]> git.proxmox.com Git - mirror_lxc.git/blame - doc/lxc.container.conf.sgml.in
projects / mirror_lxc.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
spelling: syscall
[mirror_lxc.git] / doc / lxc.container.conf.sgml.in
CommitLineData
55fc19a1
SG		 1<!--
2
3lxc: linux Container library
4
5(C) Copyright IBM Corp. 2007, 2008
6
7Authors:
8Daniel Lezcano <daniel.lezcano at free.fr>
9
10This library is free software; you can redistribute it and/or
11modify it under the terms of the GNU Lesser General Public
12License as published by the Free Software Foundation; either
13version 2.1 of the License, or (at your option) any later version.
14
15This library is distributed in the hope that it will be useful,
16but WITHOUT ANY WARRANTY; without even the implied warranty of
17MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18Lesser General Public License for more details.
19
20You should have received a copy of the GNU Lesser General Public
21License along with this library; if not, write to the Free Software
22Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23
24-->
25
26<!DOCTYPE refentry PUBLIC @docdtd@ [
27
28<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
29]>
30
31<refentry>
32
33 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
34
35 <refmeta>
36 <refentrytitle>lxc.container.conf</refentrytitle>
37 <manvolnum>5</manvolnum>
38 </refmeta>
39
40 <refnamediv>
41 <refname>lxc.container.conf</refname>
42
43 <refpurpose>
44 LXC container configuration file
45 </refpurpose>
46 </refnamediv>
47
48 <refsect1>
49 <title>Description</title>
50
51 <para>
b9986e43
CB		 52 LXC is the well-known and heavily tested low-level Linux container
53 runtime. It is in active development since 2008 and has proven itself in
54 critical production environments world-wide. Some of its core contributors
55 are the same people that helped to implement various well-known
56 containerization features inside the Linux kernel.
55fc19a1
SG		 57 </para>
58
59 <para>
b9986e43
CB		 60 LXC's main focus is system containers. That is, containers which offer an
61 environment as close as possible as the one you'd get from a VM but
62 without the overhead that comes with running a separate kernel and
63 simulating all the hardware.
55fc19a1
SG		 64 </para>
65
66 <para>
b9986e43
CB		 67 This is achieved through a combination of kernel security features such as
68 namespaces, mandatory access control and control groups.
69 </para>
70
71 <para>
eb4225a0 72 LXC has support for unprivileged containers. Unprivileged containers are
b9986e43
CB		 73 containers that are run without any privilege. This requires support for
74 user namespaces in the kernel that the container is run on. LXC was the
75 first runtime to support unprivileged containers after user namespaces
76 were merged into the mainline kernel.
77 </para>
78
79 <para>
80 In essence, user namespaces isolate given sets of UIDs and GIDs. This is
81 achieved by establishing a mapping between a range of UIDs and GIDs on the
82 host to a different (unprivileged) range of UIDs and GIDs in the
83 container. The kernel will translate this mapping in such a way that
84 inside the container all UIDs and GIDs appear as you would expect from the
85 host whereas on the host these UIDs and GIDs are in fact unprivileged. For
86 example, a process running as UID and GID 0 inside the container might
87 appear as UID and GID 100000 on the host. The implementation and working
88 details can be gathered from the corresponding user namespace man page.
bdcbb6b3 89 UID and GID mappings can be defined with the <option>lxc.idmap</option>
b9986e43
CB		 90 key.
91 </para>
92
93 <para>
94 Linux containers are defined with a simple configuration file. Each
95 option in the configuration file has the form <command>key =
96 value</command> fitting in one line. The "#" character means the line is a
97 comment. List options, like capabilities and cgroups options, can be used
98 with no value to clear any previously defined values of that option.
99 </para>
100
101 <para>
eb4225a0 102 LXC namespaces configuration keys use single dots. This means complex
7fa3f2e9 103 configuration keys such as <option>lxc.net.0</option> expose various
104 subkeys such as <option>lxc.net.0.type</option>,
2e44ae28 105 <option>lxc.net.0.link</option>, <option>lxc.net.0.ipv6.address</option>, and
b9986e43 106 others for even more fine-grained configuration.
55fc19a1
SG		 107 </para>
108
109 <refsect2>
110 <title>Configuration</title>
111 <para>
b9986e43
CB		 112 In order to ease administration of multiple related containers, it is
113 possible to have a container configuration file cause another file to be
114 loaded. For instance, network configuration can be defined in one common
115 file which is included by multiple containers. Then, if the containers
116 are moved to another host, only one file may need to be updated.
55fc19a1
SG		 117 </para>
118
119 <variablelist>
c464fd7e
SG		 120 <varlistentry>
121 <term>
122 <option>lxc.include</option>
123 </term>
124 <listitem>
125 <para>
126 Specify the file to be included. The included file must be
127 in the same valid lxc configuration file format.
128 </para>
129 </listitem>
130 </varlistentry>
55fc19a1
SG		 131 </variablelist>
132 </refsect2>
133
134 <refsect2>
135 <title>Architecture</title>
136 <para>
b9986e43
CB		 137 Allows one to set the architecture for the container. For example, set a
138 32bits architecture for a container running 32bits binaries on a 64bits
139 host. This fixes the container scripts which rely on the architecture to
140 do some work like downloading the packages.
55fc19a1
SG		 141 </para>
142
143 <variablelist>
c464fd7e
SG		 144 <varlistentry>
145 <term>
146 <option>lxc.arch</option>
147 </term>
148 <listitem>
149 <para>
150 Specify the architecture for the container.
151 </para>
152 <para>
b9986e43 153 Some valid options are
c464fd7e
SG		 154 <option>x86</option>,
155 <option>i686</option>,
156 <option>x86_64</option>,
157 <option>amd64</option>
158 </para>
159 </listitem>
160 </varlistentry>
55fc19a1
SG		 161 </variablelist>
162
163 </refsect2>
164
165 <refsect2>
166 <title>Hostname</title>
167 <para>
b9986e43
CB		 168 The utsname section defines the hostname to be set for the container.
169 That means the container can set its own hostname without changing the
170 one from the system. That makes the hostname private for the container.
55fc19a1
SG		 171 </para>
172 <variablelist>
c464fd7e
SG		 173 <varlistentry>
174 <term>
b67771bc 175 <option>lxc.uts.name</option>
c464fd7e
SG		 176 </term>
177 <listitem>
178 <para>
179 specify the hostname for the container
180 </para>
181 </listitem>
182 </varlistentry>
55fc19a1
SG		 183 </variablelist>
184 </refsect2>
185
186 <refsect2>
187 <title>Halt signal</title>
188 <para>
b9986e43
CB		 189 Allows one to specify signal name or number sent to the container's
190 init process to cleanly shutdown the container. Different init systems
191 could use different signals to perform clean shutdown sequence. This
192 option allows the signal to be specified in kill(1) fashion, e.g.
193 SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default signal is
194 SIGPWR.
55fc19a1
SG		 195 </para>
196 <variablelist>
936762f3
BP		 197 <varlistentry>
198 <term>
55c84efc 199 <option>lxc.signal.halt</option>
936762f3
BP		 200 </term>
201 <listitem>
202 <para>
203 specify the signal used to halt the container
204 </para>
205 </listitem>
206 </varlistentry>
207 </variablelist>
208 </refsect2>
209
210 <refsect2>
211 <title>Reboot signal</title>
212 <para>
b9986e43
CB		 213 Allows one to specify signal name or number to reboot the container.
214 This option allows signal to be specified in kill(1) fashion, e.g.
215 SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default signal
216 is SIGINT.
936762f3
BP		 217 </para>
218 <variablelist>
219 <varlistentry>
220 <term>
55c84efc 221 <option>lxc.signal.reboot</option>
936762f3
BP		 222 </term>
223 <listitem>
224 <para>
225 specify the signal used to reboot the container
226 </para>
227 </listitem>
228 </varlistentry>
55fc19a1
SG		 229 </variablelist>
230 </refsect2>
231
232 <refsect2>
233 <title>Stop signal</title>
234 <para>
b9986e43
CB		 235 Allows one to specify signal name or number to forcibly shutdown the
236 container. This option allows signal to be specified in kill(1) fashion,
237 e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default
238 signal is SIGKILL.
936762f3
BP		 239 </para>
240 <variablelist>
241 <varlistentry>
242 <term>
55c84efc 243 <option>lxc.signal.stop</option>
936762f3
BP		 244 </term>
245 <listitem>
246 <para>
247 specify the signal used to stop the container
248 </para>
249 </listitem>
250 </varlistentry>
55fc19a1
SG		 251 </variablelist>
252 </refsect2>
253
67c660d0
SG		 254 <refsect2>
255 <title>Init command</title>
256 <para>
257 Sets the command to use as the init system for the containers.
67c660d0 258 </para>
5cda27c1
SH		 259 <variablelist>
260 <varlistentry>
261 <term>
262 <option>lxc.execute.cmd</option>
263 </term>
264 <listitem>
265 <para>
266 Absolute path from container rootfs to the binary to run by default. This
fcd95ae9 267 mostly makes sense for <command>lxc-execute</command>.
5cda27c1
SH		 268 </para>
269 </listitem>
270 </varlistentry>
271 </variablelist>
67c660d0 272 <variablelist>
936762f3
BP		 273 <varlistentry>
274 <term>
9dcf7b4d 275 <option>lxc.init.cmd</option>
936762f3
BP		 276 </term>
277 <listitem>
278 <para>
fcd95ae9
KY		 279 Absolute path from container rootfs to the binary to use as init. This
280 mostly makes sense for <command>lxc-start</command>. Default is <command>/sbin/init</command>.
936762f3
BP		 281 </para>
282 </listitem>
283 </varlistentry>
67c660d0
SG		 284 </variablelist>
285 </refsect2>
286
3c491553
L		 287 <refsect2>
288 <title>Init working directory</title>
289 <para>
290 Sets the absolute path inside the container as the working directory for the containers.
291 LXC will switch to this directory before executing init.
292 </para>
293 <variablelist>
294 <varlistentry>
295 <term>
296 <option>lxc.init.cwd</option>
297 </term>
298 <listitem>
299 <para>
300 Absolute path inside the container to use as the working directory.
301 </para>
302 </listitem>
303 </varlistentry>
304 </variablelist>
305 </refsect2>
306
dbca9237
PT		 307 <refsect2>
308 <title>Init ID</title>
309 <para>
b9986e43 310 Sets the UID/GID to use for the init system, and subsequent commands.
14a7b0f9 311 Note that using a non-root UID when booting a system container will
b9986e43 312 likely not work due to missing privileges. Setting the UID/GID is mostly
14a7b0f9 313 useful when running application containers.
dbca9237
PT		 314
315 Defaults to: UID(0), GID(0)
316 </para>
317 <variablelist>
318 <varlistentry>
319 <term>
9dcf7b4d 320 <option>lxc.init.uid</option>
dbca9237
PT		 321 </term>
322 <listitem>
323 <para>
b9986e43 324 UID to use for init.
dbca9237
PT		 325 </para>
326 </listitem>
327 </varlistentry>
328 <varlistentry>
329 <term>
9dcf7b4d 330 <option>lxc.init.gid</option>
dbca9237
PT		 331 </term>
332 <listitem>
333 <para>
b9986e43 334 GID to use for init.
dbca9237
PT		 335 </para>
336 </listitem>
337 </varlistentry>
338 </variablelist>
339 </refsect2>
340
61d7a733
YT		 341 <refsect2>
342 <title>Proc</title>
343 <para>
344 Configure proc filesystem for the container.
345 </para>
346 <variablelist>
347 <varlistentry>
348 <term>
349 <option>lxc.proc.[proc file name]</option>
350 </term>
351 <listitem>
352 <para>
eb4225a0 353 Specify the proc file name to be set. The file names available
61d7a733
YT		 354 are those listed under /proc/PID/.
355 Example:
356 </para>
357 <programlisting>
358 lxc.proc.oom_score_adj = 10
359 </programlisting>
360 </listitem>
361 </varlistentry>
362 </variablelist>
363 </refsect2>
364
4e6eb26b
CB		 365 <refsect2>
366 <title>Ephemeral</title>
367 <para>
368 Allows one to specify whether a container will be destroyed on shutdown.
369 </para>
370 <variablelist>
371 <varlistentry>
372 <term>
373 <option>lxc.ephemeral</option>
374 </term>
375 <listitem>
376 <para>
377 The only allowed values are 0 and 1. Set this to 1 to destroy a
378 container on shutdown.
379 </para>
380 </listitem>
381 </varlistentry>
382 </variablelist>
383 </refsect2>
384
55fc19a1
SG		 385 <refsect2>
386 <title>Network</title>
387 <para>
c464fd7e
SG		 388 The network section defines how the network is virtualized in
389 the container. The network virtualization acts at layer
390 two. In order to use the network virtualization, parameters
391 must be specified to define the network interfaces of the
392 container. Several virtual interfaces can be assigned and used
393 in a container even if the system has only one physical
394 network interface.
55fc19a1
SG		 395 </para>
396 <variablelist>
020104c3
MH		 397 <varlistentry>
398 <term>
7fa3f2e9 399 <option>lxc.net</option>
020104c3
MH		 400 </term>
401 <listitem>
402 <para>
403 may be used without a value to clear all previous network options.
404 </para>
405 </listitem>
406 </varlistentry>
c464fd7e
SG		 407 <varlistentry>
408 <term>
7fa3f2e9 409 <option>lxc.net.[i].type</option>
c464fd7e
SG		 410 </term>
411 <listitem>
412 <para>
413 specify what kind of network virtualization to be used
b9986e43
CB		 414 for the container.
415 Multiple networks can be specified by using an additional index
416 <option>i</option>
7fa3f2e9 417 after all <option>lxc.net.*</option> keys. For example,
418 <option>lxc.net.0.type = veth</option> and
419 <option>lxc.net.1.type = veth</option> specify two different
b9986e43
CB		 420 networks of the same type. All keys sharing the same index
421 <option>i</option> will be treated as belonging to the same
7fa3f2e9 422 network. For example, <option>lxc.net.0.link = br0</option>
423 will belong to <option>lxc.net.0.type</option>.
b9986e43 424 Currently, the different virtualization types can be:
c464fd7e
SG		 425 </para>
426
427 <para>
428 <option>none:</option> will cause the container to share
429 the host's network namespace. This means the host
430 network devices are usable in the container. It also
431 means that if both the container and host have upstart as
432 init, 'halt' in a container (for instance) will shut down the
e4b3e369
AK		 433 host. Note that unprivileged containers do not work with this
434 setting due to an inability to mount sysfs. An unsafe workaround
435 would be to bind mount the host's sysfs.
c464fd7e
SG		 436 </para>
437
438 <para>
439 <option>empty:</option> will create only the loopback
440 interface.
441 </para>
442
443 <para>
38005c54
MA		 444 <option>veth:</option> a virtual ethernet pair
445 device is created with one side assigned to the container
446 and the other side attached to a bridge specified by
7fa3f2e9 447 the <option>lxc.net.[i].link</option> option.
38005c54
MA		 448 If the bridge is not specified, then the veth pair device
449 will be created but not attached to any bridge.
450 Otherwise, the bridge has to be created on the system
451 before starting the container.
452 <command>lxc</command> won't handle any
453 configuration outside of the container.
454 By default, <command>lxc</command> chooses a name for the
c464fd7e 455 network device belonging to the outside of the
38005c54
MA		 456 container, but if you wish to handle
457 this name yourselves, you can tell <command>lxc</command>
c464fd7e 458 to set a specific name with
7fa3f2e9 459 the <option>lxc.net.[i].veth.pair</option> option (except for
c464fd7e
SG		 460 unprivileged containers where this option is ignored for security
461 reasons).
462 </para>
463
464 <para>
465 <option>vlan:</option> a vlan interface is linked with
466 the interface specified by
7fa3f2e9 467 the <option>lxc.net.[i].link</option> and assigned to
c464fd7e 468 the container. The vlan identifier is specified with the
7fa3f2e9 469 option <option>lxc.net.[i].vlan.id</option>.
c464fd7e
SG		 470 </para>
471
472 <para>
473 <option>macvlan:</option> a macvlan interface is linked
474 with the interface specified by
7fa3f2e9 475 the <option>lxc.net.[i].link</option> and assigned to
c464fd7e 476 the container.
7fa3f2e9 477 <option>lxc.net.[i].macvlan.mode</option> specifies the
c464fd7e
SG		 478 mode the macvlan will use to communicate between
479 different macvlan on the same upper device. The accepted
c15ea607
EL		 480 modes are <option>private</option>, <option>vepa</option>,
481 <option>bridge</option> and <option>passthru</option>.
482 In <option>private</option> mode, the device never
483 communicates with any other device on the same upper_dev (default).
484 In <option>vepa</option> mode, the new Virtual Ethernet Port
c464fd7e
SG		 485 Aggregator (VEPA) mode, it assumes that the adjacent
486 bridge returns all frames where both source and
487 destination are local to the macvlan port, i.e. the
488 bridge is set up as a reflective relay. Broadcast
489 frames coming in from the upper_dev get flooded to all
490 macvlan interfaces in VEPA mode, local frames are not
c15ea607 491 delivered locally. In <option>bridge</option> mode, it
c464fd7e
SG		 492 provides the behavior of a simple bridge between
493 different macvlan interfaces on the same port. Frames
494 from one interface to another one get delivered directly
495 and are not sent out externally. Broadcast frames get
496 flooded to all other bridge ports and to the external
497 interface, but when they come back from a reflective
498 relay, we don't deliver them again. Since we know all
499 the MAC addresses, the macvlan bridge mode does not
c15ea607
EL		 500 require learning or STP like the bridge module does. In
501 <option>passthru</option> mode, all frames received by
502 the physical interface are forwarded to the macvlan
503 interface. Only one macvlan interface in <option>passthru</option>
504 mode is possible for one physical interface.
c464fd7e
SG		 505 </para>
506
507 <para>
508 <option>phys:</option> an already existing interface
7fa3f2e9 509 specified by the <option>lxc.net.[i].link</option> is
c464fd7e
SG		 510 assigned to the container.
511 </para>
512 </listitem>
513 </varlistentry>
514
515 <varlistentry>
516 <term>
7fa3f2e9 517 <option>lxc.net.[i].flags</option>
c464fd7e
SG		 518 </term>
519 <listitem>
520 <para>
b9986e43 521 Specify an action to do for the network.
c464fd7e
SG		 522 </para>
523
524 <para><option>up:</option> activates the interface.
525 </para>
526 </listitem>
527 </varlistentry>
528
529 <varlistentry>
530 <term>
7fa3f2e9 531 <option>lxc.net.[i].link</option>
c464fd7e
SG		 532 </term>
533 <listitem>
534 <para>
b9986e43
CB		 535 Specify the interface to be used for real network traffic.
536 </para>
c464fd7e
SG		 537 </listitem>
538 </varlistentry>
539
540 <varlistentry>
541 <term>
7fa3f2e9 542 <option>lxc.net.[i].mtu</option>
c464fd7e
SG		 543 </term>
544 <listitem>
545 <para>
b9986e43 546 Specify the maximum transfer unit for this interface.
c464fd7e
SG		 547 </para>
548 </listitem>
549 </varlistentry>
550
551 <varlistentry>
552 <term>
7fa3f2e9 553 <option>lxc.net.[i].name</option>
c464fd7e
SG		 554 </term>
555 <listitem>
556 <para>
b9986e43
CB		 557 The interface name is dynamically allocated, but if another name
558 is needed because the configuration files being used by the
559 container use a generic name, eg. eth0, this option will rename
560 the interface in the container.
c464fd7e
SG		 561 </para>
562 </listitem>
563 </varlistentry>
564
565 <varlistentry>
566 <term>
7fa3f2e9 567 <option>lxc.net.[i].hwaddr</option>
c464fd7e
SG		 568 </term>
569 <listitem>
570 <para>
b9986e43
CB		 571 The interface mac address is dynamically allocated by default to
572 the virtual interface, but in some cases, this is needed to
573 resolve a mac address conflict or to always have the same
574 link-local ipv6 address. Any "x" in address will be replaced by
575 random value, this allows setting hwaddr templates.
c464fd7e
SG		 576 </para>
577 </listitem>
578 </varlistentry>
579
580 <varlistentry>
581 <term>
9ff60df2 582 <option>lxc.net.[i].ipv4.address</option>
c464fd7e
SG		 583 </term>
584 <listitem>
585 <para>
b9986e43
CB		 586 Specify the ipv4 address to assign to the virtualized interface.
587 Several lines specify several ipv4 addresses. The address is in
588 format x.y.z.t/m, eg. 192.168.1.123/24.
c464fd7e
SG		 589 </para>
590 </listitem>
591 </varlistentry>
592
593 <varlistentry>
594 <term>
7fa3f2e9 595 <option>lxc.net.[i].ipv4.gateway</option>
c464fd7e
SG		 596 </term>
597 <listitem>
598 <para>
b9986e43
CB		 599 Specify the ipv4 address to use as the gateway inside the
600 container. The address is in format x.y.z.t, eg. 192.168.1.123.
c464fd7e
SG		 601
602 Can also have the special value <option>auto</option>,
603 which means to take the primary address from the bridge
604 interface (as specified by the
7fa3f2e9 605 <option>lxc.net.[i].link</option> option) and use that as
c464fd7e
SG		 606 the gateway. <option>auto</option> is only available when
607 using the <option>veth</option> and
608 <option>macvlan</option> network types.
609 </para>
610 </listitem>
611 </varlistentry>
612
c464fd7e
SG		 613 <varlistentry>
614 <term>
2e44ae28 615 <option>lxc.net.[i].ipv6.address</option>
c464fd7e
SG		 616 </term>
617 <listitem>
618 <para>
b9986e43
CB		 619 Specify the ipv6 address to assign to the virtualized
620 interface. Several lines specify several ipv6 addresses. The
621 address is in format x::y/m, eg.
622 2003:db8:1:0:214:1234:fe0b:3596/64
c464fd7e
SG		 623 </para>
624 </listitem>
625 </varlistentry>
626
627 <varlistentry>
628 <term>
7fa3f2e9 629 <option>lxc.net.[i].ipv6.gateway</option>
c464fd7e
SG		 630 </term>
631 <listitem>
632 <para>
b9986e43
CB		 633 Specify the ipv6 address to use as the gateway inside the
634 container. The address is in format x::y, eg. 2003:db8:1:0::1
c464fd7e
SG		 635
636 Can also have the special value <option>auto</option>,
637 which means to take the primary address from the bridge
638 interface (as specified by the
7fa3f2e9 639 <option>lxc.net.[i].link</option> option) and use that as
c464fd7e
SG		 640 the gateway. <option>auto</option> is only available when
641 using the <option>veth</option> and
642 <option>macvlan</option> network types.
643 </para>
644 </listitem>
645 </varlistentry>
646
647 <varlistentry>
648 <term>
7fa3f2e9 649 <option>lxc.net.[i].script.up</option>
c464fd7e
SG		 650 </term>
651 <listitem>
652 <para>
b9986e43 653 Add a configuration option to specify a script to be
c464fd7e 654 executed after creating and configuring the network used
14a7b0f9
CB		 655 from the host side.
656 </para>
657
658 <para>
659 In addition to the information available to all hooks. The
660 following information is provided to the script:
661 <itemizedlist>
662 <listitem>
663 <para>
664 LXC_HOOK_TYPE: the hook type. This is either 'up' or 'down'.
665 </para>
666 </listitem>
667
668 <listitem>
669 <para>
670 LXC_HOOK_SECTION: the section type 'net'.
671 </para>
672 </listitem>
673
674 <listitem>
675 <para>
676 LXC_NET_TYPE: the network type. This is one of the valid
677 network types listed here (e.g. 'macvlan', 'veth').
678 </para>
679 </listitem>
680
681 <listitem>
682 <para>
683 LXC_NET_PARENT: the parent device on the host. This is only
684 set for network types 'mavclan', 'veth', 'phys'.
685 </para>
686 </listitem>
687
688 <listitem>
689 <para>
690 LXC_NET_PEER: the name of the peer device on the host. This is
691 only set for 'veth' network types. Note that this information
692 is only available when <option>lxc.hook.version</option> is set
693 to 1.
694 </para>
695 </listitem>
696 </itemizedlist>
697
698 Whether this information is provided in the form of environment
699 variables or as arguments to the script depends on the value of
700 <option>lxc.hook.version</option>. If set to 1 then information is
701 provided in the form of environment variables. If set to 0
702 information is provided as arguments to the script.
c464fd7e 703 </para>
14a7b0f9 704
c464fd7e
SG		 705 <para>
706 Standard output from the script is logged at debug level.
707 Standard error is not logged, but can be captured by the
708 hook redirecting its standard error to standard output.
709 </para>
710 </listitem>
711 </varlistentry>
712
713 <varlistentry>
714 <term>
7fa3f2e9 715 <option>lxc.net.[i].script.down</option>
c464fd7e
SG		 716 </term>
717 <listitem>
718 <para>
b9986e43 719 Add a configuration option to specify a script to be
c464fd7e 720 executed before destroying the network used from the
14a7b0f9
CB		 721 host side.
722 </para>
723
724 <para>
725 In addition to the information available to all hooks. The
726 following information is provided to the script:
727 <itemizedlist>
728 <listitem>
729 <para>
730 LXC_HOOK_TYPE: the hook type. This is either 'up' or 'down'.
731 </para>
732 </listitem>
733
734 <listitem>
735 <para>
736 LXC_HOOK_SECTION: the section type 'net'.
737 </para>
738 </listitem>
739
740 <listitem>
741 <para>
742 LXC_NET_TYPE: the network type. This is one of the valid
743 network types listed here (e.g. 'macvlan', 'veth').
744 </para>
745 </listitem>
746
747 <listitem>
748 <para>
749 LXC_NET_PARENT: the parent device on the host. This is only
750 set for network types 'mavclan', 'veth', 'phys'.
751 </para>
752 </listitem>
753
754 <listitem>
755 <para>
756 LXC_NET_PEER: the name of the peer device on the host. This is
757 only set for 'veth' network types. Note that this information
758 is only available when <option>lxc.hook.version</option> is set
759 to 1.
760 </para>
761 </listitem>
762 </itemizedlist>
763
764 Whether this information is provided in the form of environment
765 variables or as arguments to the script depends on the value of
766 <option>lxc.hook.version</option>. If set to 1 then information is
767 provided in the form of environment variables. If set to 0
768 information is provided as arguments to the script.
c464fd7e 769 </para>
14a7b0f9 770
c464fd7e
SG		 771 <para>
772 Standard output from the script is logged at debug level.
773 Standard error is not logged, but can be captured by the
774 hook redirecting its standard error to standard output.
775 </para>
776 </listitem>
777 </varlistentry>
55fc19a1
SG		 778 </variablelist>
779 </refsect2>
780
781 <refsect2>
782 <title>New pseudo tty instance (devpts)</title>
783 <para>
c464fd7e
SG		 784 For stricter isolation the container can have its own private
785 instance of the pseudo tty.
55fc19a1
SG		 786 </para>
787 <variablelist>
c464fd7e
SG		 788 <varlistentry>
789 <term>
232763d6 790 <option>lxc.pty.max</option>
c464fd7e
SG		 791 </term>
792 <listitem>
793 <para>
794 If set, the container will have a new pseudo tty
795 instance, making this private to it. The value specifies
55fc19a1
SG		 796 the maximum number of pseudo ttys allowed for a pts
797 instance (this limitation is not implemented yet).
c464fd7e
SG		 798 </para>
799 </listitem>
800 </varlistentry>
55fc19a1
SG		 801 </variablelist>
802 </refsect2>
803
804 <refsect2>
805 <title>Container system console</title>
806 <para>
c464fd7e
SG		 807 If the container is configured with a root filesystem and the
808 inittab file is setup to use the console, you may want to specify
809 where the output of this console goes.
55fc19a1
SG		 810 </para>
811 <variablelist>
28f3b1cd
CB		 812
813 <varlistentry>
814 <term>
815 <option>lxc.console.buffer.size</option>
816 </term>
817 <listitem>
818 <para>
819 Setting this option instructs liblxc to allocate an in-memory
820 ringbuffer. The container's console output will be written to the
821 ringbuffer. Note that ringbuffer must be at least as big as a
822 standard page size. When passed a value smaller than a single page
823 size liblxc will allocate a ringbuffer of a single page size. A page
39ebeb72 824 size is usually 4KB.
28f3b1cd
CB		 825
826 The keyword 'auto' will cause liblxc to allocate a ringbuffer of
39ebeb72 827 128KB.
28f3b1cd
CB		 828
829 When manually specifying a size for the ringbuffer the value should
830 be a power of 2 when converted to bytes. Valid size prefixes are
39ebeb72 831 'KB', 'MB', 'GB'. (Note that all conversions are based on multiples
832 of 1024. That means 'KB' == 'KiB', 'MB' == 'MiB', 'GB' == 'GiB'.
6d276edc
CB		 833 Additionally, the case of the suffix is ignored, i.e. 'kB', 'KB' and
834 'Kb' are treated equally.)
28f3b1cd
CB		 835 </para>
836 </listitem>
837 </varlistentry>
838
861813e5
CB		 839 <varlistentry>
840 <term>
841 <option>lxc.console.size</option>
842 </term>
843 <listitem>
844 <para>
845 Setting this option instructs liblxc to place a limit on the size of
846 the console log file specified in
847 <option>lxc.console.logfile</option>. Note that size of the log file
848 must be at least as big as a standard page size. When passed a value
849 smaller than a single page size liblxc will set the size of log file
39ebeb72 850 to a single page size. A page size is usually 4KB.
861813e5 851
39ebeb72 852 The keyword 'auto' will cause liblxc to place a limit of 128KB on
861813e5
CB		 853 the log file.
854
855 When manually specifying a size for the log file the value should
856 be a power of 2 when converted to bytes. Valid size prefixes are
39ebeb72 857 'KB', 'MB', 'GB'. (Note that all conversions are based on multiples
858 of 1024. That means 'KB' == 'KiB', 'MB' == 'MiB', 'GB' == 'GiB'.
6d276edc
CB		 859 Additionally, the case of the suffix is ignored, i.e. 'kB', 'KB' and
860 'Kb' are treated equally.)
861813e5
CB		 861
862 If users want to mirror the console ringbuffer on disk they should set
863 <option>lxc.console.size</option> equal to
864 <option>lxc.console.buffer.size</option>.
865 </para>
866 </listitem>
867 </varlistentry>
868
c464fd7e
SG		 869 <varlistentry>
870 <term>
871 <option>lxc.console.logfile</option>
872 </term>
873 <listitem>
874 <para>
d91adfa6
CB		 875 Specify a path to a file where the console output will be written.
876 Note that in contrast to the on-disk ringbuffer logfile this file
877 will keep growing potentially filling up the users disks if not
878 rotated and deleted. This problem can also be avoided by using the
879 in-memory ringbuffer options
880 <option>lxc.console.buffer.size</option> and
881 <option>lxc.console.buffer.logfile</option>.
c464fd7e
SG		 882 </para>
883 </listitem>
884 </varlistentry>
d91adfa6
CB		 885
886 <varlistentry>
887 <term>
888 <option>lxc.console.rotate</option>
889 </term>
890 <listitem>
891 <para>
892 Whether to rotate the console logfile specified in
893 <option>lxc.console.logfile</option>. Users can send an API
894 request to rotate the logfile. Note that the old logfile will have
895 the same name as the original with the suffix ".1" appended.
896
897 Users wishing to prevent the console log file from filling the
898 disk should rotate the logfile and delete it if unneeded. This
899 problem can also be avoided by using the in-memory ringbuffer
900 options <option>lxc.console.buffer.size</option> and
901 <option>lxc.console.buffer.logfile</option>.
902 </para>
903 </listitem>
904 </varlistentry>
905
c464fd7e
SG		 906 <varlistentry>
907 <term>
3aed4934 908 <option>lxc.console.path</option>
c464fd7e
SG		 909 </term>
910 <listitem>
911 <para>
912 Specify a path to a device to which the console will be
6e3bb289
CB		 913 attached. The keyword 'none' will simply disable the
914 console. Note, when specifying 'none' and creating a device node
915 for the console in the container at /dev/console or bind-mounting
916 the hosts's /dev/console into the container at /dev/console the
917 container will have direct access to the hosts's /dev/console.
918 This is dangerous when the container has write access to the
919 device and should thus be used with caution.
c464fd7e
SG		 920 </para>
921 </listitem>
922 </varlistentry>
55fc19a1
SG		 923 </variablelist>
924 </refsect2>
925
926 <refsect2>
927 <title>Console through the ttys</title>
928 <para>
c464fd7e
SG		 929 This option is useful if the container is configured with a root
930 filesystem and the inittab file is setup to launch a getty on the
931 ttys. The option specifies the number of ttys to be available for
932 the container. The number of gettys in the inittab file of the
933 container should not be greater than the number of ttys specified
934 in this option, otherwise the excess getty sessions will die and
935 respawn indefinitely giving annoying messages on the console or in
936 <filename>/var/log/messages</filename>.
55fc19a1
SG		 937 </para>
938 <variablelist>
c464fd7e
SG		 939 <varlistentry>
940 <term>
fe1c5887 941 <option>lxc.tty.max</option>
c464fd7e
SG		 942 </term>
943 <listitem>
944 <para>
945 Specify the number of tty to make available to the
946 container.
947 </para>
948 </listitem>
949 </varlistentry>
55fc19a1
SG		 950 </variablelist>
951 </refsect2>
952
953 <refsect2>
954 <title>Console devices location</title>
955 <para>
956 LXC consoles are provided through Unix98 PTYs created on the
c464fd7e
SG		 957 host and bind-mounted over the expected devices in the container.
958 By default, they are bind-mounted over <filename>/dev/console</filename>
959 and <filename>/dev/ttyN</filename>. This can prevent package upgrades
960 in the guest. Therefore you can specify a directory location (under
961 <filename>/dev</filename> under which LXC will create the files and
962 bind-mount over them. These will then be symbolically linked to
963 <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
964 A package upgrade can then succeed as it is able to remove and replace
965 the symbolic links.
55fc19a1
SG		 966 </para>
967 <variablelist>
c464fd7e
SG		 968 <varlistentry>
969 <term>
fe1c5887 970 <option>lxc.tty.dir</option>
c464fd7e
SG		 971 </term>
972 <listitem>
973 <para>
974 Specify a directory under <filename>/dev</filename>
6e3bb289
CB		 975 under which to create the container console devices. Note that LXC
976 will move any bind-mounts or device nodes for /dev/console into
977 this directory.
c464fd7e
SG		 978 </para>
979 </listitem>
980 </varlistentry>
55fc19a1
SG		 981 </variablelist>
982 </refsect2>
983
984 <refsect2>
985 <title>/dev directory</title>
986 <para>
c464fd7e
SG		 987 By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr)
988 in the container's <filename>/dev</filename> directory but does not
989 automatically create device node entries. This allows the container's
990 <filename>/dev</filename> to be set up as needed in the container
991 rootfs. If lxc.autodev is set to 1, then after mounting the container's
992 rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
c35d2909 993 (limited to 500k) and fill in a minimal set of initial devices.
55fc19a1
SG		 994 This is generally required when starting a container containing
995 a "systemd" based "init" but may be optional at other times. Additional
996 devices in the containers /dev directory may be created through the
997 use of the <option>lxc.hook.autodev</option> hook.
998 </para>
999 <variablelist>
c464fd7e
SG		 1000 <varlistentry>
1001 <term>
1002 <option>lxc.autodev</option>
1003 </term>
1004 <listitem>
1005 <para>
124fa0a8 1006 Set this to 0 to stop LXC from mounting and populating a minimal
c464fd7e
SG		 1007 <filename>/dev</filename> when starting the container.
1008 </para>
1009 </listitem>
1010 </varlistentry>
55fc19a1 1011 </variablelist>
55fc19a1
SG		 1012 </refsect2>
1013
1014 <refsect2>
1015 <title>Mount points</title>
1016 <para>
c464fd7e
SG		 1017 The mount points section specifies the different places to be
1018 mounted. These mount points will be private to the container
1019 and won't be visible by the processes running outside of the
1020 container. This is useful to mount /etc, /var or /home for
1021 examples.
55fc19a1 1022 </para>
592fd47a
SH		 1023 <para>
1024 NOTE - LXC will generally ensure that mount targets and relative
1025 bind-mount sources are properly confined under the container
1026 root, to avoid attacks involving over-mounting host directories
1027 and files. (Symbolic links in absolute mount sources are ignored)
1028 However, if the container configuration first mounts a directory which
1029 is under the control of the container user, such as /home/joe, into
1030 the container at some <filename>path</filename>, and then mounts
1031 under <filename>path</filename>, then a TOCTTOU attack would be
1032 possible where the container user modifies a symbolic link under
1033 his home directory at just the right time.
1034 </para>
55fc19a1 1035 <variablelist>
c464fd7e
SG		 1036 <varlistentry>
1037 <term>
47148e96 1038 <option>lxc.mount.fstab</option>
c464fd7e
SG		 1039 </term>
1040 <listitem>
1041 <para>
1042 specify a file location in
1043 the <filename>fstab</filename> format, containing the
1044 mount information. The mount target location can and in
1045 most cases should be a relative path, which will become
1046 relative to the mounted container root. For instance,
1047 </para>
b9986e43
CB		 1048 <programlisting>
1049 proc proc proc nodev,noexec,nosuid 0 0
1050 </programlisting>
c464fd7e
SG		 1051 <para>
1052 Will mount a proc filesystem under the container's /proc,
1053 regardless of where the root filesystem comes from. This
1054 is resilient to block device backed filesystems as well as
1055 container cloning.
1056 </para>
1057 <para>
1058 Note that when mounting a filesystem from an
1059 image file or block device the third field (fs_vfstype)
1060 cannot be auto as with
55fc19a1 1061 <citerefentry>
c464fd7e 1062 <refentrytitle>mount</refentrytitle>
55fc19a1
SG		 1063 <manvolnum>8</manvolnum>
1064 </citerefentry>
1065 but must be explicitly specified.
c464fd7e
SG		 1066 </para>
1067 </listitem>
1068 </varlistentry>
1069
1070 <varlistentry>
1071 <term>
1072 <option>lxc.mount.entry</option>
1073 </term>
1074 <listitem>
1075 <para>
d840039e 1076 Specify a mount point corresponding to a line in the
c464fd7e 1077 fstab format.
f5b67b36 1078
d840039e
YT		 1079 Moreover lxc supports mount propagation, such as rslave or
1080 rprivate, and adds three additional mount options.
f5b67b36
NC		 1081 <option>optional</option> don't fail if mount does not work.
1082 <option>create=dir</option> or <option>create=file</option>
1083 to create dir (or file) when the point will be mounted.
181437fd
YT		 1084 <option>relative</option> source path is taken to be relative to
1085 the mounted container root. For instance,
1086 </para>
1087<screen>
1088dev/null proc/kcore none bind,relative 0 0
1089</screen>
1090 <para>
1091 Will expand dev/null to ${<option>LXC_ROOTFS_MOUNT</option>}/dev/null,
1092 and mount it to proc/kcore inside the container.
1093 </para>
c464fd7e
SG		 1094 </listitem>
1095 </varlistentry>
1096
1097 <varlistentry>
1098 <term>
1099 <option>lxc.mount.auto</option>
1100 </term>
1101 <listitem>
1102 <para>
1103 specify which standard kernel file systems should be
1104 automatically mounted. This may dramatically simplify
1105 the configuration. The file systems are:
1106 </para>
1107 <itemizedlist>
1108 <listitem>
1109 <para>
1110 <option>proc:mixed</option> (or <option>proc</option>):
1111 mount <filename>/proc</filename> as read-write, but
1112 remount <filename>/proc/sys</filename> and
1113 <filename>/proc/sysrq-trigger</filename> read-only
1114 for security / container isolation purposes.
1115 </para>
1116 </listitem>
1117 <listitem>
1118 <para>
1119 <option>proc:rw</option>: mount
1120 <filename>/proc</filename> as read-write
1121 </para>
1122 </listitem>
1123 <listitem>
1124 <para>
f24a52d5
SG		 1125 <option>sys:mixed</option> (or <option>sys</option>):
1126 mount <filename>/sys</filename> as read-only but with
1127 /sys/devices/virtual/net writable.
1128 </para>
1129 </listitem>
1130 <listitem>
1131 <para>
1132 <option>sys:ro</option>:
c464fd7e
SG		 1133 mount <filename>/sys</filename> as read-only
1134 for security / container isolation purposes.
1135 </para>
1136 </listitem>
1137 <listitem>
1138 <para>
1139 <option>sys:rw</option>: mount
1140 <filename>/sys</filename> as read-write
1141 </para>
1142 </listitem>
3f69fb12 1143
c464fd7e
SG		 1144 <listitem>
1145 <para>
1146 <option>cgroup:mixed</option>:
3f69fb12
SY		 1147 Mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
1148 create directories for all hierarchies to which the container
1149 is added, create subdirectories in those hierarchies with the
1150 name of the cgroup, and bind-mount the container's own cgroup
1151 into that directory. The container will be able to write to
1152 its own cgroup directory, but not the parents, since they will
1153 be remounted read-only.
c464fd7e
SG		 1154 </para>
1155 </listitem>
3f69fb12 1156
c464fd7e
SG		 1157 <listitem>
1158 <para>
3f69fb12
SY		 1159 <option>cgroup:mixed:force</option>:
1160 The <option>force</option> option will cause LXC to perform
1161 the cgroup mounts for the container under all circumstances.
1162 Otherwise it is similar to <option>cgroup:mixed</option>.
1163 This is mainly useful when the cgroup namespaces are enabled
1164 where LXC will normally leave mounting cgroups to the init
1165 binary of the container since it is perfectly safe to do so.
c464fd7e
SG		 1166 </para>
1167 </listitem>
3f69fb12
SY		 1168
1169 <listitem>
1170 <para>
1171 <option>cgroup:ro</option>:
1172 similar to <option>cgroup:mixed</option>, but everything will
1173 be mounted read-only.
1174 </para>
1175 </listitem>
1176
1177 <listitem>
1178 <para>
1179 <option>cgroup:ro:force</option>:
1180 The <option>force</option> option will cause LXC to perform
1181 the cgroup mounts for the container under all circumstances.
1182 Otherwise it is similar to <option>cgroup:ro</option>.
1183 This is mainly useful when the cgroup namespaces are enabled
1184 where LXC will normally leave mounting cgroups to the init
1185 binary of the container since it is perfectly safe to do so.
1186 </para>
1187 </listitem>
1188
c464fd7e
SG		 1189 <listitem>
1190 <para>
1191 <option>cgroup:rw</option>: similar to
3f69fb12
SY		 1192 <option>cgroup:mixed</option>, but everything will be mounted
1193 read-write. Note that the paths leading up to the container's
1194 own cgroup will be writable, but will not be a cgroup
1195 filesystem but just part of the tmpfs of
1196 <filename>/sys/fs/cgroup</filename>
1197 </para>
1198 </listitem>
1199
1200 <listitem>
1201 <para>
1202 <option>cgroup:rw:force</option>:
1203 The <option>force</option> option will cause LXC to perform
1204 the cgroup mounts for the container under all circumstances.
1205 Otherwise it is similar to <option>cgroup:rw</option>.
1206 This is mainly useful when the cgroup namespaces are enabled
1207 where LXC will normally leave mounting cgroups to the init
1208 binary of the container since it is perfectly safe to do so.
c464fd7e
SG		 1209 </para>
1210 </listitem>
3f69fb12 1211
c464fd7e
SG		 1212 <listitem>
1213 <para>
1214 <option>cgroup</option> (without specifier):
1215 defaults to <option>cgroup:rw</option> if the
1216 container retains the CAP_SYS_ADMIN capability,
1217 <option>cgroup:mixed</option> otherwise.
1218 </para>
1219 </listitem>
e7806b2e 1220
c464fd7e
SG		 1221 <listitem>
1222 <para>
1223 <option>cgroup-full:mixed</option>:
1224 mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
1225 create directories for all hierarchies to which
1226 the container is added, bind-mount the hierarchies
1227 from the host to the container and make everything
1228 read-only except the container's own cgroup. Note
1229 that compared to <option>cgroup</option>, where
1230 all paths leading up to the container's own cgroup
1231 are just simple directories in the underlying
1232 tmpfs, here
1233 <filename>/sys/fs/cgroup/$hierarchy</filename>
1234 will contain the host's full cgroup hierarchy,
1235 albeit read-only outside the container's own cgroup.
1236 This may leak quite a bit of information into the
1237 container.
1238 </para>
1239 </listitem>
e7806b2e
CB		 1240
1241 <listitem>
1242 <para>
1243 <option>cgroup-full:mixed:force</option>:
1244 The <option>force</option> option will cause LXC to perform
1245 the cgroup mounts for the container under all circumstances.
1246 Otherwise it is similar to <option>cgroup-full:mixed</option>.
1247 This is mainly useful when the cgroup namespaces are enabled
1248 where LXC will normally leave mounting cgroups to the init
1249 binary of the container since it is perfectly safe to do so.
1250 </para>
1251 </listitem>
1252
c464fd7e
SG		 1253 <listitem>
1254 <para>
1255 <option>cgroup-full:ro</option>: similar to
1256 <option>cgroup-full:mixed</option>, but everything
1257 will be mounted read-only.
1258 </para>
1259 </listitem>
e7806b2e
CB		 1260
1261 <listitem>
1262 <para>
1263 <option>cgroup-full:ro:force</option>:
1264 The <option>force</option> option will cause LXC to perform
1265 the cgroup mounts for the container under all circumstances.
1266 Otherwise it is similar to <option>cgroup-full:ro</option>.
1267 This is mainly useful when the cgroup namespaces are enabled
1268 where LXC will normally leave mounting cgroups to the init
1269 binary of the container since it is perfectly safe to do so.
1270 </para>
1271 </listitem>
1272
c464fd7e
SG		 1273 <listitem>
1274 <para>
1275 <option>cgroup-full:rw</option>: similar to
1276 <option>cgroup-full:mixed</option>, but everything
1277 will be mounted read-write. Note that in this case,
1278 the container may escape its own cgroup. (Note also
1279 that if the container has CAP_SYS_ADMIN support
1280 and can mount the cgroup filesystem itself, it may
1281 do so anyway.)
1282 </para>
1283 </listitem>
e7806b2e
CB		 1284
1285 <listitem>
1286 <para>
1287 <option>cgroup-full:rw:force</option>:
1288 The <option>force</option> option will cause LXC to perform
1289 the cgroup mounts for the container under all circumstances.
1290 Otherwise it is similar to <option>cgroup-full:rw</option>.
1291 This is mainly useful when the cgroup namespaces are enabled
1292 where LXC will normally leave mounting cgroups to the init
1293 binary of the container since it is perfectly safe to do so.
1294 </para>
1295 </listitem>
1296
c464fd7e
SG		 1297 <listitem>
1298 <para>
1299 <option>cgroup-full</option> (without specifier):
1300 defaults to <option>cgroup-full:rw</option> if the
1301 container retains the CAP_SYS_ADMIN capability,
1302 <option>cgroup-full:mixed</option> otherwise.
1303 </para>
1304 </listitem>
e7806b2e 1305
c464fd7e 1306 </itemizedlist>
4608594e
SH		 1307 <para>
1308 If cgroup namespaces are enabled, then any <option>cgroup</option>
1309 auto-mounting request will be ignored, since the container can
1310 mount the filesystems itself, and automounting can confuse the
1311 container init.
1312 </para>
c464fd7e
SG		 1313 <para>
1314 Note that if automatic mounting of the cgroup filesystem
1315 is enabled, the tmpfs under
1316 <filename>/sys/fs/cgroup</filename> will always be
1317 mounted read-write (but for the <option>:mixed</option>
1318 and <option>:ro</option> cases, the individual
1319 hierarchies,
1320 <filename>/sys/fs/cgroup/$hierarchy</filename>, will be
1321 read-only). This is in order to work around a quirk in
1322 Ubuntu's
b46f0553 1323 <citerefentry>
c464fd7e 1324 <refentrytitle>mountall</refentrytitle>
b46f0553
CS		 1325 <manvolnum>8</manvolnum>
1326 </citerefentry>
c464fd7e
SG		 1327 command that will cause containers to wait for user
1328 input at boot if
1329 <filename>/sys/fs/cgroup</filename> is mounted read-only
1330 and the container can't remount it read-write due to a
1331 lack of CAP_SYS_ADMIN.
1332 </para>
1333 <para>
1334 Examples:
1335 </para>
1336 <programlisting>
1337 lxc.mount.auto = proc sys cgroup
1338 lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
1339 </programlisting>
1340 </listitem>
1341 </varlistentry>
55fc19a1
SG		 1342
1343 </variablelist>
1344 </refsect2>
1345
1346 <refsect2>
1347 <title>Root file system</title>
1348 <para>
c464fd7e
SG		 1349 The root file system of the container can be different than that
1350 of the host system.
55fc19a1
SG		 1351 </para>
1352 <variablelist>
c464fd7e
SG		 1353 <varlistentry>
1354 <term>
7a96a068 1355 <option>lxc.rootfs.path</option>
c464fd7e
SG		 1356 </term>
1357 <listitem>
1358 <para>
1359 specify the root file system for the container. It can
1360 be an image file, a directory or a block device. If not
1361 specified, the container shares its root file system
1362 with the host.
1363 </para>
1364 <para>
f1c26f2c
SH		 1365 For directory or simple block-device backed containers,
1366 a pathname can be used. If the rootfs is backed by a nbd
1367 device, then <filename>nbd:file:1</filename> specifies that
1368 <filename>file</filename> should be attached to a nbd device,
1369 and partition 1 should be mounted as the rootfs.
1370 <filename>nbd:file</filename> specifies that the nbd device
1371 itself should be mounted. <filename>overlayfs:/lower:/upper</filename>
1372 specifies that the rootfs should be an overlay with <filename>/upper</filename>
1373 being mounted read-write over a read-only mount of <filename>/lower</filename>.
12e6ab5d 1374 For <filename>overlay</filename> multiple <filename>/lower</filename>
280d2379 1375 directories can be specified. <filename>loop:/file</filename> tells lxc to attach
f1c26f2c 1376 <filename>/file</filename> to a loop device and mount the loop device.
c464fd7e
SG		 1377 </para>
1378 </listitem>
1379 </varlistentry>
1380
1381 <varlistentry>
1382 <term>
1383 <option>lxc.rootfs.mount</option>
1384 </term>
1385 <listitem>
1386 <para>
7a96a068 1387 where to recursively bind <option>lxc.rootfs.path</option>
c464fd7e
SG		 1388 before pivoting. This is to ensure success of the
1389 <citerefentry>
1390 <refentrytitle><command>pivot_root</command></refentrytitle>
1391 <manvolnum>8</manvolnum>
1392 </citerefentry>
1393 syscall. Any directory suffices, the default should
1394 generally work.
1395 </para>
1396 </listitem>
1397 </varlistentry>
1398
1399 <varlistentry>
1400 <term>
1401 <option>lxc.rootfs.options</option>
1402 </term>
1403 <listitem>
1404 <para>
1405 extra mount options to use when mounting the rootfs.
1406 </para>
1407 </listitem>
1408 </varlistentry>
a17b1e65 1409
55fc19a1
SG		 1410 </variablelist>
1411 </refsect2>
1412
1413 <refsect2>
1414 <title>Control group</title>
1415 <para>
c464fd7e
SG		 1416 The control group section contains the configuration for the
1417 different subsystem. <command>lxc</command> does not check the
1418 correctness of the subsystem name. This has the disadvantage
1419 of not detecting configuration errors until the container is
1420 started, but has the advantage of permitting any future
1421 subsystem.
55fc19a1
SG		 1422 </para>
1423 <variablelist>
c464fd7e
SG		 1424 <varlistentry>
1425 <term>
54860ed0 1426 <option>lxc.cgroup.[controller name]</option>
c464fd7e
SG		 1427 </term>
1428 <listitem>
1429 <para>
54860ed0
CB		 1430 Specify the control group value to be set on a legacy cgroup
1431 hierarchy. The controller name is the literal name of the control
1432 group. The permitted names and the syntax of their values is not
1433 dictated by LXC, instead it depends on the features of the Linux
1434 kernel running at the time the container is started, eg.
1435 <option>lxc.cgroup.cpuset.cpus</option>
1436 </para>
1437 </listitem>
1438 </varlistentry>
1439 <varlistentry>
1440 <term>
1441 <option>lxc.cgroup2.[controller name]</option>
1442 </term>
1443 <listitem>
1444 <para>
1445 Specify the control group value to be set on the unified cgroup
d0d68468 1446 hierarchy. The controller name is the literal name of the control
54860ed0
CB		 1447 group. The permitted names and the syntax of their values is not
1448 dictated by LXC, instead it depends on the features of the Linux
1449 kernel running at the time the container is started, eg.
1450 <option>lxc.cgroup2.memory.high</option>
c464fd7e
SG		 1451 </para>
1452 </listitem>
1453 </varlistentry>
bdcbb6b3
CB		 1454 <varlistentry>
1455 <term>
1456 <option>lxc.cgroup.dir</option>
1457 </term>
1458 <listitem>
1459 <para>
1460 specify a directory or path in which the container's cgroup will
1461 be created. For example, setting
1462 <option>lxc.cgroup.dir = my-cgroup/first</option> for a container
1463 named "c1" will create the container's cgroup as a sub-cgroup of
1464 "my-cgroup". For example, if the user's current cgroup "my-user"
78be8d75 1465 is located in the root cgroup of the cpuset controller in a
bdcbb6b3
CB		 1466 cgroup v1 hierarchy this would create the cgroup
1467 "/sys/fs/cgroup/cpuset/my-user/my-cgroup/first/c1" for the
1468 container. Any missing cgroups will be created by LXC. This
1469 presupposes that the user has write access to its current cgroup.
1470 </para>
1471 </listitem>
1472 </varlistentry>
55fc19a1
SG		 1473 </variablelist>
1474 </refsect2>
1475
1476 <refsect2>
1477 <title>Capabilities</title>
1478 <para>
c464fd7e
SG		 1479 The capabilities can be dropped in the container if this one
1480 is run as root.
55fc19a1
SG		 1481 </para>
1482 <variablelist>
c464fd7e
SG		 1483 <varlistentry>
1484 <term>
1485 <option>lxc.cap.drop</option>
1486 </term>
1487 <listitem>
1488 <para>
1489 Specify the capability to be dropped in the container. A
1490 single line defining several capabilities with a space
1491 separation is allowed. The format is the lower case of
1492 the capability definition without the "CAP_" prefix,
1493 eg. CAP_SYS_MODULE should be specified as
1494 sys_module. See
1495 <citerefentry>
1496 <refentrytitle><command>capabilities</command></refentrytitle>
1497 <manvolnum>7</manvolnum>
7eff30fd
MH		 1498 </citerefentry>.
1499 If used with no value, lxc will clear any drop capabilities
1500 specified up to this point.
c464fd7e
SG		 1501 </para>
1502 </listitem>
1503 </varlistentry>
1504 <varlistentry>
1505 <term>
1506 <option>lxc.cap.keep</option>
1507 </term>
1508 <listitem>
1509 <para>
1510 Specify the capability to be kept in the container. All other
1511 capabilities will be dropped. When a special value of "none" is
1512 encountered, lxc will clear any keep capabilities specified up
1513 to this point. A value of "none" alone can be used to drop all
1514 capabilities.
1515 </para>
1516 </listitem>
1517 </varlistentry>
55fc19a1
SG		 1518 </variablelist>
1519 </refsect2>
1520
f3c9f122 1521 <refsect2>
46186acd 1522 <title>Namespaces</title>
f3c9f122 1523 <para>
46186acd
CB		 1524 A namespace can be cloned (<option>lxc.namespace.clone</option>),
1525 kept (<option>lxc.namespace.keep</option>) or shared
1526 (<option>lxc.namespace.share.[namespace identifier]</option>).
f3c9f122
CB		 1527 </para>
1528 <variablelist>
46186acd
CB		 1529 <varlistentry>
1530 <term>
1531 <option>lxc.namespace.clone</option>
1532 </term>
1533 <listitem>
1534 <para>
1535 Specify namespaces which the container is supposed to be created
1536 with. The namespaces to create are specified as a space separated
1537 list. Each namespace must correspond to one of the standard
1538 namespace identifiers as seen in the
1539 <filename>/proc/PID/ns</filename> directory.
1540 When <option>lxc.namespace.clone</option> is not explicitly set all
1541 namespaces supported by the kernel and the current configuration
1542 will be used.
1543 </para>
1544
1545 <para>
1546 To create a new mount, net and ipc namespace set
1547 <option>lxc.namespace.clone=mount net ipc</option>.
1548 </para>
1549 </listitem>
1550 </varlistentry>
1551
1552 <varlistentry>
1553 <term>
1554 <option>lxc.namespace.keep</option>
1555 </term>
1556 <listitem>
1557 <para>
1558 Specify namespaces which the container is supposed to inherit from
1559 the process that created it. The namespaces to keep are specified as
1560 a space separated list. Each namespace must correspond to one of the
1561 standard namespace identifiers as seen in the
1562 <filename>/proc/PID/ns</filename> directory.
1563 The <option>lxc.namespace.keep</option> is a
1564 blacklist option, i.e. it is useful when enforcing that containers
1565 must keep a specific set of namespaces.
1566 </para>
1567
1568 <para>
1569 To keep the network, user and ipc namespace set
1570 <option>lxc.namespace.keep=user net ipc</option>.
1571 </para>
1572
1573 <para>
1574 Note that sharing pid namespaces will likely not work with most init
1575 systems.
1576 </para>
1577
1578 <para>
1579 Note that if the container requests a new user namespace and the
1580 container wants to inherit the network namespace it needs to inherit
1581 the user namespace as well.
1582 </para>
1583 </listitem>
1584 </varlistentry>
1585
f3c9f122
CB		 1586 <varlistentry>
1587 <term>
b074bbf1 1588 <option>lxc.namespace.share.[namespace identifier]</option>
f3c9f122
CB		 1589 </term>
1590 <listitem>
1591 <para>
1592 Specify a namespace to inherit from another container or process.
1593 The <option>[namespace identifier]</option> suffix needs to be
1594 replaced with one of the namespaces that appear in the
1595 <filename>/proc/PID/ns</filename> directory.
1596 </para>
1597
1598 <para>
1599 To inherit the namespace from another process set the
b074bbf1
CB		 1600 <option>lxc.namespace.share.[namespace identifier]</option> to the PID of
1601 the process, e.g. <option>lxc.namespace.share.net=42</option>.
f3c9f122
CB		 1602 </para>
1603
1604 <para>
1605 To inherit the namespace from another container set the
b074bbf1
CB		 1606 <option>lxc.namespace.share.[namespace identifier]</option> to the name of
1607 the container, e.g. <option>lxc.namespace.share.pid=c3</option>.
f3c9f122
CB		 1608 </para>
1609
1610 <para>
1611 To inherit the namespace from another container located in a
1612 different path than the standard liblxc path set the
b074bbf1 1613 <option>lxc.namespace.share.[namespace identifier]</option> to the full
f3c9f122 1614 path to the container, e.g.
b074bbf1 1615 <option>lxc.namespace.share.user=/opt/c3</option>.
f3c9f122
CB		 1616 </para>
1617
1618 <para>
1619 In order to inherit namespaces the caller needs to have sufficient
1620 privilege over the process or container.
1621 </para>
1622
1623 <para>
1624 Note that sharing pid namespaces between system containers will
1625 likely not work with most init systems.
1626 </para>
1627
1628 <para>
1629 Note that if two processes are in different user namespaces and one
1630 process wants to inherit the other's network namespace it usually
1631 needs to inherit the user namespace as well.
1632 </para>
1633 </listitem>
1634 </varlistentry>
1635 </variablelist>
1636 </refsect2>
1637
93f9e90d
WB		 1638 <refsect2>
1639 <title>Resource limits</title>
1640 <para>
1641 The soft and hard resource limits for the container can be changed.
1642 Unprivileged containers can only lower them. Resources which are not
1643 explicitly specified will be inherited.
1644 </para>
1645 <variablelist>
1646 <varlistentry>
1647 <term>
240d4b74 1648 <option>lxc.prlimit.[limit name]</option>
93f9e90d
WB		 1649 </term>
1650 <listitem>
1651 <para>
1652 Specify the resource limit to be set. A limit is specified as two
1653 colon separated values which are either numeric or the word
1654 'unlimited'. A single value can be used as a shortcut to set both
1655 soft and hard limit to the same value. The permitted names the
1656 "RLIMIT_" resource names in lowercase without the "RLIMIT_"
1657 prefix, eg. RLIMIT_NOFILE should be specified as "nofile". See
1658 <citerefentry>
1659 <refentrytitle><command>setrlimit</command></refentrytitle>
1660 <manvolnum>2</manvolnum>
1661 </citerefentry>.
1662 If used with no value, lxc will clear the resource limit
1663 specified up to this point. A resource with no explicitly
1664 configured limitation will be inherited from the process starting
1665 up the container.
1666 </para>
1667 </listitem>
1668 </varlistentry>
1669 </variablelist>
1670 </refsect2>
1671
7edd0540
L		 1672 <refsect2>
1673 <title>Sysctl</title>
1674 <para>
1675 Configure kernel parameters for the container.
1676 </para>
1677 <variablelist>
1678 <varlistentry>
1679 <term>
1680 <option>lxc.sysctl.[kernel parameters name]</option>
1681 </term>
1682 <listitem>
1683 <para>
1684 Specify the kernel parameters to be set. The parameters available
1685 are those listed under /proc/sys/.
e409b214 1686 Note that not all sysctls are namespaced. Changing Non-namespaced
7edd0540
L		 1687 sysctls will cause the system-wide setting to be modified.
1688 <citerefentry>
1689 <refentrytitle><command>sysctl</command></refentrytitle>
1690 <manvolnum>8</manvolnum>
1691 </citerefentry>.
1692 If used with no value, lxc will clear the parameters specified up
1693 to this point.
1694 </para>
1695 </listitem>
1696 </varlistentry>
1697 </variablelist>
1698 </refsect2>
1699
55fc19a1
SG		 1700 <refsect2>
1701 <title>Apparmor profile</title>
1702 <para>
c464fd7e
SG		 1703 If lxc was compiled and installed with apparmor support, and the host
1704 system has apparmor enabled, then the apparmor profile under which the
1705 container should be run can be specified in the container
7a126ae1
SH		 1706 configuration. The default is <command>lxc-container-default-cgns</command>
1707 if the host kernel is cgroup namespace aware, or
69e3b3be 1708 <command>lxc-container-default</command> otherwise.
55fc19a1
SG		 1709 </para>
1710 <variablelist>
c464fd7e
SG		 1711 <varlistentry>
1712 <term>
a1d5fdfd 1713 <option>lxc.apparmor.profile</option>
c464fd7e
SG		 1714 </term>
1715 <listitem>
1716 <para>
1717 Specify the apparmor profile under which the container should
1718 be run. To specify that the container should be unconfined,
1719 use
1720 </para>
a1d5fdfd 1721 <programlisting>lxc.apparmor.profile = unconfined</programlisting>
7a126ae1
SH		 1722 <para>
1723 If the apparmor profile should remain unchanged (i.e. if you
1724 are nesting containers and are already confined), then use
1725 </para>
a1d5fdfd 1726 <programlisting>lxc.apparmor.profile = unchanged</programlisting>
c464fd7e
SG		 1727 </listitem>
1728 </varlistentry>
1729 <varlistentry>
1730 <term>
69e38e00 1731 <option>lxc.apparmor.allow_incomplete</option>
c464fd7e
SG		 1732 </term>
1733 <listitem>
1734 <para>
1735 Apparmor profiles are pathname based. Therefore many file
1736 restrictions require mount restrictions to be effective against
1737 a determined attacker. However, these mount restrictions are not
1738 yet implemented in the upstream kernel. Without the mount
1739 restrictions, the apparmor profiles still protect against accidental
1740 damager.
1741 </para>
1742 <para>
1743 If this flag is 0 (default), then the container will not be
1744 started if the kernel lacks the apparmor mount features, so that a
1745 regression after a kernel upgrade will be detected. To start the
1746 container under partial apparmor protection, set this flag to 1.
1747 </para>
1748 </listitem>
1749 </varlistentry>
55fc19a1
SG		 1750 </variablelist>
1751 </refsect2>
1752
1753 <refsect2>
1754 <title>SELinux context</title>
1755 <para>
c464fd7e
SG		 1756 If lxc was compiled and installed with SELinux support, and the host
1757 system has SELinux enabled, then the SELinux context under which the
1758 container should be run can be specified in the container
1759 configuration. The default is <command>unconfined_t</command>,
1760 which means that lxc will not attempt to change contexts.
1761 See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
1762 information.
55fc19a1
SG		 1763 </para>
1764 <variablelist>
c464fd7e
SG		 1765 <varlistentry>
1766 <term>
b84702ab 1767 <option>lxc.selinux.context</option>
c464fd7e
SG		 1768 </term>
1769 <listitem>
1770 <para>
1771 Specify the SELinux context under which the container should
1772 be run or <command>unconfined_t</command>. For example
1773 </para>
b84702ab 1774 <programlisting>lxc.selinux.context = system_u:system_r:lxc_t:s0:c22</programlisting>
c464fd7e
SG		 1775 </listitem>
1776 </varlistentry>
55fc19a1
SG		 1777 </variablelist>
1778 </refsect2>
1779
1780 <refsect2>
1781 <title>Seccomp configuration</title>
1782 <para>
1783 A container can be started with a reduced set of available
c464fd7e
SG		 1784 system calls by loading a seccomp profile at startup. The
1785 seccomp configuration file must begin with a version number
1786 on the first line, a policy type on the second line, followed
1787 by the configuration.
55fc19a1 1788 </para>
a7c27357
SH		 1789 <para>
1790 Versions 1 and 2 are currently supported. In version 1, the
c464fd7e
SG		 1791 policy is a simple whitelist. The second line therefore must
1792 read "whitelist", with the rest of the file containing one (numeric)
8927207b 1793 syscall number per line. Each syscall number is whitelisted,
c464fd7e 1794 while every unlisted number is blacklisted for use in the container
a7c27357
SH		 1795 </para>
1796
1797 <para>
1798 In version 2, the policy may be blacklist or whitelist,
1799 supports per-rule and per-policy default actions, and supports
1800 per-architecture system call resolution from textual names.
1801 </para>
1802 <para>
1803 An example blacklist policy, in which all system calls are
1804 allowed except for mknod, which will simply do nothing and
1805 return 0 (success), looks like:
1806 </para>
b9986e43
CB		 1807
1808 <programlisting>
1809 2
1810 blacklist
1811 mknod errno 0
1812 </programlisting>
1813
55fc19a1 1814 <variablelist>
c464fd7e
SG		 1815 <varlistentry>
1816 <term>
0b427da0 1817 <option>lxc.seccomp.profile</option>
c464fd7e
SG		 1818 </term>
1819 <listitem>
1820 <para>
1821 Specify a file containing the seccomp configuration to
1822 load before the container starts.
1823 </para>
1824 </listitem>
1825 </varlistentry>
55fc19a1
SG		 1826 </variablelist>
1827 </refsect2>
1828
222ddc91
CB		 1829 <refsect2>
1830 <title>PR_SET_NO_NEW_PRIVS</title>
1831 <para>
1832 With PR_SET_NO_NEW_PRIVS active execve() promises not to grant
1833 privileges to do anything that could not have been done without
1834 the execve() call (for example, rendering the set-user-ID and
1835 set-group-ID mode bits, and file capabilities non-functional).
1836 Once set, this bit cannot be unset. The setting of this bit is
1837 inherited by children created by fork() and clone(), and preserved
1838 across execve().
1839 Note that PR_SET_NO_NEW_PRIVS is applied after the container has
1840 changed into its intended AppArmor profile or SElinux context.
1841 </para>
1842 <variablelist>
1843 <varlistentry>
1844 <term>
1845 <option>lxc.no_new_privs</option>
1846 </term>
1847 <listitem>
1848 <para>
1849 Specify whether the PR_SET_NO_NEW_PRIVS flag should be set for the
1850 container. Set to 1 to activate.
1851 </para>
1852 </listitem>
1853 </varlistentry>
1854 </variablelist>
1855 </refsect2>
1856
55fc19a1
SG		 1857 <refsect2>
1858 <title>UID mappings</title>
1859 <para>
1860 A container can be started in a private user namespace with
c464fd7e
SG		 1861 user and group id mappings. For instance, you can map userid
1862 0 in the container to userid 200000 on the host. The root
1863 user in the container will be privileged in the container,
1864 but unprivileged on the host. Normally a system container
1865 will want a range of ids, so you would map, for instance,
1866 user and group ids 0 through 20,000 in the container to the
1867 ids 200,000 through 220,000.
55fc19a1
SG		 1868 </para>
1869 <variablelist>
c464fd7e
SG		 1870 <varlistentry>
1871 <term>
bdcbb6b3 1872 <option>lxc.idmap</option>
c464fd7e
SG		 1873 </term>
1874 <listitem>
1875 <para>
1876 Four values must be provided. First a character, either
1877 'u', or 'g', to specify whether user or group ids are
1878 being mapped. Next is the first userid as seen in the
1879 user namespace of the container. Next is the userid as
1880 seen on the host. Finally, a range indicating the number
1881 of consecutive ids to map.
1882 </para>
1883 </listitem>
1884 </varlistentry>
55fc19a1
SG		 1885 </variablelist>
1886 </refsect2>
1887
1888 <refsect2>
1889 <title>Container hooks</title>
1890 <para>
1891 Container hooks are programs or scripts which can be executed
c464fd7e 1892 at various times in a container's lifetime.
55fc19a1
SG		 1893 </para>
1894 <para>
44ae0fb6
CB		 1895 When a container hook is executed, additional information is passed
1896 along. The <option>lxc.hook.version</option> argument can be used to
1897 determine if the following arguments are passed as command line
1898 arguments or through environment variables. The arguments are:
c464fd7e
SG		 1899 <itemizedlist>
1900 <listitem><para> Container name. </para></listitem>
1901 <listitem><para> Section (always 'lxc'). </para></listitem>
1902 <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
0a2b5ab1 1903 <listitem><para> Additional arguments. In the
a9145d62
CB		 1904 case of the clone hook, any extra arguments passed will appear as
1905 further arguments to the hook. In the case of the stop hook, paths to
1906 filedescriptors for each of the container's namespaces along with
1907 their types are passed. </para></listitem>
c464fd7e
SG		 1908 </itemizedlist>
1909 The following environment variables are set:
1910 <itemizedlist>
44ae0fb6
CB		 1911 <listitem><para> LXC_CGNS_AWARE: indicator whether the container is
1912 cgroup namespace aware. </para></listitem>
1913 <listitem><para> LXC_CONFIG_FILE: the path to the container
1914 configuration file. </para></listitem>
1915 <listitem><para> LXC_HOOK_TYPE: the hook type (e.g. 'clone', 'mount',
1916 'pre-mount'). Note that the existence of this environment variable is
1917 conditional on the value of <option>lxc.hook.version</option>. If it
1918 is set to 1 then LXC_HOOK_TYPE will be set.
1919 </para></listitem>
1920 <listitem><para> LXC_HOOK_SECTION: the section type (e.g. 'lxc',
1921 'net'). Note that the existence of this environment variable is
1922 conditional on the value of <option>lxc.hook.version</option>. If it
1923 is set to 1 then LXC_HOOK_SECTION will be set.
1924 </para></listitem>
a2c09be0
CB		 1925 <listitem><para> LXC_HOOK_VERSION: the version of the hooks. This
1926 value is identical to the value of the container's
1927 <option>lxc.hook.version</option> config item. If it is set to 0 then
1928 old-style hooks are used. If it is set to 1 then new-style hooks are
1929 used. </para></listitem>
44ae0fb6 1930 <listitem><para> LXC_LOG_LEVEL: the container's log level. </para></listitem>
c464fd7e 1931 <listitem><para> LXC_NAME: is the container's name. </para></listitem>
18b3b9c1
CB		 1932 <listitem><para> LXC_[NAMESPACE IDENTIFIER]_NS: path under
1933 /proc/PID/fd/ to a file descriptor referring to the container's
1934 namespace. For each preserved namespace type there will be a separate
1935 environment variable. These environment variables will only be set if
1936 <option>lxc.hook.version</option> is set to 1. </para></listitem>
c464fd7e 1937 <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
44ae0fb6
CB		 1938 <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry
1939 for the container. Note this is likely not where the mounted rootfs is
1940 to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
1941 <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is
1942 the original container's name. </para></listitem>
c464fd7e 1943 </itemizedlist>
55fc19a1
SG		 1944 </para>
1945 <para>
1946 Standard output from the hooks is logged at debug level.
1947 Standard error is not logged, but can be captured by the
1948 hook redirecting its standard error to standard output.
1949 </para>
1950 <variablelist>
44ae0fb6
CB		 1951 <varlistentry>
1952 <term>
1953 <option>lxc.hook.version</option>
1954 </term>
1955 <listitem>
1956 <para>
1957 To pass the arguments in new style via environment variables set to
1958 1 otherwise set to 0 to pass them as arguments.
1959 This setting affects all hooks arguments that were traditionally
1960 passed as arguments to the script. Specifically, it affects the
1961 container name, section (e.g. 'lxc', 'net') and hook type (e.g.
1962 'clone', 'mount', 'pre-mount') arguments. If new-style hooks are
1963 used then the arguments will be available as environment variables.
1964 The container name will be set in LXC_NAME. (This is set
1965 independently of the value used for this config item.) The section
1966 will be set in LXC_HOOK_SECTION and the hook type will be set in
1967 LXC_HOOK_TYPE.
18b3b9c1
CB		 1968 It also affects how the paths to file descriptors referring to the
1969 container's namespaces are passed. If set to 1 then for each
1970 namespace a separate environment variable LXC_[NAMESPACE
1971 IDENTIFIER]_NS will be set. If set to 0 then the paths will be
1972 passed as arguments to the stop hook.
44ae0fb6
CB		 1973 </para>
1974 </listitem>
1975 </varlistentry>
1976 </variablelist>
1977 <variablelist>
c464fd7e
SG		 1978 <varlistentry>
1979 <term>
1980 <option>lxc.hook.pre-start</option>
1981 </term>
1982 <listitem>
1983 <para>
1984 A hook to be run in the host's namespace before the
1985 container ttys, consoles, or mounts are up.
1986 </para>
1987 </listitem>
1988 </varlistentry>
55fc19a1
SG		 1989 </variablelist>
1990 <variablelist>
c464fd7e
SG		 1991 <varlistentry>
1992 <term>
1993 <option>lxc.hook.pre-mount</option>
1994 </term>
1995 <listitem>
1996 <para>
1997 A hook to be run in the container's fs namespace but before
1998 the rootfs has been set up. This allows for manipulation
1999 of the rootfs, i.e. to mount an encrypted filesystem. Mounts
2000 done in this hook will not be reflected on the host (apart from
2001 mounts propagation), so they will be automatically cleaned up
2002 when the container shuts down.
2003 </para>
2004 </listitem>
2005 </varlistentry>
55fc19a1
SG		 2006 </variablelist>
2007 <variablelist>
c464fd7e
SG		 2008 <varlistentry>
2009 <term>
2010 <option>lxc.hook.mount</option>
2011 </term>
2012 <listitem>
2013 <para>
2014 A hook to be run in the container's namespace after
2015 mounting has been done, but before the pivot_root.
2016 </para>
2017 </listitem>
2018 </varlistentry>
55fc19a1
SG		 2019 </variablelist>
2020 <variablelist>
c464fd7e
SG		 2021 <varlistentry>
2022 <term>
2023 <option>lxc.hook.autodev</option>
2024 </term>
2025 <listitem>
2026 <para>
2027 A hook to be run in the container's namespace after
2028 mounting has been done and after any mount hooks have
2029 run, but before the pivot_root, if
2030 <option>lxc.autodev</option> == 1.
2031 The purpose of this hook is to assist in populating the
2032 /dev directory of the container when using the autodev
2033 option for systemd based containers. The container's /dev
2034 directory is relative to the
2035 ${<option>LXC_ROOTFS_MOUNT</option>} environment
2036 variable available when the hook is run.
2037 </para>
2038 </listitem>
2039 </varlistentry>
55fc19a1 2040 </variablelist>
08dd2805
SH		 2041 <variablelist>
2042 <varlistentry>
2043 <term>
2044 <option>lxc.hook.start-host</option>
2045 </term>
2046 <listitem>
2047 <para>
2048 A hook to be run in the host's namespace after the
2049 container has been setup, and immediately before starting
2050 the container init.
2051 </para>
2052 </listitem>
2053 </varlistentry>
2054 </variablelist>
55fc19a1 2055 <variablelist>
c464fd7e
SG		 2056 <varlistentry>
2057 <term>
2058 <option>lxc.hook.start</option>
2059 </term>
2060 <listitem>
2061 <para>
2062 A hook to be run in the container's namespace immediately
2063 before executing the container's init. This requires the
2064 program to be available in the container.
2065 </para>
2066 </listitem>
2067 </varlistentry>
55fc19a1 2068 </variablelist>
0a2b5ab1
WB		 2069 <variablelist>
2070 <varlistentry>
2071 <term>
2072 <option>lxc.hook.stop</option>
2073 </term>
2074 <listitem>
2075 <para>
2076 A hook to be run in the host's namespace with references
2077 to the container's namespaces after the container has been shut
2078 down. For each namespace an extra argument is passed to the hook
2079 containing the namespace's type and a filename that can be used to
2080 obtain a file descriptor to the corresponding namespace, separated
2081 by a colon. The type is the name as it would appear in the
2082 <filename>/proc/PID/ns</filename> directory.
2083 For instance for the mount namespace the argument usually looks
2084 like <filename>mnt:/proc/PID/fd/12</filename>.
2085 </para>
2086 </listitem>
2087 </varlistentry>
2088 </variablelist>
55fc19a1 2089 <variablelist>
c464fd7e
SG		 2090 <varlistentry>
2091 <term>
2092 <option>lxc.hook.post-stop</option>
2093 </term>
2094 <listitem>
2095 <para>
2096 A hook to be run in the host's namespace after the
2097 container has been shut down.
2098 </para>
2099 </listitem>
2100 </varlistentry>
55fc19a1
SG		 2101 </variablelist>
2102 <variablelist>
c464fd7e
SG		 2103 <varlistentry>
2104 <term>
2105 <option>lxc.hook.clone</option>
2106 </term>
2107 <listitem>
2108 <para>
2109 A hook to be run when the container is cloned to a new one.
2110 See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
2111 <manvolnum>1</manvolnum></citerefentry> for more information.
2112 </para>
2113 </listitem>
2114 </varlistentry>
55fc19a1 2115 </variablelist>
37cf711b
SY		 2116 <variablelist>
2117 <varlistentry>
2118 <term>
2119 <option>lxc.hook.destroy</option>
2120 </term>
2121 <listitem>
2122 <para>
2123 A hook to be run when the container is destroyed.
2124 </para>
2125 </listitem>
2126 </varlistentry>
2127 </variablelist>
55fc19a1
SG		 2128 </refsect2>
2129
2130 <refsect2>
2131 <title>Container hooks Environment Variables</title>
2132 <para>
2133 A number of environment variables are made available to the startup
2134 hooks to provide configuration information and assist in the
2135 functioning of the hooks. Not all variables are valid in all
2136 contexts. In particular, all paths are relative to the host system
2137 and, as such, not valid during the <option>lxc.hook.start</option> hook.
2138 </para>
2139 <variablelist>
c464fd7e
SG		 2140 <varlistentry>
2141 <term>
2142 <option>LXC_NAME</option>
2143 </term>
2144 <listitem>
2145 <para>
2146 The LXC name of the container. Useful for logging messages
2147 in common log environments. [<option>-n</option>]
2148 </para>
2149 </listitem>
2150 </varlistentry>
55fc19a1
SG		 2151 </variablelist>
2152 <variablelist>
c464fd7e
SG		 2153 <varlistentry>
2154 <term>
2155 <option>LXC_CONFIG_FILE</option>
2156 </term>
2157 <listitem>
2158 <para>
2159 Host relative path to the container configuration file. This
2160 gives the container to reference the original, top level,
2161 configuration file for the container in order to locate any
2162 additional configuration information not otherwise made
2163 available. [<option>-f</option>]
2164 </para>
2165 </listitem>
2166 </varlistentry>
55fc19a1
SG		 2167 </variablelist>
2168 <variablelist>
c464fd7e
SG		 2169 <varlistentry>
2170 <term>
2171 <option>LXC_CONSOLE</option>
2172 </term>
2173 <listitem>
2174 <para>
2175 The path to the console output of the container if not NULL.
3aed4934 2176 [<option>-c</option>] [<option>lxc.console.path</option>]
c464fd7e
SG		 2177 </para>
2178 </listitem>
2179 </varlistentry>
55fc19a1
SG		 2180 </variablelist>
2181 <variablelist>
c464fd7e
SG		 2182 <varlistentry>
2183 <term>
2184 <option>LXC_CONSOLE_LOGPATH</option>
2185 </term>
2186 <listitem>
2187 <para>
2188 The path to the console log output of the container if not NULL.
2189 [<option>-L</option>]
2190 </para>
2191 </listitem>
2192 </varlistentry>
55fc19a1
SG		 2193 </variablelist>
2194 <variablelist>
c464fd7e
SG		 2195 <varlistentry>
2196 <term>
2197 <option>LXC_ROOTFS_MOUNT</option>
2198 </term>
2199 <listitem>
2200 <para>
2201 The mount location to which the container is initially bound.
2202 This will be the host relative path to the container rootfs
2203 for the container instance being started and is where changes
2204 should be made for that instance.
2205 [<option>lxc.rootfs.mount</option>]
2206 </para>
2207 </listitem>
2208 </varlistentry>
55fc19a1
SG		 2209 </variablelist>
2210 <variablelist>
c464fd7e
SG		 2211 <varlistentry>
2212 <term>
2213 <option>LXC_ROOTFS_PATH</option>
2214 </term>
2215 <listitem>
2216 <para>
2217 The host relative path to the container root which has been
2218 mounted to the rootfs.mount location.
7a96a068 2219 [<option>lxc.rootfs.path</option>]
c464fd7e
SG		 2220 </para>
2221 </listitem>
2222 </varlistentry>
55fc19a1 2223 </variablelist>
07945418
KY		 2224 <variablelist>
2225 <varlistentry>
2226 <term>
2227 <option>LXC_SRC_NAME</option>
2228 </term>
2229 <listitem>
2230 <para>
2231 Only for the clone hook. Is set to the original container name.
2232 </para>
2233 </listitem>
2234 </varlistentry>
2235 </variablelist>
c154af98
SG		 2236 <variablelist>
2237 <varlistentry>
2238 <term>
2239 <option>LXC_TARGET</option>
2240 </term>
2241 <listitem>
2242 <para>
2243 Only for the stop hook. Is set to "stop" for a container
2244 shutdown or "reboot" for a container reboot.
2245 </para>
2246 </listitem>
2247 </varlistentry>
c4cafa08
SH		 2248 </variablelist>
2249 <variablelist>
2250 <varlistentry>
2251 <term>
2252 <option>LXC_CGNS_AWARE</option>
2253 </term>
2254 <listitem>
2255 <para>
2256 If unset, then this version of lxc is not aware of cgroup
2257 namespaces. If set, it will be set to 1, and lxc is aware
2258 of cgroup namespaces. Note this does not guarantee that
2259 cgroup namespaces are enabled in the kernel. This is used
2260 by the lxcfs mount hook.
2261 </para>
2262 </listitem>
2263 </varlistentry>
c154af98 2264 </variablelist>
55fc19a1
SG		 2265 </refsect2>
2266 <refsect2>
2267 <title>Logging</title>
2268 <para>
2269 Logging can be configured on a per-container basis. By default,
2270 depending upon how the lxc package was compiled, container startup
2271 is logged only at the ERROR level, and logged to a file named after
2272 the container (with '.log' appended) either under the container path,
2273 or under @LOGPATH@.
2274 </para>
2275 <para>
2276 Both the default log level and the log file can be specified in the
2277 container configuration file, overriding the default behavior. Note
2278 that the configuration file entries can in turn be overridden by the
2279 command line options to <command>lxc-start</command>.
2280 </para>
2281 <variablelist>
c464fd7e
SG		 2282 <varlistentry>
2283 <term>
46cc906d 2284 <option>lxc.log.level</option>
c464fd7e
SG		 2285 </term>
2286 <listitem>
2287 <para>
2288 The level at which to log. The log level is an integer in
2289 the range of 0..8 inclusive, where a lower number means more
2290 verbose debugging. In particular 0 = trace, 1 = debug, 2 =
2291 info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
2292 alert, and 8 = fatal. If unspecified, the level defaults
2293 to 5 (error), so that only errors and above are logged.
2294 </para>
2295 <para>
2296 Note that when a script (such as either a hook script or a
2297 network interface up or down script) is called, the script's
2298 standard output is logged at level 1, debug.
2299 </para>
2300 </listitem>
2301 </varlistentry>
2302 <varlistentry>
2303 <term>
5757588f 2304 <option>lxc.log.file</option>
c464fd7e
SG		 2305 </term>
2306 <listitem>
2307 <para>
2308 The file to which logging info should be written.
2309 </para>
2310 </listitem>
2311 </varlistentry>
204dfdf2
BD		 2312 <varlistentry>
2313 <term>
46cc906d 2314 <option>lxc.log.syslog</option>
204dfdf2
BD		 2315 </term>
2316 <listitem>
2317 <para>
2318 Send logging info to syslog. It respects the log level defined in
46cc906d 2319 <command>lxc.log.level</command>. The argument should be the syslog
204dfdf2 2320 facility to use, valid ones are: daemon, local0, local1, local2,
917420dd 2321 local3, local4, local5, local5, local6, local7.
204dfdf2
BD		 2322 </para>
2323 </listitem>
2324 </varlistentry>
55fc19a1
SG		 2325 </variablelist>
2326 </refsect2>
2327
2328 <refsect2>
2329 <title>Autostart</title>
2330 <para>
2331 The autostart options support marking which containers should be
2332 auto-started and in what order. These options may be used by LXC tools
2333 directly or by external tooling provided by the distributions.
2334 </para>
2335
2336 <variablelist>
2337 <varlistentry>
2338 <term>
2339 <option>lxc.start.auto</option>
2340 </term>
2341 <listitem>
2342 <para>
2343 Whether the container should be auto-started.
2344 Valid values are 0 (off) and 1 (on).
2345 </para>
2346 </listitem>
2347 </varlistentry>
2348 <varlistentry>
2349 <term>
2350 <option>lxc.start.delay</option>
2351 </term>
2352 <listitem>
2353 <para>
2354 How long to wait (in seconds) after the container is
2355 started before starting the next one.
2356 </para>
2357 </listitem>
2358 </varlistentry>
2359 <varlistentry>
2360 <term>
2361 <option>lxc.start.order</option>
2362 </term>
2363 <listitem>
2364 <para>
2365 An integer used to sort the containers when auto-starting
2366 a series of containers at once.
2367 </para>
2368 </listitem>
2369 </varlistentry>
a8dfe4e0
WB		 2370 <varlistentry>
2371 <term>
2372 <option>lxc.monitor.unshare</option>
2373 </term>
2374 <listitem>
2375 <para>
2376 If not zero the mount namespace will be unshared from the host
2377 before initializing the container (before running any pre-start
6039eaa2
WB		 2378 hooks). This requires the CAP_SYS_ADMIN capability at startup.
2379 Default is 0.
a8dfe4e0
WB		 2380 </para>
2381 </listitem>
2382 </varlistentry>
258f8051
CB		 2383 <varlistentry>
2384 <term>
2385 <option>lxc.monitor.signal.pdeath</option>
2386 </term>
2387 <listitem>
2388 <para>
2389 Set the signal to be sent to the container's init when the lxc
2390 monitor exits. By default it is set to SIGKILL which will cause
2391 all container processes to be killed when the lxc monitor process
2392 dies.
2393 To ensure that containers stay alive even if lxc monitor dies set
2394 this to 0.
2395 </para>
2396 </listitem>
2397 </varlistentry>
55fc19a1
SG		 2398 <varlistentry>
2399 <term>
2400 <option>lxc.group</option>
2401 </term>
2402 <listitem>
2403 <para>
2404 A multi-value key (can be used multiple times) to put the
2405 container in a container group. Those groups can then be
2406 used (amongst other things) to start a series of related
2407 containers.
2408 </para>
2409 </listitem>
2410 </varlistentry>
2411 </variablelist>
2412 </refsect2>
015f0dd7
MW		 2413
2414 <refsect2>
2415 <title>Autostart and System Boot</title>
2416 <para>
2417 Each container can be part of any number of groups or no group at all.
2418 Two groups are special. One is the NULL group, i.e. the container does
2419 not belong to any group. The other group is the "onboot" group.
2420 </para>
2421
2422 <para>
2423 When the system boots with the LXC service enabled, it will first
2424 attempt to boot any containers with lxc.start.auto == 1 that is a member
2425 of the "onboot" group. The startup will be in order of lxc.start.order.
2426 If an lxc.start.delay has been specified, that delay will be honored
2427 before attempting to start the next container to give the current
2428 container time to begin initialization and reduce overloading the host
2429 system. After starting the members of the "onboot" group, the LXC system
2430 will proceed to boot containers with lxc.start.auto == 1 which are not
2431 members of any group (the NULL group) and proceed as with the onboot
2432 group.
2433 </para>
2434
2435 </refsect2>
7c661726
MP		 2436
2437 <refsect2>
2438 <title>Container Environment</title>
2439 <para>
c464fd7e
SG		 2440 If you want to pass environment variables into the container (that
2441 is, environment variables which will be available to init and all of
2442 its descendents), you can use <command>lxc.environment</command>
2443 parameters to do so. Be careful that you do not pass in anything
2444 sensitive; any process in the container which doesn't have its
2445 environment scrubbed will have these variables available to it, and
2446 environment variables are always available via
2447 <command>/proc/PID/environ</command>.
7c661726
MP		 2448 </para>
2449
2450 <para>
2451 This configuration parameter can be specified multiple times; once
2452 for each environment variable you wish to configure.
2453 </para>
2454
2455 <variablelist>
c464fd7e
SG		 2456 <varlistentry>
2457 <term>
2458 <option>lxc.environment</option>
2459 </term>
2460 <listitem>
2461 <para>
2462 Specify an environment variable to pass into the container.
2463 Example:
2464 </para>
2465 <programlisting>
2466 lxc.environment = APP_ENV=production
2467 lxc.environment = SYSLOG_SERVER=192.0.2.42
2468 </programlisting>
5eab47bc
CB		 2469 <para>
2470 It is possible to inherit host environment variables by setting the
2471 name of the variable without a "=" sign. For example:
2472 </para>
2473 <programlisting>
2474 lxc.environment = PATH
2475 </programlisting>
c464fd7e
SG		 2476 </listitem>
2477 </varlistentry>
7c661726
MP		 2478 </variablelist>
2479 </refsect2>
2480
55fc19a1
SG		 2481 </refsect1>
2482
2483 <refsect1>
2484 <title>Examples</title>
2485 <para>
c464fd7e
SG		 2486 In addition to the few examples given below, you will find
2487 some other examples of configuration file in @DOCDIR@/examples
55fc19a1
SG		 2488 </para>
2489 <refsect2>
2490 <title>Network</title>
2491 <para>This configuration sets up a container to use a veth pair
c464fd7e
SG		 2492 device with one side plugged to a bridge br0 (which has been
2493 configured before on the system by the administrator). The
2494 virtual network device visible in the container is renamed to
2495 eth0.</para>
55fc19a1 2496 <programlisting>
b67771bc 2497 lxc.uts.name = myhostname
7fa3f2e9 2498 lxc.net.0.type = veth
2499 lxc.net.0.flags = up
2500 lxc.net.0.link = br0
2501 lxc.net.0.name = eth0
2502 lxc.net.0.hwaddr = 4a:49:43:49:79:bf
9ff60df2 2503 lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
2e44ae28 2504 lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
55fc19a1
SG		 2505 </programlisting>
2506 </refsect2>
2507
2508 <refsect2>
2509 <title>UID/GID mapping</title>
2510 <para>This configuration will map both user and group ids in the
2511 range 0-9999 in the container to the ids 100000-109999 on the host.
2512 </para>
2513 <programlisting>
bdcbb6b3
CB		 2514 lxc.idmap = u 0 100000 10000
2515 lxc.idmap = g 0 100000 10000
55fc19a1
SG		 2516 </programlisting>
2517 </refsect2>
2518
2519 <refsect2>
2520 <title>Control group</title>
2521 <para>This configuration will setup several control groups for
2522 the application, cpuset.cpus restricts usage of the defined cpu,
2523 cpus.share prioritize the control group, devices.allow makes
2524 usable the specified devices.</para>
2525 <programlisting>
c464fd7e
SG		 2526 lxc.cgroup.cpuset.cpus = 0,1
2527 lxc.cgroup.cpu.shares = 1234
2528 lxc.cgroup.devices.deny = a
2529 lxc.cgroup.devices.allow = c 1:3 rw
2530 lxc.cgroup.devices.allow = b 8:0 rw
55fc19a1
SG		 2531 </programlisting>
2532 </refsect2>
2533
2534 <refsect2>
2535 <title>Complex configuration</title>
2536 <para>This example show a complex configuration making a complex
2537 network stack, using the control groups, setting a new hostname,
2538 mounting some locations and a changing root file system.</para>
2539 <programlisting>
b67771bc 2540 lxc.uts.name = complex
7fa3f2e9 2541 lxc.net.0.type = veth
2542 lxc.net.0.flags = up
2543 lxc.net.0.link = br0
2544 lxc.net.0.hwaddr = 4a:49:43:49:79:bf
9ff60df2 2545 lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
2e44ae28
CB		 2546 lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
2547 lxc.net.0.ipv6.address = 2003:db8:1:0:214:5432:feab:3588
7fa3f2e9 2548 lxc.net.1.type = macvlan
2549 lxc.net.1.flags = up
2550 lxc.net.1.link = eth0
2551 lxc.net.1.hwaddr = 4a:49:43:49:79:bd
9ff60df2
CB		 2552 lxc.net.1.ipv4.address = 10.2.3.4/24
2553 lxc.net.1.ipv4.address = 192.168.10.125/24
2e44ae28 2554 lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
7fa3f2e9 2555 lxc.net.2.type = phys
2556 lxc.net.2.flags = up
2557 lxc.net.2.link = dummy0
2558 lxc.net.2.hwaddr = 4a:49:43:49:79:ff
9ff60df2 2559 lxc.net.2.ipv4.address = 10.2.3.6/24
2e44ae28 2560 lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297
c464fd7e
SG		 2561 lxc.cgroup.cpuset.cpus = 0,1
2562 lxc.cgroup.cpu.shares = 1234
2563 lxc.cgroup.devices.deny = a
2564 lxc.cgroup.devices.allow = c 1:3 rw
2565 lxc.cgroup.devices.allow = b 8:0 rw
47148e96 2566 lxc.mount.fstab = /etc/fstab.complex
c464fd7e 2567 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
7a96a068 2568 lxc.rootfs.path = dir:/mnt/rootfs.complex
c464fd7e
SG		 2569 lxc.cap.drop = sys_module mknod setuid net_raw
2570 lxc.cap.drop = mac_override
55fc19a1
SG		 2571 </programlisting>
2572 </refsect2>
2573
2574 </refsect1>
2575
2576 <refsect1>
2577 <title>See Also</title>
2578 <simpara>
2579 <citerefentry>
c464fd7e
SG		 2580 <refentrytitle><command>chroot</command></refentrytitle>
2581 <manvolnum>1</manvolnum>
55fc19a1
SG		 2582 </citerefentry>,
2583
2584 <citerefentry>
c464fd7e
SG		 2585 <refentrytitle><command>pivot_root</command></refentrytitle>
2586 <manvolnum>8</manvolnum>
55fc19a1
SG		 2587 </citerefentry>,
2588
2589 <citerefentry>
c464fd7e
SG		 2590 <refentrytitle><filename>fstab</filename></refentrytitle>
2591 <manvolnum>5</manvolnum>
55fc19a1
SG		 2592 </citerefentry>,
2593
2594 <citerefentry>
c464fd7e
SG		 2595 <refentrytitle><filename>capabilities</filename></refentrytitle>
2596 <manvolnum>7</manvolnum>
55fc19a1
SG		 2597 </citerefentry>
2598 </simpara>
2599 </refsect1>
2600
2601 &seealso;
2602
2603 <refsect1>
2604 <title>Author</title>
2605 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
2606 </refsect1>
2607
2608</refentry>
2609
2610<!-- Keep this comment at the end of the file
2611Local variables:
2612mode: sgml
2613sgml-omittag:t
2614sgml-shorttag:t
2615sgml-minimize-attributes:nil
2616sgml-always-quote-attributes:t
2617sgml-indent-step:2
2618sgml-indent-data:t
2619sgml-parent-document:nil
2620sgml-default-dtd-file:nil
2621sgml-exposed-tags:nil
2622sgml-local-catalogs:nil
2623sgml-local-ecat-files:nil
2624End:
2625-->
LXC mirror