]> git.proxmox.com Git - mirror_lxc.git/blame - doc/lxc.container.conf.sgml.in
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #777 from hallyn/2016-01-28/cgns1
[mirror_lxc.git] / doc / lxc.container.conf.sgml.in
CommitLineData
55fc19a1
SG		 1<!--
2
3lxc: linux Container library
4
5(C) Copyright IBM Corp. 2007, 2008
6
7Authors:
8Daniel Lezcano <daniel.lezcano at free.fr>
9
10This library is free software; you can redistribute it and/or
11modify it under the terms of the GNU Lesser General Public
12License as published by the Free Software Foundation; either
13version 2.1 of the License, or (at your option) any later version.
14
15This library is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18Lesser General Public License for more details.
19
20You should have received a copy of the GNU Lesser General Public
21License along with this library; if not, write to the Free Software
22Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23
24-->
25
26<!DOCTYPE refentry PUBLIC @docdtd@ [
27
28<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
29]>
30
31<refentry>
32
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
34
35 <refmeta>
36 <refentrytitle>lxc.container.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
38 </refmeta>
39
40 <refnamediv>
41 <refname>lxc.container.conf</refname>
42
43 <refpurpose>
44 LXC container configuration file
45 </refpurpose>
46 </refnamediv>
47
48 <refsect1>
49 <title>Description</title>
50
51 <para>
52 The linux containers (<command>lxc</command>) are always created
53 before being used. This creation defines a set of system
54 resources to be virtualized / isolated when a process is using
55 the container. By default, the pids, sysv ipc and mount points
56 are virtualized and isolated. The other system resources are
57 shared across containers, until they are explicitly defined in
58 the configuration file. For example, if there is no network
59 configuration, the network will be shared between the creator of
60 the container and the container itself, but if the network is
61 specified, a new network stack is created for the container and
62 the container can no longer use the network of its ancestor.
63 </para>
64
65 <para>
66 The configuration file defines the different system resources to
67 be assigned for the container. At present, the utsname, the
68 network, the mount points, the root file system, the user namespace,
69 and the control groups are supported.
70 </para>
71
72 <para>
73 Each option in the configuration file has the form <command>key
74 = value</command> fitting in one line. The '#' character means
ff689149
MH		 75 the line is a comment. List options, like capabilities and cgroups
76 options, can be used with no value to clear any previously
77 defined values of that option.
55fc19a1
SG		 78 </para>
79
80 <refsect2>
81 <title>Configuration</title>
82 <para>
c464fd7e
SG		 83 In order to ease administration of multiple related containers, it
84 is possible to have a container configuration file cause another
85 file to be loaded. For instance, network configuration
86 can be defined in one common file which is included by multiple
87 containers. Then, if the containers are moved to another host,
88 only one file may need to be updated.
55fc19a1
SG		 89 </para>
90
91 <variablelist>
c464fd7e
SG		 92 <varlistentry>
93 <term>
94 <option>lxc.include</option>
95 </term>
96 <listitem>
97 <para>
98 Specify the file to be included. The included file must be
99 in the same valid lxc configuration file format.
100 </para>
101 </listitem>
102 </varlistentry>
55fc19a1
SG		 103 </variablelist>
104 </refsect2>
105
106 <refsect2>
107 <title>Architecture</title>
108 <para>
c464fd7e
SG		 109 Allows one to set the architecture for the container. For example,
110 set a 32bits architecture for a container running 32bits
111 binaries on a 64bits host. This fixes the container scripts
112 which rely on the architecture to do some work like
113 downloading the packages.
55fc19a1
SG		 114 </para>
115
116 <variablelist>
c464fd7e
SG		 117 <varlistentry>
118 <term>
119 <option>lxc.arch</option>
120 </term>
121 <listitem>
122 <para>
123 Specify the architecture for the container.
124 </para>
125 <para>
126 Valid options are
127 <option>x86</option>,
128 <option>i686</option>,
129 <option>x86_64</option>,
130 <option>amd64</option>
131 </para>
132 </listitem>
133 </varlistentry>
55fc19a1
SG		 134 </variablelist>
135
136 </refsect2>
137
138 <refsect2>
139 <title>Hostname</title>
140 <para>
c464fd7e
SG		 141 The utsname section defines the hostname to be set for the
142 container. That means the container can set its own hostname
143 without changing the one from the system. That makes the
144 hostname private for the container.
55fc19a1
SG		 145 </para>
146 <variablelist>
c464fd7e
SG		 147 <varlistentry>
148 <term>
149 <option>lxc.utsname</option>
150 </term>
151 <listitem>
152 <para>
153 specify the hostname for the container
154 </para>
155 </listitem>
156 </varlistentry>
55fc19a1
SG		 157 </variablelist>
158 </refsect2>
159
160 <refsect2>
161 <title>Halt signal</title>
162 <para>
936762f3
BP		 163 Allows one to specify signal name or number, sent by lxc-stop to the
164 container's init process to cleanly shutdown the container. Different
165 init systems could use different signals to perform clean shutdown
166 sequence. This option allows the signal to be specified in kill(1)
167 fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The
168 default signal is SIGPWR.
55fc19a1
SG		 169 </para>
170 <variablelist>
936762f3
BP		 171 <varlistentry>
172 <term>
173 <option>lxc.haltsignal</option>
174 </term>
175 <listitem>
176 <para>
177 specify the signal used to halt the container
178 </para>
179 </listitem>
180 </varlistentry>
181 </variablelist>
182 </refsect2>
183
184 <refsect2>
185 <title>Reboot signal</title>
186 <para>
187 Allows one to specify signal name or number, sent by lxc-stop to
188 reboot the container. This option allows signal to be specified in
189 kill(1) fashion, e.g. SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain number.
190 The default signal is SIGINT.
191 </para>
192 <variablelist>
193 <varlistentry>
194 <term>
195 <option>lxc.rebootsignal</option>
196 </term>
197 <listitem>
198 <para>
199 specify the signal used to reboot the container
200 </para>
201 </listitem>
202 </varlistentry>
55fc19a1
SG		 203 </variablelist>
204 </refsect2>
205
206 <refsect2>
207 <title>Stop signal</title>
208 <para>
936762f3
BP		 209 Allows one to specify signal name or number, sent by lxc-stop to forcibly
210 shutdown the container. This option allows signal to be specified in
211 kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number.
212 The default signal is SIGKILL.
213 </para>
214 <variablelist>
215 <varlistentry>
216 <term>
217 <option>lxc.stopsignal</option>
218 </term>
219 <listitem>
220 <para>
221 specify the signal used to stop the container
222 </para>
223 </listitem>
224 </varlistentry>
55fc19a1
SG		 225 </variablelist>
226 </refsect2>
227
67c660d0
SG		 228 <refsect2>
229 <title>Init command</title>
230 <para>
231 Sets the command to use as the init system for the containers.
232
233 This option is ignored when using lxc-execute.
234
235 Defaults to: /sbin/init
236 </para>
237 <variablelist>
936762f3
BP		 238 <varlistentry>
239 <term>
240 <option>lxc.init_cmd</option>
241 </term>
242 <listitem>
243 <para>
244 Absolute path from container rootfs to the binary to use as init.
245 </para>
246 </listitem>
247 </varlistentry>
67c660d0
SG		 248 </variablelist>
249 </refsect2>
250
dbca9237
PT		 251 <refsect2>
252 <title>Init ID</title>
253 <para>
254 Sets the UID/GID to use for the init system, and subsequent command, executed by lxc-execute.
255
256 These options are only used when lxc-execute is started in a private user namespace.
257
258 Defaults to: UID(0), GID(0)
259 </para>
260 <variablelist>
261 <varlistentry>
262 <term>
263 <option>lxc.init_uid</option>
264 </term>
265 <listitem>
266 <para>
267 UID to use within a private user namesapce for init.
268 </para>
269 </listitem>
270 </varlistentry>
271 <varlistentry>
272 <term>
273 <option>lxc.init_gid</option>
274 </term>
275 <listitem>
276 <para>
277 GID to use within a private user namesapce for init.
278 </para>
279 </listitem>
280 </varlistentry>
281 </variablelist>
282 </refsect2>
283
4e6eb26b
CB		 284 <refsect2>
285 <title>Ephemeral</title>
286 <para>
287 Allows one to specify whether a container will be destroyed on shutdown.
288 </para>
289 <variablelist>
290 <varlistentry>
291 <term>
292 <option>lxc.ephemeral</option>
293 </term>
294 <listitem>
295 <para>
296 The only allowed values are 0 and 1. Set this to 1 to destroy a
297 container on shutdown.
298 </para>
299 </listitem>
300 </varlistentry>
301 </variablelist>
302 </refsect2>
303
55fc19a1
SG		 304 <refsect2>
305 <title>Network</title>
306 <para>
c464fd7e
SG		 307 The network section defines how the network is virtualized in
308 the container. The network virtualization acts at layer
309 two. In order to use the network virtualization, parameters
310 must be specified to define the network interfaces of the
311 container. Several virtual interfaces can be assigned and used
312 in a container even if the system has only one physical
313 network interface.
55fc19a1
SG		 314 </para>
315 <variablelist>
020104c3
MH		 316 <varlistentry>
317 <term>
318 <option>lxc.network</option>
319 </term>
320 <listitem>
321 <para>
322 may be used without a value to clear all previous network options.
323 </para>
324 </listitem>
325 </varlistentry>
c464fd7e
SG		 326 <varlistentry>
327 <term>
328 <option>lxc.network.type</option>
329 </term>
330 <listitem>
331 <para>
332 specify what kind of network virtualization to be used
333 for the container. Each time
334 a <option>lxc.network.type</option> field is found a new
335 round of network configuration begins. In this way,
336 several network virtualization types can be specified
337 for the same container, as well as assigning several
338 network interfaces for one container. The different
339 virtualization types can be:
340 </para>
341
342 <para>
343 <option>none:</option> will cause the container to share
344 the host's network namespace. This means the host
345 network devices are usable in the container. It also
346 means that if both the container and host have upstart as
347 init, 'halt' in a container (for instance) will shut down the
348 host.
349 </para>
350
351 <para>
352 <option>empty:</option> will create only the loopback
353 interface.
354 </para>
355
356 <para>
38005c54
MA		 357 <option>veth:</option> a virtual ethernet pair
358 device is created with one side assigned to the container
359 and the other side attached to a bridge specified by
360 the <option>lxc.network.link</option> option.
361 If the bridge is not specified, then the veth pair device
362 will be created but not attached to any bridge.
363 Otherwise, the bridge has to be created on the system
364 before starting the container.
365 <command>lxc</command> won't handle any
366 configuration outside of the container.
367 By default, <command>lxc</command> chooses a name for the
c464fd7e 368 network device belonging to the outside of the
38005c54
MA		 369 container, but if you wish to handle
370 this name yourselves, you can tell <command>lxc</command>
c464fd7e
SG		 371 to set a specific name with
372 the <option>lxc.network.veth.pair</option> option (except for
373 unprivileged containers where this option is ignored for security
374 reasons).
375 </para>
376
377 <para>
378 <option>vlan:</option> a vlan interface is linked with
379 the interface specified by
380 the <option>lxc.network.link</option> and assigned to
381 the container. The vlan identifier is specified with the
382 option <option>lxc.network.vlan.id</option>.
383 </para>
384
385 <para>
386 <option>macvlan:</option> a macvlan interface is linked
387 with the interface specified by
388 the <option>lxc.network.link</option> and assigned to
389 the container.
390 <option>lxc.network.macvlan.mode</option> specifies the
391 mode the macvlan will use to communicate between
392 different macvlan on the same upper device. The accepted
c15ea607
EL		 393 modes are <option>private</option>, <option>vepa</option>,
394 <option>bridge</option> and <option>passthru</option>.
395 In <option>private</option> mode, the device never
396 communicates with any other device on the same upper_dev (default).
397 In <option>vepa</option> mode, the new Virtual Ethernet Port
c464fd7e
SG		 398 Aggregator (VEPA) mode, it assumes that the adjacent
399 bridge returns all frames where both source and
400 destination are local to the macvlan port, i.e. the
401 bridge is set up as a reflective relay. Broadcast
402 frames coming in from the upper_dev get flooded to all
403 macvlan interfaces in VEPA mode, local frames are not
c15ea607 404 delivered locally. In <option>bridge</option> mode, it
c464fd7e
SG		 405 provides the behavior of a simple bridge between
406 different macvlan interfaces on the same port. Frames
407 from one interface to another one get delivered directly
408 and are not sent out externally. Broadcast frames get
409 flooded to all other bridge ports and to the external
410 interface, but when they come back from a reflective
411 relay, we don't deliver them again. Since we know all
412 the MAC addresses, the macvlan bridge mode does not
c15ea607
EL		 413 require learning or STP like the bridge module does. In
414 <option>passthru</option> mode, all frames received by
415 the physical interface are forwarded to the macvlan
416 interface. Only one macvlan interface in <option>passthru</option>
417 mode is possible for one physical interface.
c464fd7e
SG		 418 </para>
419
420 <para>
421 <option>phys:</option> an already existing interface
422 specified by the <option>lxc.network.link</option> is
423 assigned to the container.
424 </para>
425 </listitem>
426 </varlistentry>
427
428 <varlistentry>
429 <term>
430 <option>lxc.network.flags</option>
431 </term>
432 <listitem>
433 <para>
434 specify an action to do for the
435 network.
436 </para>
437
438 <para><option>up:</option> activates the interface.
439 </para>
440 </listitem>
441 </varlistentry>
442
443 <varlistentry>
444 <term>
445 <option>lxc.network.link</option>
446 </term>
447 <listitem>
448 <para>
449 specify the interface to be used for real network
450 traffic.
451 </para>
452 </listitem>
453 </varlistentry>
454
455 <varlistentry>
456 <term>
457 <option>lxc.network.mtu</option>
458 </term>
459 <listitem>
460 <para>
461 specify the maximum transfer unit for this interface.
462 </para>
463 </listitem>
464 </varlistentry>
465
466 <varlistentry>
467 <term>
468 <option>lxc.network.name</option>
469 </term>
470 <listitem>
471 <para>
472 the interface name is dynamically allocated, but if
473 another name is needed because the configuration files
474 being used by the container use a generic name,
475 eg. eth0, this option will rename the interface in the
476 container.
477 </para>
478 </listitem>
479 </varlistentry>
480
481 <varlistentry>
482 <term>
483 <option>lxc.network.hwaddr</option>
484 </term>
485 <listitem>
486 <para>
487 the interface mac address is dynamically allocated by
488 default to the virtual interface, but in some cases,
489 this is needed to resolve a mac address conflict or to
490 always have the same link-local ipv6 address.
491 Any "x" in address will be replaced by random value,
492 this allows setting hwaddr templates.
493 </para>
494 </listitem>
495 </varlistentry>
496
497 <varlistentry>
498 <term>
499 <option>lxc.network.ipv4</option>
500 </term>
501 <listitem>
502 <para>
503 specify the ipv4 address to assign to the virtualized
504 interface. Several lines specify several ipv4 addresses.
505 The address is in format x.y.z.t/m,
506 eg. 192.168.1.123/24. The broadcast address should be
507 specified on the same line, right after the ipv4
508 address.
509 </para>
510 </listitem>
511 </varlistentry>
512
513 <varlistentry>
514 <term>
515 <option>lxc.network.ipv4.gateway</option>
516 </term>
517 <listitem>
518 <para>
519 specify the ipv4 address to use as the gateway inside the
520 container. The address is in format x.y.z.t, eg.
521 192.168.1.123.
522
523 Can also have the special value <option>auto</option>,
524 which means to take the primary address from the bridge
525 interface (as specified by the
526 <option>lxc.network.link</option> option) and use that as
527 the gateway. <option>auto</option> is only available when
528 using the <option>veth</option> and
529 <option>macvlan</option> network types.
530 </para>
531 </listitem>
532 </varlistentry>
533
534
535 <varlistentry>
536 <term>
537 <option>lxc.network.ipv6</option>
538 </term>
539 <listitem>
540 <para>
541 specify the ipv6 address to assign to the virtualized
542 interface. Several lines specify several ipv6 addresses.
543 The address is in format x::y/m,
544 eg. 2003:db8:1:0:214:1234:fe0b:3596/64
545 </para>
546 </listitem>
547 </varlistentry>
548
549 <varlistentry>
550 <term>
551 <option>lxc.network.ipv6.gateway</option>
552 </term>
553 <listitem>
554 <para>
555 specify the ipv6 address to use as the gateway inside the
556 container. The address is in format x::y,
557 eg. 2003:db8:1:0::1
558
559 Can also have the special value <option>auto</option>,
560 which means to take the primary address from the bridge
561 interface (as specified by the
562 <option>lxc.network.link</option> option) and use that as
563 the gateway. <option>auto</option> is only available when
564 using the <option>veth</option> and
565 <option>macvlan</option> network types.
566 </para>
567 </listitem>
568 </varlistentry>
569
570 <varlistentry>
571 <term>
572 <option>lxc.network.script.up</option>
573 </term>
574 <listitem>
575 <para>
576 add a configuration option to specify a script to be
577 executed after creating and configuring the network used
578 from the host side. The following arguments are passed
579 to the script: container name and config section name
580 (net) Additional arguments depend on the config section
581 employing a script hook; the following are used by the
582 network system: execution context (up), network type
583 (empty/veth/macvlan/phys), Depending on the network
584 type, other arguments may be passed:
585 veth/macvlan/phys. And finally (host-sided) device name.
586 </para>
587 <para>
588 Standard output from the script is logged at debug level.
589 Standard error is not logged, but can be captured by the
590 hook redirecting its standard error to standard output.
591 </para>
592 </listitem>
593 </varlistentry>
594
595 <varlistentry>
596 <term>
597 <option>lxc.network.script.down</option>
598 </term>
599 <listitem>
600 <para>
601 add a configuration option to specify a script to be
602 executed before destroying the network used from the
603 host side. The following arguments are passed to the
604 script: container name and config section name (net)
605 Additional arguments depend on the config section
606 employing a script hook; the following are used by the
607 network system: execution context (down), network type
608 (empty/veth/macvlan/phys), Depending on the network
609 type, other arguments may be passed:
610 veth/macvlan/phys. And finally (host-sided) device name.
611 </para>
612 <para>
613 Standard output from the script is logged at debug level.
614 Standard error is not logged, but can be captured by the
615 hook redirecting its standard error to standard output.
616 </para>
617 </listitem>
618 </varlistentry>
55fc19a1
SG		 619 </variablelist>
620 </refsect2>
621
622 <refsect2>
623 <title>New pseudo tty instance (devpts)</title>
624 <para>
c464fd7e
SG		 625 For stricter isolation the container can have its own private
626 instance of the pseudo tty.
55fc19a1
SG		 627 </para>
628 <variablelist>
c464fd7e
SG		 629 <varlistentry>
630 <term>
631 <option>lxc.pts</option>
632 </term>
633 <listitem>
634 <para>
635 If set, the container will have a new pseudo tty
636 instance, making this private to it. The value specifies
55fc19a1
SG		 637 the maximum number of pseudo ttys allowed for a pts
638 instance (this limitation is not implemented yet).
c464fd7e
SG		 639 </para>
640 </listitem>
641 </varlistentry>
55fc19a1
SG		 642 </variablelist>
643 </refsect2>
644
645 <refsect2>
646 <title>Container system console</title>
647 <para>
c464fd7e
SG		 648 If the container is configured with a root filesystem and the
649 inittab file is setup to use the console, you may want to specify
650 where the output of this console goes.
55fc19a1
SG		 651 </para>
652 <variablelist>
c464fd7e
SG		 653 <varlistentry>
654 <term>
655 <option>lxc.console.logfile</option>
656 </term>
657 <listitem>
658 <para>
659 Specify a path to a file where the console output will
660 be written.
661 </para>
662 </listitem>
663 </varlistentry>
664 <varlistentry>
665 <term>
666 <option>lxc.console</option>
667 </term>
668 <listitem>
669 <para>
670 Specify a path to a device to which the console will be
671 attached. The keyword 'none' will simply disable the
672 console. This is dangerous once if have a rootfs with a
673 console device file where the application can write, the
674 messages will fall in the host.
675 </para>
676 </listitem>
677 </varlistentry>
55fc19a1
SG		 678 </variablelist>
679 </refsect2>
680
681 <refsect2>
682 <title>Console through the ttys</title>
683 <para>
c464fd7e
SG		 684 This option is useful if the container is configured with a root
685 filesystem and the inittab file is setup to launch a getty on the
686 ttys. The option specifies the number of ttys to be available for
687 the container. The number of gettys in the inittab file of the
688 container should not be greater than the number of ttys specified
689 in this option, otherwise the excess getty sessions will die and
690 respawn indefinitely giving annoying messages on the console or in
691 <filename>/var/log/messages</filename>.
55fc19a1
SG		 692 </para>
693 <variablelist>
c464fd7e
SG		 694 <varlistentry>
695 <term>
696 <option>lxc.tty</option>
697 </term>
698 <listitem>
699 <para>
700 Specify the number of tty to make available to the
701 container.
702 </para>
703 </listitem>
704 </varlistentry>
55fc19a1
SG		 705 </variablelist>
706 </refsect2>
707
708 <refsect2>
709 <title>Console devices location</title>
710 <para>
711 LXC consoles are provided through Unix98 PTYs created on the
c464fd7e
SG		 712 host and bind-mounted over the expected devices in the container.
713 By default, they are bind-mounted over <filename>/dev/console</filename>
714 and <filename>/dev/ttyN</filename>. This can prevent package upgrades
715 in the guest. Therefore you can specify a directory location (under
716 <filename>/dev</filename> under which LXC will create the files and
717 bind-mount over them. These will then be symbolically linked to
718 <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
719 A package upgrade can then succeed as it is able to remove and replace
720 the symbolic links.
55fc19a1
SG		 721 </para>
722 <variablelist>
c464fd7e
SG		 723 <varlistentry>
724 <term>
725 <option>lxc.devttydir</option>
726 </term>
727 <listitem>
728 <para>
729 Specify a directory under <filename>/dev</filename>
730 under which to create the container console devices.
731 </para>
732 </listitem>
733 </varlistentry>
55fc19a1
SG		 734 </variablelist>
735 </refsect2>
736
737 <refsect2>
738 <title>/dev directory</title>
739 <para>
c464fd7e
SG		 740 By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr)
741 in the container's <filename>/dev</filename> directory but does not
742 automatically create device node entries. This allows the container's
743 <filename>/dev</filename> to be set up as needed in the container
744 rootfs. If lxc.autodev is set to 1, then after mounting the container's
745 rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
746 (limited to 100k) and fill in a minimal set of initial devices.
55fc19a1
SG		 747 This is generally required when starting a container containing
748 a "systemd" based "init" but may be optional at other times. Additional
749 devices in the containers /dev directory may be created through the
750 use of the <option>lxc.hook.autodev</option> hook.
751 </para>
752 <variablelist>
c464fd7e
SG		 753 <varlistentry>
754 <term>
755 <option>lxc.autodev</option>
756 </term>
757 <listitem>
758 <para>
124fa0a8 759 Set this to 0 to stop LXC from mounting and populating a minimal
c464fd7e
SG		 760 <filename>/dev</filename> when starting the container.
761 </para>
762 </listitem>
763 </varlistentry>
55fc19a1
SG		 764 </variablelist>
765 </refsect2>
766
767 <refsect2>
768 <title>Enable kmsg symlink</title>
769 <para>
d89de239 770 Enable creating /dev/kmsg as symlink to /dev/console. This defaults to 0.
55fc19a1
SG		 771 </para>
772 <variablelist>
773 <varlistentry>
774 <term>
775 <option>lxc.kmsg</option>
776 </term>
777 <listitem>
778 <para>
d89de239 779 Set this to 1 to enable /dev/kmsg symlinking.
55fc19a1
SG		 780 </para>
781 </listitem>
782 </varlistentry>
783 </variablelist>
784 </refsect2>
785
786 <refsect2>
787 <title>Mount points</title>
788 <para>
c464fd7e
SG		 789 The mount points section specifies the different places to be
790 mounted. These mount points will be private to the container
791 and won't be visible by the processes running outside of the
792 container. This is useful to mount /etc, /var or /home for
793 examples.
55fc19a1 794 </para>
592fd47a
SH		 795 <para>
796 NOTE - LXC will generally ensure that mount targets and relative
797 bind-mount sources are properly confined under the container
798 root, to avoid attacks involving over-mounting host directories
799 and files. (Symbolic links in absolute mount sources are ignored)
800 However, if the container configuration first mounts a directory which
801 is under the control of the container user, such as /home/joe, into
802 the container at some <filename>path</filename>, and then mounts
803 under <filename>path</filename>, then a TOCTTOU attack would be
804 possible where the container user modifies a symbolic link under
805 his home directory at just the right time.
806 </para>
55fc19a1 807 <variablelist>
c464fd7e
SG		 808 <varlistentry>
809 <term>
810 <option>lxc.mount</option>
811 </term>
812 <listitem>
813 <para>
814 specify a file location in
815 the <filename>fstab</filename> format, containing the
816 mount information. The mount target location can and in
817 most cases should be a relative path, which will become
818 relative to the mounted container root. For instance,
819 </para>
6191f4f4
SH		 820<screen>
821proc proc proc nodev,noexec,nosuid 0 0
822</screen>
c464fd7e
SG		 823 <para>
824 Will mount a proc filesystem under the container's /proc,
825 regardless of where the root filesystem comes from. This
826 is resilient to block device backed filesystems as well as
827 container cloning.
828 </para>
829 <para>
830 Note that when mounting a filesystem from an
831 image file or block device the third field (fs_vfstype)
832 cannot be auto as with
55fc19a1 833 <citerefentry>
c464fd7e 834 <refentrytitle>mount</refentrytitle>
55fc19a1
SG		 835 <manvolnum>8</manvolnum>
836 </citerefentry>
837 but must be explicitly specified.
c464fd7e
SG		 838 </para>
839 </listitem>
840 </varlistentry>
841
842 <varlistentry>
843 <term>
844 <option>lxc.mount.entry</option>
845 </term>
846 <listitem>
847 <para>
848 specify a mount point corresponding to a line in the
849 fstab format.
f5b67b36
NC		 850
851 Moreover lxc add two options to mount.
852 <option>optional</option> don't fail if mount does not work.
853 <option>create=dir</option> or <option>create=file</option>
854 to create dir (or file) when the point will be mounted.
c464fd7e
SG		 855 </para>
856 </listitem>
857 </varlistentry>
858
859 <varlistentry>
860 <term>
861 <option>lxc.mount.auto</option>
862 </term>
863 <listitem>
864 <para>
865 specify which standard kernel file systems should be
866 automatically mounted. This may dramatically simplify
867 the configuration. The file systems are:
868 </para>
869 <itemizedlist>
870 <listitem>
871 <para>
872 <option>proc:mixed</option> (or <option>proc</option>):
873 mount <filename>/proc</filename> as read-write, but
874 remount <filename>/proc/sys</filename> and
875 <filename>/proc/sysrq-trigger</filename> read-only
876 for security / container isolation purposes.
877 </para>
878 </listitem>
879 <listitem>
880 <para>
881 <option>proc:rw</option>: mount
882 <filename>/proc</filename> as read-write
883 </para>
884 </listitem>
885 <listitem>
886 <para>
f24a52d5
SG		 887 <option>sys:mixed</option> (or <option>sys</option>):
888 mount <filename>/sys</filename> as read-only but with
889 /sys/devices/virtual/net writable.
890 </para>
891 </listitem>
892 <listitem>
893 <para>
894 <option>sys:ro</option>:
c464fd7e
SG		 895 mount <filename>/sys</filename> as read-only
896 for security / container isolation purposes.
897 </para>
898 </listitem>
899 <listitem>
900 <para>
901 <option>sys:rw</option>: mount
902 <filename>/sys</filename> as read-write
903 </para>
904 </listitem>
905 <listitem>
906 <para>
907 <option>cgroup:mixed</option>:
908 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
909 create directories for all hierarchies to which
910 the container is added, create subdirectories
911 there with the name of the cgroup, and bind-mount
912 the container's own cgroup into that directory.
913 The container will be able to write to its own
914 cgroup directory, but not the parents, since they
915 will be remounted read-only
916 </para>
917 </listitem>
918 <listitem>
919 <para>
920 <option>cgroup:ro</option>: similar to
921 <option>cgroup:mixed</option>, but everything will
922 be mounted read-only.
923 </para>
924 </listitem>
925 <listitem>
926 <para>
927 <option>cgroup:rw</option>: similar to
928 <option>cgroup:mixed</option>, but everything will
929 be mounted read-write. Note that the paths leading
930 up to the container's own cgroup will be writable,
931 but will not be a cgroup filesystem but just part
932 of the tmpfs of <filename>/sys/fs/cgroup</filename>
933 </para>
934 </listitem>
935 <listitem>
936 <para>
937 <option>cgroup</option> (without specifier):
938 defaults to <option>cgroup:rw</option> if the
939 container retains the CAP_SYS_ADMIN capability,
940 <option>cgroup:mixed</option> otherwise.
941 </para>
942 </listitem>
943 <listitem>
944 <para>
945 <option>cgroup-full:mixed</option>:
946 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
947 create directories for all hierarchies to which
948 the container is added, bind-mount the hierarchies
949 from the host to the container and make everything
950 read-only except the container's own cgroup. Note
951 that compared to <option>cgroup</option>, where
952 all paths leading up to the container's own cgroup
953 are just simple directories in the underlying
954 tmpfs, here
955 <filename>/sys/fs/cgroup/$hierarchy</filename>
956 will contain the host's full cgroup hierarchy,
957 albeit read-only outside the container's own cgroup.
958 This may leak quite a bit of information into the
959 container.
960 </para>
961 </listitem>
962 <listitem>
963 <para>
964 <option>cgroup-full:ro</option>: similar to
965 <option>cgroup-full:mixed</option>, but everything
966 will be mounted read-only.
967 </para>
968 </listitem>
969 <listitem>
970 <para>
971 <option>cgroup-full:rw</option>: similar to
972 <option>cgroup-full:mixed</option>, but everything
973 will be mounted read-write. Note that in this case,
974 the container may escape its own cgroup. (Note also
975 that if the container has CAP_SYS_ADMIN support
976 and can mount the cgroup filesystem itself, it may
977 do so anyway.)
978 </para>
979 </listitem>
980 <listitem>
981 <para>
982 <option>cgroup-full</option> (without specifier):
983 defaults to <option>cgroup-full:rw</option> if the
984 container retains the CAP_SYS_ADMIN capability,
985 <option>cgroup-full:mixed</option> otherwise.
986 </para>
987 </listitem>
988 </itemizedlist>
989 <para>
990 Note that if automatic mounting of the cgroup filesystem
991 is enabled, the tmpfs under
992 <filename>/sys/fs/cgroup</filename> will always be
993 mounted read-write (but for the <option>:mixed</option>
994 and <option>:ro</option> cases, the individual
995 hierarchies,
996 <filename>/sys/fs/cgroup/$hierarchy</filename>, will be
997 read-only). This is in order to work around a quirk in
998 Ubuntu's
b46f0553 999 <citerefentry>
c464fd7e 1000 <refentrytitle>mountall</refentrytitle>
b46f0553
CS		 1001 <manvolnum>8</manvolnum>
1002 </citerefentry>
c464fd7e
SG		 1003 command that will cause containers to wait for user
1004 input at boot if
1005 <filename>/sys/fs/cgroup</filename> is mounted read-only
1006 and the container can't remount it read-write due to a
1007 lack of CAP_SYS_ADMIN.
1008 </para>
1009 <para>
1010 Examples:
1011 </para>
1012 <programlisting>
1013 lxc.mount.auto = proc sys cgroup
1014 lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
1015 </programlisting>
1016 </listitem>
1017 </varlistentry>
55fc19a1
SG		 1018
1019 </variablelist>
1020 </refsect2>
1021
1022 <refsect2>
1023 <title>Root file system</title>
1024 <para>
c464fd7e
SG		 1025 The root file system of the container can be different than that
1026 of the host system.
55fc19a1
SG		 1027 </para>
1028 <variablelist>
c464fd7e
SG		 1029 <varlistentry>
1030 <term>
1031 <option>lxc.rootfs</option>
1032 </term>
1033 <listitem>
1034 <para>
1035 specify the root file system for the container. It can
1036 be an image file, a directory or a block device. If not
1037 specified, the container shares its root file system
1038 with the host.
1039 </para>
1040 <para>
f1c26f2c
SH		 1041 For directory or simple block-device backed containers,
1042 a pathname can be used. If the rootfs is backed by a nbd
1043 device, then <filename>nbd:file:1</filename> specifies that
1044 <filename>file</filename> should be attached to a nbd device,
1045 and partition 1 should be mounted as the rootfs.
1046 <filename>nbd:file</filename> specifies that the nbd device
1047 itself should be mounted. <filename>overlayfs:/lower:/upper</filename>
1048 specifies that the rootfs should be an overlay with <filename>/upper</filename>
1049 being mounted read-write over a read-only mount of <filename>/lower</filename>.
1050 <filename>aufs:/lower:/upper</filename> does the same using aufs in place
280d2379
CB		 1051 of overlayfs. For both <filename>overlayfs</filename> and
1052 <filename>aufs</filename> multiple <filename>/lower</filename>
1053 directories can be specified. <filename>loop:/file</filename> tells lxc to attach
f1c26f2c 1054 <filename>/file</filename> to a loop device and mount the loop device.
c464fd7e
SG		 1055 </para>
1056 </listitem>
1057 </varlistentry>
1058
1059 <varlistentry>
1060 <term>
1061 <option>lxc.rootfs.mount</option>
1062 </term>
1063 <listitem>
1064 <para>
1065 where to recursively bind <option>lxc.rootfs</option>
1066 before pivoting. This is to ensure success of the
1067 <citerefentry>
1068 <refentrytitle><command>pivot_root</command></refentrytitle>
1069 <manvolnum>8</manvolnum>
1070 </citerefentry>
1071 syscall. Any directory suffices, the default should
1072 generally work.
1073 </para>
1074 </listitem>
1075 </varlistentry>
1076
1077 <varlistentry>
1078 <term>
1079 <option>lxc.rootfs.options</option>
1080 </term>
1081 <listitem>
1082 <para>
1083 extra mount options to use when mounting the rootfs.
1084 </para>
1085 </listitem>
1086 </varlistentry>
a17b1e65 1087
55fc19a1
SG		 1088 </variablelist>
1089 </refsect2>
1090
1091 <refsect2>
1092 <title>Control group</title>
1093 <para>
c464fd7e
SG		 1094 The control group section contains the configuration for the
1095 different subsystem. <command>lxc</command> does not check the
1096 correctness of the subsystem name. This has the disadvantage
1097 of not detecting configuration errors until the container is
1098 started, but has the advantage of permitting any future
1099 subsystem.
55fc19a1
SG		 1100 </para>
1101 <variablelist>
c464fd7e
SG		 1102 <varlistentry>
1103 <term>
1104 <option>lxc.cgroup.[subsystem name]</option>
1105 </term>
1106 <listitem>
1107 <para>
1108 specify the control group value to be set. The
1109 subsystem name is the literal name of the control group
1110 subsystem. The permitted names and the syntax of their
1111 values is not dictated by LXC, instead it depends on the
1112 features of the Linux kernel running at the time the
1113 container is started,
1114 eg. <option>lxc.cgroup.cpuset.cpus</option>
1115 </para>
1116 </listitem>
1117 </varlistentry>
55fc19a1
SG		 1118 </variablelist>
1119 </refsect2>
1120
1121 <refsect2>
1122 <title>Capabilities</title>
1123 <para>
c464fd7e
SG		 1124 The capabilities can be dropped in the container if this one
1125 is run as root.
55fc19a1
SG		 1126 </para>
1127 <variablelist>
c464fd7e
SG		 1128 <varlistentry>
1129 <term>
1130 <option>lxc.cap.drop</option>
1131 </term>
1132 <listitem>
1133 <para>
1134 Specify the capability to be dropped in the container. A
1135 single line defining several capabilities with a space
1136 separation is allowed. The format is the lower case of
1137 the capability definition without the "CAP_" prefix,
1138 eg. CAP_SYS_MODULE should be specified as
1139 sys_module. See
1140 <citerefentry>
1141 <refentrytitle><command>capabilities</command></refentrytitle>
1142 <manvolnum>7</manvolnum>
7eff30fd
MH		 1143 </citerefentry>.
1144 If used with no value, lxc will clear any drop capabilities
1145 specified up to this point.
c464fd7e
SG		 1146 </para>
1147 </listitem>
1148 </varlistentry>
1149 <varlistentry>
1150 <term>
1151 <option>lxc.cap.keep</option>
1152 </term>
1153 <listitem>
1154 <para>
1155 Specify the capability to be kept in the container. All other
1156 capabilities will be dropped. When a special value of "none" is
1157 encountered, lxc will clear any keep capabilities specified up
1158 to this point. A value of "none" alone can be used to drop all
1159 capabilities.
1160 </para>
1161 </listitem>
1162 </varlistentry>
55fc19a1
SG		 1163 </variablelist>
1164 </refsect2>
1165
1166 <refsect2>
1167 <title>Apparmor profile</title>
1168 <para>
c464fd7e
SG		 1169 If lxc was compiled and installed with apparmor support, and the host
1170 system has apparmor enabled, then the apparmor profile under which the
1171 container should be run can be specified in the container
1172 configuration. The default is <command>lxc-container-default</command>.
55fc19a1
SG		 1173 </para>
1174 <variablelist>
c464fd7e
SG		 1175 <varlistentry>
1176 <term>
1177 <option>lxc.aa_profile</option>
1178 </term>
1179 <listitem>
1180 <para>
1181 Specify the apparmor profile under which the container should
1182 be run. To specify that the container should be unconfined,
1183 use
1184 </para>
1185 <programlisting>lxc.aa_profile = unconfined</programlisting>
1186 </listitem>
1187 </varlistentry>
1188 <varlistentry>
1189 <term>
1190 <option>lxc.aa_allow_incomplete</option>
1191 </term>
1192 <listitem>
1193 <para>
1194 Apparmor profiles are pathname based. Therefore many file
1195 restrictions require mount restrictions to be effective against
1196 a determined attacker. However, these mount restrictions are not
1197 yet implemented in the upstream kernel. Without the mount
1198 restrictions, the apparmor profiles still protect against accidental
1199 damager.
1200 </para>
1201 <para>
1202 If this flag is 0 (default), then the container will not be
1203 started if the kernel lacks the apparmor mount features, so that a
1204 regression after a kernel upgrade will be detected. To start the
1205 container under partial apparmor protection, set this flag to 1.
1206 </para>
1207 </listitem>
1208 </varlistentry>
55fc19a1
SG		 1209 </variablelist>
1210 </refsect2>
1211
1212 <refsect2>
1213 <title>SELinux context</title>
1214 <para>
c464fd7e
SG		 1215 If lxc was compiled and installed with SELinux support, and the host
1216 system has SELinux enabled, then the SELinux context under which the
1217 container should be run can be specified in the container
1218 configuration. The default is <command>unconfined_t</command>,
1219 which means that lxc will not attempt to change contexts.
1220 See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
1221 information.
55fc19a1
SG		 1222 </para>
1223 <variablelist>
c464fd7e
SG		 1224 <varlistentry>
1225 <term>
1226 <option>lxc.se_context</option>
1227 </term>
1228 <listitem>
1229 <para>
1230 Specify the SELinux context under which the container should
1231 be run or <command>unconfined_t</command>. For example
1232 </para>
1233 <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting>
1234 </listitem>
1235 </varlistentry>
55fc19a1
SG		 1236 </variablelist>
1237 </refsect2>
1238
1239 <refsect2>
1240 <title>Seccomp configuration</title>
1241 <para>
1242 A container can be started with a reduced set of available
c464fd7e
SG		 1243 system calls by loading a seccomp profile at startup. The
1244 seccomp configuration file must begin with a version number
1245 on the first line, a policy type on the second line, followed
1246 by the configuration.
55fc19a1 1247 </para>
a7c27357
SH		 1248 <para>
1249 Versions 1 and 2 are currently supported. In version 1, the
c464fd7e
SG		 1250 policy is a simple whitelist. The second line therefore must
1251 read "whitelist", with the rest of the file containing one (numeric)
1252 sycall number per line. Each syscall number is whitelisted,
1253 while every unlisted number is blacklisted for use in the container
a7c27357
SH		 1254 </para>
1255
1256 <para>
1257 In version 2, the policy may be blacklist or whitelist,
1258 supports per-rule and per-policy default actions, and supports
1259 per-architecture system call resolution from textual names.
1260 </para>
1261 <para>
1262 An example blacklist policy, in which all system calls are
1263 allowed except for mknod, which will simply do nothing and
1264 return 0 (success), looks like:
1265 </para>
1266<screen>
12672
1268blacklist
1269mknod errno 0
1270</screen>
55fc19a1 1271 <variablelist>
c464fd7e
SG		 1272 <varlistentry>
1273 <term>
1274 <option>lxc.seccomp</option>
1275 </term>
1276 <listitem>
1277 <para>
1278 Specify a file containing the seccomp configuration to
1279 load before the container starts.
1280 </para>
1281 </listitem>
1282 </varlistentry>
55fc19a1
SG		 1283 </variablelist>
1284 </refsect2>
1285
1286 <refsect2>
1287 <title>UID mappings</title>
1288 <para>
1289 A container can be started in a private user namespace with
c464fd7e
SG		 1290 user and group id mappings. For instance, you can map userid
1291 0 in the container to userid 200000 on the host. The root
1292 user in the container will be privileged in the container,
1293 but unprivileged on the host. Normally a system container
1294 will want a range of ids, so you would map, for instance,
1295 user and group ids 0 through 20,000 in the container to the
1296 ids 200,000 through 220,000.
55fc19a1
SG		 1297 </para>
1298 <variablelist>
c464fd7e
SG		 1299 <varlistentry>
1300 <term>
1301 <option>lxc.id_map</option>
1302 </term>
1303 <listitem>
1304 <para>
1305 Four values must be provided. First a character, either
1306 'u', or 'g', to specify whether user or group ids are
1307 being mapped. Next is the first userid as seen in the
1308 user namespace of the container. Next is the userid as
1309 seen on the host. Finally, a range indicating the number
1310 of consecutive ids to map.
1311 </para>
1312 </listitem>
1313 </varlistentry>
55fc19a1
SG		 1314 </variablelist>
1315 </refsect2>
1316
1317 <refsect2>
1318 <title>Container hooks</title>
1319 <para>
1320 Container hooks are programs or scripts which can be executed
c464fd7e 1321 at various times in a container's lifetime.
55fc19a1
SG		 1322 </para>
1323 <para>
1324 When a container hook is executed, information is passed both
c464fd7e
SG		 1325 as command line arguments and through environment variables.
1326 The arguments are:
1327 <itemizedlist>
1328 <listitem><para> Container name. </para></listitem>
1329 <listitem><para> Section (always 'lxc'). </para></listitem>
1330 <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
0a2b5ab1 1331 <listitem><para> Additional arguments. In the
c464fd7e 1332 case of the clone hook, any extra arguments passed to
0a2b5ab1
WB		 1333 lxc-clone will appear as further arguments to the hook.
1334 In the case of the stop hook, paths to filedescriptors
1335 for each of the container's namespaces along with their types
1336 are passed. </para></listitem>
c464fd7e
SG		 1337 </itemizedlist>
1338 The following environment variables are set:
1339 <itemizedlist>
1340 <listitem><para> LXC_NAME: is the container's name. </para></listitem>
1341 <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
1342 <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
1343 <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
1344 <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
1345 </itemizedlist>
55fc19a1
SG		 1346 </para>
1347 <para>
1348 Standard output from the hooks is logged at debug level.
1349 Standard error is not logged, but can be captured by the
1350 hook redirecting its standard error to standard output.
1351 </para>
1352 <variablelist>
c464fd7e
SG		 1353 <varlistentry>
1354 <term>
1355 <option>lxc.hook.pre-start</option>
1356 </term>
1357 <listitem>
1358 <para>
1359 A hook to be run in the host's namespace before the
1360 container ttys, consoles, or mounts are up.
1361 </para>
1362 </listitem>
1363 </varlistentry>
55fc19a1
SG		 1364 </variablelist>
1365 <variablelist>
c464fd7e
SG		 1366 <varlistentry>
1367 <term>
1368 <option>lxc.hook.pre-mount</option>
1369 </term>
1370 <listitem>
1371 <para>
1372 A hook to be run in the container's fs namespace but before
1373 the rootfs has been set up. This allows for manipulation
1374 of the rootfs, i.e. to mount an encrypted filesystem. Mounts
1375 done in this hook will not be reflected on the host (apart from
1376 mounts propagation), so they will be automatically cleaned up
1377 when the container shuts down.
1378 </para>
1379 </listitem>
1380 </varlistentry>
55fc19a1
SG		 1381 </variablelist>
1382 <variablelist>
c464fd7e
SG		 1383 <varlistentry>
1384 <term>
1385 <option>lxc.hook.mount</option>
1386 </term>
1387 <listitem>
1388 <para>
1389 A hook to be run in the container's namespace after
1390 mounting has been done, but before the pivot_root.
1391 </para>
1392 </listitem>
1393 </varlistentry>
55fc19a1
SG		 1394 </variablelist>
1395 <variablelist>
c464fd7e
SG		 1396 <varlistentry>
1397 <term>
1398 <option>lxc.hook.autodev</option>
1399 </term>
1400 <listitem>
1401 <para>
1402 A hook to be run in the container's namespace after
1403 mounting has been done and after any mount hooks have
1404 run, but before the pivot_root, if
1405 <option>lxc.autodev</option> == 1.
1406 The purpose of this hook is to assist in populating the
1407 /dev directory of the container when using the autodev
1408 option for systemd based containers. The container's /dev
1409 directory is relative to the
1410 ${<option>LXC_ROOTFS_MOUNT</option>} environment
1411 variable available when the hook is run.
1412 </para>
1413 </listitem>
1414 </varlistentry>
55fc19a1
SG		 1415 </variablelist>
1416 <variablelist>
c464fd7e
SG		 1417 <varlistentry>
1418 <term>
1419 <option>lxc.hook.start</option>
1420 </term>
1421 <listitem>
1422 <para>
1423 A hook to be run in the container's namespace immediately
1424 before executing the container's init. This requires the
1425 program to be available in the container.
1426 </para>
1427 </listitem>
1428 </varlistentry>
55fc19a1 1429 </variablelist>
0a2b5ab1
WB		 1430 <variablelist>
1431 <varlistentry>
1432 <term>
1433 <option>lxc.hook.stop</option>
1434 </term>
1435 <listitem>
1436 <para>
1437 A hook to be run in the host's namespace with references
1438 to the container's namespaces after the container has been shut
1439 down. For each namespace an extra argument is passed to the hook
1440 containing the namespace's type and a filename that can be used to
1441 obtain a file descriptor to the corresponding namespace, separated
1442 by a colon. The type is the name as it would appear in the
1443 <filename>/proc/PID/ns</filename> directory.
1444 For instance for the mount namespace the argument usually looks
1445 like <filename>mnt:/proc/PID/fd/12</filename>.
1446 </para>
1447 </listitem>
1448 </varlistentry>
1449 </variablelist>
55fc19a1 1450 <variablelist>
c464fd7e
SG		 1451 <varlistentry>
1452 <term>
1453 <option>lxc.hook.post-stop</option>
1454 </term>
1455 <listitem>
1456 <para>
1457 A hook to be run in the host's namespace after the
1458 container has been shut down.
1459 </para>
1460 </listitem>
1461 </varlistentry>
55fc19a1
SG		 1462 </variablelist>
1463 <variablelist>
c464fd7e
SG		 1464 <varlistentry>
1465 <term>
1466 <option>lxc.hook.clone</option>
1467 </term>
1468 <listitem>
1469 <para>
1470 A hook to be run when the container is cloned to a new one.
1471 See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
1472 <manvolnum>1</manvolnum></citerefentry> for more information.
1473 </para>
1474 </listitem>
1475 </varlistentry>
55fc19a1 1476 </variablelist>
37cf711b
SY		 1477 <variablelist>
1478 <varlistentry>
1479 <term>
1480 <option>lxc.hook.destroy</option>
1481 </term>
1482 <listitem>
1483 <para>
1484 A hook to be run when the container is destroyed.
1485 </para>
1486 </listitem>
1487 </varlistentry>
1488 </variablelist>
55fc19a1
SG		 1489 </refsect2>
1490
1491 <refsect2>
1492 <title>Container hooks Environment Variables</title>
1493 <para>
1494 A number of environment variables are made available to the startup
1495 hooks to provide configuration information and assist in the
1496 functioning of the hooks. Not all variables are valid in all
1497 contexts. In particular, all paths are relative to the host system
1498 and, as such, not valid during the <option>lxc.hook.start</option> hook.
1499 </para>
1500 <variablelist>
c464fd7e
SG		 1501 <varlistentry>
1502 <term>
1503 <option>LXC_NAME</option>
1504 </term>
1505 <listitem>
1506 <para>
1507 The LXC name of the container. Useful for logging messages
1508 in common log environments. [<option>-n</option>]
1509 </para>
1510 </listitem>
1511 </varlistentry>
55fc19a1
SG		 1512 </variablelist>
1513 <variablelist>
c464fd7e
SG		 1514 <varlistentry>
1515 <term>
1516 <option>LXC_CONFIG_FILE</option>
1517 </term>
1518 <listitem>
1519 <para>
1520 Host relative path to the container configuration file. This
1521 gives the container to reference the original, top level,
1522 configuration file for the container in order to locate any
1523 additional configuration information not otherwise made
1524 available. [<option>-f</option>]
1525 </para>
1526 </listitem>
1527 </varlistentry>
55fc19a1
SG		 1528 </variablelist>
1529 <variablelist>
c464fd7e
SG		 1530 <varlistentry>
1531 <term>
1532 <option>LXC_CONSOLE</option>
1533 </term>
1534 <listitem>
1535 <para>
1536 The path to the console output of the container if not NULL.
1537 [<option>-c</option>] [<option>lxc.console</option>]
1538 </para>
1539 </listitem>
1540 </varlistentry>
55fc19a1
SG		 1541 </variablelist>
1542 <variablelist>
c464fd7e
SG		 1543 <varlistentry>
1544 <term>
1545 <option>LXC_CONSOLE_LOGPATH</option>
1546 </term>
1547 <listitem>
1548 <para>
1549 The path to the console log output of the container if not NULL.
1550 [<option>-L</option>]
1551 </para>
1552 </listitem>
1553 </varlistentry>
55fc19a1
SG		 1554 </variablelist>
1555 <variablelist>
c464fd7e
SG		 1556 <varlistentry>
1557 <term>
1558 <option>LXC_ROOTFS_MOUNT</option>
1559 </term>
1560 <listitem>
1561 <para>
1562 The mount location to which the container is initially bound.
1563 This will be the host relative path to the container rootfs
1564 for the container instance being started and is where changes
1565 should be made for that instance.
1566 [<option>lxc.rootfs.mount</option>]
1567 </para>
1568 </listitem>
1569 </varlistentry>
55fc19a1
SG		 1570 </variablelist>
1571 <variablelist>
c464fd7e
SG		 1572 <varlistentry>
1573 <term>
1574 <option>LXC_ROOTFS_PATH</option>
1575 </term>
1576 <listitem>
1577 <para>
1578 The host relative path to the container root which has been
1579 mounted to the rootfs.mount location.
1580 [<option>lxc.rootfs</option>]
1581 </para>
1582 </listitem>
1583 </varlistentry>
55fc19a1 1584 </variablelist>
07945418
KY		 1585 <variablelist>
1586 <varlistentry>
1587 <term>
1588 <option>LXC_SRC_NAME</option>
1589 </term>
1590 <listitem>
1591 <para>
1592 Only for the clone hook. Is set to the original container name.
1593 </para>
1594 </listitem>
1595 </varlistentry>
1596 </variablelist>
c154af98
SG		 1597 <variablelist>
1598 <varlistentry>
1599 <term>
1600 <option>LXC_TARGET</option>
1601 </term>
1602 <listitem>
1603 <para>
1604 Only for the stop hook. Is set to "stop" for a container
1605 shutdown or "reboot" for a container reboot.
1606 </para>
1607 </listitem>
1608 </varlistentry>
c4cafa08
SH		 1609 </variablelist>
1610 <variablelist>
1611 <varlistentry>
1612 <term>
1613 <option>LXC_CGNS_AWARE</option>
1614 </term>
1615 <listitem>
1616 <para>
1617 If unset, then this version of lxc is not aware of cgroup
1618 namespaces. If set, it will be set to 1, and lxc is aware
1619 of cgroup namespaces. Note this does not guarantee that
1620 cgroup namespaces are enabled in the kernel. This is used
1621 by the lxcfs mount hook.
1622 </para>
1623 </listitem>
1624 </varlistentry>
c154af98 1625 </variablelist>
55fc19a1
SG		 1626 </refsect2>
1627 <refsect2>
1628 <title>Logging</title>
1629 <para>
1630 Logging can be configured on a per-container basis. By default,
1631 depending upon how the lxc package was compiled, container startup
1632 is logged only at the ERROR level, and logged to a file named after
1633 the container (with '.log' appended) either under the container path,
1634 or under @LOGPATH@.
1635 </para>
1636 <para>
1637 Both the default log level and the log file can be specified in the
1638 container configuration file, overriding the default behavior. Note
1639 that the configuration file entries can in turn be overridden by the
1640 command line options to <command>lxc-start</command>.
1641 </para>
1642 <variablelist>
c464fd7e
SG		 1643 <varlistentry>
1644 <term>
1645 <option>lxc.loglevel</option>
1646 </term>
1647 <listitem>
1648 <para>
1649 The level at which to log. The log level is an integer in
1650 the range of 0..8 inclusive, where a lower number means more
1651 verbose debugging. In particular 0 = trace, 1 = debug, 2 =
1652 info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
1653 alert, and 8 = fatal. If unspecified, the level defaults
1654 to 5 (error), so that only errors and above are logged.
1655 </para>
1656 <para>
1657 Note that when a script (such as either a hook script or a
1658 network interface up or down script) is called, the script's
1659 standard output is logged at level 1, debug.
1660 </para>
1661 </listitem>
1662 </varlistentry>
1663 <varlistentry>
1664 <term>
1665 <option>lxc.logfile</option>
1666 </term>
1667 <listitem>
1668 <para>
1669 The file to which logging info should be written.
1670 </para>
1671 </listitem>
1672 </varlistentry>
55fc19a1
SG		 1673 </variablelist>
1674 </refsect2>
1675
1676 <refsect2>
1677 <title>Autostart</title>
1678 <para>
1679 The autostart options support marking which containers should be
1680 auto-started and in what order. These options may be used by LXC tools
1681 directly or by external tooling provided by the distributions.
1682 </para>
1683
1684 <variablelist>
1685 <varlistentry>
1686 <term>
1687 <option>lxc.start.auto</option>
1688 </term>
1689 <listitem>
1690 <para>
1691 Whether the container should be auto-started.
1692 Valid values are 0 (off) and 1 (on).
1693 </para>
1694 </listitem>
1695 </varlistentry>
1696 <varlistentry>
1697 <term>
1698 <option>lxc.start.delay</option>
1699 </term>
1700 <listitem>
1701 <para>
1702 How long to wait (in seconds) after the container is
1703 started before starting the next one.
1704 </para>
1705 </listitem>
1706 </varlistentry>
1707 <varlistentry>
1708 <term>
1709 <option>lxc.start.order</option>
1710 </term>
1711 <listitem>
1712 <para>
1713 An integer used to sort the containers when auto-starting
1714 a series of containers at once.
1715 </para>
1716 </listitem>
1717 </varlistentry>
a8dfe4e0
WB		 1718 <varlistentry>
1719 <term>
1720 <option>lxc.monitor.unshare</option>
1721 </term>
1722 <listitem>
1723 <para>
1724 If not zero the mount namespace will be unshared from the host
1725 before initializing the container (before running any pre-start
6039eaa2
WB		 1726 hooks). This requires the CAP_SYS_ADMIN capability at startup.
1727 Default is 0.
a8dfe4e0
WB		 1728 </para>
1729 </listitem>
1730 </varlistentry>
55fc19a1
SG		 1731 <varlistentry>
1732 <term>
1733 <option>lxc.group</option>
1734 </term>
1735 <listitem>
1736 <para>
1737 A multi-value key (can be used multiple times) to put the
1738 container in a container group. Those groups can then be
1739 used (amongst other things) to start a series of related
1740 containers.
1741 </para>
1742 </listitem>
1743 </varlistentry>
1744 </variablelist>
1745 </refsect2>
015f0dd7
MW		 1746
1747 <refsect2>
1748 <title>Autostart and System Boot</title>
1749 <para>
1750 Each container can be part of any number of groups or no group at all.
1751 Two groups are special. One is the NULL group, i.e. the container does
1752 not belong to any group. The other group is the "onboot" group.
1753 </para>
1754
1755 <para>
1756 When the system boots with the LXC service enabled, it will first
1757 attempt to boot any containers with lxc.start.auto == 1 that is a member
1758 of the "onboot" group. The startup will be in order of lxc.start.order.
1759 If an lxc.start.delay has been specified, that delay will be honored
1760 before attempting to start the next container to give the current
1761 container time to begin initialization and reduce overloading the host
1762 system. After starting the members of the "onboot" group, the LXC system
1763 will proceed to boot containers with lxc.start.auto == 1 which are not
1764 members of any group (the NULL group) and proceed as with the onboot
1765 group.
1766 </para>
1767
1768 </refsect2>
7c661726
MP		 1769
1770 <refsect2>
1771 <title>Container Environment</title>
1772 <para>
c464fd7e
SG		 1773 If you want to pass environment variables into the container (that
1774 is, environment variables which will be available to init and all of
1775 its descendents), you can use <command>lxc.environment</command>
1776 parameters to do so. Be careful that you do not pass in anything
1777 sensitive; any process in the container which doesn't have its
1778 environment scrubbed will have these variables available to it, and
1779 environment variables are always available via
1780 <command>/proc/PID/environ</command>.
7c661726
MP		 1781 </para>
1782
1783 <para>
1784 This configuration parameter can be specified multiple times; once
1785 for each environment variable you wish to configure.
1786 </para>
1787
1788 <variablelist>
c464fd7e
SG		 1789 <varlistentry>
1790 <term>
1791 <option>lxc.environment</option>
1792 </term>
1793 <listitem>
1794 <para>
1795 Specify an environment variable to pass into the container.
1796 Example:
1797 </para>
1798 <programlisting>
1799 lxc.environment = APP_ENV=production
1800 lxc.environment = SYSLOG_SERVER=192.0.2.42
1801 </programlisting>
1802 </listitem>
1803 </varlistentry>
7c661726
MP		 1804 </variablelist>
1805 </refsect2>
1806
55fc19a1
SG		 1807 </refsect1>
1808
1809 <refsect1>
1810 <title>Examples</title>
1811 <para>
c464fd7e
SG		 1812 In addition to the few examples given below, you will find
1813 some other examples of configuration file in @DOCDIR@/examples
55fc19a1
SG		 1814 </para>
1815 <refsect2>
1816 <title>Network</title>
1817 <para>This configuration sets up a container to use a veth pair
c464fd7e
SG		 1818 device with one side plugged to a bridge br0 (which has been
1819 configured before on the system by the administrator). The
1820 virtual network device visible in the container is renamed to
1821 eth0.</para>
55fc19a1 1822 <programlisting>
c464fd7e
SG		 1823 lxc.utsname = myhostname
1824 lxc.network.type = veth
1825 lxc.network.flags = up
1826 lxc.network.link = br0
1827 lxc.network.name = eth0
1828 lxc.network.hwaddr = 4a:49:43:49:79:bf
1829 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1830 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
55fc19a1
SG		 1831 </programlisting>
1832 </refsect2>
1833
1834 <refsect2>
1835 <title>UID/GID mapping</title>
1836 <para>This configuration will map both user and group ids in the
1837 range 0-9999 in the container to the ids 100000-109999 on the host.
1838 </para>
1839 <programlisting>
c464fd7e
SG		 1840 lxc.id_map = u 0 100000 10000
1841 lxc.id_map = g 0 100000 10000
55fc19a1
SG		 1842 </programlisting>
1843 </refsect2>
1844
1845 <refsect2>
1846 <title>Control group</title>
1847 <para>This configuration will setup several control groups for
1848 the application, cpuset.cpus restricts usage of the defined cpu,
1849 cpus.share prioritize the control group, devices.allow makes
1850 usable the specified devices.</para>
1851 <programlisting>
c464fd7e
SG		 1852 lxc.cgroup.cpuset.cpus = 0,1
1853 lxc.cgroup.cpu.shares = 1234
1854 lxc.cgroup.devices.deny = a
1855 lxc.cgroup.devices.allow = c 1:3 rw
1856 lxc.cgroup.devices.allow = b 8:0 rw
55fc19a1
SG		 1857 </programlisting>
1858 </refsect2>
1859
1860 <refsect2>
1861 <title>Complex configuration</title>
1862 <para>This example show a complex configuration making a complex
1863 network stack, using the control groups, setting a new hostname,
1864 mounting some locations and a changing root file system.</para>
1865 <programlisting>
c464fd7e
SG		 1866 lxc.utsname = complex
1867 lxc.network.type = veth
1868 lxc.network.flags = up
1869 lxc.network.link = br0
1870 lxc.network.hwaddr = 4a:49:43:49:79:bf
1871 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1872 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
1873 lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
1874 lxc.network.type = macvlan
1875 lxc.network.flags = up
1876 lxc.network.link = eth0
1877 lxc.network.hwaddr = 4a:49:43:49:79:bd
1878 lxc.network.ipv4 = 10.2.3.4/24
1879 lxc.network.ipv4 = 192.168.10.125/24
1880 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
1881 lxc.network.type = phys
1882 lxc.network.flags = up
1883 lxc.network.link = dummy0
1884 lxc.network.hwaddr = 4a:49:43:49:79:ff
1885 lxc.network.ipv4 = 10.2.3.6/24
1886 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
1887 lxc.cgroup.cpuset.cpus = 0,1
1888 lxc.cgroup.cpu.shares = 1234
1889 lxc.cgroup.devices.deny = a
1890 lxc.cgroup.devices.allow = c 1:3 rw
1891 lxc.cgroup.devices.allow = b 8:0 rw
1892 lxc.mount = /etc/fstab.complex
1893 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
1894 lxc.rootfs = /mnt/rootfs.complex
1895 lxc.cap.drop = sys_module mknod setuid net_raw
1896 lxc.cap.drop = mac_override
55fc19a1
SG		 1897 </programlisting>
1898 </refsect2>
1899
1900 </refsect1>
1901
1902 <refsect1>
1903 <title>See Also</title>
1904 <simpara>
1905 <citerefentry>
c464fd7e
SG		 1906 <refentrytitle><command>chroot</command></refentrytitle>
1907 <manvolnum>1</manvolnum>
55fc19a1
SG		 1908 </citerefentry>,
1909
1910 <citerefentry>
c464fd7e
SG		 1911 <refentrytitle><command>pivot_root</command></refentrytitle>
1912 <manvolnum>8</manvolnum>
55fc19a1
SG		 1913 </citerefentry>,
1914
1915 <citerefentry>
c464fd7e
SG		 1916 <refentrytitle><filename>fstab</filename></refentrytitle>
1917 <manvolnum>5</manvolnum>
55fc19a1
SG		 1918 </citerefentry>,
1919
1920 <citerefentry>
c464fd7e
SG		 1921 <refentrytitle><filename>capabilities</filename></refentrytitle>
1922 <manvolnum>7</manvolnum>
55fc19a1
SG		 1923 </citerefentry>
1924 </simpara>
1925 </refsect1>
1926
1927 &seealso;
1928
1929 <refsect1>
1930 <title>Author</title>
1931 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
1932 </refsect1>
1933
1934</refentry>
1935
1936<!-- Keep this comment at the end of the file
1937Local variables:
1938mode: sgml
1939sgml-omittag:t
1940sgml-shorttag:t
1941sgml-minimize-attributes:nil
1942sgml-always-quote-attributes:t
1943sgml-indent-step:2
1944sgml-indent-data:t
1945sgml-parent-document:nil
1946sgml-default-dtd-file:nil
1947sgml-exposed-tags:nil
1948sgml-local-catalogs:nil
1949sgml-local-ecat-files:nil
1950End:
1951-->
LXC mirror