3 lxc: linux Container library
5 (C) Copyright IBM Corp. 2007, 2008
8 Daniel Lezcano <dlezcano at fr.ibm.com>
10 This library is free software; you can redistribute it and/or
11 modify it under the terms of the GNU Lesser General Public
12 License as published by the Free Software Foundation; either
13 version 2.1 of the License, or (at your option) any later version.
15 This library is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public
21 License along with this library; if not, write to the Free Software
22 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
28 <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
36 <refentrytitle>lxc.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
41 <refname>lxc.conf</refname>
44 linux container configuration file
49 <title>Description</title>
52 The linux containers (<command>lxc</command>) are always created
53 before being used. This creation defines a set of system
54 resources to be virtualized / isolated when a process is using
55 the container. By default, the pids, sysv ipc and mount points
56 are virtualized and isolated. The other system resources are
57 shared across containers, until they are explicitly defined in
58 the configuration file. For example, if there is no network
59 configuration, the network will be shared between the creator of
60 the container and the container itself, but if the network is
61 specified, a new network stack is created for the container and
62 the container can no longer use the network of its ancestor.
66 The configuration file defines the different system resources to
67 be assigned for the container. At present, the utsname, the
68 network, the mount points, the root file system and the control
73 Each option in the configuration file has the form <command>key
74 = value</command> fitting in one line. The '#' character means
75 the line is a comment.
79 <title>Architecture</title>
81 Allows to set the architecture for the container. For example,
82 set a 32bits architecture for a container running 32bits
83 binaries on a 64bits host. That fix the container scripts
84 which rely on the architecture to do some work like
85 downloading the packages.
91 <option>lxc.arch</option>
95 Specify the architecture for the container.
100 <option>i686</option>,
101 <option>x86_64</option>,
102 <option>amd64</option>
111 <title>Hostname</title>
113 The utsname section defines the hostname to be set for the
114 container. That means the container can set its own hostname
115 without changing the one from the system. That makes the
116 hostname private for the container.
121 <option>lxc.utsname</option>
125 specify the hostname for the container
133 <title>Network</title>
135 The network section defines how the network is virtualized in
136 the container. The network virtualization acts at layer
137 two. In order to use the network virtualization, parameters
138 must be specified to define the network interfaces of the
139 container. Several virtual interfaces can be assigned and used
140 in a container even if the system has only one physical
146 <option>lxc.network.type</option>
150 specify what kind of network virtualization to be used
151 for the container. Each time
152 a <option>lxc.network.type</option> field is found a new
153 round of network configuration begins. In this way,
154 several network virtualization types can be specified
155 for the same container, as well as assigning several
156 network interfaces for one container. The different
157 virtualization types can be:
161 <option>empty:</option> will create only the loopback
166 <option>veth:</option> a peer network device is created
167 with one side assigned to the container and the other
168 side is attached to a bridge specified by
169 the <option>lxc.network.link</option>. If the bridge is
170 not specified, then the veth pair device will be created
171 but not attached to any bridge. Otherwise, the bridge
172 has to be setup before on the
173 system, <command>lxc</command> won't handle any
174 configuration outside of the container. By
175 default <command>lxc</command> choose a name for the
176 network device belonging to the outside of the
177 container, this name is handled
178 by <command>lxc</command>, but if you wish to handle
179 this name yourself, you can tell <command>lxc</command>
180 to set a specific name with
181 the <option>lxc.network.veth.pair</option> option.
185 <option>vlan:</option> a vlan interface is linked with
186 the interface specified by
187 the <option>lxc.network.link</option> and assigned to
188 the container. The vlan identifier is specified with the
189 option <option>lxc.network.vlan.id</option>.
193 <option>macvlan:</option> a macvlan interface is linked
194 with the interface specified by
195 the <option>lxc.network.link</option> and assigned to
197 <option>lxc.network.macvlan.mode</option> specifies the
198 mode the macvlan will use to communicate between
199 different macvlan on the same upper device. The accepted
200 modes are <option>private</option>, the device never
201 communicates with any other device on the same upper_dev (default),
202 <option>vepa</option>, the new Virtual Ethernet Port
203 Aggregator (VEPA) mode, it assumes that the adjacent
204 bridge returns all frames where both source and
205 destination are local to the macvlan port, i.e. the
206 bridge is set up as a reflective relay. Broadcast
207 frames coming in from the upper_dev get flooded to all
208 macvlan interfaces in VEPA mode, local frames are not
209 delivered locallay, or <option>bridge</option>, it
210 provides the behavior of a simple bridge between
211 different macvlan interfaces on the same port. Frames
212 from one interface to another one get delivered directly
213 and are not sent out externally. Broadcast frames get
214 flooded to all other bridge ports and to the external
215 interface, but when they come back from a reflective
216 relay, we don't deliver them again. Since we know all
217 the MAC addresses, the macvlan bridge mode does not
218 require learning or STP like the bridge module does.
222 <option>phys:</option> an already existing interface
223 specified by the <option>lxc.network.link</option> is
224 assigned to the container.
231 <option>lxc.network.flags</option>
235 specify an action to do for the
239 <para><option>up:</option> activates the interface.
246 <option>lxc.network.link</option>
250 specify the interface to be used for real network
258 <option>lxc.network.name</option>
262 the interface name is dynamically allocated, but if
263 another name is needed because the configuration files
264 being used by the container use a generic name,
265 eg. eth0, this option will rename the interface in the
273 <option>lxc.network.hwaddr</option>
277 the interface mac address is dynamically allocated by
278 default to the virtual interface, but in some cases,
279 this is needed to resolve a mac address conflict or to
280 always have the same link-local ipv6 address
287 <option>lxc.network.ipv4</option>
291 specify the ipv4 address to assign to the virtualized
292 interface. Several lines specify several ipv4 addresses.
293 The address is in format x.y.z.t/m,
294 eg. 192.168.1.123/24. The broadcast address should be
295 specified on the same line, right after the ipv4
303 <option>lxc.network.ipv4.gateway</option>
307 specify the ipv4 address to use as the gateway inside the
308 container. The address is in format x.y.z.t, eg.
311 Can also have the special value <option>auto</option>,
312 which means to take the primary address from the bridge
313 interface (as specified by the
314 <option>lxc.network.link</option> option) and use that as
315 the gateway. <option>auto</option> is only available when
316 using the <option>veth</option> and
317 <option>macvlan</option> network types.
325 <option>lxc.network.ipv6</option>
329 specify the ipv6 address to assign to the virtualized
330 interface. Several lines specify several ipv6 addresses.
331 The address is in format x::y/m,
332 eg. 2003:db8:1:0:214:1234:fe0b:3596/64
339 <option>lxc.network.ipv6.gateway</option>
343 specify the ipv6 address to use as the gateway inside the
344 container. The address is in format x::y,
347 Can also have the special value <option>auto</option>,
348 which means to take the primary address from the bridge
349 interface (as specified by the
350 <option>lxc.network.link</option> option) and use that as
351 the gateway. <option>auto</option> is only available when
352 using the <option>veth</option> and
353 <option>macvlan</option> network types.
360 <option>lxc.network.script.up</option>
364 add a configuration option to specify a script to be
365 executed after creating and configuring the network used
366 from the host side. The following arguments are passed
367 to the script: container name and config section name
368 (net) Additional arguments depend on the config section
369 employing a script hook; the following are used by the
370 network system: execution context (up), network type
371 (empty/veth/macvlan/phys), Depending on the network
372 type, other arguments may be passed:
373 veth/macvlan/phys. And finally (host-sided) device name.
380 <option>lxc.network.script.down</option>
384 add a configuration option to specify a script to be
385 executed before destroying the network used from the
386 host side. The following arguments are passed to the
387 script: container name and config section name (net)
388 Additional arguments depend on the config section
389 employing a script hook; the following are used by the
390 network system: execution context (down), network type
391 (empty/veth/macvlan/phys), Depending on the network
392 type, other arguments may be passed:
393 veth/macvlan/phys. And finally (host-sided) device name.
401 <title>New pseudo tty instance (devpts)</title>
403 For stricter isolation the container can have its own private
404 instance of the pseudo tty.
409 <option>lxc.pts</option>
413 If set, the container will have a new pseudo tty
414 instance, making this private to it. The value specifies
415 the maximum number of pseudo ttys allowed for a pts
416 instance (this limitation is not implemented yet).
424 <title>Container system console</title>
426 If the container is configured with a root filesystem and the
427 inittab file is setup to use the console, you may want to specify
428 where goes the output of this console.
433 <option>lxc.console</option>
437 Specify a path to a file where the console output will
438 be written. The keyword 'none' will simply disable the
439 console. This is dangerous once if have a rootfs with a
440 console device file where the application can write, the
441 messages will fall in the host.
449 <title>Console through the ttys</title>
451 If the container is configured with a root filesystem and the
452 inittab file is setup to launch a getty on the ttys. This
453 option will specify the number of ttys to be available for the
454 container. The number of getty in the inittab file of the
455 container should not be greater than the number of ttys
456 specified in this configuration file, otherwise the excess
457 getty sessions will die and respawn indefinitly giving
458 annoying messages on the console.
463 <option>lxc.tty</option>
467 Specify the number of tty to make available to the
476 <title>Console devices location</title>
478 LXC consoles are provided through Unix98 PTYs created on the
479 host and bind-mounted over the expected devices in the container.
480 By default, they are bind-mounted over <filename>/dev/console</filename>
481 and <filename>/dev/ttyN</filename>. This can prevent package upgrades
482 in the guest. Therefore you can specify a directory location (under
483 <filename>/dev</filename> under which LXC will create the files and
484 bind-mount over them. These will then be symbolically linked to
485 <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
486 A package upgrade can then succeed as it is able to remove and replace
492 <option>lxc.devttydir</option>
496 Specify a directory under <filename>/dev</filename>
497 under which to create the container console devices.
505 <title>/dev directory</title>
507 By default, lxc does nothing with the container's
508 <filename>/dev</filename>. This allows the container's
509 <filename>/dev</filename> to be set up as needed in the container
510 rootfs. If lxc.autodev is set to 1, then after mounting the container's
511 rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
512 (limited to 100k) and fill in a minimal set of initial devices.
513 This is generally required when starting a container containing
514 a "systemd" based "init" but may be optional at other times. Addional
515 devices in the containers /dev directory may be created through the
516 use of the <option>lxc.hook.autodev</option> hook.
521 <option>lxc.autodev</option>
525 Set this to 1 to have LXC mount and populate a minimal
526 <filename>/dev</filename> when starting the container.
534 <title>Mount points</title>
536 The mount points section specifies the different places to be
537 mounted. These mount points will be private to the container
538 and won't be visible by the processes running outside of the
539 container. This is useful to mount /etc, /var or /home for
545 <option>lxc.mount</option>
549 specify a file location in
550 the <filename>fstab</filename> format, containing the
551 mount informations. If the rootfs is an image file or a
552 device block and the fstab is used to mount a point
553 somewhere in this rootfs, the path of the rootfs mount
554 point should be prefixed with the
555 <filename>@LXCROOTFSMOUNT@</filename> default path or
556 the value of <option>lxc.rootfs.mount</option> if
564 <option>lxc.mount.entry</option>
568 specify a mount point corresponding to a line in the
578 <title>Root file system</title>
580 The root file system of the container can be different than that
586 <option>lxc.rootfs</option>
590 specify the root file system for the container. It can
591 be an image file, a directory or a block device. If not
592 specified, the container shares its root file system
600 <option>lxc.rootfs.mount</option>
604 where to recursively bind <option>lxc.rootfs</option>
605 before pivoting. This is to ensure success of the
607 <refentrytitle><command>pivot_root</command></refentrytitle>
608 <manvolnum>8</manvolnum>
610 syscall. Any directory suffices, the default should
618 <option>lxc.pivotdir</option>
622 where to pivot the original root file system under
623 <option>lxc.rootfs</option>, specified relatively to
624 that. The default is <filename>mnt</filename>.
625 It is created if necessary, and also removed after
626 unmounting everything from it during container setup.
634 <title>Control group</title>
636 The control group section contains the configuration for the
637 different subsystem. <command>lxc</command> does not check the
638 correctness of the subsystem name. This has the disadvantage
639 of not detecting configuration errors until the container is
640 started, but has the advantage of permitting any future
646 <option>lxc.cgroup.[subsystem name]</option>
650 specify the control group value to be set. The
651 subsystem name is the literal name of the control group
652 subsystem. The permitted names and the syntax of their
653 values is not dictated by LXC, instead it depends on the
654 features of the Linux kernel running at the time the
655 container is started,
656 eg. <option>lxc.cgroup.cpuset.cpus</option>
664 <title>Capabilities</title>
666 The capabilities can be dropped in the container if this one
672 <option>lxc.cap.drop</option>
676 Specify the capability to be dropped in the container. A
677 single line defining several capabilities with a space
678 separation is allowed. The format is the lower case of
679 the capability definition without the "CAP_" prefix,
680 eg. CAP_SYS_MODULE should be specified as
683 <refentrytitle><command>capabilities</command></refentrytitle>
684 <manvolnum>7</manvolnum>
693 <title>UID mappings</title>
695 A container can be started in a private user namespace with
696 user and group id mappings. For instance, you can map userid
697 0 in the container to userid 200000 on the host. The root
698 user in the container will be privileged in the container,
699 but unprivileged on the host. Normally a system container
700 will want a range of ids, so you would map, for instance,
701 user and group ids 0 through 20,000 in the container to the
702 ids 200,000 through 220,000.
707 <option>lxc.id_map</option>
711 Four values must be provided. First a character, either
712 'u', or 'g', to specify whether user or group ids are
713 being mapped. Next is the first userid as seen in the
714 user namespace of the container. Next is the userid as
715 seen on the host. Finally, a range indicating the number
716 of consecutive ids to map.
724 <title>Startup hooks</title>
726 Startup hooks are programs or scripts which can be executed
727 at various times in a container's lifetime.
732 <option>lxc.hook.pre-start</option>
736 A hook to be run in the host's namespace before the
737 container ttys, consoles, or mounts are up.
745 <option>lxc.hook.pre-mount</option>
749 A hook to be run in the container's fs namespace but before
750 the rootfs has been set up. This allows for manipulation
751 of the rootfs, i.e. to mount an encrypted filesystem. Mounts
752 done in this hook will not be reflected on the host (apart from
753 mounts propagation), so they will be automatically cleaned up
754 when the container shuts down.
762 <option>lxc.hook.mount</option>
766 A hook to be run in the container's namespace after
767 mounting has been done, but before the pivot_root.
775 <option>lxc.hook.autodev</option>
779 A hook to be run in the container's namespace after
780 mounting has been done and after any mount hooks have
781 run, but before the pivot_root, if
782 <option>lxc.autodev</option> == 1.
783 The purpose of this hook is to assist in populating the
784 /dev directory of the container when using the autodev
785 option for systemd based containers. The container's /dev
786 directory is relative to the
787 ${<option>LXC_ROOTFS_MOUNT</option>} environment
788 variable available when the hook is run.
796 <option>lxc.hook.start</option>
800 A hook to be run in the container's namespace immediately
801 before executing the container's init. This requires the
802 program to be available in the container.
810 <option>lxc.hook.post-stop</option>
814 A hook to be run in the host's namespace after the
815 container has been shut down.
823 <title>Startup hooks Environment Variables</title>
825 A number of environment variables are made available to the startup
826 hooks to provide configuration information and assist in the
827 functioning of the hooks. Not all variables are valid in all
828 contexts. In particular, all paths are relative to the host system
829 and, as such, not valid during the <option>lxc.hook.start</option> hook.
834 <option>LXC_NAME</option>
838 The LXC name of the container. Useful for logging messages
839 in commmon log environments. [<option>-n</option>]
847 <option>LXC_CONFIG_FILE</option>
851 Host relative path to the container configuration file. This
852 gives the container to reference the original, top level,
853 configuration file for the container in order to locate any
854 addotional configuration information not otherwise made
855 available. [<option>-f</option>]
863 <option>LXC_CONSOLE</option>
867 The path to the console output of the container if not NULL.
868 [<option>-c</option>] [<option>lxc.console</option>]
876 <option>LXC_CONSOLE_LOGPATH</option>
880 The path to the console log output of the container if not NULL.
881 [<option>-L</option>]
889 <option>LXC_ROOTFS_MOUNT</option>
893 The mount location to which the container is initially bound.
894 This will be the host relative path to the container rootfs
895 for the container instance being started and is where changes
896 should be made for that instance.
897 [<option>lxc.rootfs.mount</option>]
905 <option>LXC_ROOTFS_PATH</option>
909 The host relative path to the container root which has been
910 mounted to the rootfs.mount location.
911 [<option>lxc.rootfs</option>]
922 <title>Examples</title>
924 In addition to the few examples given below, you will find
925 some other examples of configuration file in @DOCDIR@/examples
928 <title>Network</title>
929 <para>This configuration sets up a container to use a veth pair
930 device with one side plugged to a bridge br0 (which has been
931 configured before on the system by the administrator). The
932 virtual network device visible in the container is renamed to
935 lxc.utsname = myhostname
936 lxc.network.type = veth
937 lxc.network.flags = up
938 lxc.network.link = br0
939 lxc.network.name = eth0
940 lxc.network.hwaddr = 4a:49:43:49:79:bf
941 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
942 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
947 <title>UID/GID mapping</title>
948 <para>This configuration will map both user and group ids in the
949 range 0-9999 in the container to the ids 100000-109999 on the host.
952 lxc.id_map = u 0 100000 10000
953 lxc.id_map = g 0 100000 10000
958 <title>Control group</title>
959 <para>This configuration will setup several control groups for
960 the application, cpuset.cpus restricts usage of the defined cpu,
961 cpus.share prioritize the control group, devices.allow makes
962 usable the specified devices.</para>
964 lxc.cgroup.cpuset.cpus = 0,1
965 lxc.cgroup.cpu.shares = 1234
966 lxc.cgroup.devices.deny = a
967 lxc.cgroup.devices.allow = c 1:3 rw
968 lxc.cgroup.devices.allow = b 8:0 rw
973 <title>Complex configuration</title>
974 <para>This example show a complex configuration making a complex
975 network stack, using the control groups, setting a new hostname,
976 mounting some locations and a changing root file system.</para>
978 lxc.utsname = complex
979 lxc.network.type = veth
980 lxc.network.flags = up
981 lxc.network.link = br0
982 lxc.network.hwaddr = 4a:49:43:49:79:bf
983 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
984 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
985 lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
986 lxc.network.type = macvlan
987 lxc.network.flags = up
988 lxc.network.link = eth0
989 lxc.network.hwaddr = 4a:49:43:49:79:bd
990 lxc.network.ipv4 = 10.2.3.4/24
991 lxc.network.ipv4 = 192.168.10.125/24
992 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
993 lxc.network.type = phys
994 lxc.network.flags = up
995 lxc.network.link = dummy0
996 lxc.network.hwaddr = 4a:49:43:49:79:ff
997 lxc.network.ipv4 = 10.2.3.6/24
998 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
999 lxc.cgroup.cpuset.cpus = 0,1
1000 lxc.cgroup.cpu.shares = 1234
1001 lxc.cgroup.devices.deny = a
1002 lxc.cgroup.devices.allow = c 1:3 rw
1003 lxc.cgroup.devices.allow = b 8:0 rw
1004 lxc.mount = /etc/fstab.complex
1005 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
1006 lxc.rootfs = /mnt/rootfs.complex
1007 lxc.cap.drop = sys_module mknod setuid net_raw
1008 lxc.cap.drop = mac_override
1015 <title>See Also</title>
1018 <refentrytitle><command>chroot</command></refentrytitle>
1019 <manvolnum>1</manvolnum>
1023 <refentrytitle><command>pivot_root</command></refentrytitle>
1024 <manvolnum>8</manvolnum>
1028 <refentrytitle><filename>fstab</filename></refentrytitle>
1029 <manvolnum>5</manvolnum>
1038 <title>Author</title>
1039 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
1044 <!-- Keep this comment at the end of the file
1049 sgml-minimize-attributes:nil
1050 sgml-always-quote-attributes:t
1053 sgml-parent-document:nil
1054 sgml-default-dtd-file:nil
1055 sgml-exposed-tags:nil
1056 sgml-local-catalogs:nil
1057 sgml-local-ecat-files:nil