]> @LXC_GENERATE_DATE@ lxc-attach 1 lxc-attach start a process inside a running container. lxc-attach -n name -a arch -e -s namespaces -- command lxc-attach runs the specified command inside the container specified by name. The container has to be running already. If no command is specified, the current default shell of the user running lxc-attach will be looked up inside the container and executed. This will fail if no such user exists inside the container or the container does not have a working nsswitch mechanism. -a, --arch arch Specify the architecture which the kernel should appear to be running as to the command executed. This option will accept the same settings as the lxc.arch option in container configuration files, see lxc.conf 5 . By default, the current archictecture of the running container will be used. -e, --elevated-privileges Do not drop privileges when running command inside the container. If this option is specified, the new process will not be added to the container's cgroup(s) and it will not drop its capabilities before executing. Warning: This may leak privileges into the container if the command starts subprocesses that remain active after the main process that was attached is terminated. The (re-)starting of daemons inside the container is problematic, especially if the daemon starts a lot of subprocesses such as cron or sshd. Use with great care. -s, --namespaces namespaces Specify the namespaces to attach to, as a pipe-separated liste, e.g. NETWORK|IPC. Allowed values are MOUNT, PID, UTSNAME, IPC, USER and NETWORK. This allows one to change the context of the process to e.g. the network namespace of the container while retaining the other namespaces as those of the host. Important: This option implies -e. &commonoptions; To spawn a new shell running inside an existing container, use lxc-attach -n container To restart the cron service of a running Debian container, use lxc-attach -n container -- /etc/init.d/cron restart To deactivate the network link eth1 of a running container that does not have the NET_ADMIN capability, use either the -e option to use increased capabilities, assuming the ip tool is installed: lxc-attach -n container -e -- /sbin/ip link delete eth1 Or, alternatively, use the -s to use the tools installed on the host outside the container: lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1 Attaching completely (including the pid and mount namespaces) to a container requires a patched kernel, please see the lxc website for details. lxc-attach will fail in that case if used with an unpatched kernel. Nevertheless, it will succeed on an unpatched kernel of version 3.0 or higher if the -s option is used to restrict the namespaces that the process is to be attached to to one or more of NETWORK, IPC and UTSNAME. Attaching to user namespaces is currently completely unsupported by the kernel. lxc-attach should however be able to do this once once future kernel versions implement this. The Linux /proc and /sys filesystems contain information about some quantities that are affected by namespaces, such as the directories named after process ids in /proc or the network interface infromation in /sys/class/net. The namespace of the process mounting the pseudo-filesystems determines what information is shown, not the namespace of the process accessing /proc or /sys. If one uses the -s option to only attach to the pid namespace of a container, but not its mount namespace (which will contain the /proc of the container and not the host), the contents of /proc will reflect that of the host and not the container. Analogously, the same issue occurs when reading the contents of /sys/class/net and attaching to just the network namespace. A workaround is to use lxc-unshare to unshare the mount namespace after using lxc-attach with -s PID and/or -s NETWORK and then unmount and then mount again both pseudo-filesystems within that new mount namespace, before executing a program/script that relies on this information to be correct. The -e and -s options should be used with care, as it may break the isolation of the containers if used improperly. &seealso; Daniel Lezcano daniel.lezcano@free.fr