]>
Commit | Line | Data |
---|---|---|
55fc19a1 SG |
1 | <!-- |
2 | ||
3 | lxc: linux Container library | |
4 | ||
5 | (C) Copyright IBM Corp. 2007, 2008 | |
6 | ||
7 | Authors: | |
8 | Daniel Lezcano <daniel.lezcano at free.fr> | |
9 | ||
10 | This library is free software; you can redistribute it and/or | |
11 | modify it under the terms of the GNU Lesser General Public | |
12 | License as published by the Free Software Foundation; either | |
13 | version 2.1 of the License, or (at your option) any later version. | |
14 | ||
15 | This library is distributed in the hope that it will be useful, | |
16 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
19 | ||
20 | You should have received a copy of the GNU Lesser General Public | |
21 | License along with this library; if not, write to the Free Software | |
22 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
23 | ||
24 | --> | |
25 | ||
26 | <!DOCTYPE refentry PUBLIC @docdtd@ [ | |
27 | ||
28 | <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml"> | |
29 | ]> | |
30 | ||
31 | <refentry> | |
32 | ||
33 | <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo> | |
34 | ||
35 | <refmeta> | |
36 | <refentrytitle>lxc.container.conf</refentrytitle> | |
37 | <manvolnum>5</manvolnum> | |
38 | </refmeta> | |
39 | ||
40 | <refnamediv> | |
41 | <refname>lxc.container.conf</refname> | |
42 | ||
43 | <refpurpose> | |
44 | LXC container configuration file | |
45 | </refpurpose> | |
46 | </refnamediv> | |
47 | ||
48 | <refsect1> | |
49 | <title>Description</title> | |
50 | ||
51 | <para> | |
b9986e43 CB |
52 | LXC is the well-known and heavily tested low-level Linux container |
53 | runtime. It is in active development since 2008 and has proven itself in | |
54 | critical production environments world-wide. Some of its core contributors | |
55 | are the same people that helped to implement various well-known | |
56 | containerization features inside the Linux kernel. | |
55fc19a1 SG |
57 | </para> |
58 | ||
59 | <para> | |
b9986e43 CB |
60 | LXC's main focus is system containers. That is, containers which offer an |
61 | environment as close as possible as the one you'd get from a VM but | |
62 | without the overhead that comes with running a separate kernel and | |
63 | simulating all the hardware. | |
55fc19a1 SG |
64 | </para> |
65 | ||
66 | <para> | |
b9986e43 CB |
67 | This is achieved through a combination of kernel security features such as |
68 | namespaces, mandatory access control and control groups. | |
69 | </para> | |
70 | ||
71 | <para> | |
72 | LXC has supports unprivileged containers. Unprivileged containers are | |
73 | containers that are run without any privilege. This requires support for | |
74 | user namespaces in the kernel that the container is run on. LXC was the | |
75 | first runtime to support unprivileged containers after user namespaces | |
76 | were merged into the mainline kernel. | |
77 | </para> | |
78 | ||
79 | <para> | |
80 | In essence, user namespaces isolate given sets of UIDs and GIDs. This is | |
81 | achieved by establishing a mapping between a range of UIDs and GIDs on the | |
82 | host to a different (unprivileged) range of UIDs and GIDs in the | |
83 | container. The kernel will translate this mapping in such a way that | |
84 | inside the container all UIDs and GIDs appear as you would expect from the | |
85 | host whereas on the host these UIDs and GIDs are in fact unprivileged. For | |
86 | example, a process running as UID and GID 0 inside the container might | |
87 | appear as UID and GID 100000 on the host. The implementation and working | |
88 | details can be gathered from the corresponding user namespace man page. | |
bdcbb6b3 | 89 | UID and GID mappings can be defined with the <option>lxc.idmap</option> |
b9986e43 CB |
90 | key. |
91 | </para> | |
92 | ||
93 | <para> | |
94 | Linux containers are defined with a simple configuration file. Each | |
95 | option in the configuration file has the form <command>key = | |
96 | value</command> fitting in one line. The "#" character means the line is a | |
97 | comment. List options, like capabilities and cgroups options, can be used | |
98 | with no value to clear any previously defined values of that option. | |
99 | </para> | |
100 | ||
101 | <para> | |
102 | LXC namespaces configuration keys by using single dots. This means complex | |
7fa3f2e9 | 103 | configuration keys such as <option>lxc.net.0</option> expose various |
104 | subkeys such as <option>lxc.net.0.type</option>, | |
2e44ae28 | 105 | <option>lxc.net.0.link</option>, <option>lxc.net.0.ipv6.address</option>, and |
b9986e43 | 106 | others for even more fine-grained configuration. |
55fc19a1 SG |
107 | </para> |
108 | ||
109 | <refsect2> | |
110 | <title>Configuration</title> | |
111 | <para> | |
b9986e43 CB |
112 | In order to ease administration of multiple related containers, it is |
113 | possible to have a container configuration file cause another file to be | |
114 | loaded. For instance, network configuration can be defined in one common | |
115 | file which is included by multiple containers. Then, if the containers | |
116 | are moved to another host, only one file may need to be updated. | |
55fc19a1 SG |
117 | </para> |
118 | ||
119 | <variablelist> | |
c464fd7e SG |
120 | <varlistentry> |
121 | <term> | |
122 | <option>lxc.include</option> | |
123 | </term> | |
124 | <listitem> | |
125 | <para> | |
126 | Specify the file to be included. The included file must be | |
127 | in the same valid lxc configuration file format. | |
128 | </para> | |
129 | </listitem> | |
130 | </varlistentry> | |
55fc19a1 SG |
131 | </variablelist> |
132 | </refsect2> | |
133 | ||
134 | <refsect2> | |
135 | <title>Architecture</title> | |
136 | <para> | |
b9986e43 CB |
137 | Allows one to set the architecture for the container. For example, set a |
138 | 32bits architecture for a container running 32bits binaries on a 64bits | |
139 | host. This fixes the container scripts which rely on the architecture to | |
140 | do some work like downloading the packages. | |
55fc19a1 SG |
141 | </para> |
142 | ||
143 | <variablelist> | |
c464fd7e SG |
144 | <varlistentry> |
145 | <term> | |
146 | <option>lxc.arch</option> | |
147 | </term> | |
148 | <listitem> | |
149 | <para> | |
150 | Specify the architecture for the container. | |
151 | </para> | |
152 | <para> | |
b9986e43 | 153 | Some valid options are |
c464fd7e SG |
154 | <option>x86</option>, |
155 | <option>i686</option>, | |
156 | <option>x86_64</option>, | |
157 | <option>amd64</option> | |
158 | </para> | |
159 | </listitem> | |
160 | </varlistentry> | |
55fc19a1 SG |
161 | </variablelist> |
162 | ||
163 | </refsect2> | |
164 | ||
165 | <refsect2> | |
166 | <title>Hostname</title> | |
167 | <para> | |
b9986e43 CB |
168 | The utsname section defines the hostname to be set for the container. |
169 | That means the container can set its own hostname without changing the | |
170 | one from the system. That makes the hostname private for the container. | |
55fc19a1 SG |
171 | </para> |
172 | <variablelist> | |
c464fd7e SG |
173 | <varlistentry> |
174 | <term> | |
b67771bc | 175 | <option>lxc.uts.name</option> |
c464fd7e SG |
176 | </term> |
177 | <listitem> | |
178 | <para> | |
179 | specify the hostname for the container | |
180 | </para> | |
181 | </listitem> | |
182 | </varlistentry> | |
55fc19a1 SG |
183 | </variablelist> |
184 | </refsect2> | |
185 | ||
186 | <refsect2> | |
187 | <title>Halt signal</title> | |
188 | <para> | |
b9986e43 CB |
189 | Allows one to specify signal name or number sent to the container's |
190 | init process to cleanly shutdown the container. Different init systems | |
191 | could use different signals to perform clean shutdown sequence. This | |
192 | option allows the signal to be specified in kill(1) fashion, e.g. | |
193 | SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default signal is | |
194 | SIGPWR. | |
55fc19a1 SG |
195 | </para> |
196 | <variablelist> | |
936762f3 BP |
197 | <varlistentry> |
198 | <term> | |
55c84efc | 199 | <option>lxc.signal.halt</option> |
936762f3 BP |
200 | </term> |
201 | <listitem> | |
202 | <para> | |
203 | specify the signal used to halt the container | |
204 | </para> | |
205 | </listitem> | |
206 | </varlistentry> | |
207 | </variablelist> | |
208 | </refsect2> | |
209 | ||
210 | <refsect2> | |
211 | <title>Reboot signal</title> | |
212 | <para> | |
b9986e43 CB |
213 | Allows one to specify signal name or number to reboot the container. |
214 | This option allows signal to be specified in kill(1) fashion, e.g. | |
215 | SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default signal | |
216 | is SIGINT. | |
936762f3 BP |
217 | </para> |
218 | <variablelist> | |
219 | <varlistentry> | |
220 | <term> | |
55c84efc | 221 | <option>lxc.signal.reboot</option> |
936762f3 BP |
222 | </term> |
223 | <listitem> | |
224 | <para> | |
225 | specify the signal used to reboot the container | |
226 | </para> | |
227 | </listitem> | |
228 | </varlistentry> | |
55fc19a1 SG |
229 | </variablelist> |
230 | </refsect2> | |
231 | ||
232 | <refsect2> | |
233 | <title>Stop signal</title> | |
234 | <para> | |
b9986e43 CB |
235 | Allows one to specify signal name or number to forcibly shutdown the |
236 | container. This option allows signal to be specified in kill(1) fashion, | |
237 | e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default | |
238 | signal is SIGKILL. | |
936762f3 BP |
239 | </para> |
240 | <variablelist> | |
241 | <varlistentry> | |
242 | <term> | |
55c84efc | 243 | <option>lxc.signal.stop</option> |
936762f3 BP |
244 | </term> |
245 | <listitem> | |
246 | <para> | |
247 | specify the signal used to stop the container | |
248 | </para> | |
249 | </listitem> | |
250 | </varlistentry> | |
55fc19a1 SG |
251 | </variablelist> |
252 | </refsect2> | |
253 | ||
67c660d0 SG |
254 | <refsect2> |
255 | <title>Init command</title> | |
256 | <para> | |
257 | Sets the command to use as the init system for the containers. | |
67c660d0 | 258 | </para> |
5cda27c1 SH |
259 | <variablelist> |
260 | <varlistentry> | |
261 | <term> | |
262 | <option>lxc.execute.cmd</option> | |
263 | </term> | |
264 | <listitem> | |
265 | <para> | |
266 | Absolute path from container rootfs to the binary to run by default. This | |
fcd95ae9 | 267 | mostly makes sense for <command>lxc-execute</command>. |
5cda27c1 SH |
268 | </para> |
269 | </listitem> | |
270 | </varlistentry> | |
271 | </variablelist> | |
67c660d0 | 272 | <variablelist> |
936762f3 BP |
273 | <varlistentry> |
274 | <term> | |
9dcf7b4d | 275 | <option>lxc.init.cmd</option> |
936762f3 BP |
276 | </term> |
277 | <listitem> | |
278 | <para> | |
fcd95ae9 KY |
279 | Absolute path from container rootfs to the binary to use as init. This |
280 | mostly makes sense for <command>lxc-start</command>. Default is <command>/sbin/init</command>. | |
936762f3 BP |
281 | </para> |
282 | </listitem> | |
283 | </varlistentry> | |
67c660d0 SG |
284 | </variablelist> |
285 | </refsect2> | |
286 | ||
dbca9237 PT |
287 | <refsect2> |
288 | <title>Init ID</title> | |
289 | <para> | |
b9986e43 CB |
290 | Sets the UID/GID to use for the init system, and subsequent commands. |
291 | Note that using a non-root uid when booting a system container will | |
292 | likely not work due to missing privileges. Setting the UID/GID is mostly | |
293 | useful when running application container. | |
dbca9237 PT |
294 | |
295 | Defaults to: UID(0), GID(0) | |
296 | </para> | |
297 | <variablelist> | |
298 | <varlistentry> | |
299 | <term> | |
9dcf7b4d | 300 | <option>lxc.init.uid</option> |
dbca9237 PT |
301 | </term> |
302 | <listitem> | |
303 | <para> | |
b9986e43 | 304 | UID to use for init. |
dbca9237 PT |
305 | </para> |
306 | </listitem> | |
307 | </varlistentry> | |
308 | <varlistentry> | |
309 | <term> | |
9dcf7b4d | 310 | <option>lxc.init.gid</option> |
dbca9237 PT |
311 | </term> |
312 | <listitem> | |
313 | <para> | |
b9986e43 | 314 | GID to use for init. |
dbca9237 PT |
315 | </para> |
316 | </listitem> | |
317 | </varlistentry> | |
318 | </variablelist> | |
319 | </refsect2> | |
320 | ||
4e6eb26b CB |
321 | <refsect2> |
322 | <title>Ephemeral</title> | |
323 | <para> | |
324 | Allows one to specify whether a container will be destroyed on shutdown. | |
325 | </para> | |
326 | <variablelist> | |
327 | <varlistentry> | |
328 | <term> | |
329 | <option>lxc.ephemeral</option> | |
330 | </term> | |
331 | <listitem> | |
332 | <para> | |
333 | The only allowed values are 0 and 1. Set this to 1 to destroy a | |
334 | container on shutdown. | |
335 | </para> | |
336 | </listitem> | |
337 | </varlistentry> | |
338 | </variablelist> | |
339 | </refsect2> | |
340 | ||
55fc19a1 SG |
341 | <refsect2> |
342 | <title>Network</title> | |
343 | <para> | |
c464fd7e SG |
344 | The network section defines how the network is virtualized in |
345 | the container. The network virtualization acts at layer | |
346 | two. In order to use the network virtualization, parameters | |
347 | must be specified to define the network interfaces of the | |
348 | container. Several virtual interfaces can be assigned and used | |
349 | in a container even if the system has only one physical | |
350 | network interface. | |
55fc19a1 SG |
351 | </para> |
352 | <variablelist> | |
020104c3 MH |
353 | <varlistentry> |
354 | <term> | |
7fa3f2e9 | 355 | <option>lxc.net</option> |
020104c3 MH |
356 | </term> |
357 | <listitem> | |
358 | <para> | |
359 | may be used without a value to clear all previous network options. | |
360 | </para> | |
361 | </listitem> | |
362 | </varlistentry> | |
c464fd7e SG |
363 | <varlistentry> |
364 | <term> | |
7fa3f2e9 | 365 | <option>lxc.net.[i].type</option> |
c464fd7e SG |
366 | </term> |
367 | <listitem> | |
368 | <para> | |
369 | specify what kind of network virtualization to be used | |
b9986e43 CB |
370 | for the container. |
371 | Multiple networks can be specified by using an additional index | |
372 | <option>i</option> | |
7fa3f2e9 | 373 | after all <option>lxc.net.*</option> keys. For example, |
374 | <option>lxc.net.0.type = veth</option> and | |
375 | <option>lxc.net.1.type = veth</option> specify two different | |
b9986e43 CB |
376 | networks of the same type. All keys sharing the same index |
377 | <option>i</option> will be treated as belonging to the same | |
7fa3f2e9 | 378 | network. For example, <option>lxc.net.0.link = br0</option> |
379 | will belong to <option>lxc.net.0.type</option>. | |
b9986e43 | 380 | Currently, the different virtualization types can be: |
c464fd7e SG |
381 | </para> |
382 | ||
383 | <para> | |
384 | <option>none:</option> will cause the container to share | |
385 | the host's network namespace. This means the host | |
386 | network devices are usable in the container. It also | |
387 | means that if both the container and host have upstart as | |
388 | init, 'halt' in a container (for instance) will shut down the | |
389 | host. | |
390 | </para> | |
391 | ||
392 | <para> | |
393 | <option>empty:</option> will create only the loopback | |
394 | interface. | |
395 | </para> | |
396 | ||
397 | <para> | |
38005c54 MA |
398 | <option>veth:</option> a virtual ethernet pair |
399 | device is created with one side assigned to the container | |
400 | and the other side attached to a bridge specified by | |
7fa3f2e9 | 401 | the <option>lxc.net.[i].link</option> option. |
38005c54 MA |
402 | If the bridge is not specified, then the veth pair device |
403 | will be created but not attached to any bridge. | |
404 | Otherwise, the bridge has to be created on the system | |
405 | before starting the container. | |
406 | <command>lxc</command> won't handle any | |
407 | configuration outside of the container. | |
408 | By default, <command>lxc</command> chooses a name for the | |
c464fd7e | 409 | network device belonging to the outside of the |
38005c54 MA |
410 | container, but if you wish to handle |
411 | this name yourselves, you can tell <command>lxc</command> | |
c464fd7e | 412 | to set a specific name with |
7fa3f2e9 | 413 | the <option>lxc.net.[i].veth.pair</option> option (except for |
c464fd7e SG |
414 | unprivileged containers where this option is ignored for security |
415 | reasons). | |
416 | </para> | |
417 | ||
418 | <para> | |
419 | <option>vlan:</option> a vlan interface is linked with | |
420 | the interface specified by | |
7fa3f2e9 | 421 | the <option>lxc.net.[i].link</option> and assigned to |
c464fd7e | 422 | the container. The vlan identifier is specified with the |
7fa3f2e9 | 423 | option <option>lxc.net.[i].vlan.id</option>. |
c464fd7e SG |
424 | </para> |
425 | ||
426 | <para> | |
427 | <option>macvlan:</option> a macvlan interface is linked | |
428 | with the interface specified by | |
7fa3f2e9 | 429 | the <option>lxc.net.[i].link</option> and assigned to |
c464fd7e | 430 | the container. |
7fa3f2e9 | 431 | <option>lxc.net.[i].macvlan.mode</option> specifies the |
c464fd7e SG |
432 | mode the macvlan will use to communicate between |
433 | different macvlan on the same upper device. The accepted | |
c15ea607 EL |
434 | modes are <option>private</option>, <option>vepa</option>, |
435 | <option>bridge</option> and <option>passthru</option>. | |
436 | In <option>private</option> mode, the device never | |
437 | communicates with any other device on the same upper_dev (default). | |
438 | In <option>vepa</option> mode, the new Virtual Ethernet Port | |
c464fd7e SG |
439 | Aggregator (VEPA) mode, it assumes that the adjacent |
440 | bridge returns all frames where both source and | |
441 | destination are local to the macvlan port, i.e. the | |
442 | bridge is set up as a reflective relay. Broadcast | |
443 | frames coming in from the upper_dev get flooded to all | |
444 | macvlan interfaces in VEPA mode, local frames are not | |
c15ea607 | 445 | delivered locally. In <option>bridge</option> mode, it |
c464fd7e SG |
446 | provides the behavior of a simple bridge between |
447 | different macvlan interfaces on the same port. Frames | |
448 | from one interface to another one get delivered directly | |
449 | and are not sent out externally. Broadcast frames get | |
450 | flooded to all other bridge ports and to the external | |
451 | interface, but when they come back from a reflective | |
452 | relay, we don't deliver them again. Since we know all | |
453 | the MAC addresses, the macvlan bridge mode does not | |
c15ea607 EL |
454 | require learning or STP like the bridge module does. In |
455 | <option>passthru</option> mode, all frames received by | |
456 | the physical interface are forwarded to the macvlan | |
457 | interface. Only one macvlan interface in <option>passthru</option> | |
458 | mode is possible for one physical interface. | |
c464fd7e SG |
459 | </para> |
460 | ||
461 | <para> | |
462 | <option>phys:</option> an already existing interface | |
7fa3f2e9 | 463 | specified by the <option>lxc.net.[i].link</option> is |
c464fd7e SG |
464 | assigned to the container. |
465 | </para> | |
466 | </listitem> | |
467 | </varlistentry> | |
468 | ||
469 | <varlistentry> | |
470 | <term> | |
7fa3f2e9 | 471 | <option>lxc.net.[i].flags</option> |
c464fd7e SG |
472 | </term> |
473 | <listitem> | |
474 | <para> | |
b9986e43 | 475 | Specify an action to do for the network. |
c464fd7e SG |
476 | </para> |
477 | ||
478 | <para><option>up:</option> activates the interface. | |
479 | </para> | |
480 | </listitem> | |
481 | </varlistentry> | |
482 | ||
483 | <varlistentry> | |
484 | <term> | |
7fa3f2e9 | 485 | <option>lxc.net.[i].link</option> |
c464fd7e SG |
486 | </term> |
487 | <listitem> | |
488 | <para> | |
b9986e43 CB |
489 | Specify the interface to be used for real network traffic. |
490 | </para> | |
c464fd7e SG |
491 | </listitem> |
492 | </varlistentry> | |
493 | ||
494 | <varlistentry> | |
495 | <term> | |
7fa3f2e9 | 496 | <option>lxc.net.[i].mtu</option> |
c464fd7e SG |
497 | </term> |
498 | <listitem> | |
499 | <para> | |
b9986e43 | 500 | Specify the maximum transfer unit for this interface. |
c464fd7e SG |
501 | </para> |
502 | </listitem> | |
503 | </varlistentry> | |
504 | ||
505 | <varlistentry> | |
506 | <term> | |
7fa3f2e9 | 507 | <option>lxc.net.[i].name</option> |
c464fd7e SG |
508 | </term> |
509 | <listitem> | |
510 | <para> | |
b9986e43 CB |
511 | The interface name is dynamically allocated, but if another name |
512 | is needed because the configuration files being used by the | |
513 | container use a generic name, eg. eth0, this option will rename | |
514 | the interface in the container. | |
c464fd7e SG |
515 | </para> |
516 | </listitem> | |
517 | </varlistentry> | |
518 | ||
519 | <varlistentry> | |
520 | <term> | |
7fa3f2e9 | 521 | <option>lxc.net.[i].hwaddr</option> |
c464fd7e SG |
522 | </term> |
523 | <listitem> | |
524 | <para> | |
b9986e43 CB |
525 | The interface mac address is dynamically allocated by default to |
526 | the virtual interface, but in some cases, this is needed to | |
527 | resolve a mac address conflict or to always have the same | |
528 | link-local ipv6 address. Any "x" in address will be replaced by | |
529 | random value, this allows setting hwaddr templates. | |
c464fd7e SG |
530 | </para> |
531 | </listitem> | |
532 | </varlistentry> | |
533 | ||
534 | <varlistentry> | |
535 | <term> | |
9ff60df2 | 536 | <option>lxc.net.[i].ipv4.address</option> |
c464fd7e SG |
537 | </term> |
538 | <listitem> | |
539 | <para> | |
b9986e43 CB |
540 | Specify the ipv4 address to assign to the virtualized interface. |
541 | Several lines specify several ipv4 addresses. The address is in | |
542 | format x.y.z.t/m, eg. 192.168.1.123/24. | |
c464fd7e SG |
543 | </para> |
544 | </listitem> | |
545 | </varlistentry> | |
546 | ||
547 | <varlistentry> | |
548 | <term> | |
7fa3f2e9 | 549 | <option>lxc.net.[i].ipv4.gateway</option> |
c464fd7e SG |
550 | </term> |
551 | <listitem> | |
552 | <para> | |
b9986e43 CB |
553 | Specify the ipv4 address to use as the gateway inside the |
554 | container. The address is in format x.y.z.t, eg. 192.168.1.123. | |
c464fd7e SG |
555 | |
556 | Can also have the special value <option>auto</option>, | |
557 | which means to take the primary address from the bridge | |
558 | interface (as specified by the | |
7fa3f2e9 | 559 | <option>lxc.net.[i].link</option> option) and use that as |
c464fd7e SG |
560 | the gateway. <option>auto</option> is only available when |
561 | using the <option>veth</option> and | |
562 | <option>macvlan</option> network types. | |
563 | </para> | |
564 | </listitem> | |
565 | </varlistentry> | |
566 | ||
567 | ||
568 | <varlistentry> | |
569 | <term> | |
2e44ae28 | 570 | <option>lxc.net.[i].ipv6.address</option> |
c464fd7e SG |
571 | </term> |
572 | <listitem> | |
573 | <para> | |
b9986e43 CB |
574 | Specify the ipv6 address to assign to the virtualized |
575 | interface. Several lines specify several ipv6 addresses. The | |
576 | address is in format x::y/m, eg. | |
577 | 2003:db8:1:0:214:1234:fe0b:3596/64 | |
c464fd7e SG |
578 | </para> |
579 | </listitem> | |
580 | </varlistentry> | |
581 | ||
582 | <varlistentry> | |
583 | <term> | |
7fa3f2e9 | 584 | <option>lxc.net.[i].ipv6.gateway</option> |
c464fd7e SG |
585 | </term> |
586 | <listitem> | |
587 | <para> | |
b9986e43 CB |
588 | Specify the ipv6 address to use as the gateway inside the |
589 | container. The address is in format x::y, eg. 2003:db8:1:0::1 | |
c464fd7e SG |
590 | |
591 | Can also have the special value <option>auto</option>, | |
592 | which means to take the primary address from the bridge | |
593 | interface (as specified by the | |
7fa3f2e9 | 594 | <option>lxc.net.[i].link</option> option) and use that as |
c464fd7e SG |
595 | the gateway. <option>auto</option> is only available when |
596 | using the <option>veth</option> and | |
597 | <option>macvlan</option> network types. | |
598 | </para> | |
599 | </listitem> | |
600 | </varlistentry> | |
601 | ||
602 | <varlistentry> | |
603 | <term> | |
7fa3f2e9 | 604 | <option>lxc.net.[i].script.up</option> |
c464fd7e SG |
605 | </term> |
606 | <listitem> | |
607 | <para> | |
b9986e43 | 608 | Add a configuration option to specify a script to be |
c464fd7e SG |
609 | executed after creating and configuring the network used |
610 | from the host side. The following arguments are passed | |
611 | to the script: container name and config section name | |
612 | (net) Additional arguments depend on the config section | |
613 | employing a script hook; the following are used by the | |
614 | network system: execution context (up), network type | |
615 | (empty/veth/macvlan/phys), Depending on the network | |
616 | type, other arguments may be passed: | |
617 | veth/macvlan/phys. And finally (host-sided) device name. | |
618 | </para> | |
619 | <para> | |
620 | Standard output from the script is logged at debug level. | |
621 | Standard error is not logged, but can be captured by the | |
622 | hook redirecting its standard error to standard output. | |
623 | </para> | |
624 | </listitem> | |
625 | </varlistentry> | |
626 | ||
627 | <varlistentry> | |
628 | <term> | |
7fa3f2e9 | 629 | <option>lxc.net.[i].script.down</option> |
c464fd7e SG |
630 | </term> |
631 | <listitem> | |
632 | <para> | |
b9986e43 | 633 | Add a configuration option to specify a script to be |
c464fd7e SG |
634 | executed before destroying the network used from the |
635 | host side. The following arguments are passed to the | |
636 | script: container name and config section name (net) | |
637 | Additional arguments depend on the config section | |
638 | employing a script hook; the following are used by the | |
639 | network system: execution context (down), network type | |
640 | (empty/veth/macvlan/phys), Depending on the network | |
641 | type, other arguments may be passed: | |
642 | veth/macvlan/phys. And finally (host-sided) device name. | |
643 | </para> | |
644 | <para> | |
645 | Standard output from the script is logged at debug level. | |
646 | Standard error is not logged, but can be captured by the | |
647 | hook redirecting its standard error to standard output. | |
648 | </para> | |
649 | </listitem> | |
650 | </varlistentry> | |
55fc19a1 SG |
651 | </variablelist> |
652 | </refsect2> | |
653 | ||
654 | <refsect2> | |
655 | <title>New pseudo tty instance (devpts)</title> | |
656 | <para> | |
c464fd7e SG |
657 | For stricter isolation the container can have its own private |
658 | instance of the pseudo tty. | |
55fc19a1 SG |
659 | </para> |
660 | <variablelist> | |
c464fd7e SG |
661 | <varlistentry> |
662 | <term> | |
232763d6 | 663 | <option>lxc.pty.max</option> |
c464fd7e SG |
664 | </term> |
665 | <listitem> | |
666 | <para> | |
667 | If set, the container will have a new pseudo tty | |
668 | instance, making this private to it. The value specifies | |
55fc19a1 SG |
669 | the maximum number of pseudo ttys allowed for a pts |
670 | instance (this limitation is not implemented yet). | |
c464fd7e SG |
671 | </para> |
672 | </listitem> | |
673 | </varlistentry> | |
55fc19a1 SG |
674 | </variablelist> |
675 | </refsect2> | |
676 | ||
677 | <refsect2> | |
678 | <title>Container system console</title> | |
679 | <para> | |
c464fd7e SG |
680 | If the container is configured with a root filesystem and the |
681 | inittab file is setup to use the console, you may want to specify | |
682 | where the output of this console goes. | |
55fc19a1 SG |
683 | </para> |
684 | <variablelist> | |
c464fd7e SG |
685 | <varlistentry> |
686 | <term> | |
687 | <option>lxc.console.logfile</option> | |
688 | </term> | |
689 | <listitem> | |
690 | <para> | |
691 | Specify a path to a file where the console output will | |
692 | be written. | |
693 | </para> | |
694 | </listitem> | |
695 | </varlistentry> | |
696 | <varlistentry> | |
697 | <term> | |
3aed4934 | 698 | <option>lxc.console.path</option> |
c464fd7e SG |
699 | </term> |
700 | <listitem> | |
701 | <para> | |
702 | Specify a path to a device to which the console will be | |
6e3bb289 CB |
703 | attached. The keyword 'none' will simply disable the |
704 | console. Note, when specifying 'none' and creating a device node | |
705 | for the console in the container at /dev/console or bind-mounting | |
706 | the hosts's /dev/console into the container at /dev/console the | |
707 | container will have direct access to the hosts's /dev/console. | |
708 | This is dangerous when the container has write access to the | |
709 | device and should thus be used with caution. | |
c464fd7e SG |
710 | </para> |
711 | </listitem> | |
712 | </varlistentry> | |
55fc19a1 SG |
713 | </variablelist> |
714 | </refsect2> | |
715 | ||
716 | <refsect2> | |
717 | <title>Console through the ttys</title> | |
718 | <para> | |
c464fd7e SG |
719 | This option is useful if the container is configured with a root |
720 | filesystem and the inittab file is setup to launch a getty on the | |
721 | ttys. The option specifies the number of ttys to be available for | |
722 | the container. The number of gettys in the inittab file of the | |
723 | container should not be greater than the number of ttys specified | |
724 | in this option, otherwise the excess getty sessions will die and | |
725 | respawn indefinitely giving annoying messages on the console or in | |
726 | <filename>/var/log/messages</filename>. | |
55fc19a1 SG |
727 | </para> |
728 | <variablelist> | |
c464fd7e SG |
729 | <varlistentry> |
730 | <term> | |
fe1c5887 | 731 | <option>lxc.tty.max</option> |
c464fd7e SG |
732 | </term> |
733 | <listitem> | |
734 | <para> | |
735 | Specify the number of tty to make available to the | |
736 | container. | |
737 | </para> | |
738 | </listitem> | |
739 | </varlistentry> | |
55fc19a1 SG |
740 | </variablelist> |
741 | </refsect2> | |
742 | ||
743 | <refsect2> | |
744 | <title>Console devices location</title> | |
745 | <para> | |
746 | LXC consoles are provided through Unix98 PTYs created on the | |
c464fd7e SG |
747 | host and bind-mounted over the expected devices in the container. |
748 | By default, they are bind-mounted over <filename>/dev/console</filename> | |
749 | and <filename>/dev/ttyN</filename>. This can prevent package upgrades | |
750 | in the guest. Therefore you can specify a directory location (under | |
751 | <filename>/dev</filename> under which LXC will create the files and | |
752 | bind-mount over them. These will then be symbolically linked to | |
753 | <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>. | |
754 | A package upgrade can then succeed as it is able to remove and replace | |
755 | the symbolic links. | |
55fc19a1 SG |
756 | </para> |
757 | <variablelist> | |
c464fd7e SG |
758 | <varlistentry> |
759 | <term> | |
fe1c5887 | 760 | <option>lxc.tty.dir</option> |
c464fd7e SG |
761 | </term> |
762 | <listitem> | |
763 | <para> | |
764 | Specify a directory under <filename>/dev</filename> | |
6e3bb289 CB |
765 | under which to create the container console devices. Note that LXC |
766 | will move any bind-mounts or device nodes for /dev/console into | |
767 | this directory. | |
c464fd7e SG |
768 | </para> |
769 | </listitem> | |
770 | </varlistentry> | |
55fc19a1 SG |
771 | </variablelist> |
772 | </refsect2> | |
773 | ||
774 | <refsect2> | |
775 | <title>/dev directory</title> | |
776 | <para> | |
c464fd7e SG |
777 | By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr) |
778 | in the container's <filename>/dev</filename> directory but does not | |
779 | automatically create device node entries. This allows the container's | |
780 | <filename>/dev</filename> to be set up as needed in the container | |
781 | rootfs. If lxc.autodev is set to 1, then after mounting the container's | |
782 | rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename> | |
c35d2909 | 783 | (limited to 500k) and fill in a minimal set of initial devices. |
55fc19a1 SG |
784 | This is generally required when starting a container containing |
785 | a "systemd" based "init" but may be optional at other times. Additional | |
786 | devices in the containers /dev directory may be created through the | |
787 | use of the <option>lxc.hook.autodev</option> hook. | |
788 | </para> | |
789 | <variablelist> | |
c464fd7e SG |
790 | <varlistentry> |
791 | <term> | |
792 | <option>lxc.autodev</option> | |
793 | </term> | |
794 | <listitem> | |
795 | <para> | |
124fa0a8 | 796 | Set this to 0 to stop LXC from mounting and populating a minimal |
c464fd7e SG |
797 | <filename>/dev</filename> when starting the container. |
798 | </para> | |
799 | </listitem> | |
800 | </varlistentry> | |
55fc19a1 | 801 | </variablelist> |
55fc19a1 SG |
802 | </refsect2> |
803 | ||
804 | <refsect2> | |
805 | <title>Mount points</title> | |
806 | <para> | |
c464fd7e SG |
807 | The mount points section specifies the different places to be |
808 | mounted. These mount points will be private to the container | |
809 | and won't be visible by the processes running outside of the | |
810 | container. This is useful to mount /etc, /var or /home for | |
811 | examples. | |
55fc19a1 | 812 | </para> |
592fd47a SH |
813 | <para> |
814 | NOTE - LXC will generally ensure that mount targets and relative | |
815 | bind-mount sources are properly confined under the container | |
816 | root, to avoid attacks involving over-mounting host directories | |
817 | and files. (Symbolic links in absolute mount sources are ignored) | |
818 | However, if the container configuration first mounts a directory which | |
819 | is under the control of the container user, such as /home/joe, into | |
820 | the container at some <filename>path</filename>, and then mounts | |
821 | under <filename>path</filename>, then a TOCTTOU attack would be | |
822 | possible where the container user modifies a symbolic link under | |
823 | his home directory at just the right time. | |
824 | </para> | |
55fc19a1 | 825 | <variablelist> |
c464fd7e SG |
826 | <varlistentry> |
827 | <term> | |
47148e96 | 828 | <option>lxc.mount.fstab</option> |
c464fd7e SG |
829 | </term> |
830 | <listitem> | |
831 | <para> | |
832 | specify a file location in | |
833 | the <filename>fstab</filename> format, containing the | |
834 | mount information. The mount target location can and in | |
835 | most cases should be a relative path, which will become | |
836 | relative to the mounted container root. For instance, | |
837 | </para> | |
b9986e43 CB |
838 | <programlisting> |
839 | proc proc proc nodev,noexec,nosuid 0 0 | |
840 | </programlisting> | |
c464fd7e SG |
841 | <para> |
842 | Will mount a proc filesystem under the container's /proc, | |
843 | regardless of where the root filesystem comes from. This | |
844 | is resilient to block device backed filesystems as well as | |
845 | container cloning. | |
846 | </para> | |
847 | <para> | |
848 | Note that when mounting a filesystem from an | |
849 | image file or block device the third field (fs_vfstype) | |
850 | cannot be auto as with | |
55fc19a1 | 851 | <citerefentry> |
c464fd7e | 852 | <refentrytitle>mount</refentrytitle> |
55fc19a1 SG |
853 | <manvolnum>8</manvolnum> |
854 | </citerefentry> | |
855 | but must be explicitly specified. | |
c464fd7e SG |
856 | </para> |
857 | </listitem> | |
858 | </varlistentry> | |
859 | ||
860 | <varlistentry> | |
861 | <term> | |
862 | <option>lxc.mount.entry</option> | |
863 | </term> | |
864 | <listitem> | |
865 | <para> | |
866 | specify a mount point corresponding to a line in the | |
867 | fstab format. | |
f5b67b36 NC |
868 | |
869 | Moreover lxc add two options to mount. | |
870 | <option>optional</option> don't fail if mount does not work. | |
871 | <option>create=dir</option> or <option>create=file</option> | |
872 | to create dir (or file) when the point will be mounted. | |
c464fd7e SG |
873 | </para> |
874 | </listitem> | |
875 | </varlistentry> | |
876 | ||
877 | <varlistentry> | |
878 | <term> | |
879 | <option>lxc.mount.auto</option> | |
880 | </term> | |
881 | <listitem> | |
882 | <para> | |
883 | specify which standard kernel file systems should be | |
884 | automatically mounted. This may dramatically simplify | |
885 | the configuration. The file systems are: | |
886 | </para> | |
887 | <itemizedlist> | |
888 | <listitem> | |
889 | <para> | |
890 | <option>proc:mixed</option> (or <option>proc</option>): | |
891 | mount <filename>/proc</filename> as read-write, but | |
892 | remount <filename>/proc/sys</filename> and | |
893 | <filename>/proc/sysrq-trigger</filename> read-only | |
894 | for security / container isolation purposes. | |
895 | </para> | |
896 | </listitem> | |
897 | <listitem> | |
898 | <para> | |
899 | <option>proc:rw</option>: mount | |
900 | <filename>/proc</filename> as read-write | |
901 | </para> | |
902 | </listitem> | |
903 | <listitem> | |
904 | <para> | |
f24a52d5 SG |
905 | <option>sys:mixed</option> (or <option>sys</option>): |
906 | mount <filename>/sys</filename> as read-only but with | |
907 | /sys/devices/virtual/net writable. | |
908 | </para> | |
909 | </listitem> | |
910 | <listitem> | |
911 | <para> | |
912 | <option>sys:ro</option>: | |
c464fd7e SG |
913 | mount <filename>/sys</filename> as read-only |
914 | for security / container isolation purposes. | |
915 | </para> | |
916 | </listitem> | |
917 | <listitem> | |
918 | <para> | |
919 | <option>sys:rw</option>: mount | |
920 | <filename>/sys</filename> as read-write | |
921 | </para> | |
922 | </listitem> | |
923 | <listitem> | |
924 | <para> | |
925 | <option>cgroup:mixed</option>: | |
926 | mount a tmpfs to <filename>/sys/fs/cgroup</filename>, | |
927 | create directories for all hierarchies to which | |
928 | the container is added, create subdirectories | |
929 | there with the name of the cgroup, and bind-mount | |
930 | the container's own cgroup into that directory. | |
931 | The container will be able to write to its own | |
932 | cgroup directory, but not the parents, since they | |
4608594e | 933 | will be remounted read-only. |
c464fd7e SG |
934 | </para> |
935 | </listitem> | |
936 | <listitem> | |
937 | <para> | |
938 | <option>cgroup:ro</option>: similar to | |
939 | <option>cgroup:mixed</option>, but everything will | |
940 | be mounted read-only. | |
941 | </para> | |
942 | </listitem> | |
943 | <listitem> | |
944 | <para> | |
945 | <option>cgroup:rw</option>: similar to | |
946 | <option>cgroup:mixed</option>, but everything will | |
947 | be mounted read-write. Note that the paths leading | |
948 | up to the container's own cgroup will be writable, | |
949 | but will not be a cgroup filesystem but just part | |
950 | of the tmpfs of <filename>/sys/fs/cgroup</filename> | |
951 | </para> | |
952 | </listitem> | |
953 | <listitem> | |
954 | <para> | |
955 | <option>cgroup</option> (without specifier): | |
956 | defaults to <option>cgroup:rw</option> if the | |
957 | container retains the CAP_SYS_ADMIN capability, | |
958 | <option>cgroup:mixed</option> otherwise. | |
959 | </para> | |
960 | </listitem> | |
961 | <listitem> | |
962 | <para> | |
963 | <option>cgroup-full:mixed</option>: | |
964 | mount a tmpfs to <filename>/sys/fs/cgroup</filename>, | |
965 | create directories for all hierarchies to which | |
966 | the container is added, bind-mount the hierarchies | |
967 | from the host to the container and make everything | |
968 | read-only except the container's own cgroup. Note | |
969 | that compared to <option>cgroup</option>, where | |
970 | all paths leading up to the container's own cgroup | |
971 | are just simple directories in the underlying | |
972 | tmpfs, here | |
973 | <filename>/sys/fs/cgroup/$hierarchy</filename> | |
974 | will contain the host's full cgroup hierarchy, | |
975 | albeit read-only outside the container's own cgroup. | |
976 | This may leak quite a bit of information into the | |
977 | container. | |
978 | </para> | |
979 | </listitem> | |
980 | <listitem> | |
981 | <para> | |
982 | <option>cgroup-full:ro</option>: similar to | |
983 | <option>cgroup-full:mixed</option>, but everything | |
984 | will be mounted read-only. | |
985 | </para> | |
986 | </listitem> | |
987 | <listitem> | |
988 | <para> | |
989 | <option>cgroup-full:rw</option>: similar to | |
990 | <option>cgroup-full:mixed</option>, but everything | |
991 | will be mounted read-write. Note that in this case, | |
992 | the container may escape its own cgroup. (Note also | |
993 | that if the container has CAP_SYS_ADMIN support | |
994 | and can mount the cgroup filesystem itself, it may | |
995 | do so anyway.) | |
996 | </para> | |
997 | </listitem> | |
998 | <listitem> | |
999 | <para> | |
1000 | <option>cgroup-full</option> (without specifier): | |
1001 | defaults to <option>cgroup-full:rw</option> if the | |
1002 | container retains the CAP_SYS_ADMIN capability, | |
1003 | <option>cgroup-full:mixed</option> otherwise. | |
1004 | </para> | |
1005 | </listitem> | |
1006 | </itemizedlist> | |
4608594e SH |
1007 | <para> |
1008 | If cgroup namespaces are enabled, then any <option>cgroup</option> | |
1009 | auto-mounting request will be ignored, since the container can | |
1010 | mount the filesystems itself, and automounting can confuse the | |
1011 | container init. | |
1012 | </para> | |
c464fd7e SG |
1013 | <para> |
1014 | Note that if automatic mounting of the cgroup filesystem | |
1015 | is enabled, the tmpfs under | |
1016 | <filename>/sys/fs/cgroup</filename> will always be | |
1017 | mounted read-write (but for the <option>:mixed</option> | |
1018 | and <option>:ro</option> cases, the individual | |
1019 | hierarchies, | |
1020 | <filename>/sys/fs/cgroup/$hierarchy</filename>, will be | |
1021 | read-only). This is in order to work around a quirk in | |
1022 | Ubuntu's | |
b46f0553 | 1023 | <citerefentry> |
c464fd7e | 1024 | <refentrytitle>mountall</refentrytitle> |
b46f0553 CS |
1025 | <manvolnum>8</manvolnum> |
1026 | </citerefentry> | |
c464fd7e SG |
1027 | command that will cause containers to wait for user |
1028 | input at boot if | |
1029 | <filename>/sys/fs/cgroup</filename> is mounted read-only | |
1030 | and the container can't remount it read-write due to a | |
1031 | lack of CAP_SYS_ADMIN. | |
1032 | </para> | |
1033 | <para> | |
1034 | Examples: | |
1035 | </para> | |
1036 | <programlisting> | |
1037 | lxc.mount.auto = proc sys cgroup | |
1038 | lxc.mount.auto = proc:rw sys:rw cgroup-full:rw | |
1039 | </programlisting> | |
1040 | </listitem> | |
1041 | </varlistentry> | |
55fc19a1 SG |
1042 | |
1043 | </variablelist> | |
1044 | </refsect2> | |
1045 | ||
1046 | <refsect2> | |
1047 | <title>Root file system</title> | |
1048 | <para> | |
c464fd7e SG |
1049 | The root file system of the container can be different than that |
1050 | of the host system. | |
55fc19a1 SG |
1051 | </para> |
1052 | <variablelist> | |
c464fd7e SG |
1053 | <varlistentry> |
1054 | <term> | |
7a96a068 | 1055 | <option>lxc.rootfs.path</option> |
c464fd7e SG |
1056 | </term> |
1057 | <listitem> | |
1058 | <para> | |
1059 | specify the root file system for the container. It can | |
1060 | be an image file, a directory or a block device. If not | |
1061 | specified, the container shares its root file system | |
1062 | with the host. | |
1063 | </para> | |
1064 | <para> | |
f1c26f2c SH |
1065 | For directory or simple block-device backed containers, |
1066 | a pathname can be used. If the rootfs is backed by a nbd | |
1067 | device, then <filename>nbd:file:1</filename> specifies that | |
1068 | <filename>file</filename> should be attached to a nbd device, | |
1069 | and partition 1 should be mounted as the rootfs. | |
1070 | <filename>nbd:file</filename> specifies that the nbd device | |
1071 | itself should be mounted. <filename>overlayfs:/lower:/upper</filename> | |
1072 | specifies that the rootfs should be an overlay with <filename>/upper</filename> | |
1073 | being mounted read-write over a read-only mount of <filename>/lower</filename>. | |
1074 | <filename>aufs:/lower:/upper</filename> does the same using aufs in place | |
280d2379 CB |
1075 | of overlayfs. For both <filename>overlayfs</filename> and |
1076 | <filename>aufs</filename> multiple <filename>/lower</filename> | |
1077 | directories can be specified. <filename>loop:/file</filename> tells lxc to attach | |
f1c26f2c | 1078 | <filename>/file</filename> to a loop device and mount the loop device. |
c464fd7e SG |
1079 | </para> |
1080 | </listitem> | |
1081 | </varlistentry> | |
1082 | ||
1083 | <varlistentry> | |
1084 | <term> | |
1085 | <option>lxc.rootfs.mount</option> | |
1086 | </term> | |
1087 | <listitem> | |
1088 | <para> | |
7a96a068 | 1089 | where to recursively bind <option>lxc.rootfs.path</option> |
c464fd7e SG |
1090 | before pivoting. This is to ensure success of the |
1091 | <citerefentry> | |
1092 | <refentrytitle><command>pivot_root</command></refentrytitle> | |
1093 | <manvolnum>8</manvolnum> | |
1094 | </citerefentry> | |
1095 | syscall. Any directory suffices, the default should | |
1096 | generally work. | |
1097 | </para> | |
1098 | </listitem> | |
1099 | </varlistentry> | |
1100 | ||
1101 | <varlistentry> | |
1102 | <term> | |
1103 | <option>lxc.rootfs.options</option> | |
1104 | </term> | |
1105 | <listitem> | |
1106 | <para> | |
1107 | extra mount options to use when mounting the rootfs. | |
1108 | </para> | |
1109 | </listitem> | |
1110 | </varlistentry> | |
a17b1e65 | 1111 | |
55fc19a1 SG |
1112 | </variablelist> |
1113 | </refsect2> | |
1114 | ||
1115 | <refsect2> | |
1116 | <title>Control group</title> | |
1117 | <para> | |
c464fd7e SG |
1118 | The control group section contains the configuration for the |
1119 | different subsystem. <command>lxc</command> does not check the | |
1120 | correctness of the subsystem name. This has the disadvantage | |
1121 | of not detecting configuration errors until the container is | |
1122 | started, but has the advantage of permitting any future | |
1123 | subsystem. | |
55fc19a1 SG |
1124 | </para> |
1125 | <variablelist> | |
c464fd7e SG |
1126 | <varlistentry> |
1127 | <term> | |
1128 | <option>lxc.cgroup.[subsystem name]</option> | |
1129 | </term> | |
1130 | <listitem> | |
1131 | <para> | |
1132 | specify the control group value to be set. The | |
1133 | subsystem name is the literal name of the control group | |
1134 | subsystem. The permitted names and the syntax of their | |
1135 | values is not dictated by LXC, instead it depends on the | |
1136 | features of the Linux kernel running at the time the | |
1137 | container is started, | |
1138 | eg. <option>lxc.cgroup.cpuset.cpus</option> | |
1139 | </para> | |
1140 | </listitem> | |
1141 | </varlistentry> | |
bdcbb6b3 CB |
1142 | <varlistentry> |
1143 | <term> | |
1144 | <option>lxc.cgroup.dir</option> | |
1145 | </term> | |
1146 | <listitem> | |
1147 | <para> | |
1148 | specify a directory or path in which the container's cgroup will | |
1149 | be created. For example, setting | |
1150 | <option>lxc.cgroup.dir = my-cgroup/first</option> for a container | |
1151 | named "c1" will create the container's cgroup as a sub-cgroup of | |
1152 | "my-cgroup". For example, if the user's current cgroup "my-user" | |
78be8d75 | 1153 | is located in the root cgroup of the cpuset controller in a |
bdcbb6b3 CB |
1154 | cgroup v1 hierarchy this would create the cgroup |
1155 | "/sys/fs/cgroup/cpuset/my-user/my-cgroup/first/c1" for the | |
1156 | container. Any missing cgroups will be created by LXC. This | |
1157 | presupposes that the user has write access to its current cgroup. | |
1158 | </para> | |
1159 | </listitem> | |
1160 | </varlistentry> | |
55fc19a1 SG |
1161 | </variablelist> |
1162 | </refsect2> | |
1163 | ||
1164 | <refsect2> | |
1165 | <title>Capabilities</title> | |
1166 | <para> | |
c464fd7e SG |
1167 | The capabilities can be dropped in the container if this one |
1168 | is run as root. | |
55fc19a1 SG |
1169 | </para> |
1170 | <variablelist> | |
c464fd7e SG |
1171 | <varlistentry> |
1172 | <term> | |
1173 | <option>lxc.cap.drop</option> | |
1174 | </term> | |
1175 | <listitem> | |
1176 | <para> | |
1177 | Specify the capability to be dropped in the container. A | |
1178 | single line defining several capabilities with a space | |
1179 | separation is allowed. The format is the lower case of | |
1180 | the capability definition without the "CAP_" prefix, | |
1181 | eg. CAP_SYS_MODULE should be specified as | |
1182 | sys_module. See | |
1183 | <citerefentry> | |
1184 | <refentrytitle><command>capabilities</command></refentrytitle> | |
1185 | <manvolnum>7</manvolnum> | |
7eff30fd MH |
1186 | </citerefentry>. |
1187 | If used with no value, lxc will clear any drop capabilities | |
1188 | specified up to this point. | |
c464fd7e SG |
1189 | </para> |
1190 | </listitem> | |
1191 | </varlistentry> | |
1192 | <varlistentry> | |
1193 | <term> | |
1194 | <option>lxc.cap.keep</option> | |
1195 | </term> | |
1196 | <listitem> | |
1197 | <para> | |
1198 | Specify the capability to be kept in the container. All other | |
1199 | capabilities will be dropped. When a special value of "none" is | |
1200 | encountered, lxc will clear any keep capabilities specified up | |
1201 | to this point. A value of "none" alone can be used to drop all | |
1202 | capabilities. | |
1203 | </para> | |
1204 | </listitem> | |
1205 | </varlistentry> | |
55fc19a1 SG |
1206 | </variablelist> |
1207 | </refsect2> | |
1208 | ||
93f9e90d WB |
1209 | <refsect2> |
1210 | <title>Resource limits</title> | |
1211 | <para> | |
1212 | The soft and hard resource limits for the container can be changed. | |
1213 | Unprivileged containers can only lower them. Resources which are not | |
1214 | explicitly specified will be inherited. | |
1215 | </para> | |
1216 | <variablelist> | |
1217 | <varlistentry> | |
1218 | <term> | |
240d4b74 | 1219 | <option>lxc.prlimit.[limit name]</option> |
93f9e90d WB |
1220 | </term> |
1221 | <listitem> | |
1222 | <para> | |
1223 | Specify the resource limit to be set. A limit is specified as two | |
1224 | colon separated values which are either numeric or the word | |
1225 | 'unlimited'. A single value can be used as a shortcut to set both | |
1226 | soft and hard limit to the same value. The permitted names the | |
1227 | "RLIMIT_" resource names in lowercase without the "RLIMIT_" | |
1228 | prefix, eg. RLIMIT_NOFILE should be specified as "nofile". See | |
1229 | <citerefentry> | |
1230 | <refentrytitle><command>setrlimit</command></refentrytitle> | |
1231 | <manvolnum>2</manvolnum> | |
1232 | </citerefentry>. | |
1233 | If used with no value, lxc will clear the resource limit | |
1234 | specified up to this point. A resource with no explicitly | |
1235 | configured limitation will be inherited from the process starting | |
1236 | up the container. | |
1237 | </para> | |
1238 | </listitem> | |
1239 | </varlistentry> | |
1240 | </variablelist> | |
1241 | </refsect2> | |
1242 | ||
55fc19a1 SG |
1243 | <refsect2> |
1244 | <title>Apparmor profile</title> | |
1245 | <para> | |
c464fd7e SG |
1246 | If lxc was compiled and installed with apparmor support, and the host |
1247 | system has apparmor enabled, then the apparmor profile under which the | |
1248 | container should be run can be specified in the container | |
7a126ae1 SH |
1249 | configuration. The default is <command>lxc-container-default-cgns</command> |
1250 | if the host kernel is cgroup namespace aware, or | |
1251 | <command>lxc-container-default</command> othewise. | |
55fc19a1 SG |
1252 | </para> |
1253 | <variablelist> | |
c464fd7e SG |
1254 | <varlistentry> |
1255 | <term> | |
a1d5fdfd | 1256 | <option>lxc.apparmor.profile</option> |
c464fd7e SG |
1257 | </term> |
1258 | <listitem> | |
1259 | <para> | |
1260 | Specify the apparmor profile under which the container should | |
1261 | be run. To specify that the container should be unconfined, | |
1262 | use | |
1263 | </para> | |
a1d5fdfd | 1264 | <programlisting>lxc.apparmor.profile = unconfined</programlisting> |
7a126ae1 SH |
1265 | <para> |
1266 | If the apparmor profile should remain unchanged (i.e. if you | |
1267 | are nesting containers and are already confined), then use | |
1268 | </para> | |
a1d5fdfd | 1269 | <programlisting>lxc.apparmor.profile = unchanged</programlisting> |
c464fd7e SG |
1270 | </listitem> |
1271 | </varlistentry> | |
1272 | <varlistentry> | |
1273 | <term> | |
69e38e00 | 1274 | <option>lxc.apparmor.allow_incomplete</option> |
c464fd7e SG |
1275 | </term> |
1276 | <listitem> | |
1277 | <para> | |
1278 | Apparmor profiles are pathname based. Therefore many file | |
1279 | restrictions require mount restrictions to be effective against | |
1280 | a determined attacker. However, these mount restrictions are not | |
1281 | yet implemented in the upstream kernel. Without the mount | |
1282 | restrictions, the apparmor profiles still protect against accidental | |
1283 | damager. | |
1284 | </para> | |
1285 | <para> | |
1286 | If this flag is 0 (default), then the container will not be | |
1287 | started if the kernel lacks the apparmor mount features, so that a | |
1288 | regression after a kernel upgrade will be detected. To start the | |
1289 | container under partial apparmor protection, set this flag to 1. | |
1290 | </para> | |
1291 | </listitem> | |
1292 | </varlistentry> | |
55fc19a1 SG |
1293 | </variablelist> |
1294 | </refsect2> | |
1295 | ||
1296 | <refsect2> | |
1297 | <title>SELinux context</title> | |
1298 | <para> | |
c464fd7e SG |
1299 | If lxc was compiled and installed with SELinux support, and the host |
1300 | system has SELinux enabled, then the SELinux context under which the | |
1301 | container should be run can be specified in the container | |
1302 | configuration. The default is <command>unconfined_t</command>, | |
1303 | which means that lxc will not attempt to change contexts. | |
1304 | See @DATADIR@/lxc/selinux/lxc.te for an example policy and more | |
1305 | information. | |
55fc19a1 SG |
1306 | </para> |
1307 | <variablelist> | |
c464fd7e SG |
1308 | <varlistentry> |
1309 | <term> | |
b84702ab | 1310 | <option>lxc.selinux.context</option> |
c464fd7e SG |
1311 | </term> |
1312 | <listitem> | |
1313 | <para> | |
1314 | Specify the SELinux context under which the container should | |
1315 | be run or <command>unconfined_t</command>. For example | |
1316 | </para> | |
b84702ab | 1317 | <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting> |
c464fd7e SG |
1318 | </listitem> |
1319 | </varlistentry> | |
55fc19a1 SG |
1320 | </variablelist> |
1321 | </refsect2> | |
1322 | ||
1323 | <refsect2> | |
1324 | <title>Seccomp configuration</title> | |
1325 | <para> | |
1326 | A container can be started with a reduced set of available | |
c464fd7e SG |
1327 | system calls by loading a seccomp profile at startup. The |
1328 | seccomp configuration file must begin with a version number | |
1329 | on the first line, a policy type on the second line, followed | |
1330 | by the configuration. | |
55fc19a1 | 1331 | </para> |
a7c27357 SH |
1332 | <para> |
1333 | Versions 1 and 2 are currently supported. In version 1, the | |
c464fd7e SG |
1334 | policy is a simple whitelist. The second line therefore must |
1335 | read "whitelist", with the rest of the file containing one (numeric) | |
1336 | sycall number per line. Each syscall number is whitelisted, | |
1337 | while every unlisted number is blacklisted for use in the container | |
a7c27357 SH |
1338 | </para> |
1339 | ||
1340 | <para> | |
1341 | In version 2, the policy may be blacklist or whitelist, | |
1342 | supports per-rule and per-policy default actions, and supports | |
1343 | per-architecture system call resolution from textual names. | |
1344 | </para> | |
1345 | <para> | |
1346 | An example blacklist policy, in which all system calls are | |
1347 | allowed except for mknod, which will simply do nothing and | |
1348 | return 0 (success), looks like: | |
1349 | </para> | |
b9986e43 CB |
1350 | |
1351 | <programlisting> | |
1352 | 2 | |
1353 | blacklist | |
1354 | mknod errno 0 | |
1355 | </programlisting> | |
1356 | ||
55fc19a1 | 1357 | <variablelist> |
c464fd7e SG |
1358 | <varlistentry> |
1359 | <term> | |
0b427da0 | 1360 | <option>lxc.seccomp.profile</option> |
c464fd7e SG |
1361 | </term> |
1362 | <listitem> | |
1363 | <para> | |
1364 | Specify a file containing the seccomp configuration to | |
1365 | load before the container starts. | |
1366 | </para> | |
1367 | </listitem> | |
1368 | </varlistentry> | |
55fc19a1 SG |
1369 | </variablelist> |
1370 | </refsect2> | |
1371 | ||
222ddc91 CB |
1372 | <refsect2> |
1373 | <title>PR_SET_NO_NEW_PRIVS</title> | |
1374 | <para> | |
1375 | With PR_SET_NO_NEW_PRIVS active execve() promises not to grant | |
1376 | privileges to do anything that could not have been done without | |
1377 | the execve() call (for example, rendering the set-user-ID and | |
1378 | set-group-ID mode bits, and file capabilities non-functional). | |
1379 | Once set, this bit cannot be unset. The setting of this bit is | |
1380 | inherited by children created by fork() and clone(), and preserved | |
1381 | across execve(). | |
1382 | Note that PR_SET_NO_NEW_PRIVS is applied after the container has | |
1383 | changed into its intended AppArmor profile or SElinux context. | |
1384 | </para> | |
1385 | <variablelist> | |
1386 | <varlistentry> | |
1387 | <term> | |
1388 | <option>lxc.no_new_privs</option> | |
1389 | </term> | |
1390 | <listitem> | |
1391 | <para> | |
1392 | Specify whether the PR_SET_NO_NEW_PRIVS flag should be set for the | |
1393 | container. Set to 1 to activate. | |
1394 | </para> | |
1395 | </listitem> | |
1396 | </varlistentry> | |
1397 | </variablelist> | |
1398 | </refsect2> | |
1399 | ||
55fc19a1 SG |
1400 | <refsect2> |
1401 | <title>UID mappings</title> | |
1402 | <para> | |
1403 | A container can be started in a private user namespace with | |
c464fd7e SG |
1404 | user and group id mappings. For instance, you can map userid |
1405 | 0 in the container to userid 200000 on the host. The root | |
1406 | user in the container will be privileged in the container, | |
1407 | but unprivileged on the host. Normally a system container | |
1408 | will want a range of ids, so you would map, for instance, | |
1409 | user and group ids 0 through 20,000 in the container to the | |
1410 | ids 200,000 through 220,000. | |
55fc19a1 SG |
1411 | </para> |
1412 | <variablelist> | |
c464fd7e SG |
1413 | <varlistentry> |
1414 | <term> | |
bdcbb6b3 | 1415 | <option>lxc.idmap</option> |
c464fd7e SG |
1416 | </term> |
1417 | <listitem> | |
1418 | <para> | |
1419 | Four values must be provided. First a character, either | |
1420 | 'u', or 'g', to specify whether user or group ids are | |
1421 | being mapped. Next is the first userid as seen in the | |
1422 | user namespace of the container. Next is the userid as | |
1423 | seen on the host. Finally, a range indicating the number | |
1424 | of consecutive ids to map. | |
1425 | </para> | |
1426 | </listitem> | |
1427 | </varlistentry> | |
55fc19a1 SG |
1428 | </variablelist> |
1429 | </refsect2> | |
1430 | ||
1431 | <refsect2> | |
1432 | <title>Container hooks</title> | |
1433 | <para> | |
1434 | Container hooks are programs or scripts which can be executed | |
c464fd7e | 1435 | at various times in a container's lifetime. |
55fc19a1 SG |
1436 | </para> |
1437 | <para> | |
1438 | When a container hook is executed, information is passed both | |
c464fd7e SG |
1439 | as command line arguments and through environment variables. |
1440 | The arguments are: | |
1441 | <itemizedlist> | |
1442 | <listitem><para> Container name. </para></listitem> | |
1443 | <listitem><para> Section (always 'lxc'). </para></listitem> | |
1444 | <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem> | |
0a2b5ab1 | 1445 | <listitem><para> Additional arguments. In the |
c464fd7e | 1446 | case of the clone hook, any extra arguments passed to |
0a2b5ab1 WB |
1447 | lxc-clone will appear as further arguments to the hook. |
1448 | In the case of the stop hook, paths to filedescriptors | |
1449 | for each of the container's namespaces along with their types | |
1450 | are passed. </para></listitem> | |
c464fd7e SG |
1451 | </itemizedlist> |
1452 | The following environment variables are set: | |
1453 | <itemizedlist> | |
1454 | <listitem><para> LXC_NAME: is the container's name. </para></listitem> | |
1455 | <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem> | |
1456 | <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem> | |
1457 | <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem> | |
7a96a068 | 1458 | <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem> |
b68c6a71 CB |
1459 | <listitem><para> LXC_CGNS_AWARE: indicated whether the container is cgroup namespace aware. </para></listitem> |
1460 | <listitem><para> LXC_LOG_LEVEL: the container's log level. </para></listitem> | |
c464fd7e | 1461 | </itemizedlist> |
55fc19a1 SG |
1462 | </para> |
1463 | <para> | |
1464 | Standard output from the hooks is logged at debug level. | |
1465 | Standard error is not logged, but can be captured by the | |
1466 | hook redirecting its standard error to standard output. | |
1467 | </para> | |
1468 | <variablelist> | |
c464fd7e SG |
1469 | <varlistentry> |
1470 | <term> | |
1471 | <option>lxc.hook.pre-start</option> | |
1472 | </term> | |
1473 | <listitem> | |
1474 | <para> | |
1475 | A hook to be run in the host's namespace before the | |
1476 | container ttys, consoles, or mounts are up. | |
1477 | </para> | |
1478 | </listitem> | |
1479 | </varlistentry> | |
55fc19a1 SG |
1480 | </variablelist> |
1481 | <variablelist> | |
c464fd7e SG |
1482 | <varlistentry> |
1483 | <term> | |
1484 | <option>lxc.hook.pre-mount</option> | |
1485 | </term> | |
1486 | <listitem> | |
1487 | <para> | |
1488 | A hook to be run in the container's fs namespace but before | |
1489 | the rootfs has been set up. This allows for manipulation | |
1490 | of the rootfs, i.e. to mount an encrypted filesystem. Mounts | |
1491 | done in this hook will not be reflected on the host (apart from | |
1492 | mounts propagation), so they will be automatically cleaned up | |
1493 | when the container shuts down. | |
1494 | </para> | |
1495 | </listitem> | |
1496 | </varlistentry> | |
55fc19a1 SG |
1497 | </variablelist> |
1498 | <variablelist> | |
c464fd7e SG |
1499 | <varlistentry> |
1500 | <term> | |
1501 | <option>lxc.hook.mount</option> | |
1502 | </term> | |
1503 | <listitem> | |
1504 | <para> | |
1505 | A hook to be run in the container's namespace after | |
1506 | mounting has been done, but before the pivot_root. | |
1507 | </para> | |
1508 | </listitem> | |
1509 | </varlistentry> | |
55fc19a1 SG |
1510 | </variablelist> |
1511 | <variablelist> | |
c464fd7e SG |
1512 | <varlistentry> |
1513 | <term> | |
1514 | <option>lxc.hook.autodev</option> | |
1515 | </term> | |
1516 | <listitem> | |
1517 | <para> | |
1518 | A hook to be run in the container's namespace after | |
1519 | mounting has been done and after any mount hooks have | |
1520 | run, but before the pivot_root, if | |
1521 | <option>lxc.autodev</option> == 1. | |
1522 | The purpose of this hook is to assist in populating the | |
1523 | /dev directory of the container when using the autodev | |
1524 | option for systemd based containers. The container's /dev | |
1525 | directory is relative to the | |
1526 | ${<option>LXC_ROOTFS_MOUNT</option>} environment | |
1527 | variable available when the hook is run. | |
1528 | </para> | |
1529 | </listitem> | |
1530 | </varlistentry> | |
55fc19a1 | 1531 | </variablelist> |
08dd2805 SH |
1532 | <variablelist> |
1533 | <varlistentry> | |
1534 | <term> | |
1535 | <option>lxc.hook.start-host</option> | |
1536 | </term> | |
1537 | <listitem> | |
1538 | <para> | |
1539 | A hook to be run in the host's namespace after the | |
1540 | container has been setup, and immediately before starting | |
1541 | the container init. | |
1542 | </para> | |
1543 | </listitem> | |
1544 | </varlistentry> | |
1545 | </variablelist> | |
55fc19a1 | 1546 | <variablelist> |
c464fd7e SG |
1547 | <varlistentry> |
1548 | <term> | |
1549 | <option>lxc.hook.start</option> | |
1550 | </term> | |
1551 | <listitem> | |
1552 | <para> | |
1553 | A hook to be run in the container's namespace immediately | |
1554 | before executing the container's init. This requires the | |
1555 | program to be available in the container. | |
1556 | </para> | |
1557 | </listitem> | |
1558 | </varlistentry> | |
55fc19a1 | 1559 | </variablelist> |
0a2b5ab1 WB |
1560 | <variablelist> |
1561 | <varlistentry> | |
1562 | <term> | |
1563 | <option>lxc.hook.stop</option> | |
1564 | </term> | |
1565 | <listitem> | |
1566 | <para> | |
1567 | A hook to be run in the host's namespace with references | |
1568 | to the container's namespaces after the container has been shut | |
1569 | down. For each namespace an extra argument is passed to the hook | |
1570 | containing the namespace's type and a filename that can be used to | |
1571 | obtain a file descriptor to the corresponding namespace, separated | |
1572 | by a colon. The type is the name as it would appear in the | |
1573 | <filename>/proc/PID/ns</filename> directory. | |
1574 | For instance for the mount namespace the argument usually looks | |
1575 | like <filename>mnt:/proc/PID/fd/12</filename>. | |
1576 | </para> | |
1577 | </listitem> | |
1578 | </varlistentry> | |
1579 | </variablelist> | |
55fc19a1 | 1580 | <variablelist> |
c464fd7e SG |
1581 | <varlistentry> |
1582 | <term> | |
1583 | <option>lxc.hook.post-stop</option> | |
1584 | </term> | |
1585 | <listitem> | |
1586 | <para> | |
1587 | A hook to be run in the host's namespace after the | |
1588 | container has been shut down. | |
1589 | </para> | |
1590 | </listitem> | |
1591 | </varlistentry> | |
55fc19a1 SG |
1592 | </variablelist> |
1593 | <variablelist> | |
c464fd7e SG |
1594 | <varlistentry> |
1595 | <term> | |
1596 | <option>lxc.hook.clone</option> | |
1597 | </term> | |
1598 | <listitem> | |
1599 | <para> | |
1600 | A hook to be run when the container is cloned to a new one. | |
1601 | See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle> | |
1602 | <manvolnum>1</manvolnum></citerefentry> for more information. | |
1603 | </para> | |
1604 | </listitem> | |
1605 | </varlistentry> | |
55fc19a1 | 1606 | </variablelist> |
37cf711b SY |
1607 | <variablelist> |
1608 | <varlistentry> | |
1609 | <term> | |
1610 | <option>lxc.hook.destroy</option> | |
1611 | </term> | |
1612 | <listitem> | |
1613 | <para> | |
1614 | A hook to be run when the container is destroyed. | |
1615 | </para> | |
1616 | </listitem> | |
1617 | </varlistentry> | |
1618 | </variablelist> | |
55fc19a1 SG |
1619 | </refsect2> |
1620 | ||
1621 | <refsect2> | |
1622 | <title>Container hooks Environment Variables</title> | |
1623 | <para> | |
1624 | A number of environment variables are made available to the startup | |
1625 | hooks to provide configuration information and assist in the | |
1626 | functioning of the hooks. Not all variables are valid in all | |
1627 | contexts. In particular, all paths are relative to the host system | |
1628 | and, as such, not valid during the <option>lxc.hook.start</option> hook. | |
1629 | </para> | |
1630 | <variablelist> | |
c464fd7e SG |
1631 | <varlistentry> |
1632 | <term> | |
1633 | <option>LXC_NAME</option> | |
1634 | </term> | |
1635 | <listitem> | |
1636 | <para> | |
1637 | The LXC name of the container. Useful for logging messages | |
1638 | in common log environments. [<option>-n</option>] | |
1639 | </para> | |
1640 | </listitem> | |
1641 | </varlistentry> | |
55fc19a1 SG |
1642 | </variablelist> |
1643 | <variablelist> | |
c464fd7e SG |
1644 | <varlistentry> |
1645 | <term> | |
1646 | <option>LXC_CONFIG_FILE</option> | |
1647 | </term> | |
1648 | <listitem> | |
1649 | <para> | |
1650 | Host relative path to the container configuration file. This | |
1651 | gives the container to reference the original, top level, | |
1652 | configuration file for the container in order to locate any | |
1653 | additional configuration information not otherwise made | |
1654 | available. [<option>-f</option>] | |
1655 | </para> | |
1656 | </listitem> | |
1657 | </varlistentry> | |
55fc19a1 SG |
1658 | </variablelist> |
1659 | <variablelist> | |
c464fd7e SG |
1660 | <varlistentry> |
1661 | <term> | |
1662 | <option>LXC_CONSOLE</option> | |
1663 | </term> | |
1664 | <listitem> | |
1665 | <para> | |
1666 | The path to the console output of the container if not NULL. | |
3aed4934 | 1667 | [<option>-c</option>] [<option>lxc.console.path</option>] |
c464fd7e SG |
1668 | </para> |
1669 | </listitem> | |
1670 | </varlistentry> | |
55fc19a1 SG |
1671 | </variablelist> |
1672 | <variablelist> | |
c464fd7e SG |
1673 | <varlistentry> |
1674 | <term> | |
1675 | <option>LXC_CONSOLE_LOGPATH</option> | |
1676 | </term> | |
1677 | <listitem> | |
1678 | <para> | |
1679 | The path to the console log output of the container if not NULL. | |
1680 | [<option>-L</option>] | |
1681 | </para> | |
1682 | </listitem> | |
1683 | </varlistentry> | |
55fc19a1 SG |
1684 | </variablelist> |
1685 | <variablelist> | |
c464fd7e SG |
1686 | <varlistentry> |
1687 | <term> | |
1688 | <option>LXC_ROOTFS_MOUNT</option> | |
1689 | </term> | |
1690 | <listitem> | |
1691 | <para> | |
1692 | The mount location to which the container is initially bound. | |
1693 | This will be the host relative path to the container rootfs | |
1694 | for the container instance being started and is where changes | |
1695 | should be made for that instance. | |
1696 | [<option>lxc.rootfs.mount</option>] | |
1697 | </para> | |
1698 | </listitem> | |
1699 | </varlistentry> | |
55fc19a1 SG |
1700 | </variablelist> |
1701 | <variablelist> | |
c464fd7e SG |
1702 | <varlistentry> |
1703 | <term> | |
1704 | <option>LXC_ROOTFS_PATH</option> | |
1705 | </term> | |
1706 | <listitem> | |
1707 | <para> | |
1708 | The host relative path to the container root which has been | |
1709 | mounted to the rootfs.mount location. | |
7a96a068 | 1710 | [<option>lxc.rootfs.path</option>] |
c464fd7e SG |
1711 | </para> |
1712 | </listitem> | |
1713 | </varlistentry> | |
55fc19a1 | 1714 | </variablelist> |
07945418 KY |
1715 | <variablelist> |
1716 | <varlistentry> | |
1717 | <term> | |
1718 | <option>LXC_SRC_NAME</option> | |
1719 | </term> | |
1720 | <listitem> | |
1721 | <para> | |
1722 | Only for the clone hook. Is set to the original container name. | |
1723 | </para> | |
1724 | </listitem> | |
1725 | </varlistentry> | |
1726 | </variablelist> | |
c154af98 SG |
1727 | <variablelist> |
1728 | <varlistentry> | |
1729 | <term> | |
1730 | <option>LXC_TARGET</option> | |
1731 | </term> | |
1732 | <listitem> | |
1733 | <para> | |
1734 | Only for the stop hook. Is set to "stop" for a container | |
1735 | shutdown or "reboot" for a container reboot. | |
1736 | </para> | |
1737 | </listitem> | |
1738 | </varlistentry> | |
c4cafa08 SH |
1739 | </variablelist> |
1740 | <variablelist> | |
1741 | <varlistentry> | |
1742 | <term> | |
1743 | <option>LXC_CGNS_AWARE</option> | |
1744 | </term> | |
1745 | <listitem> | |
1746 | <para> | |
1747 | If unset, then this version of lxc is not aware of cgroup | |
1748 | namespaces. If set, it will be set to 1, and lxc is aware | |
1749 | of cgroup namespaces. Note this does not guarantee that | |
1750 | cgroup namespaces are enabled in the kernel. This is used | |
1751 | by the lxcfs mount hook. | |
1752 | </para> | |
1753 | </listitem> | |
1754 | </varlistentry> | |
c154af98 | 1755 | </variablelist> |
55fc19a1 SG |
1756 | </refsect2> |
1757 | <refsect2> | |
1758 | <title>Logging</title> | |
1759 | <para> | |
1760 | Logging can be configured on a per-container basis. By default, | |
1761 | depending upon how the lxc package was compiled, container startup | |
1762 | is logged only at the ERROR level, and logged to a file named after | |
1763 | the container (with '.log' appended) either under the container path, | |
1764 | or under @LOGPATH@. | |
1765 | </para> | |
1766 | <para> | |
1767 | Both the default log level and the log file can be specified in the | |
1768 | container configuration file, overriding the default behavior. Note | |
1769 | that the configuration file entries can in turn be overridden by the | |
1770 | command line options to <command>lxc-start</command>. | |
1771 | </para> | |
1772 | <variablelist> | |
c464fd7e SG |
1773 | <varlistentry> |
1774 | <term> | |
46cc906d | 1775 | <option>lxc.log.level</option> |
c464fd7e SG |
1776 | </term> |
1777 | <listitem> | |
1778 | <para> | |
1779 | The level at which to log. The log level is an integer in | |
1780 | the range of 0..8 inclusive, where a lower number means more | |
1781 | verbose debugging. In particular 0 = trace, 1 = debug, 2 = | |
1782 | info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = | |
1783 | alert, and 8 = fatal. If unspecified, the level defaults | |
1784 | to 5 (error), so that only errors and above are logged. | |
1785 | </para> | |
1786 | <para> | |
1787 | Note that when a script (such as either a hook script or a | |
1788 | network interface up or down script) is called, the script's | |
1789 | standard output is logged at level 1, debug. | |
1790 | </para> | |
1791 | </listitem> | |
1792 | </varlistentry> | |
1793 | <varlistentry> | |
1794 | <term> | |
46cc906d | 1795 | <option>lxc.log</option> |
c464fd7e SG |
1796 | </term> |
1797 | <listitem> | |
1798 | <para> | |
1799 | The file to which logging info should be written. | |
1800 | </para> | |
1801 | </listitem> | |
1802 | </varlistentry> | |
204dfdf2 BD |
1803 | <varlistentry> |
1804 | <term> | |
46cc906d | 1805 | <option>lxc.log.syslog</option> |
204dfdf2 BD |
1806 | </term> |
1807 | <listitem> | |
1808 | <para> | |
1809 | Send logging info to syslog. It respects the log level defined in | |
46cc906d | 1810 | <command>lxc.log.level</command>. The argument should be the syslog |
204dfdf2 | 1811 | facility to use, valid ones are: daemon, local0, local1, local2, |
917420dd | 1812 | local3, local4, local5, local5, local6, local7. |
204dfdf2 BD |
1813 | </para> |
1814 | </listitem> | |
1815 | </varlistentry> | |
55fc19a1 SG |
1816 | </variablelist> |
1817 | </refsect2> | |
1818 | ||
1819 | <refsect2> | |
1820 | <title>Autostart</title> | |
1821 | <para> | |
1822 | The autostart options support marking which containers should be | |
1823 | auto-started and in what order. These options may be used by LXC tools | |
1824 | directly or by external tooling provided by the distributions. | |
1825 | </para> | |
1826 | ||
1827 | <variablelist> | |
1828 | <varlistentry> | |
1829 | <term> | |
1830 | <option>lxc.start.auto</option> | |
1831 | </term> | |
1832 | <listitem> | |
1833 | <para> | |
1834 | Whether the container should be auto-started. | |
1835 | Valid values are 0 (off) and 1 (on). | |
1836 | </para> | |
1837 | </listitem> | |
1838 | </varlistentry> | |
1839 | <varlistentry> | |
1840 | <term> | |
1841 | <option>lxc.start.delay</option> | |
1842 | </term> | |
1843 | <listitem> | |
1844 | <para> | |
1845 | How long to wait (in seconds) after the container is | |
1846 | started before starting the next one. | |
1847 | </para> | |
1848 | </listitem> | |
1849 | </varlistentry> | |
1850 | <varlistentry> | |
1851 | <term> | |
1852 | <option>lxc.start.order</option> | |
1853 | </term> | |
1854 | <listitem> | |
1855 | <para> | |
1856 | An integer used to sort the containers when auto-starting | |
1857 | a series of containers at once. | |
1858 | </para> | |
1859 | </listitem> | |
1860 | </varlistentry> | |
a8dfe4e0 WB |
1861 | <varlistentry> |
1862 | <term> | |
1863 | <option>lxc.monitor.unshare</option> | |
1864 | </term> | |
1865 | <listitem> | |
1866 | <para> | |
1867 | If not zero the mount namespace will be unshared from the host | |
1868 | before initializing the container (before running any pre-start | |
6039eaa2 WB |
1869 | hooks). This requires the CAP_SYS_ADMIN capability at startup. |
1870 | Default is 0. | |
a8dfe4e0 WB |
1871 | </para> |
1872 | </listitem> | |
1873 | </varlistentry> | |
55fc19a1 SG |
1874 | <varlistentry> |
1875 | <term> | |
1876 | <option>lxc.group</option> | |
1877 | </term> | |
1878 | <listitem> | |
1879 | <para> | |
1880 | A multi-value key (can be used multiple times) to put the | |
1881 | container in a container group. Those groups can then be | |
1882 | used (amongst other things) to start a series of related | |
1883 | containers. | |
1884 | </para> | |
1885 | </listitem> | |
1886 | </varlistentry> | |
1887 | </variablelist> | |
1888 | </refsect2> | |
015f0dd7 MW |
1889 | |
1890 | <refsect2> | |
1891 | <title>Autostart and System Boot</title> | |
1892 | <para> | |
1893 | Each container can be part of any number of groups or no group at all. | |
1894 | Two groups are special. One is the NULL group, i.e. the container does | |
1895 | not belong to any group. The other group is the "onboot" group. | |
1896 | </para> | |
1897 | ||
1898 | <para> | |
1899 | When the system boots with the LXC service enabled, it will first | |
1900 | attempt to boot any containers with lxc.start.auto == 1 that is a member | |
1901 | of the "onboot" group. The startup will be in order of lxc.start.order. | |
1902 | If an lxc.start.delay has been specified, that delay will be honored | |
1903 | before attempting to start the next container to give the current | |
1904 | container time to begin initialization and reduce overloading the host | |
1905 | system. After starting the members of the "onboot" group, the LXC system | |
1906 | will proceed to boot containers with lxc.start.auto == 1 which are not | |
1907 | members of any group (the NULL group) and proceed as with the onboot | |
1908 | group. | |
1909 | </para> | |
1910 | ||
1911 | </refsect2> | |
7c661726 MP |
1912 | |
1913 | <refsect2> | |
1914 | <title>Container Environment</title> | |
1915 | <para> | |
c464fd7e SG |
1916 | If you want to pass environment variables into the container (that |
1917 | is, environment variables which will be available to init and all of | |
1918 | its descendents), you can use <command>lxc.environment</command> | |
1919 | parameters to do so. Be careful that you do not pass in anything | |
1920 | sensitive; any process in the container which doesn't have its | |
1921 | environment scrubbed will have these variables available to it, and | |
1922 | environment variables are always available via | |
1923 | <command>/proc/PID/environ</command>. | |
7c661726 MP |
1924 | </para> |
1925 | ||
1926 | <para> | |
1927 | This configuration parameter can be specified multiple times; once | |
1928 | for each environment variable you wish to configure. | |
1929 | </para> | |
1930 | ||
1931 | <variablelist> | |
c464fd7e SG |
1932 | <varlistentry> |
1933 | <term> | |
1934 | <option>lxc.environment</option> | |
1935 | </term> | |
1936 | <listitem> | |
1937 | <para> | |
1938 | Specify an environment variable to pass into the container. | |
1939 | Example: | |
1940 | </para> | |
1941 | <programlisting> | |
1942 | lxc.environment = APP_ENV=production | |
1943 | lxc.environment = SYSLOG_SERVER=192.0.2.42 | |
1944 | </programlisting> | |
1945 | </listitem> | |
1946 | </varlistentry> | |
7c661726 MP |
1947 | </variablelist> |
1948 | </refsect2> | |
1949 | ||
55fc19a1 SG |
1950 | </refsect1> |
1951 | ||
1952 | <refsect1> | |
1953 | <title>Examples</title> | |
1954 | <para> | |
c464fd7e SG |
1955 | In addition to the few examples given below, you will find |
1956 | some other examples of configuration file in @DOCDIR@/examples | |
55fc19a1 SG |
1957 | </para> |
1958 | <refsect2> | |
1959 | <title>Network</title> | |
1960 | <para>This configuration sets up a container to use a veth pair | |
c464fd7e SG |
1961 | device with one side plugged to a bridge br0 (which has been |
1962 | configured before on the system by the administrator). The | |
1963 | virtual network device visible in the container is renamed to | |
1964 | eth0.</para> | |
55fc19a1 | 1965 | <programlisting> |
b67771bc | 1966 | lxc.uts.name = myhostname |
7fa3f2e9 | 1967 | lxc.net.0.type = veth |
1968 | lxc.net.0.flags = up | |
1969 | lxc.net.0.link = br0 | |
1970 | lxc.net.0.name = eth0 | |
1971 | lxc.net.0.hwaddr = 4a:49:43:49:79:bf | |
9ff60df2 | 1972 | lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255 |
2e44ae28 | 1973 | lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597 |
55fc19a1 SG |
1974 | </programlisting> |
1975 | </refsect2> | |
1976 | ||
1977 | <refsect2> | |
1978 | <title>UID/GID mapping</title> | |
1979 | <para>This configuration will map both user and group ids in the | |
1980 | range 0-9999 in the container to the ids 100000-109999 on the host. | |
1981 | </para> | |
1982 | <programlisting> | |
bdcbb6b3 CB |
1983 | lxc.idmap = u 0 100000 10000 |
1984 | lxc.idmap = g 0 100000 10000 | |
55fc19a1 SG |
1985 | </programlisting> |
1986 | </refsect2> | |
1987 | ||
1988 | <refsect2> | |
1989 | <title>Control group</title> | |
1990 | <para>This configuration will setup several control groups for | |
1991 | the application, cpuset.cpus restricts usage of the defined cpu, | |
1992 | cpus.share prioritize the control group, devices.allow makes | |
1993 | usable the specified devices.</para> | |
1994 | <programlisting> | |
c464fd7e SG |
1995 | lxc.cgroup.cpuset.cpus = 0,1 |
1996 | lxc.cgroup.cpu.shares = 1234 | |
1997 | lxc.cgroup.devices.deny = a | |
1998 | lxc.cgroup.devices.allow = c 1:3 rw | |
1999 | lxc.cgroup.devices.allow = b 8:0 rw | |
55fc19a1 SG |
2000 | </programlisting> |
2001 | </refsect2> | |
2002 | ||
2003 | <refsect2> | |
2004 | <title>Complex configuration</title> | |
2005 | <para>This example show a complex configuration making a complex | |
2006 | network stack, using the control groups, setting a new hostname, | |
2007 | mounting some locations and a changing root file system.</para> | |
2008 | <programlisting> | |
b67771bc | 2009 | lxc.uts.name = complex |
7fa3f2e9 | 2010 | lxc.net.0.type = veth |
2011 | lxc.net.0.flags = up | |
2012 | lxc.net.0.link = br0 | |
2013 | lxc.net.0.hwaddr = 4a:49:43:49:79:bf | |
9ff60df2 | 2014 | lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255 |
2e44ae28 CB |
2015 | lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597 |
2016 | lxc.net.0.ipv6.address = 2003:db8:1:0:214:5432:feab:3588 | |
7fa3f2e9 | 2017 | lxc.net.1.type = macvlan |
2018 | lxc.net.1.flags = up | |
2019 | lxc.net.1.link = eth0 | |
2020 | lxc.net.1.hwaddr = 4a:49:43:49:79:bd | |
9ff60df2 CB |
2021 | lxc.net.1.ipv4.address = 10.2.3.4/24 |
2022 | lxc.net.1.ipv4.address = 192.168.10.125/24 | |
2e44ae28 | 2023 | lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596 |
7fa3f2e9 | 2024 | lxc.net.2.type = phys |
2025 | lxc.net.2.flags = up | |
2026 | lxc.net.2.link = dummy0 | |
2027 | lxc.net.2.hwaddr = 4a:49:43:49:79:ff | |
9ff60df2 | 2028 | lxc.net.2.ipv4.address = 10.2.3.6/24 |
2e44ae28 | 2029 | lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297 |
c464fd7e SG |
2030 | lxc.cgroup.cpuset.cpus = 0,1 |
2031 | lxc.cgroup.cpu.shares = 1234 | |
2032 | lxc.cgroup.devices.deny = a | |
2033 | lxc.cgroup.devices.allow = c 1:3 rw | |
2034 | lxc.cgroup.devices.allow = b 8:0 rw | |
47148e96 | 2035 | lxc.mount.fstab = /etc/fstab.complex |
c464fd7e | 2036 | lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0 |
7a96a068 | 2037 | lxc.rootfs.path = dir:/mnt/rootfs.complex |
c464fd7e SG |
2038 | lxc.cap.drop = sys_module mknod setuid net_raw |
2039 | lxc.cap.drop = mac_override | |
55fc19a1 SG |
2040 | </programlisting> |
2041 | </refsect2> | |
2042 | ||
2043 | </refsect1> | |
2044 | ||
2045 | <refsect1> | |
2046 | <title>See Also</title> | |
2047 | <simpara> | |
2048 | <citerefentry> | |
c464fd7e SG |
2049 | <refentrytitle><command>chroot</command></refentrytitle> |
2050 | <manvolnum>1</manvolnum> | |
55fc19a1 SG |
2051 | </citerefentry>, |
2052 | ||
2053 | <citerefentry> | |
c464fd7e SG |
2054 | <refentrytitle><command>pivot_root</command></refentrytitle> |
2055 | <manvolnum>8</manvolnum> | |
55fc19a1 SG |
2056 | </citerefentry>, |
2057 | ||
2058 | <citerefentry> | |
c464fd7e SG |
2059 | <refentrytitle><filename>fstab</filename></refentrytitle> |
2060 | <manvolnum>5</manvolnum> | |
55fc19a1 SG |
2061 | </citerefentry>, |
2062 | ||
2063 | <citerefentry> | |
c464fd7e SG |
2064 | <refentrytitle><filename>capabilities</filename></refentrytitle> |
2065 | <manvolnum>7</manvolnum> | |
55fc19a1 SG |
2066 | </citerefentry> |
2067 | </simpara> | |
2068 | </refsect1> | |
2069 | ||
2070 | &seealso; | |
2071 | ||
2072 | <refsect1> | |
2073 | <title>Author</title> | |
2074 | <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para> | |
2075 | </refsect1> | |
2076 | ||
2077 | </refentry> | |
2078 | ||
2079 | <!-- Keep this comment at the end of the file | |
2080 | Local variables: | |
2081 | mode: sgml | |
2082 | sgml-omittag:t | |
2083 | sgml-shorttag:t | |
2084 | sgml-minimize-attributes:nil | |
2085 | sgml-always-quote-attributes:t | |
2086 | sgml-indent-step:2 | |
2087 | sgml-indent-data:t | |
2088 | sgml-parent-document:nil | |
2089 | sgml-default-dtd-file:nil | |
2090 | sgml-exposed-tags:nil | |
2091 | sgml-local-catalogs:nil | |
2092 | sgml-local-ecat-files:nil | |
2093 | End: | |
2094 | --> |