doc/lxc-attach.sgml.in

   1 <!--
   2
   3 lxc: linux Container library
   4
   5 (C) Copyright IBM Corp. 2007, 2008
   6
   7 Authors:
   8 Daniel Lezcano <daniel.lezcano at free.fr>
   9
  10 This library is free software; you can redistribute it and/or
  11 modify it under the terms of the GNU Lesser General Public
  12 License as published by the Free Software Foundation; either
  13 version 2.1 of the License, or (at your option) any later version.
  14
  15 This library is distributed in the hope that it will be useful,
  16 but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  18 Lesser General Public License for more details.
  19
  20 You should have received a copy of the GNU Lesser General Public
  21 License along with this library; if not, write to the Free Software
  22 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  23
  24 -->
  25
  26
  27 <!DOCTYPE refentry PUBLIC @docdtd@ [
  28
  29 <!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
  30 <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
  31 ]>
  32
  33 <refentry>
  34
  35   <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
  36
  37   <refmeta>
  38     <refentrytitle>lxc-attach</refentrytitle>
  39     <manvolnum>1</manvolnum>
  40   </refmeta>
  41
  42   <refnamediv>
  43     <refname>lxc-attach</refname>
  44
  45     <refpurpose>
  46       start a process inside a running container.
  47     </refpurpose>
  48   </refnamediv>
  49
  50   <refsynopsisdiv>
  51     <cmdsynopsis>
  52       <command>lxc-attach</command>
  53       <arg choice="req">-n, --name <replaceable>name</replaceable></arg>
  54       <arg choice="opt">-f, --rcfile <replaceable>config_file</replaceable></arg>
  55       <arg choice="opt">-a, --arch <replaceable>arch</replaceable></arg>
  56       <arg choice="opt">-e, --elevated-privileges <replaceable>privileges</replaceable></arg>
  57       <arg choice="opt">-s, --namespaces <replaceable>namespaces</replaceable></arg>
  58       <arg choice="opt">-R, --remount-sys-proc</arg>
  59       <arg choice="opt">--keep-env</arg>
  60       <arg choice="opt">--clear-env</arg>
  61       <arg choice="opt">-L, --pty-log <replaceable>file</replaceable></arg>
  62       <arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>
  63       <arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>
  64       <arg choice="opt">-- <replaceable>command</replaceable></arg>
  65     </cmdsynopsis>
  66   </refsynopsisdiv>
  67
  68   <refsect1>
  69     <title>Description</title>
  70
  71     <para>
  72       <command>lxc-attach</command> runs the specified
  73       <replaceable>command</replaceable> inside the container
  74       specified by <replaceable>name</replaceable>. The container
  75       has to be running already.
  76     </para>
  77     <para>
  78       If no <replaceable>command</replaceable> is specified, the
  79       current default shell of the user running
  80       <command>lxc-attach</command> will be looked up inside the
  81       container and executed. This will fail if no such user exists
  82       inside the container or the container does not have a working
  83       nsswitch mechanism.
  84     </para>
  85     <para>
  86     Previous versions of <command>lxc-attach</command> simply attached to the
  87     specified namespaces of a container and ran a shell or the specified command
  88     without first allocating a pseudo terminal. This made them vulnerable to
  89     input faking via a TIOCSTI <command>ioctl</command> call after switching
  90     between userspace execution contexts with different privilege levels. Newer
  91     versions of <command>lxc-attach</command> will try to allocate a pseudo
  92     terminal master/slave pair on the host and attach any standard file
  93     descriptors which refer to a terminal to the slave side of the pseudo
  94     terminal before executing a shell or command. Note, that if none of the
  95     standard file descriptors refer to a terminal <command>lxc-attach</command>
  96     will not try to allocate a pseudo terminal. Instead it will simply attach
  97     to the containers namespaces and run a shell or the specified command.
  98     </para>
  99
 100   </refsect1>
 101
 102   <refsect1>
 103
 104     <title>Options</title>
 105
 106     <variablelist>
 107
 108       <varlistentry>
 109         <term>
 110           <option>-f, --rcfile <replaceable>config_file</replaceable></option>
 111         </term>
 112         <listitem>
 113           <para>
 114             Specify the configuration file to configure the virtualization
 115             and isolation functionalities for the container.
 116           </para>
 117           <para>
 118            This configuration file if present will be used even if there is
 119            already a configuration file present in the previously created
 120            container (via lxc-create).
 121           </para>
 122         </listitem>
 123       </varlistentry>
 124
 125       <varlistentry>
 126         <term>
 127           <option>-a, --arch <replaceable>arch</replaceable></option>
 128         </term>
 129         <listitem>
 130           <para>
 131             Specify the architecture which the kernel should appear to be
 132             running as to the command executed. This option will accept the
 133             same settings as the <option>lxc.arch</option> option in
 134             container configuration files, see
 135             <citerefentry>
 136               <refentrytitle><filename>lxc.conf</filename></refentrytitle>
 137               <manvolnum>5</manvolnum>
 138             </citerefentry>. By default, the current archictecture of the
 139             running container will be used.
 140           </para>
 141         </listitem>
 142       </varlistentry>
 143
 144       <varlistentry>
 145         <term>
 146           <option>
 147       -e, --elevated-privileges <replaceable>privileges</replaceable>
 148     </option>
 149         </term>
 150         <listitem>
 151           <para>
 152             Do not drop privileges when running
 153             <replaceable>command</replaceable> inside the container. If
 154             this option is specified, the new process will
 155             <emphasis>not</emphasis> be added to the container's cgroup(s)
 156             and it will not drop its capabilities before executing.
 157           </para>
 158     <para>
 159       You may specify privileges, in case you do not want to elevate all of
 160       them, as a pipe-separated list, e.g.
 161       <replaceable>CGROUP|LSM</replaceable>. Allowed values are
 162       <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
 163       <replaceable>LSM</replaceable> representing cgroup, capabilities and
 164       restriction privileges respectively. (The pipe symbol needs to be escaped,
 165       e.g. <replaceable>CGROUP\|LSM</replaceable> or quoted, e.g.
 166       <replaceable>"CGROUP|LSM"</replaceable>.)
 167     </para>
 168           <para>
 169             <emphasis>Warning:</emphasis> This may leak privileges into the
 170             container if the command starts subprocesses that remain active
 171             after the main process that was attached is terminated. The
 172             (re-)starting of daemons inside the container is problematic,
 173             especially if the daemon starts a lot of subprocesses such as
 174             <command>cron</command> or <command>sshd</command>.
 175             <emphasis>Use with great care.</emphasis>
 176           </para>
 177         </listitem>
 178       </varlistentry>
 179
 180       <varlistentry>
 181         <term>
 182           <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
 183         </term>
 184         <listitem>
 185           <para>
 186             Specify the namespaces to attach to, as a pipe-separated list,
 187             e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
 188             <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
 189             <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
 190             <replaceable>USER </replaceable> and
 191             <replaceable>NETWORK</replaceable>. This allows one to change
 192             the context of the process to e.g. the network namespace of the
 193             container while retaining the other namespaces as those of the
 194             host. (The pipe symbol needs to be escaped, e.g.
 195             <replaceable>MOUNT\|PID</replaceable> or quoted, e.g.
 196             <replaceable>"MOUNT|PID"</replaceable>.)
 197           </para>
 198           <para>
 199             <emphasis>Important:</emphasis> This option implies
 200             <option>-e</option>.
 201           </para>
 202         </listitem>
 203       </varlistentry>
 204
 205       <varlistentry>
 206         <term>
 207           <option>-R, --remount-sys-proc</option>
 208         </term>
 209         <listitem>
 210           <para>
 211             When using <option>-s</option> and the mount namespace is not
 212             included, this flag will cause <command>lxc-attach</command>
 213             to remount <replaceable>/proc</replaceable> and
 214             <replaceable>/sys</replaceable> to reflect the current other
 215             namespace contexts.
 216           </para>
 217           <para>
 218             Please see the <emphasis>Notes</emphasis> section for more
 219             details.
 220           </para>
 221           <para>
 222             This option will be ignored if one tries to attach to the
 223             mount namespace anyway.
 224           </para>
 225         </listitem>
 226       </varlistentry>
 227
 228       <varlistentry>
 229         <term>
 230           <option>--keep-env</option>
 231         </term>
 232         <listitem>
 233           <para>
 234             Keep the current environment for attached programs. This is
 235             the current default behaviour (as of version 0.9), but is
 236             is likely to change in the future, since this may leak
 237             undesirable information into the container. If you rely on
 238             the environment being available for the attached program,
 239             please use this option to be future-proof. In addition to
 240             current environment variables, container=lxc will be set.
 241           </para>
 242         </listitem>
 243       </varlistentry>
 244
 245       <varlistentry>
 246         <term>
 247           <option>--clear-env</option>
 248         </term>
 249         <listitem>
 250           <para>
 251             Clear the environment before attaching, so no undesired
 252             environment variables leak into the container. The variable
 253             container=lxc will be the only environment with which the
 254             attached program starts.
 255           </para>
 256         </listitem>
 257       </varlistentry>
 258
 259       <varlistentry>
 260         <term>
 261           <option>-L, --pty-log <replaceable>file</replaceable></option>
 262         </term>
 263         <listitem>
 264           <para>
 265         Specify a file where the output of <command>lxc-attach</command> will be
 266         logged.
 267           </para>
 268           <para>
 269             <emphasis>Important:</emphasis>  When a standard file descriptor
 270             does not refer to a pty output produced on it will not be logged.
 271           </para>
 272         </listitem>
 273       </varlistentry>
 274
 275       <varlistentry>
 276         <term>
 277           <option>-v, --set-var <replaceable>variable</replaceable></option>
 278         </term>
 279         <listitem>
 280           <para>
 281             Set an additional environment variable that is seen by the
 282             attached program in the container. It is specified in the
 283             form of "VAR=VALUE", and can be specified multiple times.
 284           </para>
 285         </listitem>
 286       </varlistentry>
 287
 288       <varlistentry>
 289         <term>
 290           <option>--keep-var <replaceable>variable</replaceable></option>
 291         </term>
 292         <listitem>
 293           <para>
 294             Keep a specified environment variable. It can only be
 295             specified in conjunction
 296             with <replaceable>--clear-env</replaceable>, and can be
 297             specified multiple times.
 298           </para>
 299         </listitem>
 300       </varlistentry>
 301
 302      </variablelist>
 303
 304   </refsect1>
 305
 306   &commonoptions;
 307
 308   <refsect1>
 309     <title>Examples</title>
 310       <para>
 311         To spawn a new shell running inside an existing container, use
 312         <programlisting>
 313           lxc-attach -n container
 314         </programlisting>
 315       </para>
 316       <para>
 317         To restart the cron service of a running Debian container, use
 318         <programlisting>
 319           lxc-attach -n container -- /etc/init.d/cron restart
 320         </programlisting>
 321       </para>
 322       <para>
 323         To deactivate the network link eth1 of a running container that
 324         does not have the NET_ADMIN capability, use either the
 325         <option>-e</option> option to use increased capabilities,
 326         assuming the <command>ip</command> tool is installed:
 327         <programlisting>
 328           lxc-attach -n container -e -- /sbin/ip link delete eth1
 329         </programlisting>
 330         Or, alternatively, use the <option>-s</option> to use the
 331         tools installed on the host outside the container:
 332         <programlisting>
 333           lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
 334         </programlisting>
 335       </para>
 336   </refsect1>
 337
 338   <refsect1>
 339     <title>Compatibility</title>
 340     <para>
 341       Attaching completely (including the pid and mount namespaces) to a
 342       container requires a kernel of version 3.8 or higher, or a
 343       patched kernel, please see the lxc website for
 344       details. <command>lxc-attach</command> will fail in that case if
 345       used with an unpatched kernel of version 3.7 and prior.
 346     </para>
 347     <para>
 348       Nevertheless, it will succeed on an unpatched kernel of version 3.0
 349       or higher if the <option>-s</option> option is used to restrict the
 350       namespaces that the process is to be attached to to one or more of
 351       <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
 352       and <replaceable>UTSNAME</replaceable>.
 353     </para>
 354     <para>
 355       Attaching to user namespaces is supported by kernel 3.8 or higher
 356       with enabling user namespace.
 357     </para>
 358   </refsect1>
 359
 360   <refsect1>
 361     <title>Notes</title>
 362     <para>
 363       The Linux <replaceable>/proc</replaceable> and
 364       <replaceable>/sys</replaceable> filesystems contain information
 365       about some quantities that are affected by namespaces, such as
 366       the directories named after process ids in
 367       <replaceable>/proc</replaceable> or the network interface information
 368       in <replaceable>/sys/class/net</replaceable>. The namespace of the
 369       process mounting the pseudo-filesystems determines what information
 370       is shown, <emphasis>not</emphasis> the namespace of the process
 371       accessing <replaceable>/proc</replaceable> or
 372       <replaceable>/sys</replaceable>.
 373     </para>
 374     <para>
 375       If one uses the <option>-s</option> option to only attach to
 376       the pid namespace of a container, but not its mount namespace
 377       (which will contain the <replaceable>/proc</replaceable> of the
 378       container and not the host), the contents of <option>/proc</option>
 379       will reflect that of the host and not the container. Analogously,
 380       the same issue occurs when reading the contents of
 381       <replaceable>/sys/class/net</replaceable> and attaching to just
 382       the network namespace.
 383     </para>
 384     <para>
 385       To work around this problem, the <option>-R</option> flag provides
 386       the option to remount <replaceable>/proc</replaceable> and
 387       <replaceable>/sys</replaceable> in order for them to reflect the
 388       network/pid namespace context of the attached process. In order
 389       not to interfere with the host's actual filesystem, the mount
 390       namespace will be unshared (like <command>lxc-unshare</command>
 391       does) before this is done, essentially giving the process a new
 392       mount namespace, which is identical to the hosts's mount namespace
 393       except for the <replaceable>/proc</replaceable> and
 394       <replaceable>/sys</replaceable> filesystems.
 395     </para>
 396     <para>
 397       Previous versions of <command>lxc-attach</command> suffered a bug whereby
 398       a user could attach to a containers namespace without being placed in a
 399       writeable cgroup for some critical subsystems. Newer versions of
 400       <command>lxc-attach</command> will check whether a user is in a writeable
 401       cgroup for those critical subsystems. <command>lxc-attach</command> might
 402       thus fail unexpectedly for some users (E.g. on systems where an
 403       unprivileged user is not placed in a writeable cgroup in critical
 404       subsystems on login.). However, this behavior is correct and more secure.
 405     </para>
 406   </refsect1>
 407
 408   <refsect1>
 409     <title>Security</title>
 410     <para>
 411       The <option>-e</option> and <option>-s</option> options should
 412       be used with care, as it may break the isolation of the containers
 413       if used improperly.
 414     </para>
 415   </refsect1>
 416
 417   &seealso;
 418
 419   <refsect1>
 420     <title>Author</title>
 421     <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
 422   </refsect1>
 423
 424 </refentry>
 425
 426 <!-- Keep this comment at the end of the file
 427 Local variables:
 428 mode: sgml
 429 sgml-omittag:t
 430 sgml-shorttag:t
 431 sgml-minimize-attributes:nil
 432 sgml-always-quote-attributes:t
 433 sgml-indent-step:2
 434 sgml-indent-data:t
 435 sgml-parent-document:nil
 436 sgml-default-dtd-file:nil
 437 sgml-exposed-tags:nil
 438 sgml-local-catalogs:nil
 439 sgml-local-ecat-files:nil
 440 End:
 441 -->