]>
Commit | Line | Data |
---|---|---|
55fc19a1 SG |
1 | <!-- |
2 | ||
3 | lxc: linux Container library | |
4 | ||
5 | (C) Copyright IBM Corp. 2007, 2008 | |
6 | ||
7 | Authors: | |
8 | Daniel Lezcano <daniel.lezcano at free.fr> | |
9 | ||
10 | This library is free software; you can redistribute it and/or | |
11 | modify it under the terms of the GNU Lesser General Public | |
12 | License as published by the Free Software Foundation; either | |
13 | version 2.1 of the License, or (at your option) any later version. | |
14 | ||
15 | This library is distributed in the hope that it will be useful, | |
16 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
18 | Lesser General Public License for more details. | |
19 | ||
20 | You should have received a copy of the GNU Lesser General Public | |
21 | License along with this library; if not, write to the Free Software | |
22 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
23 | ||
24 | --> | |
25 | ||
26 | <!DOCTYPE refentry PUBLIC @docdtd@ [ | |
27 | ||
28 | <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml"> | |
29 | ]> | |
30 | ||
31 | <refentry> | |
32 | ||
33 | <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo> | |
34 | ||
35 | <refmeta> | |
36 | <refentrytitle>lxc.container.conf</refentrytitle> | |
37 | <manvolnum>5</manvolnum> | |
38 | </refmeta> | |
39 | ||
40 | <refnamediv> | |
41 | <refname>lxc.container.conf</refname> | |
42 | ||
43 | <refpurpose> | |
44 | LXC container configuration file | |
45 | </refpurpose> | |
46 | </refnamediv> | |
47 | ||
48 | <refsect1> | |
49 | <title>Description</title> | |
50 | ||
51 | <para> | |
b9986e43 CB |
52 | LXC is the well-known and heavily tested low-level Linux container |
53 | runtime. It is in active development since 2008 and has proven itself in | |
54 | critical production environments world-wide. Some of its core contributors | |
55 | are the same people that helped to implement various well-known | |
56 | containerization features inside the Linux kernel. | |
55fc19a1 SG |
57 | </para> |
58 | ||
59 | <para> | |
b9986e43 CB |
60 | LXC's main focus is system containers. That is, containers which offer an |
61 | environment as close as possible as the one you'd get from a VM but | |
62 | without the overhead that comes with running a separate kernel and | |
63 | simulating all the hardware. | |
55fc19a1 SG |
64 | </para> |
65 | ||
66 | <para> | |
b9986e43 CB |
67 | This is achieved through a combination of kernel security features such as |
68 | namespaces, mandatory access control and control groups. | |
69 | </para> | |
70 | ||
71 | <para> | |
eb4225a0 | 72 | LXC has support for unprivileged containers. Unprivileged containers are |
b9986e43 CB |
73 | containers that are run without any privilege. This requires support for |
74 | user namespaces in the kernel that the container is run on. LXC was the | |
75 | first runtime to support unprivileged containers after user namespaces | |
76 | were merged into the mainline kernel. | |
77 | </para> | |
78 | ||
79 | <para> | |
80 | In essence, user namespaces isolate given sets of UIDs and GIDs. This is | |
81 | achieved by establishing a mapping between a range of UIDs and GIDs on the | |
82 | host to a different (unprivileged) range of UIDs and GIDs in the | |
83 | container. The kernel will translate this mapping in such a way that | |
84 | inside the container all UIDs and GIDs appear as you would expect from the | |
85 | host whereas on the host these UIDs and GIDs are in fact unprivileged. For | |
86 | example, a process running as UID and GID 0 inside the container might | |
87 | appear as UID and GID 100000 on the host. The implementation and working | |
88 | details can be gathered from the corresponding user namespace man page. | |
bdcbb6b3 | 89 | UID and GID mappings can be defined with the <option>lxc.idmap</option> |
b9986e43 CB |
90 | key. |
91 | </para> | |
92 | ||
93 | <para> | |
94 | Linux containers are defined with a simple configuration file. Each | |
95 | option in the configuration file has the form <command>key = | |
96 | value</command> fitting in one line. The "#" character means the line is a | |
97 | comment. List options, like capabilities and cgroups options, can be used | |
98 | with no value to clear any previously defined values of that option. | |
99 | </para> | |
100 | ||
101 | <para> | |
eb4225a0 | 102 | LXC namespaces configuration keys use single dots. This means complex |
7fa3f2e9 | 103 | configuration keys such as <option>lxc.net.0</option> expose various |
104 | subkeys such as <option>lxc.net.0.type</option>, | |
2e44ae28 | 105 | <option>lxc.net.0.link</option>, <option>lxc.net.0.ipv6.address</option>, and |
b9986e43 | 106 | others for even more fine-grained configuration. |
55fc19a1 SG |
107 | </para> |
108 | ||
109 | <refsect2> | |
110 | <title>Configuration</title> | |
111 | <para> | |
b9986e43 CB |
112 | In order to ease administration of multiple related containers, it is |
113 | possible to have a container configuration file cause another file to be | |
114 | loaded. For instance, network configuration can be defined in one common | |
115 | file which is included by multiple containers. Then, if the containers | |
116 | are moved to another host, only one file may need to be updated. | |
55fc19a1 SG |
117 | </para> |
118 | ||
119 | <variablelist> | |
c464fd7e SG |
120 | <varlistentry> |
121 | <term> | |
122 | <option>lxc.include</option> | |
123 | </term> | |
124 | <listitem> | |
125 | <para> | |
126 | Specify the file to be included. The included file must be | |
127 | in the same valid lxc configuration file format. | |
128 | </para> | |
129 | </listitem> | |
130 | </varlistentry> | |
55fc19a1 SG |
131 | </variablelist> |
132 | </refsect2> | |
133 | ||
134 | <refsect2> | |
135 | <title>Architecture</title> | |
136 | <para> | |
b9986e43 CB |
137 | Allows one to set the architecture for the container. For example, set a |
138 | 32bits architecture for a container running 32bits binaries on a 64bits | |
139 | host. This fixes the container scripts which rely on the architecture to | |
140 | do some work like downloading the packages. | |
55fc19a1 SG |
141 | </para> |
142 | ||
143 | <variablelist> | |
c464fd7e SG |
144 | <varlistentry> |
145 | <term> | |
146 | <option>lxc.arch</option> | |
147 | </term> | |
148 | <listitem> | |
149 | <para> | |
150 | Specify the architecture for the container. | |
151 | </para> | |
152 | <para> | |
b9986e43 | 153 | Some valid options are |
c464fd7e SG |
154 | <option>x86</option>, |
155 | <option>i686</option>, | |
156 | <option>x86_64</option>, | |
157 | <option>amd64</option> | |
158 | </para> | |
159 | </listitem> | |
160 | </varlistentry> | |
55fc19a1 SG |
161 | </variablelist> |
162 | ||
163 | </refsect2> | |
164 | ||
165 | <refsect2> | |
166 | <title>Hostname</title> | |
167 | <para> | |
b9986e43 CB |
168 | The utsname section defines the hostname to be set for the container. |
169 | That means the container can set its own hostname without changing the | |
170 | one from the system. That makes the hostname private for the container. | |
55fc19a1 SG |
171 | </para> |
172 | <variablelist> | |
c464fd7e SG |
173 | <varlistentry> |
174 | <term> | |
b67771bc | 175 | <option>lxc.uts.name</option> |
c464fd7e SG |
176 | </term> |
177 | <listitem> | |
178 | <para> | |
179 | specify the hostname for the container | |
180 | </para> | |
181 | </listitem> | |
182 | </varlistentry> | |
55fc19a1 SG |
183 | </variablelist> |
184 | </refsect2> | |
185 | ||
186 | <refsect2> | |
187 | <title>Halt signal</title> | |
188 | <para> | |
b9986e43 CB |
189 | Allows one to specify signal name or number sent to the container's |
190 | init process to cleanly shutdown the container. Different init systems | |
191 | could use different signals to perform clean shutdown sequence. This | |
192 | option allows the signal to be specified in kill(1) fashion, e.g. | |
193 | SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default signal is | |
194 | SIGPWR. | |
55fc19a1 SG |
195 | </para> |
196 | <variablelist> | |
936762f3 BP |
197 | <varlistentry> |
198 | <term> | |
55c84efc | 199 | <option>lxc.signal.halt</option> |
936762f3 BP |
200 | </term> |
201 | <listitem> | |
202 | <para> | |
203 | specify the signal used to halt the container | |
204 | </para> | |
205 | </listitem> | |
206 | </varlistentry> | |
207 | </variablelist> | |
208 | </refsect2> | |
209 | ||
210 | <refsect2> | |
211 | <title>Reboot signal</title> | |
212 | <para> | |
b9986e43 CB |
213 | Allows one to specify signal name or number to reboot the container. |
214 | This option allows signal to be specified in kill(1) fashion, e.g. | |
215 | SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default signal | |
216 | is SIGINT. | |
936762f3 BP |
217 | </para> |
218 | <variablelist> | |
219 | <varlistentry> | |
220 | <term> | |
55c84efc | 221 | <option>lxc.signal.reboot</option> |
936762f3 BP |
222 | </term> |
223 | <listitem> | |
224 | <para> | |
225 | specify the signal used to reboot the container | |
226 | </para> | |
227 | </listitem> | |
228 | </varlistentry> | |
55fc19a1 SG |
229 | </variablelist> |
230 | </refsect2> | |
231 | ||
232 | <refsect2> | |
233 | <title>Stop signal</title> | |
234 | <para> | |
b9986e43 CB |
235 | Allows one to specify signal name or number to forcibly shutdown the |
236 | container. This option allows signal to be specified in kill(1) fashion, | |
237 | e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default | |
238 | signal is SIGKILL. | |
936762f3 BP |
239 | </para> |
240 | <variablelist> | |
241 | <varlistentry> | |
242 | <term> | |
55c84efc | 243 | <option>lxc.signal.stop</option> |
936762f3 BP |
244 | </term> |
245 | <listitem> | |
246 | <para> | |
247 | specify the signal used to stop the container | |
248 | </para> | |
249 | </listitem> | |
250 | </varlistentry> | |
55fc19a1 SG |
251 | </variablelist> |
252 | </refsect2> | |
253 | ||
67c660d0 SG |
254 | <refsect2> |
255 | <title>Init command</title> | |
256 | <para> | |
257 | Sets the command to use as the init system for the containers. | |
67c660d0 | 258 | </para> |
5cda27c1 SH |
259 | <variablelist> |
260 | <varlistentry> | |
261 | <term> | |
262 | <option>lxc.execute.cmd</option> | |
263 | </term> | |
264 | <listitem> | |
265 | <para> | |
266 | Absolute path from container rootfs to the binary to run by default. This | |
fcd95ae9 | 267 | mostly makes sense for <command>lxc-execute</command>. |
5cda27c1 SH |
268 | </para> |
269 | </listitem> | |
270 | </varlistentry> | |
271 | </variablelist> | |
67c660d0 | 272 | <variablelist> |
936762f3 BP |
273 | <varlistentry> |
274 | <term> | |
9dcf7b4d | 275 | <option>lxc.init.cmd</option> |
936762f3 BP |
276 | </term> |
277 | <listitem> | |
278 | <para> | |
fcd95ae9 KY |
279 | Absolute path from container rootfs to the binary to use as init. This |
280 | mostly makes sense for <command>lxc-start</command>. Default is <command>/sbin/init</command>. | |
936762f3 BP |
281 | </para> |
282 | </listitem> | |
283 | </varlistentry> | |
67c660d0 SG |
284 | </variablelist> |
285 | </refsect2> | |
286 | ||
3c491553 L |
287 | <refsect2> |
288 | <title>Init working directory</title> | |
289 | <para> | |
290 | Sets the absolute path inside the container as the working directory for the containers. | |
291 | LXC will switch to this directory before executing init. | |
292 | </para> | |
293 | <variablelist> | |
294 | <varlistentry> | |
295 | <term> | |
296 | <option>lxc.init.cwd</option> | |
297 | </term> | |
298 | <listitem> | |
299 | <para> | |
300 | Absolute path inside the container to use as the working directory. | |
301 | </para> | |
302 | </listitem> | |
303 | </varlistentry> | |
304 | </variablelist> | |
305 | </refsect2> | |
306 | ||
dbca9237 PT |
307 | <refsect2> |
308 | <title>Init ID</title> | |
309 | <para> | |
b9986e43 | 310 | Sets the UID/GID to use for the init system, and subsequent commands. |
14a7b0f9 | 311 | Note that using a non-root UID when booting a system container will |
b9986e43 | 312 | likely not work due to missing privileges. Setting the UID/GID is mostly |
14a7b0f9 | 313 | useful when running application containers. |
dbca9237 PT |
314 | |
315 | Defaults to: UID(0), GID(0) | |
316 | </para> | |
317 | <variablelist> | |
318 | <varlistentry> | |
319 | <term> | |
9dcf7b4d | 320 | <option>lxc.init.uid</option> |
dbca9237 PT |
321 | </term> |
322 | <listitem> | |
323 | <para> | |
b9986e43 | 324 | UID to use for init. |
dbca9237 PT |
325 | </para> |
326 | </listitem> | |
327 | </varlistentry> | |
328 | <varlistentry> | |
329 | <term> | |
9dcf7b4d | 330 | <option>lxc.init.gid</option> |
dbca9237 PT |
331 | </term> |
332 | <listitem> | |
333 | <para> | |
b9986e43 | 334 | GID to use for init. |
dbca9237 PT |
335 | </para> |
336 | </listitem> | |
337 | </varlistentry> | |
338 | </variablelist> | |
339 | </refsect2> | |
340 | ||
61d7a733 YT |
341 | <refsect2> |
342 | <title>Proc</title> | |
343 | <para> | |
344 | Configure proc filesystem for the container. | |
345 | </para> | |
346 | <variablelist> | |
347 | <varlistentry> | |
348 | <term> | |
349 | <option>lxc.proc.[proc file name]</option> | |
350 | </term> | |
351 | <listitem> | |
352 | <para> | |
eb4225a0 | 353 | Specify the proc file name to be set. The file names available |
61d7a733 YT |
354 | are those listed under /proc/PID/. |
355 | Example: | |
356 | </para> | |
357 | <programlisting> | |
358 | lxc.proc.oom_score_adj = 10 | |
359 | </programlisting> | |
360 | </listitem> | |
361 | </varlistentry> | |
362 | </variablelist> | |
363 | </refsect2> | |
364 | ||
4e6eb26b CB |
365 | <refsect2> |
366 | <title>Ephemeral</title> | |
367 | <para> | |
368 | Allows one to specify whether a container will be destroyed on shutdown. | |
369 | </para> | |
370 | <variablelist> | |
371 | <varlistentry> | |
372 | <term> | |
373 | <option>lxc.ephemeral</option> | |
374 | </term> | |
375 | <listitem> | |
376 | <para> | |
377 | The only allowed values are 0 and 1. Set this to 1 to destroy a | |
378 | container on shutdown. | |
379 | </para> | |
380 | </listitem> | |
381 | </varlistentry> | |
382 | </variablelist> | |
383 | </refsect2> | |
384 | ||
55fc19a1 SG |
385 | <refsect2> |
386 | <title>Network</title> | |
387 | <para> | |
c464fd7e SG |
388 | The network section defines how the network is virtualized in |
389 | the container. The network virtualization acts at layer | |
390 | two. In order to use the network virtualization, parameters | |
391 | must be specified to define the network interfaces of the | |
392 | container. Several virtual interfaces can be assigned and used | |
393 | in a container even if the system has only one physical | |
394 | network interface. | |
55fc19a1 SG |
395 | </para> |
396 | <variablelist> | |
020104c3 MH |
397 | <varlistentry> |
398 | <term> | |
7fa3f2e9 | 399 | <option>lxc.net</option> |
020104c3 MH |
400 | </term> |
401 | <listitem> | |
402 | <para> | |
403 | may be used without a value to clear all previous network options. | |
404 | </para> | |
405 | </listitem> | |
406 | </varlistentry> | |
c464fd7e SG |
407 | <varlistentry> |
408 | <term> | |
7fa3f2e9 | 409 | <option>lxc.net.[i].type</option> |
c464fd7e SG |
410 | </term> |
411 | <listitem> | |
412 | <para> | |
413 | specify what kind of network virtualization to be used | |
b9986e43 CB |
414 | for the container. |
415 | Multiple networks can be specified by using an additional index | |
416 | <option>i</option> | |
7fa3f2e9 | 417 | after all <option>lxc.net.*</option> keys. For example, |
418 | <option>lxc.net.0.type = veth</option> and | |
419 | <option>lxc.net.1.type = veth</option> specify two different | |
b9986e43 CB |
420 | networks of the same type. All keys sharing the same index |
421 | <option>i</option> will be treated as belonging to the same | |
7fa3f2e9 | 422 | network. For example, <option>lxc.net.0.link = br0</option> |
423 | will belong to <option>lxc.net.0.type</option>. | |
b9986e43 | 424 | Currently, the different virtualization types can be: |
c464fd7e SG |
425 | </para> |
426 | ||
427 | <para> | |
428 | <option>none:</option> will cause the container to share | |
429 | the host's network namespace. This means the host | |
430 | network devices are usable in the container. It also | |
431 | means that if both the container and host have upstart as | |
432 | init, 'halt' in a container (for instance) will shut down the | |
e4b3e369 AK |
433 | host. Note that unprivileged containers do not work with this |
434 | setting due to an inability to mount sysfs. An unsafe workaround | |
435 | would be to bind mount the host's sysfs. | |
c464fd7e SG |
436 | </para> |
437 | ||
438 | <para> | |
439 | <option>empty:</option> will create only the loopback | |
440 | interface. | |
441 | </para> | |
442 | ||
443 | <para> | |
38005c54 MA |
444 | <option>veth:</option> a virtual ethernet pair |
445 | device is created with one side assigned to the container | |
446 | and the other side attached to a bridge specified by | |
7fa3f2e9 | 447 | the <option>lxc.net.[i].link</option> option. |
38005c54 MA |
448 | If the bridge is not specified, then the veth pair device |
449 | will be created but not attached to any bridge. | |
450 | Otherwise, the bridge has to be created on the system | |
451 | before starting the container. | |
452 | <command>lxc</command> won't handle any | |
453 | configuration outside of the container. | |
454 | By default, <command>lxc</command> chooses a name for the | |
c464fd7e | 455 | network device belonging to the outside of the |
38005c54 MA |
456 | container, but if you wish to handle |
457 | this name yourselves, you can tell <command>lxc</command> | |
c464fd7e | 458 | to set a specific name with |
7fa3f2e9 | 459 | the <option>lxc.net.[i].veth.pair</option> option (except for |
c464fd7e SG |
460 | unprivileged containers where this option is ignored for security |
461 | reasons). | |
462 | </para> | |
463 | ||
464 | <para> | |
465 | <option>vlan:</option> a vlan interface is linked with | |
466 | the interface specified by | |
7fa3f2e9 | 467 | the <option>lxc.net.[i].link</option> and assigned to |
c464fd7e | 468 | the container. The vlan identifier is specified with the |
7fa3f2e9 | 469 | option <option>lxc.net.[i].vlan.id</option>. |
c464fd7e SG |
470 | </para> |
471 | ||
472 | <para> | |
473 | <option>macvlan:</option> a macvlan interface is linked | |
474 | with the interface specified by | |
7fa3f2e9 | 475 | the <option>lxc.net.[i].link</option> and assigned to |
c464fd7e | 476 | the container. |
7fa3f2e9 | 477 | <option>lxc.net.[i].macvlan.mode</option> specifies the |
c464fd7e SG |
478 | mode the macvlan will use to communicate between |
479 | different macvlan on the same upper device. The accepted | |
c15ea607 EL |
480 | modes are <option>private</option>, <option>vepa</option>, |
481 | <option>bridge</option> and <option>passthru</option>. | |
482 | In <option>private</option> mode, the device never | |
483 | communicates with any other device on the same upper_dev (default). | |
484 | In <option>vepa</option> mode, the new Virtual Ethernet Port | |
c464fd7e SG |
485 | Aggregator (VEPA) mode, it assumes that the adjacent |
486 | bridge returns all frames where both source and | |
487 | destination are local to the macvlan port, i.e. the | |
488 | bridge is set up as a reflective relay. Broadcast | |
489 | frames coming in from the upper_dev get flooded to all | |
490 | macvlan interfaces in VEPA mode, local frames are not | |
c15ea607 | 491 | delivered locally. In <option>bridge</option> mode, it |
c464fd7e SG |
492 | provides the behavior of a simple bridge between |
493 | different macvlan interfaces on the same port. Frames | |
494 | from one interface to another one get delivered directly | |
495 | and are not sent out externally. Broadcast frames get | |
496 | flooded to all other bridge ports and to the external | |
497 | interface, but when they come back from a reflective | |
498 | relay, we don't deliver them again. Since we know all | |
499 | the MAC addresses, the macvlan bridge mode does not | |
c15ea607 EL |
500 | require learning or STP like the bridge module does. In |
501 | <option>passthru</option> mode, all frames received by | |
502 | the physical interface are forwarded to the macvlan | |
503 | interface. Only one macvlan interface in <option>passthru</option> | |
504 | mode is possible for one physical interface. | |
c464fd7e SG |
505 | </para> |
506 | ||
507 | <para> | |
508 | <option>phys:</option> an already existing interface | |
7fa3f2e9 | 509 | specified by the <option>lxc.net.[i].link</option> is |
c464fd7e SG |
510 | assigned to the container. |
511 | </para> | |
512 | </listitem> | |
513 | </varlistentry> | |
514 | ||
515 | <varlistentry> | |
516 | <term> | |
7fa3f2e9 | 517 | <option>lxc.net.[i].flags</option> |
c464fd7e SG |
518 | </term> |
519 | <listitem> | |
520 | <para> | |
b9986e43 | 521 | Specify an action to do for the network. |
c464fd7e SG |
522 | </para> |
523 | ||
524 | <para><option>up:</option> activates the interface. | |
525 | </para> | |
526 | </listitem> | |
527 | </varlistentry> | |
528 | ||
529 | <varlistentry> | |
530 | <term> | |
7fa3f2e9 | 531 | <option>lxc.net.[i].link</option> |
c464fd7e SG |
532 | </term> |
533 | <listitem> | |
534 | <para> | |
b9986e43 CB |
535 | Specify the interface to be used for real network traffic. |
536 | </para> | |
c464fd7e SG |
537 | </listitem> |
538 | </varlistentry> | |
539 | ||
540 | <varlistentry> | |
541 | <term> | |
7fa3f2e9 | 542 | <option>lxc.net.[i].mtu</option> |
c464fd7e SG |
543 | </term> |
544 | <listitem> | |
545 | <para> | |
b9986e43 | 546 | Specify the maximum transfer unit for this interface. |
c464fd7e SG |
547 | </para> |
548 | </listitem> | |
549 | </varlistentry> | |
550 | ||
551 | <varlistentry> | |
552 | <term> | |
7fa3f2e9 | 553 | <option>lxc.net.[i].name</option> |
c464fd7e SG |
554 | </term> |
555 | <listitem> | |
556 | <para> | |
b9986e43 CB |
557 | The interface name is dynamically allocated, but if another name |
558 | is needed because the configuration files being used by the | |
559 | container use a generic name, eg. eth0, this option will rename | |
560 | the interface in the container. | |
c464fd7e SG |
561 | </para> |
562 | </listitem> | |
563 | </varlistentry> | |
564 | ||
565 | <varlistentry> | |
566 | <term> | |
7fa3f2e9 | 567 | <option>lxc.net.[i].hwaddr</option> |
c464fd7e SG |
568 | </term> |
569 | <listitem> | |
570 | <para> | |
b9986e43 CB |
571 | The interface mac address is dynamically allocated by default to |
572 | the virtual interface, but in some cases, this is needed to | |
573 | resolve a mac address conflict or to always have the same | |
574 | link-local ipv6 address. Any "x" in address will be replaced by | |
575 | random value, this allows setting hwaddr templates. | |
c464fd7e SG |
576 | </para> |
577 | </listitem> | |
578 | </varlistentry> | |
579 | ||
580 | <varlistentry> | |
581 | <term> | |
9ff60df2 | 582 | <option>lxc.net.[i].ipv4.address</option> |
c464fd7e SG |
583 | </term> |
584 | <listitem> | |
585 | <para> | |
b9986e43 CB |
586 | Specify the ipv4 address to assign to the virtualized interface. |
587 | Several lines specify several ipv4 addresses. The address is in | |
588 | format x.y.z.t/m, eg. 192.168.1.123/24. | |
c464fd7e SG |
589 | </para> |
590 | </listitem> | |
591 | </varlistentry> | |
592 | ||
593 | <varlistentry> | |
594 | <term> | |
7fa3f2e9 | 595 | <option>lxc.net.[i].ipv4.gateway</option> |
c464fd7e SG |
596 | </term> |
597 | <listitem> | |
598 | <para> | |
b9986e43 CB |
599 | Specify the ipv4 address to use as the gateway inside the |
600 | container. The address is in format x.y.z.t, eg. 192.168.1.123. | |
c464fd7e SG |
601 | |
602 | Can also have the special value <option>auto</option>, | |
603 | which means to take the primary address from the bridge | |
604 | interface (as specified by the | |
7fa3f2e9 | 605 | <option>lxc.net.[i].link</option> option) and use that as |
c464fd7e SG |
606 | the gateway. <option>auto</option> is only available when |
607 | using the <option>veth</option> and | |
608 | <option>macvlan</option> network types. | |
609 | </para> | |
610 | </listitem> | |
611 | </varlistentry> | |
612 | ||
c464fd7e SG |
613 | <varlistentry> |
614 | <term> | |
2e44ae28 | 615 | <option>lxc.net.[i].ipv6.address</option> |
c464fd7e SG |
616 | </term> |
617 | <listitem> | |
618 | <para> | |
b9986e43 CB |
619 | Specify the ipv6 address to assign to the virtualized |
620 | interface. Several lines specify several ipv6 addresses. The | |
621 | address is in format x::y/m, eg. | |
622 | 2003:db8:1:0:214:1234:fe0b:3596/64 | |
c464fd7e SG |
623 | </para> |
624 | </listitem> | |
625 | </varlistentry> | |
626 | ||
627 | <varlistentry> | |
628 | <term> | |
7fa3f2e9 | 629 | <option>lxc.net.[i].ipv6.gateway</option> |
c464fd7e SG |
630 | </term> |
631 | <listitem> | |
632 | <para> | |
b9986e43 CB |
633 | Specify the ipv6 address to use as the gateway inside the |
634 | container. The address is in format x::y, eg. 2003:db8:1:0::1 | |
c464fd7e SG |
635 | |
636 | Can also have the special value <option>auto</option>, | |
637 | which means to take the primary address from the bridge | |
638 | interface (as specified by the | |
7fa3f2e9 | 639 | <option>lxc.net.[i].link</option> option) and use that as |
c464fd7e SG |
640 | the gateway. <option>auto</option> is only available when |
641 | using the <option>veth</option> and | |
642 | <option>macvlan</option> network types. | |
643 | </para> | |
644 | </listitem> | |
645 | </varlistentry> | |
646 | ||
647 | <varlistentry> | |
648 | <term> | |
7fa3f2e9 | 649 | <option>lxc.net.[i].script.up</option> |
c464fd7e SG |
650 | </term> |
651 | <listitem> | |
652 | <para> | |
b9986e43 | 653 | Add a configuration option to specify a script to be |
c464fd7e | 654 | executed after creating and configuring the network used |
14a7b0f9 CB |
655 | from the host side. |
656 | </para> | |
657 | ||
658 | <para> | |
659 | In addition to the information available to all hooks. The | |
660 | following information is provided to the script: | |
661 | <itemizedlist> | |
662 | <listitem> | |
663 | <para> | |
664 | LXC_HOOK_TYPE: the hook type. This is either 'up' or 'down'. | |
665 | </para> | |
666 | </listitem> | |
667 | ||
668 | <listitem> | |
669 | <para> | |
670 | LXC_HOOK_SECTION: the section type 'net'. | |
671 | </para> | |
672 | </listitem> | |
673 | ||
674 | <listitem> | |
675 | <para> | |
676 | LXC_NET_TYPE: the network type. This is one of the valid | |
677 | network types listed here (e.g. 'macvlan', 'veth'). | |
678 | </para> | |
679 | </listitem> | |
680 | ||
681 | <listitem> | |
682 | <para> | |
683 | LXC_NET_PARENT: the parent device on the host. This is only | |
684 | set for network types 'mavclan', 'veth', 'phys'. | |
685 | </para> | |
686 | </listitem> | |
687 | ||
688 | <listitem> | |
689 | <para> | |
690 | LXC_NET_PEER: the name of the peer device on the host. This is | |
691 | only set for 'veth' network types. Note that this information | |
692 | is only available when <option>lxc.hook.version</option> is set | |
693 | to 1. | |
694 | </para> | |
695 | </listitem> | |
696 | </itemizedlist> | |
697 | ||
698 | Whether this information is provided in the form of environment | |
699 | variables or as arguments to the script depends on the value of | |
700 | <option>lxc.hook.version</option>. If set to 1 then information is | |
701 | provided in the form of environment variables. If set to 0 | |
702 | information is provided as arguments to the script. | |
c464fd7e | 703 | </para> |
14a7b0f9 | 704 | |
c464fd7e SG |
705 | <para> |
706 | Standard output from the script is logged at debug level. | |
707 | Standard error is not logged, but can be captured by the | |
708 | hook redirecting its standard error to standard output. | |
709 | </para> | |
710 | </listitem> | |
711 | </varlistentry> | |
712 | ||
713 | <varlistentry> | |
714 | <term> | |
7fa3f2e9 | 715 | <option>lxc.net.[i].script.down</option> |
c464fd7e SG |
716 | </term> |
717 | <listitem> | |
718 | <para> | |
b9986e43 | 719 | Add a configuration option to specify a script to be |
c464fd7e | 720 | executed before destroying the network used from the |
14a7b0f9 CB |
721 | host side. |
722 | </para> | |
723 | ||
724 | <para> | |
725 | In addition to the information available to all hooks. The | |
726 | following information is provided to the script: | |
727 | <itemizedlist> | |
728 | <listitem> | |
729 | <para> | |
730 | LXC_HOOK_TYPE: the hook type. This is either 'up' or 'down'. | |
731 | </para> | |
732 | </listitem> | |
733 | ||
734 | <listitem> | |
735 | <para> | |
736 | LXC_HOOK_SECTION: the section type 'net'. | |
737 | </para> | |
738 | </listitem> | |
739 | ||
740 | <listitem> | |
741 | <para> | |
742 | LXC_NET_TYPE: the network type. This is one of the valid | |
743 | network types listed here (e.g. 'macvlan', 'veth'). | |
744 | </para> | |
745 | </listitem> | |
746 | ||
747 | <listitem> | |
748 | <para> | |
749 | LXC_NET_PARENT: the parent device on the host. This is only | |
750 | set for network types 'mavclan', 'veth', 'phys'. | |
751 | </para> | |
752 | </listitem> | |
753 | ||
754 | <listitem> | |
755 | <para> | |
756 | LXC_NET_PEER: the name of the peer device on the host. This is | |
757 | only set for 'veth' network types. Note that this information | |
758 | is only available when <option>lxc.hook.version</option> is set | |
759 | to 1. | |
760 | </para> | |
761 | </listitem> | |
762 | </itemizedlist> | |
763 | ||
764 | Whether this information is provided in the form of environment | |
765 | variables or as arguments to the script depends on the value of | |
766 | <option>lxc.hook.version</option>. If set to 1 then information is | |
767 | provided in the form of environment variables. If set to 0 | |
768 | information is provided as arguments to the script. | |
c464fd7e | 769 | </para> |
14a7b0f9 | 770 | |
c464fd7e SG |
771 | <para> |
772 | Standard output from the script is logged at debug level. | |
773 | Standard error is not logged, but can be captured by the | |
774 | hook redirecting its standard error to standard output. | |
775 | </para> | |
776 | </listitem> | |
777 | </varlistentry> | |
55fc19a1 SG |
778 | </variablelist> |
779 | </refsect2> | |
780 | ||
781 | <refsect2> | |
782 | <title>New pseudo tty instance (devpts)</title> | |
783 | <para> | |
c464fd7e SG |
784 | For stricter isolation the container can have its own private |
785 | instance of the pseudo tty. | |
55fc19a1 SG |
786 | </para> |
787 | <variablelist> | |
c464fd7e SG |
788 | <varlistentry> |
789 | <term> | |
232763d6 | 790 | <option>lxc.pty.max</option> |
c464fd7e SG |
791 | </term> |
792 | <listitem> | |
793 | <para> | |
794 | If set, the container will have a new pseudo tty | |
795 | instance, making this private to it. The value specifies | |
55fc19a1 SG |
796 | the maximum number of pseudo ttys allowed for a pts |
797 | instance (this limitation is not implemented yet). | |
c464fd7e SG |
798 | </para> |
799 | </listitem> | |
800 | </varlistentry> | |
55fc19a1 SG |
801 | </variablelist> |
802 | </refsect2> | |
803 | ||
804 | <refsect2> | |
805 | <title>Container system console</title> | |
806 | <para> | |
c464fd7e SG |
807 | If the container is configured with a root filesystem and the |
808 | inittab file is setup to use the console, you may want to specify | |
809 | where the output of this console goes. | |
55fc19a1 SG |
810 | </para> |
811 | <variablelist> | |
28f3b1cd CB |
812 | |
813 | <varlistentry> | |
814 | <term> | |
815 | <option>lxc.console.buffer.size</option> | |
816 | </term> | |
817 | <listitem> | |
818 | <para> | |
819 | Setting this option instructs liblxc to allocate an in-memory | |
820 | ringbuffer. The container's console output will be written to the | |
821 | ringbuffer. Note that ringbuffer must be at least as big as a | |
822 | standard page size. When passed a value smaller than a single page | |
823 | size liblxc will allocate a ringbuffer of a single page size. A page | |
39ebeb72 | 824 | size is usually 4KB. |
28f3b1cd CB |
825 | |
826 | The keyword 'auto' will cause liblxc to allocate a ringbuffer of | |
39ebeb72 | 827 | 128KB. |
28f3b1cd CB |
828 | |
829 | When manually specifying a size for the ringbuffer the value should | |
830 | be a power of 2 when converted to bytes. Valid size prefixes are | |
39ebeb72 | 831 | 'KB', 'MB', 'GB'. (Note that all conversions are based on multiples |
832 | of 1024. That means 'KB' == 'KiB', 'MB' == 'MiB', 'GB' == 'GiB'. | |
6d276edc CB |
833 | Additionally, the case of the suffix is ignored, i.e. 'kB', 'KB' and |
834 | 'Kb' are treated equally.) | |
28f3b1cd CB |
835 | </para> |
836 | </listitem> | |
837 | </varlistentry> | |
838 | ||
861813e5 CB |
839 | <varlistentry> |
840 | <term> | |
841 | <option>lxc.console.size</option> | |
842 | </term> | |
843 | <listitem> | |
844 | <para> | |
845 | Setting this option instructs liblxc to place a limit on the size of | |
846 | the console log file specified in | |
847 | <option>lxc.console.logfile</option>. Note that size of the log file | |
848 | must be at least as big as a standard page size. When passed a value | |
849 | smaller than a single page size liblxc will set the size of log file | |
39ebeb72 | 850 | to a single page size. A page size is usually 4KB. |
861813e5 | 851 | |
39ebeb72 | 852 | The keyword 'auto' will cause liblxc to place a limit of 128KB on |
861813e5 CB |
853 | the log file. |
854 | ||
855 | When manually specifying a size for the log file the value should | |
856 | be a power of 2 when converted to bytes. Valid size prefixes are | |
39ebeb72 | 857 | 'KB', 'MB', 'GB'. (Note that all conversions are based on multiples |
858 | of 1024. That means 'KB' == 'KiB', 'MB' == 'MiB', 'GB' == 'GiB'. | |
6d276edc CB |
859 | Additionally, the case of the suffix is ignored, i.e. 'kB', 'KB' and |
860 | 'Kb' are treated equally.) | |
861813e5 CB |
861 | |
862 | If users want to mirror the console ringbuffer on disk they should set | |
863 | <option>lxc.console.size</option> equal to | |
864 | <option>lxc.console.buffer.size</option>. | |
865 | </para> | |
866 | </listitem> | |
867 | </varlistentry> | |
868 | ||
c464fd7e SG |
869 | <varlistentry> |
870 | <term> | |
871 | <option>lxc.console.logfile</option> | |
872 | </term> | |
873 | <listitem> | |
874 | <para> | |
d91adfa6 CB |
875 | Specify a path to a file where the console output will be written. |
876 | Note that in contrast to the on-disk ringbuffer logfile this file | |
877 | will keep growing potentially filling up the users disks if not | |
878 | rotated and deleted. This problem can also be avoided by using the | |
879 | in-memory ringbuffer options | |
880 | <option>lxc.console.buffer.size</option> and | |
881 | <option>lxc.console.buffer.logfile</option>. | |
c464fd7e SG |
882 | </para> |
883 | </listitem> | |
884 | </varlistentry> | |
d91adfa6 CB |
885 | |
886 | <varlistentry> | |
887 | <term> | |
888 | <option>lxc.console.rotate</option> | |
889 | </term> | |
890 | <listitem> | |
891 | <para> | |
892 | Whether to rotate the console logfile specified in | |
893 | <option>lxc.console.logfile</option>. Users can send an API | |
894 | request to rotate the logfile. Note that the old logfile will have | |
895 | the same name as the original with the suffix ".1" appended. | |
896 | ||
897 | Users wishing to prevent the console log file from filling the | |
898 | disk should rotate the logfile and delete it if unneeded. This | |
899 | problem can also be avoided by using the in-memory ringbuffer | |
900 | options <option>lxc.console.buffer.size</option> and | |
901 | <option>lxc.console.buffer.logfile</option>. | |
902 | </para> | |
903 | </listitem> | |
904 | </varlistentry> | |
905 | ||
c464fd7e SG |
906 | <varlistentry> |
907 | <term> | |
3aed4934 | 908 | <option>lxc.console.path</option> |
c464fd7e SG |
909 | </term> |
910 | <listitem> | |
911 | <para> | |
912 | Specify a path to a device to which the console will be | |
6e3bb289 CB |
913 | attached. The keyword 'none' will simply disable the |
914 | console. Note, when specifying 'none' and creating a device node | |
915 | for the console in the container at /dev/console or bind-mounting | |
916 | the hosts's /dev/console into the container at /dev/console the | |
917 | container will have direct access to the hosts's /dev/console. | |
918 | This is dangerous when the container has write access to the | |
919 | device and should thus be used with caution. | |
c464fd7e SG |
920 | </para> |
921 | </listitem> | |
922 | </varlistentry> | |
55fc19a1 SG |
923 | </variablelist> |
924 | </refsect2> | |
925 | ||
926 | <refsect2> | |
927 | <title>Console through the ttys</title> | |
928 | <para> | |
c464fd7e SG |
929 | This option is useful if the container is configured with a root |
930 | filesystem and the inittab file is setup to launch a getty on the | |
931 | ttys. The option specifies the number of ttys to be available for | |
932 | the container. The number of gettys in the inittab file of the | |
933 | container should not be greater than the number of ttys specified | |
934 | in this option, otherwise the excess getty sessions will die and | |
935 | respawn indefinitely giving annoying messages on the console or in | |
936 | <filename>/var/log/messages</filename>. | |
55fc19a1 SG |
937 | </para> |
938 | <variablelist> | |
c464fd7e SG |
939 | <varlistentry> |
940 | <term> | |
fe1c5887 | 941 | <option>lxc.tty.max</option> |
c464fd7e SG |
942 | </term> |
943 | <listitem> | |
944 | <para> | |
945 | Specify the number of tty to make available to the | |
946 | container. | |
947 | </para> | |
948 | </listitem> | |
949 | </varlistentry> | |
55fc19a1 SG |
950 | </variablelist> |
951 | </refsect2> | |
952 | ||
953 | <refsect2> | |
954 | <title>Console devices location</title> | |
955 | <para> | |
956 | LXC consoles are provided through Unix98 PTYs created on the | |
c464fd7e SG |
957 | host and bind-mounted over the expected devices in the container. |
958 | By default, they are bind-mounted over <filename>/dev/console</filename> | |
959 | and <filename>/dev/ttyN</filename>. This can prevent package upgrades | |
960 | in the guest. Therefore you can specify a directory location (under | |
961 | <filename>/dev</filename> under which LXC will create the files and | |
962 | bind-mount over them. These will then be symbolically linked to | |
963 | <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>. | |
964 | A package upgrade can then succeed as it is able to remove and replace | |
965 | the symbolic links. | |
55fc19a1 SG |
966 | </para> |
967 | <variablelist> | |
c464fd7e SG |
968 | <varlistentry> |
969 | <term> | |
fe1c5887 | 970 | <option>lxc.tty.dir</option> |
c464fd7e SG |
971 | </term> |
972 | <listitem> | |
973 | <para> | |
974 | Specify a directory under <filename>/dev</filename> | |
6e3bb289 CB |
975 | under which to create the container console devices. Note that LXC |
976 | will move any bind-mounts or device nodes for /dev/console into | |
977 | this directory. | |
c464fd7e SG |
978 | </para> |
979 | </listitem> | |
980 | </varlistentry> | |
55fc19a1 SG |
981 | </variablelist> |
982 | </refsect2> | |
983 | ||
984 | <refsect2> | |
985 | <title>/dev directory</title> | |
986 | <para> | |
c464fd7e SG |
987 | By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr) |
988 | in the container's <filename>/dev</filename> directory but does not | |
989 | automatically create device node entries. This allows the container's | |
990 | <filename>/dev</filename> to be set up as needed in the container | |
991 | rootfs. If lxc.autodev is set to 1, then after mounting the container's | |
992 | rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename> | |
c35d2909 | 993 | (limited to 500k) and fill in a minimal set of initial devices. |
55fc19a1 SG |
994 | This is generally required when starting a container containing |
995 | a "systemd" based "init" but may be optional at other times. Additional | |
996 | devices in the containers /dev directory may be created through the | |
997 | use of the <option>lxc.hook.autodev</option> hook. | |
998 | </para> | |
999 | <variablelist> | |
c464fd7e SG |
1000 | <varlistentry> |
1001 | <term> | |
1002 | <option>lxc.autodev</option> | |
1003 | </term> | |
1004 | <listitem> | |
1005 | <para> | |
124fa0a8 | 1006 | Set this to 0 to stop LXC from mounting and populating a minimal |
c464fd7e SG |
1007 | <filename>/dev</filename> when starting the container. |
1008 | </para> | |
1009 | </listitem> | |
1010 | </varlistentry> | |
55fc19a1 | 1011 | </variablelist> |
55fc19a1 SG |
1012 | </refsect2> |
1013 | ||
1014 | <refsect2> | |
1015 | <title>Mount points</title> | |
1016 | <para> | |
c464fd7e SG |
1017 | The mount points section specifies the different places to be |
1018 | mounted. These mount points will be private to the container | |
1019 | and won't be visible by the processes running outside of the | |
1020 | container. This is useful to mount /etc, /var or /home for | |
1021 | examples. | |
55fc19a1 | 1022 | </para> |
592fd47a SH |
1023 | <para> |
1024 | NOTE - LXC will generally ensure that mount targets and relative | |
1025 | bind-mount sources are properly confined under the container | |
1026 | root, to avoid attacks involving over-mounting host directories | |
1027 | and files. (Symbolic links in absolute mount sources are ignored) | |
1028 | However, if the container configuration first mounts a directory which | |
1029 | is under the control of the container user, such as /home/joe, into | |
1030 | the container at some <filename>path</filename>, and then mounts | |
1031 | under <filename>path</filename>, then a TOCTTOU attack would be | |
1032 | possible where the container user modifies a symbolic link under | |
1033 | his home directory at just the right time. | |
1034 | </para> | |
55fc19a1 | 1035 | <variablelist> |
c464fd7e SG |
1036 | <varlistentry> |
1037 | <term> | |
47148e96 | 1038 | <option>lxc.mount.fstab</option> |
c464fd7e SG |
1039 | </term> |
1040 | <listitem> | |
1041 | <para> | |
1042 | specify a file location in | |
1043 | the <filename>fstab</filename> format, containing the | |
1044 | mount information. The mount target location can and in | |
1045 | most cases should be a relative path, which will become | |
1046 | relative to the mounted container root. For instance, | |
1047 | </para> | |
b9986e43 CB |
1048 | <programlisting> |
1049 | proc proc proc nodev,noexec,nosuid 0 0 | |
1050 | </programlisting> | |
c464fd7e SG |
1051 | <para> |
1052 | Will mount a proc filesystem under the container's /proc, | |
1053 | regardless of where the root filesystem comes from. This | |
1054 | is resilient to block device backed filesystems as well as | |
1055 | container cloning. | |
1056 | </para> | |
1057 | <para> | |
1058 | Note that when mounting a filesystem from an | |
1059 | image file or block device the third field (fs_vfstype) | |
1060 | cannot be auto as with | |
55fc19a1 | 1061 | <citerefentry> |
c464fd7e | 1062 | <refentrytitle>mount</refentrytitle> |
55fc19a1 SG |
1063 | <manvolnum>8</manvolnum> |
1064 | </citerefentry> | |
1065 | but must be explicitly specified. | |
c464fd7e SG |
1066 | </para> |
1067 | </listitem> | |
1068 | </varlistentry> | |
1069 | ||
1070 | <varlistentry> | |
1071 | <term> | |
1072 | <option>lxc.mount.entry</option> | |
1073 | </term> | |
1074 | <listitem> | |
1075 | <para> | |
d840039e | 1076 | Specify a mount point corresponding to a line in the |
c464fd7e | 1077 | fstab format. |
f5b67b36 | 1078 | |
d840039e YT |
1079 | Moreover lxc supports mount propagation, such as rslave or |
1080 | rprivate, and adds three additional mount options. | |
f5b67b36 NC |
1081 | <option>optional</option> don't fail if mount does not work. |
1082 | <option>create=dir</option> or <option>create=file</option> | |
1083 | to create dir (or file) when the point will be mounted. | |
181437fd YT |
1084 | <option>relative</option> source path is taken to be relative to |
1085 | the mounted container root. For instance, | |
1086 | </para> | |
1087 | <screen> | |
1088 | dev/null proc/kcore none bind,relative 0 0 | |
1089 | </screen> | |
1090 | <para> | |
1091 | Will expand dev/null to ${<option>LXC_ROOTFS_MOUNT</option>}/dev/null, | |
1092 | and mount it to proc/kcore inside the container. | |
1093 | </para> | |
c464fd7e SG |
1094 | </listitem> |
1095 | </varlistentry> | |
1096 | ||
1097 | <varlistentry> | |
1098 | <term> | |
1099 | <option>lxc.mount.auto</option> | |
1100 | </term> | |
1101 | <listitem> | |
1102 | <para> | |
1103 | specify which standard kernel file systems should be | |
1104 | automatically mounted. This may dramatically simplify | |
1105 | the configuration. The file systems are: | |
1106 | </para> | |
1107 | <itemizedlist> | |
1108 | <listitem> | |
1109 | <para> | |
1110 | <option>proc:mixed</option> (or <option>proc</option>): | |
1111 | mount <filename>/proc</filename> as read-write, but | |
1112 | remount <filename>/proc/sys</filename> and | |
1113 | <filename>/proc/sysrq-trigger</filename> read-only | |
1114 | for security / container isolation purposes. | |
1115 | </para> | |
1116 | </listitem> | |
1117 | <listitem> | |
1118 | <para> | |
1119 | <option>proc:rw</option>: mount | |
1120 | <filename>/proc</filename> as read-write | |
1121 | </para> | |
1122 | </listitem> | |
1123 | <listitem> | |
1124 | <para> | |
f24a52d5 SG |
1125 | <option>sys:mixed</option> (or <option>sys</option>): |
1126 | mount <filename>/sys</filename> as read-only but with | |
1127 | /sys/devices/virtual/net writable. | |
1128 | </para> | |
1129 | </listitem> | |
1130 | <listitem> | |
1131 | <para> | |
1132 | <option>sys:ro</option>: | |
c464fd7e SG |
1133 | mount <filename>/sys</filename> as read-only |
1134 | for security / container isolation purposes. | |
1135 | </para> | |
1136 | </listitem> | |
1137 | <listitem> | |
1138 | <para> | |
1139 | <option>sys:rw</option>: mount | |
1140 | <filename>/sys</filename> as read-write | |
1141 | </para> | |
1142 | </listitem> | |
3f69fb12 | 1143 | |
c464fd7e SG |
1144 | <listitem> |
1145 | <para> | |
1146 | <option>cgroup:mixed</option>: | |
3f69fb12 SY |
1147 | Mount a tmpfs to <filename>/sys/fs/cgroup</filename>, |
1148 | create directories for all hierarchies to which the container | |
1149 | is added, create subdirectories in those hierarchies with the | |
1150 | name of the cgroup, and bind-mount the container's own cgroup | |
1151 | into that directory. The container will be able to write to | |
1152 | its own cgroup directory, but not the parents, since they will | |
1153 | be remounted read-only. | |
c464fd7e SG |
1154 | </para> |
1155 | </listitem> | |
3f69fb12 | 1156 | |
c464fd7e SG |
1157 | <listitem> |
1158 | <para> | |
3f69fb12 SY |
1159 | <option>cgroup:mixed:force</option>: |
1160 | The <option>force</option> option will cause LXC to perform | |
1161 | the cgroup mounts for the container under all circumstances. | |
1162 | Otherwise it is similar to <option>cgroup:mixed</option>. | |
1163 | This is mainly useful when the cgroup namespaces are enabled | |
1164 | where LXC will normally leave mounting cgroups to the init | |
1165 | binary of the container since it is perfectly safe to do so. | |
c464fd7e SG |
1166 | </para> |
1167 | </listitem> | |
3f69fb12 SY |
1168 | |
1169 | <listitem> | |
1170 | <para> | |
1171 | <option>cgroup:ro</option>: | |
1172 | similar to <option>cgroup:mixed</option>, but everything will | |
1173 | be mounted read-only. | |
1174 | </para> | |
1175 | </listitem> | |
1176 | ||
1177 | <listitem> | |
1178 | <para> | |
1179 | <option>cgroup:ro:force</option>: | |
1180 | The <option>force</option> option will cause LXC to perform | |
1181 | the cgroup mounts for the container under all circumstances. | |
1182 | Otherwise it is similar to <option>cgroup:ro</option>. | |
1183 | This is mainly useful when the cgroup namespaces are enabled | |
1184 | where LXC will normally leave mounting cgroups to the init | |
1185 | binary of the container since it is perfectly safe to do so. | |
1186 | </para> | |
1187 | </listitem> | |
1188 | ||
c464fd7e SG |
1189 | <listitem> |
1190 | <para> | |
1191 | <option>cgroup:rw</option>: similar to | |
3f69fb12 SY |
1192 | <option>cgroup:mixed</option>, but everything will be mounted |
1193 | read-write. Note that the paths leading up to the container's | |
1194 | own cgroup will be writable, but will not be a cgroup | |
1195 | filesystem but just part of the tmpfs of | |
1196 | <filename>/sys/fs/cgroup</filename> | |
1197 | </para> | |
1198 | </listitem> | |
1199 | ||
1200 | <listitem> | |
1201 | <para> | |
1202 | <option>cgroup:rw:force</option>: | |
1203 | The <option>force</option> option will cause LXC to perform | |
1204 | the cgroup mounts for the container under all circumstances. | |
1205 | Otherwise it is similar to <option>cgroup:rw</option>. | |
1206 | This is mainly useful when the cgroup namespaces are enabled | |
1207 | where LXC will normally leave mounting cgroups to the init | |
1208 | binary of the container since it is perfectly safe to do so. | |
c464fd7e SG |
1209 | </para> |
1210 | </listitem> | |
3f69fb12 | 1211 | |
c464fd7e SG |
1212 | <listitem> |
1213 | <para> | |
1214 | <option>cgroup</option> (without specifier): | |
1215 | defaults to <option>cgroup:rw</option> if the | |
1216 | container retains the CAP_SYS_ADMIN capability, | |
1217 | <option>cgroup:mixed</option> otherwise. | |
1218 | </para> | |
1219 | </listitem> | |
e7806b2e | 1220 | |
c464fd7e SG |
1221 | <listitem> |
1222 | <para> | |
1223 | <option>cgroup-full:mixed</option>: | |
1224 | mount a tmpfs to <filename>/sys/fs/cgroup</filename>, | |
1225 | create directories for all hierarchies to which | |
1226 | the container is added, bind-mount the hierarchies | |
1227 | from the host to the container and make everything | |
1228 | read-only except the container's own cgroup. Note | |
1229 | that compared to <option>cgroup</option>, where | |
1230 | all paths leading up to the container's own cgroup | |
1231 | are just simple directories in the underlying | |
1232 | tmpfs, here | |
1233 | <filename>/sys/fs/cgroup/$hierarchy</filename> | |
1234 | will contain the host's full cgroup hierarchy, | |
1235 | albeit read-only outside the container's own cgroup. | |
1236 | This may leak quite a bit of information into the | |
1237 | container. | |
1238 | </para> | |
1239 | </listitem> | |
e7806b2e CB |
1240 | |
1241 | <listitem> | |
1242 | <para> | |
1243 | <option>cgroup-full:mixed:force</option>: | |
1244 | The <option>force</option> option will cause LXC to perform | |
1245 | the cgroup mounts for the container under all circumstances. | |
1246 | Otherwise it is similar to <option>cgroup-full:mixed</option>. | |
1247 | This is mainly useful when the cgroup namespaces are enabled | |
1248 | where LXC will normally leave mounting cgroups to the init | |
1249 | binary of the container since it is perfectly safe to do so. | |
1250 | </para> | |
1251 | </listitem> | |
1252 | ||
c464fd7e SG |
1253 | <listitem> |
1254 | <para> | |
1255 | <option>cgroup-full:ro</option>: similar to | |
1256 | <option>cgroup-full:mixed</option>, but everything | |
1257 | will be mounted read-only. | |
1258 | </para> | |
1259 | </listitem> | |
e7806b2e CB |
1260 | |
1261 | <listitem> | |
1262 | <para> | |
1263 | <option>cgroup-full:ro:force</option>: | |
1264 | The <option>force</option> option will cause LXC to perform | |
1265 | the cgroup mounts for the container under all circumstances. | |
1266 | Otherwise it is similar to <option>cgroup-full:ro</option>. | |
1267 | This is mainly useful when the cgroup namespaces are enabled | |
1268 | where LXC will normally leave mounting cgroups to the init | |
1269 | binary of the container since it is perfectly safe to do so. | |
1270 | </para> | |
1271 | </listitem> | |
1272 | ||
c464fd7e SG |
1273 | <listitem> |
1274 | <para> | |
1275 | <option>cgroup-full:rw</option>: similar to | |
1276 | <option>cgroup-full:mixed</option>, but everything | |
1277 | will be mounted read-write. Note that in this case, | |
1278 | the container may escape its own cgroup. (Note also | |
1279 | that if the container has CAP_SYS_ADMIN support | |
1280 | and can mount the cgroup filesystem itself, it may | |
1281 | do so anyway.) | |
1282 | </para> | |
1283 | </listitem> | |
e7806b2e CB |
1284 | |
1285 | <listitem> | |
1286 | <para> | |
1287 | <option>cgroup-full:rw:force</option>: | |
1288 | The <option>force</option> option will cause LXC to perform | |
1289 | the cgroup mounts for the container under all circumstances. | |
1290 | Otherwise it is similar to <option>cgroup-full:rw</option>. | |
1291 | This is mainly useful when the cgroup namespaces are enabled | |
1292 | where LXC will normally leave mounting cgroups to the init | |
1293 | binary of the container since it is perfectly safe to do so. | |
1294 | </para> | |
1295 | </listitem> | |
1296 | ||
c464fd7e SG |
1297 | <listitem> |
1298 | <para> | |
1299 | <option>cgroup-full</option> (without specifier): | |
1300 | defaults to <option>cgroup-full:rw</option> if the | |
1301 | container retains the CAP_SYS_ADMIN capability, | |
1302 | <option>cgroup-full:mixed</option> otherwise. | |
1303 | </para> | |
1304 | </listitem> | |
e7806b2e | 1305 | |
c464fd7e | 1306 | </itemizedlist> |
4608594e SH |
1307 | <para> |
1308 | If cgroup namespaces are enabled, then any <option>cgroup</option> | |
1309 | auto-mounting request will be ignored, since the container can | |
1310 | mount the filesystems itself, and automounting can confuse the | |
1311 | container init. | |
1312 | </para> | |
c464fd7e SG |
1313 | <para> |
1314 | Note that if automatic mounting of the cgroup filesystem | |
1315 | is enabled, the tmpfs under | |
1316 | <filename>/sys/fs/cgroup</filename> will always be | |
1317 | mounted read-write (but for the <option>:mixed</option> | |
1318 | and <option>:ro</option> cases, the individual | |
1319 | hierarchies, | |
1320 | <filename>/sys/fs/cgroup/$hierarchy</filename>, will be | |
1321 | read-only). This is in order to work around a quirk in | |
1322 | Ubuntu's | |
b46f0553 | 1323 | <citerefentry> |
c464fd7e | 1324 | <refentrytitle>mountall</refentrytitle> |
b46f0553 CS |
1325 | <manvolnum>8</manvolnum> |
1326 | </citerefentry> | |
c464fd7e SG |
1327 | command that will cause containers to wait for user |
1328 | input at boot if | |
1329 | <filename>/sys/fs/cgroup</filename> is mounted read-only | |
1330 | and the container can't remount it read-write due to a | |
1331 | lack of CAP_SYS_ADMIN. | |
1332 | </para> | |
1333 | <para> | |
1334 | Examples: | |
1335 | </para> | |
1336 | <programlisting> | |
1337 | lxc.mount.auto = proc sys cgroup | |
1338 | lxc.mount.auto = proc:rw sys:rw cgroup-full:rw | |
1339 | </programlisting> | |
1340 | </listitem> | |
1341 | </varlistentry> | |
55fc19a1 SG |
1342 | |
1343 | </variablelist> | |
1344 | </refsect2> | |
1345 | ||
1346 | <refsect2> | |
1347 | <title>Root file system</title> | |
1348 | <para> | |
c464fd7e SG |
1349 | The root file system of the container can be different than that |
1350 | of the host system. | |
55fc19a1 SG |
1351 | </para> |
1352 | <variablelist> | |
c464fd7e SG |
1353 | <varlistentry> |
1354 | <term> | |
7a96a068 | 1355 | <option>lxc.rootfs.path</option> |
c464fd7e SG |
1356 | </term> |
1357 | <listitem> | |
1358 | <para> | |
1359 | specify the root file system for the container. It can | |
1360 | be an image file, a directory or a block device. If not | |
1361 | specified, the container shares its root file system | |
1362 | with the host. | |
1363 | </para> | |
1364 | <para> | |
f1c26f2c SH |
1365 | For directory or simple block-device backed containers, |
1366 | a pathname can be used. If the rootfs is backed by a nbd | |
1367 | device, then <filename>nbd:file:1</filename> specifies that | |
1368 | <filename>file</filename> should be attached to a nbd device, | |
1369 | and partition 1 should be mounted as the rootfs. | |
1370 | <filename>nbd:file</filename> specifies that the nbd device | |
1371 | itself should be mounted. <filename>overlayfs:/lower:/upper</filename> | |
1372 | specifies that the rootfs should be an overlay with <filename>/upper</filename> | |
1373 | being mounted read-write over a read-only mount of <filename>/lower</filename>. | |
12e6ab5d | 1374 | For <filename>overlay</filename> multiple <filename>/lower</filename> |
280d2379 | 1375 | directories can be specified. <filename>loop:/file</filename> tells lxc to attach |
f1c26f2c | 1376 | <filename>/file</filename> to a loop device and mount the loop device. |
c464fd7e SG |
1377 | </para> |
1378 | </listitem> | |
1379 | </varlistentry> | |
1380 | ||
1381 | <varlistentry> | |
1382 | <term> | |
1383 | <option>lxc.rootfs.mount</option> | |
1384 | </term> | |
1385 | <listitem> | |
1386 | <para> | |
7a96a068 | 1387 | where to recursively bind <option>lxc.rootfs.path</option> |
c464fd7e SG |
1388 | before pivoting. This is to ensure success of the |
1389 | <citerefentry> | |
1390 | <refentrytitle><command>pivot_root</command></refentrytitle> | |
1391 | <manvolnum>8</manvolnum> | |
1392 | </citerefentry> | |
1393 | syscall. Any directory suffices, the default should | |
1394 | generally work. | |
1395 | </para> | |
1396 | </listitem> | |
1397 | </varlistentry> | |
1398 | ||
1399 | <varlistentry> | |
1400 | <term> | |
1401 | <option>lxc.rootfs.options</option> | |
1402 | </term> | |
1403 | <listitem> | |
1404 | <para> | |
1405 | extra mount options to use when mounting the rootfs. | |
1406 | </para> | |
1407 | </listitem> | |
1408 | </varlistentry> | |
a17b1e65 | 1409 | |
55fc19a1 SG |
1410 | </variablelist> |
1411 | </refsect2> | |
1412 | ||
1413 | <refsect2> | |
1414 | <title>Control group</title> | |
1415 | <para> | |
c464fd7e SG |
1416 | The control group section contains the configuration for the |
1417 | different subsystem. <command>lxc</command> does not check the | |
1418 | correctness of the subsystem name. This has the disadvantage | |
1419 | of not detecting configuration errors until the container is | |
1420 | started, but has the advantage of permitting any future | |
1421 | subsystem. | |
55fc19a1 SG |
1422 | </para> |
1423 | <variablelist> | |
c464fd7e SG |
1424 | <varlistentry> |
1425 | <term> | |
54860ed0 | 1426 | <option>lxc.cgroup.[controller name]</option> |
c464fd7e SG |
1427 | </term> |
1428 | <listitem> | |
1429 | <para> | |
54860ed0 CB |
1430 | Specify the control group value to be set on a legacy cgroup |
1431 | hierarchy. The controller name is the literal name of the control | |
1432 | group. The permitted names and the syntax of their values is not | |
1433 | dictated by LXC, instead it depends on the features of the Linux | |
1434 | kernel running at the time the container is started, eg. | |
1435 | <option>lxc.cgroup.cpuset.cpus</option> | |
1436 | </para> | |
1437 | </listitem> | |
1438 | </varlistentry> | |
1439 | <varlistentry> | |
1440 | <term> | |
1441 | <option>lxc.cgroup2.[controller name]</option> | |
1442 | </term> | |
1443 | <listitem> | |
1444 | <para> | |
1445 | Specify the control group value to be set on the unified cgroup | |
d0d68468 | 1446 | hierarchy. The controller name is the literal name of the control |
54860ed0 CB |
1447 | group. The permitted names and the syntax of their values is not |
1448 | dictated by LXC, instead it depends on the features of the Linux | |
1449 | kernel running at the time the container is started, eg. | |
1450 | <option>lxc.cgroup2.memory.high</option> | |
c464fd7e SG |
1451 | </para> |
1452 | </listitem> | |
1453 | </varlistentry> | |
bdcbb6b3 CB |
1454 | <varlistentry> |
1455 | <term> | |
1456 | <option>lxc.cgroup.dir</option> | |
1457 | </term> | |
1458 | <listitem> | |
1459 | <para> | |
1460 | specify a directory or path in which the container's cgroup will | |
1461 | be created. For example, setting | |
1462 | <option>lxc.cgroup.dir = my-cgroup/first</option> for a container | |
1463 | named "c1" will create the container's cgroup as a sub-cgroup of | |
1464 | "my-cgroup". For example, if the user's current cgroup "my-user" | |
78be8d75 | 1465 | is located in the root cgroup of the cpuset controller in a |
bdcbb6b3 CB |
1466 | cgroup v1 hierarchy this would create the cgroup |
1467 | "/sys/fs/cgroup/cpuset/my-user/my-cgroup/first/c1" for the | |
1468 | container. Any missing cgroups will be created by LXC. This | |
1469 | presupposes that the user has write access to its current cgroup. | |
1470 | </para> | |
1471 | </listitem> | |
1472 | </varlistentry> | |
55fc19a1 SG |
1473 | </variablelist> |
1474 | </refsect2> | |
1475 | ||
1476 | <refsect2> | |
1477 | <title>Capabilities</title> | |
1478 | <para> | |
c464fd7e SG |
1479 | The capabilities can be dropped in the container if this one |
1480 | is run as root. | |
55fc19a1 SG |
1481 | </para> |
1482 | <variablelist> | |
c464fd7e SG |
1483 | <varlistentry> |
1484 | <term> | |
1485 | <option>lxc.cap.drop</option> | |
1486 | </term> | |
1487 | <listitem> | |
1488 | <para> | |
1489 | Specify the capability to be dropped in the container. A | |
1490 | single line defining several capabilities with a space | |
1491 | separation is allowed. The format is the lower case of | |
1492 | the capability definition without the "CAP_" prefix, | |
1493 | eg. CAP_SYS_MODULE should be specified as | |
1494 | sys_module. See | |
1495 | <citerefentry> | |
1496 | <refentrytitle><command>capabilities</command></refentrytitle> | |
1497 | <manvolnum>7</manvolnum> | |
7eff30fd MH |
1498 | </citerefentry>. |
1499 | If used with no value, lxc will clear any drop capabilities | |
1500 | specified up to this point. | |
c464fd7e SG |
1501 | </para> |
1502 | </listitem> | |
1503 | </varlistentry> | |
1504 | <varlistentry> | |
1505 | <term> | |
1506 | <option>lxc.cap.keep</option> | |
1507 | </term> | |
1508 | <listitem> | |
1509 | <para> | |
1510 | Specify the capability to be kept in the container. All other | |
1511 | capabilities will be dropped. When a special value of "none" is | |
1512 | encountered, lxc will clear any keep capabilities specified up | |
1513 | to this point. A value of "none" alone can be used to drop all | |
1514 | capabilities. | |
1515 | </para> | |
1516 | </listitem> | |
1517 | </varlistentry> | |
55fc19a1 SG |
1518 | </variablelist> |
1519 | </refsect2> | |
1520 | ||
f3c9f122 | 1521 | <refsect2> |
46186acd | 1522 | <title>Namespaces</title> |
f3c9f122 | 1523 | <para> |
46186acd CB |
1524 | A namespace can be cloned (<option>lxc.namespace.clone</option>), |
1525 | kept (<option>lxc.namespace.keep</option>) or shared | |
1526 | (<option>lxc.namespace.share.[namespace identifier]</option>). | |
f3c9f122 CB |
1527 | </para> |
1528 | <variablelist> | |
46186acd CB |
1529 | <varlistentry> |
1530 | <term> | |
1531 | <option>lxc.namespace.clone</option> | |
1532 | </term> | |
1533 | <listitem> | |
1534 | <para> | |
1535 | Specify namespaces which the container is supposed to be created | |
1536 | with. The namespaces to create are specified as a space separated | |
1537 | list. Each namespace must correspond to one of the standard | |
1538 | namespace identifiers as seen in the | |
1539 | <filename>/proc/PID/ns</filename> directory. | |
1540 | When <option>lxc.namespace.clone</option> is not explicitly set all | |
1541 | namespaces supported by the kernel and the current configuration | |
1542 | will be used. | |
1543 | </para> | |
1544 | ||
1545 | <para> | |
1546 | To create a new mount, net and ipc namespace set | |
1547 | <option>lxc.namespace.clone=mount net ipc</option>. | |
1548 | </para> | |
1549 | </listitem> | |
1550 | </varlistentry> | |
1551 | ||
1552 | <varlistentry> | |
1553 | <term> | |
1554 | <option>lxc.namespace.keep</option> | |
1555 | </term> | |
1556 | <listitem> | |
1557 | <para> | |
1558 | Specify namespaces which the container is supposed to inherit from | |
1559 | the process that created it. The namespaces to keep are specified as | |
1560 | a space separated list. Each namespace must correspond to one of the | |
1561 | standard namespace identifiers as seen in the | |
1562 | <filename>/proc/PID/ns</filename> directory. | |
1563 | The <option>lxc.namespace.keep</option> is a | |
1564 | blacklist option, i.e. it is useful when enforcing that containers | |
1565 | must keep a specific set of namespaces. | |
1566 | </para> | |
1567 | ||
1568 | <para> | |
1569 | To keep the network, user and ipc namespace set | |
1570 | <option>lxc.namespace.keep=user net ipc</option>. | |
1571 | </para> | |
1572 | ||
1573 | <para> | |
1574 | Note that sharing pid namespaces will likely not work with most init | |
1575 | systems. | |
1576 | </para> | |
1577 | ||
1578 | <para> | |
1579 | Note that if the container requests a new user namespace and the | |
1580 | container wants to inherit the network namespace it needs to inherit | |
1581 | the user namespace as well. | |
1582 | </para> | |
1583 | </listitem> | |
1584 | </varlistentry> | |
1585 | ||
f3c9f122 CB |
1586 | <varlistentry> |
1587 | <term> | |
b074bbf1 | 1588 | <option>lxc.namespace.share.[namespace identifier]</option> |
f3c9f122 CB |
1589 | </term> |
1590 | <listitem> | |
1591 | <para> | |
1592 | Specify a namespace to inherit from another container or process. | |
1593 | The <option>[namespace identifier]</option> suffix needs to be | |
1594 | replaced with one of the namespaces that appear in the | |
1595 | <filename>/proc/PID/ns</filename> directory. | |
1596 | </para> | |
1597 | ||
1598 | <para> | |
1599 | To inherit the namespace from another process set the | |
b074bbf1 CB |
1600 | <option>lxc.namespace.share.[namespace identifier]</option> to the PID of |
1601 | the process, e.g. <option>lxc.namespace.share.net=42</option>. | |
f3c9f122 CB |
1602 | </para> |
1603 | ||
1604 | <para> | |
1605 | To inherit the namespace from another container set the | |
b074bbf1 CB |
1606 | <option>lxc.namespace.share.[namespace identifier]</option> to the name of |
1607 | the container, e.g. <option>lxc.namespace.share.pid=c3</option>. | |
f3c9f122 CB |
1608 | </para> |
1609 | ||
1610 | <para> | |
1611 | To inherit the namespace from another container located in a | |
1612 | different path than the standard liblxc path set the | |
b074bbf1 | 1613 | <option>lxc.namespace.share.[namespace identifier]</option> to the full |
f3c9f122 | 1614 | path to the container, e.g. |
b074bbf1 | 1615 | <option>lxc.namespace.share.user=/opt/c3</option>. |
f3c9f122 CB |
1616 | </para> |
1617 | ||
1618 | <para> | |
1619 | In order to inherit namespaces the caller needs to have sufficient | |
1620 | privilege over the process or container. | |
1621 | </para> | |
1622 | ||
1623 | <para> | |
1624 | Note that sharing pid namespaces between system containers will | |
1625 | likely not work with most init systems. | |
1626 | </para> | |
1627 | ||
1628 | <para> | |
1629 | Note that if two processes are in different user namespaces and one | |
1630 | process wants to inherit the other's network namespace it usually | |
1631 | needs to inherit the user namespace as well. | |
1632 | </para> | |
1633 | </listitem> | |
1634 | </varlistentry> | |
1635 | </variablelist> | |
1636 | </refsect2> | |
1637 | ||
93f9e90d WB |
1638 | <refsect2> |
1639 | <title>Resource limits</title> | |
1640 | <para> | |
1641 | The soft and hard resource limits for the container can be changed. | |
1642 | Unprivileged containers can only lower them. Resources which are not | |
1643 | explicitly specified will be inherited. | |
1644 | </para> | |
1645 | <variablelist> | |
1646 | <varlistentry> | |
1647 | <term> | |
240d4b74 | 1648 | <option>lxc.prlimit.[limit name]</option> |
93f9e90d WB |
1649 | </term> |
1650 | <listitem> | |
1651 | <para> | |
1652 | Specify the resource limit to be set. A limit is specified as two | |
1653 | colon separated values which are either numeric or the word | |
1654 | 'unlimited'. A single value can be used as a shortcut to set both | |
1655 | soft and hard limit to the same value. The permitted names the | |
1656 | "RLIMIT_" resource names in lowercase without the "RLIMIT_" | |
1657 | prefix, eg. RLIMIT_NOFILE should be specified as "nofile". See | |
1658 | <citerefentry> | |
1659 | <refentrytitle><command>setrlimit</command></refentrytitle> | |
1660 | <manvolnum>2</manvolnum> | |
1661 | </citerefentry>. | |
1662 | If used with no value, lxc will clear the resource limit | |
1663 | specified up to this point. A resource with no explicitly | |
1664 | configured limitation will be inherited from the process starting | |
1665 | up the container. | |
1666 | </para> | |
1667 | </listitem> | |
1668 | </varlistentry> | |
1669 | </variablelist> | |
1670 | </refsect2> | |
1671 | ||
7edd0540 L |
1672 | <refsect2> |
1673 | <title>Sysctl</title> | |
1674 | <para> | |
1675 | Configure kernel parameters for the container. | |
1676 | </para> | |
1677 | <variablelist> | |
1678 | <varlistentry> | |
1679 | <term> | |
1680 | <option>lxc.sysctl.[kernel parameters name]</option> | |
1681 | </term> | |
1682 | <listitem> | |
1683 | <para> | |
1684 | Specify the kernel parameters to be set. The parameters available | |
1685 | are those listed under /proc/sys/. | |
e409b214 | 1686 | Note that not all sysctls are namespaced. Changing Non-namespaced |
7edd0540 L |
1687 | sysctls will cause the system-wide setting to be modified. |
1688 | <citerefentry> | |
1689 | <refentrytitle><command>sysctl</command></refentrytitle> | |
1690 | <manvolnum>8</manvolnum> | |
1691 | </citerefentry>. | |
1692 | If used with no value, lxc will clear the parameters specified up | |
1693 | to this point. | |
1694 | </para> | |
1695 | </listitem> | |
1696 | </varlistentry> | |
1697 | </variablelist> | |
1698 | </refsect2> | |
1699 | ||
55fc19a1 SG |
1700 | <refsect2> |
1701 | <title>Apparmor profile</title> | |
1702 | <para> | |
c464fd7e SG |
1703 | If lxc was compiled and installed with apparmor support, and the host |
1704 | system has apparmor enabled, then the apparmor profile under which the | |
1705 | container should be run can be specified in the container | |
7a126ae1 SH |
1706 | configuration. The default is <command>lxc-container-default-cgns</command> |
1707 | if the host kernel is cgroup namespace aware, or | |
69e3b3be | 1708 | <command>lxc-container-default</command> otherwise. |
55fc19a1 SG |
1709 | </para> |
1710 | <variablelist> | |
c464fd7e SG |
1711 | <varlistentry> |
1712 | <term> | |
a1d5fdfd | 1713 | <option>lxc.apparmor.profile</option> |
c464fd7e SG |
1714 | </term> |
1715 | <listitem> | |
1716 | <para> | |
1717 | Specify the apparmor profile under which the container should | |
1718 | be run. To specify that the container should be unconfined, | |
1719 | use | |
1720 | </para> | |
a1d5fdfd | 1721 | <programlisting>lxc.apparmor.profile = unconfined</programlisting> |
7a126ae1 SH |
1722 | <para> |
1723 | If the apparmor profile should remain unchanged (i.e. if you | |
1724 | are nesting containers and are already confined), then use | |
1725 | </para> | |
a1d5fdfd | 1726 | <programlisting>lxc.apparmor.profile = unchanged</programlisting> |
c464fd7e SG |
1727 | </listitem> |
1728 | </varlistentry> | |
1729 | <varlistentry> | |
1730 | <term> | |
69e38e00 | 1731 | <option>lxc.apparmor.allow_incomplete</option> |
c464fd7e SG |
1732 | </term> |
1733 | <listitem> | |
1734 | <para> | |
1735 | Apparmor profiles are pathname based. Therefore many file | |
1736 | restrictions require mount restrictions to be effective against | |
1737 | a determined attacker. However, these mount restrictions are not | |
1738 | yet implemented in the upstream kernel. Without the mount | |
1739 | restrictions, the apparmor profiles still protect against accidental | |
1740 | damager. | |
1741 | </para> | |
1742 | <para> | |
1743 | If this flag is 0 (default), then the container will not be | |
1744 | started if the kernel lacks the apparmor mount features, so that a | |
1745 | regression after a kernel upgrade will be detected. To start the | |
1746 | container under partial apparmor protection, set this flag to 1. | |
1747 | </para> | |
1748 | </listitem> | |
1749 | </varlistentry> | |
55fc19a1 SG |
1750 | </variablelist> |
1751 | </refsect2> | |
1752 | ||
1753 | <refsect2> | |
1754 | <title>SELinux context</title> | |
1755 | <para> | |
c464fd7e SG |
1756 | If lxc was compiled and installed with SELinux support, and the host |
1757 | system has SELinux enabled, then the SELinux context under which the | |
1758 | container should be run can be specified in the container | |
1759 | configuration. The default is <command>unconfined_t</command>, | |
1760 | which means that lxc will not attempt to change contexts. | |
1761 | See @DATADIR@/lxc/selinux/lxc.te for an example policy and more | |
1762 | information. | |
55fc19a1 SG |
1763 | </para> |
1764 | <variablelist> | |
c464fd7e SG |
1765 | <varlistentry> |
1766 | <term> | |
b84702ab | 1767 | <option>lxc.selinux.context</option> |
c464fd7e SG |
1768 | </term> |
1769 | <listitem> | |
1770 | <para> | |
1771 | Specify the SELinux context under which the container should | |
1772 | be run or <command>unconfined_t</command>. For example | |
1773 | </para> | |
b84702ab | 1774 | <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting> |
c464fd7e SG |
1775 | </listitem> |
1776 | </varlistentry> | |
55fc19a1 SG |
1777 | </variablelist> |
1778 | </refsect2> | |
1779 | ||
1780 | <refsect2> | |
1781 | <title>Seccomp configuration</title> | |
1782 | <para> | |
1783 | A container can be started with a reduced set of available | |
c464fd7e SG |
1784 | system calls by loading a seccomp profile at startup. The |
1785 | seccomp configuration file must begin with a version number | |
1786 | on the first line, a policy type on the second line, followed | |
1787 | by the configuration. | |
55fc19a1 | 1788 | </para> |
a7c27357 SH |
1789 | <para> |
1790 | Versions 1 and 2 are currently supported. In version 1, the | |
c464fd7e SG |
1791 | policy is a simple whitelist. The second line therefore must |
1792 | read "whitelist", with the rest of the file containing one (numeric) | |
8927207b | 1793 | syscall number per line. Each syscall number is whitelisted, |
c464fd7e | 1794 | while every unlisted number is blacklisted for use in the container |
a7c27357 SH |
1795 | </para> |
1796 | ||
1797 | <para> | |
1798 | In version 2, the policy may be blacklist or whitelist, | |
1799 | supports per-rule and per-policy default actions, and supports | |
1800 | per-architecture system call resolution from textual names. | |
1801 | </para> | |
1802 | <para> | |
1803 | An example blacklist policy, in which all system calls are | |
1804 | allowed except for mknod, which will simply do nothing and | |
1805 | return 0 (success), looks like: | |
1806 | </para> | |
b9986e43 CB |
1807 | |
1808 | <programlisting> | |
1809 | 2 | |
1810 | blacklist | |
1811 | mknod errno 0 | |
1812 | </programlisting> | |
1813 | ||
55fc19a1 | 1814 | <variablelist> |
c464fd7e SG |
1815 | <varlistentry> |
1816 | <term> | |
0b427da0 | 1817 | <option>lxc.seccomp.profile</option> |
c464fd7e SG |
1818 | </term> |
1819 | <listitem> | |
1820 | <para> | |
1821 | Specify a file containing the seccomp configuration to | |
1822 | load before the container starts. | |
1823 | </para> | |
1824 | </listitem> | |
1825 | </varlistentry> | |
55fc19a1 SG |
1826 | </variablelist> |
1827 | </refsect2> | |
1828 | ||
222ddc91 CB |
1829 | <refsect2> |
1830 | <title>PR_SET_NO_NEW_PRIVS</title> | |
1831 | <para> | |
1832 | With PR_SET_NO_NEW_PRIVS active execve() promises not to grant | |
1833 | privileges to do anything that could not have been done without | |
1834 | the execve() call (for example, rendering the set-user-ID and | |
1835 | set-group-ID mode bits, and file capabilities non-functional). | |
1836 | Once set, this bit cannot be unset. The setting of this bit is | |
1837 | inherited by children created by fork() and clone(), and preserved | |
1838 | across execve(). | |
1839 | Note that PR_SET_NO_NEW_PRIVS is applied after the container has | |
1840 | changed into its intended AppArmor profile or SElinux context. | |
1841 | </para> | |
1842 | <variablelist> | |
1843 | <varlistentry> | |
1844 | <term> | |
1845 | <option>lxc.no_new_privs</option> | |
1846 | </term> | |
1847 | <listitem> | |
1848 | <para> | |
1849 | Specify whether the PR_SET_NO_NEW_PRIVS flag should be set for the | |
1850 | container. Set to 1 to activate. | |
1851 | </para> | |
1852 | </listitem> | |
1853 | </varlistentry> | |
1854 | </variablelist> | |
1855 | </refsect2> | |
1856 | ||
55fc19a1 SG |
1857 | <refsect2> |
1858 | <title>UID mappings</title> | |
1859 | <para> | |
1860 | A container can be started in a private user namespace with | |
c464fd7e SG |
1861 | user and group id mappings. For instance, you can map userid |
1862 | 0 in the container to userid 200000 on the host. The root | |
1863 | user in the container will be privileged in the container, | |
1864 | but unprivileged on the host. Normally a system container | |
1865 | will want a range of ids, so you would map, for instance, | |
1866 | user and group ids 0 through 20,000 in the container to the | |
1867 | ids 200,000 through 220,000. | |
55fc19a1 SG |
1868 | </para> |
1869 | <variablelist> | |
c464fd7e SG |
1870 | <varlistentry> |
1871 | <term> | |
bdcbb6b3 | 1872 | <option>lxc.idmap</option> |
c464fd7e SG |
1873 | </term> |
1874 | <listitem> | |
1875 | <para> | |
1876 | Four values must be provided. First a character, either | |
1877 | 'u', or 'g', to specify whether user or group ids are | |
1878 | being mapped. Next is the first userid as seen in the | |
1879 | user namespace of the container. Next is the userid as | |
1880 | seen on the host. Finally, a range indicating the number | |
1881 | of consecutive ids to map. | |
1882 | </para> | |
1883 | </listitem> | |
1884 | </varlistentry> | |
55fc19a1 SG |
1885 | </variablelist> |
1886 | </refsect2> | |
1887 | ||
1888 | <refsect2> | |
1889 | <title>Container hooks</title> | |
1890 | <para> | |
1891 | Container hooks are programs or scripts which can be executed | |
c464fd7e | 1892 | at various times in a container's lifetime. |
55fc19a1 SG |
1893 | </para> |
1894 | <para> | |
44ae0fb6 CB |
1895 | When a container hook is executed, additional information is passed |
1896 | along. The <option>lxc.hook.version</option> argument can be used to | |
1897 | determine if the following arguments are passed as command line | |
1898 | arguments or through environment variables. The arguments are: | |
c464fd7e SG |
1899 | <itemizedlist> |
1900 | <listitem><para> Container name. </para></listitem> | |
1901 | <listitem><para> Section (always 'lxc'). </para></listitem> | |
1902 | <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem> | |
0a2b5ab1 | 1903 | <listitem><para> Additional arguments. In the |
a9145d62 CB |
1904 | case of the clone hook, any extra arguments passed will appear as |
1905 | further arguments to the hook. In the case of the stop hook, paths to | |
1906 | filedescriptors for each of the container's namespaces along with | |
1907 | their types are passed. </para></listitem> | |
c464fd7e SG |
1908 | </itemizedlist> |
1909 | The following environment variables are set: | |
1910 | <itemizedlist> | |
44ae0fb6 CB |
1911 | <listitem><para> LXC_CGNS_AWARE: indicator whether the container is |
1912 | cgroup namespace aware. </para></listitem> | |
1913 | <listitem><para> LXC_CONFIG_FILE: the path to the container | |
1914 | configuration file. </para></listitem> | |
1915 | <listitem><para> LXC_HOOK_TYPE: the hook type (e.g. 'clone', 'mount', | |
1916 | 'pre-mount'). Note that the existence of this environment variable is | |
1917 | conditional on the value of <option>lxc.hook.version</option>. If it | |
1918 | is set to 1 then LXC_HOOK_TYPE will be set. | |
1919 | </para></listitem> | |
1920 | <listitem><para> LXC_HOOK_SECTION: the section type (e.g. 'lxc', | |
1921 | 'net'). Note that the existence of this environment variable is | |
1922 | conditional on the value of <option>lxc.hook.version</option>. If it | |
1923 | is set to 1 then LXC_HOOK_SECTION will be set. | |
1924 | </para></listitem> | |
a2c09be0 CB |
1925 | <listitem><para> LXC_HOOK_VERSION: the version of the hooks. This |
1926 | value is identical to the value of the container's | |
1927 | <option>lxc.hook.version</option> config item. If it is set to 0 then | |
1928 | old-style hooks are used. If it is set to 1 then new-style hooks are | |
1929 | used. </para></listitem> | |
44ae0fb6 | 1930 | <listitem><para> LXC_LOG_LEVEL: the container's log level. </para></listitem> |
c464fd7e | 1931 | <listitem><para> LXC_NAME: is the container's name. </para></listitem> |
18b3b9c1 CB |
1932 | <listitem><para> LXC_[NAMESPACE IDENTIFIER]_NS: path under |
1933 | /proc/PID/fd/ to a file descriptor referring to the container's | |
1934 | namespace. For each preserved namespace type there will be a separate | |
1935 | environment variable. These environment variables will only be set if | |
1936 | <option>lxc.hook.version</option> is set to 1. </para></listitem> | |
c464fd7e | 1937 | <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem> |
44ae0fb6 CB |
1938 | <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry |
1939 | for the container. Note this is likely not where the mounted rootfs is | |
1940 | to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem> | |
1941 | <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is | |
1942 | the original container's name. </para></listitem> | |
c464fd7e | 1943 | </itemizedlist> |
55fc19a1 SG |
1944 | </para> |
1945 | <para> | |
1946 | Standard output from the hooks is logged at debug level. | |
1947 | Standard error is not logged, but can be captured by the | |
1948 | hook redirecting its standard error to standard output. | |
1949 | </para> | |
1950 | <variablelist> | |
44ae0fb6 CB |
1951 | <varlistentry> |
1952 | <term> | |
1953 | <option>lxc.hook.version</option> | |
1954 | </term> | |
1955 | <listitem> | |
1956 | <para> | |
1957 | To pass the arguments in new style via environment variables set to | |
1958 | 1 otherwise set to 0 to pass them as arguments. | |
1959 | This setting affects all hooks arguments that were traditionally | |
1960 | passed as arguments to the script. Specifically, it affects the | |
1961 | container name, section (e.g. 'lxc', 'net') and hook type (e.g. | |
1962 | 'clone', 'mount', 'pre-mount') arguments. If new-style hooks are | |
1963 | used then the arguments will be available as environment variables. | |
1964 | The container name will be set in LXC_NAME. (This is set | |
1965 | independently of the value used for this config item.) The section | |
1966 | will be set in LXC_HOOK_SECTION and the hook type will be set in | |
1967 | LXC_HOOK_TYPE. | |
18b3b9c1 CB |
1968 | It also affects how the paths to file descriptors referring to the |
1969 | container's namespaces are passed. If set to 1 then for each | |
1970 | namespace a separate environment variable LXC_[NAMESPACE | |
1971 | IDENTIFIER]_NS will be set. If set to 0 then the paths will be | |
1972 | passed as arguments to the stop hook. | |
44ae0fb6 CB |
1973 | </para> |
1974 | </listitem> | |
1975 | </varlistentry> | |
1976 | </variablelist> | |
1977 | <variablelist> | |
c464fd7e SG |
1978 | <varlistentry> |
1979 | <term> | |
1980 | <option>lxc.hook.pre-start</option> | |
1981 | </term> | |
1982 | <listitem> | |
1983 | <para> | |
1984 | A hook to be run in the host's namespace before the | |
1985 | container ttys, consoles, or mounts are up. | |
1986 | </para> | |
1987 | </listitem> | |
1988 | </varlistentry> | |
55fc19a1 SG |
1989 | </variablelist> |
1990 | <variablelist> | |
c464fd7e SG |
1991 | <varlistentry> |
1992 | <term> | |
1993 | <option>lxc.hook.pre-mount</option> | |
1994 | </term> | |
1995 | <listitem> | |
1996 | <para> | |
1997 | A hook to be run in the container's fs namespace but before | |
1998 | the rootfs has been set up. This allows for manipulation | |
1999 | of the rootfs, i.e. to mount an encrypted filesystem. Mounts | |
2000 | done in this hook will not be reflected on the host (apart from | |
2001 | mounts propagation), so they will be automatically cleaned up | |
2002 | when the container shuts down. | |
2003 | </para> | |
2004 | </listitem> | |
2005 | </varlistentry> | |
55fc19a1 SG |
2006 | </variablelist> |
2007 | <variablelist> | |
c464fd7e SG |
2008 | <varlistentry> |
2009 | <term> | |
2010 | <option>lxc.hook.mount</option> | |
2011 | </term> | |
2012 | <listitem> | |
2013 | <para> | |
2014 | A hook to be run in the container's namespace after | |
2015 | mounting has been done, but before the pivot_root. | |
2016 | </para> | |
2017 | </listitem> | |
2018 | </varlistentry> | |
55fc19a1 SG |
2019 | </variablelist> |
2020 | <variablelist> | |
c464fd7e SG |
2021 | <varlistentry> |
2022 | <term> | |
2023 | <option>lxc.hook.autodev</option> | |
2024 | </term> | |
2025 | <listitem> | |
2026 | <para> | |
2027 | A hook to be run in the container's namespace after | |
2028 | mounting has been done and after any mount hooks have | |
2029 | run, but before the pivot_root, if | |
2030 | <option>lxc.autodev</option> == 1. | |
2031 | The purpose of this hook is to assist in populating the | |
2032 | /dev directory of the container when using the autodev | |
2033 | option for systemd based containers. The container's /dev | |
2034 | directory is relative to the | |
2035 | ${<option>LXC_ROOTFS_MOUNT</option>} environment | |
2036 | variable available when the hook is run. | |
2037 | </para> | |
2038 | </listitem> | |
2039 | </varlistentry> | |
55fc19a1 | 2040 | </variablelist> |
08dd2805 SH |
2041 | <variablelist> |
2042 | <varlistentry> | |
2043 | <term> | |
2044 | <option>lxc.hook.start-host</option> | |
2045 | </term> | |
2046 | <listitem> | |
2047 | <para> | |
2048 | A hook to be run in the host's namespace after the | |
2049 | container has been setup, and immediately before starting | |
2050 | the container init. | |
2051 | </para> | |
2052 | </listitem> | |
2053 | </varlistentry> | |
2054 | </variablelist> | |
55fc19a1 | 2055 | <variablelist> |
c464fd7e SG |
2056 | <varlistentry> |
2057 | <term> | |
2058 | <option>lxc.hook.start</option> | |
2059 | </term> | |
2060 | <listitem> | |
2061 | <para> | |
2062 | A hook to be run in the container's namespace immediately | |
2063 | before executing the container's init. This requires the | |
2064 | program to be available in the container. | |
2065 | </para> | |
2066 | </listitem> | |
2067 | </varlistentry> | |
55fc19a1 | 2068 | </variablelist> |
0a2b5ab1 WB |
2069 | <variablelist> |
2070 | <varlistentry> | |
2071 | <term> | |
2072 | <option>lxc.hook.stop</option> | |
2073 | </term> | |
2074 | <listitem> | |
2075 | <para> | |
2076 | A hook to be run in the host's namespace with references | |
2077 | to the container's namespaces after the container has been shut | |
2078 | down. For each namespace an extra argument is passed to the hook | |
2079 | containing the namespace's type and a filename that can be used to | |
2080 | obtain a file descriptor to the corresponding namespace, separated | |
2081 | by a colon. The type is the name as it would appear in the | |
2082 | <filename>/proc/PID/ns</filename> directory. | |
2083 | For instance for the mount namespace the argument usually looks | |
2084 | like <filename>mnt:/proc/PID/fd/12</filename>. | |
2085 | </para> | |
2086 | </listitem> | |
2087 | </varlistentry> | |
2088 | </variablelist> | |
55fc19a1 | 2089 | <variablelist> |
c464fd7e SG |
2090 | <varlistentry> |
2091 | <term> | |
2092 | <option>lxc.hook.post-stop</option> | |
2093 | </term> | |
2094 | <listitem> | |
2095 | <para> | |
2096 | A hook to be run in the host's namespace after the | |
2097 | container has been shut down. | |
2098 | </para> | |
2099 | </listitem> | |
2100 | </varlistentry> | |
55fc19a1 SG |
2101 | </variablelist> |
2102 | <variablelist> | |
c464fd7e SG |
2103 | <varlistentry> |
2104 | <term> | |
2105 | <option>lxc.hook.clone</option> | |
2106 | </term> | |
2107 | <listitem> | |
2108 | <para> | |
2109 | A hook to be run when the container is cloned to a new one. | |
2110 | See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle> | |
2111 | <manvolnum>1</manvolnum></citerefentry> for more information. | |
2112 | </para> | |
2113 | </listitem> | |
2114 | </varlistentry> | |
55fc19a1 | 2115 | </variablelist> |
37cf711b SY |
2116 | <variablelist> |
2117 | <varlistentry> | |
2118 | <term> | |
2119 | <option>lxc.hook.destroy</option> | |
2120 | </term> | |
2121 | <listitem> | |
2122 | <para> | |
2123 | A hook to be run when the container is destroyed. | |
2124 | </para> | |
2125 | </listitem> | |
2126 | </varlistentry> | |
2127 | </variablelist> | |
55fc19a1 SG |
2128 | </refsect2> |
2129 | ||
2130 | <refsect2> | |
2131 | <title>Container hooks Environment Variables</title> | |
2132 | <para> | |
2133 | A number of environment variables are made available to the startup | |
2134 | hooks to provide configuration information and assist in the | |
2135 | functioning of the hooks. Not all variables are valid in all | |
2136 | contexts. In particular, all paths are relative to the host system | |
2137 | and, as such, not valid during the <option>lxc.hook.start</option> hook. | |
2138 | </para> | |
2139 | <variablelist> | |
c464fd7e SG |
2140 | <varlistentry> |
2141 | <term> | |
2142 | <option>LXC_NAME</option> | |
2143 | </term> | |
2144 | <listitem> | |
2145 | <para> | |
2146 | The LXC name of the container. Useful for logging messages | |
2147 | in common log environments. [<option>-n</option>] | |
2148 | </para> | |
2149 | </listitem> | |
2150 | </varlistentry> | |
55fc19a1 SG |
2151 | </variablelist> |
2152 | <variablelist> | |
c464fd7e SG |
2153 | <varlistentry> |
2154 | <term> | |
2155 | <option>LXC_CONFIG_FILE</option> | |
2156 | </term> | |
2157 | <listitem> | |
2158 | <para> | |
2159 | Host relative path to the container configuration file. This | |
2160 | gives the container to reference the original, top level, | |
2161 | configuration file for the container in order to locate any | |
2162 | additional configuration information not otherwise made | |
2163 | available. [<option>-f</option>] | |
2164 | </para> | |
2165 | </listitem> | |
2166 | </varlistentry> | |
55fc19a1 SG |
2167 | </variablelist> |
2168 | <variablelist> | |
c464fd7e SG |
2169 | <varlistentry> |
2170 | <term> | |
2171 | <option>LXC_CONSOLE</option> | |
2172 | </term> | |
2173 | <listitem> | |
2174 | <para> | |
2175 | The path to the console output of the container if not NULL. | |
3aed4934 | 2176 | [<option>-c</option>] [<option>lxc.console.path</option>] |
c464fd7e SG |
2177 | </para> |
2178 | </listitem> | |
2179 | </varlistentry> | |
55fc19a1 SG |
2180 | </variablelist> |
2181 | <variablelist> | |
c464fd7e SG |
2182 | <varlistentry> |
2183 | <term> | |
2184 | <option>LXC_CONSOLE_LOGPATH</option> | |
2185 | </term> | |
2186 | <listitem> | |
2187 | <para> | |
2188 | The path to the console log output of the container if not NULL. | |
2189 | [<option>-L</option>] | |
2190 | </para> | |
2191 | </listitem> | |
2192 | </varlistentry> | |
55fc19a1 SG |
2193 | </variablelist> |
2194 | <variablelist> | |
c464fd7e SG |
2195 | <varlistentry> |
2196 | <term> | |
2197 | <option>LXC_ROOTFS_MOUNT</option> | |
2198 | </term> | |
2199 | <listitem> | |
2200 | <para> | |
2201 | The mount location to which the container is initially bound. | |
2202 | This will be the host relative path to the container rootfs | |
2203 | for the container instance being started and is where changes | |
2204 | should be made for that instance. | |
2205 | [<option>lxc.rootfs.mount</option>] | |
2206 | </para> | |
2207 | </listitem> | |
2208 | </varlistentry> | |
55fc19a1 SG |
2209 | </variablelist> |
2210 | <variablelist> | |
c464fd7e SG |
2211 | <varlistentry> |
2212 | <term> | |
2213 | <option>LXC_ROOTFS_PATH</option> | |
2214 | </term> | |
2215 | <listitem> | |
2216 | <para> | |
2217 | The host relative path to the container root which has been | |
2218 | mounted to the rootfs.mount location. | |
7a96a068 | 2219 | [<option>lxc.rootfs.path</option>] |
c464fd7e SG |
2220 | </para> |
2221 | </listitem> | |
2222 | </varlistentry> | |
55fc19a1 | 2223 | </variablelist> |
07945418 KY |
2224 | <variablelist> |
2225 | <varlistentry> | |
2226 | <term> | |
2227 | <option>LXC_SRC_NAME</option> | |
2228 | </term> | |
2229 | <listitem> | |
2230 | <para> | |
2231 | Only for the clone hook. Is set to the original container name. | |
2232 | </para> | |
2233 | </listitem> | |
2234 | </varlistentry> | |
2235 | </variablelist> | |
c154af98 SG |
2236 | <variablelist> |
2237 | <varlistentry> | |
2238 | <term> | |
2239 | <option>LXC_TARGET</option> | |
2240 | </term> | |
2241 | <listitem> | |
2242 | <para> | |
2243 | Only for the stop hook. Is set to "stop" for a container | |
2244 | shutdown or "reboot" for a container reboot. | |
2245 | </para> | |
2246 | </listitem> | |
2247 | </varlistentry> | |
c4cafa08 SH |
2248 | </variablelist> |
2249 | <variablelist> | |
2250 | <varlistentry> | |
2251 | <term> | |
2252 | <option>LXC_CGNS_AWARE</option> | |
2253 | </term> | |
2254 | <listitem> | |
2255 | <para> | |
2256 | If unset, then this version of lxc is not aware of cgroup | |
2257 | namespaces. If set, it will be set to 1, and lxc is aware | |
2258 | of cgroup namespaces. Note this does not guarantee that | |
2259 | cgroup namespaces are enabled in the kernel. This is used | |
2260 | by the lxcfs mount hook. | |
2261 | </para> | |
2262 | </listitem> | |
2263 | </varlistentry> | |
c154af98 | 2264 | </variablelist> |
55fc19a1 SG |
2265 | </refsect2> |
2266 | <refsect2> | |
2267 | <title>Logging</title> | |
2268 | <para> | |
2269 | Logging can be configured on a per-container basis. By default, | |
2270 | depending upon how the lxc package was compiled, container startup | |
2271 | is logged only at the ERROR level, and logged to a file named after | |
2272 | the container (with '.log' appended) either under the container path, | |
2273 | or under @LOGPATH@. | |
2274 | </para> | |
2275 | <para> | |
2276 | Both the default log level and the log file can be specified in the | |
2277 | container configuration file, overriding the default behavior. Note | |
2278 | that the configuration file entries can in turn be overridden by the | |
2279 | command line options to <command>lxc-start</command>. | |
2280 | </para> | |
2281 | <variablelist> | |
c464fd7e SG |
2282 | <varlistentry> |
2283 | <term> | |
46cc906d | 2284 | <option>lxc.log.level</option> |
c464fd7e SG |
2285 | </term> |
2286 | <listitem> | |
2287 | <para> | |
2288 | The level at which to log. The log level is an integer in | |
2289 | the range of 0..8 inclusive, where a lower number means more | |
2290 | verbose debugging. In particular 0 = trace, 1 = debug, 2 = | |
2291 | info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = | |
2292 | alert, and 8 = fatal. If unspecified, the level defaults | |
2293 | to 5 (error), so that only errors and above are logged. | |
2294 | </para> | |
2295 | <para> | |
2296 | Note that when a script (such as either a hook script or a | |
2297 | network interface up or down script) is called, the script's | |
2298 | standard output is logged at level 1, debug. | |
2299 | </para> | |
2300 | </listitem> | |
2301 | </varlistentry> | |
2302 | <varlistentry> | |
2303 | <term> | |
5757588f | 2304 | <option>lxc.log.file</option> |
c464fd7e SG |
2305 | </term> |
2306 | <listitem> | |
2307 | <para> | |
2308 | The file to which logging info should be written. | |
2309 | </para> | |
2310 | </listitem> | |
2311 | </varlistentry> | |
204dfdf2 BD |
2312 | <varlistentry> |
2313 | <term> | |
46cc906d | 2314 | <option>lxc.log.syslog</option> |
204dfdf2 BD |
2315 | </term> |
2316 | <listitem> | |
2317 | <para> | |
2318 | Send logging info to syslog. It respects the log level defined in | |
46cc906d | 2319 | <command>lxc.log.level</command>. The argument should be the syslog |
204dfdf2 | 2320 | facility to use, valid ones are: daemon, local0, local1, local2, |
917420dd | 2321 | local3, local4, local5, local5, local6, local7. |
204dfdf2 BD |
2322 | </para> |
2323 | </listitem> | |
2324 | </varlistentry> | |
55fc19a1 SG |
2325 | </variablelist> |
2326 | </refsect2> | |
2327 | ||
2328 | <refsect2> | |
2329 | <title>Autostart</title> | |
2330 | <para> | |
2331 | The autostart options support marking which containers should be | |
2332 | auto-started and in what order. These options may be used by LXC tools | |
2333 | directly or by external tooling provided by the distributions. | |
2334 | </para> | |
2335 | ||
2336 | <variablelist> | |
2337 | <varlistentry> | |
2338 | <term> | |
2339 | <option>lxc.start.auto</option> | |
2340 | </term> | |
2341 | <listitem> | |
2342 | <para> | |
2343 | Whether the container should be auto-started. | |
2344 | Valid values are 0 (off) and 1 (on). | |
2345 | </para> | |
2346 | </listitem> | |
2347 | </varlistentry> | |
2348 | <varlistentry> | |
2349 | <term> | |
2350 | <option>lxc.start.delay</option> | |
2351 | </term> | |
2352 | <listitem> | |
2353 | <para> | |
2354 | How long to wait (in seconds) after the container is | |
2355 | started before starting the next one. | |
2356 | </para> | |
2357 | </listitem> | |
2358 | </varlistentry> | |
2359 | <varlistentry> | |
2360 | <term> | |
2361 | <option>lxc.start.order</option> | |
2362 | </term> | |
2363 | <listitem> | |
2364 | <para> | |
2365 | An integer used to sort the containers when auto-starting | |
2366 | a series of containers at once. | |
2367 | </para> | |
2368 | </listitem> | |
2369 | </varlistentry> | |
a8dfe4e0 WB |
2370 | <varlistentry> |
2371 | <term> | |
2372 | <option>lxc.monitor.unshare</option> | |
2373 | </term> | |
2374 | <listitem> | |
2375 | <para> | |
2376 | If not zero the mount namespace will be unshared from the host | |
2377 | before initializing the container (before running any pre-start | |
6039eaa2 WB |
2378 | hooks). This requires the CAP_SYS_ADMIN capability at startup. |
2379 | Default is 0. | |
a8dfe4e0 WB |
2380 | </para> |
2381 | </listitem> | |
2382 | </varlistentry> | |
258f8051 CB |
2383 | <varlistentry> |
2384 | <term> | |
2385 | <option>lxc.monitor.signal.pdeath</option> | |
2386 | </term> | |
2387 | <listitem> | |
2388 | <para> | |
2389 | Set the signal to be sent to the container's init when the lxc | |
2390 | monitor exits. By default it is set to SIGKILL which will cause | |
2391 | all container processes to be killed when the lxc monitor process | |
2392 | dies. | |
2393 | To ensure that containers stay alive even if lxc monitor dies set | |
2394 | this to 0. | |
2395 | </para> | |
2396 | </listitem> | |
2397 | </varlistentry> | |
55fc19a1 SG |
2398 | <varlistentry> |
2399 | <term> | |
2400 | <option>lxc.group</option> | |
2401 | </term> | |
2402 | <listitem> | |
2403 | <para> | |
2404 | A multi-value key (can be used multiple times) to put the | |
2405 | container in a container group. Those groups can then be | |
2406 | used (amongst other things) to start a series of related | |
2407 | containers. | |
2408 | </para> | |
2409 | </listitem> | |
2410 | </varlistentry> | |
2411 | </variablelist> | |
2412 | </refsect2> | |
015f0dd7 MW |
2413 | |
2414 | <refsect2> | |
2415 | <title>Autostart and System Boot</title> | |
2416 | <para> | |
2417 | Each container can be part of any number of groups or no group at all. | |
2418 | Two groups are special. One is the NULL group, i.e. the container does | |
2419 | not belong to any group. The other group is the "onboot" group. | |
2420 | </para> | |
2421 | ||
2422 | <para> | |
2423 | When the system boots with the LXC service enabled, it will first | |
2424 | attempt to boot any containers with lxc.start.auto == 1 that is a member | |
2425 | of the "onboot" group. The startup will be in order of lxc.start.order. | |
2426 | If an lxc.start.delay has been specified, that delay will be honored | |
2427 | before attempting to start the next container to give the current | |
2428 | container time to begin initialization and reduce overloading the host | |
2429 | system. After starting the members of the "onboot" group, the LXC system | |
2430 | will proceed to boot containers with lxc.start.auto == 1 which are not | |
2431 | members of any group (the NULL group) and proceed as with the onboot | |
2432 | group. | |
2433 | </para> | |
2434 | ||
2435 | </refsect2> | |
7c661726 MP |
2436 | |
2437 | <refsect2> | |
2438 | <title>Container Environment</title> | |
2439 | <para> | |
c464fd7e SG |
2440 | If you want to pass environment variables into the container (that |
2441 | is, environment variables which will be available to init and all of | |
2442 | its descendents), you can use <command>lxc.environment</command> | |
2443 | parameters to do so. Be careful that you do not pass in anything | |
2444 | sensitive; any process in the container which doesn't have its | |
2445 | environment scrubbed will have these variables available to it, and | |
2446 | environment variables are always available via | |
2447 | <command>/proc/PID/environ</command>. | |
7c661726 MP |
2448 | </para> |
2449 | ||
2450 | <para> | |
2451 | This configuration parameter can be specified multiple times; once | |
2452 | for each environment variable you wish to configure. | |
2453 | </para> | |
2454 | ||
2455 | <variablelist> | |
c464fd7e SG |
2456 | <varlistentry> |
2457 | <term> | |
2458 | <option>lxc.environment</option> | |
2459 | </term> | |
2460 | <listitem> | |
2461 | <para> | |
2462 | Specify an environment variable to pass into the container. | |
2463 | Example: | |
2464 | </para> | |
2465 | <programlisting> | |
2466 | lxc.environment = APP_ENV=production | |
2467 | lxc.environment = SYSLOG_SERVER=192.0.2.42 | |
2468 | </programlisting> | |
5eab47bc CB |
2469 | <para> |
2470 | It is possible to inherit host environment variables by setting the | |
2471 | name of the variable without a "=" sign. For example: | |
2472 | </para> | |
2473 | <programlisting> | |
2474 | lxc.environment = PATH | |
2475 | </programlisting> | |
c464fd7e SG |
2476 | </listitem> |
2477 | </varlistentry> | |
7c661726 MP |
2478 | </variablelist> |
2479 | </refsect2> | |
2480 | ||
55fc19a1 SG |
2481 | </refsect1> |
2482 | ||
2483 | <refsect1> | |
2484 | <title>Examples</title> | |
2485 | <para> | |
c464fd7e SG |
2486 | In addition to the few examples given below, you will find |
2487 | some other examples of configuration file in @DOCDIR@/examples | |
55fc19a1 SG |
2488 | </para> |
2489 | <refsect2> | |
2490 | <title>Network</title> | |
2491 | <para>This configuration sets up a container to use a veth pair | |
c464fd7e SG |
2492 | device with one side plugged to a bridge br0 (which has been |
2493 | configured before on the system by the administrator). The | |
2494 | virtual network device visible in the container is renamed to | |
2495 | eth0.</para> | |
55fc19a1 | 2496 | <programlisting> |
b67771bc | 2497 | lxc.uts.name = myhostname |
7fa3f2e9 | 2498 | lxc.net.0.type = veth |
2499 | lxc.net.0.flags = up | |
2500 | lxc.net.0.link = br0 | |
2501 | lxc.net.0.name = eth0 | |
2502 | lxc.net.0.hwaddr = 4a:49:43:49:79:bf | |
9ff60df2 | 2503 | lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255 |
2e44ae28 | 2504 | lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597 |
55fc19a1 SG |
2505 | </programlisting> |
2506 | </refsect2> | |
2507 | ||
2508 | <refsect2> | |
2509 | <title>UID/GID mapping</title> | |
2510 | <para>This configuration will map both user and group ids in the | |
2511 | range 0-9999 in the container to the ids 100000-109999 on the host. | |
2512 | </para> | |
2513 | <programlisting> | |
bdcbb6b3 CB |
2514 | lxc.idmap = u 0 100000 10000 |
2515 | lxc.idmap = g 0 100000 10000 | |
55fc19a1 SG |
2516 | </programlisting> |
2517 | </refsect2> | |
2518 | ||
2519 | <refsect2> | |
2520 | <title>Control group</title> | |
2521 | <para>This configuration will setup several control groups for | |
2522 | the application, cpuset.cpus restricts usage of the defined cpu, | |
2523 | cpus.share prioritize the control group, devices.allow makes | |
2524 | usable the specified devices.</para> | |
2525 | <programlisting> | |
c464fd7e SG |
2526 | lxc.cgroup.cpuset.cpus = 0,1 |
2527 | lxc.cgroup.cpu.shares = 1234 | |
2528 | lxc.cgroup.devices.deny = a | |
2529 | lxc.cgroup.devices.allow = c 1:3 rw | |
2530 | lxc.cgroup.devices.allow = b 8:0 rw | |
55fc19a1 SG |
2531 | </programlisting> |
2532 | </refsect2> | |
2533 | ||
2534 | <refsect2> | |
2535 | <title>Complex configuration</title> | |
2536 | <para>This example show a complex configuration making a complex | |
2537 | network stack, using the control groups, setting a new hostname, | |
2538 | mounting some locations and a changing root file system.</para> | |
2539 | <programlisting> | |
b67771bc | 2540 | lxc.uts.name = complex |
7fa3f2e9 | 2541 | lxc.net.0.type = veth |
2542 | lxc.net.0.flags = up | |
2543 | lxc.net.0.link = br0 | |
2544 | lxc.net.0.hwaddr = 4a:49:43:49:79:bf | |
9ff60df2 | 2545 | lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255 |
2e44ae28 CB |
2546 | lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597 |
2547 | lxc.net.0.ipv6.address = 2003:db8:1:0:214:5432:feab:3588 | |
7fa3f2e9 | 2548 | lxc.net.1.type = macvlan |
2549 | lxc.net.1.flags = up | |
2550 | lxc.net.1.link = eth0 | |
2551 | lxc.net.1.hwaddr = 4a:49:43:49:79:bd | |
9ff60df2 CB |
2552 | lxc.net.1.ipv4.address = 10.2.3.4/24 |
2553 | lxc.net.1.ipv4.address = 192.168.10.125/24 | |
2e44ae28 | 2554 | lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596 |
7fa3f2e9 | 2555 | lxc.net.2.type = phys |
2556 | lxc.net.2.flags = up | |
2557 | lxc.net.2.link = dummy0 | |
2558 | lxc.net.2.hwaddr = 4a:49:43:49:79:ff | |
9ff60df2 | 2559 | lxc.net.2.ipv4.address = 10.2.3.6/24 |
2e44ae28 | 2560 | lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297 |
c464fd7e SG |
2561 | lxc.cgroup.cpuset.cpus = 0,1 |
2562 | lxc.cgroup.cpu.shares = 1234 | |
2563 | lxc.cgroup.devices.deny = a | |
2564 | lxc.cgroup.devices.allow = c 1:3 rw | |
2565 | lxc.cgroup.devices.allow = b 8:0 rw | |
47148e96 | 2566 | lxc.mount.fstab = /etc/fstab.complex |
c464fd7e | 2567 | lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0 |
7a96a068 | 2568 | lxc.rootfs.path = dir:/mnt/rootfs.complex |
c464fd7e SG |
2569 | lxc.cap.drop = sys_module mknod setuid net_raw |
2570 | lxc.cap.drop = mac_override | |
55fc19a1 SG |
2571 | </programlisting> |
2572 | </refsect2> | |
2573 | ||
2574 | </refsect1> | |
2575 | ||
2576 | <refsect1> | |
2577 | <title>See Also</title> | |
2578 | <simpara> | |
2579 | <citerefentry> | |
c464fd7e SG |
2580 | <refentrytitle><command>chroot</command></refentrytitle> |
2581 | <manvolnum>1</manvolnum> | |
55fc19a1 SG |
2582 | </citerefentry>, |
2583 | ||
2584 | <citerefentry> | |
c464fd7e SG |
2585 | <refentrytitle><command>pivot_root</command></refentrytitle> |
2586 | <manvolnum>8</manvolnum> | |
55fc19a1 SG |
2587 | </citerefentry>, |
2588 | ||
2589 | <citerefentry> | |
c464fd7e SG |
2590 | <refentrytitle><filename>fstab</filename></refentrytitle> |
2591 | <manvolnum>5</manvolnum> | |
55fc19a1 SG |
2592 | </citerefentry>, |
2593 | ||
2594 | <citerefentry> | |
c464fd7e SG |
2595 | <refentrytitle><filename>capabilities</filename></refentrytitle> |
2596 | <manvolnum>7</manvolnum> | |
55fc19a1 SG |
2597 | </citerefentry> |
2598 | </simpara> | |
2599 | </refsect1> | |
2600 | ||
2601 | &seealso; | |
2602 | ||
2603 | <refsect1> | |
2604 | <title>Author</title> | |
2605 | <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para> | |
2606 | </refsect1> | |
2607 | ||
2608 | </refentry> | |
2609 | ||
2610 | <!-- Keep this comment at the end of the file | |
2611 | Local variables: | |
2612 | mode: sgml | |
2613 | sgml-omittag:t | |
2614 | sgml-shorttag:t | |
2615 | sgml-minimize-attributes:nil | |
2616 | sgml-always-quote-attributes:t | |
2617 | sgml-indent-step:2 | |
2618 | sgml-indent-data:t | |
2619 | sgml-parent-document:nil | |
2620 | sgml-default-dtd-file:nil | |
2621 | sgml-exposed-tags:nil | |
2622 | sgml-local-catalogs:nil | |
2623 | sgml-local-ecat-files:nil | |
2624 | End: | |
2625 | --> |