<refsynopsisdiv>
<cmdsynopsis>
<command>lxc-attach</command>
- <arg choice="req">-n <replaceable>name</replaceable></arg>
- <arg choice="opt">-a <replaceable>arch</replaceable></arg>
- <arg choice="opt">-e</arg>
- <arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
- <arg choice="opt">-R</arg>
+ <arg choice="req">-n, --name <replaceable>name</replaceable></arg>
+ <arg choice="opt">-f, --rcfile <replaceable>config_file</replaceable></arg>
+ <arg choice="opt">-a, --arch <replaceable>arch</replaceable></arg>
+ <arg choice="opt">-e, --elevated-privileges <replaceable>privileges</replaceable></arg>
+ <arg choice="opt">-s, --namespaces <replaceable>namespaces</replaceable></arg>
+ <arg choice="opt">-R, --remount-sys-proc</arg>
<arg choice="opt">--keep-env</arg>
<arg choice="opt">--clear-env</arg>
+ <arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>
+ <arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>
<arg choice="opt">-- <replaceable>command</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
</para>
<para>
Previous versions of <command>lxc-attach</command> simply attached to the
- specified namespaces of a container and ran a shell or the specified
- command without allocating a pseudo terminal. This made them vulnerable to
+ specified namespaces of a container and ran a shell or the specified command
+ without first allocating a pseudo terminal. This made them vulnerable to
input faking via a TIOCSTI <command>ioctl</command> call after switching
between userspace execution contexts with different privilege levels. Newer
versions of <command>lxc-attach</command> will try to allocate a pseudo
- terminal master/slave pair and attach any standard file descriptors which
- refer to a terminal to the slave side of the pseudo terminal before
- executing a shell or command. <command>lxc-attach</command> will first try
- to allocate a pseudo terminal in the container. Should this fail it will try
- to allocate a pseudo terminal on the host before finally giving up. Note,
- that if none of the standard file descriptors refer to a terminal
- <command>lxc-attach</command> will not try to allocate a pseudo terminal.
- Instead it will simply attach to the containers namespaces and run a shell
- or the specified command.
+ terminal master/slave pair on the host and attach any standard file
+ descriptors which refer to a terminal to the slave side of the pseudo
+ terminal before executing a shell or command. Note, that if none of the
+ standard file descriptors refer to a terminal <command>lxc-attach</command>
+ will not try to allocate a pseudo terminal. Instead it will simply attach
+ to the containers namespaces and run a shell or the specified command.
</para>
</refsect1>
<variablelist>
+ <varlistentry>
+ <term>
+ <option>-f, --rcfile <replaceable>config_file</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Specify the configuration file to configure the virtualization
+ and isolation functionalities for the container.
+ </para>
+ <para>
+ This configuration file if present will be used even if there is
+ already a configuration file present in the previously created
+ container (via lxc-create).
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>
<option>-a, --arch <replaceable>arch</replaceable></option>
<replaceable>CGROUP|LSM</replaceable>. Allowed values are
<replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
<replaceable>LSM</replaceable> representing cgroup, capabilities and
- restriction privileges respectively.
+ restriction privileges respectively. (The pipe symbol needs to be escaped,
+ e.g. <replaceable>CGROUP\|LSM</replaceable> or quoted, e.g.
+ <replaceable>"CGROUP|LSM"</replaceable>.)
</para>
<para>
<emphasis>Warning:</emphasis> This may leak privileges into the
<replaceable>NETWORK</replaceable>. This allows one to change
the context of the process to e.g. the network namespace of the
container while retaining the other namespaces as those of the
- host.
+ host. (The pipe symbol needs to be escaped, e.g.
+ <replaceable>MOUNT\|PID</replaceable> or quoted, e.g.
+ <replaceable>"MOUNT|PID"</replaceable>.)
</para>
<para>
<emphasis>Important:</emphasis> This option implies
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-v, --set-var <replaceable>variable</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Set an additional environment variable that is seen by the
+ attached program in the container. It is specified in the
+ form of "VAR=VALUE", and can be specified multiple times.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>--keep-var <replaceable>variable</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Keep a specified environment variable. It can only be
+ specified in conjunction
+ with <replaceable>--clear-env</replaceable>, and can be
+ specified multiple times.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
network/pid namespace context of the attached process. In order
not to interfere with the host's actual filesystem, the mount
namespace will be unshared (like <command>lxc-unshare</command>
- does) before this is done, esentially giving the process a new
+ does) before this is done, essentially giving the process a new
mount namespace, which is identical to the hosts's mount namespace
except for the <replaceable>/proc</replaceable> and
<replaceable>/sys</replaceable> filesystems.
projects / mirror_lxc.git / blobdiff