[mirror_lxc.git] / doc / lxc-attach.sgml.in

<!--

lxc: linux Container library

(C) Copyright IBM Corp. 2007, 2008

Authors:
Daniel Lezcano <daniel.lezcano at free.fr>

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

-->


<!DOCTYPE refentry PUBLIC @docdtd@ [

<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
]>

<refentry>

  <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>

  <refmeta>
    <refentrytitle>lxc-attach</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>lxc-attach</refname>

    <refpurpose>
      start a process inside a running container.
    </refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>lxc-attach</command>
      <arg choice="req">-n, --name <replaceable>name</replaceable></arg>
      <arg choice="opt">-f, --rcfile <replaceable>config_file</replaceable></arg>
      <arg choice="opt">-a, --arch <replaceable>arch</replaceable></arg>
      <arg choice="opt">-e, --elevated-privileges <replaceable>privileges</replaceable></arg>
      <arg choice="opt">-s, --namespaces <replaceable>namespaces</replaceable></arg>
      <arg choice="opt">-R, --remount-sys-proc</arg>
      <arg choice="opt">--keep-env</arg>
      <arg choice="opt">--clear-env</arg>
      <arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>
      <arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>
      <arg choice="opt">-u, --uid <replaceable>uid</replaceable></arg>
      <arg choice="opt">-g, --gid <replaceable>gid</replaceable></arg>
      <arg choice="opt">-- <replaceable>command</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>
      <command>lxc-attach</command> runs the specified
      <replaceable>command</replaceable> inside the container
      specified by <replaceable>name</replaceable>. The container
      has to be running already.
    </para>
    <para>
      If no <replaceable>command</replaceable> is specified, the
      current default shell of the user running
      <command>lxc-attach</command> will be looked up inside the
      container and executed. This will fail if no such user exists
      inside the container or the container does not have a working
      nsswitch mechanism.
    </para>
    <para>
    Previous versions of <command>lxc-attach</command> simply attached to the
    specified namespaces of a container and ran a shell or the specified command
    without first allocating a pseudo terminal. This made them vulnerable to
    input faking via a TIOCSTI <command>ioctl</command> call after switching
    between userspace execution contexts with different privilege levels. Newer
    versions of <command>lxc-attach</command> will try to allocate a pseudo
    terminal file descriptor pair on the host and attach any standard file
    descriptors which refer to a terminal to the container side of the pseudo
    terminal before executing a shell or command. Note, that if none of the
    standard file descriptors refer to a terminal <command>lxc-attach</command>
    will not try to allocate a pseudo terminal. Instead it will simply attach
    to the containers namespaces and run a shell or the specified command.
    </para>

  </refsect1>

  <refsect1>

    <title>Options</title>

    <variablelist>

      <varlistentry>
	<term>
	  <option>-f, --rcfile <replaceable>config_file</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the configuration file to configure the virtualization
	    and isolation functionalities for the container.
	  </para>
	  <para>
	   This configuration file if present will be used even if there is
	   already a configuration file present in the previously created
	   container (via lxc-create).
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-a, --arch <replaceable>arch</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the architecture which the kernel should appear to be
	    running as to the command executed. This option will accept the
	    same settings as the <option>lxc.arch</option> option in
	    container configuration files, see
	    <citerefentry>
	      <refentrytitle><filename>lxc.conf</filename></refentrytitle>
	      <manvolnum>5</manvolnum>
	    </citerefentry>. By default, the current architecture of the
	    running container will be used.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>
      -e, --elevated-privileges <replaceable>privileges</replaceable>
    </option>
	</term>
	<listitem>
	  <para>
	    Do not drop privileges when running
	    <replaceable>command</replaceable> inside the container. If
	    this option is specified, the new process will
	    <emphasis>not</emphasis> be added to the container's cgroup(s)
	    and it will not drop its capabilities before executing.
	  </para>
    <para>
      You may specify privileges, in case you do not want to elevate all of
      them, as a pipe-separated list, e.g.
      <replaceable>CGROUP|LSM</replaceable>. Allowed values are
      <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
      <replaceable>LSM</replaceable> representing cgroup, capabilities and
      restriction privileges respectively. (The pipe symbol needs to be escaped,
      e.g. <replaceable>CGROUP\|LSM</replaceable> or quoted, e.g.
      <replaceable>"CGROUP|LSM"</replaceable>.)
    </para>
	  <para>
	    <emphasis>Warning:</emphasis> This may leak privileges into the
	    container if the command starts subprocesses that remain active
	    after the main process that was attached is terminated. The
	    (re-)starting of daemons inside the container is problematic,
	    especially if the daemon starts a lot of subprocesses such as
	    <command>cron</command> or <command>sshd</command>.
	    <emphasis>Use with great care.</emphasis>
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Specify the namespaces to attach to, as a pipe-separated list,
	    e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
	    <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
	    <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
	    <replaceable>USER </replaceable> and
	    <replaceable>NETWORK</replaceable>. This allows one to change
	    the context of the process to e.g. the network namespace of the
	    container while retaining the other namespaces as those of the
            host. (The pipe symbol needs to be escaped, e.g.
            <replaceable>MOUNT\|PID</replaceable> or quoted, e.g.
            <replaceable>"MOUNT|PID"</replaceable>.)
	  </para>
	  <para>
	    <emphasis>Important:</emphasis> This option implies
	    <option>-e</option>.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-R, --remount-sys-proc</option>
	</term>
	<listitem>
	  <para>
	    When using <option>-s</option> and the mount namespace is not
	    included, this flag will cause <command>lxc-attach</command>
	    to remount <replaceable>/proc</replaceable> and
	    <replaceable>/sys</replaceable> to reflect the current other
	    namespace contexts.
	  </para>
	  <para>
	    Please see the <emphasis>Notes</emphasis> section for more
	    details.
	  </para>
	  <para>
	    This option will be ignored if one tries to attach to the
	    mount namespace anyway.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--keep-env</option>
	</term>
	<listitem>
	  <para>
	    Keep the current environment for attached programs. This is
	    the current default behaviour (as of version 0.9), but is
	    is likely to change in the future, since this may leak
	    undesirable information into the container. If you rely on
	    the environment being available for the attached program,
	    please use this option to be future-proof. In addition to
	    current environment variables, container=lxc will be set.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--clear-env</option>
	</term>
	<listitem>
	  <para>
	    Clear the environment before attaching, so no undesired
	    environment variables leak into the container. The variable
	    container=lxc will be the only environment with which the
	    attached program starts.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>-v, --set-var <replaceable>variable</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Set an additional environment variable that is seen by the
	    attached program in the container. It is specified in the
	    form of "VAR=VALUE", and can be specified multiple times.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--keep-var <replaceable>variable</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Keep a specified environment variable. It can only be
	    specified in conjunction
	    with <replaceable>--clear-env</replaceable>, and can be
	    specified multiple times.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--u, --uid <replaceable>uid</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Executes the <replaceable>command</replaceable> with user ID
	    <replaceable>uid</replaceable> inside the container.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>
	  <option>--g, --gid <replaceable>gid</replaceable></option>
	</term>
	<listitem>
	  <para>
	    Executes the <replaceable>command</replaceable> with group ID
	    <replaceable>gid</replaceable> inside the container.
	  </para>
	</listitem>
      </varlistentry>

     </variablelist>

  </refsect1>

  &commonoptions;

  <refsect1>
    <title>Examples</title>
      <para>
        To spawn a new shell running inside an existing container, use
        <programlisting>
          lxc-attach -n container
        </programlisting>
      </para>
      <para>
        To restart the cron service of a running Debian container, use
        <programlisting>
          lxc-attach -n container -- /etc/init.d/cron restart
        </programlisting>
      </para>
      <para>
        To deactivate the network link eth1 of a running container that
        does not have the NET_ADMIN capability, use either the
        <option>-e</option> option to use increased capabilities,
        assuming the <command>ip</command> tool is installed:
        <programlisting>
          lxc-attach -n container -e -- /sbin/ip link delete eth1
        </programlisting>
        Or, alternatively, use the <option>-s</option> to use the
        tools installed on the host outside the container:
        <programlisting>
          lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
        </programlisting>
      </para>
  </refsect1>

  <refsect1>
    <title>Compatibility</title>
    <para>
      Attaching completely (including the pid and mount namespaces) to a
      container requires a kernel of version 3.8 or higher, or a
      patched kernel, please see the lxc website for
      details. <command>lxc-attach</command> will fail in that case if
      used with an unpatched kernel of version 3.7 and prior.
    </para>
    <para>
      Nevertheless, it will succeed on an unpatched kernel of version 3.0
      or higher if the <option>-s</option> option is used to restrict the
      namespaces that the process is to be attached to to one or more of
      <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
      and <replaceable>UTSNAME</replaceable>.
    </para>
    <para>
      Attaching to user namespaces is supported by kernel 3.8 or higher
      with enabling user namespace.
    </para>
  </refsect1>

  <refsect1>
    <title>Notes</title>
    <para>
      The Linux <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> filesystems contain information
      about some quantities that are affected by namespaces, such as
      the directories named after process ids in
      <replaceable>/proc</replaceable> or the network interface information
      in <replaceable>/sys/class/net</replaceable>. The namespace of the
      process mounting the pseudo-filesystems determines what information
      is shown, <emphasis>not</emphasis> the namespace of the process
      accessing <replaceable>/proc</replaceable> or
      <replaceable>/sys</replaceable>.
    </para>
    <para>
      If one uses the <option>-s</option> option to only attach to
      the pid namespace of a container, but not its mount namespace
      (which will contain the <replaceable>/proc</replaceable> of the
      container and not the host), the contents of <option>/proc</option>
      will reflect that of the host and not the container. Analogously,
      the same issue occurs when reading the contents of
      <replaceable>/sys/class/net</replaceable> and attaching to just
      the network namespace.
    </para>
    <para>
      To work around this problem, the <option>-R</option> flag provides
      the option to remount <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> in order for them to reflect the
      network/pid namespace context of the attached process. In order
      not to interfere with the host's actual filesystem, the mount
      namespace will be unshared (like <command>lxc-unshare</command>
      does) before this is done, essentially giving the process a new
      mount namespace, which is identical to the hosts's mount namespace
      except for the <replaceable>/proc</replaceable> and
      <replaceable>/sys</replaceable> filesystems.
    </para>
    <para>
      Previous versions of <command>lxc-attach</command> suffered a bug whereby
      a user could attach to a containers namespace without being placed in a
      writeable cgroup for some critical subsystems. Newer versions of
      <command>lxc-attach</command> will check whether a user is in a writeable
      cgroup for those critical subsystems. <command>lxc-attach</command> might
      thus fail unexpectedly for some users (E.g. on systems where an
      unprivileged user is not placed in a writeable cgroup in critical
      subsystems on login.). However, this behavior is correct and more secure.
    </para>
  </refsect1>

  <refsect1>
    <title>Security</title>
    <para>
      The <option>-e</option> and <option>-s</option> options should
      be used with care, as it may break the isolation of the containers
      if used improperly.
    </para>
  </refsect1>

  &seealso;

  <refsect1>
    <title>Author</title>
    <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
  </refsect1>

</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->
Commit	Line	Data
49ee6cdc CS	1	<!--
	2
	3	lxc: linux Container library
	4
	5	(C) Copyright IBM Corp. 2007, 2008
	6
	7	Authors:
9afe19d6	8	Daniel Lezcano <daniel.lezcano at free.fr>
49ee6cdc CS	9
	10	This library is free software; you can redistribute it and/or
	11	modify it under the terms of the GNU Lesser General Public
	12	License as published by the Free Software Foundation; either
	13	version 2.1 of the License, or (at your option) any later version.
	14
	15	This library is distributed in the hope that it will be useful,
	16	but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	Lesser General Public License for more details.
	19
	20	You should have received a copy of the GNU Lesser General Public
	21	License along with this library; if not, write to the Free Software
250b1eec	22	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
49ee6cdc CS	23
	24	-->
	25
4d69b293	26
7f951458	27	<!DOCTYPE refentry PUBLIC @docdtd@ [
49ee6cdc CS	28
	29	<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
	30	<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
	31	]>
	32
	33	<refentry>
	34
	35	<docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
	36
	37	<refmeta>
	38	<refentrytitle>lxc-attach</refentrytitle>
	39	<manvolnum>1</manvolnum>
	40	</refmeta>
	41
	42	<refnamediv>
	43	<refname>lxc-attach</refname>
	44
	45	<refpurpose>
	46	start a process inside a running container.
	47	</refpurpose>
	48	</refnamediv>
	49
	50	<refsynopsisdiv>
b4578c5b DE	51	<cmdsynopsis>
b4578c5b DE	52	<command>lxc-attach</command>
03b03982 KY	53	<arg choice="req">-n, --name <replaceable>name</replaceable></arg>
	54	<arg choice="opt">-f, --rcfile <replaceable>config_file</replaceable></arg>
	55	<arg choice="opt">-a, --arch <replaceable>arch</replaceable></arg>
	56	<arg choice="opt">-e, --elevated-privileges <replaceable>privileges</replaceable></arg>
	57	<arg choice="opt">-s, --namespaces <replaceable>namespaces</replaceable></arg>
	58	<arg choice="opt">-R, --remount-sys-proc</arg>
799f96fd CS	59	<arg choice="opt">--keep-env</arg>
799f96fd CS	60	<arg choice="opt">--clear-env</arg>
03b03982 KY	61	<arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>
03b03982 KY	62	<arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>
ddd51fdb CB	63	<arg choice="opt">-u, --uid <replaceable>uid</replaceable></arg>
ddd51fdb CB	64	<arg choice="opt">-g, --gid <replaceable>gid</replaceable></arg>
b4578c5b DE	65	<arg choice="opt">-- <replaceable>command</replaceable></arg>
b4578c5b DE	66	</cmdsynopsis>
49ee6cdc CS	67	</refsynopsisdiv>
	68
	69	<refsect1>
	70	<title>Description</title>
	71
	72	<para>
	73	<command>lxc-attach</command> runs the specified
	74	<replaceable>command</replaceable> inside the container
	75	specified by <replaceable>name</replaceable>. The container
	76	has to be running already.
	77	</para>
	78	<para>
	79	If no <replaceable>command</replaceable> is specified, the
	80	current default shell of the user running
	81	<command>lxc-attach</command> will be looked up inside the
	82	container and executed. This will fail if no such user exists
	83	inside the container or the container does not have a working
	84	nsswitch mechanism.
	85	</para>
e986ea3d CB	86	<para>
e986ea3d CB	87	Previous versions of <command>lxc-attach</command> simply attached to the
478dda76 CB	88	specified namespaces of a container and ran a shell or the specified command
478dda76 CB	89	without first allocating a pseudo terminal. This made them vulnerable to
e986ea3d	90	input faking via a TIOCSTI <command>ioctl</command> call after switching
02e5d92b	91	between userspace execution contexts with different privilege levels. Newer
e986ea3d	92	versions of <command>lxc-attach</command> will try to allocate a pseudo
08401048 CB	93	terminal file descriptor pair on the host and attach any standard file
08401048 CB	94	descriptors which refer to a terminal to the container side of the pseudo
478dda76 CB	95	terminal before executing a shell or command. Note, that if none of the
	96	standard file descriptors refer to a terminal <command>lxc-attach</command>
	97	will not try to allocate a pseudo terminal. Instead it will simply attach
	98	to the containers namespaces and run a shell or the specified command.
e986ea3d	99	</para>
49ee6cdc CS	100
	101	</refsect1>
	102
	103	<refsect1>
	104
	105	<title>Options</title>
	106
	107	<variablelist>
	108
03b03982 KY	109	<varlistentry>
	110	<term>
	111	<option>-f, --rcfile <replaceable>config_file</replaceable></option>
	112	</term>
	113	<listitem>
	114	<para>
	115	Specify the configuration file to configure the virtualization
	116	and isolation functionalities for the container.
	117	</para>
	118	<para>
	119	This configuration file if present will be used even if there is
	120	already a configuration file present in the previously created
	121	container (via lxc-create).
	122	</para>
	123	</listitem>
	124	</varlistentry>
	125
49ee6cdc CS	126	<varlistentry>
	127	<term>
	128	<option>-a, --arch <replaceable>arch</replaceable></option>
	129	</term>
	130	<listitem>
	131	<para>
	132	Specify the architecture which the kernel should appear to be
	133	running as to the command executed. This option will accept the
	134	same settings as the <option>lxc.arch</option> option in
	135	container configuration files, see
	136	<citerefentry>
	137	<refentrytitle><filename>lxc.conf</filename></refentrytitle>
	138	<manvolnum>5</manvolnum>
a1e0e6df	139	</citerefentry>. By default, the current architecture of the
49ee6cdc CS	140	running container will be used.
	141	</para>
	142	</listitem>
	143	</varlistentry>
	144
	145	<varlistentry>
	146	<term>
4d69b293 NK	147	<option>
	148	-e, --elevated-privileges <replaceable>privileges</replaceable>
	149	</option>
49ee6cdc CS	150	</term>
	151	<listitem>
	152	<para>
	153	Do not drop privileges when running
	154	<replaceable>command</replaceable> inside the container. If
	155	this option is specified, the new process will
	156	<emphasis>not</emphasis> be added to the container's cgroup(s)
	157	and it will not drop its capabilities before executing.
	158	</para>
4d69b293 NK	159	<para>
	160	You may specify privileges, in case you do not want to elevate all of
	161	them, as a pipe-separated list, e.g.
	162	<replaceable>CGROUP\|LSM</replaceable>. Allowed values are
	163	<replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
	164	<replaceable>LSM</replaceable> representing cgroup, capabilities and
759d521b CB	165	restriction privileges respectively. (The pipe symbol needs to be escaped,
	166	e.g. <replaceable>CGROUP\\|LSM</replaceable> or quoted, e.g.
	167	<replaceable>"CGROUP\|LSM"</replaceable>.)
4d69b293	168	</para>
49ee6cdc CS	169	<para>
	170	<emphasis>Warning:</emphasis> This may leak privileges into the
	171	container if the command starts subprocesses that remain active
	172	after the main process that was attached is terminated. The
	173	(re-)starting of daemons inside the container is problematic,
	174	especially if the daemon starts a lot of subprocesses such as
	175	<command>cron</command> or <command>sshd</command>.
	176	<emphasis>Use with great care.</emphasis>
	177	</para>
	178	</listitem>
	179	</varlistentry>
	180
e13eeea2 CS	181	<varlistentry>
	182	<term>
	183	<option>-s, --namespaces <replaceable>namespaces</replaceable></option>
	184	</term>
	185	<listitem>
	186	<para>
037ba55c	187	Specify the namespaces to attach to, as a pipe-separated list,
e13eeea2 CS	188	e.g. <replaceable>NETWORK\|IPC</replaceable>. Allowed values are
	189	<replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
	190	<replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
	191	<replaceable>USER </replaceable> and
	192	<replaceable>NETWORK</replaceable>. This allows one to change
	193	the context of the process to e.g. the network namespace of the
	194	container while retaining the other namespaces as those of the
759d521b CB	195	host. (The pipe symbol needs to be escaped, e.g.
	196	<replaceable>MOUNT\\|PID</replaceable> or quoted, e.g.
	197	<replaceable>"MOUNT\|PID"</replaceable>.)
e13eeea2 CS	198	</para>
	199	<para>
	200	<emphasis>Important:</emphasis> This option implies
	201	<option>-e</option>.
	202	</para>
	203	</listitem>
	204	</varlistentry>
	205
7a0b0b56 CS	206	<varlistentry>
	207	<term>
	208	<option>-R, --remount-sys-proc</option>
	209	</term>
	210	<listitem>
	211	<para>
	212	When using <option>-s</option> and the mount namespace is not
	213	included, this flag will cause <command>lxc-attach</command>
	214	to remount <replaceable>/proc</replaceable> and
	215	<replaceable>/sys</replaceable> to reflect the current other
	216	namespace contexts.
	217	</para>
	218	<para>
	219	Please see the <emphasis>Notes</emphasis> section for more
	220	details.
	221	</para>
	222	<para>
	223	This option will be ignored if one tries to attach to the
	224	mount namespace anyway.
	225	</para>
	226	</listitem>
	227	</varlistentry>
	228
799f96fd CS	229	<varlistentry>
	230	<term>
	231	<option>--keep-env</option>
	232	</term>
	233	<listitem>
	234	<para>
	235	Keep the current environment for attached programs. This is
	236	the current default behaviour (as of version 0.9), but is
	237	is likely to change in the future, since this may leak
	238	undesirable information into the container. If you rely on
	239	the environment being available for the attached program,
	240	please use this option to be future-proof. In addition to
	241	current environment variables, container=lxc will be set.
	242	</para>
	243	</listitem>
	244	</varlistentry>
	245
	246	<varlistentry>
	247	<term>
	248	<option>--clear-env</option>
	249	</term>
	250	<listitem>
	251	<para>
	252	Clear the environment before attaching, so no undesired
	253	environment variables leak into the container. The variable
	254	container=lxc will be the only environment with which the
	255	attached program starts.
	256	</para>
	257	</listitem>
	258	</varlistentry>
	259
03b03982 KY	260	<varlistentry>
	261	<term>
	262	<option>-v, --set-var <replaceable>variable</replaceable></option>
	263	</term>
	264	<listitem>
	265	<para>
	266	Set an additional environment variable that is seen by the
	267	attached program in the container. It is specified in the
	268	form of "VAR=VALUE", and can be specified multiple times.
	269	</para>
	270	</listitem>
	271	</varlistentry>
	272
	273	<varlistentry>
	274	<term>
	275	<option>--keep-var <replaceable>variable</replaceable></option>
	276	</term>
	277	<listitem>
	278	<para>
	279	Keep a specified environment variable. It can only be
	280	specified in conjunction
	281	with <replaceable>--clear-env</replaceable>, and can be
	282	specified multiple times.
	283	</para>
	284	</listitem>
	285	</varlistentry>
	286
ddd51fdb CB	287	<varlistentry>
	288	<term>
	289	<option>--u, --uid <replaceable>uid</replaceable></option>
	290	</term>
	291	<listitem>
	292	<para>
	293	Executes the <replaceable>command</replaceable> with user ID
ec4f666f	294	<replaceable>uid</replaceable> inside the container.
ddd51fdb CB	295	</para>
	296	</listitem>
	297	</varlistentry>
	298
	299	<varlistentry>
	300	<term>
	301	<option>--g, --gid <replaceable>gid</replaceable></option>
	302	</term>
	303	<listitem>
	304	<para>
	305	Executes the <replaceable>command</replaceable> with group ID
ec4f666f	306	<replaceable>gid</replaceable> inside the container.
ddd51fdb CB	307	</para>
	308	</listitem>
	309	</varlistentry>
	310
7a0b0b56	311	</variablelist>
49ee6cdc CS	312
	313	</refsect1>
	314
	315	&commonoptions;
	316
	317	<refsect1>
	318	<title>Examples</title>
	319	<para>
	320	To spawn a new shell running inside an existing container, use
	321	<programlisting>
	322	lxc-attach -n container
	323	</programlisting>
	324	</para>
	325	<para>
	326	To restart the cron service of a running Debian container, use
	327	<programlisting>
	328	lxc-attach -n container -- /etc/init.d/cron restart
	329	</programlisting>
	330	</para>
	331	<para>
	332	To deactivate the network link eth1 of a running container that
e13eeea2 CS	333	does not have the NET_ADMIN capability, use either the
	334	<option>-e</option> option to use increased capabilities,
	335	assuming the <command>ip</command> tool is installed:
49ee6cdc CS	336	<programlisting>
	337	lxc-attach -n container -e -- /sbin/ip link delete eth1
	338	</programlisting>
e13eeea2 CS	339	Or, alternatively, use the <option>-s</option> to use the
	340	tools installed on the host outside the container:
	341	<programlisting>
	342	lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
	343	</programlisting>
49ee6cdc	344	</para>
49ee6cdc CS	345	</refsect1>
49ee6cdc CS	346
e13eeea2 CS	347	<refsect1>
	348	<title>Compatibility</title>
	349	<para>
	350	Attaching completely (including the pid and mount namespaces) to a
a600d021 KY	351	container requires a kernel of version 3.8 or higher, or a
a600d021 KY	352	patched kernel, please see the lxc website for
e13eeea2	353	details. <command>lxc-attach</command> will fail in that case if
a600d021	354	used with an unpatched kernel of version 3.7 and prior.
e13eeea2 CS	355	</para>
	356	<para>
	357	Nevertheless, it will succeed on an unpatched kernel of version 3.0
	358	or higher if the <option>-s</option> option is used to restrict the
aa8d013e	359	namespaces that the process is to be attached to to one or more of
e13eeea2 CS	360	<replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
	361	and <replaceable>UTSNAME</replaceable>.
	362	</para>
	363	<para>
a600d021 KY	364	Attaching to user namespaces is supported by kernel 3.8 or higher
a600d021 KY	365	with enabling user namespace.
e13eeea2 CS	366	</para>
	367	</refsect1>
	368
	369	<refsect1>
	370	<title>Notes</title>
	371	<para>
	372	The Linux <replaceable>/proc</replaceable> and
	373	<replaceable>/sys</replaceable> filesystems contain information
	374	about some quantities that are affected by namespaces, such as
	375	the directories named after process ids in
36b33520	376	<replaceable>/proc</replaceable> or the network interface information
e13eeea2 CS	377	in <replaceable>/sys/class/net</replaceable>. The namespace of the
	378	process mounting the pseudo-filesystems determines what information
	379	is shown, <emphasis>not</emphasis> the namespace of the process
	380	accessing <replaceable>/proc</replaceable> or
	381	<replaceable>/sys</replaceable>.
	382	</para>
	383	<para>
	384	If one uses the <option>-s</option> option to only attach to
	385	the pid namespace of a container, but not its mount namespace
	386	(which will contain the <replaceable>/proc</replaceable> of the
	387	container and not the host), the contents of <option>/proc</option>
	388	will reflect that of the host and not the container. Analogously,
	389	the same issue occurs when reading the contents of
	390	<replaceable>/sys/class/net</replaceable> and attaching to just
	391	the network namespace.
	392	</para>
	393	<para>
7a0b0b56 CS	394	To work around this problem, the <option>-R</option> flag provides
	395	the option to remount <replaceable>/proc</replaceable> and
	396	<replaceable>/sys</replaceable> in order for them to reflect the
	397	network/pid namespace context of the attached process. In order
	398	not to interfere with the host's actual filesystem, the mount
	399	namespace will be unshared (like <command>lxc-unshare</command>
e9555a6b	400	does) before this is done, essentially giving the process a new
7a0b0b56 CS	401	mount namespace, which is identical to the hosts's mount namespace
	402	except for the <replaceable>/proc</replaceable> and
	403	<replaceable>/sys</replaceable> filesystems.
e13eeea2	404	</para>
e986ea3d CB	405	<para>
	406	Previous versions of <command>lxc-attach</command> suffered a bug whereby
	407	a user could attach to a containers namespace without being placed in a
	408	writeable cgroup for some critical subsystems. Newer versions of
	409	<command>lxc-attach</command> will check whether a user is in a writeable
	410	cgroup for those critical subsystems. <command>lxc-attach</command> might
	411	thus fail unexpectedly for some users (E.g. on systems where an
	412	unprivileged user is not placed in a writeable cgroup in critical
	413	subsystems on login.). However, this behavior is correct and more secure.
	414	</para>
e13eeea2 CS	415	</refsect1>
e13eeea2 CS	416
49ee6cdc CS	417	<refsect1>
	418	<title>Security</title>
	419	<para>
e13eeea2 CS	420	The <option>-e</option> and <option>-s</option> options should
	421	be used with care, as it may break the isolation of the containers
	422	if used improperly.
49ee6cdc CS	423	</para>
	424	</refsect1>
	425
	426	&seealso;
	427
	428	<refsect1>
	429	<title>Author</title>
	430	<para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
	431	</refsect1>
	432
	433	</refentry>
	434
	435	<!-- Keep this comment at the end of the file
	436	Local variables:
	437	mode: sgml
	438	sgml-omittag:t
	439	sgml-shorttag:t
	440	sgml-minimize-attributes:nil
	441	sgml-always-quote-attributes:t
	442	sgml-indent-step:2
	443	sgml-indent-data:t
	444	sgml-parent-document:nil
	445	sgml-default-dtd-file:nil
	446	sgml-exposed-tags:nil
	447	sgml-local-catalogs:nil
	448	sgml-local-ecat-files:nil
	449	End:
	450	-->