]> git.proxmox.com Git - mirror_lxc.git/blame - doc/lxc.container.conf.sgml.in
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
yet another problem with new overlay fs
[mirror_lxc.git] / doc / lxc.container.conf.sgml.in
CommitLineData
55fc19a1
SG		 1<!--
2
3lxc: linux Container library
4
5(C) Copyright IBM Corp. 2007, 2008
6
7Authors:
8Daniel Lezcano <daniel.lezcano at free.fr>
9
10This library is free software; you can redistribute it and/or
11modify it under the terms of the GNU Lesser General Public
12License as published by the Free Software Foundation; either
13version 2.1 of the License, or (at your option) any later version.
14
15This library is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18Lesser General Public License for more details.
19
20You should have received a copy of the GNU Lesser General Public
21License along with this library; if not, write to the Free Software
22Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23
24-->
25
26<!DOCTYPE refentry PUBLIC @docdtd@ [
27
28<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
29]>
30
31<refentry>
32
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
34
35 <refmeta>
36 <refentrytitle>lxc.container.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
38 </refmeta>
39
40 <refnamediv>
41 <refname>lxc.container.conf</refname>
42
43 <refpurpose>
44 LXC container configuration file
45 </refpurpose>
46 </refnamediv>
47
48 <refsect1>
49 <title>Description</title>
50
51 <para>
52 The linux containers (<command>lxc</command>) are always created
53 before being used. This creation defines a set of system
54 resources to be virtualized / isolated when a process is using
55 the container. By default, the pids, sysv ipc and mount points
56 are virtualized and isolated. The other system resources are
57 shared across containers, until they are explicitly defined in
58 the configuration file. For example, if there is no network
59 configuration, the network will be shared between the creator of
60 the container and the container itself, but if the network is
61 specified, a new network stack is created for the container and
62 the container can no longer use the network of its ancestor.
63 </para>
64
65 <para>
66 The configuration file defines the different system resources to
67 be assigned for the container. At present, the utsname, the
68 network, the mount points, the root file system, the user namespace,
69 and the control groups are supported.
70 </para>
71
72 <para>
73 Each option in the configuration file has the form <command>key
74 = value</command> fitting in one line. The '#' character means
75 the line is a comment.
76 </para>
77
78 <refsect2>
79 <title>Configuration</title>
80 <para>
c464fd7e
SG		 81 In order to ease administration of multiple related containers, it
82 is possible to have a container configuration file cause another
83 file to be loaded. For instance, network configuration
84 can be defined in one common file which is included by multiple
85 containers. Then, if the containers are moved to another host,
86 only one file may need to be updated.
55fc19a1
SG		 87 </para>
88
89 <variablelist>
c464fd7e
SG		 90 <varlistentry>
91 <term>
92 <option>lxc.include</option>
93 </term>
94 <listitem>
95 <para>
96 Specify the file to be included. The included file must be
97 in the same valid lxc configuration file format.
98 </para>
99 </listitem>
100 </varlistentry>
55fc19a1
SG		 101 </variablelist>
102 </refsect2>
103
104 <refsect2>
105 <title>Architecture</title>
106 <para>
c464fd7e
SG		 107 Allows one to set the architecture for the container. For example,
108 set a 32bits architecture for a container running 32bits
109 binaries on a 64bits host. This fixes the container scripts
110 which rely on the architecture to do some work like
111 downloading the packages.
55fc19a1
SG		 112 </para>
113
114 <variablelist>
c464fd7e
SG		 115 <varlistentry>
116 <term>
117 <option>lxc.arch</option>
118 </term>
119 <listitem>
120 <para>
121 Specify the architecture for the container.
122 </para>
123 <para>
124 Valid options are
125 <option>x86</option>,
126 <option>i686</option>,
127 <option>x86_64</option>,
128 <option>amd64</option>
129 </para>
130 </listitem>
131 </varlistentry>
55fc19a1
SG		 132 </variablelist>
133
134 </refsect2>
135
136 <refsect2>
137 <title>Hostname</title>
138 <para>
c464fd7e
SG		 139 The utsname section defines the hostname to be set for the
140 container. That means the container can set its own hostname
141 without changing the one from the system. That makes the
142 hostname private for the container.
55fc19a1
SG		 143 </para>
144 <variablelist>
c464fd7e
SG		 145 <varlistentry>
146 <term>
147 <option>lxc.utsname</option>
148 </term>
149 <listitem>
150 <para>
151 specify the hostname for the container
152 </para>
153 </listitem>
154 </varlistentry>
55fc19a1
SG		 155 </variablelist>
156 </refsect2>
157
158 <refsect2>
159 <title>Halt signal</title>
160 <para>
161 Allows one to specify signal name or number, sent by lxc-stop to the
162 container's init process to cleanly shutdown the container. Different
163 init systems could use different signals to perform clean shutdown
164 sequence. This option allows the signal to be specified in kill(1)
165 fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The
166 default signal is SIGPWR.
167 </para>
168 <variablelist>
169 <varlistentry>
170 <term>
171 <option>lxc.haltsignal</option>
172 </term>
173 <listitem>
174 <para>
175 specify the signal used to halt the container
176 </para>
177 </listitem>
178 </varlistentry>
179 </variablelist>
180 </refsect2>
181
182 <refsect2>
183 <title>Stop signal</title>
184 <para>
185 Allows one to specify signal name or number, sent by lxc-stop to forcibly
186 shutdown the container. This option allows signal to be specified in
187 kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number.
188 The default signal is SIGKILL.
189 </para>
190 <variablelist>
191 <varlistentry>
192 <term>
193 <option>lxc.stopsignal</option>
194 </term>
195 <listitem>
196 <para>
197 specify the signal used to stop the container
198 </para>
199 </listitem>
200 </varlistentry>
201 </variablelist>
202 </refsect2>
203
67c660d0
SG		 204 <refsect2>
205 <title>Init command</title>
206 <para>
207 Sets the command to use as the init system for the containers.
208
209 This option is ignored when using lxc-execute.
210
211 Defaults to: /sbin/init
212 </para>
213 <variablelist>
214 <varlistentry>
215 <term>
216 <option>lxc.init_cmd</option>
217 </term>
218 <listitem>
219 <para>
220 Absolute path from container rootfs to the binary to use as init.
221 </para>
222 </listitem>
223 </varlistentry>
224 </variablelist>
225 </refsect2>
226
55fc19a1
SG		 227 <refsect2>
228 <title>Network</title>
229 <para>
c464fd7e
SG		 230 The network section defines how the network is virtualized in
231 the container. The network virtualization acts at layer
232 two. In order to use the network virtualization, parameters
233 must be specified to define the network interfaces of the
234 container. Several virtual interfaces can be assigned and used
235 in a container even if the system has only one physical
236 network interface.
55fc19a1
SG		 237 </para>
238 <variablelist>
c464fd7e
SG		 239 <varlistentry>
240 <term>
241 <option>lxc.network.type</option>
242 </term>
243 <listitem>
244 <para>
245 specify what kind of network virtualization to be used
246 for the container. Each time
247 a <option>lxc.network.type</option> field is found a new
248 round of network configuration begins. In this way,
249 several network virtualization types can be specified
250 for the same container, as well as assigning several
251 network interfaces for one container. The different
252 virtualization types can be:
253 </para>
254
255 <para>
256 <option>none:</option> will cause the container to share
257 the host's network namespace. This means the host
258 network devices are usable in the container. It also
259 means that if both the container and host have upstart as
260 init, 'halt' in a container (for instance) will shut down the
261 host.
262 </para>
263
264 <para>
265 <option>empty:</option> will create only the loopback
266 interface.
267 </para>
268
269 <para>
38005c54
MA		 270 <option>veth:</option> a virtual ethernet pair
271 device is created with one side assigned to the container
272 and the other side attached to a bridge specified by
273 the <option>lxc.network.link</option> option.
274 If the bridge is not specified, then the veth pair device
275 will be created but not attached to any bridge.
276 Otherwise, the bridge has to be created on the system
277 before starting the container.
278 <command>lxc</command> won't handle any
279 configuration outside of the container.
280 By default, <command>lxc</command> chooses a name for the
c464fd7e 281 network device belonging to the outside of the
38005c54
MA		 282 container, but if you wish to handle
283 this name yourselves, you can tell <command>lxc</command>
c464fd7e
SG		 284 to set a specific name with
285 the <option>lxc.network.veth.pair</option> option (except for
286 unprivileged containers where this option is ignored for security
287 reasons).
288 </para>
289
290 <para>
291 <option>vlan:</option> a vlan interface is linked with
292 the interface specified by
293 the <option>lxc.network.link</option> and assigned to
294 the container. The vlan identifier is specified with the
295 option <option>lxc.network.vlan.id</option>.
296 </para>
297
298 <para>
299 <option>macvlan:</option> a macvlan interface is linked
300 with the interface specified by
301 the <option>lxc.network.link</option> and assigned to
302 the container.
303 <option>lxc.network.macvlan.mode</option> specifies the
304 mode the macvlan will use to communicate between
305 different macvlan on the same upper device. The accepted
306 modes are <option>private</option>, the device never
307 communicates with any other device on the same upper_dev (default),
308 <option>vepa</option>, the new Virtual Ethernet Port
309 Aggregator (VEPA) mode, it assumes that the adjacent
310 bridge returns all frames where both source and
311 destination are local to the macvlan port, i.e. the
312 bridge is set up as a reflective relay. Broadcast
313 frames coming in from the upper_dev get flooded to all
314 macvlan interfaces in VEPA mode, local frames are not
315 delivered locally, or <option>bridge</option>, it
316 provides the behavior of a simple bridge between
317 different macvlan interfaces on the same port. Frames
318 from one interface to another one get delivered directly
319 and are not sent out externally. Broadcast frames get
320 flooded to all other bridge ports and to the external
321 interface, but when they come back from a reflective
322 relay, we don't deliver them again. Since we know all
323 the MAC addresses, the macvlan bridge mode does not
324 require learning or STP like the bridge module does.
325 </para>
326
327 <para>
328 <option>phys:</option> an already existing interface
329 specified by the <option>lxc.network.link</option> is
330 assigned to the container.
331 </para>
332 </listitem>
333 </varlistentry>
334
335 <varlistentry>
336 <term>
337 <option>lxc.network.flags</option>
338 </term>
339 <listitem>
340 <para>
341 specify an action to do for the
342 network.
343 </para>
344
345 <para><option>up:</option> activates the interface.
346 </para>
347 </listitem>
348 </varlistentry>
349
350 <varlistentry>
351 <term>
352 <option>lxc.network.link</option>
353 </term>
354 <listitem>
355 <para>
356 specify the interface to be used for real network
357 traffic.
358 </para>
359 </listitem>
360 </varlistentry>
361
362 <varlistentry>
363 <term>
364 <option>lxc.network.mtu</option>
365 </term>
366 <listitem>
367 <para>
368 specify the maximum transfer unit for this interface.
369 </para>
370 </listitem>
371 </varlistentry>
372
373 <varlistentry>
374 <term>
375 <option>lxc.network.name</option>
376 </term>
377 <listitem>
378 <para>
379 the interface name is dynamically allocated, but if
380 another name is needed because the configuration files
381 being used by the container use a generic name,
382 eg. eth0, this option will rename the interface in the
383 container.
384 </para>
385 </listitem>
386 </varlistentry>
387
388 <varlistentry>
389 <term>
390 <option>lxc.network.hwaddr</option>
391 </term>
392 <listitem>
393 <para>
394 the interface mac address is dynamically allocated by
395 default to the virtual interface, but in some cases,
396 this is needed to resolve a mac address conflict or to
397 always have the same link-local ipv6 address.
398 Any "x" in address will be replaced by random value,
399 this allows setting hwaddr templates.
400 </para>
401 </listitem>
402 </varlistentry>
403
404 <varlistentry>
405 <term>
406 <option>lxc.network.ipv4</option>
407 </term>
408 <listitem>
409 <para>
410 specify the ipv4 address to assign to the virtualized
411 interface. Several lines specify several ipv4 addresses.
412 The address is in format x.y.z.t/m,
413 eg. 192.168.1.123/24. The broadcast address should be
414 specified on the same line, right after the ipv4
415 address.
416 </para>
417 </listitem>
418 </varlistentry>
419
420 <varlistentry>
421 <term>
422 <option>lxc.network.ipv4.gateway</option>
423 </term>
424 <listitem>
425 <para>
426 specify the ipv4 address to use as the gateway inside the
427 container. The address is in format x.y.z.t, eg.
428 192.168.1.123.
429
430 Can also have the special value <option>auto</option>,
431 which means to take the primary address from the bridge
432 interface (as specified by the
433 <option>lxc.network.link</option> option) and use that as
434 the gateway. <option>auto</option> is only available when
435 using the <option>veth</option> and
436 <option>macvlan</option> network types.
437 </para>
438 </listitem>
439 </varlistentry>
440
441
442 <varlistentry>
443 <term>
444 <option>lxc.network.ipv6</option>
445 </term>
446 <listitem>
447 <para>
448 specify the ipv6 address to assign to the virtualized
449 interface. Several lines specify several ipv6 addresses.
450 The address is in format x::y/m,
451 eg. 2003:db8:1:0:214:1234:fe0b:3596/64
452 </para>
453 </listitem>
454 </varlistentry>
455
456 <varlistentry>
457 <term>
458 <option>lxc.network.ipv6.gateway</option>
459 </term>
460 <listitem>
461 <para>
462 specify the ipv6 address to use as the gateway inside the
463 container. The address is in format x::y,
464 eg. 2003:db8:1:0::1
465
466 Can also have the special value <option>auto</option>,
467 which means to take the primary address from the bridge
468 interface (as specified by the
469 <option>lxc.network.link</option> option) and use that as
470 the gateway. <option>auto</option> is only available when
471 using the <option>veth</option> and
472 <option>macvlan</option> network types.
473 </para>
474 </listitem>
475 </varlistentry>
476
477 <varlistentry>
478 <term>
479 <option>lxc.network.script.up</option>
480 </term>
481 <listitem>
482 <para>
483 add a configuration option to specify a script to be
484 executed after creating and configuring the network used
485 from the host side. The following arguments are passed
486 to the script: container name and config section name
487 (net) Additional arguments depend on the config section
488 employing a script hook; the following are used by the
489 network system: execution context (up), network type
490 (empty/veth/macvlan/phys), Depending on the network
491 type, other arguments may be passed:
492 veth/macvlan/phys. And finally (host-sided) device name.
493 </para>
494 <para>
495 Standard output from the script is logged at debug level.
496 Standard error is not logged, but can be captured by the
497 hook redirecting its standard error to standard output.
498 </para>
499 </listitem>
500 </varlistentry>
501
502 <varlistentry>
503 <term>
504 <option>lxc.network.script.down</option>
505 </term>
506 <listitem>
507 <para>
508 add a configuration option to specify a script to be
509 executed before destroying the network used from the
510 host side. The following arguments are passed to the
511 script: container name and config section name (net)
512 Additional arguments depend on the config section
513 employing a script hook; the following are used by the
514 network system: execution context (down), network type
515 (empty/veth/macvlan/phys), Depending on the network
516 type, other arguments may be passed:
517 veth/macvlan/phys. And finally (host-sided) device name.
518 </para>
519 <para>
520 Standard output from the script is logged at debug level.
521 Standard error is not logged, but can be captured by the
522 hook redirecting its standard error to standard output.
523 </para>
524 </listitem>
525 </varlistentry>
55fc19a1
SG		 526 </variablelist>
527 </refsect2>
528
529 <refsect2>
530 <title>New pseudo tty instance (devpts)</title>
531 <para>
c464fd7e
SG		 532 For stricter isolation the container can have its own private
533 instance of the pseudo tty.
55fc19a1
SG		 534 </para>
535 <variablelist>
c464fd7e
SG		 536 <varlistentry>
537 <term>
538 <option>lxc.pts</option>
539 </term>
540 <listitem>
541 <para>
542 If set, the container will have a new pseudo tty
543 instance, making this private to it. The value specifies
55fc19a1
SG		 544 the maximum number of pseudo ttys allowed for a pts
545 instance (this limitation is not implemented yet).
c464fd7e
SG		 546 </para>
547 </listitem>
548 </varlistentry>
55fc19a1
SG		 549 </variablelist>
550 </refsect2>
551
552 <refsect2>
553 <title>Container system console</title>
554 <para>
c464fd7e
SG		 555 If the container is configured with a root filesystem and the
556 inittab file is setup to use the console, you may want to specify
557 where the output of this console goes.
55fc19a1
SG		 558 </para>
559 <variablelist>
c464fd7e
SG		 560 <varlistentry>
561 <term>
562 <option>lxc.console.logfile</option>
563 </term>
564 <listitem>
565 <para>
566 Specify a path to a file where the console output will
567 be written.
568 </para>
569 </listitem>
570 </varlistentry>
571 <varlistentry>
572 <term>
573 <option>lxc.console</option>
574 </term>
575 <listitem>
576 <para>
577 Specify a path to a device to which the console will be
578 attached. The keyword 'none' will simply disable the
579 console. This is dangerous once if have a rootfs with a
580 console device file where the application can write, the
581 messages will fall in the host.
582 </para>
583 </listitem>
584 </varlistentry>
55fc19a1
SG		 585 </variablelist>
586 </refsect2>
587
588 <refsect2>
589 <title>Console through the ttys</title>
590 <para>
c464fd7e
SG		 591 This option is useful if the container is configured with a root
592 filesystem and the inittab file is setup to launch a getty on the
593 ttys. The option specifies the number of ttys to be available for
594 the container. The number of gettys in the inittab file of the
595 container should not be greater than the number of ttys specified
596 in this option, otherwise the excess getty sessions will die and
597 respawn indefinitely giving annoying messages on the console or in
598 <filename>/var/log/messages</filename>.
55fc19a1
SG		 599 </para>
600 <variablelist>
c464fd7e
SG		 601 <varlistentry>
602 <term>
603 <option>lxc.tty</option>
604 </term>
605 <listitem>
606 <para>
607 Specify the number of tty to make available to the
608 container.
609 </para>
610 </listitem>
611 </varlistentry>
55fc19a1
SG		 612 </variablelist>
613 </refsect2>
614
615 <refsect2>
616 <title>Console devices location</title>
617 <para>
618 LXC consoles are provided through Unix98 PTYs created on the
c464fd7e
SG		 619 host and bind-mounted over the expected devices in the container.
620 By default, they are bind-mounted over <filename>/dev/console</filename>
621 and <filename>/dev/ttyN</filename>. This can prevent package upgrades
622 in the guest. Therefore you can specify a directory location (under
623 <filename>/dev</filename> under which LXC will create the files and
624 bind-mount over them. These will then be symbolically linked to
625 <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
626 A package upgrade can then succeed as it is able to remove and replace
627 the symbolic links.
55fc19a1
SG		 628 </para>
629 <variablelist>
c464fd7e
SG		 630 <varlistentry>
631 <term>
632 <option>lxc.devttydir</option>
633 </term>
634 <listitem>
635 <para>
636 Specify a directory under <filename>/dev</filename>
637 under which to create the container console devices.
638 </para>
639 </listitem>
640 </varlistentry>
55fc19a1
SG		 641 </variablelist>
642 </refsect2>
643
644 <refsect2>
645 <title>/dev directory</title>
646 <para>
c464fd7e
SG		 647 By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr)
648 in the container's <filename>/dev</filename> directory but does not
649 automatically create device node entries. This allows the container's
650 <filename>/dev</filename> to be set up as needed in the container
651 rootfs. If lxc.autodev is set to 1, then after mounting the container's
652 rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
653 (limited to 100k) and fill in a minimal set of initial devices.
55fc19a1
SG		 654 This is generally required when starting a container containing
655 a "systemd" based "init" but may be optional at other times. Additional
656 devices in the containers /dev directory may be created through the
657 use of the <option>lxc.hook.autodev</option> hook.
658 </para>
659 <variablelist>
c464fd7e
SG		 660 <varlistentry>
661 <term>
662 <option>lxc.autodev</option>
663 </term>
664 <listitem>
665 <para>
666 Set this to 1 to have LXC mount and populate a minimal
667 <filename>/dev</filename> when starting the container.
668 </para>
669 </listitem>
670 </varlistentry>
55fc19a1
SG		 671 </variablelist>
672 </refsect2>
673
674 <refsect2>
675 <title>Enable kmsg symlink</title>
676 <para>
677 Enable creating /dev/kmsg as symlink to /dev/console. This defaults to 1.
678 </para>
679 <variablelist>
680 <varlistentry>
681 <term>
682 <option>lxc.kmsg</option>
683 </term>
684 <listitem>
685 <para>
686 Set this to 0 to disable /dev/kmsg symlinking.
687 </para>
688 </listitem>
689 </varlistentry>
690 </variablelist>
691 </refsect2>
692
693 <refsect2>
694 <title>Mount points</title>
695 <para>
c464fd7e
SG		 696 The mount points section specifies the different places to be
697 mounted. These mount points will be private to the container
698 and won't be visible by the processes running outside of the
699 container. This is useful to mount /etc, /var or /home for
700 examples.
55fc19a1
SG		 701 </para>
702 <variablelist>
c464fd7e
SG		 703 <varlistentry>
704 <term>
705 <option>lxc.mount</option>
706 </term>
707 <listitem>
708 <para>
709 specify a file location in
710 the <filename>fstab</filename> format, containing the
711 mount information. The mount target location can and in
712 most cases should be a relative path, which will become
713 relative to the mounted container root. For instance,
714 </para>
6191f4f4
SH		 715<screen>
716proc proc proc nodev,noexec,nosuid 0 0
717</screen>
c464fd7e
SG		 718 <para>
719 Will mount a proc filesystem under the container's /proc,
720 regardless of where the root filesystem comes from. This
721 is resilient to block device backed filesystems as well as
722 container cloning.
723 </para>
724 <para>
725 Note that when mounting a filesystem from an
726 image file or block device the third field (fs_vfstype)
727 cannot be auto as with
55fc19a1 728 <citerefentry>
c464fd7e 729 <refentrytitle>mount</refentrytitle>
55fc19a1
SG		 730 <manvolnum>8</manvolnum>
731 </citerefentry>
732 but must be explicitly specified.
c464fd7e
SG		 733 </para>
734 </listitem>
735 </varlistentry>
736
737 <varlistentry>
738 <term>
739 <option>lxc.mount.entry</option>
740 </term>
741 <listitem>
742 <para>
743 specify a mount point corresponding to a line in the
744 fstab format.
745 </para>
746 </listitem>
747 </varlistentry>
748
749 <varlistentry>
750 <term>
751 <option>lxc.mount.auto</option>
752 </term>
753 <listitem>
754 <para>
755 specify which standard kernel file systems should be
756 automatically mounted. This may dramatically simplify
757 the configuration. The file systems are:
758 </para>
759 <itemizedlist>
760 <listitem>
761 <para>
762 <option>proc:mixed</option> (or <option>proc</option>):
763 mount <filename>/proc</filename> as read-write, but
764 remount <filename>/proc/sys</filename> and
765 <filename>/proc/sysrq-trigger</filename> read-only
766 for security / container isolation purposes.
767 </para>
768 </listitem>
769 <listitem>
770 <para>
771 <option>proc:rw</option>: mount
772 <filename>/proc</filename> as read-write
773 </para>
774 </listitem>
775 <listitem>
776 <para>
777 <option>sys:ro</option> (or <option>sys</option>):
778 mount <filename>/sys</filename> as read-only
779 for security / container isolation purposes.
780 </para>
781 </listitem>
782 <listitem>
783 <para>
784 <option>sys:rw</option>: mount
785 <filename>/sys</filename> as read-write
786 </para>
787 </listitem>
788 <listitem>
789 <para>
790 <option>cgroup:mixed</option>:
791 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
792 create directories for all hierarchies to which
793 the container is added, create subdirectories
794 there with the name of the cgroup, and bind-mount
795 the container's own cgroup into that directory.
796 The container will be able to write to its own
797 cgroup directory, but not the parents, since they
798 will be remounted read-only
799 </para>
800 </listitem>
801 <listitem>
802 <para>
803 <option>cgroup:ro</option>: similar to
804 <option>cgroup:mixed</option>, but everything will
805 be mounted read-only.
806 </para>
807 </listitem>
808 <listitem>
809 <para>
810 <option>cgroup:rw</option>: similar to
811 <option>cgroup:mixed</option>, but everything will
812 be mounted read-write. Note that the paths leading
813 up to the container's own cgroup will be writable,
814 but will not be a cgroup filesystem but just part
815 of the tmpfs of <filename>/sys/fs/cgroup</filename>
816 </para>
817 </listitem>
818 <listitem>
819 <para>
820 <option>cgroup</option> (without specifier):
821 defaults to <option>cgroup:rw</option> if the
822 container retains the CAP_SYS_ADMIN capability,
823 <option>cgroup:mixed</option> otherwise.
824 </para>
825 </listitem>
826 <listitem>
827 <para>
828 <option>cgroup-full:mixed</option>:
829 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
830 create directories for all hierarchies to which
831 the container is added, bind-mount the hierarchies
832 from the host to the container and make everything
833 read-only except the container's own cgroup. Note
834 that compared to <option>cgroup</option>, where
835 all paths leading up to the container's own cgroup
836 are just simple directories in the underlying
837 tmpfs, here
838 <filename>/sys/fs/cgroup/$hierarchy</filename>
839 will contain the host's full cgroup hierarchy,
840 albeit read-only outside the container's own cgroup.
841 This may leak quite a bit of information into the
842 container.
843 </para>
844 </listitem>
845 <listitem>
846 <para>
847 <option>cgroup-full:ro</option>: similar to
848 <option>cgroup-full:mixed</option>, but everything
849 will be mounted read-only.
850 </para>
851 </listitem>
852 <listitem>
853 <para>
854 <option>cgroup-full:rw</option>: similar to
855 <option>cgroup-full:mixed</option>, but everything
856 will be mounted read-write. Note that in this case,
857 the container may escape its own cgroup. (Note also
858 that if the container has CAP_SYS_ADMIN support
859 and can mount the cgroup filesystem itself, it may
860 do so anyway.)
861 </para>
862 </listitem>
863 <listitem>
864 <para>
865 <option>cgroup-full</option> (without specifier):
866 defaults to <option>cgroup-full:rw</option> if the
867 container retains the CAP_SYS_ADMIN capability,
868 <option>cgroup-full:mixed</option> otherwise.
869 </para>
870 </listitem>
871 </itemizedlist>
872 <para>
873 Note that if automatic mounting of the cgroup filesystem
874 is enabled, the tmpfs under
875 <filename>/sys/fs/cgroup</filename> will always be
876 mounted read-write (but for the <option>:mixed</option>
877 and <option>:ro</option> cases, the individual
878 hierarchies,
879 <filename>/sys/fs/cgroup/$hierarchy</filename>, will be
880 read-only). This is in order to work around a quirk in
881 Ubuntu's
b46f0553 882 <citerefentry>
c464fd7e 883 <refentrytitle>mountall</refentrytitle>
b46f0553
CS		 884 <manvolnum>8</manvolnum>
885 </citerefentry>
c464fd7e
SG		 886 command that will cause containers to wait for user
887 input at boot if
888 <filename>/sys/fs/cgroup</filename> is mounted read-only
889 and the container can't remount it read-write due to a
890 lack of CAP_SYS_ADMIN.
891 </para>
892 <para>
893 Examples:
894 </para>
895 <programlisting>
896 lxc.mount.auto = proc sys cgroup
897 lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
898 </programlisting>
899 </listitem>
900 </varlistentry>
55fc19a1
SG		 901
902 </variablelist>
903 </refsect2>
904
905 <refsect2>
906 <title>Root file system</title>
907 <para>
c464fd7e
SG		 908 The root file system of the container can be different than that
909 of the host system.
55fc19a1
SG		 910 </para>
911 <variablelist>
c464fd7e
SG		 912 <varlistentry>
913 <term>
914 <option>lxc.rootfs</option>
915 </term>
916 <listitem>
917 <para>
918 specify the root file system for the container. It can
919 be an image file, a directory or a block device. If not
920 specified, the container shares its root file system
921 with the host.
922 </para>
923 <para>
f1c26f2c
SH		 924 For directory or simple block-device backed containers,
925 a pathname can be used. If the rootfs is backed by a nbd
926 device, then <filename>nbd:file:1</filename> specifies that
927 <filename>file</filename> should be attached to a nbd device,
928 and partition 1 should be mounted as the rootfs.
929 <filename>nbd:file</filename> specifies that the nbd device
930 itself should be mounted. <filename>overlayfs:/lower:/upper</filename>
931 specifies that the rootfs should be an overlay with <filename>/upper</filename>
932 being mounted read-write over a read-only mount of <filename>/lower</filename>.
933 <filename>aufs:/lower:/upper</filename> does the same using aufs in place
934 of overlayfs. <filename>loop:/file</filename> tells lxc to attach
935 <filename>/file</filename> to a loop device and mount the loop device.
c464fd7e
SG		 936 </para>
937 </listitem>
938 </varlistentry>
939
940 <varlistentry>
941 <term>
942 <option>lxc.rootfs.mount</option>
943 </term>
944 <listitem>
945 <para>
946 where to recursively bind <option>lxc.rootfs</option>
947 before pivoting. This is to ensure success of the
948 <citerefentry>
949 <refentrytitle><command>pivot_root</command></refentrytitle>
950 <manvolnum>8</manvolnum>
951 </citerefentry>
952 syscall. Any directory suffices, the default should
953 generally work.
954 </para>
955 </listitem>
956 </varlistentry>
957
958 <varlistentry>
959 <term>
960 <option>lxc.rootfs.options</option>
961 </term>
962 <listitem>
963 <para>
964 extra mount options to use when mounting the rootfs.
965 </para>
966 </listitem>
967 </varlistentry>
a17b1e65 968
55fc19a1
SG		 969 </variablelist>
970 </refsect2>
971
972 <refsect2>
973 <title>Control group</title>
974 <para>
c464fd7e
SG		 975 The control group section contains the configuration for the
976 different subsystem. <command>lxc</command> does not check the
977 correctness of the subsystem name. This has the disadvantage
978 of not detecting configuration errors until the container is
979 started, but has the advantage of permitting any future
980 subsystem.
55fc19a1
SG		 981 </para>
982 <variablelist>
c464fd7e
SG		 983 <varlistentry>
984 <term>
985 <option>lxc.cgroup.[subsystem name]</option>
986 </term>
987 <listitem>
988 <para>
989 specify the control group value to be set. The
990 subsystem name is the literal name of the control group
991 subsystem. The permitted names and the syntax of their
992 values is not dictated by LXC, instead it depends on the
993 features of the Linux kernel running at the time the
994 container is started,
995 eg. <option>lxc.cgroup.cpuset.cpus</option>
996 </para>
997 </listitem>
998 </varlistentry>
55fc19a1
SG		 999 </variablelist>
1000 </refsect2>
1001
1002 <refsect2>
1003 <title>Capabilities</title>
1004 <para>
c464fd7e
SG		 1005 The capabilities can be dropped in the container if this one
1006 is run as root.
55fc19a1
SG		 1007 </para>
1008 <variablelist>
c464fd7e
SG		 1009 <varlistentry>
1010 <term>
1011 <option>lxc.cap.drop</option>
1012 </term>
1013 <listitem>
1014 <para>
1015 Specify the capability to be dropped in the container. A
1016 single line defining several capabilities with a space
1017 separation is allowed. The format is the lower case of
1018 the capability definition without the "CAP_" prefix,
1019 eg. CAP_SYS_MODULE should be specified as
1020 sys_module. See
1021 <citerefentry>
1022 <refentrytitle><command>capabilities</command></refentrytitle>
1023 <manvolnum>7</manvolnum>
1024 </citerefentry>,
1025 </para>
1026 </listitem>
1027 </varlistentry>
1028 <varlistentry>
1029 <term>
1030 <option>lxc.cap.keep</option>
1031 </term>
1032 <listitem>
1033 <para>
1034 Specify the capability to be kept in the container. All other
1035 capabilities will be dropped. When a special value of "none" is
1036 encountered, lxc will clear any keep capabilities specified up
1037 to this point. A value of "none" alone can be used to drop all
1038 capabilities.
1039 </para>
1040 </listitem>
1041 </varlistentry>
55fc19a1
SG		 1042 </variablelist>
1043 </refsect2>
1044
1045 <refsect2>
1046 <title>Apparmor profile</title>
1047 <para>
c464fd7e
SG		 1048 If lxc was compiled and installed with apparmor support, and the host
1049 system has apparmor enabled, then the apparmor profile under which the
1050 container should be run can be specified in the container
1051 configuration. The default is <command>lxc-container-default</command>.
55fc19a1
SG		 1052 </para>
1053 <variablelist>
c464fd7e
SG		 1054 <varlistentry>
1055 <term>
1056 <option>lxc.aa_profile</option>
1057 </term>
1058 <listitem>
1059 <para>
1060 Specify the apparmor profile under which the container should
1061 be run. To specify that the container should be unconfined,
1062 use
1063 </para>
1064 <programlisting>lxc.aa_profile = unconfined</programlisting>
1065 </listitem>
1066 </varlistentry>
1067 <varlistentry>
1068 <term>
1069 <option>lxc.aa_allow_incomplete</option>
1070 </term>
1071 <listitem>
1072 <para>
1073 Apparmor profiles are pathname based. Therefore many file
1074 restrictions require mount restrictions to be effective against
1075 a determined attacker. However, these mount restrictions are not
1076 yet implemented in the upstream kernel. Without the mount
1077 restrictions, the apparmor profiles still protect against accidental
1078 damager.
1079 </para>
1080 <para>
1081 If this flag is 0 (default), then the container will not be
1082 started if the kernel lacks the apparmor mount features, so that a
1083 regression after a kernel upgrade will be detected. To start the
1084 container under partial apparmor protection, set this flag to 1.
1085 </para>
1086 </listitem>
1087 </varlistentry>
55fc19a1
SG		 1088 </variablelist>
1089 </refsect2>
1090
1091 <refsect2>
1092 <title>SELinux context</title>
1093 <para>
c464fd7e
SG		 1094 If lxc was compiled and installed with SELinux support, and the host
1095 system has SELinux enabled, then the SELinux context under which the
1096 container should be run can be specified in the container
1097 configuration. The default is <command>unconfined_t</command>,
1098 which means that lxc will not attempt to change contexts.
1099 See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
1100 information.
55fc19a1
SG		 1101 </para>
1102 <variablelist>
c464fd7e
SG		 1103 <varlistentry>
1104 <term>
1105 <option>lxc.se_context</option>
1106 </term>
1107 <listitem>
1108 <para>
1109 Specify the SELinux context under which the container should
1110 be run or <command>unconfined_t</command>. For example
1111 </para>
1112 <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting>
1113 </listitem>
1114 </varlistentry>
55fc19a1
SG		 1115 </variablelist>
1116 </refsect2>
1117
1118 <refsect2>
1119 <title>Seccomp configuration</title>
1120 <para>
1121 A container can be started with a reduced set of available
c464fd7e
SG		 1122 system calls by loading a seccomp profile at startup. The
1123 seccomp configuration file must begin with a version number
1124 on the first line, a policy type on the second line, followed
1125 by the configuration.
55fc19a1 1126 </para>
a7c27357
SH		 1127 <para>
1128 Versions 1 and 2 are currently supported. In version 1, the
c464fd7e
SG		 1129 policy is a simple whitelist. The second line therefore must
1130 read "whitelist", with the rest of the file containing one (numeric)
1131 sycall number per line. Each syscall number is whitelisted,
1132 while every unlisted number is blacklisted for use in the container
a7c27357
SH		 1133 </para>
1134
1135 <para>
1136 In version 2, the policy may be blacklist or whitelist,
1137 supports per-rule and per-policy default actions, and supports
1138 per-architecture system call resolution from textual names.
1139 </para>
1140 <para>
1141 An example blacklist policy, in which all system calls are
1142 allowed except for mknod, which will simply do nothing and
1143 return 0 (success), looks like:
1144 </para>
1145<screen>
11462
1147blacklist
1148mknod errno 0
1149</screen>
55fc19a1 1150 <variablelist>
c464fd7e
SG		 1151 <varlistentry>
1152 <term>
1153 <option>lxc.seccomp</option>
1154 </term>
1155 <listitem>
1156 <para>
1157 Specify a file containing the seccomp configuration to
1158 load before the container starts.
1159 </para>
1160 </listitem>
1161 </varlistentry>
55fc19a1
SG		 1162 </variablelist>
1163 </refsect2>
1164
1165 <refsect2>
1166 <title>UID mappings</title>
1167 <para>
1168 A container can be started in a private user namespace with
c464fd7e
SG		 1169 user and group id mappings. For instance, you can map userid
1170 0 in the container to userid 200000 on the host. The root
1171 user in the container will be privileged in the container,
1172 but unprivileged on the host. Normally a system container
1173 will want a range of ids, so you would map, for instance,
1174 user and group ids 0 through 20,000 in the container to the
1175 ids 200,000 through 220,000.
55fc19a1
SG		 1176 </para>
1177 <variablelist>
c464fd7e
SG		 1178 <varlistentry>
1179 <term>
1180 <option>lxc.id_map</option>
1181 </term>
1182 <listitem>
1183 <para>
1184 Four values must be provided. First a character, either
1185 'u', or 'g', to specify whether user or group ids are
1186 being mapped. Next is the first userid as seen in the
1187 user namespace of the container. Next is the userid as
1188 seen on the host. Finally, a range indicating the number
1189 of consecutive ids to map.
1190 </para>
1191 </listitem>
1192 </varlistentry>
55fc19a1
SG		 1193 </variablelist>
1194 </refsect2>
1195
1196 <refsect2>
1197 <title>Container hooks</title>
1198 <para>
1199 Container hooks are programs or scripts which can be executed
c464fd7e 1200 at various times in a container's lifetime.
55fc19a1
SG		 1201 </para>
1202 <para>
1203 When a container hook is executed, information is passed both
c464fd7e
SG		 1204 as command line arguments and through environment variables.
1205 The arguments are:
1206 <itemizedlist>
1207 <listitem><para> Container name. </para></listitem>
1208 <listitem><para> Section (always 'lxc'). </para></listitem>
1209 <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
1210 <listitem><para> Additional arguments In the
1211 case of the clone hook, any extra arguments passed to
1212 lxc-clone will appear as further arguments to the hook. </para></listitem>
1213 </itemizedlist>
1214 The following environment variables are set:
1215 <itemizedlist>
1216 <listitem><para> LXC_NAME: is the container's name. </para></listitem>
1217 <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
1218 <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
1219 <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
1220 <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
1221 </itemizedlist>
55fc19a1
SG		 1222 </para>
1223 <para>
1224 Standard output from the hooks is logged at debug level.
1225 Standard error is not logged, but can be captured by the
1226 hook redirecting its standard error to standard output.
1227 </para>
1228 <variablelist>
c464fd7e
SG		 1229 <varlistentry>
1230 <term>
1231 <option>lxc.hook.pre-start</option>
1232 </term>
1233 <listitem>
1234 <para>
1235 A hook to be run in the host's namespace before the
1236 container ttys, consoles, or mounts are up.
1237 </para>
1238 </listitem>
1239 </varlistentry>
55fc19a1
SG		 1240 </variablelist>
1241 <variablelist>
c464fd7e
SG		 1242 <varlistentry>
1243 <term>
1244 <option>lxc.hook.pre-mount</option>
1245 </term>
1246 <listitem>
1247 <para>
1248 A hook to be run in the container's fs namespace but before
1249 the rootfs has been set up. This allows for manipulation
1250 of the rootfs, i.e. to mount an encrypted filesystem. Mounts
1251 done in this hook will not be reflected on the host (apart from
1252 mounts propagation), so they will be automatically cleaned up
1253 when the container shuts down.
1254 </para>
1255 </listitem>
1256 </varlistentry>
55fc19a1
SG		 1257 </variablelist>
1258 <variablelist>
c464fd7e
SG		 1259 <varlistentry>
1260 <term>
1261 <option>lxc.hook.mount</option>
1262 </term>
1263 <listitem>
1264 <para>
1265 A hook to be run in the container's namespace after
1266 mounting has been done, but before the pivot_root.
1267 </para>
1268 </listitem>
1269 </varlistentry>
55fc19a1
SG		 1270 </variablelist>
1271 <variablelist>
c464fd7e
SG		 1272 <varlistentry>
1273 <term>
1274 <option>lxc.hook.autodev</option>
1275 </term>
1276 <listitem>
1277 <para>
1278 A hook to be run in the container's namespace after
1279 mounting has been done and after any mount hooks have
1280 run, but before the pivot_root, if
1281 <option>lxc.autodev</option> == 1.
1282 The purpose of this hook is to assist in populating the
1283 /dev directory of the container when using the autodev
1284 option for systemd based containers. The container's /dev
1285 directory is relative to the
1286 ${<option>LXC_ROOTFS_MOUNT</option>} environment
1287 variable available when the hook is run.
1288 </para>
1289 </listitem>
1290 </varlistentry>
55fc19a1
SG		 1291 </variablelist>
1292 <variablelist>
c464fd7e
SG		 1293 <varlistentry>
1294 <term>
1295 <option>lxc.hook.start</option>
1296 </term>
1297 <listitem>
1298 <para>
1299 A hook to be run in the container's namespace immediately
1300 before executing the container's init. This requires the
1301 program to be available in the container.
1302 </para>
1303 </listitem>
1304 </varlistentry>
55fc19a1
SG		 1305 </variablelist>
1306 <variablelist>
c464fd7e
SG		 1307 <varlistentry>
1308 <term>
1309 <option>lxc.hook.post-stop</option>
1310 </term>
1311 <listitem>
1312 <para>
1313 A hook to be run in the host's namespace after the
1314 container has been shut down.
1315 </para>
1316 </listitem>
1317 </varlistentry>
55fc19a1
SG		 1318 </variablelist>
1319 <variablelist>
c464fd7e
SG		 1320 <varlistentry>
1321 <term>
1322 <option>lxc.hook.clone</option>
1323 </term>
1324 <listitem>
1325 <para>
1326 A hook to be run when the container is cloned to a new one.
1327 See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
1328 <manvolnum>1</manvolnum></citerefentry> for more information.
1329 </para>
1330 </listitem>
1331 </varlistentry>
55fc19a1
SG		 1332 </variablelist>
1333 </refsect2>
1334
1335 <refsect2>
1336 <title>Container hooks Environment Variables</title>
1337 <para>
1338 A number of environment variables are made available to the startup
1339 hooks to provide configuration information and assist in the
1340 functioning of the hooks. Not all variables are valid in all
1341 contexts. In particular, all paths are relative to the host system
1342 and, as such, not valid during the <option>lxc.hook.start</option> hook.
1343 </para>
1344 <variablelist>
c464fd7e
SG		 1345 <varlistentry>
1346 <term>
1347 <option>LXC_NAME</option>
1348 </term>
1349 <listitem>
1350 <para>
1351 The LXC name of the container. Useful for logging messages
1352 in common log environments. [<option>-n</option>]
1353 </para>
1354 </listitem>
1355 </varlistentry>
55fc19a1
SG		 1356 </variablelist>
1357 <variablelist>
c464fd7e
SG		 1358 <varlistentry>
1359 <term>
1360 <option>LXC_CONFIG_FILE</option>
1361 </term>
1362 <listitem>
1363 <para>
1364 Host relative path to the container configuration file. This
1365 gives the container to reference the original, top level,
1366 configuration file for the container in order to locate any
1367 additional configuration information not otherwise made
1368 available. [<option>-f</option>]
1369 </para>
1370 </listitem>
1371 </varlistentry>
55fc19a1
SG		 1372 </variablelist>
1373 <variablelist>
c464fd7e
SG		 1374 <varlistentry>
1375 <term>
1376 <option>LXC_CONSOLE</option>
1377 </term>
1378 <listitem>
1379 <para>
1380 The path to the console output of the container if not NULL.
1381 [<option>-c</option>] [<option>lxc.console</option>]
1382 </para>
1383 </listitem>
1384 </varlistentry>
55fc19a1
SG		 1385 </variablelist>
1386 <variablelist>
c464fd7e
SG		 1387 <varlistentry>
1388 <term>
1389 <option>LXC_CONSOLE_LOGPATH</option>
1390 </term>
1391 <listitem>
1392 <para>
1393 The path to the console log output of the container if not NULL.
1394 [<option>-L</option>]
1395 </para>
1396 </listitem>
1397 </varlistentry>
55fc19a1
SG		 1398 </variablelist>
1399 <variablelist>
c464fd7e
SG		 1400 <varlistentry>
1401 <term>
1402 <option>LXC_ROOTFS_MOUNT</option>
1403 </term>
1404 <listitem>
1405 <para>
1406 The mount location to which the container is initially bound.
1407 This will be the host relative path to the container rootfs
1408 for the container instance being started and is where changes
1409 should be made for that instance.
1410 [<option>lxc.rootfs.mount</option>]
1411 </para>
1412 </listitem>
1413 </varlistentry>
55fc19a1
SG		 1414 </variablelist>
1415 <variablelist>
c464fd7e
SG		 1416 <varlistentry>
1417 <term>
1418 <option>LXC_ROOTFS_PATH</option>
1419 </term>
1420 <listitem>
1421 <para>
1422 The host relative path to the container root which has been
1423 mounted to the rootfs.mount location.
1424 [<option>lxc.rootfs</option>]
1425 </para>
1426 </listitem>
1427 </varlistentry>
55fc19a1
SG		 1428 </variablelist>
1429
1430 </refsect2>
1431 <refsect2>
1432 <title>Logging</title>
1433 <para>
1434 Logging can be configured on a per-container basis. By default,
1435 depending upon how the lxc package was compiled, container startup
1436 is logged only at the ERROR level, and logged to a file named after
1437 the container (with '.log' appended) either under the container path,
1438 or under @LOGPATH@.
1439 </para>
1440 <para>
1441 Both the default log level and the log file can be specified in the
1442 container configuration file, overriding the default behavior. Note
1443 that the configuration file entries can in turn be overridden by the
1444 command line options to <command>lxc-start</command>.
1445 </para>
1446 <variablelist>
c464fd7e
SG		 1447 <varlistentry>
1448 <term>
1449 <option>lxc.loglevel</option>
1450 </term>
1451 <listitem>
1452 <para>
1453 The level at which to log. The log level is an integer in
1454 the range of 0..8 inclusive, where a lower number means more
1455 verbose debugging. In particular 0 = trace, 1 = debug, 2 =
1456 info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
1457 alert, and 8 = fatal. If unspecified, the level defaults
1458 to 5 (error), so that only errors and above are logged.
1459 </para>
1460 <para>
1461 Note that when a script (such as either a hook script or a
1462 network interface up or down script) is called, the script's
1463 standard output is logged at level 1, debug.
1464 </para>
1465 </listitem>
1466 </varlistentry>
1467 <varlistentry>
1468 <term>
1469 <option>lxc.logfile</option>
1470 </term>
1471 <listitem>
1472 <para>
1473 The file to which logging info should be written.
1474 </para>
1475 </listitem>
1476 </varlistentry>
55fc19a1
SG		 1477 </variablelist>
1478 </refsect2>
1479
1480 <refsect2>
1481 <title>Autostart</title>
1482 <para>
1483 The autostart options support marking which containers should be
1484 auto-started and in what order. These options may be used by LXC tools
1485 directly or by external tooling provided by the distributions.
1486 </para>
1487
1488 <variablelist>
1489 <varlistentry>
1490 <term>
1491 <option>lxc.start.auto</option>
1492 </term>
1493 <listitem>
1494 <para>
1495 Whether the container should be auto-started.
1496 Valid values are 0 (off) and 1 (on).
1497 </para>
1498 </listitem>
1499 </varlistentry>
1500 <varlistentry>
1501 <term>
1502 <option>lxc.start.delay</option>
1503 </term>
1504 <listitem>
1505 <para>
1506 How long to wait (in seconds) after the container is
1507 started before starting the next one.
1508 </para>
1509 </listitem>
1510 </varlistentry>
1511 <varlistentry>
1512 <term>
1513 <option>lxc.start.order</option>
1514 </term>
1515 <listitem>
1516 <para>
1517 An integer used to sort the containers when auto-starting
1518 a series of containers at once.
1519 </para>
1520 </listitem>
1521 </varlistentry>
1522 <varlistentry>
1523 <term>
1524 <option>lxc.group</option>
1525 </term>
1526 <listitem>
1527 <para>
1528 A multi-value key (can be used multiple times) to put the
1529 container in a container group. Those groups can then be
1530 used (amongst other things) to start a series of related
1531 containers.
1532 </para>
1533 </listitem>
1534 </varlistentry>
1535 </variablelist>
1536 </refsect2>
015f0dd7
MW		 1537
1538 <refsect2>
1539 <title>Autostart and System Boot</title>
1540 <para>
1541 Each container can be part of any number of groups or no group at all.
1542 Two groups are special. One is the NULL group, i.e. the container does
1543 not belong to any group. The other group is the "onboot" group.
1544 </para>
1545
1546 <para>
1547 When the system boots with the LXC service enabled, it will first
1548 attempt to boot any containers with lxc.start.auto == 1 that is a member
1549 of the "onboot" group. The startup will be in order of lxc.start.order.
1550 If an lxc.start.delay has been specified, that delay will be honored
1551 before attempting to start the next container to give the current
1552 container time to begin initialization and reduce overloading the host
1553 system. After starting the members of the "onboot" group, the LXC system
1554 will proceed to boot containers with lxc.start.auto == 1 which are not
1555 members of any group (the NULL group) and proceed as with the onboot
1556 group.
1557 </para>
1558
1559 </refsect2>
7c661726
MP		 1560
1561 <refsect2>
1562 <title>Container Environment</title>
1563 <para>
c464fd7e
SG		 1564 If you want to pass environment variables into the container (that
1565 is, environment variables which will be available to init and all of
1566 its descendents), you can use <command>lxc.environment</command>
1567 parameters to do so. Be careful that you do not pass in anything
1568 sensitive; any process in the container which doesn't have its
1569 environment scrubbed will have these variables available to it, and
1570 environment variables are always available via
1571 <command>/proc/PID/environ</command>.
7c661726
MP		 1572 </para>
1573
1574 <para>
1575 This configuration parameter can be specified multiple times; once
1576 for each environment variable you wish to configure.
1577 </para>
1578
1579 <variablelist>
c464fd7e
SG		 1580 <varlistentry>
1581 <term>
1582 <option>lxc.environment</option>
1583 </term>
1584 <listitem>
1585 <para>
1586 Specify an environment variable to pass into the container.
1587 Example:
1588 </para>
1589 <programlisting>
1590 lxc.environment = APP_ENV=production
1591 lxc.environment = SYSLOG_SERVER=192.0.2.42
1592 </programlisting>
1593 </listitem>
1594 </varlistentry>
7c661726
MP		 1595 </variablelist>
1596 </refsect2>
1597
55fc19a1
SG		 1598 </refsect1>
1599
1600 <refsect1>
1601 <title>Examples</title>
1602 <para>
c464fd7e
SG		 1603 In addition to the few examples given below, you will find
1604 some other examples of configuration file in @DOCDIR@/examples
55fc19a1
SG		 1605 </para>
1606 <refsect2>
1607 <title>Network</title>
1608 <para>This configuration sets up a container to use a veth pair
c464fd7e
SG		 1609 device with one side plugged to a bridge br0 (which has been
1610 configured before on the system by the administrator). The
1611 virtual network device visible in the container is renamed to
1612 eth0.</para>
55fc19a1 1613 <programlisting>
c464fd7e
SG		 1614 lxc.utsname = myhostname
1615 lxc.network.type = veth
1616 lxc.network.flags = up
1617 lxc.network.link = br0
1618 lxc.network.name = eth0
1619 lxc.network.hwaddr = 4a:49:43:49:79:bf
1620 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1621 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
55fc19a1
SG		 1622 </programlisting>
1623 </refsect2>
1624
1625 <refsect2>
1626 <title>UID/GID mapping</title>
1627 <para>This configuration will map both user and group ids in the
1628 range 0-9999 in the container to the ids 100000-109999 on the host.
1629 </para>
1630 <programlisting>
c464fd7e
SG		 1631 lxc.id_map = u 0 100000 10000
1632 lxc.id_map = g 0 100000 10000
55fc19a1
SG		 1633 </programlisting>
1634 </refsect2>
1635
1636 <refsect2>
1637 <title>Control group</title>
1638 <para>This configuration will setup several control groups for
1639 the application, cpuset.cpus restricts usage of the defined cpu,
1640 cpus.share prioritize the control group, devices.allow makes
1641 usable the specified devices.</para>
1642 <programlisting>
c464fd7e
SG		 1643 lxc.cgroup.cpuset.cpus = 0,1
1644 lxc.cgroup.cpu.shares = 1234
1645 lxc.cgroup.devices.deny = a
1646 lxc.cgroup.devices.allow = c 1:3 rw
1647 lxc.cgroup.devices.allow = b 8:0 rw
55fc19a1
SG		 1648 </programlisting>
1649 </refsect2>
1650
1651 <refsect2>
1652 <title>Complex configuration</title>
1653 <para>This example show a complex configuration making a complex
1654 network stack, using the control groups, setting a new hostname,
1655 mounting some locations and a changing root file system.</para>
1656 <programlisting>
c464fd7e
SG		 1657 lxc.utsname = complex
1658 lxc.network.type = veth
1659 lxc.network.flags = up
1660 lxc.network.link = br0
1661 lxc.network.hwaddr = 4a:49:43:49:79:bf
1662 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
1663 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
1664 lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
1665 lxc.network.type = macvlan
1666 lxc.network.flags = up
1667 lxc.network.link = eth0
1668 lxc.network.hwaddr = 4a:49:43:49:79:bd
1669 lxc.network.ipv4 = 10.2.3.4/24
1670 lxc.network.ipv4 = 192.168.10.125/24
1671 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
1672 lxc.network.type = phys
1673 lxc.network.flags = up
1674 lxc.network.link = dummy0
1675 lxc.network.hwaddr = 4a:49:43:49:79:ff
1676 lxc.network.ipv4 = 10.2.3.6/24
1677 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
1678 lxc.cgroup.cpuset.cpus = 0,1
1679 lxc.cgroup.cpu.shares = 1234
1680 lxc.cgroup.devices.deny = a
1681 lxc.cgroup.devices.allow = c 1:3 rw
1682 lxc.cgroup.devices.allow = b 8:0 rw
1683 lxc.mount = /etc/fstab.complex
1684 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
1685 lxc.rootfs = /mnt/rootfs.complex
1686 lxc.cap.drop = sys_module mknod setuid net_raw
1687 lxc.cap.drop = mac_override
55fc19a1
SG		 1688 </programlisting>
1689 </refsect2>
1690
1691 </refsect1>
1692
1693 <refsect1>
1694 <title>See Also</title>
1695 <simpara>
1696 <citerefentry>
c464fd7e
SG		 1697 <refentrytitle><command>chroot</command></refentrytitle>
1698 <manvolnum>1</manvolnum>
55fc19a1
SG		 1699 </citerefentry>,
1700
1701 <citerefentry>
c464fd7e
SG		 1702 <refentrytitle><command>pivot_root</command></refentrytitle>
1703 <manvolnum>8</manvolnum>
55fc19a1
SG		 1704 </citerefentry>,
1705
1706 <citerefentry>
c464fd7e
SG		 1707 <refentrytitle><filename>fstab</filename></refentrytitle>
1708 <manvolnum>5</manvolnum>
55fc19a1
SG		 1709 </citerefentry>,
1710
1711 <citerefentry>
c464fd7e
SG		 1712 <refentrytitle><filename>capabilities</filename></refentrytitle>
1713 <manvolnum>7</manvolnum>
55fc19a1
SG		 1714 </citerefentry>
1715 </simpara>
1716 </refsect1>
1717
1718 &seealso;
1719
1720 <refsect1>
1721 <title>Author</title>
1722 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
1723 </refsect1>
1724
1725</refentry>
1726
1727<!-- Keep this comment at the end of the file
1728Local variables:
1729mode: sgml
1730sgml-omittag:t
1731sgml-shorttag:t
1732sgml-minimize-attributes:nil
1733sgml-always-quote-attributes:t
1734sgml-indent-step:2
1735sgml-indent-data:t
1736sgml-parent-document:nil
1737sgml-default-dtd-file:nil
1738sgml-exposed-tags:nil
1739sgml-local-catalogs:nil
1740sgml-local-ecat-files:nil
1741End:
1742-->
LXC mirror