X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pct.adoc;h=ab529a9734435383843d6f2379a28288911d4fc6;hb=b3b9becbc4cf25de73d05a512d102aa3fdd19406;hp=b3659c4fcdd8b6f97d690fc21be302a18279f164;hpb=139a90198b15dde320ba74b18d3868044a49b348;p=pve-docs.git diff --git a/pct.adoc b/pct.adoc index b3659c4..ab529a9 100644 --- a/pct.adoc +++ b/pct.adoc @@ -102,32 +102,7 @@ virtualized VMs provide better isolation. The good news is that LXC uses many kernel security features like AppArmor, CGroups and PID and user namespaces, which makes containers -usage quite secure. We distinguish two types of containers: - - -Privileged Containers -~~~~~~~~~~~~~~~~~~~~~ - -Security is done by dropping capabilities, using mandatory access -control (AppArmor), SecComp filters and namespaces. The LXC team -considers this kind of container as unsafe, and they will not consider -new container escape exploits to be security issues worthy of a CVE -and quick fix. So you should use this kind of containers only inside a -trusted environment, or when no untrusted task is running as root in -the container. - - -Unprivileged Containers -~~~~~~~~~~~~~~~~~~~~~~~ - -This kind of containers use a new kernel feature called user -namespaces. The root UID 0 inside the container is mapped to an -unprivileged user outside the container. This means that most security -issues (container escape, resource abuse, ...) in those containers -will affect a random unprivileged user, and so would be a generic -kernel security bug rather than an LXC issue. The LXC team thinks -unprivileged containers are safe by design. - +usage quite secure. Guest Operating System Configuration ------------------------------------ @@ -345,10 +320,75 @@ ACLs allow you to set more detailed file ownership than the traditional user/ group/others model. +Backup of Containers mount points +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +By default additional mount points besides the RootDisk mount point are not +included in backups. You can reverse this default behavior by setting the +* Backup* option on a mount point. +// see PVE::VZDump::LXC::prepare() + +Replication of Containers mount points +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +By default additional mount points are replicated when the RootDisk +is replicated. If you want the {pve} storage replication mechanism to skip a + mount point when starting a replication job, you can set the +*Skip replication* option on that mount point. + +As of {pve} 5.0, replication requires a storage of type `zfspool`, so adding a + mount point to a different type of storage when the container has replication + configured requires to *Skip replication* for that mount point. + + [[pct_settings]] Container Settings ------------------ +[[pct_general]] +General Settings +~~~~~~~~~~~~~~~~ + +[thumbnail="gui-create-ct-general.png"] + +General settings of a container include + +* the *Node* : the physical server on which the container will run +* the *CT ID*: a unique number in this {pve} installation used to identify your container +* *Hostname*: the hostname of the container +* *Resource Pool*: a logical group of containers and VMs +* *Password*: the root password of the container +* *SSH Public Key*: a public key for connecting to the root account over SSH +* *Unprivileged container*: this option allows to choose at creation time +if you want to create a privileged or unprivileged container. + + +Privileged Containers +^^^^^^^^^^^^^^^^^^^^^ + +Security is done by dropping capabilities, using mandatory access +control (AppArmor), SecComp filters and namespaces. The LXC team +considers this kind of container as unsafe, and they will not consider +new container escape exploits to be security issues worthy of a CVE +and quick fix. So you should use this kind of containers only inside a +trusted environment, or when no untrusted task is running as root in +the container. + + +Unprivileged Containers +^^^^^^^^^^^^^^^^^^^^^^^ + +This kind of containers use a new kernel feature called user +namespaces. The root UID 0 inside the container is mapped to an +unprivileged user outside the container. This means that most security +issues (container escape, resource abuse, ...) in those containers +will affect a random unprivileged user, and so would be a generic +kernel security bug rather than an LXC issue. The LXC team thinks +unprivileged containers are safe by design. + +NOTE: If the container uses systemd as an init system, please be +aware the systemd version running inside the container should be equal +or greater than 220. + [[pct_cpu]] CPU ~~~ @@ -518,6 +558,10 @@ the following command: pct set -onboot 1 +.Start and Shutdown Order +// use the screenshot from qemu - its the same +[thumbnail="gui-qemu-edit-start-order.png"] + If you want to fine tune the boot order of your containers, you can use the following parameters : @@ -668,6 +712,26 @@ NOTE: If you have changed the container's configuration since the last start attempt with `pct start`, you need to run `pct start` at least once to also update the configuration used by `lxc-start`. +[[pct_migration]] +Migration +--------- + +If you have a cluster, you can migrate your Containers with + + pct migrate + +This works as long as your Container is offline. If it has local volumes or +mountpoints defined, the migration will copy the content over the network to +the target host if there is the same storage defined. + +If you want to migrate online Containers, the only way is to use +restart migration. This can be initiated with the -restart flag and the optional +-timeout parameter. + +A restart migration will shut down the Container and kill it after the specified +timeout (the default is 180 seconds). Then it will migrate the Container +like an offline migration and when finished, it starts the Container on the +target node. [[pct_configuration]] Configuration