doc/lxc-attach.sgml.in

   1 <!--
   2
   3 lxc: linux Container library
   4
   5 (C) Copyright IBM Corp. 2007, 2008
   6
   7 Authors:
   8 Daniel Lezcano <daniel.lezcano at free.fr>
   9
  10 This library is free software; you can redistribute it and/or
  11 modify it under the terms of the GNU Lesser General Public
  12 License as published by the Free Software Foundation; either
  13 version 2.1 of the License, or (at your option) any later version.
  14
  15 This library is distributed in the hope that it will be useful,
  16 but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  18 Lesser General Public License for more details.
  19
  20 You should have received a copy of the GNU Lesser General Public
  21 License along with this library; if not, write to the Free Software
  22 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  23
  24 -->
  25
  26
  27 <!DOCTYPE refentry PUBLIC @docdtd@ [
  28
  29 <!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
  30 <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
  31 ]>
  32
  33 <refentry>
  34
  35   <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
  36
  37   <refmeta>
  38     <refentrytitle>lxc-attach</refentrytitle>
  39     <manvolnum>1</manvolnum>
  40   </refmeta>
  41
  42   <refnamediv>
  43     <refname>lxc-attach</refname>
  44
  45     <refpurpose>
  46       start a process inside a running container.
  47     </refpurpose>
  48   </refnamediv>
  49
  50   <refsynopsisdiv>
  51     <cmdsynopsis>
  52       <command>lxc-attach</command>
  53       <arg choice="req">-n <replaceable>name</replaceable></arg>
  54       <arg choice="opt">-a <replaceable>arch</replaceable></arg>
  55       <arg choice="opt">-e</arg>
  56       <arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
  57       <arg choice="opt">-R</arg>
  58       <arg choice="opt">--keep-env</arg>
  59       <arg choice="opt">--clear-env</arg>
  60       <arg choice="opt">-- <replaceable>command</replaceable></arg>
  61     </cmdsynopsis>
  62   </refsynopsisdiv>
  63
  64   <refsect1>
  65     <title>Description</title>
  66
  67     <para>
  68       <command>lxc-attach</command> runs the specified
  69       <replaceable>command</replaceable> inside the container
  70       specified by <replaceable>name</replaceable>. The container
  71       has to be running already.
  72     </para>
  73     <para>
  74       If no <replaceable>command</replaceable> is specified, the
  75       current default shell of the user running
  76       <command>lxc-attach</command> will be looked up inside the
  77       container and executed. This will fail if no such user exists
  78       inside the container or the container does not have a working
  79       nsswitch mechanism.
  80     </para>
  81     <para>
  82     Previous versions of <command>lxc-attach</command> simply attached to the
  83     specified namespaces of a container and ran a shell or the specified command
  84     without first allocating a pseudo terminal. This made them vulnerable to
  85     input faking via a TIOCSTI <command>ioctl</command> call after switching
  86     between userspace execution contexts with different privilege levels. Newer
  87     versions of <command>lxc-attach</command> will try to allocate a pseudo
  88     terminal master/slave pair on the host and attach any standard file
  89     descriptors which refer to a terminal to the slave side of the pseudo
  90     terminal before executing a shell or command. Note, that if none of the
  91     standard file descriptors refer to a terminal <command>lxc-attach</command>
  92     will not try to allocate a pseudo terminal. Instead it will simply attach
  93     to the containers namespaces and run a shell or the specified command.
  94     </para>
  95
  96   </refsect1>
  97
  98   <refsect1>
  99
 100     <title>Options</title>
 101
 102     <variablelist>
 103
 104       <varlistentry>
 105         <term>
 106           <option>-a, --arch <replaceable>arch</replaceable></option>
 107         </term>
 108         <listitem>
 109           <para>
 110             Specify the architecture which the kernel should appear to be
 111             running as to the command executed. This option will accept the
 112             same settings as the <option>lxc.arch</option> option in
 113             container configuration files, see
 114             <citerefentry>
 115               <refentrytitle><filename>lxc.conf</filename></refentrytitle>
 116               <manvolnum>5</manvolnum>
 117             </citerefentry>. By default, the current archictecture of the
 118             running container will be used.
 119           </para>
 120         </listitem>
 121       </varlistentry>
 122
 123       <varlistentry>
 124         <term>
 125           <option>
 126       -e, --elevated-privileges <replaceable>privileges</replaceable>
 127     </option>
 128         </term>
 129         <listitem>
 130           <para>
 131             Do not drop privileges when running
 132             <replaceable>command</replaceable> inside the container. If
 133             this option is specified, the new process will
 134             <emphasis>not</emphasis> be added to the container's cgroup(s)
 135             and it will not drop its capabilities before executing.
 136           </para>
 137     <para>
 138       You may specify privileges, in case you do not want to elevate all of
 139       them, as a pipe-separated list, e.g.
 140       <replaceable>CGROUP|LSM</replaceable>. Allowed values are
 141       <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
 142       <replaceable>LSM</replaceable> representing cgroup, capabilities and
 143       restriction privileges respectively.
 144     </para>
 145           <para>
 146             <emphasis>Warning:</emphasis> This may leak privileges into the
 147             container if the command starts subprocesses that remain active
 148             after the main process that was attached is terminated. The
 149             (re-)starting of daemons inside the container is problematic,
 150             especially if the daemon starts a lot of subprocesses such as
 151             <command>cron</command> or <command>sshd</command>.
 152             <emphasis>Use with great care.</emphasis>
 153           </para>
 154         </listitem>
 155       </varlistentry>
 156
 157       <varlistentry>
 158         <term>
 159           <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
 160         </term>
 161         <listitem>
 162           <para>
 163             Specify the namespaces to attach to, as a pipe-separated list,
 164             e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
 165             <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
 166             <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
 167             <replaceable>USER </replaceable> and
 168             <replaceable>NETWORK</replaceable>. This allows one to change
 169             the context of the process to e.g. the network namespace of the
 170             container while retaining the other namespaces as those of the
 171             host.
 172           </para>
 173           <para>
 174             <emphasis>Important:</emphasis> This option implies
 175             <option>-e</option>.
 176           </para>
 177         </listitem>
 178       </varlistentry>
 179
 180       <varlistentry>
 181         <term>
 182           <option>-R, --remount-sys-proc</option>
 183         </term>
 184         <listitem>
 185           <para>
 186             When using <option>-s</option> and the mount namespace is not
 187             included, this flag will cause <command>lxc-attach</command>
 188             to remount <replaceable>/proc</replaceable> and
 189             <replaceable>/sys</replaceable> to reflect the current other
 190             namespace contexts.
 191           </para>
 192           <para>
 193             Please see the <emphasis>Notes</emphasis> section for more
 194             details.
 195           </para>
 196           <para>
 197             This option will be ignored if one tries to attach to the
 198             mount namespace anyway.
 199           </para>
 200         </listitem>
 201       </varlistentry>
 202
 203       <varlistentry>
 204         <term>
 205           <option>--keep-env</option>
 206         </term>
 207         <listitem>
 208           <para>
 209             Keep the current environment for attached programs. This is
 210             the current default behaviour (as of version 0.9), but is
 211             is likely to change in the future, since this may leak
 212             undesirable information into the container. If you rely on
 213             the environment being available for the attached program,
 214             please use this option to be future-proof. In addition to
 215             current environment variables, container=lxc will be set.
 216           </para>
 217         </listitem>
 218       </varlistentry>
 219
 220       <varlistentry>
 221         <term>
 222           <option>--clear-env</option>
 223         </term>
 224         <listitem>
 225           <para>
 226             Clear the environment before attaching, so no undesired
 227             environment variables leak into the container. The variable
 228             container=lxc will be the only environment with which the
 229             attached program starts.
 230           </para>
 231         </listitem>
 232       </varlistentry>
 233
 234      </variablelist>
 235
 236   </refsect1>
 237
 238   &commonoptions;
 239
 240   <refsect1>
 241     <title>Examples</title>
 242       <para>
 243         To spawn a new shell running inside an existing container, use
 244         <programlisting>
 245           lxc-attach -n container
 246         </programlisting>
 247       </para>
 248       <para>
 249         To restart the cron service of a running Debian container, use
 250         <programlisting>
 251           lxc-attach -n container -- /etc/init.d/cron restart
 252         </programlisting>
 253       </para>
 254       <para>
 255         To deactivate the network link eth1 of a running container that
 256         does not have the NET_ADMIN capability, use either the
 257         <option>-e</option> option to use increased capabilities,
 258         assuming the <command>ip</command> tool is installed:
 259         <programlisting>
 260           lxc-attach -n container -e -- /sbin/ip link delete eth1
 261         </programlisting>
 262         Or, alternatively, use the <option>-s</option> to use the
 263         tools installed on the host outside the container:
 264         <programlisting>
 265           lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
 266         </programlisting>
 267       </para>
 268   </refsect1>
 269
 270   <refsect1>
 271     <title>Compatibility</title>
 272     <para>
 273       Attaching completely (including the pid and mount namespaces) to a
 274       container requires a kernel of version 3.8 or higher, or a
 275       patched kernel, please see the lxc website for
 276       details. <command>lxc-attach</command> will fail in that case if
 277       used with an unpatched kernel of version 3.7 and prior.
 278     </para>
 279     <para>
 280       Nevertheless, it will succeed on an unpatched kernel of version 3.0
 281       or higher if the <option>-s</option> option is used to restrict the
 282       namespaces that the process is to be attached to to one or more of
 283       <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
 284       and <replaceable>UTSNAME</replaceable>.
 285     </para>
 286     <para>
 287       Attaching to user namespaces is supported by kernel 3.8 or higher
 288       with enabling user namespace.
 289     </para>
 290   </refsect1>
 291
 292   <refsect1>
 293     <title>Notes</title>
 294     <para>
 295       The Linux <replaceable>/proc</replaceable> and
 296       <replaceable>/sys</replaceable> filesystems contain information
 297       about some quantities that are affected by namespaces, such as
 298       the directories named after process ids in
 299       <replaceable>/proc</replaceable> or the network interface information
 300       in <replaceable>/sys/class/net</replaceable>. The namespace of the
 301       process mounting the pseudo-filesystems determines what information
 302       is shown, <emphasis>not</emphasis> the namespace of the process
 303       accessing <replaceable>/proc</replaceable> or
 304       <replaceable>/sys</replaceable>.
 305     </para>
 306     <para>
 307       If one uses the <option>-s</option> option to only attach to
 308       the pid namespace of a container, but not its mount namespace
 309       (which will contain the <replaceable>/proc</replaceable> of the
 310       container and not the host), the contents of <option>/proc</option>
 311       will reflect that of the host and not the container. Analogously,
 312       the same issue occurs when reading the contents of
 313       <replaceable>/sys/class/net</replaceable> and attaching to just
 314       the network namespace.
 315     </para>
 316     <para>
 317       To work around this problem, the <option>-R</option> flag provides
 318       the option to remount <replaceable>/proc</replaceable> and
 319       <replaceable>/sys</replaceable> in order for them to reflect the
 320       network/pid namespace context of the attached process. In order
 321       not to interfere with the host's actual filesystem, the mount
 322       namespace will be unshared (like <command>lxc-unshare</command>
 323       does) before this is done, esentially giving the process a new
 324       mount namespace, which is identical to the hosts's mount namespace
 325       except for the <replaceable>/proc</replaceable> and
 326       <replaceable>/sys</replaceable> filesystems.
 327     </para>
 328     <para>
 329       Previous versions of <command>lxc-attach</command> suffered a bug whereby
 330       a user could attach to a containers namespace without being placed in a
 331       writeable cgroup for some critical subsystems. Newer versions of
 332       <command>lxc-attach</command> will check whether a user is in a writeable
 333       cgroup for those critical subsystems. <command>lxc-attach</command> might
 334       thus fail unexpectedly for some users (E.g. on systems where an
 335       unprivileged user is not placed in a writeable cgroup in critical
 336       subsystems on login.). However, this behavior is correct and more secure.
 337     </para>
 338   </refsect1>
 339
 340   <refsect1>
 341     <title>Security</title>
 342     <para>
 343       The <option>-e</option> and <option>-s</option> options should
 344       be used with care, as it may break the isolation of the containers
 345       if used improperly.
 346     </para>
 347   </refsect1>
 348
 349   &seealso;
 350
 351   <refsect1>
 352     <title>Author</title>
 353     <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
 354   </refsect1>
 355
 356 </refentry>
 357
 358 <!-- Keep this comment at the end of the file
 359 Local variables:
 360 mode: sgml
 361 sgml-omittag:t
 362 sgml-shorttag:t
 363 sgml-minimize-attributes:nil
 364 sgml-always-quote-attributes:t
 365 sgml-indent-step:2
 366 sgml-indent-data:t
 367 sgml-parent-document:nil
 368 sgml-default-dtd-file:nil
 369 sgml-exposed-tags:nil
 370 sgml-local-catalogs:nil
 371 sgml-local-ecat-files:nil
 372 End:
 373 -->