3 lxc: linux Container library
5 (C) Copyright IBM Corp. 2007, 2008
8 Daniel Lezcano <daniel.lezcano at free.fr>
10 This library is free software; you can redistribute it and/or
11 modify it under the terms of the GNU Lesser General Public
12 License as published by the Free Software Foundation; either
13 version 2.1 of the License, or (at your option) any later version.
15 This library is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public
21 License along with this library; if not, write to the Free Software
22 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
27 <!DOCTYPE refentry PUBLIC @docdtd@ [
29 <!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
30 <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
35 <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
38 <refentrytitle>lxc-attach</refentrytitle>
39 <manvolnum>1</manvolnum>
43 <refname>lxc-attach</refname>
46 start a process inside a running container.
52 <command>lxc-attach</command>
53 <arg choice="req">-n, --name <replaceable>name</replaceable></arg>
54 <arg choice="opt">-f, --rcfile <replaceable>config_file</replaceable></arg>
55 <arg choice="opt">-a, --arch <replaceable>arch</replaceable></arg>
56 <arg choice="opt">-e, --elevated-privileges <replaceable>privileges</replaceable></arg>
57 <arg choice="opt">-s, --namespaces <replaceable>namespaces</replaceable></arg>
58 <arg choice="opt">-R, --remount-sys-proc</arg>
59 <arg choice="opt">--keep-env</arg>
60 <arg choice="opt">--clear-env</arg>
61 <arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>
62 <arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>
63 <arg choice="opt">-u, --uid <replaceable>uid</replaceable></arg>
64 <arg choice="opt">-g, --gid <replaceable>gid</replaceable></arg>
65 <arg choice="opt">-- <replaceable>command</replaceable></arg>
70 <title>Description</title>
73 <command>lxc-attach</command> runs the specified
74 <replaceable>command</replaceable> inside the container
75 specified by <replaceable>name</replaceable>. The container
76 has to be running already.
79 If no <replaceable>command</replaceable> is specified, the
80 current default shell of the user running
81 <command>lxc-attach</command> will be looked up inside the
82 container and executed. This will fail if no such user exists
83 inside the container or the container does not have a working
87 Previous versions of <command>lxc-attach</command> simply attached to the
88 specified namespaces of a container and ran a shell or the specified command
89 without first allocating a pseudo terminal. This made them vulnerable to
90 input faking via a TIOCSTI <command>ioctl</command> call after switching
91 between userspace execution contexts with different privilege levels. Newer
92 versions of <command>lxc-attach</command> will try to allocate a pseudo
93 terminal file descriptor pair on the host and attach any standard file
94 descriptors which refer to a terminal to the container side of the pseudo
95 terminal before executing a shell or command. Note, that if none of the
96 standard file descriptors refer to a terminal <command>lxc-attach</command>
97 will not try to allocate a pseudo terminal. Instead it will simply attach
98 to the containers namespaces and run a shell or the specified command.
105 <title>Options</title>
111 <option>-f, --rcfile <replaceable>config_file</replaceable></option>
115 Specify the configuration file to configure the virtualization
116 and isolation functionalities for the container.
119 This configuration file if present will be used even if there is
120 already a configuration file present in the previously created
121 container (via lxc-create).
128 <option>-a, --arch <replaceable>arch</replaceable></option>
132 Specify the architecture which the kernel should appear to be
133 running as to the command executed. This option will accept the
134 same settings as the <option>lxc.arch</option> option in
135 container configuration files, see
137 <refentrytitle><filename>lxc.conf</filename></refentrytitle>
138 <manvolnum>5</manvolnum>
139 </citerefentry>. By default, the current architecture of the
140 running container will be used.
148 -e, --elevated-privileges <replaceable>privileges</replaceable>
153 Do not drop privileges when running
154 <replaceable>command</replaceable> inside the container. If
155 this option is specified, the new process will
156 <emphasis>not</emphasis> be added to the container's cgroup(s)
157 and it will not drop its capabilities before executing.
160 You may specify privileges, in case you do not want to elevate all of
161 them, as a pipe-separated list, e.g.
162 <replaceable>CGROUP|LSM</replaceable>. Allowed values are
163 <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
164 <replaceable>LSM</replaceable> representing cgroup, capabilities and
165 restriction privileges respectively. (The pipe symbol needs to be escaped,
166 e.g. <replaceable>CGROUP\|LSM</replaceable> or quoted, e.g.
167 <replaceable>"CGROUP|LSM"</replaceable>.)
170 <emphasis>Warning:</emphasis> This may leak privileges into the
171 container if the command starts subprocesses that remain active
172 after the main process that was attached is terminated. The
173 (re-)starting of daemons inside the container is problematic,
174 especially if the daemon starts a lot of subprocesses such as
175 <command>cron</command> or <command>sshd</command>.
176 <emphasis>Use with great care.</emphasis>
183 <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
187 Specify the namespaces to attach to, as a pipe-separated list,
188 e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
189 <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
190 <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
191 <replaceable>USER </replaceable> and
192 <replaceable>NETWORK</replaceable>. This allows one to change
193 the context of the process to e.g. the network namespace of the
194 container while retaining the other namespaces as those of the
195 host. (The pipe symbol needs to be escaped, e.g.
196 <replaceable>MOUNT\|PID</replaceable> or quoted, e.g.
197 <replaceable>"MOUNT|PID"</replaceable>.)
200 <emphasis>Important:</emphasis> This option implies
208 <option>-R, --remount-sys-proc</option>
212 When using <option>-s</option> and the mount namespace is not
213 included, this flag will cause <command>lxc-attach</command>
214 to remount <replaceable>/proc</replaceable> and
215 <replaceable>/sys</replaceable> to reflect the current other
219 Please see the <emphasis>Notes</emphasis> section for more
223 This option will be ignored if one tries to attach to the
224 mount namespace anyway.
231 <option>--keep-env</option>
235 Keep the current environment for attached programs. This is
236 the current default behaviour (as of version 0.9), but is
237 is likely to change in the future, since this may leak
238 undesirable information into the container. If you rely on
239 the environment being available for the attached program,
240 please use this option to be future-proof. In addition to
241 current environment variables, container=lxc will be set.
248 <option>--clear-env</option>
252 Clear the environment before attaching, so no undesired
253 environment variables leak into the container. The variable
254 container=lxc will be the only environment with which the
255 attached program starts.
262 <option>-v, --set-var <replaceable>variable</replaceable></option>
266 Set an additional environment variable that is seen by the
267 attached program in the container. It is specified in the
268 form of "VAR=VALUE", and can be specified multiple times.
275 <option>--keep-var <replaceable>variable</replaceable></option>
279 Keep a specified environment variable. It can only be
280 specified in conjunction
281 with <replaceable>--clear-env</replaceable>, and can be
282 specified multiple times.
289 <option>--u, --uid <replaceable>uid</replaceable></option>
293 Executes the <replaceable>command</replaceable> with user ID
294 <replaceable>uid</replaceable> inside the container.
301 <option>--g, --gid <replaceable>gid</replaceable></option>
305 Executes the <replaceable>command</replaceable> with group ID
306 <replaceable>gid</replaceable> inside the container.
318 <title>Examples</title>
320 To spawn a new shell running inside an existing container, use
322 lxc-attach -n container
326 To restart the cron service of a running Debian container, use
328 lxc-attach -n container -- /etc/init.d/cron restart
332 To deactivate the network link eth1 of a running container that
333 does not have the NET_ADMIN capability, use either the
334 <option>-e</option> option to use increased capabilities,
335 assuming the <command>ip</command> tool is installed:
337 lxc-attach -n container -e -- /sbin/ip link delete eth1
339 Or, alternatively, use the <option>-s</option> to use the
340 tools installed on the host outside the container:
342 lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
348 <title>Compatibility</title>
350 Attaching completely (including the pid and mount namespaces) to a
351 container requires a kernel of version 3.8 or higher, or a
352 patched kernel, please see the lxc website for
353 details. <command>lxc-attach</command> will fail in that case if
354 used with an unpatched kernel of version 3.7 and prior.
357 Nevertheless, it will succeed on an unpatched kernel of version 3.0
358 or higher if the <option>-s</option> option is used to restrict the
359 namespaces that the process is to be attached to to one or more of
360 <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
361 and <replaceable>UTSNAME</replaceable>.
364 Attaching to user namespaces is supported by kernel 3.8 or higher
365 with enabling user namespace.
372 The Linux <replaceable>/proc</replaceable> and
373 <replaceable>/sys</replaceable> filesystems contain information
374 about some quantities that are affected by namespaces, such as
375 the directories named after process ids in
376 <replaceable>/proc</replaceable> or the network interface information
377 in <replaceable>/sys/class/net</replaceable>. The namespace of the
378 process mounting the pseudo-filesystems determines what information
379 is shown, <emphasis>not</emphasis> the namespace of the process
380 accessing <replaceable>/proc</replaceable> or
381 <replaceable>/sys</replaceable>.
384 If one uses the <option>-s</option> option to only attach to
385 the pid namespace of a container, but not its mount namespace
386 (which will contain the <replaceable>/proc</replaceable> of the
387 container and not the host), the contents of <option>/proc</option>
388 will reflect that of the host and not the container. Analogously,
389 the same issue occurs when reading the contents of
390 <replaceable>/sys/class/net</replaceable> and attaching to just
391 the network namespace.
394 To work around this problem, the <option>-R</option> flag provides
395 the option to remount <replaceable>/proc</replaceable> and
396 <replaceable>/sys</replaceable> in order for them to reflect the
397 network/pid namespace context of the attached process. In order
398 not to interfere with the host's actual filesystem, the mount
399 namespace will be unshared (like <command>lxc-unshare</command>
400 does) before this is done, essentially giving the process a new
401 mount namespace, which is identical to the hosts's mount namespace
402 except for the <replaceable>/proc</replaceable> and
403 <replaceable>/sys</replaceable> filesystems.
406 Previous versions of <command>lxc-attach</command> suffered a bug whereby
407 a user could attach to a containers namespace without being placed in a
408 writeable cgroup for some critical subsystems. Newer versions of
409 <command>lxc-attach</command> will check whether a user is in a writeable
410 cgroup for those critical subsystems. <command>lxc-attach</command> might
411 thus fail unexpectedly for some users (E.g. on systems where an
412 unprivileged user is not placed in a writeable cgroup in critical
413 subsystems on login.). However, this behavior is correct and more secure.
418 <title>Security</title>
420 The <option>-e</option> and <option>-s</option> options should
421 be used with care, as it may break the isolation of the containers
429 <title>Author</title>
430 <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
435 <!-- Keep this comment at the end of the file
440 sgml-minimize-attributes:nil
441 sgml-always-quote-attributes:t
444 sgml-parent-document:nil
445 sgml-default-dtd-file:nil
446 sgml-exposed-tags:nil
447 sgml-local-catalogs:nil
448 sgml-local-ecat-files:nil
projects / mirror_lxc.git / blob