doc: Add lxc.cgroup.relative to lxc.container.conf(5)
[mirror_lxc.git] / doc / lxc.container.conf.sgml.in
<!--

lxc: linux Container library

(C) Copyright IBM Corp. 2007, 2008

Authors:
Daniel Lezcano <daniel.lezcano at free.fr>

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

-->

<!DOCTYPE refentry PUBLIC @docdtd@ [

<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
]>

<refentry>

  <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>

  <refmeta>
    <refentrytitle>lxc.container.conf</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>lxc.container.conf</refname>

    <refpurpose>
      LXC container configuration file
    </refpurpose>
  </refnamediv>

  <refsect1>
    <title>Description</title>

    <para>
      LXC is the well-known and heavily tested low-level Linux container
      runtime. It has been in active development since 2008 and has proven
      itself in critical production environments world-wide. Some of its core
      contributors are the same people that helped to implement various
      well-known containerization features inside the Linux kernel.
    </para>

    <para>
      LXC's main focus is system containers. That is, containers which offer an
      environment as close as possible to the one you'd get from a VM but
      without the overhead that comes with running a separate kernel and
      simulating all the hardware.
    </para>

    <para>
      This is achieved through a combination of kernel security features such as
      namespaces, mandatory access control and control groups.
    </para>

    <para>
      LXC has support for unprivileged containers. Unprivileged containers are
      containers that are run without any privilege. This requires support for
      user namespaces in the kernel that the container is run on. LXC was the
      first runtime to support unprivileged containers after user namespaces
      were merged into the mainline kernel.
    </para>

    <para>
      In essence, user namespaces isolate given sets of UIDs and GIDs. This is
      achieved by establishing a mapping between a range of UIDs and GIDs on the
      host to a different (unprivileged) range of UIDs and GIDs in the
      container. The kernel will translate this mapping in such a way that
      inside the container all UIDs and GIDs appear as you would expect from the
      host whereas on the host these UIDs and GIDs are in fact unprivileged. For
      example, a process running as UID and GID 0 inside the container might
      appear as UID and GID 100000 on the host. The implementation and working
      details can be gathered from the corresponding user namespace man page.
      UID and GID mappings can be defined with the <option>lxc.idmap</option>
      key.
    </para>

    <para>
      Linux containers are defined with a simple configuration file. Each
      option in the configuration file has the form <command>key =
      value</command> fitting in one line. The "#" character means the line is a
      comment. List options, like capabilities and cgroups options, can be used
      with no value to clear any previously defined values of that option.
    </para>

    <para>
      LXC namespaces configuration keys use single dots. This means complex
      configuration keys such as <option>lxc.net.0</option> expose various
      subkeys such as <option>lxc.net.0.type</option>,
      <option>lxc.net.0.link</option>, <option>lxc.net.0.ipv6.address</option>, and
      others for even more fine-grained configuration.
    </para>
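<para>
  The following is an added example, not LXC's own configuration parser. It
  reads the key = value format described above, skips "#" comment lines,
  applies the clear rule for list options (a key such as lxc.net given with no
  value drops everything set under it before), and groups lxc.net.[i].* subkeys
  by their index. The configuration it parses is constructed, and the checks in
  check_networks() are the rules stated in the Network section of this page.
</para>

```python
"""Minimal reader for the lxc.container.conf key = value format.

Added example, not LXC's own parser. It implements only the rules the man
page states: one "key = value" per line, "#" starts a comment, a list option
given with no value clears earlier values, and lxc.net.[i].* keys sharing an
index i belong to the same network. The configuration below is constructed.
"""
import re
from collections import OrderedDict

# List options: the page names lxc.net explicitly and says capabilities and
# cgroup options behave the same way. An empty value clears earlier values.
LIST_PREFIXES = ("lxc.net", "lxc.cgroup", "lxc.cap")
# Virtualization types the page lists for lxc.net.[i].type.
NET_TYPES = {"none", "empty", "veth", "vlan", "macvlan", "phys"}
NET_KEY = re.compile(r"^lxc\.net\.(\d+)\.(.+)$")

SAMPLE_CONFIG = """\
# constructed example, not a real container's configuration
lxc.uts.name = demo
lxc.net.0.type = macvlan
lxc.net.0.link = eth0
lxc.net =
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.net.0.ipv4.address = 192.168.1.123/24
lxc.net.0.ipv4.gateway = auto
lxc.net.0.veth.pair = demo-host
lxc.net.1.type = vlan
lxc.net.1.vlan.id = 42
lxc.net.2.type = none
"""


def parse_config(text):
    """Return an ordered list of (key, value) pairs with clear semantics applied."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "" and key.startswith(LIST_PREFIXES):
            # Empty value on a list option drops every earlier value under
            # that key; "lxc.net" with no value clears all lxc.net.* keys.
            entries = [(k, v) for k, v in entries
                       if k != key and not k.startswith(key + ".")]
            continue
        entries.append((key, value))
    return entries


def networks(entries):
    """Group lxc.net.[i].* keys by index; every index is one network."""
    nets = OrderedDict()
    for key, value in entries:
        m = NET_KEY.match(key)
        if m:
            nets.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return nets


def check_networks(nets, unprivileged=False):
    """Return findings a reviewer wants to see, based on the page's own rules."""
    findings = []
    for idx, net in nets.items():
        ntype = net.get("type")
        if ntype not in NET_TYPES:
            findings.append(f"net {idx}: unknown or missing type {ntype!r}")
            continue
        if ntype == "none":
            # Shares the host's network namespace; the page notes that 'halt'
            # inside such a container may shut down the host.
            findings.append(f"net {idx}: type none shares the host network namespace")
        if ntype in ("vlan", "macvlan", "phys") and "link" not in net:
            # These types are linked to the interface named by link.
            findings.append(f"net {idx}: {ntype} requires link")
        for fam in ("ipv4", "ipv6"):
            if net.get(f"{fam}.gateway") == "auto" and ntype not in ("veth", "macvlan"):
                findings.append(f"net {idx}: {fam}.gateway = auto needs veth or macvlan")
        if unprivileged and "veth.pair" in net:
            findings.append(f"net {idx}: veth.pair is ignored for unprivileged containers")
    return findings


def review(text, unprivileged=False):
    """Parse a configuration and return (networks, findings)."""
    nets = networks(parse_config(text))
    return nets, check_networks(nets, unprivileged)


if __name__ == "__main__":
    nets, findings = review(SAMPLE_CONFIG, unprivileged=True)
    for idx, net in nets.items():
        print(f"net {idx}: {net}")
    for finding in findings:
        print("finding:", finding)
```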

    <refsect2>
      <title>Configuration</title>
      <para>
        In order to ease administration of multiple related containers, it is
        possible to have a container configuration file cause another file to be
        loaded. For instance, network configuration can be defined in one common
        file which is included by multiple containers. Then, if the containers
        are moved to another host, only one file may need to be updated.
      </para>

      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.include</option>
          </term>
          <listitem>
            <para>
              Specify the file to be included. The included file must be
              in the same valid lxc configuration file format.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Architecture</title>
      <para>
        Allows one to set the architecture for the container. For example, set a
        32-bit architecture for a container running 32-bit binaries on a 64-bit
        host. This fixes the container scripts which rely on the architecture to
        do some work like downloading the packages.
      </para>

      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.arch</option>
          </term>
          <listitem>
            <para>
              Specify the architecture for the container.
            </para>
            <para>
              Some valid options are
              <option>x86</option>,
              <option>i686</option>,
              <option>x86_64</option>,
              <option>amd64</option>
            </para>
          </listitem>
        </varlistentry>
      </variablelist>

    </refsect2>

    <refsect2>
      <title>Hostname</title>
      <para>
        The utsname section defines the hostname to be set for the container.
        That means the container can set its own hostname without changing the
        one from the system. That makes the hostname private for the container.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.uts.name</option>
          </term>
          <listitem>
            <para>
              Specify the hostname for the container.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Halt signal</title>
      <para>
        Allows one to specify the signal name or number sent to the container's
        init process to cleanly shut down the container. Different init systems
        could use different signals to perform a clean shutdown sequence. This
        option allows the signal to be specified in kill(1) fashion, e.g.
        SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or a plain number. The default signal is
        SIGPWR.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.signal.halt</option>
          </term>
          <listitem>
            <para>
              Specify the signal used to halt the container.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Reboot signal</title>
      <para>
        Allows one to specify the signal name or number used to reboot the
        container. This option allows the signal to be specified in kill(1)
        fashion, e.g. SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or a plain number. The
        default signal is SIGINT.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.signal.reboot</option>
          </term>
          <listitem>
            <para>
              Specify the signal used to reboot the container.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Stop signal</title>
      <para>
        Allows one to specify the signal name or number used to forcibly shut
        down the container. This option allows the signal to be specified in
        kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or a plain
        number. The default signal is SIGKILL.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.signal.stop</option>
          </term>
          <listitem>
            <para>
              Specify the signal used to stop the container.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Init command</title>
      <para>
        Sets the command to use as the init system for the containers.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.execute.cmd</option>
          </term>
          <listitem>
            <para>
              Absolute path from the container rootfs to the binary to run by
              default. This mostly makes sense for <command>lxc-execute</command>.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.init.cmd</option>
          </term>
          <listitem>
            <para>
              Absolute path from the container rootfs to the binary to use as
              init. This mostly makes sense for <command>lxc-start</command>.
              Default is <command>/sbin/init</command>.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Init working directory</title>
      <para>
        Sets the absolute path inside the container as the working directory
        for the containers. LXC will switch to this directory before executing
        init.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.init.cwd</option>
          </term>
          <listitem>
            <para>
              Absolute path inside the container to use as the working directory.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Init ID</title>
      <para>
        Sets the UID/GID to use for the init system, and subsequent commands.
        Note that using a non-root UID when booting a system container will
        likely not work due to missing privileges. Setting the UID/GID is mostly
        useful when running application containers.

        Defaults to: UID(0), GID(0)
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.init.uid</option>
          </term>
          <listitem>
            <para>
              UID to use for init.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>
            <option>lxc.init.gid</option>
          </term>
          <listitem>
            <para>
              GID to use for init.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Proc</title>
      <para>
        Configure the proc filesystem for the container.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.proc.[proc file name]</option>
          </term>
          <listitem>
            <para>
              Specify the proc file name to be set. The file names available
              are those listed under /proc/PID/.
              Example:
            </para>
            <programlisting>
lxc.proc.oom_score_adj = 10
            </programlisting>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Ephemeral</title>
      <para>
        Allows one to specify whether a container will be destroyed on shutdown.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.ephemeral</option>
          </term>
          <listitem>
            <para>
              The only allowed values are 0 and 1. Set this to 1 to destroy a
              container on shutdown.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Network</title>
      <para>
        The network section defines how the network is virtualized in
        the container. The network virtualization acts at layer
        two. In order to use the network virtualization, parameters
        must be specified to define the network interfaces of the
        container. Several virtual interfaces can be assigned and used
        in a container even if the system has only one physical
        network interface.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.net</option>
          </term>
          <listitem>
            <para>
              May be used without a value to clear all previous network options.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>
            <option>lxc.net.[i].type</option>
          </term>
          <listitem>
            <para>
              Specify what kind of network virtualization is to be used
              for the container.
              Multiple networks can be specified by using an additional index
              <option>i</option>
              after all <option>lxc.net.*</option> keys. For example,
              <option>lxc.net.0.type = veth</option> and
              <option>lxc.net.1.type = veth</option> specify two different
              networks of the same type. All keys sharing the same index
              <option>i</option> will be treated as belonging to the same
              network. For example, <option>lxc.net.0.link = br0</option>
              will belong to <option>lxc.net.0.type</option>.
              Currently, the different virtualization types can be:
            </para>

            <para>
              <option>none:</option> will cause the container to share
              the host's network namespace. This means the host
              network devices are usable in the container. It also
              means that if both the container and host have upstart as
              init, 'halt' in a container (for instance) will shut down the
              host. Note that unprivileged containers do not work with this
              setting due to an inability to mount sysfs. An unsafe workaround
              would be to bind mount the host's sysfs.
            </para>

            <para>
              <option>empty:</option> will create only the loopback
              interface.
            </para>

            <para>
              <option>veth:</option> a virtual ethernet pair
              device is created with one side assigned to the container
              and the other side attached to a bridge specified by
              the <option>lxc.net.[i].link</option> option.
              If the bridge is not specified, then the veth pair device
              will be created but not attached to any bridge.
              Otherwise, the bridge has to be created on the system
              before starting the container.
              <command>lxc</command> won't handle any
              configuration outside of the container.
              By default, <command>lxc</command> chooses a name for the
              network device belonging to the outside of the
              container, but if you wish to handle
              this name yourself, you can tell <command>lxc</command>
              to set a specific name with
              the <option>lxc.net.[i].veth.pair</option> option (except for
              unprivileged containers where this option is ignored for security
              reasons).
            </para>

            <para>
              <option>vlan:</option> a vlan interface is linked with
              the interface specified by
              the <option>lxc.net.[i].link</option> and assigned to
              the container. The vlan identifier is specified with the
              option <option>lxc.net.[i].vlan.id</option>.
            </para>

            <para>
              <option>macvlan:</option> a macvlan interface is linked
              with the interface specified by
              the <option>lxc.net.[i].link</option> and assigned to
              the container.
              <option>lxc.net.[i].macvlan.mode</option> specifies the
              mode the macvlan will use to communicate between
              different macvlans on the same upper device. The accepted
              modes are <option>private</option>, <option>vepa</option>,
              <option>bridge</option> and <option>passthru</option>.
              In <option>private</option> mode, the device never
              communicates with any other device on the same upper_dev (default).
              In <option>vepa</option> mode, the Virtual Ethernet Port
              Aggregator (VEPA) mode, it is assumed that the adjacent
              bridge returns all frames where both source and
              destination are local to the macvlan port, i.e. the
              bridge is set up as a reflective relay. Broadcast
              frames coming in from the upper_dev get flooded to all
              macvlan interfaces in VEPA mode; local frames are not
              delivered locally. In <option>bridge</option> mode, it
              provides the behavior of a simple bridge between
              different macvlan interfaces on the same port. Frames
              from one interface to another one get delivered directly
              and are not sent out externally. Broadcast frames get
              flooded to all other bridge ports and to the external
              interface, but when they come back from a reflective
              relay, we don't deliver them again. Since we know all
              the MAC addresses, the macvlan bridge mode does not
              require learning or STP like the bridge module does. In
              <option>passthru</option> mode, all frames received by
              the physical interface are forwarded to the macvlan
              interface. Only one macvlan interface in <option>passthru</option>
              mode is possible for one physical interface.
            </para>

            <para>
              <option>phys:</option> an already existing interface
              specified by the <option>lxc.net.[i].link</option> is
              assigned to the container.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].flags</option>
          </term>
          <listitem>
            <para>
              Specify an action to do for the network.
            </para>

            <para><option>up:</option> activates the interface.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].link</option>
          </term>
          <listitem>
            <para>
              Specify the interface to be used for real network traffic.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].mtu</option>
          </term>
          <listitem>
            <para>
              Specify the maximum transfer unit for this interface.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].name</option>
          </term>
          <listitem>
            <para>
              The interface name is dynamically allocated, but if another name
              is needed because the configuration files being used by the
              container use a generic name, e.g. eth0, this option will rename
              the interface in the container.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].hwaddr</option>
          </term>
          <listitem>
            <para>
              The interface MAC address is dynamically allocated by default to
              the virtual interface, but in some cases this option is needed to
              resolve a MAC address conflict or to always have the same
              link-local IPv6 address. Any "x" in the address will be replaced
              by a random value; this allows setting hwaddr templates.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].ipv4.address</option>
          </term>
          <listitem>
            <para>
              Specify the IPv4 address to assign to the virtualized interface.
              Several lines specify several IPv4 addresses. The address is in
              the format x.y.z.t/m, e.g. 192.168.1.123/24.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].ipv4.gateway</option>
          </term>
          <listitem>
            <para>
              Specify the IPv4 address to use as the gateway inside the
              container. The address is in the format x.y.z.t, e.g. 192.168.1.123.

              Can also have the special value <option>auto</option>,
              which means to take the primary address from the bridge
              interface (as specified by the
              <option>lxc.net.[i].link</option> option) and use that as
              the gateway. <option>auto</option> is only available when
              using the <option>veth</option> and
              <option>macvlan</option> network types.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].ipv6.address</option>
          </term>
          <listitem>
            <para>
              Specify the IPv6 address to assign to the virtualized
              interface. Several lines specify several IPv6 addresses. The
              address is in the format x::y/m, e.g.
              2003:db8:1:0:214:1234:fe0b:3596/64
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].ipv6.gateway</option>
          </term>
          <listitem>
            <para>
              Specify the IPv6 address to use as the gateway inside the
              container. The address is in the format x::y, e.g. 2003:db8:1:0::1

              Can also have the special value <option>auto</option>,
              which means to take the primary address from the bridge
              interface (as specified by the
              <option>lxc.net.[i].link</option> option) and use that as
              the gateway. <option>auto</option> is only available when
              using the <option>veth</option> and
              <option>macvlan</option> network types.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].script.up</option>
          </term>
          <listitem>
            <para>
              Add a configuration option to specify a script to be
              executed after creating and configuring the network used
              from the host side.
            </para>

            <para>
              In addition to the information available to all hooks, the
              following information is provided to the script:
              <itemizedlist>
                <listitem>
                  <para>
                    LXC_HOOK_TYPE: the hook type. This is either 'up' or 'down'.
                  </para>
                </listitem>

                <listitem>
                  <para>
                    LXC_HOOK_SECTION: the section type 'net'.
                  </para>
                </listitem>

                <listitem>
                  <para>
                    LXC_NET_TYPE: the network type. This is one of the valid
                    network types listed here (e.g. 'macvlan', 'veth').
                  </para>
                </listitem>

                <listitem>
                  <para>
                    LXC_NET_PARENT: the parent device on the host. This is only
                    set for network types 'macvlan', 'veth', 'phys'.
                  </para>
                </listitem>

                <listitem>
                  <para>
                    LXC_NET_PEER: the name of the peer device on the host. This is
                    only set for 'veth' network types. Note that this information
                    is only available when <option>lxc.hook.version</option> is set
                    to 1.
                  </para>
                </listitem>
              </itemizedlist>

              Whether this information is provided in the form of environment
              variables or as arguments to the script depends on the value of
              <option>lxc.hook.version</option>. If set to 1 then information is
              provided in the form of environment variables. If set to 0
              information is provided as arguments to the script.
            </para>

            <para>
              Standard output from the script is logged at debug level.
              Standard error is not logged, but can be captured by the
              hook redirecting its standard error to standard output.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.net.[i].script.down</option>
          </term>
          <listitem>
            <para>
              Add a configuration option to specify a script to be
              executed before destroying the network used from the
              host side.
            </para>

            <para>
              In addition to the information available to all hooks, the
              following information is provided to the script:
              <itemizedlist>
                <listitem>
                  <para>
                    LXC_HOOK_TYPE: the hook type. This is either 'up' or 'down'.
                  </para>
                </listitem>

                <listitem>
                  <para>
                    LXC_HOOK_SECTION: the section type 'net'.
                  </para>
                </listitem>

                <listitem>
                  <para>
                    LXC_NET_TYPE: the network type. This is one of the valid
                    network types listed here (e.g. 'macvlan', 'veth').
                  </para>
                </listitem>

                <listitem>
                  <para>
                    LXC_NET_PARENT: the parent device on the host. This is only
                    set for network types 'macvlan', 'veth', 'phys'.
                  </para>
                </listitem>

                <listitem>
                  <para>
                    LXC_NET_PEER: the name of the peer device on the host. This is
                    only set for 'veth' network types. Note that this information
                    is only available when <option>lxc.hook.version</option> is set
                    to 1.
                  </para>
                </listitem>
              </itemizedlist>

              Whether this information is provided in the form of environment
              variables or as arguments to the script depends on the value of
              <option>lxc.hook.version</option>. If set to 1 then information is
              provided in the form of environment variables. If set to 0
              information is provided as arguments to the script.
            </para>

            <para>
              Standard output from the script is logged at debug level.
              Standard error is not logged, but can be captured by the
              hook redirecting its standard error to standard output.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>
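<para>
  An added example of a hook usable as <option>lxc.net.[i].script.up</option>
  or <option>lxc.net.[i].script.down</option>; it is not part of LXC. It
  assumes <option>lxc.hook.version</option> = 1 so that the variables listed
  above arrive in the environment, and refuses version 0 rather than guessing
  the argument order. LXC_HOOK_VERSION and LXC_NAME are variables liblxc hands
  to every hook and are not described in this section. Standard error is
  redirected to standard output so that errors reach the debug log.
</para>

```python
#!/usr/bin/env python3
"""Network hook for lxc.net.[i].script.up and lxc.net.[i].script.down.

Added example, not part of LXC. It requires lxc.hook.version = 1 so that the
information listed on this page arrives as environment variables; with
version 0 the same data comes as script arguments, which this hook refuses
rather than guessing their order. LXC_HOOK_VERSION and LXC_NAME are variables
liblxc provides to every hook; they are not described in the network section.
"""
import os
import sys

NET_TYPES = {"none", "empty", "veth", "vlan", "macvlan", "phys"}
PARENT_TYPES = {"macvlan", "veth", "phys"}   # LXC_NET_PARENT only set for these


def describe_net_hook(env):
    """Validate the hook environment and return a dict describing the event."""
    if env.get("LXC_HOOK_VERSION") != "1":
        raise RuntimeError("this hook needs lxc.hook.version = 1")
    if env.get("LXC_HOOK_SECTION") != "net":
        raise RuntimeError(f"unexpected section {env.get('LXC_HOOK_SECTION')!r}")
    hook_type = env.get("LXC_HOOK_TYPE")
    if hook_type not in ("up", "down"):
        raise RuntimeError(f"unexpected hook type {hook_type!r}")
    net_type = env.get("LXC_NET_TYPE")
    if net_type not in NET_TYPES:
        raise RuntimeError(f"unexpected network type {net_type!r}")
    event = {"hook": hook_type, "type": net_type}
    if net_type in PARENT_TYPES:
        # The parent device on the host, e.g. the bridge from lxc.net.[i].link.
        event["parent"] = env.get("LXC_NET_PARENT", "")
    if net_type == "veth":
        # Host side of the veth pair; only provided with hook version 1.
        peer = env.get("LXC_NET_PEER", "")
        if not peer:
            raise RuntimeError("veth hook without LXC_NET_PEER")
        event["peer"] = peer
    return event


def format_line(event, name):
    """One log line: container, hook type, network type and host-side devices."""
    parts = [f"container={name}", f"hook={event['hook']}", f"type={event['type']}"]
    parts += [f"{k}={event[k]}" for k in ("parent", "peer") if k in event]
    return " ".join(parts)


def main(env=os.environ):
    # Only standard output is logged (at debug level), so send errors there too.
    sys.stderr = sys.stdout
    try:
        event = describe_net_hook(env)
    except RuntimeError as err:
        print(f"net-hook: {err}")
        return 1
    print(format_line(event, env.get("LXC_NAME", "unknown")))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```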

    <refsect2>
      <title>New pseudo tty instance (devpts)</title>
      <para>
        For stricter isolation the container can have its own private
        instance of the pseudo tty.
      </para>
      <variablelist>
        <varlistentry>
          <term>
            <option>lxc.pty.max</option>
          </term>
          <listitem>
            <para>
              If set, the container will have a new pseudo tty
              instance, making this private to it. The value specifies
              the maximum number of pseudo ttys allowed for a pts
              instance (this limitation is not implemented yet).
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>

    <refsect2>
      <title>Container system console</title>
      <para>
        If the container is configured with a root filesystem and the
        inittab file is set up to use the console, you may want to specify
        where the output of this console goes.
      </para>
      <variablelist>

        <varlistentry>
          <term>
            <option>lxc.console.buffer.size</option>
          </term>
          <listitem>
            <para>
              Setting this option instructs liblxc to allocate an in-memory
              ringbuffer. The container's console output will be written to the
              ringbuffer. Note that the ringbuffer must be at least as big as a
              standard page size. When passed a value smaller than a single page
              size liblxc will allocate a ringbuffer of a single page size. A page
              size is usually 4KB.

              The keyword 'auto' will cause liblxc to allocate a ringbuffer of
              128KB.

              When manually specifying a size for the ringbuffer the value should
              be a power of 2 when converted to bytes. Valid size prefixes are
              'KB', 'MB', 'GB'. (Note that all conversions are based on multiples
              of 1024. That means 'KB' == 'KiB', 'MB' == 'MiB', 'GB' == 'GiB'.
              Additionally, the case of the suffix is ignored, i.e. 'kB', 'KB' and
              'Kb' are treated equally.)
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.console.size</option>
          </term>
          <listitem>
            <para>
              Setting this option instructs liblxc to place a limit on the size of
              the console log file specified in
              <option>lxc.console.logfile</option>. Note that the size of the log
              file must be at least as big as a standard page size. When passed a
              value smaller than a single page size liblxc will set the size of
              the log file to a single page size. A page size is usually 4KB.

              The keyword 'auto' will cause liblxc to place a limit of 128KB on
              the log file.

              When manually specifying a size for the log file the value should
              be a power of 2 when converted to bytes. Valid size prefixes are
              'KB', 'MB', 'GB'. (Note that all conversions are based on multiples
              of 1024. That means 'KB' == 'KiB', 'MB' == 'MiB', 'GB' == 'GiB'.
              Additionally, the case of the suffix is ignored, i.e. 'kB', 'KB' and
              'Kb' are treated equally.)

              If users want to mirror the console ringbuffer on disk they should set
              <option>lxc.console.size</option> equal to
              <option>lxc.console.buffer.size</option>.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.console.logfile</option>
          </term>
          <listitem>
            <para>
              Specify a path to a file where the console output will be written.
              Note that in contrast to the on-disk ringbuffer logfile this file
              will keep growing, potentially filling up the user's disks if not
              rotated and deleted. This problem can also be avoided by using the
              in-memory ringbuffer options
              <option>lxc.console.buffer.size</option> and
              <option>lxc.console.buffer.logfile</option>.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.console.rotate</option>
          </term>
          <listitem>
            <para>
              Whether to rotate the console logfile specified in
              <option>lxc.console.logfile</option>. Users can send an API
              request to rotate the logfile. Note that the old logfile will have
              the same name as the original with the suffix ".1" appended.

              Users wishing to prevent the console log file from filling the
              disk should rotate the logfile and delete it if unneeded. This
              problem can also be avoided by using the in-memory ringbuffer
              options <option>lxc.console.buffer.size</option> and
              <option>lxc.console.buffer.logfile</option>.
            </para>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>
            <option>lxc.console.path</option>
          </term>
          <listitem>
            <para>
              Specify a path to a device to which the console will be
              attached. The keyword 'none' will simply disable the
              console. Note that when specifying 'none' and creating a device
              node for the console in the container at /dev/console, or
              bind-mounting the host's /dev/console into the container at
              /dev/console, the container will have direct access to the host's
              /dev/console. This is dangerous when the container has write
              access to the device and should thus be used with caution.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </refsect2>
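<para>
  An added example (not liblxc code) of the size rules that
  <option>lxc.console.buffer.size</option> and <option>lxc.console.size</option>
  share: 'auto', the 1024-based case-insensitive suffixes, the one-page minimum
  and the power-of-two requirement. It assumes a page is 4096 bytes, treats a
  bare number as bytes, and rejects a zero or non-power-of-two value rather than
  adjusting it; the page only says what the value should be, not what liblxc
  does otherwise.
</para>

```python
"""Size rules for lxc.console.buffer.size and lxc.console.size.

Added example, not liblxc's code. Rules from the man page: 'auto' is 128KB,
suffixes KB/MB/GB are multiples of 1024 and case-insensitive, a value below
one page is raised to one page, and the byte count should be a power of 2.
Assumptions: a page is 4096 bytes, a bare number is bytes, and values that
are not a power of 2 (or are zero) are rejected rather than adjusted.
"""
import re

PAGE_SIZE = 4096          # "A page size is usually 4KB"
AUTO_SIZE = 128 * 1024    # 'auto': 128KB ringbuffer / log file limit
UNITS = {"": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
SIZE_RE = re.compile(r"^\s*(\d+)\s*([kKmMgG][bB])?\s*$")


class SizeError(ValueError):
    """A value this example does not accept under the page's rules."""


def parse_console_size(value):
    """Return the effective size in bytes for a console size option value."""
    if value.strip().lower() == "auto":
        return AUTO_SIZE
    m = SIZE_RE.match(value)
    if not m:
        raise SizeError(f"unparseable size {value!r}")
    number = int(m.group(1))
    unit = (m.group(2) or "").upper()    # 'kB', 'KB' and 'Kb' are all KB
    size = number * UNITS[unit]
    if size == 0:
        raise SizeError("size must be positive")
    if size < PAGE_SIZE:
        # liblxc falls back to a single page for anything smaller.
        return PAGE_SIZE
    if size & (size - 1):
        raise SizeError(f"{value!r} is {size} bytes, not a power of 2")
    return size


def is_valid_size(value):
    """True when parse_console_size() accepts the value."""
    try:
        parse_console_size(value)
        return True
    except SizeError:
        return False


def mirrors_ringbuffer(buffer_size, log_size):
    """True when lxc.console.size equals lxc.console.buffer.size in bytes,
    i.e. the on-disk log mirrors the in-memory ringbuffer exactly."""
    return parse_console_size(buffer_size) == parse_console_size(log_size)


if __name__ == "__main__":
    for v in ("auto", "128kb", "4KB", "1024", "3MB", "2GiB"):
        print(v, "->", parse_console_size(v) if is_valid_size(v) else "rejected")
```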
925
  <refsect2>
    <title>Console through the ttys</title>
    <para>
      This option is useful if the container is configured with a root
      filesystem and the inittab file is set up to launch a getty on the
      ttys. The option specifies the number of ttys to be available for
      the container. The number of gettys in the inittab file of the
      container should not be greater than the number of ttys specified
      in this option, otherwise the excess getty sessions will die and
      respawn indefinitely, giving annoying messages on the console or in
      <filename>/var/log/messages</filename>.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.tty.max</option>
        </term>
        <listitem>
          <para>
            Specify the number of ttys to make available to the
            container.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Console devices location</title>
    <para>
      LXC consoles are provided through Unix98 PTYs created on the
      host and bind-mounted over the expected devices in the container.
      By default, they are bind-mounted over <filename>/dev/console</filename>
      and <filename>/dev/ttyN</filename>. This can prevent package upgrades
      in the guest. Therefore you can specify a directory location (under
      <filename>/dev</filename>) under which LXC will create the files and
      bind-mount over them. These will then be symbolically linked to
      <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
      A package upgrade can then succeed as it is able to remove and replace
      the symbolic links.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.tty.dir</option>
        </term>
        <listitem>
          <para>
            Specify a directory under <filename>/dev</filename>
            under which to create the container console devices. Note that LXC
            will move any bind-mounts or device nodes for /dev/console into
            this directory.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>/dev directory</title>
    <para>
      By default, lxc creates a few symbolic links (fd, stdin, stdout, stderr)
      in the container's <filename>/dev</filename> directory but does not
      automatically create device node entries. This allows the container's
      <filename>/dev</filename> to be set up as needed in the container
      rootfs. If lxc.autodev is set to 1, then after mounting the container's
      rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
      (limited to 500k) and fill in a minimal set of initial devices.
      This is generally required when starting a container containing
      a "systemd" based "init" but may be optional at other times. Additional
      devices in the container's /dev directory may be created through the
      use of the <option>lxc.hook.autodev</option> hook.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.autodev</option>
        </term>
        <listitem>
          <para>
            Set this to 0 to stop LXC from mounting and populating a minimal
            <filename>/dev</filename> when starting the container.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Mount points</title>
    <para>
      The mount points section specifies the different places to be
      mounted. These mount points will be private to the container
      and won't be visible to the processes running outside of the
      container. This is useful to mount /etc, /var or /home, for
      example.
    </para>
    <para>
      NOTE - LXC will generally ensure that mount targets and relative
      bind-mount sources are properly confined under the container
      root, to avoid attacks involving over-mounting host directories
      and files. (Symbolic links in absolute mount sources are ignored.)
      However, if the container configuration first mounts a directory which
      is under the control of the container user, such as /home/joe, into
      the container at some <filename>path</filename>, and then mounts
      under <filename>path</filename>, then a TOCTTOU attack would be
      possible where the container user modifies a symbolic link under
      his home directory at just the right time.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.mount.fstab</option>
        </term>
        <listitem>
          <para>
            Specify a file location in
            the <filename>fstab</filename> format, containing the
            mount information. The mount target location can and in
            most cases should be a relative path, which will become
            relative to the mounted container root. For instance,
          </para>
          <programlisting>
proc proc proc nodev,noexec,nosuid 0 0
          </programlisting>
          <para>
            will mount a proc filesystem under the container's /proc,
            regardless of where the root filesystem comes from. This
            is resilient to block device backed filesystems as well as
            container cloning.
          </para>
          <para>
            Note that when mounting a filesystem from an
            image file or block device the third field (fs_vfstype)
            cannot be auto as with
            <citerefentry>
              <refentrytitle>mount</refentrytitle>
              <manvolnum>8</manvolnum>
            </citerefentry>
            but must be explicitly specified.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>
          <option>lxc.mount.entry</option>
        </term>
        <listitem>
          <para>
            Specify a mount point corresponding to a line in the
            fstab format.

            Moreover lxc supports mount propagation, such as rslave or
            rprivate, and adds three additional mount options:
            <option>optional</option> does not fail if the mount does not work;
            <option>create=dir</option> or <option>create=file</option>
            creates the directory (or file) when the mount point is mounted;
            <option>relative</option> makes the source path relative to
            the mounted container root. For instance,
          </para>
<screen>
dev/null proc/kcore none bind,relative 0 0
</screen>
          <para>
            will expand dev/null to ${<option>LXC_ROOTFS_MOUNT</option>}/dev/null,
            and mount it to proc/kcore inside the container.
          </para>
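          <para>
            The following is an added example, not code from liblxc, that
            models the entry format described above in Python: it parses the
            fstab fields, picks out LXC's own <option>optional</option>,
            <option>create=</option> and <option>relative</option> options,
            expands a <option>relative</option> source under the mounted
            container root, and applies a lexical version of the confinement
            rule from the NOTE above (a target must stay under the root). The
            rootfs path used below is a constructed sample; treating absolute
            targets the same way as relative ones is an assumption of this
            example.
          </para>

```python
"""Parse lxc.mount.entry lines and resolve them against a container root.

Added, illustrative model of the documented semantics; not liblxc code.
"""
from dataclasses import dataclass, field
import posixpath

# Options understood by LXC itself; everything else is passed on to mount.
LXC_EXTRA_OPTIONS = ("optional", "create=dir", "create=file", "relative")


@dataclass
class MountEntry:
    source: str
    target: str
    fstype: str
    options: list = field(default_factory=list)
    optional: bool = False   # do not fail the container start if the mount fails
    create: str = None       # "dir" or "file": create the mount point first
    relative: bool = False   # source is relative to the mounted container root

    @property
    def mount_options(self):
        """Options left for mount(8) once LXC's own options are removed."""
        return [o for o in self.options if o not in LXC_EXTRA_OPTIONS]


def parse_mount_entry(line):
    """Parse 'source target fstype options [freq passno]' into a MountEntry."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("mount entry needs at least 4 fields: %r" % line)
    source, target, fstype, opts = fields[:4]
    entry = MountEntry(source, target, fstype, opts.split(","))
    for opt in entry.options:
        if opt == "optional":
            entry.optional = True
        elif opt.startswith("create="):
            kind = opt[len("create="):]
            if kind not in ("dir", "file"):
                raise ValueError("unknown create= kind %r in %r" % (kind, line))
            entry.create = kind
        elif opt == "relative":
            entry.relative = True
    return entry


def is_confined(path, rootfs_mount):
    """Lexically check that path, taken under rootfs_mount, cannot climb out.

    LXC additionally resolves symlinks safely at mount time; this check only
    catches '..' components, which is what a config linter can do offline.
    """
    root = posixpath.normpath(rootfs_mount)
    prefix = root if root.endswith("/") else root + "/"
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    return full == root or full.startswith(prefix)


def resolve_paths(entry, rootfs_mount):
    """Return (source, target) as host paths for entry.

    Assumption of this example: relative and absolute targets are both placed
    under rootfs_mount.  The source is placed under rootfs_mount only when the
    'relative' option was given; otherwise it names a host path as written.
    """
    if not is_confined(entry.target, rootfs_mount):
        raise ValueError("mount target %r escapes the container root" % entry.target)
    root = posixpath.normpath(rootfs_mount)
    target = posixpath.normpath(posixpath.join(root, entry.target.lstrip("/")))
    if entry.relative:
        if not is_confined(entry.source, rootfs_mount):
            raise ValueError("relative source %r escapes the container root" % entry.source)
        source = posixpath.normpath(posixpath.join(root, entry.source.lstrip("/")))
    else:
        source = entry.source
    return source, target
```

          <para>
            Running <literal>resolve_paths(parse_mount_entry("dev/null proc/kcore none bind,relative 0 0"), "/var/lib/lxc/c1/rootfs")</literal>
            yields the expanded source under the rootfs and the target
            <filename>proc/kcore</filename> under it, while a target such as
            <filename>../../etc</filename> is rejected before anything is
            mounted.
          </para>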
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>
          <option>lxc.mount.auto</option>
        </term>
        <listitem>
          <para>
            Specify which standard kernel file systems should be
            automatically mounted. This may dramatically simplify
            the configuration. The file systems are:
          </para>
          <itemizedlist>
            <listitem>
              <para>
                <option>proc:mixed</option> (or <option>proc</option>):
                mount <filename>/proc</filename> as read-write, but
                remount <filename>/proc/sys</filename> and
                <filename>/proc/sysrq-trigger</filename> read-only
                for security / container isolation purposes.
              </para>
            </listitem>
            <listitem>
              <para>
                <option>proc:rw</option>: mount
                <filename>/proc</filename> as read-write.
              </para>
            </listitem>
            <listitem>
              <para>
                <option>sys:mixed</option> (or <option>sys</option>):
                mount <filename>/sys</filename> as read-only but with
                /sys/devices/virtual/net writable.
              </para>
            </listitem>
            <listitem>
              <para>
                <option>sys:ro</option>:
                mount <filename>/sys</filename> as read-only
                for security / container isolation purposes.
              </para>
            </listitem>
            <listitem>
              <para>
                <option>sys:rw</option>: mount
                <filename>/sys</filename> as read-write.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup:mixed</option>:
                Mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
                create directories for all hierarchies to which the container
                is added, create subdirectories in those hierarchies with the
                name of the cgroup, and bind-mount the container's own cgroup
                into that directory. The container will be able to write to
                its own cgroup directory, but not the parents, since they will
                be remounted read-only.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup:mixed:force</option>:
                The <option>force</option> option will cause LXC to perform
                the cgroup mounts for the container under all circumstances.
                Otherwise it is similar to <option>cgroup:mixed</option>.
                This is mainly useful when cgroup namespaces are enabled,
                where LXC will normally leave mounting cgroups to the init
                binary of the container since it is perfectly safe to do so.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup:ro</option>:
                similar to <option>cgroup:mixed</option>, but everything will
                be mounted read-only.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup:ro:force</option>:
                The <option>force</option> option will cause LXC to perform
                the cgroup mounts for the container under all circumstances.
                Otherwise it is similar to <option>cgroup:ro</option>.
                This is mainly useful when cgroup namespaces are enabled,
                where LXC will normally leave mounting cgroups to the init
                binary of the container since it is perfectly safe to do so.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup:rw</option>: similar to
                <option>cgroup:mixed</option>, but everything will be mounted
                read-write. Note that the paths leading up to the container's
                own cgroup will be writable, but will not be a cgroup
                filesystem but just part of the tmpfs of
                <filename>/sys/fs/cgroup</filename>.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup:rw:force</option>:
                The <option>force</option> option will cause LXC to perform
                the cgroup mounts for the container under all circumstances.
                Otherwise it is similar to <option>cgroup:rw</option>.
                This is mainly useful when cgroup namespaces are enabled,
                where LXC will normally leave mounting cgroups to the init
                binary of the container since it is perfectly safe to do so.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup</option> (without specifier):
                defaults to <option>cgroup:rw</option> if the
                container retains the CAP_SYS_ADMIN capability,
                <option>cgroup:mixed</option> otherwise.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup-full:mixed</option>:
                mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
                create directories for all hierarchies to which
                the container is added, bind-mount the hierarchies
                from the host to the container and make everything
                read-only except the container's own cgroup. Note
                that compared to <option>cgroup</option>, where
                all paths leading up to the container's own cgroup
                are just simple directories in the underlying
                tmpfs, here
                <filename>/sys/fs/cgroup/$hierarchy</filename>
                will contain the host's full cgroup hierarchy,
                albeit read-only outside the container's own cgroup.
                This may leak quite a bit of information into the
                container.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup-full:mixed:force</option>:
                The <option>force</option> option will cause LXC to perform
                the cgroup mounts for the container under all circumstances.
                Otherwise it is similar to <option>cgroup-full:mixed</option>.
                This is mainly useful when cgroup namespaces are enabled,
                where LXC will normally leave mounting cgroups to the init
                binary of the container since it is perfectly safe to do so.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup-full:ro</option>: similar to
                <option>cgroup-full:mixed</option>, but everything
                will be mounted read-only.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup-full:ro:force</option>:
                The <option>force</option> option will cause LXC to perform
                the cgroup mounts for the container under all circumstances.
                Otherwise it is similar to <option>cgroup-full:ro</option>.
                This is mainly useful when cgroup namespaces are enabled,
                where LXC will normally leave mounting cgroups to the init
                binary of the container since it is perfectly safe to do so.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup-full:rw</option>: similar to
                <option>cgroup-full:mixed</option>, but everything
                will be mounted read-write. Note that in this case,
                the container may escape its own cgroup. (Note also
                that if the container has CAP_SYS_ADMIN support
                and can mount the cgroup filesystem itself, it may
                do so anyway.)
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup-full:rw:force</option>:
                The <option>force</option> option will cause LXC to perform
                the cgroup mounts for the container under all circumstances.
                Otherwise it is similar to <option>cgroup-full:rw</option>.
                This is mainly useful when cgroup namespaces are enabled,
                where LXC will normally leave mounting cgroups to the init
                binary of the container since it is perfectly safe to do so.
              </para>
            </listitem>

            <listitem>
              <para>
                <option>cgroup-full</option> (without specifier):
                defaults to <option>cgroup-full:rw</option> if the
                container retains the CAP_SYS_ADMIN capability,
                <option>cgroup-full:mixed</option> otherwise.
              </para>
            </listitem>

          </itemizedlist>
          <para>
            If cgroup namespaces are enabled, then any <option>cgroup</option>
            auto-mounting request will be ignored, since the container can
            mount the filesystems itself, and automounting can confuse the
            container init.
          </para>
          <para>
            Note that if automatic mounting of the cgroup filesystem
            is enabled, the tmpfs under
            <filename>/sys/fs/cgroup</filename> will always be
            mounted read-write (but for the <option>:mixed</option>
            and <option>:ro</option> cases, the individual
            hierarchies,
            <filename>/sys/fs/cgroup/$hierarchy</filename>, will be
            read-only). This is in order to work around a quirk in
            Ubuntu's
            <citerefentry>
              <refentrytitle>mountall</refentrytitle>
              <manvolnum>8</manvolnum>
            </citerefentry>
            command that will cause containers to wait for user
            input at boot if
            <filename>/sys/fs/cgroup</filename> is mounted read-only
            and the container can't remount it read-write due to a
            lack of CAP_SYS_ADMIN.
          </para>
          <para>
            Examples:
          </para>
          <programlisting>
lxc.mount.auto = proc sys cgroup
lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
          </programlisting>
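          <para>
            As an added example (not liblxc code), the following Python
            function parses an <option>lxc.mount.auto</option> value into
            per-filesystem (mode, force) settings using the spellings listed
            above: the bare <option>proc</option> and <option>sys</option>
            default to <option>:mixed</option>, a bare <option>cgroup</option>
            or <option>cgroup-full</option> defaults to <option>:rw</option>
            or <option>:mixed</option> depending on whether the container
            keeps CAP_SYS_ADMIN, <option>:force</option> is accepted only on
            the cgroup variants, and with cgroup namespaces enabled a cgroup
            request without <option>:force</option> is dropped. The two
            keyword arguments that stand in for "container keeps CAP_SYS_ADMIN"
            and "cgroup namespaces are enabled" are this example's own.
          </para>

```python
"""Parse lxc.mount.auto into {filesystem: (mode, force)}.

Added, illustrative model of the documented spellings; not liblxc code.
"""

# Modes each auto-mountable filesystem accepts, per the list above.
ALLOWED_MODES = {
    "proc": ("mixed", "rw"),
    "sys": ("mixed", "ro", "rw"),
    "cgroup": ("mixed", "ro", "rw"),
    "cgroup-full": ("mixed", "ro", "rw"),
}


def parse_mount_auto(value, keeps_cap_sys_admin=True, cgroup_ns=False):
    """Return {fs: (mode, force)} for a space-separated lxc.mount.auto value.

    keeps_cap_sys_admin: selects the default mode of a bare cgroup/cgroup-full.
    cgroup_ns: when True, cgroup requests without ':force' are ignored, as the
    page says happens when cgroup namespaces are enabled.
    Both flags are inputs this example takes instead of probing the system.
    """
    result = {}
    for token in value.split():
        parts = token.split(":")
        fs, spec = parts[0], parts[1:]
        if fs not in ALLOWED_MODES:
            raise ValueError("unknown filesystem in lxc.mount.auto: %r" % fs)
        force = False
        if spec and spec[-1] == "force":
            if not fs.startswith("cgroup"):
                raise ValueError("':force' is only documented for cgroup mounts: %r" % token)
            force = True
            spec = spec[:-1]
        if len(spec) > 1:
            raise ValueError("malformed lxc.mount.auto token: %r" % token)
        if spec:
            mode = spec[0]
            if mode not in ALLOWED_MODES[fs]:
                raise ValueError("mode %r is not valid for %s" % (mode, fs))
        elif fs in ("proc", "sys"):
            mode = "mixed"                       # documented default
        else:
            mode = "rw" if keeps_cap_sys_admin else "mixed"
        if fs.startswith("cgroup") and cgroup_ns and not force:
            continue                             # container init mounts cgroups itself
        result[fs] = (mode, force)
    return result
```

          <para>
            For the two example lines above, <literal>parse_mount_auto("proc sys cgroup")</literal>
            yields proc and sys in mixed mode and cgroup read-write, and
            <literal>parse_mount_auto("proc:rw sys:rw cgroup-full:rw")</literal>
            yields all three read-write.
          </para>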
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect2>

  <refsect2>
    <title>Root file system</title>
    <para>
      The root file system of the container can be different from that
      of the host system.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.rootfs.path</option>
        </term>
        <listitem>
          <para>
            Specify the root file system for the container. It can
            be an image file, a directory or a block device. If not
            specified, the container shares its root file system
            with the host.
          </para>
          <para>
            For directory or simple block-device backed containers,
            a pathname can be used. If the rootfs is backed by an nbd
            device, then <filename>nbd:file:1</filename> specifies that
            <filename>file</filename> should be attached to an nbd device,
            and partition 1 should be mounted as the rootfs.
            <filename>nbd:file</filename> specifies that the nbd device
            itself should be mounted. <filename>overlayfs:/lower:/upper</filename>
            specifies that the rootfs should be an overlay with <filename>/upper</filename>
            being mounted read-write over a read-only mount of <filename>/lower</filename>.
            For <filename>overlay</filename> multiple <filename>/lower</filename>
            directories can be specified. <filename>loop:/file</filename> tells lxc to attach
            <filename>/file</filename> to a loop device and mount the loop device.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>
          <option>lxc.rootfs.mount</option>
        </term>
        <listitem>
          <para>
            Where to recursively bind <option>lxc.rootfs.path</option>
            before pivoting. This is to ensure success of the
            <citerefentry>
              <refentrytitle><command>pivot_root</command></refentrytitle>
              <manvolnum>8</manvolnum>
            </citerefentry>
            syscall. Any directory suffices; the default should
            generally work.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>
          <option>lxc.rootfs.options</option>
        </term>
        <listitem>
          <para>
            Extra mount options to use when mounting the rootfs.
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect2>

  <refsect2>
    <title>Control group</title>
    <para>
      The control group section contains the configuration for the
      different subsystems. <command>lxc</command> does not check the
      correctness of the subsystem name. This has the disadvantage
      of not detecting configuration errors until the container is
      started, but has the advantage of permitting any future
      subsystem.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.cgroup.[controller name]</option>
        </term>
        <listitem>
          <para>
            Specify the control group value to be set on a legacy cgroup
            hierarchy. The controller name is the literal name of the control
            group. The permitted names and the syntax of their values are not
            dictated by LXC; instead they depend on the features of the Linux
            kernel running at the time the container is started, e.g.
            <option>lxc.cgroup.cpuset.cpus</option>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.cgroup2.[controller name]</option>
        </term>
        <listitem>
          <para>
            Specify the control group value to be set on the unified cgroup
            hierarchy. The controller name is the literal name of the control
            group. The permitted names and the syntax of their values are not
            dictated by LXC; instead they depend on the features of the Linux
            kernel running at the time the container is started, e.g.
            <option>lxc.cgroup2.memory.high</option>.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.cgroup.dir</option>
        </term>
        <listitem>
          <para>
            Specify a directory or path in which the container's cgroup will
            be created. For example, setting
            <option>lxc.cgroup.dir = my-cgroup/first</option> for a container
            named "c1" will create the container's cgroup as a sub-cgroup of
            "my-cgroup". For example, if the user's current cgroup "my-user"
            is located in the root cgroup of the cpuset controller in a
            cgroup v1 hierarchy this would create the cgroup
            "/sys/fs/cgroup/cpuset/my-user/my-cgroup/first/c1" for the
            container. Any missing cgroups will be created by LXC. This
            presupposes that the user has write access to its current cgroup.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.cgroup.relative</option>
        </term>
        <listitem>
          <para>
            Set this to 1 to instruct LXC to never escape to the
            root cgroup. This makes it easy for users to adhere to
            restrictions enforced by cgroup2 and
            systemd. Specifically, this makes it possible to run LXC
            containers as systemd services.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Capabilities</title>
    <para>
      Capabilities can be dropped in the container if it is run as root.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.cap.drop</option>
        </term>
        <listitem>
          <para>
            Specify the capabilities to be dropped in the container. A
            single line defining several capabilities with a space
            separation is allowed. The format is the lower case of
            the capability definition without the "CAP_" prefix,
            e.g. CAP_SYS_MODULE should be specified as
            sys_module. See
            <citerefentry>
              <refentrytitle><command>capabilities</command></refentrytitle>
              <manvolnum>7</manvolnum>
            </citerefentry>.
            If used with no value, lxc will clear any drop capabilities
            specified up to this point.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.cap.keep</option>
        </term>
        <listitem>
          <para>
            Specify the capabilities to be kept in the container. All other
            capabilities will be dropped. When a special value of "none" is
            encountered, lxc will clear any keep capabilities specified up
            to this point. A value of "none" alone can be used to drop all
            capabilities.
          </para>
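          <para>
            The following added example (not liblxc code) applies the
            <option>lxc.cap.drop</option> and <option>lxc.cap.keep</option>
            rules from the two entries above to a sequence of configuration
            lines, in order, and computes the capability set a container
            would retain. The starting bounding set is a constructed sample
            rather than what the kernel reports, and combining a keep list
            with a drop list (apply keep, then drop) is this example's
            conservative choice; the page documents each option on its own.
          </para>

```python
"""Apply lxc.cap.drop / lxc.cap.keep lines in configuration order.

Added, illustrative model of the documented rules; not liblxc code.
"""

# Constructed sample of a process' bounding set, in lxc.cap.* spelling.
SAMPLE_BOUNDING_SET = frozenset({
    "chown", "dac_override", "kill", "net_admin", "net_raw",
    "setuid", "setgid", "sys_admin", "sys_module", "sys_time",
})


def normalize(name):
    """Accept 'CAP_SYS_MODULE' or 'sys_module' and return 'sys_module'."""
    name = name.strip().lower()
    return name[len("cap_"):] if name.startswith("cap_") else name


def parse_cap_config(lines):
    """Return (drop, keep) from config lines processed top to bottom.

    keep is None when no lxc.cap.keep line was seen (meaning: keep all
    except the drop list); an empty set means every capability is dropped.
    """
    drop, keep = set(), None
    for raw in lines:
        line = raw.split("#", 1)[0].strip()     # ignore comments and blanks
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        names = [normalize(n) for n in value.split()]
        if key == "lxc.cap.drop":
            if not names:
                drop.clear()                   # empty value: forget earlier drops
            else:
                drop.update(names)
        elif key == "lxc.cap.keep":
            if not names:
                continue                       # empty keep is not documented; ignored
            if keep is None:
                keep = set()
            for name in names:
                if name == "none":
                    keep.clear()               # 'none': forget earlier keeps
                else:
                    keep.add(name)
    return drop, keep


def effective_capabilities(bounding, drop, keep):
    """Capabilities the container retains from bounding under (drop, keep)."""
    retained = set(bounding) if keep is None else set(bounding) & keep
    return frozenset(retained - drop)
```

          <para>
            With the sample bounding set, the lines
            <literal>lxc.cap.keep = net_admin CAP_SYS_ADMIN</literal> followed by
            <literal>lxc.cap.keep = none chown</literal> leave only
            <literal>chown</literal>, since the "none" discards the earlier
            keep list before <literal>chown</literal> is added.
          </para>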
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Namespaces</title>
    <para>
      A namespace can be cloned (<option>lxc.namespace.clone</option>),
      kept (<option>lxc.namespace.keep</option>) or shared
      (<option>lxc.namespace.share.[namespace identifier]</option>).
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.namespace.clone</option>
        </term>
        <listitem>
          <para>
            Specify namespaces which the container is supposed to be created
            with. The namespaces to create are specified as a space separated
            list. Each namespace must correspond to one of the standard
            namespace identifiers as seen in the
            <filename>/proc/PID/ns</filename> directory.
            When <option>lxc.namespace.clone</option> is not explicitly set all
            namespaces supported by the kernel and the current configuration
            will be used.
          </para>

          <para>
            To create a new mount, net and ipc namespace set
            <option>lxc.namespace.clone=mount net ipc</option>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>
          <option>lxc.namespace.keep</option>
        </term>
        <listitem>
          <para>
            Specify namespaces which the container is supposed to inherit from
            the process that created it. The namespaces to keep are specified as
            a space separated list. Each namespace must correspond to one of the
            standard namespace identifiers as seen in the
            <filename>/proc/PID/ns</filename> directory.
            <option>lxc.namespace.keep</option> is a
            blacklist option, i.e. it is useful when enforcing that containers
            must keep a specific set of namespaces.
          </para>

          <para>
            To keep the network, user and ipc namespace set
            <option>lxc.namespace.keep=user net ipc</option>.
          </para>

          <para>
            Note that sharing pid namespaces will likely not work with most init
            systems.
          </para>

          <para>
            Note that if the container requests a new user namespace and the
            container wants to inherit the network namespace it needs to inherit
            the user namespace as well.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>
          <option>lxc.namespace.share.[namespace identifier]</option>
        </term>
        <listitem>
          <para>
            Specify a namespace to inherit from another container or process.
            The <option>[namespace identifier]</option> suffix needs to be
            replaced with one of the namespaces that appear in the
            <filename>/proc/PID/ns</filename> directory.
          </para>

          <para>
            To inherit the namespace from another process set the
            <option>lxc.namespace.share.[namespace identifier]</option> to the PID of
            the process, e.g. <option>lxc.namespace.share.net=42</option>.
          </para>

          <para>
            To inherit the namespace from another container set the
            <option>lxc.namespace.share.[namespace identifier]</option> to the name of
            the container, e.g. <option>lxc.namespace.share.pid=c3</option>.
          </para>

          <para>
            To inherit the namespace from another container located in a
            different path than the standard liblxc path set the
            <option>lxc.namespace.share.[namespace identifier]</option> to the full
            path to the container, e.g.
            <option>lxc.namespace.share.user=/opt/c3</option>.
          </para>

          <para>
            In order to inherit namespaces the caller needs to have sufficient
            privilege over the process or container.
          </para>

          <para>
            Note that sharing pid namespaces between system containers will
            likely not work with most init systems.
          </para>

          <para>
            Note that if two processes are in different user namespaces and one
            process wants to inherit the other's network namespace it usually
            needs to inherit the user namespace as well.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Resource limits</title>
    <para>
      The soft and hard resource limits for the container can be changed.
      Unprivileged containers can only lower them. Resources which are not
      explicitly specified will be inherited.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.prlimit.[limit name]</option>
        </term>
        <listitem>
          <para>
            Specify the resource limit to be set. A limit is specified as two
            colon separated values which are either numeric or the word
            'unlimited'. A single value can be used as a shortcut to set both
            soft and hard limit to the same value. The permitted names are the
            "RLIMIT_" resource names in lowercase without the "RLIMIT_"
            prefix, e.g. RLIMIT_NOFILE should be specified as "nofile". See
            <citerefentry>
              <refentrytitle><command>setrlimit</command></refentrytitle>
              <manvolnum>2</manvolnum>
            </citerefentry>.
            If used with no value, lxc will clear the resource limit
            specified up to this point. A resource with no explicitly
            configured limitation will be inherited from the process starting
            up the container.
          </para>
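          <para>
            As an added example (not liblxc code), the following Python
            parses an <option>lxc.prlimit.[limit name]</option> key/value
            pair into the RLIMIT_ constant name and a (soft, hard) pair,
            handling the 'unlimited' word, the single-value shortcut and the
            empty value that clears an earlier limit, and checks the rule
            that an unprivileged container may only lower a limit against the
            hard limit inherited from the starting process. The name
            validation uses the RLIMIT_ constants that Python's standard
            <literal>resource</literal> module exposes on the running system.
          </para>

```python
"""Parse lxc.prlimit.[limit name] values and check the lowering rule.

Added, illustrative model of the documented format; not liblxc code.
"""
import resource

RLIM_INFINITY = resource.RLIM_INFINITY


def _parse_one(text):
    """One half of a limit: a non-negative number or the word 'unlimited'."""
    if text == "unlimited":
        return RLIM_INFINITY
    if not text.isdigit():
        raise ValueError("limit must be a number or 'unlimited': %r" % text)
    return int(text)


def _le(a, b):
    """a <= b, treating RLIM_INFINITY as larger than every finite value."""
    if b == RLIM_INFINITY:
        return True
    if a == RLIM_INFINITY:
        return False
    return a <= b


def parse_prlimit(key, value):
    """Return ('RLIMIT_NAME', (soft, hard)) for a 'lxc.prlimit.name = value' pair.

    An empty value means 'clear the limit configured so far' and yields None.
    """
    if not key.startswith("lxc.prlimit."):
        raise ValueError("not a prlimit key: %r" % key)
    name = "RLIMIT_" + key[len("lxc.prlimit."):].upper()
    if not hasattr(resource, name):
        raise ValueError("unknown resource limit %r" % name)
    value = value.strip()
    if not value:
        return None
    parts = value.split(":")
    if len(parts) == 1:
        parts = parts * 2                 # single value sets soft and hard alike
    if len(parts) != 2:
        raise ValueError("expected 'soft:hard' or a single value: %r" % value)
    soft, hard = _parse_one(parts[0]), _parse_one(parts[1])
    if not _le(soft, hard):
        raise ValueError("soft limit %s exceeds hard limit %s" % (soft, hard))
    return name, (soft, hard)


def unprivileged_can_apply(current, requested):
    """Unprivileged containers may only lower limits: the requested hard limit
    must not exceed the hard limit inherited from the starting process."""
    return _le(requested[1], current[1])
```

          <para>
            <literal>parse_prlimit("lxc.prlimit.nofile", "1024:4096")</literal>
            returns <literal>("RLIMIT_NOFILE", (1024, 4096))</literal>, and
            <literal>unprivileged_can_apply((1024, 4096), (1024, 8192))</literal>
            is false because the request would raise the inherited hard limit.
          </para>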
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Sysctl</title>
    <para>
      Configure kernel parameters for the container.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.sysctl.[kernel parameters name]</option>
        </term>
        <listitem>
          <para>
            Specify the kernel parameters to be set. The parameters available
            are those listed under /proc/sys/.
            Note that not all sysctls are namespaced. Changing non-namespaced
            sysctls will cause the system-wide setting to be modified. See
            <citerefentry>
              <refentrytitle><command>sysctl</command></refentrytitle>
              <manvolnum>8</manvolnum>
            </citerefentry>.
            If used with no value, lxc will clear the parameters specified up
            to this point.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Apparmor profile</title>
    <para>
      If lxc was compiled and installed with apparmor support, and the host
      system has apparmor enabled, then the apparmor profile under which the
      container should be run can be specified in the container
      configuration. The default is <command>lxc-container-default-cgns</command>
      if the host kernel is cgroup namespace aware, or
      <command>lxc-container-default</command> otherwise.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.apparmor.profile</option>
        </term>
        <listitem>
          <para>
            Specify the apparmor profile under which the container should
            be run. To specify that the container should be unconfined,
            use
          </para>
          <programlisting>lxc.apparmor.profile = unconfined</programlisting>
          <para>
            If the apparmor profile should remain unchanged (i.e. if you
            are nesting containers and are already confined), then use
          </para>
          <programlisting>lxc.apparmor.profile = unchanged</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.apparmor.allow_incomplete</option>
        </term>
        <listitem>
          <para>
            Apparmor profiles are pathname based. Therefore many file
            restrictions require mount restrictions to be effective against
            a determined attacker. However, these mount restrictions are not
            yet implemented in the upstream kernel. Without the mount
            restrictions, the apparmor profiles still protect against accidental
            damage.
          </para>
          <para>
            If this flag is 0 (default), then the container will not be
            started if the kernel lacks the apparmor mount features, so that a
            regression after a kernel upgrade will be detected. To start the
            container under partial apparmor protection, set this flag to 1.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>SELinux context</title>
    <para>
      If lxc was compiled and installed with SELinux support, and the host
      system has SELinux enabled, then the SELinux context under which the
      container should be run can be specified in the container
      configuration. The default is <command>unconfined_t</command>,
      which means that lxc will not attempt to change contexts.
      See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
      information.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.selinux.context</option>
        </term>
        <listitem>
          <para>
            Specify the SELinux context under which the container should
            be run or <command>unconfined_t</command>. For example
          </para>
          <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Seccomp configuration</title>
    <para>
      A container can be started with a reduced set of available
      system calls by loading a seccomp profile at startup. The
      seccomp configuration file must begin with a version number
      on the first line, a policy type on the second line, followed
      by the configuration.
    </para>
    <para>
      Versions 1 and 2 are currently supported. In version 1, the
      policy is a simple whitelist. The second line therefore must
      read "whitelist", with the rest of the file containing one (numeric)
      syscall number per line. Each syscall number is whitelisted,
      while every unlisted number is blacklisted for use in the container.
    </para>

    <para>
      In version 2, the policy may be blacklist or whitelist,
      supports per-rule and per-policy default actions, and supports
      per-architecture system call resolution from textual names.
    </para>
    <para>
      An example blacklist policy, in which all system calls are
      allowed except for mknod, which will simply do nothing and
      return 0 (success), looks like:
    </para>

    <programlisting>
2
blacklist
mknod errno 0
    </programlisting>
1827
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.seccomp.profile</option>
        </term>
        <listitem>
          <para>
            Specify a file containing the seccomp configuration to
            load before the container starts.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.seccomp.allow_nesting</option>
        </term>
        <listitem>
          <para>
            If this flag is set to 1, then seccomp filters will be stacked
            regardless of whether a seccomp profile is already loaded.
            This allows nested containers to load their own seccomp profile.
            The default setting is 0.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>PR_SET_NO_NEW_PRIVS</title>
    <para>
      With PR_SET_NO_NEW_PRIVS active, execve() promises not to grant
      privileges to do anything that could not have been done without
      the execve() call (for example, rendering the set-user-ID and
      set-group-ID mode bits, and file capabilities non-functional).
      Once set, this bit cannot be unset. The setting of this bit is
      inherited by children created by fork() and clone(), and preserved
      across execve().
      Note that PR_SET_NO_NEW_PRIVS is applied after the container has
      changed into its intended AppArmor profile or SELinux context.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.no_new_privs</option>
        </term>
        <listitem>
          <para>
            Specify whether the PR_SET_NO_NEW_PRIVS flag should be set for the
            container. Set to 1 to activate.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>UID mappings</title>
    <para>
      A container can be started in a private user namespace with
      user and group id mappings. For instance, you can map userid
      0 in the container to userid 200000 on the host. The root
      user in the container will be privileged in the container,
      but unprivileged on the host. Normally a system container
      will want a range of ids, so you would map, for instance,
      user and group ids 0 through 20,000 in the container to the
      ids 200,000 through 220,000.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.idmap</option>
        </term>
        <listitem>
          <para>
            Four values must be provided. First a character, either
            'u', or 'g', to specify whether user or group ids are
            being mapped. Next is the first userid as seen in the
            user namespace of the container. Next is the userid as
            seen on the host. Finally, a range indicating the number
            of consecutive ids to map.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
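The four-field lxc.idmap format as a parser, plus two checks the text does not spell out but a practitioner wants: that ranges of one kind do not overlap, and that an id translates the same way in both directions. This is example code written for this page, not LXC's own; the sample configuration reuses the UID/GID mapping from the Examples section.

```python
"""Parser and consistency checker for lxc.idmap entries.

Constructed example, not LXC code. Each entry carries four values:
'u' or 'g', the first id inside the container, the first id on the
host, and the number of consecutive ids mapped.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IdMap:
    kind: str     # 'u' for user ids, 'g' for group ids
    nsid: int     # first id as seen inside the container
    hostid: int   # first id as seen on the host
    count: int    # number of consecutive ids mapped


def parse_idmap(value: str) -> IdMap:
    """Parse the value part of one 'lxc.idmap = ...' line."""
    parts = value.split()
    if len(parts) != 4:
        raise ValueError(f"lxc.idmap needs four values, got {value!r}")
    kind, nsid, hostid, count = parts
    if kind not in ("u", "g"):
        raise ValueError(f"first field must be 'u' or 'g', got {kind!r}")
    try:
        nsid_i, hostid_i, count_i = int(nsid), int(hostid), int(count)
    except ValueError:
        raise ValueError(f"ids and range must be integers: {value!r}") from None
    if nsid_i < 0 or hostid_i < 0 or count_i <= 0:
        raise ValueError(f"ids must be non-negative and range positive: {value!r}")
    return IdMap(kind, nsid_i, hostid_i, count_i)


def parse_config(text: str) -> list[IdMap]:
    """Collect every lxc.idmap entry from container configuration text."""
    maps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "lxc.idmap":
            maps.append(parse_idmap(value.strip()))
    return maps


def check_no_overlap(maps: list[IdMap]) -> None:
    """Maps of the same kind must not claim the same container ids or host ids."""
    for kind in ("u", "g"):
        same = sorted((m for m in maps if m.kind == kind), key=lambda m: m.nsid)
        for a, b in zip(same, same[1:]):
            if a.nsid + a.count > b.nsid:
                raise ValueError(f"container {kind}id ranges overlap: {a} and {b}")
        by_host = sorted(same, key=lambda m: m.hostid)
        for a, b in zip(by_host, by_host[1:]):
            if a.hostid + a.count > b.hostid:
                raise ValueError(f"host {kind}id ranges overlap: {a} and {b}")


def to_host(maps: list[IdMap], kind: str, nsid: int) -> int | None:
    """Translate a container id to its host id, or None if it is unmapped."""
    for m in maps:
        if m.kind == kind and m.nsid <= nsid < m.nsid + m.count:
            return m.hostid + (nsid - m.nsid)
    return None


def to_container(maps: list[IdMap], kind: str, hostid: int) -> int | None:
    """Translate a host id back to the container id, or None if it is unmapped."""
    for m in maps:
        if m.kind == kind and m.hostid <= hostid < m.hostid + m.count:
            return m.nsid + (hostid - m.hostid)
    return None


# The mapping from the UID/GID mapping example in the Examples section:
# container ids 0-9999 become host ids 100000-109999.
EXAMPLE_CONFIG = """
lxc.idmap = u 0 100000 10000
lxc.idmap = g 0 100000 10000
"""
```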
  </refsect2>

  <refsect2>
    <title>Container hooks</title>
    <para>
      Container hooks are programs or scripts which can be executed
      at various times in a container's lifetime.
    </para>
    <para>
      When a container hook is executed, additional information is passed
      along. The <option>lxc.hook.version</option> argument can be used to
      determine if the following arguments are passed as command line
      arguments or through environment variables. The arguments are:
      <itemizedlist>
        <listitem><para> Container name. </para></listitem>
        <listitem><para> Section (always 'lxc'). </para></listitem>
        <listitem><para> The hook type (e.g. 'clone' or 'pre-mount'). </para></listitem>
        <listitem><para> Additional arguments. In the
        case of the clone hook, any extra arguments passed will appear as
        further arguments to the hook. In the case of the stop hook, paths to
        file descriptors for each of the container's namespaces along with
        their types are passed. </para></listitem>
      </itemizedlist>
      The following environment variables are set:
      <itemizedlist>
        <listitem><para> LXC_CGNS_AWARE: indicator whether the container is
        cgroup namespace aware. </para></listitem>
        <listitem><para> LXC_CONFIG_FILE: the path to the container
        configuration file. </para></listitem>
        <listitem><para> LXC_HOOK_TYPE: the hook type (e.g. 'clone', 'mount',
        'pre-mount'). Note that the existence of this environment variable is
        conditional on the value of <option>lxc.hook.version</option>. If it
        is set to 1 then LXC_HOOK_TYPE will be set.
        </para></listitem>
        <listitem><para> LXC_HOOK_SECTION: the section type (e.g. 'lxc',
        'net'). Note that the existence of this environment variable is
        conditional on the value of <option>lxc.hook.version</option>. If it
        is set to 1 then LXC_HOOK_SECTION will be set.
        </para></listitem>
        <listitem><para> LXC_HOOK_VERSION: the version of the hooks. This
        value is identical to the value of the container's
        <option>lxc.hook.version</option> config item. If it is set to 0 then
        old-style hooks are used. If it is set to 1 then new-style hooks are
        used. </para></listitem>
        <listitem><para> LXC_LOG_LEVEL: the container's log level. </para></listitem>
        <listitem><para> LXC_NAME: the container's name. </para></listitem>
        <listitem><para> LXC_[NAMESPACE IDENTIFIER]_NS: path under
        /proc/PID/fd/ to a file descriptor referring to the container's
        namespace. For each preserved namespace type there will be a separate
        environment variable. These environment variables will only be set if
        <option>lxc.hook.version</option> is set to 1. </para></listitem>
        <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
        <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry
        for the container. Note this is likely not where the mounted rootfs is
        to be found; use LXC_ROOTFS_MOUNT for that. </para></listitem>
        <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is
        the original container's name. </para></listitem>
      </itemizedlist>
    </para>
    <para>
      Standard output from the hooks is logged at debug level.
      Standard error is not logged, but can be captured by the
      hook redirecting its standard error to standard output.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.version</option>
        </term>
        <listitem>
          <para>
            Set to 1 to pass the arguments new-style via environment
            variables, or to 0 to pass them as command line arguments.
            This setting affects all hook arguments that were traditionally
            passed as arguments to the script. Specifically, it affects the
            container name, section (e.g. 'lxc', 'net') and hook type (e.g.
            'clone', 'mount', 'pre-mount') arguments. If new-style hooks are
            used then the arguments will be available as environment variables.
            The container name will be set in LXC_NAME. (This is set
            independently of the value used for this config item.) The section
            will be set in LXC_HOOK_SECTION and the hook type will be set in
            LXC_HOOK_TYPE.
            It also affects how the paths to file descriptors referring to the
            container's namespaces are passed. If set to 1 then for each
            namespace a separate environment variable LXC_[NAMESPACE
            IDENTIFIER]_NS will be set. If set to 0 then the paths will be
            passed as arguments to the stop hook.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
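A hook written for this page (example code, not shipped with LXC) that resolves its arguments under both conventions by consulting LXC_HOOK_VERSION, including the "type:path" namespace arguments the stop hook receives old-style. It assumes LXC_HOOK_VERSION is treated as 0 when absent; the container names, PIDs and descriptor numbers in the test data are constructed.

```python
"""Resolve container name, section, hook type and namespace references
for both hook-argument styles described on this page.

Constructed example, not part of LXC. With lxc.hook.version = 0 the
three values arrive as the first three command-line arguments; with
lxc.hook.version = 1 they arrive in LXC_NAME, LXC_HOOK_SECTION and
LXC_HOOK_TYPE and namespace paths in LXC_<NAMESPACE IDENTIFIER>_NS.
"""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass, field


@dataclass
class HookContext:
    name: str
    section: str
    hook_type: str
    extra_args: list[str] = field(default_factory=list)
    # namespace type -> path, e.g. {"mnt": "/proc/PID/fd/12"}
    namespaces: dict[str, str] = field(default_factory=dict)


def hook_context(argv: list[str], env: dict[str, str]) -> HookContext:
    # Assumption: a missing LXC_HOOK_VERSION means old-style (0).
    version = env.get("LXC_HOOK_VERSION", "0")
    if version == "1":
        # New-style: everything comes through the environment. Namespace
        # descriptors are LXC_<NAMESPACE IDENTIFIER>_NS, e.g. LXC_MNT_NS.
        namespaces = {
            key[len("LXC_"):-len("_NS")].lower(): path
            for key, path in env.items()
            if key.startswith("LXC_") and key.endswith("_NS")
        }
        return HookContext(env["LXC_NAME"], env["LXC_HOOK_SECTION"],
                           env["LXC_HOOK_TYPE"], list(argv[1:]), namespaces)
    if version != "0":
        raise ValueError(f"unknown LXC_HOOK_VERSION {version!r}")
    # Old-style: argv[1..3] are name, section and hook type. The stop hook
    # then receives one "type:path" argument per preserved namespace.
    if len(argv) < 4:
        raise ValueError("old-style hooks need at least name, section and type")
    name, section, hook_type = argv[1:4]
    extra = list(argv[4:])
    namespaces: dict[str, str] = {}
    if hook_type == "stop":
        for arg in extra:
            ns_type, sep, path = arg.partition(":")
            if not sep:
                raise ValueError(f"malformed namespace argument {arg!r}")
            namespaces[ns_type] = path
        extra = []
    return HookContext(name, section, hook_type, extra, namespaces)


def main() -> int:
    ctx = hook_context(sys.argv, dict(os.environ))
    # A hook's standard output is logged at debug level, so report what we saw.
    print(f"hook {ctx.hook_type} for container {ctx.name} (section {ctx.section})")
    for ns_type, path in sorted(ctx.namespaces.items()):
        print(f"  namespace {ns_type}: {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```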
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.pre-start</option>
        </term>
        <listitem>
          <para>
            A hook to be run in the host's namespace before the
            container ttys, consoles, or mounts are up.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.pre-mount</option>
        </term>
        <listitem>
          <para>
            A hook to be run in the container's fs namespace but before
            the rootfs has been set up. This allows for manipulation
            of the rootfs, e.g. to mount an encrypted filesystem. Mounts
            done in this hook will not be reflected on the host (apart from
            mount propagation), so they will be automatically cleaned up
            when the container shuts down.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.mount</option>
        </term>
        <listitem>
          <para>
            A hook to be run in the container's namespace after
            mounting has been done, but before the pivot_root.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.autodev</option>
        </term>
        <listitem>
          <para>
            A hook to be run in the container's namespace after
            mounting has been done and after any mount hooks have
            run, but before the pivot_root, if
            <option>lxc.autodev</option> == 1.
            The purpose of this hook is to assist in populating the
            /dev directory of the container when using the autodev
            option for systemd based containers. The container's /dev
            directory is relative to the
            ${<option>LXC_ROOTFS_MOUNT</option>} environment
            variable available when the hook is run.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.start-host</option>
        </term>
        <listitem>
          <para>
            A hook to be run in the host's namespace after the
            container has been set up, and immediately before starting
            the container init.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.start</option>
        </term>
        <listitem>
          <para>
            A hook to be run in the container's namespace immediately
            before executing the container's init. This requires the
            program to be available in the container.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.stop</option>
        </term>
        <listitem>
          <para>
            A hook to be run in the host's namespace with references
            to the container's namespaces after the container has been shut
            down. For each namespace an extra argument is passed to the hook
            containing the namespace's type and a filename that can be used to
            obtain a file descriptor to the corresponding namespace, separated
            by a colon. The type is the name as it would appear in the
            <filename>/proc/PID/ns</filename> directory.
            For instance, for the mount namespace the argument usually looks
            like <filename>mnt:/proc/PID/fd/12</filename>.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.post-stop</option>
        </term>
        <listitem>
          <para>
            A hook to be run in the host's namespace after the
            container has been shut down.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.clone</option>
        </term>
        <listitem>
          <para>
            A hook to be run when the container is cloned to a new one.
            See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
            <manvolnum>1</manvolnum></citerefentry> for more information.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.hook.destroy</option>
        </term>
        <listitem>
          <para>
            A hook to be run when the container is destroyed.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Container hooks Environment Variables</title>
    <para>
      A number of environment variables are made available to the startup
      hooks to provide configuration information and assist in the
      functioning of the hooks. Not all variables are valid in all
      contexts. In particular, all paths are relative to the host system
      and, as such, not valid during the <option>lxc.hook.start</option> hook.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>LXC_NAME</option>
        </term>
        <listitem>
          <para>
            The LXC name of the container. Useful for logging messages
            in common log environments. [<option>-n</option>]
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>LXC_CONFIG_FILE</option>
        </term>
        <listitem>
          <para>
            Host relative path to the container configuration file. This
            allows the container to reference the original, top level,
            configuration file for the container in order to locate any
            additional configuration information not otherwise made
            available. [<option>-f</option>]
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>LXC_CONSOLE</option>
        </term>
        <listitem>
          <para>
            The path to the console output of the container if not NULL.
            [<option>-c</option>] [<option>lxc.console.path</option>]
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>LXC_CONSOLE_LOGPATH</option>
        </term>
        <listitem>
          <para>
            The path to the console log output of the container if not NULL.
            [<option>-L</option>]
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>LXC_ROOTFS_MOUNT</option>
        </term>
        <listitem>
          <para>
            The mount location to which the container is initially bound.
            This will be the host relative path to the container rootfs
            for the container instance being started and is where changes
            should be made for that instance.
            [<option>lxc.rootfs.mount</option>]
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>LXC_ROOTFS_PATH</option>
        </term>
        <listitem>
          <para>
            The host relative path to the container root which has been
            mounted to the rootfs.mount location.
            [<option>lxc.rootfs.path</option>]
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>LXC_SRC_NAME</option>
        </term>
        <listitem>
          <para>
            Only for the clone hook. Set to the original container name.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>LXC_TARGET</option>
        </term>
        <listitem>
          <para>
            Only for the stop hook. Set to "stop" for a container
            shutdown or "reboot" for a container reboot.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist>
      <varlistentry>
        <term>
          <option>LXC_CGNS_AWARE</option>
        </term>
        <listitem>
          <para>
            If unset, then this version of lxc is not aware of cgroup
            namespaces. If set, it will be set to 1, and lxc is aware
            of cgroup namespaces. Note this does not guarantee that
            cgroup namespaces are enabled in the kernel. This is used
            by the lxcfs mount hook.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>
  <refsect2>
    <title>Logging</title>
    <para>
      Logging can be configured on a per-container basis. By default,
      depending upon how the lxc package was compiled, container startup
      is logged only at the ERROR level, and logged to a file named after
      the container (with '.log' appended) either under the container path,
      or under @LOGPATH@.
    </para>
    <para>
      Both the default log level and the log file can be specified in the
      container configuration file, overriding the default behavior. Note
      that the configuration file entries can in turn be overridden by the
      command line options to <command>lxc-start</command>.
    </para>
    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.log.level</option>
        </term>
        <listitem>
          <para>
            The level at which to log. The log level is an integer in
            the range of 0..8 inclusive, where a lower number means more
            verbose debugging. In particular 0 = trace, 1 = debug, 2 =
            info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
            alert, and 8 = fatal. If unspecified, the level defaults
            to 5 (error), so that only errors and above are logged.
          </para>
          <para>
            Note that when a script (such as either a hook script or a
            network interface up or down script) is called, the script's
            standard output is logged at level 1, debug.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.log.file</option>
        </term>
        <listitem>
          <para>
            The file to which logging info should be written.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.log.syslog</option>
        </term>
        <listitem>
          <para>
            Send logging info to syslog. It respects the log level defined in
            <command>lxc.log.level</command>. The argument should be the syslog
            facility to use; valid ones are: daemon, local0, local1, local2,
            local3, local4, local5, local6, local7.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Autostart</title>
    <para>
      The autostart options support marking which containers should be
      auto-started and in what order. These options may be used by LXC tools
      directly or by external tooling provided by the distributions.
    </para>

    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.start.auto</option>
        </term>
        <listitem>
          <para>
            Whether the container should be auto-started.
            Valid values are 0 (off) and 1 (on).
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.start.delay</option>
        </term>
        <listitem>
          <para>
            How long to wait (in seconds) after the container is
            started before starting the next one.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.start.order</option>
        </term>
        <listitem>
          <para>
            An integer used to sort the containers when auto-starting
            a series of containers at once.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.monitor.unshare</option>
        </term>
        <listitem>
          <para>
            If not zero, the mount namespace will be unshared from the host
            before initializing the container (before running any pre-start
            hooks). This requires the CAP_SYS_ADMIN capability at startup.
            Default is 0.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.monitor.signal.pdeath</option>
        </term>
        <listitem>
          <para>
            Set the signal to be sent to the container's init when the lxc
            monitor exits. By default it is set to SIGKILL, which will cause
            all container processes to be killed when the lxc monitor process
            dies.
            To ensure that containers stay alive even if the lxc monitor dies,
            set this to 0.
          </para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>
          <option>lxc.group</option>
        </term>
        <listitem>
          <para>
            A multi-value key (can be used multiple times) to put the
            container in a container group. Those groups can then be
            used (amongst other things) to start a series of related
            containers.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

  <refsect2>
    <title>Autostart and System Boot</title>
    <para>
      Each container can be part of any number of groups or no group at all.
      Two groups are special. One is the NULL group, i.e. the container does
      not belong to any group. The other group is the "onboot" group.
    </para>

    <para>
      When the system boots with the LXC service enabled, it will first
      attempt to boot any containers with lxc.start.auto == 1 that are members
      of the "onboot" group. The startup will be in order of lxc.start.order.
      If an lxc.start.delay has been specified, that delay will be honored
      before attempting to start the next container to give the current
      container time to begin initialization and reduce overloading the host
      system. After starting the members of the "onboot" group, the LXC system
      will proceed to boot containers with lxc.start.auto == 1 which are not
      members of any group (the NULL group) and proceed as with the onboot
      group.
    </para>
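The boot-time ordering described above, written for this page as a small simulation over constructed container configurations (example code, not lxc-autostart itself). It assumes a lower lxc.start.order starts earlier and that ties are broken by container name; neither is stated on the page.

```python
"""Simulate which lxc.start.auto containers start at boot, and in what order.

Constructed example, not LXC's own implementation. Following the rules on
this page: "onboot" group members go first, sorted by lxc.start.order, then
containers in no group at all (the NULL group). lxc.start.delay is the pause
after each container. Containers in any other group are not started at boot.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Container:
    name: str
    auto: int = 0
    order: int = 0
    delay: int = 0
    groups: list[str] = field(default_factory=list)


def parse_autostart(name: str, text: str) -> Container:
    """Pull the autostart-related keys out of one container's configuration."""
    c = Container(name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "lxc.start.auto":
            c.auto = int(value)
        elif key == "lxc.start.order":
            c.order = int(value)
        elif key == "lxc.start.delay":
            c.delay = int(value)
        elif key == "lxc.group":
            c.groups.append(value)  # multi-value key: may appear several times
    return c


def boot_sequence(containers: list[Container]) -> list[tuple[str, int]]:
    """Return (name, seconds to wait afterwards) pairs in boot order."""
    def ordered(pred) -> list[tuple[str, int]]:
        chosen = [c for c in containers if c.auto == 1 and pred(c)]
        # Assumption: lower lxc.start.order first; name breaks ties deterministically.
        chosen.sort(key=lambda c: (c.order, c.name))
        return [(c.name, c.delay) for c in chosen]

    onboot = ordered(lambda c: "onboot" in c.groups)
    null_group = ordered(lambda c: not c.groups)
    return onboot + null_group


# Constructed configurations for five containers.
CONFIGS = {
    "db":  "lxc.start.auto = 1\nlxc.start.order = 10\nlxc.start.delay = 5\nlxc.group = onboot\n",
    "web": "lxc.start.auto = 1\nlxc.start.order = 20\nlxc.group = onboot\nlxc.group = frontend\n",
    "dev": "lxc.start.auto = 1\nlxc.start.order = 5\n",   # NULL group: starts after onboot
    "lab": "lxc.start.auto = 0\nlxc.group = onboot\n",     # in onboot but not auto-started
    "ci":  "lxc.start.auto = 1\nlxc.group = nightly\n",    # other group: left to group starts
}
```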

  </refsect2>

  <refsect2>
    <title>Container Environment</title>
    <para>
      If you want to pass environment variables into the container (that
      is, environment variables which will be available to init and all of
      its descendants), you can use <command>lxc.environment</command>
      parameters to do so. Be careful that you do not pass in anything
      sensitive; any process in the container which doesn't have its
      environment scrubbed will have these variables available to it, and
      environment variables are always available via
      <command>/proc/PID/environ</command>.
    </para>

    <para>
      This configuration parameter can be specified multiple times; once
      for each environment variable you wish to configure.
    </para>

    <variablelist>
      <varlistentry>
        <term>
          <option>lxc.environment</option>
        </term>
        <listitem>
          <para>
            Specify an environment variable to pass into the container.
            Example:
          </para>
          <programlisting>
lxc.environment = APP_ENV=production
lxc.environment = SYSLOG_SERVER=192.0.2.42
          </programlisting>
          <para>
            It is possible to inherit host environment variables by setting the
            name of the variable without a "=" sign. For example:
          </para>
          <programlisting>
lxc.environment = PATH
          </programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect2>

</refsect1>

<refsect1>
  <title>Examples</title>
  <para>
    In addition to the few examples given below, you will find
    some other examples of configuration files in @DOCDIR@/examples.
  </para>
  <refsect2>
    <title>Network</title>
    <para>This configuration sets up a container to use a veth pair
      device with one side plugged to a bridge br0 (which has been
      configured before on the system by the administrator). The
      virtual network device visible in the container is renamed to
      eth0.</para>
    <programlisting>
lxc.uts.name = myhostname
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.name = eth0
lxc.net.0.hwaddr = 4a:49:43:49:79:bf
lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
    </programlisting>
  </refsect2>

  <refsect2>
    <title>UID/GID mapping</title>
    <para>This configuration will map both user and group ids in the
      range 0-9999 in the container to the ids 100000-109999 on the host.
    </para>
    <programlisting>
lxc.idmap = u 0 100000 10000
lxc.idmap = g 0 100000 10000
    </programlisting>
  </refsect2>

  <refsect2>
    <title>Control group</title>
    <para>This configuration will set up several control groups for
      the application: cpuset.cpus restricts usage to the defined cpus,
      cpu.shares prioritizes the control group, and devices.allow makes
      the specified devices usable.</para>
    <programlisting>
lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = b 8:0 rw
    </programlisting>
  </refsect2>

  <refsect2>
    <title>Complex configuration</title>
    <para>This example shows a complex configuration making a complex
      network stack, using the control groups, setting a new hostname,
      mounting some locations and changing the root file system.</para>
    <programlisting>
lxc.uts.name = complex
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.hwaddr = 4a:49:43:49:79:bf
lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
lxc.net.0.ipv6.address = 2003:db8:1:0:214:5432:feab:3588
lxc.net.1.type = macvlan
lxc.net.1.flags = up
lxc.net.1.link = eth0
lxc.net.1.hwaddr = 4a:49:43:49:79:bd
lxc.net.1.ipv4.address = 10.2.3.4/24
lxc.net.1.ipv4.address = 192.168.10.125/24
lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
lxc.net.2.type = phys
lxc.net.2.flags = up
lxc.net.2.link = dummy0
lxc.net.2.hwaddr = 4a:49:43:49:79:ff
lxc.net.2.ipv4.address = 10.2.3.6/24
lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297
lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = b 8:0 rw
lxc.mount.fstab = /etc/fstab.complex
lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
lxc.rootfs.path = dir:/mnt/rootfs.complex
lxc.cap.drop = sys_module mknod setuid net_raw
lxc.cap.drop = mac_override
    </programlisting>
  </refsect2>

</refsect1>

<refsect1>
  <title>See Also</title>
  <simpara>
    <citerefentry>
      <refentrytitle><command>chroot</command></refentrytitle>
      <manvolnum>1</manvolnum>
    </citerefentry>,

    <citerefentry>
      <refentrytitle><command>pivot_root</command></refentrytitle>
      <manvolnum>8</manvolnum>
    </citerefentry>,

    <citerefentry>
      <refentrytitle><filename>fstab</filename></refentrytitle>
      <manvolnum>5</manvolnum>
    </citerefentry>,

    <citerefentry>
      <refentrytitle><filename>capabilities</filename></refentrytitle>
      <manvolnum>7</manvolnum>
    </citerefentry>
  </simpara>
</refsect1>

&seealso;

<refsect1>
  <title>Author</title>
  <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
</refsect1>

</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->