]> git.proxmox.com Git - mirror_lxc.git/blame - doc/lxc.container.conf.sgml.in
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
log: use the right size for timestamp formatting
[mirror_lxc.git] / doc / lxc.container.conf.sgml.in
CommitLineData
55fc19a1
SG		 1<!--
2
3lxc: linux Container library
4
5(C) Copyright IBM Corp. 2007, 2008
6
7Authors:
8Daniel Lezcano <daniel.lezcano at free.fr>
9
10This library is free software; you can redistribute it and/or
11modify it under the terms of the GNU Lesser General Public
12License as published by the Free Software Foundation; either
13version 2.1 of the License, or (at your option) any later version.
14
15This library is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18Lesser General Public License for more details.
19
20You should have received a copy of the GNU Lesser General Public
21License along with this library; if not, write to the Free Software
22Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23
24-->
25
26<!DOCTYPE refentry PUBLIC @docdtd@ [
27
28<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
29]>
30
31<refentry>
32
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
34
35 <refmeta>
36 <refentrytitle>lxc.container.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
38 </refmeta>
39
40 <refnamediv>
41 <refname>lxc.container.conf</refname>
42
43 <refpurpose>
44 LXC container configuration file
45 </refpurpose>
46 </refnamediv>
47
48 <refsect1>
49 <title>Description</title>
50
51 <para>
52 The linux containers (<command>lxc</command>) are always created
53 before being used. This creation defines a set of system
54 resources to be virtualized / isolated when a process is using
55 the container. By default, the pids, sysv ipc and mount points
56 are virtualized and isolated. The other system resources are
57 shared across containers, until they are explicitly defined in
58 the configuration file. For example, if there is no network
59 configuration, the network will be shared between the creator of
60 the container and the container itself, but if the network is
61 specified, a new network stack is created for the container and
62 the container can no longer use the network of its ancestor.
63 </para>
64
65 <para>
66 The configuration file defines the different system resources to
67 be assigned for the container. At present, the utsname, the
68 network, the mount points, the root file system, the user namespace,
69 and the control groups are supported.
70 </para>
71
72 <para>
73 Each option in the configuration file has the form <command>key
74 = value</command> fitting in one line. The '#' character means
75 the line is a comment.
76 </para>
77
78 <refsect2>
79 <title>Configuration</title>
80 <para>
c464fd7e
SG		 81 In order to ease administration of multiple related containers, it
82 is possible to have a container configuration file cause another
83 file to be loaded. For instance, network configuration
84 can be defined in one common file which is included by multiple
85 containers. Then, if the containers are moved to another host,
86 only one file may need to be updated.
55fc19a1
SG		 87 </para>
88
89 <variablelist>
c464fd7e
SG		 90 <varlistentry>
91 <term>
92 <option>lxc.include</option>
93 </term>
94 <listitem>
95 <para>
96 Specify the file to be included. The included file must be
97 in the same valid lxc configuration file format.
98 </para>
99 </listitem>
100 </varlistentry>
55fc19a1
SG		 101 </variablelist>
102 </refsect2>
103
104 <refsect2>
105 <title>Architecture</title>
106 <para>
c464fd7e
SG		 107 Allows one to set the architecture for the container. For example,
108 set a 32bits architecture for a container running 32bits
109 binaries on a 64bits host. This fixes the container scripts
110 which rely on the architecture to do some work like
111 downloading the packages.
55fc19a1
SG		 112 </para>
113
114 <variablelist>
c464fd7e
SG		 115 <varlistentry>
116 <term>
117 <option>lxc.arch</option>
118 </term>
119 <listitem>
120 <para>
121 Specify the architecture for the container.
122 </para>
123 <para>
124 Valid options are
125 <option>x86</option>,
126 <option>i686</option>,
127 <option>x86_64</option>,
128 <option>amd64</option>
129 </para>
130 </listitem>
131 </varlistentry>
55fc19a1
SG		 132 </variablelist>
133
134 </refsect2>
135
136 <refsect2>
137 <title>Hostname</title>
138 <para>
c464fd7e
SG		 139 The utsname section defines the hostname to be set for the
140 container. That means the container can set its own hostname
141 without changing the one from the system. That makes the
142 hostname private for the container.
55fc19a1
SG		 143 </para>
144 <variablelist>
c464fd7e
SG		 145 <varlistentry>
146 <term>
147 <option>lxc.utsname</option>
148 </term>
149 <listitem>
150 <para>
151 specify the hostname for the container
152 </para>
153 </listitem>
154 </varlistentry>
55fc19a1
SG		 155 </variablelist>
156 </refsect2>
157
158 <refsect2>
159 <title>Halt signal</title>
160 <para>
936762f3
BP		 161 Allows one to specify signal name or number, sent by lxc-stop to the
162 container's init process to cleanly shutdown the container. Different
163 init systems could use different signals to perform clean shutdown
164 sequence. This option allows the signal to be specified in kill(1)
165 fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The
166 default signal is SIGPWR.
55fc19a1
SG		 167 </para>
168 <variablelist>
936762f3
BP		 169 <varlistentry>
170 <term>
171 <option>lxc.haltsignal</option>
172 </term>
173 <listitem>
174 <para>
175 specify the signal used to halt the container
176 </para>
177 </listitem>
178 </varlistentry>
179 </variablelist>
180 </refsect2>
181
182 <refsect2>
183 <title>Reboot signal</title>
184 <para>
185 Allows one to specify signal name or number, sent by lxc-stop to
186 reboot the container. This option allows signal to be specified in
187 kill(1) fashion, e.g. SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain number.
188 The default signal is SIGINT.
189 </para>
190 <variablelist>
191 <varlistentry>
192 <term>
193 <option>lxc.rebootsignal</option>
194 </term>
195 <listitem>
196 <para>
197 specify the signal used to reboot the container
198 </para>
199 </listitem>
200 </varlistentry>
55fc19a1
SG		 201 </variablelist>
202 </refsect2>
203
204 <refsect2>
205 <title>Stop signal</title>
206 <para>
936762f3
BP		 207 Allows one to specify signal name or number, sent by lxc-stop to forcibly
208 shutdown the container. This option allows signal to be specified in
209 kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number.
210 The default signal is SIGKILL.
211 </para>
212 <variablelist>
213 <varlistentry>
214 <term>
215 <option>lxc.stopsignal</option>
216 </term>
217 <listitem>
218 <para>
219 specify the signal used to stop the container
220 </para>
221 </listitem>
222 </varlistentry>
55fc19a1
SG		 223 </variablelist>
224 </refsect2>
225
67c660d0
SG		 226 <refsect2>
227 <title>Init command</title>
228 <para>
229 Sets the command to use as the init system for the containers.
230
231 This option is ignored when using lxc-execute.
232
233 Defaults to: /sbin/init
234 </para>
235 <variablelist>
936762f3
BP		 236 <varlistentry>
237 <term>
238 <option>lxc.init_cmd</option>
239 </term>
240 <listitem>
241 <para>
242 Absolute path from container rootfs to the binary to use as init.
243 </para>
244 </listitem>
245 </varlistentry>
67c660d0
SG		 246 </variablelist>
247 </refsect2>
248
dbca9237
PT		 249 <refsect2>
250 <title>Init ID</title>
251 <para>
252 Sets the UID/GID to use for the init system, and subsequent command, executed by lxc-execute.
253
254 These options are only used when lxc-execute is started in a private user namespace.
255
256 Defaults to: UID(0), GID(0)
257 </para>
258 <variablelist>
259 <varlistentry>
260 <term>
261 <option>lxc.init_uid</option>
262 </term>
263 <listitem>
264 <para>
265 UID to use within a private user namesapce for init.
266 </para>
267 </listitem>
268 </varlistentry>
269 <varlistentry>
270 <term>
271 <option>lxc.init_gid</option>
272 </term>
273 <listitem>
274 <para>
275 GID to use within a private user namesapce for init.
276 </para>
277 </listitem>
278 </varlistentry>
279 </variablelist>
280 </refsect2>
281
4e6eb26b
CB		 282 <refsect2>
283 <title>Ephemeral</title>
284 <para>
285 Allows one to specify whether a container will be destroyed on shutdown.
286 </para>
287 <variablelist>
288 <varlistentry>
289 <term>
290 <option>lxc.ephemeral</option>
291 </term>
292 <listitem>
293 <para>
294 The only allowed values are 0 and 1. Set this to 1 to destroy a
295 container on shutdown.
296 </para>
297 </listitem>
298 </varlistentry>
299 </variablelist>
300 </refsect2>
301
55fc19a1
SG		 302 <refsect2>
303 <title>Network</title>
304 <para>
c464fd7e
SG		 305 The network section defines how the network is virtualized in
306 the container. The network virtualization acts at layer
307 two. In order to use the network virtualization, parameters
308 must be specified to define the network interfaces of the
309 container. Several virtual interfaces can be assigned and used
310 in a container even if the system has only one physical
311 network interface.
55fc19a1
SG		 312 </para>
313 <variablelist>
c464fd7e
SG		 314 <varlistentry>
315 <term>
316 <option>lxc.network.type</option>
317 </term>
318 <listitem>
319 <para>
320 specify what kind of network virtualization to be used
321 for the container. Each time
322 a <option>lxc.network.type</option> field is found a new
323 round of network configuration begins. In this way,
324 several network virtualization types can be specified
325 for the same container, as well as assigning several
326 network interfaces for one container. The different
327 virtualization types can be:
328 </para>
329
330 <para>
331 <option>none:</option> will cause the container to share
332 the host's network namespace. This means the host
333 network devices are usable in the container. It also
334 means that if both the container and host have upstart as
335 init, 'halt' in a container (for instance) will shut down the
336 host.
337 </para>
338
339 <para>
340 <option>empty:</option> will create only the loopback
341 interface.
342 </para>
343
344 <para>
38005c54
MA		 345 <option>veth:</option> a virtual ethernet pair
346 device is created with one side assigned to the container
347 and the other side attached to a bridge specified by
348 the <option>lxc.network.link</option> option.
349 If the bridge is not specified, then the veth pair device
350 will be created but not attached to any bridge.
351 Otherwise, the bridge has to be created on the system
352 before starting the container.
353 <command>lxc</command> won't handle any
354 configuration outside of the container.
355 By default, <command>lxc</command> chooses a name for the
c464fd7e 356 network device belonging to the outside of the
38005c54
MA		 357 container, but if you wish to handle
358 this name yourselves, you can tell <command>lxc</command>
c464fd7e
SG		 359 to set a specific name with
360 the <option>lxc.network.veth.pair</option> option (except for
361 unprivileged containers where this option is ignored for security
362 reasons).
363 </para>
364
365 <para>
366 <option>vlan:</option> a vlan interface is linked with
367 the interface specified by
368 the <option>lxc.network.link</option> and assigned to
369 the container. The vlan identifier is specified with the
370 option <option>lxc.network.vlan.id</option>.
371 </para>
372
373 <para>
374 <option>macvlan:</option> a macvlan interface is linked
375 with the interface specified by
376 the <option>lxc.network.link</option> and assigned to
377 the container.
378 <option>lxc.network.macvlan.mode</option> specifies the
379 mode the macvlan will use to communicate between
380 different macvlan on the same upper device. The accepted
c15ea607
EL		 381 modes are <option>private</option>, <option>vepa</option>,
382 <option>bridge</option> and <option>passthru</option>.
383 In <option>private</option> mode, the device never
384 communicates with any other device on the same upper_dev (default).
385 In <option>vepa</option> mode, the new Virtual Ethernet Port
c464fd7e
SG		 386 Aggregator (VEPA) mode, it assumes that the adjacent
387 bridge returns all frames where both source and
388 destination are local to the macvlan port, i.e. the
389 bridge is set up as a reflective relay. Broadcast
390 frames coming in from the upper_dev get flooded to all
391 macvlan interfaces in VEPA mode, local frames are not
c15ea607 392 delivered locally. In <option>bridge</option> mode, it
c464fd7e
SG		 393 provides the behavior of a simple bridge between
394 different macvlan interfaces on the same port. Frames
395 from one interface to another one get delivered directly
396 and are not sent out externally. Broadcast frames get
397 flooded to all other bridge ports and to the external
398 interface, but when they come back from a reflective
399 relay, we don't deliver them again. Since we know all
400 the MAC addresses, the macvlan bridge mode does not
c15ea607
EL		 401 require learning or STP like the bridge module does. In
402 <option>passthru</option> mode, all frames received by
403 the physical interface are forwarded to the macvlan
404 interface. Only one macvlan interface in <option>passthru</option>
405 mode is possible for one physical interface.
c464fd7e
SG		 406 </para>
407
408 <para>
409 <option>phys:</option> an already existing interface
410 specified by the <option>lxc.network.link</option> is
411 assigned to the container.
412 </para>
413 </listitem>
414 </varlistentry>
415
416 <varlistentry>
417 <term>
418 <option>lxc.network.flags</option>
419 </term>
420 <listitem>
421 <para>
422 specify an action to do for the
423 network.
424 </para>
425
426 <para><option>up:</option> activates the interface.
427 </para>
428 </listitem>
429 </varlistentry>
430
431 <varlistentry>
432 <term>
433 <option>lxc.network.link</option>
434 </term>
435 <listitem>
436 <para>
437 specify the interface to be used for real network
438 traffic.
439 </para>
440 </listitem>
441 </varlistentry>
442
443 <varlistentry>
444 <term>
445 <option>lxc.network.mtu</option>
446 </term>
447 <listitem>
448 <para>
449 specify the maximum transfer unit for this interface.
450 </para>
451 </listitem>
452 </varlistentry>
453
454 <varlistentry>
455 <term>
456 <option>lxc.network.name</option>
457 </term>
458 <listitem>
459 <para>
460 the interface name is dynamically allocated, but if
461 another name is needed because the configuration files
462 being used by the container use a generic name,
463 eg. eth0, this option will rename the interface in the
464 container.
465 </para>
466 </listitem>
467 </varlistentry>
468
469 <varlistentry>
470 <term>
471 <option>lxc.network.hwaddr</option>
472 </term>
473 <listitem>
474 <para>
475 the interface mac address is dynamically allocated by
476 default to the virtual interface, but in some cases,
477 this is needed to resolve a mac address conflict or to
478 always have the same link-local ipv6 address.
479 Any "x" in address will be replaced by random value,
480 this allows setting hwaddr templates.
481 </para>
482 </listitem>
483 </varlistentry>
484
485 <varlistentry>
486 <term>
487 <option>lxc.network.ipv4</option>
488 </term>
489 <listitem>
490 <para>
491 specify the ipv4 address to assign to the virtualized
492 interface. Several lines specify several ipv4 addresses.
493 The address is in format x.y.z.t/m,
494 eg. 192.168.1.123/24. The broadcast address should be
495 specified on the same line, right after the ipv4
496 address.
497 </para>
498 </listitem>
499 </varlistentry>
500
501 <varlistentry>
502 <term>
503 <option>lxc.network.ipv4.gateway</option>
504 </term>
505 <listitem>
506 <para>
507 specify the ipv4 address to use as the gateway inside the
508 container. The address is in format x.y.z.t, eg.
509 192.168.1.123.
510
511 Can also have the special value <option>auto</option>,
512 which means to take the primary address from the bridge
513 interface (as specified by the
514 <option>lxc.network.link</option> option) and use that as
515 the gateway. <option>auto</option> is only available when
516 using the <option>veth</option> and
517 <option>macvlan</option> network types.
518 </para>
519 </listitem>
520 </varlistentry>
521
522
523 <varlistentry>
524 <term>
525 <option>lxc.network.ipv6</option>
526 </term>
527 <listitem>
528 <para>
529 specify the ipv6 address to assign to the virtualized
530 interface. Several lines specify several ipv6 addresses.
531 The address is in format x::y/m,
532 eg. 2003:db8:1:0:214:1234:fe0b:3596/64
533 </para>
534 </listitem>
535 </varlistentry>
536
537 <varlistentry>
538 <term>
539 <option>lxc.network.ipv6.gateway</option>
540 </term>
541 <listitem>
542 <para>
543 specify the ipv6 address to use as the gateway inside the
544 container. The address is in format x::y,
545 eg. 2003:db8:1:0::1
546
547 Can also have the special value <option>auto</option>,
548 which means to take the primary address from the bridge
549 interface (as specified by the
550 <option>lxc.network.link</option> option) and use that as
551 the gateway. <option>auto</option> is only available when
552 using the <option>veth</option> and
553 <option>macvlan</option> network types.
554 </para>
555 </listitem>
556 </varlistentry>
557
558 <varlistentry>
559 <term>
560 <option>lxc.network.script.up</option>
561 </term>
562 <listitem>
563 <para>
564 add a configuration option to specify a script to be
565 executed after creating and configuring the network used
566 from the host side. The following arguments are passed
567 to the script: container name and config section name
568 (net) Additional arguments depend on the config section
569 employing a script hook; the following are used by the
570 network system: execution context (up), network type
571 (empty/veth/macvlan/phys), Depending on the network
572 type, other arguments may be passed:
573 veth/macvlan/phys. And finally (host-sided) device name.
574 </para>
575 <para>
576 Standard output from the script is logged at debug level.
577 Standard error is not logged, but can be captured by the
578 hook redirecting its standard error to standard output.
579 </para>
580 </listitem>
581 </varlistentry>
582
583 <varlistentry>
584 <term>
585 <option>lxc.network.script.down</option>
586 </term>
587 <listitem>
588 <para>
589 add a configuration option to specify a script to be
590 executed before destroying the network used from the
591 host side. The following arguments are passed to the
592 script: container name and config section name (net)
593 Additional arguments depend on the config section
594 employing a script hook; the following are used by the
595 network system: execution context (down), network type
596 (empty/veth/macvlan/phys), Depending on the network
597 type, other arguments may be passed:
598 veth/macvlan/phys. And finally (host-sided) device name.
599 </para>
600 <para>
601 Standard output from the script is logged at debug level.
602 Standard error is not logged, but can be captured by the
603 hook redirecting its standard error to standard output.
604 </para>
605 </listitem>
606 </varlistentry>
55fc19a1
SG		 607 </variablelist>
608 </refsect2>
609
610 <refsect2>
611 <title>New pseudo tty instance (devpts)</title>
612 <para>
c464fd7e
SG		 613 For stricter isolation the container can have its own private
614 instance of the pseudo tty.
55fc19a1
SG		 615 </para>
616 <variablelist>
c464fd7e
SG		 617 <varlistentry>
618 <term>
619 <option>lxc.pts</option>
620 </term>
621 <listitem>
622 <para>
623 If set, the container will have a new pseudo tty
624 instance, making this private to it. The value specifies
55fc19a1
SG		 625 the maximum number of pseudo ttys allowed for a pts
626 instance (this limitation is not implemented yet).
c464fd7e
SG		 627 </para>
628 </listitem>
629 </varlistentry>
55fc19a1
SG		 630 </variablelist>
631 </refsect2>
632
633 <refsect2>
634 <title>Container system console</title>
635 <para>
c464fd7e
SG		 636 If the container is configured with a root filesystem and the
637 inittab file is setup to use the console, you may want to specify
638 where the output of this console goes.
55fc19a1
SG		 639 </para>
640 <variablelist>
c464fd7e
SG		 641 <varlistentry>
642 <term>
643 <option>lxc.console.logfile</option>
644 </term>
645 <listitem>
646 <para>
647 Specify a path to a file where the console output will
648 be written.
649 </para>
650 </listitem>
651 </varlistentry>
652 <varlistentry>
653 <term>
654 <option>lxc.console</option>
655 </term>
656 <listitem>
657 <para>
658 Specify a path to a device to which the console will be
659 attached. The keyword 'none' will simply disable the
660 console. This is dangerous once if have a rootfs with a
661 console device file where the application can write, the
662 messages will fall in the host.
663 </para>
664 </listitem>
665 </varlistentry>
55fc19a1
SG		 666 </variablelist>
667 </refsect2>
668
669 <refsect2>
670 <title>Console through the ttys</title>
671 <para>
c464fd7e
SG		 672 This option is useful if the container is configured with a root
673 filesystem and the inittab file is setup to launch a getty on the
674 ttys. The option specifies the number of ttys to be available for
675 the container. The number of gettys in the inittab file of the
676 container should not be greater than the number of ttys specified
677 in this option, otherwise the excess getty sessions will die and
678 respawn indefinitely giving annoying messages on the console or in
679 <filename>/var/log/messages</filename>.
55fc19a1
SG		 680 </para>
681 <variablelist>
c464fd7e
SG		 682 <varlistentry>
683 <term>
684 <option>lxc.tty</option>
685 </term>
686 <listitem>
687 <para>
688 Specify the number of tty to make available to the
689 container.
690 </para>
691 </listitem>
692 </varlistentry>
55fc19a1
SG		 693 </variablelist>
694 </refsect2>
695
696 <refsect2>
697 <title>Console devices location</title>
698 <para>
699 LXC consoles are provided through Unix98 PTYs created on the
c464fd7e
SG		 700 host and bind-mounted over the expected devices in the container.
701 By default, they are bind-mounted over <filename>/dev/console</filename>
702 and <filename>/dev/ttyN</filename>. This can prevent package upgrades
703 in the guest. Therefore you can specify a directory location (under
704 <filename>/dev</filename> under which LXC will create the files and
705 bind-mount over them. These will then be symbolically linked to
706 <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
707 A package upgrade can then succeed as it is able to remove and replace
708 the symbolic links.
55fc19a1
SG		 709 </para>
710 <variablelist>
c464fd7e
SG		 711 <varlistentry>
712 <term>
713 <option>lxc.devttydir</option>
714 </term>
715 <listitem>
716 <para>
717 Specify a directory under <filename>/dev</filename>
718 under which to create the container console devices.
719 </para>
720 </listitem>
721 </varlistentry>
55fc19a1
SG		 722 </variablelist>
723 </refsect2>
724
725 <refsect2>
726 <title>/dev directory</title>
727 <para>
c464fd7e
SG		 728 By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr)
729 in the container's <filename>/dev</filename> directory but does not
730 automatically create device node entries. This allows the container's
731 <filename>/dev</filename> to be set up as needed in the container
732 rootfs. If lxc.autodev is set to 1, then after mounting the container's
733 rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
734 (limited to 100k) and fill in a minimal set of initial devices.
55fc19a1
SG		 735 This is generally required when starting a container containing
736 a "systemd" based "init" but may be optional at other times. Additional
737 devices in the containers /dev directory may be created through the
738 use of the <option>lxc.hook.autodev</option> hook.
739 </para>
740 <variablelist>
c464fd7e
SG		 741 <varlistentry>
742 <term>
743 <option>lxc.autodev</option>
744 </term>
745 <listitem>
746 <para>
124fa0a8 747 Set this to 0 to stop LXC from mounting and populating a minimal
c464fd7e
SG		 748 <filename>/dev</filename> when starting the container.
749 </para>
750 </listitem>
751 </varlistentry>
55fc19a1
SG		 752 </variablelist>
753 </refsect2>
754
755 <refsect2>
756 <title>Enable kmsg symlink</title>
757 <para>
d89de239 758 Enable creating /dev/kmsg as symlink to /dev/console. This defaults to 0.
55fc19a1
SG		 759 </para>
760 <variablelist>
761 <varlistentry>
762 <term>
763 <option>lxc.kmsg</option>
764 </term>
765 <listitem>
766 <para>
d89de239 767 Set this to 1 to enable /dev/kmsg symlinking.
55fc19a1
SG		 768 </para>
769 </listitem>
770 </varlistentry>
771 </variablelist>
772 </refsect2>
773
774 <refsect2>
775 <title>Mount points</title>
776 <para>
c464fd7e
SG		 777 The mount points section specifies the different places to be
778 mounted. These mount points will be private to the container
779 and won't be visible by the processes running outside of the
780 container. This is useful to mount /etc, /var or /home for
781 examples.
55fc19a1 782 </para>
592fd47a
SH		 783 <para>
784 NOTE - LXC will generally ensure that mount targets and relative
785 bind-mount sources are properly confined under the container
786 root, to avoid attacks involving over-mounting host directories
787 and files. (Symbolic links in absolute mount sources are ignored)
788 However, if the container configuration first mounts a directory which
789 is under the control of the container user, such as /home/joe, into
790 the container at some <filename>path</filename>, and then mounts
791 under <filename>path</filename>, then a TOCTTOU attack would be
792 possible where the container user modifies a symbolic link under
793 his home directory at just the right time.
794 </para>
55fc19a1 795 <variablelist>
c464fd7e
SG		 796 <varlistentry>
797 <term>
798 <option>lxc.mount</option>
799 </term>
800 <listitem>
801 <para>
802 specify a file location in
803 the <filename>fstab</filename> format, containing the
804 mount information. The mount target location can and in
805 most cases should be a relative path, which will become
806 relative to the mounted container root. For instance,
807 </para>
6191f4f4
SH		 808<screen>
809proc proc proc nodev,noexec,nosuid 0 0
810</screen>
c464fd7e
SG		 811 <para>
812 Will mount a proc filesystem under the container's /proc,
813 regardless of where the root filesystem comes from. This
814 is resilient to block device backed filesystems as well as
815 container cloning.
816 </para>
817 <para>
818 Note that when mounting a filesystem from an
819 image file or block device the third field (fs_vfstype)
820 cannot be auto as with
55fc19a1 821 <citerefentry>
c464fd7e 822 <refentrytitle>mount</refentrytitle>
55fc19a1
SG		 823 <manvolnum>8</manvolnum>
824 </citerefentry>
825 but must be explicitly specified.
c464fd7e
SG		 826 </para>
827 </listitem>
828 </varlistentry>
829
830 <varlistentry>
831 <term>
832 <option>lxc.mount.entry</option>
833 </term>
834 <listitem>
835 <para>
836 specify a mount point corresponding to a line in the
837 fstab format.
f5b67b36
NC		 838
839 Moreover lxc add two options to mount.
840 <option>optional</option> don't fail if mount does not work.
841 <option>create=dir</option> or <option>create=file</option>
842 to create dir (or file) when the point will be mounted.
c464fd7e
SG		 843 </para>
844 </listitem>
845 </varlistentry>
846
847 <varlistentry>
848 <term>
849 <option>lxc.mount.auto</option>
850 </term>
851 <listitem>
852 <para>
853 specify which standard kernel file systems should be
854 automatically mounted. This may dramatically simplify
855 the configuration. The file systems are:
856 </para>
857 <itemizedlist>
858 <listitem>
859 <para>
860 <option>proc:mixed</option> (or <option>proc</option>):
861 mount <filename>/proc</filename> as read-write, but
862 remount <filename>/proc/sys</filename> and
863 <filename>/proc/sysrq-trigger</filename> read-only
864 for security / container isolation purposes.
865 </para>
866 </listitem>
867 <listitem>
868 <para>
869 <option>proc:rw</option>: mount
870 <filename>/proc</filename> as read-write
871 </para>
872 </listitem>
873 <listitem>
874 <para>
f24a52d5
SG		 875 <option>sys:mixed</option> (or <option>sys</option>):
876 mount <filename>/sys</filename> as read-only but with
877 /sys/devices/virtual/net writable.
878 </para>
879 </listitem>
880 <listitem>
881 <para>
882 <option>sys:ro</option>:
c464fd7e
SG		 883 mount <filename>/sys</filename> as read-only
884 for security / container isolation purposes.
885 </para>
886 </listitem>
887 <listitem>
888 <para>
889 <option>sys:rw</option>: mount
890 <filename>/sys</filename> as read-write
891 </para>
892 </listitem>
893 <listitem>
894 <para>
895 <option>cgroup:mixed</option>:
896 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
897 create directories for all hierarchies to which
898 the container is added, create subdirectories
899 there with the name of the cgroup, and bind-mount
900 the container's own cgroup into that directory.
901 The container will be able to write to its own
902 cgroup directory, but not the parents, since they
903 will be remounted read-only
904 </para>
905 </listitem>
906 <listitem>
907 <para>
908 <option>cgroup:ro</option>: similar to
909 <option>cgroup:mixed</option>, but everything will
910 be mounted read-only.
911 </para>
912 </listitem>
913 <listitem>
914 <para>
915 <option>cgroup:rw</option>: similar to
916 <option>cgroup:mixed</option>, but everything will
917 be mounted read-write. Note that the paths leading
918 up to the container's own cgroup will be writable,
919 but will not be a cgroup filesystem but just part
920 of the tmpfs of <filename>/sys/fs/cgroup</filename>
921 </para>
922 </listitem>
923 <listitem>
924 <para>
925 <option>cgroup</option> (without specifier):
926 defaults to <option>cgroup:rw</option> if the
927 container retains the CAP_SYS_ADMIN capability,
928 <option>cgroup:mixed</option> otherwise.
929 </para>
930 </listitem>
931 <listitem>
932 <para>
933 <option>cgroup-full:mixed</option>:
934 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
935 create directories for all hierarchies to which
936 the container is added, bind-mount the hierarchies
937 from the host to the container and make everything
938 read-only except the container's own cgroup. Note
939 that compared to <option>cgroup</option>, where
940 all paths leading up to the container's own cgroup
941 are just simple directories in the underlying
942 tmpfs, here
943 <filename>/sys/fs/cgroup/$hierarchy</filename>
944 will contain the host's full cgroup hierarchy,
945 albeit read-only outside the container's own cgroup.
946 This may leak quite a bit of information into the
947 container.
948 </para>
949 </listitem>
950 <listitem>
951 <para>
952 <option>cgroup-full:ro</option>: similar to
953 <option>cgroup-full:mixed</option>, but everything
954 will be mounted read-only.
955 </para>
956 </listitem>
957 <listitem>
958 <para>
959 <option>cgroup-full:rw</option>: similar to
960 <option>cgroup-full:mixed</option>, but everything
961 will be mounted read-write. Note that in this case,
962 the container may escape its own cgroup. (Note also
963 that if the container has CAP_SYS_ADMIN support
964 and can mount the cgroup filesystem itself, it may
965 do so anyway.)
966 </para>
967 </listitem>
968 <listitem>
969 <para>
970 <option>cgroup-full</option> (without specifier):
971 defaults to <option>cgroup-full:rw</option> if the
972 container retains the CAP_SYS_ADMIN capability,
973 <option>cgroup-full:mixed</option> otherwise.
974 </para>
975 </listitem>
976 </itemizedlist>
977 <para>
978 Note that if automatic mounting of the cgroup filesystem
979 is enabled, the tmpfs under
980 <filename>/sys/fs/cgroup</filename> will always be
981 mounted read-write (but for the <option>:mixed</option>
982 and <option>:ro</option> cases, the individual
983 hierarchies,
984 <filename>/sys/fs/cgroup/$hierarchy</filename>, will be
985 read-only). This is in order to work around a quirk in
986 Ubuntu's
b46f0553 987 <citerefentry>
c464fd7e 988 <refentrytitle>mountall</refentrytitle>
b46f0553
CS		 989 <manvolnum>8</manvolnum>
990 </citerefentry>
c464fd7e
SG		 991 command that will cause containers to wait for user
992 input at boot if
993 <filename>/sys/fs/cgroup</filename> is mounted read-only
994 and the container can't remount it read-write due to a
995 lack of CAP_SYS_ADMIN.
996 </para>
997 <para>
998 Examples:
999 </para>
1000 <programlisting>
1001 lxc.mount.auto = proc sys cgroup
1002 lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
1003 </programlisting>
1004 </listitem>
1005 </varlistentry>
55fc19a1
SG		 1006
1007 </variablelist>
1008 </refsect2>
1009
1010 <refsect2>
1011 <title>Root file system</title>
1012 <para>
c464fd7e
SG		 1013 The root file system of the container can be different than that
1014 of the host system.
55fc19a1
SG		 1015 </para>
1016 <variablelist>
c464fd7e
SG		 1017 <varlistentry>
1018 <term>
1019 <option>lxc.rootfs</option>
1020 </term>
1021 <listitem>
1022 <para>
1023 specify the root file system for the container. It can
1024 be an image file, a directory or a block device. If not
1025 specified, the container shares its root file system
1026 with the host.
1027 </para>
1028 <para>
f1c26f2c
SH		 1029 For directory or simple block-device backed containers,
1030 a pathname can be used. If the rootfs is backed by a nbd
1031 device, then <filename>nbd:file:1</filename> specifies that
1032 <filename>file</filename> should be attached to a nbd device,
1033 and partition 1 should be mounted as the rootfs.
1034 <filename>nbd:file</filename> specifies that the nbd device
1035 itself should be mounted. <filename>overlayfs:/lower:/upper</filename>
1036 specifies that the rootfs should be an overlay with <filename>/upper</filename>
1037 being mounted read-write over a read-only mount of <filename>/lower</filename>.
1038 <filename>aufs:/lower:/upper</filename> does the same using aufs in place
1039 of overlayfs. <filename>loop:/file</filename> tells lxc to attach
1040 <filename>/file</filename> to a loop device and mount the loop device.
c464fd7e
SG		 1041 </para>
1042 </listitem>
1043 </varlistentry>
1044
1045 <varlistentry>
1046 <term>
1047 <option>lxc.rootfs.mount</option>
1048 </term>
1049 <listitem>
1050 <para>
1051 where to recursively bind <option>lxc.rootfs</option>
1052 before pivoting. This is to ensure success of the
1053 <citerefentry>
1054 <refentrytitle><command>pivot_root</command></refentrytitle>
1055 <manvolnum>8</manvolnum>
1056 </citerefentry>
1057 syscall. Any directory suffices, the default should
1058 generally work.
1059 </para>
1060 </listitem>
1061 </varlistentry>
1062
1063 <varlistentry>
1064 <term>
1065 <option>lxc.rootfs.options</option>
1066 </term>
1067 <listitem>
1068 <para>
1069 extra mount options to use when mounting the rootfs.
1070 </para>
1071 </listitem>
1072 </varlistentry>
a17b1e65 1073
55fc19a1
SG		 1074 </variablelist>
1075 </refsect2>
1076
1077 <refsect2>
1078 <title>Control group</title>
1079 <para>
c464fd7e
SG		 1080 The control group section contains the configuration for the
1081 different subsystem. <command>lxc</command> does not check the
1082 correctness of the subsystem name. This has the disadvantage
1083 of not detecting configuration errors until the container is
1084 started, but has the advantage of permitting any future
1085 subsystem.
55fc19a1
SG		 1086 </para>
1087 <variablelist>
c464fd7e
SG		 1088 <varlistentry>
1089 <term>
1090 <option>lxc.cgroup.[subsystem name]</option>
1091 </term>
1092 <listitem>
1093 <para>
1094 specify the control group value to be set. The
1095 subsystem name is the literal name of the control group
1096 subsystem. The permitted names and the syntax of their
1097 values is not dictated by LXC, instead it depends on the
1098 features of the Linux kernel running at the time the
1099 container is started,
1100 eg. <option>lxc.cgroup.cpuset.cpus</option>
1101 </para>
1102 </listitem>
1103 </varlistentry>
55fc19a1
SG		 1104 </variablelist>
1105 </refsect2>
1106
1107 <refsect2>
1108 <title>Capabilities</title>
1109 <para>
c464fd7e
SG		 1110 The capabilities can be dropped in the container if this one
1111 is run as root.
55fc19a1
SG		 1112 </para>
1113 <variablelist>
c464fd7e
SG		 1114 <varlistentry>
1115 <term>
1116 <option>lxc.cap.drop</option>
1117 </term>
1118 <listitem>
1119 <para>
1120 Specify the capability to be dropped in the container. A
1121 single line defining several capabilities with a space
1122 separation is allowed. The format is the lower case of
1123 the capability definition without the "CAP_" prefix,
1124 eg. CAP_SYS_MODULE should be specified as
1125 sys_module. See
1126 <citerefentry>
1127 <refentrytitle><command>capabilities</command></refentrytitle>
1128 <manvolnum>7</manvolnum>
1129 </citerefentry>,
1130 </para>
1131 </listitem>
1132 </varlistentry>
1133 <varlistentry>
1134 <term>
1135 <option>lxc.cap.keep</option>
1136 </term>
1137 <listitem>
1138 <para>
1139 Specify the capability to be kept in the container. All other
1140 capabilities will be dropped. When a special value of "none" is
1141 encountered, lxc will clear any keep capabilities specified up
1142 to this point. A value of "none" alone can be used to drop all
1143 capabilities.
1144 </para>
1145 </listitem>
1146 </varlistentry>
55fc19a1
SG		 1147 </variablelist>
1148 </refsect2>
1149
1150 <refsect2>
1151 <title>Apparmor profile</title>
1152 <para>
c464fd7e
SG		 1153 If lxc was compiled and installed with apparmor support, and the host
1154 system has apparmor enabled, then the apparmor profile under which the
1155 container should be run can be specified in the container
1156 configuration. The default is <command>lxc-container-default</command>.
55fc19a1
SG		 1157 </para>
1158 <variablelist>
c464fd7e
SG		 1159 <varlistentry>
1160 <term>
1161 <option>lxc.aa_profile</option>
1162 </term>
1163 <listitem>
1164 <para>
1165 Specify the apparmor profile under which the container should
1166 be run. To specify that the container should be unconfined,
1167 use
1168 </para>
1169 <programlisting>lxc.aa_profile = unconfined</programlisting>
1170 </listitem>
1171 </varlistentry>
1172 <varlistentry>
1173 <term>
1174 <option>lxc.aa_allow_incomplete</option>
1175 </term>
1176 <listitem>
1177 <para>
1178 Apparmor profiles are pathname based. Therefore many file
1179 restrictions require mount restrictions to be effective against
1180 a determined attacker. However, these mount restrictions are not
1181 yet implemented in the upstream kernel. Without the mount
1182 restrictions, the apparmor profiles still protect against accidental
1183 damager.
1184 </para>
1185 <para>
1186 If this flag is 0 (default), then the container will not be
1187 started if the kernel lacks the apparmor mount features, so that a
1188 regression after a kernel upgrade will be detected. To start the
1189 container under partial apparmor protection, set this flag to 1.
1190 </para>
1191 </listitem>
1192 </varlistentry>
55fc19a1
SG		 1193 </variablelist>
1194 </refsect2>
1195
1196 <refsect2>
1197 <title>SELinux context</title>
1198 <para>
c464fd7e
SG		 1199 If lxc was compiled and installed with SELinux support, and the host
1200 system has SELinux enabled, then the SELinux context under which the
1201 container should be run can be specified in the container
1202 configuration. The default is <command>unconfined_t</command>,
1203 which means that lxc will not attempt to change contexts.
1204 See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
1205 information.
55fc19a1
SG		 1206 </para>
1207 <variablelist>
c464fd7e
SG		 1208 <varlistentry>
1209 <term>
1210 <option>lxc.se_context</option>
1211 </term>
1212 <listitem>
1213 <para>
1214 Specify the SELinux context under which the container should
1215 be run or <command>unconfined_t</command>. For example
1216 </para>
1217 <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting>
1218 </listitem>
1219 </varlistentry>
55fc19a1
SG		 1220 </variablelist>
1221 </refsect2>
1222
1223 <refsect2>
1224 <title>Seccomp configuration</title>
1225 <para>
1226 A container can be started with a reduced set of available
c464fd7e
SG		 1227 system calls by loading a seccomp profile at startup. The
1228 seccomp configuration file must begin with a version number
1229 on the first line, a policy type on the second line, followed
1230 by the configuration.
55fc19a1 1231 </para>
a7c27357
SH		 1232 <para>
1233 Versions 1 and 2 are currently supported. In version 1, the
c464fd7e
SG		 1234 policy is a simple whitelist. The second line therefore must
1235 read "whitelist", with the rest of the file containing one (numeric)
1236 sycall number per line. Each syscall number is whitelisted,
1237 while every unlisted number is blacklisted for use in the container
a7c27357
SH		 1238 </para>
1239
1240 <para>
1241 In version 2, the policy may be blacklist or whitelist,
1242 supports per-rule and per-policy default actions, and supports
1243 per-architecture system call resolution from textual names.
1244 </para>
1245 <para>
1246 An example blacklist policy, in which all system calls are
1247 allowed except for mknod, which will simply do nothing and
1248 return 0 (success), looks like:
1249 </para>
1250<screen>
12512
1252blacklist
1253mknod errno 0
1254</screen>
55fc19a1 1255 <variablelist>
c464fd7e
SG		 1256 <varlistentry>
1257 <term>
1258 <option>lxc.seccomp</option>
1259 </term>
1260 <listitem>
1261 <para>
1262 Specify a file containing the seccomp configuration to
1263 load before the container starts.
1264 </para>
1265 </listitem>
1266 </varlistentry>
55fc19a1
SG		 1267 </variablelist>
1268 </refsect2>
1269
1270 <refsect2>
1271 <title>UID mappings</title>
1272 <para>
1273 A container can be started in a private user namespace with
c464fd7e
SG		 1274 user and group id mappings. For instance, you can map userid
1275 0 in the container to userid 200000 on the host. The root
1276 user in the container will be privileged in the container,
1277 but unprivileged on the host. Normally a system container
1278 will want a range of ids, so you would map, for instance,
1279 user and group ids 0 through 20,000 in the container to the
1280 ids 200,000 through 220,000.
55fc19a1
SG		 1281 </para>
1282 <variablelist>
c464fd7e
SG		 1283 <varlistentry>
1284 <term>
1285 <option>lxc.id_map</option>
1286 </term>
1287 <listitem>
1288 <para>
1289 Four values must be provided. First a character, either
1290 'u', or 'g', to specify whether user or group ids are
1291 being mapped. Next is the first userid as seen in the
1292 user namespace of the container. Next is the userid as
1293 seen on the host. Finally, a range indicating the number
1294 of consecutive ids to map.
1295 </para>
1296 </listitem>
1297 </varlistentry>
55fc19a1
SG		 1298 </variablelist>
1299 </refsect2>
1300
1301 <refsect2>
1302 <title>Container hooks</title>
1303 <para>
1304 Container hooks are programs or scripts which can be executed
c464fd7e 1305 at various times in a container's lifetime.
55fc19a1
SG		 1306 </para>
1307 <para>
1308 When a container hook is executed, information is passed both
c464fd7e
SG		 1309 as command line arguments and through environment variables.
1310 The arguments are:
1311 <itemizedlist>
1312 <listitem><para> Container name. </para></listitem>
1313 <listitem><para> Section (always 'lxc'). </para></listitem>
1314 <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
0a2b5ab1 1315 <listitem><para> Additional arguments. In the
c464fd7e 1316 case of the clone hook, any extra arguments passed to
0a2b5ab1
WB		 1317 lxc-clone will appear as further arguments to the hook.
1318 In the case of the stop hook, paths to filedescriptors
1319 for each of the container's namespaces along with their types
1320 are passed. </para></listitem>
c464fd7e
SG		 1321 </itemizedlist>
1322 The following environment variables are set:
1323 <itemizedlist>
1324 <listitem><para> LXC_NAME: is the container's name. </para></listitem>
1325 <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
1326 <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
1327 <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
1328 <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
1329 </itemizedlist>
55fc19a1
SG		 1330 </para>
1331 <para>
1332 Standard output from the hooks is logged at debug level.
1333 Standard error is not logged, but can be captured by the
1334 hook redirecting its standard error to standard output.
1335 </para>
1336 <variablelist>
c464fd7e
SG		 1337 <varlistentry>
1338 <term>
1339 <option>lxc.hook.pre-start</option>
1340 </term>
1341 <listitem>
1342 <para>
1343 A hook to be run in the host's namespace before the
1344 container ttys, consoles, or mounts are up.
1345 </para>
1346 </listitem>
1347 </varlistentry>
55fc19a1
SG		 1348 </variablelist>
1349 <variablelist>
c464fd7e
SG		 1350 <varlistentry>
1351 <term>
1352 <option>lxc.hook.pre-mount</option>
1353 </term>
1354 <listitem>
1355 <para>
1356 A hook to be run in the container's fs namespace but before
1357 the rootfs has been set up. This allows for manipulation
1358 of the rootfs, i.e. to mount an encrypted filesystem. Mounts
1359 done in this hook will not be reflected on the host (apart from
1360 mounts propagation), so they will be automatically cleaned up
1361 when the container shuts down.
1362 </para>
1363 </listitem>
1364 </varlistentry>
55fc19a1
SG		 1365 </variablelist>
1366 <variablelist>
c464fd7e
SG		 1367 <varlistentry>
1368 <term>
1369 <option>lxc.hook.mount</option>
1370 </term>
1371 <listitem>
1372 <para>
1373 A hook to be run in the container's namespace after
1374 mounting has been done, but before the pivot_root.
1375 </para>
1376 </listitem>
1377 </varlistentry>
55fc19a1
SG		 1378 </variablelist>
1379 <variablelist>
c464fd7e
SG		 1380 <varlistentry>
1381 <term>
1382 <option>lxc.hook.autodev</option>
1383 </term>
1384 <listitem>
1385 <para>
1386 A hook to be run in the container's namespace after
1387 mounting has been done and after any mount hooks have
1388 run, but before the pivot_root, if
1389 <option>lxc.autodev</option> == 1.
1390 The purpose of this hook is to assist in populating the
1391 /dev directory of the container when using the autodev
1392 option for systemd based containers. The container's /dev
1393 directory is relative to the
1394 ${<option>LXC_ROOTFS_MOUNT</option>} environment
1395 variable available when the hook is run.
1396 </para>
1397 </listitem>
1398 </varlistentry>
55fc19a1
SG		 1399 </variablelist>
1400 <variablelist>
c464fd7e
SG		 1401 <varlistentry>
1402 <term>
1403 <option>lxc.hook.start</option>
1404 </term>
1405 <listitem>
1406 <para>
1407 A hook to be run in the container's namespace immediately
1408 before executing the container's init. This requires the
1409 program to be available in the container.
1410 </para>
1411 </listitem>
1412 </varlistentry>
55fc19a1 1413 </variablelist>
0a2b5ab1
WB		 1414 <variablelist>
1415 <varlistentry>
1416 <term>
1417 <option>lxc.hook.stop</option>
1418 </term>
1419 <listitem>
1420 <para>
1421 A hook to be run in the host's namespace with references
1422 to the container's namespaces after the container has been shut
1423 down. For each namespace an extra argument is passed to the hook
1424 containing the namespace's type and a filename that can be used to
1425 obtain a file descriptor to the corresponding namespace, separated
1426 by a colon. The type is the name as it would appear in the
1427 <filename>/proc/PID/ns</filename> directory.
1428 For instance for the mount namespace the argument usually looks
1429 like <filename>mnt:/proc/PID/fd/12</filename>.
1430 </para>
1431 </listitem>
1432 </varlistentry>
1433 </variablelist>
55fc19a1 1434 <variablelist>
c464fd7e
SG		 1435 <varlistentry>
1436 <term>
1437 <option>lxc.hook.post-stop</option>
1438 </term>
1439 <listitem>
1440 <para>
1441 A hook to be run in the host's namespace after the
1442 container has been shut down.
1443 </para>
1444 </listitem>
1445 </varlistentry>
55fc19a1
SG		 1446 </variablelist>
1447 <variablelist>
c464fd7e
SG		 1448 <varlistentry>
1449 <term>
1450 <option>lxc.hook.clone</option>
1451 </term>
1452 <listitem>
1453 <para>
1454 A hook to be run when the container is cloned to a new one.
1455 See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
1456 <manvolnum>1</manvolnum></citerefentry> for more information.
1457 </para>
1458 </listitem>
1459 </varlistentry>
55fc19a1 1460 </variablelist>
37cf711b
SY		 1461 <variablelist>
1462 <varlistentry>
1463 <term>
1464 <option>lxc.hook.destroy</option>
1465 </term>
1466 <listitem>
1467 <para>
1468 A hook to be run when the container is destroyed.
1469 </para>
1470 </listitem>
1471 </varlistentry>
1472 </variablelist>
55fc19a1
SG		 1473 </refsect2>
1474
1475 <refsect2>
1476 <title>Container hooks Environment Variables</title>
1477 <para>
1478 A number of environment variables are made available to the startup
1479 hooks to provide configuration information and assist in the
1480 functioning of the hooks. Not all variables are valid in all
1481 contexts. In particular, all paths are relative to the host system
1482 and, as such, not valid during the <option>lxc.hook.start</option> hook.
1483 </para>
1484 <variablelist>
c464fd7e
SG		 1485 <varlistentry>
1486 <term>
1487 <option>LXC_NAME</option>
1488 </term>
1489 <listitem>
1490 <para>
1491 The LXC name of the container. Useful for logging messages
1492 in common log environments. [<option>-n</option>]
1493 </para>
1494 </listitem>
1495 </varlistentry>
55fc19a1
SG		 1496 </variablelist>
1497 <variablelist>
c464fd7e
SG		 1498 <varlistentry>
1499 <term>
1500 <option>LXC_CONFIG_FILE</option>
1501 </term>
1502 <listitem>
1503 <para>
1504 Host relative path to the container configuration file. This
1505 gives the container to reference the original, top level,
1506 configuration file for the container in order to locate any
1507 additional configuration information not otherwise made
1508 available. [<option>-f</option>]
1509 </para>
1510 </listitem>
1511 </varlistentry>
55fc19a1
SG		 1512 </variablelist>
1513 <variablelist>
c464fd7e
SG		 1514 <varlistentry>
1515 <term>
1516 <option>LXC_CONSOLE</option>
1517 </term>
1518 <listitem>
1519 <para>
1520 The path to the console output of the container if not NULL.
1521 [<option>-c</option>] [<option>lxc.console</option>]
1522 </para>
1523 </listitem>
1524 </varlistentry>
55fc19a1
SG		 1525 </variablelist>
1526 <variablelist>
c464fd7e
SG		 1527 <varlistentry>
1528 <term>
1529 <option>LXC_CONSOLE_LOGPATH</option>
1530 </term>
1531 <listitem>
1532 <para>
1533 The path to the console log output of the container if not NULL.
1534 [<option>-L</option>]
1535 </para>
1536 </listitem>
1537 </varlistentry>
55fc19a1
SG		 1538 </variablelist>
1539 <variablelist>
c464fd7e
SG		 1540 <varlistentry>
1541 <term>
1542 <option>LXC_ROOTFS_MOUNT</option>
1543 </term>
1544 <listitem>
1545 <para>
1546 The mount location to which the container is initially bound.
1547 This will be the host relative path to the container rootfs
1548 for the container instance being started and is where changes
1549 should be made for that instance.
1550 [<option>lxc.rootfs.mount</option>]
1551 </para>
1552 </listitem>
1553 </varlistentry>
55fc19a1
SG		 1554 </variablelist>
1555 <variablelist>
c464fd7e
SG		 1556 <varlistentry>
1557 <term>
1558 <option>LXC_ROOTFS_PATH</option>
1559 </term>
1560 <listitem>
1561 <para>
1562 The host relative path to the container root which has been
1563 mounted to the rootfs.mount location.
1564 [<option>lxc.rootfs</option>]
1565 </para>
1566 </listitem>
1567 </varlistentry>
55fc19a1 1568 </variablelist>
c154af98
SG		 1569 <variablelist>
1570 <varlistentry>
1571 <term>
1572 <option>LXC_TARGET</option>
1573 </term>
1574 <listitem>
1575 <para>
1576 Only for the stop hook. Is set to "stop" for a container
1577 shutdown or "reboot" for a container reboot.
1578 </para>
1579 </listitem>
1580 </varlistentry>
1581 </variablelist>
55fc19a1
SG		 1582 </refsect2>
1583 <refsect2>
1584 <title>Logging</title>
1585 <para>
1586 Logging can be configured on a per-container basis. By default,
1587 depending upon how the lxc package was compiled, container startup
1588 is logged only at the ERROR level, and logged to a file named after
1589 the container (with '.log' appended) either under the container path,
1590 or under @LOGPATH@.
1591 </para>
1592 <para>
1593 Both the default log level and the log file can be specified in the
1594 container configuration file, overriding the default behavior. Note
1595 that the configuration file entries can in turn be overridden by the
1596 command line options to <command>lxc-start</command>.
1597 </para>
1598 <variablelist>
c464fd7e
SG		 1599 <varlistentry>
1600 <term>
1601 <option>lxc.loglevel</option>
1602 </term>
1603 <listitem>
1604 <para>
1605 The level at which to log. The log level is an integer in
1606 the range of 0..8 inclusive, where a lower number means more
1607 verbose debugging. In particular 0 = trace, 1 = debug, 2 =
1608 info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
1609 alert, and 8 = fatal. If unspecified, the level defaults
1610 to 5 (error), so that only errors and above are logged.
1611 </para>
1612 <para>
1613 Note that when a script (such as either a hook script or a
1614 network interface up or down script) is called, the script's
1615 standard output is logged at level 1, debug.
1616 </para>
1617 </listitem>
1618 </varlistentry>
1619 <varlistentry>
1620 <term>
1621 <option>lxc.logfile</option>
1622 </term>
1623 <listitem>
1624 <para>
1625 The file to which logging info should be written.
1626 </para>
1627 </listitem>
1628 </varlistentry>
55fc19a1
SG		 1629 </variablelist>
1630 </refsect2>
1631
1632 <refsect2>
1633 <title>Autostart</title>
1634 <para>
1635 The autostart options support marking which containers should be
1636 auto-started and in what order. These options may be used by LXC tools
1637 directly or by external tooling provided by the distributions.
1638 </para>
1639
1640 <variablelist>
1641 <varlistentry>
1642 <term>
1643 <option>lxc.start.auto</option>
1644 </term>
1645 <listitem>
1646 <para>
1647 Whether the container should be auto-started.
1648 Valid values are 0 (off) and 1 (on).
1649 </para>
1650 </listitem>
1651 </varlistentry>
1652 <varlistentry>
1653 <term>
1654 <option>lxc.start.delay</option>
1655 </term>
1656 <listitem>
1657 <para>
1658 How long to wait (in seconds) after the container is
1659 started before starting the next one.
1660 </para>
1661 </listitem>
1662 </varlistentry>
1663 <varlistentry>
1664 <term>
1665 <option>lxc.start.order</option>
1666 </term>
1667 <listitem>
1668 <para>
1669 An integer used to sort the containers when auto-starting
1670 a series of containers at once.
1671 </para>
1672 </listitem>
1673 </varlistentry>
1674 <varlistentry>
1675 <term>
1676 <option>lxc.group</option>
1677 </term>
1678 <listitem>
1679 <para>
1680 A multi-value key (can be used multiple times) to put the
1681 container in a container group. Those groups can then be
1682 used (amongst other things) to start a series of related
1683 containers.
1684 </para>
1685 </listitem>
1686 </varlistentry>
1687 </variablelist>
1688 </refsect2>
015f0dd7
MW		 1689
1690 <refsect2>
1691 <title>Autostart and System Boot</title>
1692 <para>
1693 Each container can be part of any number of groups or no group at all.
1694 Two groups are special. One is the NULL group, i.e. the container does
1695 not belong to any group. The other group is the "onboot" group.
1696 </para>
1697
1698 <para>
1699 When the system boots with the LXC service enabled, it will first
1700 attempt to boot any containers with lxc.start.auto == 1 that is a member
1701 of the "onboot" group. The startup will be in order of lxc.start.order.
1702 If an lxc.start.delay has been specified, that delay will be honored
1703 before attempting to start the next container to give the current
1704 container time to begin initialization and reduce overloading the host
1705 system. After starting the members of the "onboot" group, the LXC system
1706 will proceed to boot containers with lxc.start.auto == 1 which are not
1707 members of any group (the NULL group) and proceed as with the onboot
1708 group.
1709 </para>
1710
1711 </refsect2>
7c661726
MP		 1712
1713 <refsect2>
1714 <title>Container Environment</title>
1715 <para>
c464fd7e
SG		 1716 If you want to pass environment variables into the container (that
1717 is, environment variables which will be available to init and all of
1718 its descendents), you can use <command>lxc.environment</command>
1719 parameters to do so. Be careful that you do not pass in anything
1720 sensitive; any process in the container which doesn't have its
1721 environment scrubbed will have these variables available to it, and
1722 environment variables are always available via
1723 <command>/proc/PID/environ</command>.
7c661726
MP		 1724 </para>
1725
1726 <para>
1727 This configuration parameter can be specified multiple times; once
1728 for each environment variable you wish to configure.
1729 </para>
1730
1731 <variablelist>
c464fd7e
SG		 1732 <varlistentry>
1733 <term>
1734 <option>lxc.environment</option>
1735 </term>
1736 <listitem>
1737 <para>
1738 Specify an environment variable to pass into the container.
1739 Example:
1740 </para>
1741 <programlisting>
1742 lxc.environment = APP_ENV=production
1743 lxc.environment = SYSLOG_SERVER=192.0.2.42
1744 </programlisting>
1745 </listitem>
1746 </varlistentry>
7c661726
MP		 1747 </variablelist>
1748 </refsect2>
1749
55fc19a1
SG		 1750 </refsect1>
1751
1752 <refsect1>
1753 <title>Examples</title>
1754 <para>
c464fd7e
SG		 1755 In addition to the few examples given below, you will find
1756 some other examples of configuration file in @DOCDIR@/examples
55fc19a1
SG		 1757 </para>
1758 <refsect2>
1759 <title>Network</title>
1760 <para>This configuration sets up a container to use a veth pair
c464fd7e
SG		 1761 device with one side plugged to a bridge br0 (which has been
1762 configured before on the system by the administrator). The
1763 virtual network device visible in the container is renamed to
1764 eth0.</para>
55fc19a1 1765 <programlisting>
c464fd7e
SG		 1766 lxc.utsname = myhostname
1767 lxc.network.type = veth
1768 lxc.network.flags = up
1769 lxc.network.link = br0
1770 lxc.network.name = eth0
1771 lxc.network.hwaddr = 4a:49:43:49:79:bf
1772 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1773 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
55fc19a1
SG		 1774 </programlisting>
1775 </refsect2>
1776
1777 <refsect2>
1778 <title>UID/GID mapping</title>
1779 <para>This configuration will map both user and group ids in the
1780 range 0-9999 in the container to the ids 100000-109999 on the host.
1781 </para>
1782 <programlisting>
c464fd7e
SG		 1783 lxc.id_map = u 0 100000 10000
1784 lxc.id_map = g 0 100000 10000
55fc19a1
SG		 1785 </programlisting>
1786 </refsect2>
1787
1788 <refsect2>
1789 <title>Control group</title>
1790 <para>This configuration will setup several control groups for
1791 the application, cpuset.cpus restricts usage of the defined cpu,
1792 cpus.share prioritize the control group, devices.allow makes
1793 usable the specified devices.</para>
1794 <programlisting>
c464fd7e
SG		 1795 lxc.cgroup.cpuset.cpus = 0,1
1796 lxc.cgroup.cpu.shares = 1234
1797 lxc.cgroup.devices.deny = a
1798 lxc.cgroup.devices.allow = c 1:3 rw
1799 lxc.cgroup.devices.allow = b 8:0 rw
55fc19a1
SG		 1800 </programlisting>
1801 </refsect2>
1802
1803 <refsect2>
1804 <title>Complex configuration</title>
1805 <para>This example show a complex configuration making a complex
1806 network stack, using the control groups, setting a new hostname,
1807 mounting some locations and a changing root file system.</para>
1808 <programlisting>
c464fd7e
SG		 1809 lxc.utsname = complex
1810 lxc.network.type = veth
1811 lxc.network.flags = up
1812 lxc.network.link = br0
1813 lxc.network.hwaddr = 4a:49:43:49:79:bf
1814 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1815 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
1816 lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
1817 lxc.network.type = macvlan
1818 lxc.network.flags = up
1819 lxc.network.link = eth0
1820 lxc.network.hwaddr = 4a:49:43:49:79:bd
1821 lxc.network.ipv4 = 10.2.3.4/24
1822 lxc.network.ipv4 = 192.168.10.125/24
1823 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
1824 lxc.network.type = phys
1825 lxc.network.flags = up
1826 lxc.network.link = dummy0
1827 lxc.network.hwaddr = 4a:49:43:49:79:ff
1828 lxc.network.ipv4 = 10.2.3.6/24
1829 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
1830 lxc.cgroup.cpuset.cpus = 0,1
1831 lxc.cgroup.cpu.shares = 1234
1832 lxc.cgroup.devices.deny = a
1833 lxc.cgroup.devices.allow = c 1:3 rw
1834 lxc.cgroup.devices.allow = b 8:0 rw
1835 lxc.mount = /etc/fstab.complex
1836 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
1837 lxc.rootfs = /mnt/rootfs.complex
1838 lxc.cap.drop = sys_module mknod setuid net_raw
1839 lxc.cap.drop = mac_override
55fc19a1
SG		 1840 </programlisting>
1841 </refsect2>
1842
1843 </refsect1>
1844
1845 <refsect1>
1846 <title>See Also</title>
1847 <simpara>
1848 <citerefentry>
c464fd7e
SG		 1849 <refentrytitle><command>chroot</command></refentrytitle>
1850 <manvolnum>1</manvolnum>
55fc19a1
SG		 1851 </citerefentry>,
1852
1853 <citerefentry>
c464fd7e
SG		 1854 <refentrytitle><command>pivot_root</command></refentrytitle>
1855 <manvolnum>8</manvolnum>
55fc19a1
SG		 1856 </citerefentry>,
1857
1858 <citerefentry>
c464fd7e
SG		 1859 <refentrytitle><filename>fstab</filename></refentrytitle>
1860 <manvolnum>5</manvolnum>
55fc19a1
SG		 1861 </citerefentry>,
1862
1863 <citerefentry>
c464fd7e
SG		 1864 <refentrytitle><filename>capabilities</filename></refentrytitle>
1865 <manvolnum>7</manvolnum>
55fc19a1
SG		 1866 </citerefentry>
1867 </simpara>
1868 </refsect1>
1869
1870 &seealso;
1871
1872 <refsect1>
1873 <title>Author</title>
1874 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
1875 </refsect1>
1876
1877</refentry>
1878
1879<!-- Keep this comment at the end of the file
1880Local variables:
1881mode: sgml
1882sgml-omittag:t
1883sgml-shorttag:t
1884sgml-minimize-attributes:nil
1885sgml-always-quote-attributes:t
1886sgml-indent-step:2
1887sgml-indent-data:t
1888sgml-parent-document:nil
1889sgml-default-dtd-file:nil
1890sgml-exposed-tags:nil
1891sgml-local-catalogs:nil
1892sgml-local-ecat-files:nil
1893End:
1894-->
LXC mirror