X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pct.conf.5-opts.adoc;h=1a88936fc7442e0423851ec283cfe1f8f563dc91;hb=c5aa7e14b592291fa456e0749fcea4b953704b73;hp=4024154ecaa1c51e0aefdfc2d4586ea52333074f;hpb=e2d681b3686090218b5217114ccdde49300c902c;p=pve-docs.git

diff --git a/pct.conf.5-opts.adoc b/pct.conf.5-opts.adoc
index 4024154..1a88936 100644
--- a/pct.conf.5-opts.adoc
+++ b/pct.conf.5-opts.adoc
@@ -30,10 +30,14 @@ NOTE: You can disable fair-scheduler configuration by setting this to 0.
 
 Container description. Only used on the configuration web interface.
 
-`features`: `[fuse=<1|0>] [,keyctl=<1|0>] [,mount=<fstype;fstype;...>] [,nesting=<1|0>]` ::
+`features`: `[force_rw_sys=<1|0>] [,fuse=<1|0>] [,keyctl=<1|0>] [,mknod=<1|0>] [,mount=<fstype;fstype;...>] [,nesting=<1|0>]` ::
 
 Allow containers access to advanced features.
 
+`force_rw_sys`=`<boolean>` ('default =' `0`);;
+
+Mount /sys in unprivileged containers as `rw` instead of `mixed`. This can break networking under newer (>= v245) systemd-network use.
+
 `fuse`=`<boolean>` ('default =' `0`);;
 
 Allow using 'fuse' file systems in a container. Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.
@@ -42,6 +46,10 @@ Allow using 'fuse' file systems in a container. Note that interactions between f
 
 For unprivileged containers only: Allow the use of the keyctl() system call. This is required to use docker inside a container. By default unprivileged containers will see this system call as non-existent. This is mostly a workaround for systemd-networkd, as it will treat it as a fatal error when some keyctl() operations are denied by the kernel due to lacking permissions. Essentially, you can choose between running systemd-networkd or docker.
 
+`mknod`=`<boolean>` ('default =' `0`);;
+
+Allow unprivileged containers to use mknod() to add certain device nodes. This requires a kernel with seccomp trap to user space support (5.3 or newer). This is experimental.
+
 `mount`=`<fstype;fstype;...>` ;;
 
 Allow mounting file systems of specific types. This should be a list of file system types as used with the mount command. Note that this can have negative effects on the container's security. With access to a loop device, mounting a file can circumvent the mknod permission of the devices cgroup, mounting an NFS file system can block the host's I/O completely and prevent it from rebooting, etc.
@@ -50,11 +58,15 @@ Allow mounting file systems of specific types. This should be a list of file sys
 
 Allow nesting. Best used with unprivileged containers with additional id mapping. Note that this will expose procfs and sysfs contents of the host to the guest.
 
+`hookscript`: `<string>` ::
+
+Script that will be exectued during various steps in the containers lifetime.
+
 `hostname`: `<string>` ::
 
 Set a host name for the container.
 
-`lock`: `<backup | disk | migrate | mounted | rollback | snapshot | snapshot-delete>` ::
+`lock`: `<backup | create | destroyed | disk | fstrim | migrate | mounted | rollback | snapshot | snapshot-delete>` ::
 
 Lock/unlock the VM.
 
@@ -62,7 +74,7 @@ Lock/unlock the VM.
 
 Amount of RAM for the VM in MB.
 
-`mp[n]`: `[volume=]<volume> ,mp=<Path> [,acl=<1|0>] [,backup=<1|0>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]` ::
+`mp[n]`: `[volume=]<volume> ,mp=<Path> [,acl=<1|0>] [,backup=<1|0>] [,mountoptions=<opt[;opt...]>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]` ::
 
 Use volume as container mount point.
 
@@ -74,6 +86,10 @@ Explicitly enable or disable ACL support.
 
 Whether to include the mount point in backups (only used for volume mount points).
 
+`mountoptions`=`<opt[;opt...]>` ;;
+
+Extra mount options for rootfs/mps.
+
 `mp`=`<Path>` ;;
 
 Path to the mount point as seen from inside the container.
@@ -132,7 +148,7 @@ Default gateway for IPv6 traffic.
 
 `hwaddr`=`<XX:XX:XX:XX:XX:XX>` ;;
 
-The interface MAC address. This is dynamically allocated by default, but you can set that statically if needed, for example to always have the same link-local IPv6 address. (lxc.network.hwaddr)
+A common MAC address with the I/G (Individual/Group) bit not set.
 
 `ip`=`<(IPv4/CIDR|dhcp|manual)>` ;;
 
@@ -178,7 +194,7 @@ OS type. This is used to setup configuration inside the container, and correspon
 
 Sets the protection flag of the container. This will prevent the CT or CT's disk remove/update operation.
 
-`rootfs`: `[volume=]<volume> [,acl=<1|0>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]` ::
+`rootfs`: `[volume=]<volume> [,acl=<1|0>] [,mountoptions=<opt[;opt...]>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]` ::
 
 Use volume as container root.
 
@@ -186,6 +202,10 @@ Use volume as container root.
 
 Explicitly enable or disable ACL support.
 
+`mountoptions`=`<opt[;opt...]>` ;;
+
+Extra mount options for rootfs/mps.
+
 `quota`=`<boolean>` ;;
 
 Enable user quotas inside the container (not supported with zfs subvolumes)
@@ -224,6 +244,10 @@ Startup and shutdown behavior. Order is a non-negative number defining the gener
 
 Amount of SWAP for the VM in MB.
 
+`tags`: `<string>` ::
+
+Tags of the Container. This is only meta information.
+
 `template`: `<boolean>` ('default =' `0`)::
 
 Enable/disable Template.
@@ -236,7 +260,11 @@ Specify the number of tty available to the container
 
 Makes the container run as unprivileged user. (Should not be modified manually.)
 
-`unused[n]`: `<string>` ::
+`unused[n]`: `[volume=]<volume>` ::
 
 Reference to unused volumes. This is used internally, and should not be modified manually.
 
+`volume`=`<volume>` ;;
+
+The volume that is not used currently.
+