[mirror_lxc.git] / README

Please see the COPYING file for details on copying and usage.
Please refer to the INSTALL file for instructions on how to build.

What is lxc:

  The container technology is actively being pushed into the mainstream linux
  kernel. It provides the resource management through the control groups  aka
  process containers and resource isolation through the namespaces.

  The  linux  containers, lxc, aims to use these new functionalities to pro-
  vide a userspace container object which provides full  resource  isolation
  and resource control for an application or a system.

  The first objective of this project is to make the life easier for the ker-
  nel developers involved in the containers project and  especially  to  con-
  tinue  working  on  the  Checkpoint/Restart  new features. The lxc is small
  enough to easily manage a container with simple command lines and  complete
  enough to be used for other purposes.

Using lxc:

  Refer the lxc* man pages (generated from doc/* files)

Downloading the current source code:

  Source for the latest released version can always be downloaded from
  http://linuxcontainers.org/downloads/

  You can browse the up to the minute source code and change history online.
  http://github.com/lxc/lxc

  For detailed build instruction refer to INSTALL and man lxc man page
  but a short command line should work:
  ./autogen.sh && ./configure && make && sudo make install
  preceded by ./autogen.sh if configure do not exist yet.

Troubleshooting:

  If you get an error message at the autogen.sh or configure stage, make
  sure you have, autoconf, automake, pkg-config, make and gcc installed on
  your machine.

  The configure script will usually give you hints as to what you are missing,
  looking for those in your package manager will usually give you the package
  that you need to install.

  Also pay a close attention to the feature summary showed at the end of
  the configure run, features are automatically enabled/disabled based on
  whether the needed development packages are installed on your machine.
  If you want a feature but don't know what to install, force it with
  --enable-<feature> and look at the error message from configure.

Getting help:

  when you find you need help, you can check out one of the two
  lxc mailing list archives and register if interested:
  http://lists.linuxcontainers.org/listinfo/lxc-devel
  http://lists.linuxcontainers.org/listinfo/lxc-users

Portability:

  lxc  is  still  in  development, so the command syntax and the API can
  change. The version 1.0.0 will be the frozen version.

  lxc is developed and tested on Linux since kernel mainline version 2.6.27
  (without network) and 2.6.29 with network isolation.
  It's compiled with gcc, and should work on most architectures as long as the
  required kernel features are available. This includes (but isn't limited to):
  i686, x86_64, ppc, ppc64, S390, armel and armhf.

AUTHOR
       Daniel Lezcano <daniel.lezcano@free.fr>

Seccomp with LXC
----------------

To restrict a container with seccomp, you must specify a profile which is
basically a whitelist of system calls it may execute.  In the container
config file, add a line like

lxc.seccomp = /var/lib/lxc/q1/seccomp.full

I created a usable (but basically worthless) seccomp.full file using

cat > seccomp.full << EOF
1
whitelist
EOF
for i in `seq 0 300`; do
    echo $i >> seccomp.full
done
for i in `seq 1024 1079`; do
    echo $i >> seccomp.full
done

 -- Serge Hallyn <serge.hallyn@ubuntu.com>  Fri, 27 Jul 2012 15:47:02 +0600
Commit	Line	Data
14a198d5 MN	1	Please see the COPYING file for details on copying and usage.
14a198d5 MN	2	Please refer to the INSTALL file for instructions on how to build.
7f989f01	3
14a198d5	4	What is lxc:
7f989f01	5
14a198d5 MN	6	The container technology is actively being pushed into the mainstream linux
	7	kernel. It provides the resource management through the control groups aka
	8	process containers and resource isolation through the namespaces.
7f989f01	9
e54d6cce	10	The linux containers, lxc, aims to use these new functionalities to pro-
70bb1a9c	11	vide a userspace container object which provides full resource isolation
ffe25ef8	12	and resource control for an application or a system.
7f989f01	13
14a198d5 MN	14	The first objective of this project is to make the life easier for the ker-
	15	nel developers involved in the containers project and especially to con-
	16	tinue working on the Checkpoint/Restart new features. The lxc is small
	17	enough to easily manage a container with simple command lines and complete
	18	enough to be used for other purposes.
7f989f01	19
14a198d5	20	Using lxc:
7f989f01	21
14a198d5	22	Refer the lxc* man pages (generated from doc/* files)
7f989f01	23
14a198d5	24	Downloading the current source code:
7f989f01	25
14a198d5	26	Source for the latest released version can always be downloaded from
07520b2a	27	http://linuxcontainers.org/downloads/
5e97c3fc	28
14a198d5	29	You can browse the up to the minute source code and change history online.
e1483a02 SG	30	http://github.com/lxc/lxc
e1483a02 SG	31
14a198d5 MN	32	For detailed build instruction refer to INSTALL and man lxc man page
14a198d5 MN	33	but a short command line should work:
113c39bf	34	./autogen.sh && ./configure && make && sudo make install
14a198d5	35	preceded by ./autogen.sh if configure do not exist yet.
7f989f01	36
c5427d7d AW	37	Troubleshooting:
c5427d7d AW	38
385e8e8c SG	39	If you get an error message at the autogen.sh or configure stage, make
	40	sure you have, autoconf, automake, pkg-config, make and gcc installed on
	41	your machine.
c5427d7d	42
c5427d7d AW	43	The configure script will usually give you hints as to what you are missing,
	44	looking for those in your package manager will usually give you the package
	45	that you need to install.
	46
385e8e8c SG	47	Also pay a close attention to the feature summary showed at the end of
	48	the configure run, features are automatically enabled/disabled based on
	49	whether the needed development packages are installed on your machine.
	50	If you want a feature but don't know what to install, force it with
	51	--enable-<feature> and look at the error message from configure.
	52
14a198d5	53	Getting help:
7f989f01	54
14a198d5 MN	55	when you find you need help, you can check out one of the two
14a198d5 MN	56	lxc mailing list archives and register if interested:
4ed0b622 SG	57	http://lists.linuxcontainers.org/listinfo/lxc-devel
4ed0b622 SG	58	http://lists.linuxcontainers.org/listinfo/lxc-users
7f989f01	59
14a198d5	60	Portability:
7f989f01	61
14a198d5 MN	62	lxc is still in development, so the command syntax and the API can
14a198d5 MN	63	change. The version 1.0.0 will be the frozen version.
7f989f01	64
14a198d5 MN	65	lxc is developed and tested on Linux since kernel mainline version 2.6.27
14a198d5 MN	66	(without network) and 2.6.29 with network isolation.
e1483a02 SG	67	It's compiled with gcc, and should work on most architectures as long as the
	68	required kernel features are available. This includes (but isn't limited to):
	69	i686, x86_64, ppc, ppc64, S390, armel and armhf.
5e97c3fc	70
7f989f01	71	AUTHOR
7f989f01	72	Daniel Lezcano <daniel.lezcano@free.fr>
8f2c3a70 SH	73
	74	Seccomp with LXC
	75	----------------
	76
	77	To restrict a container with seccomp, you must specify a profile which is
	78	basically a whitelist of system calls it may execute. In the container
	79	config file, add a line like
	80
	81	lxc.seccomp = /var/lib/lxc/q1/seccomp.full
	82
	83	I created a usable (but basically worthless) seccomp.full file using
	84
	85	cat > seccomp.full << EOF
	86	1
	87	whitelist
	88	EOF
	89	for i in `seq 0 300`; do
a02264fb	90	echo $i >> seccomp.full
8f2c3a70 SH	91	done
8f2c3a70 SH	92	for i in `seq 1024 1079`; do
14d9c0f0	93	echo $i >> seccomp.full
8f2c3a70 SH	94	done
	95
	96	-- Serge Hallyn <serge.hallyn@ubuntu.com> Fri, 27 Jul 2012 15:47:02 +0600