]> git.proxmox.com Git - mirror_lxc.git/blame - doc/lxc.container.conf.sgml.in
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #1920 from brauner/2017-11-12/console_exit_clean_on_sigterm
[mirror_lxc.git] / doc / lxc.container.conf.sgml.in
CommitLineData
55fc19a1
SG		 1<!--
2
3lxc: linux Container library
4
5(C) Copyright IBM Corp. 2007, 2008
6
7Authors:
8Daniel Lezcano <daniel.lezcano at free.fr>
9
10This library is free software; you can redistribute it and/or
11modify it under the terms of the GNU Lesser General Public
12License as published by the Free Software Foundation; either
13version 2.1 of the License, or (at your option) any later version.
14
15This library is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18Lesser General Public License for more details.
19
20You should have received a copy of the GNU Lesser General Public
21License along with this library; if not, write to the Free Software
22Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23
24-->
25
26<!DOCTYPE refentry PUBLIC @docdtd@ [
27
28<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
29]>
30
31<refentry>
32
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
34
35 <refmeta>
36 <refentrytitle>lxc.container.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
38 </refmeta>
39
40 <refnamediv>
41 <refname>lxc.container.conf</refname>
42
43 <refpurpose>
44 LXC container configuration file
45 </refpurpose>
46 </refnamediv>
47
48 <refsect1>
49 <title>Description</title>
50
51 <para>
b9986e43
CB		 52 LXC is the well-known and heavily tested low-level Linux container
53 runtime. It is in active development since 2008 and has proven itself in
54 critical production environments world-wide. Some of its core contributors
55 are the same people that helped to implement various well-known
56 containerization features inside the Linux kernel.
55fc19a1
SG		 57 </para>
58
59 <para>
b9986e43
CB		 60 LXC's main focus is system containers. That is, containers which offer an
61 environment as close as possible as the one you'd get from a VM but
62 without the overhead that comes with running a separate kernel and
63 simulating all the hardware.
55fc19a1
SG		 64 </para>
65
66 <para>
b9986e43
CB		 67 This is achieved through a combination of kernel security features such as
68 namespaces, mandatory access control and control groups.
69 </para>
70
71 <para>
72 LXC has supports unprivileged containers. Unprivileged containers are
73 containers that are run without any privilege. This requires support for
74 user namespaces in the kernel that the container is run on. LXC was the
75 first runtime to support unprivileged containers after user namespaces
76 were merged into the mainline kernel.
77 </para>
78
79 <para>
80 In essence, user namespaces isolate given sets of UIDs and GIDs. This is
81 achieved by establishing a mapping between a range of UIDs and GIDs on the
82 host to a different (unprivileged) range of UIDs and GIDs in the
83 container. The kernel will translate this mapping in such a way that
84 inside the container all UIDs and GIDs appear as you would expect from the
85 host whereas on the host these UIDs and GIDs are in fact unprivileged. For
86 example, a process running as UID and GID 0 inside the container might
87 appear as UID and GID 100000 on the host. The implementation and working
88 details can be gathered from the corresponding user namespace man page.
bdcbb6b3 89 UID and GID mappings can be defined with the <option>lxc.idmap</option>
b9986e43
CB		 90 key.
91 </para>
92
93 <para>
94 Linux containers are defined with a simple configuration file. Each
95 option in the configuration file has the form <command>key =
96 value</command> fitting in one line. The "#" character means the line is a
97 comment. List options, like capabilities and cgroups options, can be used
98 with no value to clear any previously defined values of that option.
99 </para>
100
101 <para>
102 LXC namespaces configuration keys by using single dots. This means complex
7fa3f2e9 103 configuration keys such as <option>lxc.net.0</option> expose various
104 subkeys such as <option>lxc.net.0.type</option>,
2e44ae28 105 <option>lxc.net.0.link</option>, <option>lxc.net.0.ipv6.address</option>, and
b9986e43 106 others for even more fine-grained configuration.
55fc19a1
SG		 107 </para>
108
109 <refsect2>
110 <title>Configuration</title>
111 <para>
b9986e43
CB		 112 In order to ease administration of multiple related containers, it is
113 possible to have a container configuration file cause another file to be
114 loaded. For instance, network configuration can be defined in one common
115 file which is included by multiple containers. Then, if the containers
116 are moved to another host, only one file may need to be updated.
55fc19a1
SG		 117 </para>
118
119 <variablelist>
c464fd7e
SG		 120 <varlistentry>
121 <term>
122 <option>lxc.include</option>
123 </term>
124 <listitem>
125 <para>
126 Specify the file to be included. The included file must be
127 in the same valid lxc configuration file format.
128 </para>
129 </listitem>
130 </varlistentry>
55fc19a1
SG		 131 </variablelist>
132 </refsect2>
133
134 <refsect2>
135 <title>Architecture</title>
136 <para>
b9986e43
CB		 137 Allows one to set the architecture for the container. For example, set a
138 32bits architecture for a container running 32bits binaries on a 64bits
139 host. This fixes the container scripts which rely on the architecture to
140 do some work like downloading the packages.
55fc19a1
SG		 141 </para>
142
143 <variablelist>
c464fd7e
SG		 144 <varlistentry>
145 <term>
146 <option>lxc.arch</option>
147 </term>
148 <listitem>
149 <para>
150 Specify the architecture for the container.
151 </para>
152 <para>
b9986e43 153 Some valid options are
c464fd7e
SG		 154 <option>x86</option>,
155 <option>i686</option>,
156 <option>x86_64</option>,
157 <option>amd64</option>
158 </para>
159 </listitem>
160 </varlistentry>
55fc19a1
SG		 161 </variablelist>
162
163 </refsect2>
164
165 <refsect2>
166 <title>Hostname</title>
167 <para>
b9986e43
CB		 168 The utsname section defines the hostname to be set for the container.
169 That means the container can set its own hostname without changing the
170 one from the system. That makes the hostname private for the container.
55fc19a1
SG		 171 </para>
172 <variablelist>
c464fd7e
SG		 173 <varlistentry>
174 <term>
b67771bc 175 <option>lxc.uts.name</option>
c464fd7e
SG		 176 </term>
177 <listitem>
178 <para>
179 specify the hostname for the container
180 </para>
181 </listitem>
182 </varlistentry>
55fc19a1
SG		 183 </variablelist>
184 </refsect2>
185
186 <refsect2>
187 <title>Halt signal</title>
188 <para>
b9986e43
CB		 189 Allows one to specify signal name or number sent to the container's
190 init process to cleanly shutdown the container. Different init systems
191 could use different signals to perform clean shutdown sequence. This
192 option allows the signal to be specified in kill(1) fashion, e.g.
193 SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default signal is
194 SIGPWR.
55fc19a1
SG		 195 </para>
196 <variablelist>
936762f3
BP		 197 <varlistentry>
198 <term>
55c84efc 199 <option>lxc.signal.halt</option>
936762f3
BP		 200 </term>
201 <listitem>
202 <para>
203 specify the signal used to halt the container
204 </para>
205 </listitem>
206 </varlistentry>
207 </variablelist>
208 </refsect2>
209
210 <refsect2>
211 <title>Reboot signal</title>
212 <para>
b9986e43
CB		 213 Allows one to specify signal name or number to reboot the container.
214 This option allows signal to be specified in kill(1) fashion, e.g.
215 SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default signal
216 is SIGINT.
936762f3
BP		 217 </para>
218 <variablelist>
219 <varlistentry>
220 <term>
55c84efc 221 <option>lxc.signal.reboot</option>
936762f3
BP		 222 </term>
223 <listitem>
224 <para>
225 specify the signal used to reboot the container
226 </para>
227 </listitem>
228 </varlistentry>
55fc19a1
SG		 229 </variablelist>
230 </refsect2>
231
232 <refsect2>
233 <title>Stop signal</title>
234 <para>
b9986e43
CB		 235 Allows one to specify signal name or number to forcibly shutdown the
236 container. This option allows signal to be specified in kill(1) fashion,
237 e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default
238 signal is SIGKILL.
936762f3
BP		 239 </para>
240 <variablelist>
241 <varlistentry>
242 <term>
55c84efc 243 <option>lxc.signal.stop</option>
936762f3
BP		 244 </term>
245 <listitem>
246 <para>
247 specify the signal used to stop the container
248 </para>
249 </listitem>
250 </varlistentry>
55fc19a1
SG		 251 </variablelist>
252 </refsect2>
253
67c660d0
SG		 254 <refsect2>
255 <title>Init command</title>
256 <para>
257 Sets the command to use as the init system for the containers.
67c660d0 258 </para>
5cda27c1
SH		 259 <variablelist>
260 <varlistentry>
261 <term>
262 <option>lxc.execute.cmd</option>
263 </term>
264 <listitem>
265 <para>
266 Absolute path from container rootfs to the binary to run by default. This
fcd95ae9 267 mostly makes sense for <command>lxc-execute</command>.
5cda27c1
SH		 268 </para>
269 </listitem>
270 </varlistentry>
271 </variablelist>
67c660d0 272 <variablelist>
936762f3
BP		 273 <varlistentry>
274 <term>
9dcf7b4d 275 <option>lxc.init.cmd</option>
936762f3
BP		 276 </term>
277 <listitem>
278 <para>
fcd95ae9
KY		 279 Absolute path from container rootfs to the binary to use as init. This
280 mostly makes sense for <command>lxc-start</command>. Default is <command>/sbin/init</command>.
936762f3
BP		 281 </para>
282 </listitem>
283 </varlistentry>
67c660d0
SG		 284 </variablelist>
285 </refsect2>
286
dbca9237
PT		 287 <refsect2>
288 <title>Init ID</title>
289 <para>
b9986e43
CB		 290 Sets the UID/GID to use for the init system, and subsequent commands.
291 Note that using a non-root uid when booting a system container will
292 likely not work due to missing privileges. Setting the UID/GID is mostly
293 useful when running application container.
dbca9237
PT		 294
295 Defaults to: UID(0), GID(0)
296 </para>
297 <variablelist>
298 <varlistentry>
299 <term>
9dcf7b4d 300 <option>lxc.init.uid</option>
dbca9237
PT		 301 </term>
302 <listitem>
303 <para>
b9986e43 304 UID to use for init.
dbca9237
PT		 305 </para>
306 </listitem>
307 </varlistentry>
308 <varlistentry>
309 <term>
9dcf7b4d 310 <option>lxc.init.gid</option>
dbca9237
PT		 311 </term>
312 <listitem>
313 <para>
b9986e43 314 GID to use for init.
dbca9237
PT		 315 </para>
316 </listitem>
317 </varlistentry>
318 </variablelist>
319 </refsect2>
320
4e6eb26b
CB		 321 <refsect2>
322 <title>Ephemeral</title>
323 <para>
324 Allows one to specify whether a container will be destroyed on shutdown.
325 </para>
326 <variablelist>
327 <varlistentry>
328 <term>
329 <option>lxc.ephemeral</option>
330 </term>
331 <listitem>
332 <para>
333 The only allowed values are 0 and 1. Set this to 1 to destroy a
334 container on shutdown.
335 </para>
336 </listitem>
337 </varlistentry>
338 </variablelist>
339 </refsect2>
340
55fc19a1
SG		 341 <refsect2>
342 <title>Network</title>
343 <para>
c464fd7e
SG		 344 The network section defines how the network is virtualized in
345 the container. The network virtualization acts at layer
346 two. In order to use the network virtualization, parameters
347 must be specified to define the network interfaces of the
348 container. Several virtual interfaces can be assigned and used
349 in a container even if the system has only one physical
350 network interface.
55fc19a1
SG		 351 </para>
352 <variablelist>
020104c3
MH		 353 <varlistentry>
354 <term>
7fa3f2e9 355 <option>lxc.net</option>
020104c3
MH		 356 </term>
357 <listitem>
358 <para>
359 may be used without a value to clear all previous network options.
360 </para>
361 </listitem>
362 </varlistentry>
c464fd7e
SG		 363 <varlistentry>
364 <term>
7fa3f2e9 365 <option>lxc.net.[i].type</option>
c464fd7e
SG		 366 </term>
367 <listitem>
368 <para>
369 specify what kind of network virtualization to be used
b9986e43
CB		 370 for the container.
371 Multiple networks can be specified by using an additional index
372 <option>i</option>
7fa3f2e9 373 after all <option>lxc.net.*</option> keys. For example,
374 <option>lxc.net.0.type = veth</option> and
375 <option>lxc.net.1.type = veth</option> specify two different
b9986e43
CB		 376 networks of the same type. All keys sharing the same index
377 <option>i</option> will be treated as belonging to the same
7fa3f2e9 378 network. For example, <option>lxc.net.0.link = br0</option>
379 will belong to <option>lxc.net.0.type</option>.
b9986e43 380 Currently, the different virtualization types can be:
c464fd7e
SG		 381 </para>
382
383 <para>
384 <option>none:</option> will cause the container to share
385 the host's network namespace. This means the host
386 network devices are usable in the container. It also
387 means that if both the container and host have upstart as
388 init, 'halt' in a container (for instance) will shut down the
389 host.
390 </para>
391
392 <para>
393 <option>empty:</option> will create only the loopback
394 interface.
395 </para>
396
397 <para>
38005c54
MA		 398 <option>veth:</option> a virtual ethernet pair
399 device is created with one side assigned to the container
400 and the other side attached to a bridge specified by
7fa3f2e9 401 the <option>lxc.net.[i].link</option> option.
38005c54
MA		 402 If the bridge is not specified, then the veth pair device
403 will be created but not attached to any bridge.
404 Otherwise, the bridge has to be created on the system
405 before starting the container.
406 <command>lxc</command> won't handle any
407 configuration outside of the container.
408 By default, <command>lxc</command> chooses a name for the
c464fd7e 409 network device belonging to the outside of the
38005c54
MA		 410 container, but if you wish to handle
411 this name yourselves, you can tell <command>lxc</command>
c464fd7e 412 to set a specific name with
7fa3f2e9 413 the <option>lxc.net.[i].veth.pair</option> option (except for
c464fd7e
SG		 414 unprivileged containers where this option is ignored for security
415 reasons).
416 </para>
417
418 <para>
419 <option>vlan:</option> a vlan interface is linked with
420 the interface specified by
7fa3f2e9 421 the <option>lxc.net.[i].link</option> and assigned to
c464fd7e 422 the container. The vlan identifier is specified with the
7fa3f2e9 423 option <option>lxc.net.[i].vlan.id</option>.
c464fd7e
SG		 424 </para>
425
426 <para>
427 <option>macvlan:</option> a macvlan interface is linked
428 with the interface specified by
7fa3f2e9 429 the <option>lxc.net.[i].link</option> and assigned to
c464fd7e 430 the container.
7fa3f2e9 431 <option>lxc.net.[i].macvlan.mode</option> specifies the
c464fd7e
SG		 432 mode the macvlan will use to communicate between
433 different macvlan on the same upper device. The accepted
c15ea607
EL		 434 modes are <option>private</option>, <option>vepa</option>,
435 <option>bridge</option> and <option>passthru</option>.
436 In <option>private</option> mode, the device never
437 communicates with any other device on the same upper_dev (default).
438 In <option>vepa</option> mode, the new Virtual Ethernet Port
c464fd7e
SG		 439 Aggregator (VEPA) mode, it assumes that the adjacent
440 bridge returns all frames where both source and
441 destination are local to the macvlan port, i.e. the
442 bridge is set up as a reflective relay. Broadcast
443 frames coming in from the upper_dev get flooded to all
444 macvlan interfaces in VEPA mode, local frames are not
c15ea607 445 delivered locally. In <option>bridge</option> mode, it
c464fd7e
SG		 446 provides the behavior of a simple bridge between
447 different macvlan interfaces on the same port. Frames
448 from one interface to another one get delivered directly
449 and are not sent out externally. Broadcast frames get
450 flooded to all other bridge ports and to the external
451 interface, but when they come back from a reflective
452 relay, we don't deliver them again. Since we know all
453 the MAC addresses, the macvlan bridge mode does not
c15ea607
EL		 454 require learning or STP like the bridge module does. In
455 <option>passthru</option> mode, all frames received by
456 the physical interface are forwarded to the macvlan
457 interface. Only one macvlan interface in <option>passthru</option>
458 mode is possible for one physical interface.
c464fd7e
SG		 459 </para>
460
461 <para>
462 <option>phys:</option> an already existing interface
7fa3f2e9 463 specified by the <option>lxc.net.[i].link</option> is
c464fd7e
SG		 464 assigned to the container.
465 </para>
466 </listitem>
467 </varlistentry>
468
469 <varlistentry>
470 <term>
7fa3f2e9 471 <option>lxc.net.[i].flags</option>
c464fd7e
SG		 472 </term>
473 <listitem>
474 <para>
b9986e43 475 Specify an action to do for the network.
c464fd7e
SG		 476 </para>
477
478 <para><option>up:</option> activates the interface.
479 </para>
480 </listitem>
481 </varlistentry>
482
483 <varlistentry>
484 <term>
7fa3f2e9 485 <option>lxc.net.[i].link</option>
c464fd7e
SG		 486 </term>
487 <listitem>
488 <para>
b9986e43
CB		 489 Specify the interface to be used for real network traffic.
490 </para>
c464fd7e
SG		 491 </listitem>
492 </varlistentry>
493
494 <varlistentry>
495 <term>
7fa3f2e9 496 <option>lxc.net.[i].mtu</option>
c464fd7e
SG		 497 </term>
498 <listitem>
499 <para>
b9986e43 500 Specify the maximum transfer unit for this interface.
c464fd7e
SG		 501 </para>
502 </listitem>
503 </varlistentry>
504
505 <varlistentry>
506 <term>
7fa3f2e9 507 <option>lxc.net.[i].name</option>
c464fd7e
SG		 508 </term>
509 <listitem>
510 <para>
b9986e43
CB		 511 The interface name is dynamically allocated, but if another name
512 is needed because the configuration files being used by the
513 container use a generic name, eg. eth0, this option will rename
514 the interface in the container.
c464fd7e
SG		 515 </para>
516 </listitem>
517 </varlistentry>
518
519 <varlistentry>
520 <term>
7fa3f2e9 521 <option>lxc.net.[i].hwaddr</option>
c464fd7e
SG		 522 </term>
523 <listitem>
524 <para>
b9986e43
CB		 525 The interface mac address is dynamically allocated by default to
526 the virtual interface, but in some cases, this is needed to
527 resolve a mac address conflict or to always have the same
528 link-local ipv6 address. Any "x" in address will be replaced by
529 random value, this allows setting hwaddr templates.
c464fd7e
SG		 530 </para>
531 </listitem>
532 </varlistentry>
533
534 <varlistentry>
535 <term>
9ff60df2 536 <option>lxc.net.[i].ipv4.address</option>
c464fd7e
SG		 537 </term>
538 <listitem>
539 <para>
b9986e43
CB		 540 Specify the ipv4 address to assign to the virtualized interface.
541 Several lines specify several ipv4 addresses. The address is in
542 format x.y.z.t/m, eg. 192.168.1.123/24.
c464fd7e
SG		 543 </para>
544 </listitem>
545 </varlistentry>
546
547 <varlistentry>
548 <term>
7fa3f2e9 549 <option>lxc.net.[i].ipv4.gateway</option>
c464fd7e
SG		 550 </term>
551 <listitem>
552 <para>
b9986e43
CB		 553 Specify the ipv4 address to use as the gateway inside the
554 container. The address is in format x.y.z.t, eg. 192.168.1.123.
c464fd7e
SG		 555
556 Can also have the special value <option>auto</option>,
557 which means to take the primary address from the bridge
558 interface (as specified by the
7fa3f2e9 559 <option>lxc.net.[i].link</option> option) and use that as
c464fd7e
SG		 560 the gateway. <option>auto</option> is only available when
561 using the <option>veth</option> and
562 <option>macvlan</option> network types.
563 </para>
564 </listitem>
565 </varlistentry>
566
567
568 <varlistentry>
569 <term>
2e44ae28 570 <option>lxc.net.[i].ipv6.address</option>
c464fd7e
SG		 571 </term>
572 <listitem>
573 <para>
b9986e43
CB		 574 Specify the ipv6 address to assign to the virtualized
575 interface. Several lines specify several ipv6 addresses. The
576 address is in format x::y/m, eg.
577 2003:db8:1:0:214:1234:fe0b:3596/64
c464fd7e
SG		 578 </para>
579 </listitem>
580 </varlistentry>
581
582 <varlistentry>
583 <term>
7fa3f2e9 584 <option>lxc.net.[i].ipv6.gateway</option>
c464fd7e
SG		 585 </term>
586 <listitem>
587 <para>
b9986e43
CB		 588 Specify the ipv6 address to use as the gateway inside the
589 container. The address is in format x::y, eg. 2003:db8:1:0::1
c464fd7e
SG		 590
591 Can also have the special value <option>auto</option>,
592 which means to take the primary address from the bridge
593 interface (as specified by the
7fa3f2e9 594 <option>lxc.net.[i].link</option> option) and use that as
c464fd7e
SG		 595 the gateway. <option>auto</option> is only available when
596 using the <option>veth</option> and
597 <option>macvlan</option> network types.
598 </para>
599 </listitem>
600 </varlistentry>
601
602 <varlistentry>
603 <term>
7fa3f2e9 604 <option>lxc.net.[i].script.up</option>
c464fd7e
SG		 605 </term>
606 <listitem>
607 <para>
b9986e43 608 Add a configuration option to specify a script to be
c464fd7e
SG		 609 executed after creating and configuring the network used
610 from the host side. The following arguments are passed
611 to the script: container name and config section name
612 (net) Additional arguments depend on the config section
613 employing a script hook; the following are used by the
614 network system: execution context (up), network type
615 (empty/veth/macvlan/phys), Depending on the network
616 type, other arguments may be passed:
617 veth/macvlan/phys. And finally (host-sided) device name.
618 </para>
619 <para>
620 Standard output from the script is logged at debug level.
621 Standard error is not logged, but can be captured by the
622 hook redirecting its standard error to standard output.
623 </para>
624 </listitem>
625 </varlistentry>
626
627 <varlistentry>
628 <term>
7fa3f2e9 629 <option>lxc.net.[i].script.down</option>
c464fd7e
SG		 630 </term>
631 <listitem>
632 <para>
b9986e43 633 Add a configuration option to specify a script to be
c464fd7e
SG		 634 executed before destroying the network used from the
635 host side. The following arguments are passed to the
636 script: container name and config section name (net)
637 Additional arguments depend on the config section
638 employing a script hook; the following are used by the
639 network system: execution context (down), network type
640 (empty/veth/macvlan/phys), Depending on the network
641 type, other arguments may be passed:
642 veth/macvlan/phys. And finally (host-sided) device name.
643 </para>
644 <para>
645 Standard output from the script is logged at debug level.
646 Standard error is not logged, but can be captured by the
647 hook redirecting its standard error to standard output.
648 </para>
649 </listitem>
650 </varlistentry>
55fc19a1
SG		 651 </variablelist>
652 </refsect2>
653
654 <refsect2>
655 <title>New pseudo tty instance (devpts)</title>
656 <para>
c464fd7e
SG		 657 For stricter isolation the container can have its own private
658 instance of the pseudo tty.
55fc19a1
SG		 659 </para>
660 <variablelist>
c464fd7e
SG		 661 <varlistentry>
662 <term>
232763d6 663 <option>lxc.pty.max</option>
c464fd7e
SG		 664 </term>
665 <listitem>
666 <para>
667 If set, the container will have a new pseudo tty
668 instance, making this private to it. The value specifies
55fc19a1
SG		 669 the maximum number of pseudo ttys allowed for a pts
670 instance (this limitation is not implemented yet).
c464fd7e
SG		 671 </para>
672 </listitem>
673 </varlistentry>
55fc19a1
SG		 674 </variablelist>
675 </refsect2>
676
677 <refsect2>
678 <title>Container system console</title>
679 <para>
c464fd7e
SG		 680 If the container is configured with a root filesystem and the
681 inittab file is setup to use the console, you may want to specify
682 where the output of this console goes.
55fc19a1
SG		 683 </para>
684 <variablelist>
c464fd7e
SG		 685 <varlistentry>
686 <term>
687 <option>lxc.console.logfile</option>
688 </term>
689 <listitem>
690 <para>
691 Specify a path to a file where the console output will
692 be written.
693 </para>
694 </listitem>
695 </varlistentry>
696 <varlistentry>
697 <term>
3aed4934 698 <option>lxc.console.path</option>
c464fd7e
SG		 699 </term>
700 <listitem>
701 <para>
702 Specify a path to a device to which the console will be
6e3bb289
CB		 703 attached. The keyword 'none' will simply disable the
704 console. Note, when specifying 'none' and creating a device node
705 for the console in the container at /dev/console or bind-mounting
706 the hosts's /dev/console into the container at /dev/console the
707 container will have direct access to the hosts's /dev/console.
708 This is dangerous when the container has write access to the
709 device and should thus be used with caution.
c464fd7e
SG		 710 </para>
711 </listitem>
712 </varlistentry>
55fc19a1
SG		 713 </variablelist>
714 </refsect2>
715
716 <refsect2>
717 <title>Console through the ttys</title>
718 <para>
c464fd7e
SG		 719 This option is useful if the container is configured with a root
720 filesystem and the inittab file is setup to launch a getty on the
721 ttys. The option specifies the number of ttys to be available for
722 the container. The number of gettys in the inittab file of the
723 container should not be greater than the number of ttys specified
724 in this option, otherwise the excess getty sessions will die and
725 respawn indefinitely giving annoying messages on the console or in
726 <filename>/var/log/messages</filename>.
55fc19a1
SG		 727 </para>
728 <variablelist>
c464fd7e
SG		 729 <varlistentry>
730 <term>
fe1c5887 731 <option>lxc.tty.max</option>
c464fd7e
SG		 732 </term>
733 <listitem>
734 <para>
735 Specify the number of tty to make available to the
736 container.
737 </para>
738 </listitem>
739 </varlistentry>
55fc19a1
SG		 740 </variablelist>
741 </refsect2>
742
743 <refsect2>
744 <title>Console devices location</title>
745 <para>
746 LXC consoles are provided through Unix98 PTYs created on the
c464fd7e
SG		 747 host and bind-mounted over the expected devices in the container.
748 By default, they are bind-mounted over <filename>/dev/console</filename>
749 and <filename>/dev/ttyN</filename>. This can prevent package upgrades
750 in the guest. Therefore you can specify a directory location (under
751 <filename>/dev</filename> under which LXC will create the files and
752 bind-mount over them. These will then be symbolically linked to
753 <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
754 A package upgrade can then succeed as it is able to remove and replace
755 the symbolic links.
55fc19a1
SG		 756 </para>
757 <variablelist>
c464fd7e
SG		 758 <varlistentry>
759 <term>
fe1c5887 760 <option>lxc.tty.dir</option>
c464fd7e
SG		 761 </term>
762 <listitem>
763 <para>
764 Specify a directory under <filename>/dev</filename>
6e3bb289
CB		 765 under which to create the container console devices. Note that LXC
766 will move any bind-mounts or device nodes for /dev/console into
767 this directory.
c464fd7e
SG		 768 </para>
769 </listitem>
770 </varlistentry>
55fc19a1
SG		 771 </variablelist>
772 </refsect2>
773
774 <refsect2>
775 <title>/dev directory</title>
776 <para>
c464fd7e
SG		 777 By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr)
778 in the container's <filename>/dev</filename> directory but does not
779 automatically create device node entries. This allows the container's
780 <filename>/dev</filename> to be set up as needed in the container
781 rootfs. If lxc.autodev is set to 1, then after mounting the container's
782 rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
c35d2909 783 (limited to 500k) and fill in a minimal set of initial devices.
55fc19a1
SG		 784 This is generally required when starting a container containing
785 a "systemd" based "init" but may be optional at other times. Additional
786 devices in the containers /dev directory may be created through the
787 use of the <option>lxc.hook.autodev</option> hook.
788 </para>
789 <variablelist>
c464fd7e
SG		 790 <varlistentry>
791 <term>
792 <option>lxc.autodev</option>
793 </term>
794 <listitem>
795 <para>
124fa0a8 796 Set this to 0 to stop LXC from mounting and populating a minimal
c464fd7e
SG		 797 <filename>/dev</filename> when starting the container.
798 </para>
799 </listitem>
800 </varlistentry>
55fc19a1 801 </variablelist>
55fc19a1
SG		 802 </refsect2>
803
804 <refsect2>
805 <title>Mount points</title>
806 <para>
c464fd7e
SG		 807 The mount points section specifies the different places to be
808 mounted. These mount points will be private to the container
809 and won't be visible by the processes running outside of the
810 container. This is useful to mount /etc, /var or /home for
811 examples.
55fc19a1 812 </para>
592fd47a
SH		 813 <para>
814 NOTE - LXC will generally ensure that mount targets and relative
815 bind-mount sources are properly confined under the container
816 root, to avoid attacks involving over-mounting host directories
817 and files. (Symbolic links in absolute mount sources are ignored)
818 However, if the container configuration first mounts a directory which
819 is under the control of the container user, such as /home/joe, into
820 the container at some <filename>path</filename>, and then mounts
821 under <filename>path</filename>, then a TOCTTOU attack would be
822 possible where the container user modifies a symbolic link under
823 his home directory at just the right time.
824 </para>
55fc19a1 825 <variablelist>
c464fd7e
SG		 826 <varlistentry>
827 <term>
47148e96 828 <option>lxc.mount.fstab</option>
c464fd7e
SG		 829 </term>
830 <listitem>
831 <para>
832 specify a file location in
833 the <filename>fstab</filename> format, containing the
834 mount information. The mount target location can and in
835 most cases should be a relative path, which will become
836 relative to the mounted container root. For instance,
837 </para>
b9986e43
CB		 838 <programlisting>
839 proc proc proc nodev,noexec,nosuid 0 0
840 </programlisting>
c464fd7e
SG		 841 <para>
842 Will mount a proc filesystem under the container's /proc,
843 regardless of where the root filesystem comes from. This
844 is resilient to block device backed filesystems as well as
845 container cloning.
846 </para>
847 <para>
848 Note that when mounting a filesystem from an
849 image file or block device the third field (fs_vfstype)
850 cannot be auto as with
55fc19a1 851 <citerefentry>
c464fd7e 852 <refentrytitle>mount</refentrytitle>
55fc19a1
SG		 853 <manvolnum>8</manvolnum>
854 </citerefentry>
855 but must be explicitly specified.
c464fd7e
SG		 856 </para>
857 </listitem>
858 </varlistentry>
859
860 <varlistentry>
861 <term>
862 <option>lxc.mount.entry</option>
863 </term>
864 <listitem>
865 <para>
866 specify a mount point corresponding to a line in the
867 fstab format.
f5b67b36
NC		 868
869 Moreover lxc add two options to mount.
870 <option>optional</option> don't fail if mount does not work.
871 <option>create=dir</option> or <option>create=file</option>
872 to create dir (or file) when the point will be mounted.
c464fd7e
SG		 873 </para>
874 </listitem>
875 </varlistentry>
876
877 <varlistentry>
878 <term>
879 <option>lxc.mount.auto</option>
880 </term>
881 <listitem>
882 <para>
883 specify which standard kernel file systems should be
884 automatically mounted. This may dramatically simplify
885 the configuration. The file systems are:
886 </para>
887 <itemizedlist>
888 <listitem>
889 <para>
890 <option>proc:mixed</option> (or <option>proc</option>):
891 mount <filename>/proc</filename> as read-write, but
892 remount <filename>/proc/sys</filename> and
893 <filename>/proc/sysrq-trigger</filename> read-only
894 for security / container isolation purposes.
895 </para>
896 </listitem>
897 <listitem>
898 <para>
899 <option>proc:rw</option>: mount
900 <filename>/proc</filename> as read-write
901 </para>
902 </listitem>
903 <listitem>
904 <para>
f24a52d5
SG		 905 <option>sys:mixed</option> (or <option>sys</option>):
906 mount <filename>/sys</filename> as read-only but with
907 /sys/devices/virtual/net writable.
908 </para>
909 </listitem>
910 <listitem>
911 <para>
912 <option>sys:ro</option>:
c464fd7e
SG		 913 mount <filename>/sys</filename> as read-only
914 for security / container isolation purposes.
915 </para>
916 </listitem>
917 <listitem>
918 <para>
919 <option>sys:rw</option>: mount
920 <filename>/sys</filename> as read-write
921 </para>
922 </listitem>
923 <listitem>
924 <para>
925 <option>cgroup:mixed</option>:
926 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
927 create directories for all hierarchies to which
928 the container is added, create subdirectories
929 there with the name of the cgroup, and bind-mount
930 the container's own cgroup into that directory.
931 The container will be able to write to its own
932 cgroup directory, but not the parents, since they
4608594e 933 will be remounted read-only.
c464fd7e
SG		 934 </para>
935 </listitem>
936 <listitem>
937 <para>
938 <option>cgroup:ro</option>: similar to
939 <option>cgroup:mixed</option>, but everything will
940 be mounted read-only.
941 </para>
942 </listitem>
943 <listitem>
944 <para>
945 <option>cgroup:rw</option>: similar to
946 <option>cgroup:mixed</option>, but everything will
947 be mounted read-write. Note that the paths leading
948 up to the container's own cgroup will be writable,
949 but will not be a cgroup filesystem but just part
950 of the tmpfs of <filename>/sys/fs/cgroup</filename>
951 </para>
952 </listitem>
953 <listitem>
954 <para>
955 <option>cgroup</option> (without specifier):
956 defaults to <option>cgroup:rw</option> if the
957 container retains the CAP_SYS_ADMIN capability,
958 <option>cgroup:mixed</option> otherwise.
959 </para>
960 </listitem>
961 <listitem>
962 <para>
963 <option>cgroup-full:mixed</option>:
964 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
965 create directories for all hierarchies to which
966 the container is added, bind-mount the hierarchies
967 from the host to the container and make everything
968 read-only except the container's own cgroup. Note
969 that compared to <option>cgroup</option>, where
970 all paths leading up to the container's own cgroup
971 are just simple directories in the underlying
972 tmpfs, here
973 <filename>/sys/fs/cgroup/$hierarchy</filename>
974 will contain the host's full cgroup hierarchy,
975 albeit read-only outside the container's own cgroup.
976 This may leak quite a bit of information into the
977 container.
978 </para>
979 </listitem>
980 <listitem>
981 <para>
982 <option>cgroup-full:ro</option>: similar to
983 <option>cgroup-full:mixed</option>, but everything
984 will be mounted read-only.
985 </para>
986 </listitem>
987 <listitem>
988 <para>
989 <option>cgroup-full:rw</option>: similar to
990 <option>cgroup-full:mixed</option>, but everything
991 will be mounted read-write. Note that in this case,
992 the container may escape its own cgroup. (Note also
993 that if the container has CAP_SYS_ADMIN support
994 and can mount the cgroup filesystem itself, it may
995 do so anyway.)
996 </para>
997 </listitem>
998 <listitem>
999 <para>
1000 <option>cgroup-full</option> (without specifier):
1001 defaults to <option>cgroup-full:rw</option> if the
1002 container retains the CAP_SYS_ADMIN capability,
1003 <option>cgroup-full:mixed</option> otherwise.
1004 </para>
1005 </listitem>
1006 </itemizedlist>
4608594e
SH		 1007 <para>
1008 If cgroup namespaces are enabled, then any <option>cgroup</option>
1009 auto-mounting request will be ignored, since the container can
1010 mount the filesystems itself, and automounting can confuse the
1011 container init.
1012 </para>
c464fd7e
SG		 1013 <para>
1014 Note that if automatic mounting of the cgroup filesystem
1015 is enabled, the tmpfs under
1016 <filename>/sys/fs/cgroup</filename> will always be
1017 mounted read-write (but for the <option>:mixed</option>
1018 and <option>:ro</option> cases, the individual
1019 hierarchies,
1020 <filename>/sys/fs/cgroup/$hierarchy</filename>, will be
1021 read-only). This is in order to work around a quirk in
1022 Ubuntu's
b46f0553 1023 <citerefentry>
c464fd7e 1024 <refentrytitle>mountall</refentrytitle>
b46f0553
CS		 1025 <manvolnum>8</manvolnum>
1026 </citerefentry>
c464fd7e
SG		 1027 command that will cause containers to wait for user
1028 input at boot if
1029 <filename>/sys/fs/cgroup</filename> is mounted read-only
1030 and the container can't remount it read-write due to a
1031 lack of CAP_SYS_ADMIN.
1032 </para>
1033 <para>
1034 Examples:
1035 </para>
1036 <programlisting>
1037 lxc.mount.auto = proc sys cgroup
1038 lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
1039 </programlisting>
1040 </listitem>
1041 </varlistentry>
55fc19a1
SG		 1042
1043 </variablelist>
1044 </refsect2>
1045
1046 <refsect2>
1047 <title>Root file system</title>
1048 <para>
c464fd7e
SG		 1049 The root file system of the container can be different than that
1050 of the host system.
55fc19a1
SG		 1051 </para>
1052 <variablelist>
c464fd7e
SG		 1053 <varlistentry>
1054 <term>
7a96a068 1055 <option>lxc.rootfs.path</option>
c464fd7e
SG		 1056 </term>
1057 <listitem>
1058 <para>
1059 specify the root file system for the container. It can
1060 be an image file, a directory or a block device. If not
1061 specified, the container shares its root file system
1062 with the host.
1063 </para>
1064 <para>
f1c26f2c
SH		 1065 For directory or simple block-device backed containers,
1066 a pathname can be used. If the rootfs is backed by a nbd
1067 device, then <filename>nbd:file:1</filename> specifies that
1068 <filename>file</filename> should be attached to a nbd device,
1069 and partition 1 should be mounted as the rootfs.
1070 <filename>nbd:file</filename> specifies that the nbd device
1071 itself should be mounted. <filename>overlayfs:/lower:/upper</filename>
1072 specifies that the rootfs should be an overlay with <filename>/upper</filename>
1073 being mounted read-write over a read-only mount of <filename>/lower</filename>.
1074 <filename>aufs:/lower:/upper</filename> does the same using aufs in place
280d2379
CB		 1075 of overlayfs. For both <filename>overlayfs</filename> and
1076 <filename>aufs</filename> multiple <filename>/lower</filename>
1077 directories can be specified. <filename>loop:/file</filename> tells lxc to attach
f1c26f2c 1078 <filename>/file</filename> to a loop device and mount the loop device.
c464fd7e
SG		 1079 </para>
1080 </listitem>
1081 </varlistentry>
1082
1083 <varlistentry>
1084 <term>
1085 <option>lxc.rootfs.mount</option>
1086 </term>
1087 <listitem>
1088 <para>
7a96a068 1089 where to recursively bind <option>lxc.rootfs.path</option>
c464fd7e
SG		 1090 before pivoting. This is to ensure success of the
1091 <citerefentry>
1092 <refentrytitle><command>pivot_root</command></refentrytitle>
1093 <manvolnum>8</manvolnum>
1094 </citerefentry>
1095 syscall. Any directory suffices, the default should
1096 generally work.
1097 </para>
1098 </listitem>
1099 </varlistentry>
1100
1101 <varlistentry>
1102 <term>
1103 <option>lxc.rootfs.options</option>
1104 </term>
1105 <listitem>
1106 <para>
1107 extra mount options to use when mounting the rootfs.
1108 </para>
1109 </listitem>
1110 </varlistentry>
a17b1e65 1111
55fc19a1
SG		 1112 </variablelist>
1113 </refsect2>
1114
1115 <refsect2>
1116 <title>Control group</title>
1117 <para>
c464fd7e
SG		 1118 The control group section contains the configuration for the
1119 different subsystem. <command>lxc</command> does not check the
1120 correctness of the subsystem name. This has the disadvantage
1121 of not detecting configuration errors until the container is
1122 started, but has the advantage of permitting any future
1123 subsystem.
55fc19a1
SG		 1124 </para>
1125 <variablelist>
c464fd7e
SG		 1126 <varlistentry>
1127 <term>
1128 <option>lxc.cgroup.[subsystem name]</option>
1129 </term>
1130 <listitem>
1131 <para>
1132 specify the control group value to be set. The
1133 subsystem name is the literal name of the control group
1134 subsystem. The permitted names and the syntax of their
1135 values is not dictated by LXC, instead it depends on the
1136 features of the Linux kernel running at the time the
1137 container is started,
1138 eg. <option>lxc.cgroup.cpuset.cpus</option>
1139 </para>
1140 </listitem>
1141 </varlistentry>
bdcbb6b3
CB		 1142 <varlistentry>
1143 <term>
1144 <option>lxc.cgroup.dir</option>
1145 </term>
1146 <listitem>
1147 <para>
1148 specify a directory or path in which the container's cgroup will
1149 be created. For example, setting
1150 <option>lxc.cgroup.dir = my-cgroup/first</option> for a container
1151 named "c1" will create the container's cgroup as a sub-cgroup of
1152 "my-cgroup". For example, if the user's current cgroup "my-user"
78be8d75 1153 is located in the root cgroup of the cpuset controller in a
bdcbb6b3
CB		 1154 cgroup v1 hierarchy this would create the cgroup
1155 "/sys/fs/cgroup/cpuset/my-user/my-cgroup/first/c1" for the
1156 container. Any missing cgroups will be created by LXC. This
1157 presupposes that the user has write access to its current cgroup.
1158 </para>
1159 </listitem>
1160 </varlistentry>
55fc19a1
SG		 1161 </variablelist>
1162 </refsect2>
1163
1164 <refsect2>
1165 <title>Capabilities</title>
1166 <para>
c464fd7e
SG		 1167 The capabilities can be dropped in the container if this one
1168 is run as root.
55fc19a1
SG		 1169 </para>
1170 <variablelist>
c464fd7e
SG		 1171 <varlistentry>
1172 <term>
1173 <option>lxc.cap.drop</option>
1174 </term>
1175 <listitem>
1176 <para>
1177 Specify the capability to be dropped in the container. A
1178 single line defining several capabilities with a space
1179 separation is allowed. The format is the lower case of
1180 the capability definition without the "CAP_" prefix,
1181 eg. CAP_SYS_MODULE should be specified as
1182 sys_module. See
1183 <citerefentry>
1184 <refentrytitle><command>capabilities</command></refentrytitle>
1185 <manvolnum>7</manvolnum>
7eff30fd
MH		 1186 </citerefentry>.
1187 If used with no value, lxc will clear any drop capabilities
1188 specified up to this point.
c464fd7e
SG		 1189 </para>
1190 </listitem>
1191 </varlistentry>
1192 <varlistentry>
1193 <term>
1194 <option>lxc.cap.keep</option>
1195 </term>
1196 <listitem>
1197 <para>
1198 Specify the capability to be kept in the container. All other
1199 capabilities will be dropped. When a special value of "none" is
1200 encountered, lxc will clear any keep capabilities specified up
1201 to this point. A value of "none" alone can be used to drop all
1202 capabilities.
1203 </para>
1204 </listitem>
1205 </varlistentry>
55fc19a1
SG		 1206 </variablelist>
1207 </refsect2>
1208
93f9e90d
WB		 1209 <refsect2>
1210 <title>Resource limits</title>
1211 <para>
1212 The soft and hard resource limits for the container can be changed.
1213 Unprivileged containers can only lower them. Resources which are not
1214 explicitly specified will be inherited.
1215 </para>
1216 <variablelist>
1217 <varlistentry>
1218 <term>
240d4b74 1219 <option>lxc.prlimit.[limit name]</option>
93f9e90d
WB		 1220 </term>
1221 <listitem>
1222 <para>
1223 Specify the resource limit to be set. A limit is specified as two
1224 colon separated values which are either numeric or the word
1225 'unlimited'. A single value can be used as a shortcut to set both
1226 soft and hard limit to the same value. The permitted names the
1227 "RLIMIT_" resource names in lowercase without the "RLIMIT_"
1228 prefix, eg. RLIMIT_NOFILE should be specified as "nofile". See
1229 <citerefentry>
1230 <refentrytitle><command>setrlimit</command></refentrytitle>
1231 <manvolnum>2</manvolnum>
1232 </citerefentry>.
1233 If used with no value, lxc will clear the resource limit
1234 specified up to this point. A resource with no explicitly
1235 configured limitation will be inherited from the process starting
1236 up the container.
1237 </para>
1238 </listitem>
1239 </varlistentry>
1240 </variablelist>
1241 </refsect2>
1242
55fc19a1
SG		 1243 <refsect2>
1244 <title>Apparmor profile</title>
1245 <para>
c464fd7e
SG		 1246 If lxc was compiled and installed with apparmor support, and the host
1247 system has apparmor enabled, then the apparmor profile under which the
1248 container should be run can be specified in the container
7a126ae1
SH		 1249 configuration. The default is <command>lxc-container-default-cgns</command>
1250 if the host kernel is cgroup namespace aware, or
1251 <command>lxc-container-default</command> othewise.
55fc19a1
SG		 1252 </para>
1253 <variablelist>
c464fd7e
SG		 1254 <varlistentry>
1255 <term>
a1d5fdfd 1256 <option>lxc.apparmor.profile</option>
c464fd7e
SG		 1257 </term>
1258 <listitem>
1259 <para>
1260 Specify the apparmor profile under which the container should
1261 be run. To specify that the container should be unconfined,
1262 use
1263 </para>
a1d5fdfd 1264 <programlisting>lxc.apparmor.profile = unconfined</programlisting>
7a126ae1
SH		 1265 <para>
1266 If the apparmor profile should remain unchanged (i.e. if you
1267 are nesting containers and are already confined), then use
1268 </para>
a1d5fdfd 1269 <programlisting>lxc.apparmor.profile = unchanged</programlisting>
c464fd7e
SG		 1270 </listitem>
1271 </varlistentry>
1272 <varlistentry>
1273 <term>
69e38e00 1274 <option>lxc.apparmor.allow_incomplete</option>
c464fd7e
SG		 1275 </term>
1276 <listitem>
1277 <para>
1278 Apparmor profiles are pathname based. Therefore many file
1279 restrictions require mount restrictions to be effective against
1280 a determined attacker. However, these mount restrictions are not
1281 yet implemented in the upstream kernel. Without the mount
1282 restrictions, the apparmor profiles still protect against accidental
1283 damager.
1284 </para>
1285 <para>
1286 If this flag is 0 (default), then the container will not be
1287 started if the kernel lacks the apparmor mount features, so that a
1288 regression after a kernel upgrade will be detected. To start the
1289 container under partial apparmor protection, set this flag to 1.
1290 </para>
1291 </listitem>
1292 </varlistentry>
55fc19a1
SG		 1293 </variablelist>
1294 </refsect2>
1295
1296 <refsect2>
1297 <title>SELinux context</title>
1298 <para>
c464fd7e
SG		 1299 If lxc was compiled and installed with SELinux support, and the host
1300 system has SELinux enabled, then the SELinux context under which the
1301 container should be run can be specified in the container
1302 configuration. The default is <command>unconfined_t</command>,
1303 which means that lxc will not attempt to change contexts.
1304 See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
1305 information.
55fc19a1
SG		 1306 </para>
1307 <variablelist>
c464fd7e
SG		 1308 <varlistentry>
1309 <term>
b84702ab 1310 <option>lxc.selinux.context</option>
c464fd7e
SG		 1311 </term>
1312 <listitem>
1313 <para>
1314 Specify the SELinux context under which the container should
1315 be run or <command>unconfined_t</command>. For example
1316 </para>
b84702ab 1317 <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting>
c464fd7e
SG		 1318 </listitem>
1319 </varlistentry>
55fc19a1
SG		 1320 </variablelist>
1321 </refsect2>
1322
1323 <refsect2>
1324 <title>Seccomp configuration</title>
1325 <para>
1326 A container can be started with a reduced set of available
c464fd7e
SG		 1327 system calls by loading a seccomp profile at startup. The
1328 seccomp configuration file must begin with a version number
1329 on the first line, a policy type on the second line, followed
1330 by the configuration.
55fc19a1 1331 </para>
a7c27357
SH		 1332 <para>
1333 Versions 1 and 2 are currently supported. In version 1, the
c464fd7e
SG		 1334 policy is a simple whitelist. The second line therefore must
1335 read "whitelist", with the rest of the file containing one (numeric)
1336 sycall number per line. Each syscall number is whitelisted,
1337 while every unlisted number is blacklisted for use in the container
a7c27357
SH		 1338 </para>
1339
1340 <para>
1341 In version 2, the policy may be blacklist or whitelist,
1342 supports per-rule and per-policy default actions, and supports
1343 per-architecture system call resolution from textual names.
1344 </para>
1345 <para>
1346 An example blacklist policy, in which all system calls are
1347 allowed except for mknod, which will simply do nothing and
1348 return 0 (success), looks like:
1349 </para>
b9986e43
CB		 1350
1351 <programlisting>
1352 2
1353 blacklist
1354 mknod errno 0
1355 </programlisting>
1356
55fc19a1 1357 <variablelist>
c464fd7e
SG		 1358 <varlistentry>
1359 <term>
0b427da0 1360 <option>lxc.seccomp.profile</option>
c464fd7e
SG		 1361 </term>
1362 <listitem>
1363 <para>
1364 Specify a file containing the seccomp configuration to
1365 load before the container starts.
1366 </para>
1367 </listitem>
1368 </varlistentry>
55fc19a1
SG		 1369 </variablelist>
1370 </refsect2>
1371
222ddc91
CB		 1372 <refsect2>
1373 <title>PR_SET_NO_NEW_PRIVS</title>
1374 <para>
1375 With PR_SET_NO_NEW_PRIVS active execve() promises not to grant
1376 privileges to do anything that could not have been done without
1377 the execve() call (for example, rendering the set-user-ID and
1378 set-group-ID mode bits, and file capabilities non-functional).
1379 Once set, this bit cannot be unset. The setting of this bit is
1380 inherited by children created by fork() and clone(), and preserved
1381 across execve().
1382 Note that PR_SET_NO_NEW_PRIVS is applied after the container has
1383 changed into its intended AppArmor profile or SElinux context.
1384 </para>
1385 <variablelist>
1386 <varlistentry>
1387 <term>
1388 <option>lxc.no_new_privs</option>
1389 </term>
1390 <listitem>
1391 <para>
1392 Specify whether the PR_SET_NO_NEW_PRIVS flag should be set for the
1393 container. Set to 1 to activate.
1394 </para>
1395 </listitem>
1396 </varlistentry>
1397 </variablelist>
1398 </refsect2>
1399
55fc19a1
SG		 1400 <refsect2>
1401 <title>UID mappings</title>
1402 <para>
1403 A container can be started in a private user namespace with
c464fd7e
SG		 1404 user and group id mappings. For instance, you can map userid
1405 0 in the container to userid 200000 on the host. The root
1406 user in the container will be privileged in the container,
1407 but unprivileged on the host. Normally a system container
1408 will want a range of ids, so you would map, for instance,
1409 user and group ids 0 through 20,000 in the container to the
1410 ids 200,000 through 220,000.
55fc19a1
SG		 1411 </para>
1412 <variablelist>
c464fd7e
SG		 1413 <varlistentry>
1414 <term>
bdcbb6b3 1415 <option>lxc.idmap</option>
c464fd7e
SG		 1416 </term>
1417 <listitem>
1418 <para>
1419 Four values must be provided. First a character, either
1420 'u', or 'g', to specify whether user or group ids are
1421 being mapped. Next is the first userid as seen in the
1422 user namespace of the container. Next is the userid as
1423 seen on the host. Finally, a range indicating the number
1424 of consecutive ids to map.
1425 </para>
1426 </listitem>
1427 </varlistentry>
55fc19a1
SG		 1428 </variablelist>
1429 </refsect2>
1430
1431 <refsect2>
1432 <title>Container hooks</title>
1433 <para>
1434 Container hooks are programs or scripts which can be executed
c464fd7e 1435 at various times in a container's lifetime.
55fc19a1
SG		 1436 </para>
1437 <para>
1438 When a container hook is executed, information is passed both
c464fd7e
SG		 1439 as command line arguments and through environment variables.
1440 The arguments are:
1441 <itemizedlist>
1442 <listitem><para> Container name. </para></listitem>
1443 <listitem><para> Section (always 'lxc'). </para></listitem>
1444 <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
0a2b5ab1 1445 <listitem><para> Additional arguments. In the
c464fd7e 1446 case of the clone hook, any extra arguments passed to
0a2b5ab1
WB		 1447 lxc-clone will appear as further arguments to the hook.
1448 In the case of the stop hook, paths to filedescriptors
1449 for each of the container's namespaces along with their types
1450 are passed. </para></listitem>
c464fd7e
SG		 1451 </itemizedlist>
1452 The following environment variables are set:
1453 <itemizedlist>
1454 <listitem><para> LXC_NAME: is the container's name. </para></listitem>
1455 <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
1456 <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
1457 <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
7a96a068 1458 <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
b68c6a71
CB		 1459 <listitem><para> LXC_CGNS_AWARE: indicated whether the container is cgroup namespace aware. </para></listitem>
1460 <listitem><para> LXC_LOG_LEVEL: the container's log level. </para></listitem>
c464fd7e 1461 </itemizedlist>
55fc19a1
SG		 1462 </para>
1463 <para>
1464 Standard output from the hooks is logged at debug level.
1465 Standard error is not logged, but can be captured by the
1466 hook redirecting its standard error to standard output.
1467 </para>
1468 <variablelist>
c464fd7e
SG		 1469 <varlistentry>
1470 <term>
1471 <option>lxc.hook.pre-start</option>
1472 </term>
1473 <listitem>
1474 <para>
1475 A hook to be run in the host's namespace before the
1476 container ttys, consoles, or mounts are up.
1477 </para>
1478 </listitem>
1479 </varlistentry>
55fc19a1
SG		 1480 </variablelist>
1481 <variablelist>
c464fd7e
SG		 1482 <varlistentry>
1483 <term>
1484 <option>lxc.hook.pre-mount</option>
1485 </term>
1486 <listitem>
1487 <para>
1488 A hook to be run in the container's fs namespace but before
1489 the rootfs has been set up. This allows for manipulation
1490 of the rootfs, i.e. to mount an encrypted filesystem. Mounts
1491 done in this hook will not be reflected on the host (apart from
1492 mounts propagation), so they will be automatically cleaned up
1493 when the container shuts down.
1494 </para>
1495 </listitem>
1496 </varlistentry>
55fc19a1
SG		 1497 </variablelist>
1498 <variablelist>
c464fd7e
SG		 1499 <varlistentry>
1500 <term>
1501 <option>lxc.hook.mount</option>
1502 </term>
1503 <listitem>
1504 <para>
1505 A hook to be run in the container's namespace after
1506 mounting has been done, but before the pivot_root.
1507 </para>
1508 </listitem>
1509 </varlistentry>
55fc19a1
SG		 1510 </variablelist>
1511 <variablelist>
c464fd7e
SG		 1512 <varlistentry>
1513 <term>
1514 <option>lxc.hook.autodev</option>
1515 </term>
1516 <listitem>
1517 <para>
1518 A hook to be run in the container's namespace after
1519 mounting has been done and after any mount hooks have
1520 run, but before the pivot_root, if
1521 <option>lxc.autodev</option> == 1.
1522 The purpose of this hook is to assist in populating the
1523 /dev directory of the container when using the autodev
1524 option for systemd based containers. The container's /dev
1525 directory is relative to the
1526 ${<option>LXC_ROOTFS_MOUNT</option>} environment
1527 variable available when the hook is run.
1528 </para>
1529 </listitem>
1530 </varlistentry>
55fc19a1 1531 </variablelist>
08dd2805
SH		 1532 <variablelist>
1533 <varlistentry>
1534 <term>
1535 <option>lxc.hook.start-host</option>
1536 </term>
1537 <listitem>
1538 <para>
1539 A hook to be run in the host's namespace after the
1540 container has been setup, and immediately before starting
1541 the container init.
1542 </para>
1543 </listitem>
1544 </varlistentry>
1545 </variablelist>
55fc19a1 1546 <variablelist>
c464fd7e
SG		 1547 <varlistentry>
1548 <term>
1549 <option>lxc.hook.start</option>
1550 </term>
1551 <listitem>
1552 <para>
1553 A hook to be run in the container's namespace immediately
1554 before executing the container's init. This requires the
1555 program to be available in the container.
1556 </para>
1557 </listitem>
1558 </varlistentry>
55fc19a1 1559 </variablelist>
0a2b5ab1
WB		 1560 <variablelist>
1561 <varlistentry>
1562 <term>
1563 <option>lxc.hook.stop</option>
1564 </term>
1565 <listitem>
1566 <para>
1567 A hook to be run in the host's namespace with references
1568 to the container's namespaces after the container has been shut
1569 down. For each namespace an extra argument is passed to the hook
1570 containing the namespace's type and a filename that can be used to
1571 obtain a file descriptor to the corresponding namespace, separated
1572 by a colon. The type is the name as it would appear in the
1573 <filename>/proc/PID/ns</filename> directory.
1574 For instance for the mount namespace the argument usually looks
1575 like <filename>mnt:/proc/PID/fd/12</filename>.
1576 </para>
1577 </listitem>
1578 </varlistentry>
1579 </variablelist>
55fc19a1 1580 <variablelist>
c464fd7e
SG		 1581 <varlistentry>
1582 <term>
1583 <option>lxc.hook.post-stop</option>
1584 </term>
1585 <listitem>
1586 <para>
1587 A hook to be run in the host's namespace after the
1588 container has been shut down.
1589 </para>
1590 </listitem>
1591 </varlistentry>
55fc19a1
SG		 1592 </variablelist>
1593 <variablelist>
c464fd7e
SG		 1594 <varlistentry>
1595 <term>
1596 <option>lxc.hook.clone</option>
1597 </term>
1598 <listitem>
1599 <para>
1600 A hook to be run when the container is cloned to a new one.
1601 See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
1602 <manvolnum>1</manvolnum></citerefentry> for more information.
1603 </para>
1604 </listitem>
1605 </varlistentry>
55fc19a1 1606 </variablelist>
37cf711b
SY		 1607 <variablelist>
1608 <varlistentry>
1609 <term>
1610 <option>lxc.hook.destroy</option>
1611 </term>
1612 <listitem>
1613 <para>
1614 A hook to be run when the container is destroyed.
1615 </para>
1616 </listitem>
1617 </varlistentry>
1618 </variablelist>
55fc19a1
SG		 1619 </refsect2>
1620
1621 <refsect2>
1622 <title>Container hooks Environment Variables</title>
1623 <para>
1624 A number of environment variables are made available to the startup
1625 hooks to provide configuration information and assist in the
1626 functioning of the hooks. Not all variables are valid in all
1627 contexts. In particular, all paths are relative to the host system
1628 and, as such, not valid during the <option>lxc.hook.start</option> hook.
1629 </para>
1630 <variablelist>
c464fd7e
SG		 1631 <varlistentry>
1632 <term>
1633 <option>LXC_NAME</option>
1634 </term>
1635 <listitem>
1636 <para>
1637 The LXC name of the container. Useful for logging messages
1638 in common log environments. [<option>-n</option>]
1639 </para>
1640 </listitem>
1641 </varlistentry>
55fc19a1
SG		 1642 </variablelist>
1643 <variablelist>
c464fd7e
SG		 1644 <varlistentry>
1645 <term>
1646 <option>LXC_CONFIG_FILE</option>
1647 </term>
1648 <listitem>
1649 <para>
1650 Host relative path to the container configuration file. This
1651 gives the container to reference the original, top level,
1652 configuration file for the container in order to locate any
1653 additional configuration information not otherwise made
1654 available. [<option>-f</option>]
1655 </para>
1656 </listitem>
1657 </varlistentry>
55fc19a1
SG		 1658 </variablelist>
1659 <variablelist>
c464fd7e
SG		 1660 <varlistentry>
1661 <term>
1662 <option>LXC_CONSOLE</option>
1663 </term>
1664 <listitem>
1665 <para>
1666 The path to the console output of the container if not NULL.
3aed4934 1667 [<option>-c</option>] [<option>lxc.console.path</option>]
c464fd7e
SG		 1668 </para>
1669 </listitem>
1670 </varlistentry>
55fc19a1
SG		 1671 </variablelist>
1672 <variablelist>
c464fd7e
SG		 1673 <varlistentry>
1674 <term>
1675 <option>LXC_CONSOLE_LOGPATH</option>
1676 </term>
1677 <listitem>
1678 <para>
1679 The path to the console log output of the container if not NULL.
1680 [<option>-L</option>]
1681 </para>
1682 </listitem>
1683 </varlistentry>
55fc19a1
SG		 1684 </variablelist>
1685 <variablelist>
c464fd7e
SG		 1686 <varlistentry>
1687 <term>
1688 <option>LXC_ROOTFS_MOUNT</option>
1689 </term>
1690 <listitem>
1691 <para>
1692 The mount location to which the container is initially bound.
1693 This will be the host relative path to the container rootfs
1694 for the container instance being started and is where changes
1695 should be made for that instance.
1696 [<option>lxc.rootfs.mount</option>]
1697 </para>
1698 </listitem>
1699 </varlistentry>
55fc19a1
SG		 1700 </variablelist>
1701 <variablelist>
c464fd7e
SG		 1702 <varlistentry>
1703 <term>
1704 <option>LXC_ROOTFS_PATH</option>
1705 </term>
1706 <listitem>
1707 <para>
1708 The host relative path to the container root which has been
1709 mounted to the rootfs.mount location.
7a96a068 1710 [<option>lxc.rootfs.path</option>]
c464fd7e
SG		 1711 </para>
1712 </listitem>
1713 </varlistentry>
55fc19a1 1714 </variablelist>
07945418
KY		 1715 <variablelist>
1716 <varlistentry>
1717 <term>
1718 <option>LXC_SRC_NAME</option>
1719 </term>
1720 <listitem>
1721 <para>
1722 Only for the clone hook. Is set to the original container name.
1723 </para>
1724 </listitem>
1725 </varlistentry>
1726 </variablelist>
c154af98
SG		 1727 <variablelist>
1728 <varlistentry>
1729 <term>
1730 <option>LXC_TARGET</option>
1731 </term>
1732 <listitem>
1733 <para>
1734 Only for the stop hook. Is set to "stop" for a container
1735 shutdown or "reboot" for a container reboot.
1736 </para>
1737 </listitem>
1738 </varlistentry>
c4cafa08
SH		 1739 </variablelist>
1740 <variablelist>
1741 <varlistentry>
1742 <term>
1743 <option>LXC_CGNS_AWARE</option>
1744 </term>
1745 <listitem>
1746 <para>
1747 If unset, then this version of lxc is not aware of cgroup
1748 namespaces. If set, it will be set to 1, and lxc is aware
1749 of cgroup namespaces. Note this does not guarantee that
1750 cgroup namespaces are enabled in the kernel. This is used
1751 by the lxcfs mount hook.
1752 </para>
1753 </listitem>
1754 </varlistentry>
c154af98 1755 </variablelist>
55fc19a1
SG		 1756 </refsect2>
1757 <refsect2>
1758 <title>Logging</title>
1759 <para>
1760 Logging can be configured on a per-container basis. By default,
1761 depending upon how the lxc package was compiled, container startup
1762 is logged only at the ERROR level, and logged to a file named after
1763 the container (with '.log' appended) either under the container path,
1764 or under @LOGPATH@.
1765 </para>
1766 <para>
1767 Both the default log level and the log file can be specified in the
1768 container configuration file, overriding the default behavior. Note
1769 that the configuration file entries can in turn be overridden by the
1770 command line options to <command>lxc-start</command>.
1771 </para>
1772 <variablelist>
c464fd7e
SG		 1773 <varlistentry>
1774 <term>
46cc906d 1775 <option>lxc.log.level</option>
c464fd7e
SG		 1776 </term>
1777 <listitem>
1778 <para>
1779 The level at which to log. The log level is an integer in
1780 the range of 0..8 inclusive, where a lower number means more
1781 verbose debugging. In particular 0 = trace, 1 = debug, 2 =
1782 info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
1783 alert, and 8 = fatal. If unspecified, the level defaults
1784 to 5 (error), so that only errors and above are logged.
1785 </para>
1786 <para>
1787 Note that when a script (such as either a hook script or a
1788 network interface up or down script) is called, the script's
1789 standard output is logged at level 1, debug.
1790 </para>
1791 </listitem>
1792 </varlistentry>
1793 <varlistentry>
1794 <term>
46cc906d 1795 <option>lxc.log</option>
c464fd7e
SG		 1796 </term>
1797 <listitem>
1798 <para>
1799 The file to which logging info should be written.
1800 </para>
1801 </listitem>
1802 </varlistentry>
204dfdf2
BD		 1803 <varlistentry>
1804 <term>
46cc906d 1805 <option>lxc.log.syslog</option>
204dfdf2
BD		 1806 </term>
1807 <listitem>
1808 <para>
1809 Send logging info to syslog. It respects the log level defined in
46cc906d 1810 <command>lxc.log.level</command>. The argument should be the syslog
204dfdf2 1811 facility to use, valid ones are: daemon, local0, local1, local2,
917420dd 1812 local3, local4, local5, local5, local6, local7.
204dfdf2
BD		 1813 </para>
1814 </listitem>
1815 </varlistentry>
55fc19a1
SG		 1816 </variablelist>
1817 </refsect2>
1818
1819 <refsect2>
1820 <title>Autostart</title>
1821 <para>
1822 The autostart options support marking which containers should be
1823 auto-started and in what order. These options may be used by LXC tools
1824 directly or by external tooling provided by the distributions.
1825 </para>
1826
1827 <variablelist>
1828 <varlistentry>
1829 <term>
1830 <option>lxc.start.auto</option>
1831 </term>
1832 <listitem>
1833 <para>
1834 Whether the container should be auto-started.
1835 Valid values are 0 (off) and 1 (on).
1836 </para>
1837 </listitem>
1838 </varlistentry>
1839 <varlistentry>
1840 <term>
1841 <option>lxc.start.delay</option>
1842 </term>
1843 <listitem>
1844 <para>
1845 How long to wait (in seconds) after the container is
1846 started before starting the next one.
1847 </para>
1848 </listitem>
1849 </varlistentry>
1850 <varlistentry>
1851 <term>
1852 <option>lxc.start.order</option>
1853 </term>
1854 <listitem>
1855 <para>
1856 An integer used to sort the containers when auto-starting
1857 a series of containers at once.
1858 </para>
1859 </listitem>
1860 </varlistentry>
a8dfe4e0
WB		 1861 <varlistentry>
1862 <term>
1863 <option>lxc.monitor.unshare</option>
1864 </term>
1865 <listitem>
1866 <para>
1867 If not zero the mount namespace will be unshared from the host
1868 before initializing the container (before running any pre-start
6039eaa2
WB		 1869 hooks). This requires the CAP_SYS_ADMIN capability at startup.
1870 Default is 0.
a8dfe4e0
WB		 1871 </para>
1872 </listitem>
1873 </varlistentry>
55fc19a1
SG		 1874 <varlistentry>
1875 <term>
1876 <option>lxc.group</option>
1877 </term>
1878 <listitem>
1879 <para>
1880 A multi-value key (can be used multiple times) to put the
1881 container in a container group. Those groups can then be
1882 used (amongst other things) to start a series of related
1883 containers.
1884 </para>
1885 </listitem>
1886 </varlistentry>
1887 </variablelist>
1888 </refsect2>
015f0dd7
MW		 1889
1890 <refsect2>
1891 <title>Autostart and System Boot</title>
1892 <para>
1893 Each container can be part of any number of groups or no group at all.
1894 Two groups are special. One is the NULL group, i.e. the container does
1895 not belong to any group. The other group is the "onboot" group.
1896 </para>
1897
1898 <para>
1899 When the system boots with the LXC service enabled, it will first
1900 attempt to boot any containers with lxc.start.auto == 1 that is a member
1901 of the "onboot" group. The startup will be in order of lxc.start.order.
1902 If an lxc.start.delay has been specified, that delay will be honored
1903 before attempting to start the next container to give the current
1904 container time to begin initialization and reduce overloading the host
1905 system. After starting the members of the "onboot" group, the LXC system
1906 will proceed to boot containers with lxc.start.auto == 1 which are not
1907 members of any group (the NULL group) and proceed as with the onboot
1908 group.
1909 </para>
1910
1911 </refsect2>
7c661726
MP		 1912
1913 <refsect2>
1914 <title>Container Environment</title>
1915 <para>
c464fd7e
SG		 1916 If you want to pass environment variables into the container (that
1917 is, environment variables which will be available to init and all of
1918 its descendents), you can use <command>lxc.environment</command>
1919 parameters to do so. Be careful that you do not pass in anything
1920 sensitive; any process in the container which doesn't have its
1921 environment scrubbed will have these variables available to it, and
1922 environment variables are always available via
1923 <command>/proc/PID/environ</command>.
7c661726
MP		 1924 </para>
1925
1926 <para>
1927 This configuration parameter can be specified multiple times; once
1928 for each environment variable you wish to configure.
1929 </para>
1930
1931 <variablelist>
c464fd7e
SG		 1932 <varlistentry>
1933 <term>
1934 <option>lxc.environment</option>
1935 </term>
1936 <listitem>
1937 <para>
1938 Specify an environment variable to pass into the container.
1939 Example:
1940 </para>
1941 <programlisting>
1942 lxc.environment = APP_ENV=production
1943 lxc.environment = SYSLOG_SERVER=192.0.2.42
1944 </programlisting>
1945 </listitem>
1946 </varlistentry>
7c661726
MP		 1947 </variablelist>
1948 </refsect2>
1949
55fc19a1
SG		 1950 </refsect1>
1951
1952 <refsect1>
1953 <title>Examples</title>
1954 <para>
c464fd7e
SG		 1955 In addition to the few examples given below, you will find
1956 some other examples of configuration file in @DOCDIR@/examples
55fc19a1
SG		 1957 </para>
1958 <refsect2>
1959 <title>Network</title>
1960 <para>This configuration sets up a container to use a veth pair
c464fd7e
SG		 1961 device with one side plugged to a bridge br0 (which has been
1962 configured before on the system by the administrator). The
1963 virtual network device visible in the container is renamed to
1964 eth0.</para>
55fc19a1 1965 <programlisting>
b67771bc 1966 lxc.uts.name = myhostname
7fa3f2e9 1967 lxc.net.0.type = veth
1968 lxc.net.0.flags = up
1969 lxc.net.0.link = br0
1970 lxc.net.0.name = eth0
1971 lxc.net.0.hwaddr = 4a:49:43:49:79:bf
9ff60df2 1972 lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
2e44ae28 1973 lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
55fc19a1
SG		 1974 </programlisting>
1975 </refsect2>
1976
1977 <refsect2>
1978 <title>UID/GID mapping</title>
1979 <para>This configuration will map both user and group ids in the
1980 range 0-9999 in the container to the ids 100000-109999 on the host.
1981 </para>
1982 <programlisting>
bdcbb6b3
CB		 1983 lxc.idmap = u 0 100000 10000
1984 lxc.idmap = g 0 100000 10000
55fc19a1
SG		 1985 </programlisting>
1986 </refsect2>
1987
1988 <refsect2>
1989 <title>Control group</title>
1990 <para>This configuration will setup several control groups for
1991 the application, cpuset.cpus restricts usage of the defined cpu,
1992 cpus.share prioritize the control group, devices.allow makes
1993 usable the specified devices.</para>
1994 <programlisting>
c464fd7e
SG		 1995 lxc.cgroup.cpuset.cpus = 0,1
1996 lxc.cgroup.cpu.shares = 1234
1997 lxc.cgroup.devices.deny = a
1998 lxc.cgroup.devices.allow = c 1:3 rw
1999 lxc.cgroup.devices.allow = b 8:0 rw
55fc19a1
SG		 2000 </programlisting>
2001 </refsect2>
2002
2003 <refsect2>
2004 <title>Complex configuration</title>
2005 <para>This example show a complex configuration making a complex
2006 network stack, using the control groups, setting a new hostname,
2007 mounting some locations and a changing root file system.</para>
2008 <programlisting>
b67771bc 2009 lxc.uts.name = complex
7fa3f2e9 2010 lxc.net.0.type = veth
2011 lxc.net.0.flags = up
2012 lxc.net.0.link = br0
2013 lxc.net.0.hwaddr = 4a:49:43:49:79:bf
9ff60df2 2014 lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
2e44ae28
CB		 2015 lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
2016 lxc.net.0.ipv6.address = 2003:db8:1:0:214:5432:feab:3588
7fa3f2e9 2017 lxc.net.1.type = macvlan
2018 lxc.net.1.flags = up
2019 lxc.net.1.link = eth0
2020 lxc.net.1.hwaddr = 4a:49:43:49:79:bd
9ff60df2
CB		 2021 lxc.net.1.ipv4.address = 10.2.3.4/24
2022 lxc.net.1.ipv4.address = 192.168.10.125/24
2e44ae28 2023 lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
7fa3f2e9 2024 lxc.net.2.type = phys
2025 lxc.net.2.flags = up
2026 lxc.net.2.link = dummy0
2027 lxc.net.2.hwaddr = 4a:49:43:49:79:ff
9ff60df2 2028 lxc.net.2.ipv4.address = 10.2.3.6/24
2e44ae28 2029 lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297
c464fd7e
SG		 2030 lxc.cgroup.cpuset.cpus = 0,1
2031 lxc.cgroup.cpu.shares = 1234
2032 lxc.cgroup.devices.deny = a
2033 lxc.cgroup.devices.allow = c 1:3 rw
2034 lxc.cgroup.devices.allow = b 8:0 rw
47148e96 2035 lxc.mount.fstab = /etc/fstab.complex
c464fd7e 2036 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
7a96a068 2037 lxc.rootfs.path = dir:/mnt/rootfs.complex
c464fd7e
SG		 2038 lxc.cap.drop = sys_module mknod setuid net_raw
2039 lxc.cap.drop = mac_override
55fc19a1
SG		 2040 </programlisting>
2041 </refsect2>
2042
2043 </refsect1>
2044
2045 <refsect1>
2046 <title>See Also</title>
2047 <simpara>
2048 <citerefentry>
c464fd7e
SG		 2049 <refentrytitle><command>chroot</command></refentrytitle>
2050 <manvolnum>1</manvolnum>
55fc19a1
SG		 2051 </citerefentry>,
2052
2053 <citerefentry>
c464fd7e
SG		 2054 <refentrytitle><command>pivot_root</command></refentrytitle>
2055 <manvolnum>8</manvolnum>
55fc19a1
SG		 2056 </citerefentry>,
2057
2058 <citerefentry>
c464fd7e
SG		 2059 <refentrytitle><filename>fstab</filename></refentrytitle>
2060 <manvolnum>5</manvolnum>
55fc19a1
SG		 2061 </citerefentry>,
2062
2063 <citerefentry>
c464fd7e
SG		 2064 <refentrytitle><filename>capabilities</filename></refentrytitle>
2065 <manvolnum>7</manvolnum>
55fc19a1
SG		 2066 </citerefentry>
2067 </simpara>
2068 </refsect1>
2069
2070 &seealso;
2071
2072 <refsect1>
2073 <title>Author</title>
2074 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
2075 </refsect1>
2076
2077</refentry>
2078
2079<!-- Keep this comment at the end of the file
2080Local variables:
2081mode: sgml
2082sgml-omittag:t
2083sgml-shorttag:t
2084sgml-minimize-attributes:nil
2085sgml-always-quote-attributes:t
2086sgml-indent-step:2
2087sgml-indent-data:t
2088sgml-parent-document:nil
2089sgml-default-dtd-file:nil
2090sgml-exposed-tags:nil
2091sgml-local-catalogs:nil
2092sgml-local-ecat-files:nil
2093End:
2094-->
LXC mirror