Container description. Only used on the configuration web interface.
-`features`: `[fuse=<1|0>] [,keyctl=<1|0>] [,mount=<fstype;fstype;...>] [,nesting=<1|0>]` ::
+`features`: `[force_rw_sys=<1|0>] [,fuse=<1|0>] [,keyctl=<1|0>] [,mknod=<1|0>] [,mount=<fstype;fstype;...>] [,nesting=<1|0>]` ::
Allow containers access to advanced features.
+`force_rw_sys`=`<boolean>` ('default =' `0`);;
+
+Mount /sys in unprivileged containers as `rw` instead of `mixed`. This can break networking under newer (>= v245) systemd-network use.
+
`fuse`=`<boolean>` ('default =' `0`);;
Allow using 'fuse' file systems in a container. Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.
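Review bot: The last sentence of the new `force_rw_sys` description, "under newer (>= v245) systemd-network use", is hard to parse and names the daemon differently from the keyctl entry, which writes systemd-networkd. Suggest something like "This can break networking with newer (>= v245) versions of systemd-networkd." The entry also gives no reason to choose `rw` over `mixed`. One sentence on what the container gains from a writable /sys would let an admin weigh that against leaving the default in place.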
For unprivileged containers only: Allow the use of the keyctl() system call. This is required to use docker inside a container. By default unprivileged containers will see this system call as non-existent. This is mostly a workaround for systemd-networkd, as it will treat it as a fatal error when some keyctl() operations are denied by the kernel due to lacking permissions. Essentially, you can choose between running systemd-networkd or docker.
+`mknod`=`<boolean>` ('default =' `0`);;
+
+Allow unprivileged containers to use mknod() to add certain device nodes. This requires a kernel with seccomp trap to user space support (5.3 or newer). This is experimental.
+
`mount`=`<fstype;fstype;...>` ;;
Allow mounting file systems of specific types. This should be a list of file system types as used with the mount command. Note that this can have negative effects on the container's security. With access to a loop device, mounting a file can circumvent the mknod permission of the devices cgroup, mounting an NFS file system can block the host's I/O completely and prevent it from rebooting, etc.
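Review bot: The `mknod` description says "certain device nodes" without naming them or saying where the permitted set is defined, so a reader cannot judge what enabling the option exposes. The `mount` entry directly below already warns about circumventing "the mknod permission of the devices cgroup", so the new text should state how this option relates to that restriction. It would also help to say what happens on a kernel older than 5.3: whether the setting is ignored or the container fails to start.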
Set a host name for the container.
-`lock`: `<backup | create | disk | fstrim | migrate | mounted | rollback | snapshot | snapshot-delete>` ::
+`lock`: `<backup | create | destroyed | disk | fstrim | migrate | mounted | rollback | snapshot | snapshot-delete>` ::
Lock/unlock the VM.
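Review bot: `destroyed` is added to the `lock` enum, but the description remains "Lock/unlock the VM." and does not say what the new value means or when it is set. Unlike the neighbouring values it reads as a state rather than an operation, so a short explanation is needed here. While touching this entry, "VM" could become "container" to match the rest of the page.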
Amount of SWAP for the VM in MB.
+`tags`: `<string>` ::
+
+Tags of the Container. This is only meta information.
+
`template`: `<boolean>` ('default =' `0`)::
Enable/disable Template.
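Review bot: `tags` is typed as a bare `<string>` with no stated separator, permitted characters or length limit, so a reader cannot tell how to write more than one tag or what input is rejected. Please document the expected format next to "This is only meta information." Minor: "Tags of the Container" capitalises "Container" where other entries write "container".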
Makes the container run as unprivileged user. (Should not be modified manually.)
-`unused[n]`: `<string>` ::
+`unused[n]`: `[volume=]<volume>` ::
Reference to unused volumes. This is used internally, and should not be modified manually.
+`volume`=`<volume>` ;;
+
+The volume that is not used currently.
+