option>
1499 </term>
1500 <listitem>
1501 <para>
1502 The file to which logging info should be written.
1503 </para>
1504 </listitem>
1505 </varlistentry>
55fc19a1
SG		 1506 </variablelist>
1507 </refsect2>
1508
1509 <refsect2>
1510 <title>Autostart</title>
1511 <para>
1512 The autostart options support marking which containers should be
1513 auto-started and in what order. These options may be used by LXC tools
1514 directly or by external tooling provided by the distributions.
1515 </para>
1516
1517 <variablelist>
1518 <varlistentry>
1519 <term>
1520 <option>lxc.start.auto</option>
1521 </term>
1522 <listitem>
1523 <para>
1524 Whether the container should be auto-started.
1525 Valid values are 0 (off) and 1 (on).
1526 </para>
1527 </listitem>
1528 </varlistentry>
1529 <varlistentry>
1530 <term>
1531 <option>lxc.start.delay</option>
1532 </term>
1533 <listitem>
1534 <para>
1535 How long to wait (in seconds) after the container is
1536 started before starting the next one.
1537 </para>
1538 </listitem>
1539 </varlistentry>
1540 <varlistentry>
1541 <term>
1542 <option>lxc.start.order</option>
1543 </term>
1544 <listitem>
1545 <para>
1546 An integer used to sort the containers when auto-starting
1547 a series of containers at once.
1548 </para>
1549 </listitem>
1550 </varlistentry>
1551 <varlistentry>
1552 <term>
1553 <option>lxc.group</option>
1554 </term>
1555 <listitem>
1556 <para>
1557 A multi-value key (can be used multiple times) to put the
1558 container in a container group. Those groups can then be
1559 used (amongst other things) to start a series of related
1560 containers.
1561 </para>
1562 </listitem>
1563 </varlistentry>
1564 </variablelist>
1565 </refsect2>
015f0dd7
MW		 1566
1567 <refsect2>
1568 <title>Autostart and System Boot</title>
1569 <para>
1570 Each container can be part of any number of groups or no group at all.
1571 Two groups are special. One is the NULL group, i.e. the container does
1572 not belong to any group. The other group is the "onboot" group.
1573 </para>
1574
1575 <para>
1576 When the system boots with the LXC service enabled, it will first
1577 attempt to boot any containers with lxc.start.auto == 1 that is a member
1578 of the "onboot" group. The startup will be in order of lxc.start.order.
1579 If an lxc.start.delay has been specified, that delay will be honored
1580 before attempting to start the next container to give the current
1581 container time to begin initialization and reduce overloading the host
1582 system. After starting the members of the "onboot" group, the LXC system
1583 will proceed to boot containers with lxc.start.auto == 1 which are not
1584 members of any group (the NULL group) and proceed as with the onboot
1585 group.
1586 </para>
1587
1588 </refsect2>
7c661726
MP		 1589
1590 <refsect2>
1591 <title>Container Environment</title>
1592 <para>
c464fd7e
SG		 1593 If you want to pass environment variables into the container (that
1594 is, environment variables which will be available to init and all of
1595 its descendents), you can use <command>lxc.environment</command>
1596 parameters to do so. Be careful that you do not pass in anything
1597 sensitive; any process in the container which doesn't have its
1598 environment scrubbed will have these variables available to it, and
1599 environment variables are always available via
1600 <command>/proc/PID/environ</command>.
7c661726
MP		 1601 </para>
1602
1603 <para>
1604 This configuration parameter can be specified multiple times; once
1605 for each environment variable you wish to configure.
1606 </para>
1607
1608 <variablelist>
c464fd7e
SG		 1609 <varlistentry>
1610 <term>
1611 <option>lxc.environment</option>
1612 </term>
1613 <listitem>
1614 <para>
1615 Specify an environment variable to pass into the container.
1616 Example:
1617 </para>
1618 <programlisting>
1619 lxc.environment = APP_ENV=production
1620 lxc.environment = SYSLOG_SERVER=192.0.2.42
1621 </programlisting>
1622 </listitem>
1623 </varlistentry>
7c661726
MP		 1624 </variablelist>
1625 </refsect2>
1626
55fc19a1
SG		 1627 </refsect1>
1628
1629 <refsect1>
1630 <title>Examples</title>
1631 <para>
c464fd7e
SG		 1632 In addition to the few examples given below, you will find
1633 some other examples of configuration file in @DOCDIR@/examples
55fc19a1
SG		 1634 </para>
1635 <refsect2>
1636 <title>Network</title>
1637 <para>This configuration sets up a container to use a veth pair
c464fd7e
SG		 1638 device with one side plugged to a bridge br0 (which has been
1639 configured before on the system by the administrator). The
1640 virtual network device visible in the container is renamed to
1641 eth0.</para>
55fc19a1 1642 <programlisting>
c464fd7e
SG		 1643 lxc.utsname = myhostname
1644 lxc.network.type = veth
1645 lxc.network.flags = up
1646 lxc.network.link = br0
1647 lxc.network.name = eth0
1648 lxc.network.hwaddr = 4a:49:43:49:79:bf
1649 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1650 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
55fc19a1
SG		 1651 </programlisting>
1652 </refsect2>
1653
1654 <refsect2>
1655 <title>UID/GID mapping</title>
1656 <para>This configuration will map both user and group ids in the
1657 range 0-9999 in the container to the ids 100000-109999 on the host.
1658 </para>
1659 <programlisting>
c464fd7e
SG		 1660 lxc.id_map = u 0 100000 10000
1661 lxc.id_map = g 0 100000 10000
55fc19a1
SG		 1662 </programlisting>
1663 </refsect2>
1664
1665 <refsect2>
1666 <title>Control group</title>
1667 <para>This configuration will setup several control groups for
1668 the application, cpuset.cpus restricts usage of the defined cpu,
1669 cpus.share prioritize the control group, devices.allow makes
1670 usable the specified devices.</para>
1671 <programlisting>
c464fd7e
SG		 1672 lxc.cgroup.cpuset.cpus = 0,1
1673 lxc.cgroup.cpu.shares = 1234
1674 lxc.cgroup.devices.deny = a
1675 lxc.cgroup.devices.allow = c 1:3 rw
1676 lxc.cgroup.devices.allow = b 8:0 rw
55fc19a1
SG		 1677 </programlisting>
1678 </refsect2>
1679
1680 <refsect2>
1681 <title>Complex configuration</title>
1682 <para>This example show a complex configuration making a complex
1683 network stack, using the control groups, setting a new hostname,
1684 mounting some locations and a changing root file system.</para>
1685 <programlisting>
c464fd7e
SG		 1686 lxc.utsname = complex
1687 lxc.network.type = veth
1688 lxc.network.flags = up
1689 lxc.network.link = br0
1690 lxc.network.hwaddr = 4a:49:43:49:79:bf
1691 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1692 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
1693 lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
1694 lxc.network.type = macvlan
1695 lxc.network.flags = up
1696 lxc.network.link = eth0
1697 lxc.network.hwaddr = 4a:49:43:49:79:bd
1698 lxc.network.ipv4 = 10.2.3.4/24
1699 lxc.network.ipv4 = 192.168.10.125/24
1700 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
1701 lxc.network.type = phys
1702 lxc.network.flags = up
1703 lxc.network.link = dummy0
1704 lxc.network.hwaddr = 4a:49:43:49:79:ff
1705 lxc.network.ipv4 = 10.2.3.6/24
1706 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
1707 lxc.cgroup.cpuset.cpus = 0,1
1708 lxc.cgroup.cpu.shares = 1234
1709 lxc.cgroup.devices.deny = a
1710 lxc.cgroup.devices.allow = c 1:3 rw
1711 lxc.cgroup.devices.allow = b 8:0 rw
1712 lxc.mount = /etc/fstab.complex
1713 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
1714 lxc.rootfs = /mnt/rootfs.complex
1715 lxc.cap.drop = sys_module mknod setuid net_raw
1716 lxc.cap.drop = mac_override
55fc19a1
SG		 1717 </programlisting>
1718 </refsect2>
1719
1720 </refsect1>
1721
1722 <refsect1>
1723 <title>See Also</title>
1724 <simpara>
1725 <citerefentry>
c464fd7e
SG		 1726 <refentrytitle><command>chroot</command></refentrytitle>
1727 <manvolnum>1</manvolnum>
55fc19a1
SG		 1728 </citerefentry>,
1729
1730 <citerefentry>
c464fd7e
SG		 1731 <refentrytitle><command>pivot_root</command></refentrytitle>
1732 <manvolnum>8</manvolnum>
55fc19a1
SG		 1733 </citerefentry>,
1734
1735 <citerefentry>
c464fd7e
SG		 1736 <refentrytitle><filename>fstab</filename></refentrytitle>
1737 <manvolnum>5</manvolnum>
55fc19a1
SG		 1738 </citerefentry>,
1739
1740 <citerefentry>
c464fd7e
SG		 1741 <refentrytitle><filename>capabilities</filename></refentrytitle>
1742 <manvolnum>7</manvolnum>
55fc19a1
SG		 1743 </citerefentry>
1744 </simpara>
1745 </refsect1>
1746
1747 &seealso;
1748
1749 <refsect1>
1750 <title>Author</title>
1751 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
1752 </refsect1>
1753
1754</refentry>
1755
1756<!-- Keep this comment at the end of the file
1757Local variables:
1758mode: sgml
1759sgml-omittag:t
1760sgml-shorttag:t
1761sgml-minimize-attributes:nil
1762sgml-always-quote-attributes:t
1763sgml-indent-step:2
1764sgml-indent-data:t
1765sgml-parent-document:nil
1766sgml-default-dtd-file:nil
1767sgml-exposed-tags:nil
1768sgml-local-catalogs:nil
1769sgml-local-ecat-files:nil
1770End:
1771-->
LXC mirror