doc/lxc-attach.sgml.in

   1 <!--
   2
   3 lxc: linux Container library
   4
   5 (C) Copyright IBM Corp. 2007, 2008
   6
   7 Authors:
   8 Daniel Lezcano <daniel.lezcano at free.fr>
   9
  10 This library is free software; you can redistribute it and/or
  11 modify it under the terms of the GNU Lesser General Public
  12 License as published by the Free Software Foundation; either
  13 version 2.1 of the License, or (at your option) any later version.
  14
  15 This library is distributed in the hope that it will be useful,
  16 but WITHOUT ANY WARRANTY; without even the implied warranty of
  17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  18 Lesser General Public License for more details.
  19
  20 You should have received a copy of the GNU Lesser General Public
  21 License along with this library; if not, write to the Free Software
  22 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  23
  24 -->
  25
  26
  27 <!DOCTYPE refentry PUBLIC @docdtd@ [
  28
  29 <!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
  30 <!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
  31 ]>
  32
  33 <refentry>
  34
  35   <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
  36
  37   <refmeta>
  38     <refentrytitle>lxc-attach</refentrytitle>
  39     <manvolnum>1</manvolnum>
  40   </refmeta>
  41
  42   <refnamediv>
  43     <refname>lxc-attach</refname>
  44
  45     <refpurpose>
  46       start a process inside a running container.
  47     </refpurpose>
  48   </refnamediv>
  49
  50   <refsynopsisdiv>
  51     <cmdsynopsis>
  52       <command>lxc-attach</command>
  53       <arg choice="req">-n, --name <replaceable>name</replaceable></arg>
  54       <arg choice="opt">-f, --rcfile <replaceable>config_file</replaceable></arg>
  55       <arg choice="opt">-a, --arch <replaceable>arch</replaceable></arg>
  56       <arg choice="opt">-e, --elevated-privileges <replaceable>privileges</replaceable></arg>
  57       <arg choice="opt">-s, --namespaces <replaceable>namespaces</replaceable></arg>
  58       <arg choice="opt">-R, --remount-sys-proc</arg>
  59       <arg choice="opt">--keep-env</arg>
  60       <arg choice="opt">--clear-env</arg>
  61       <arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>
  62       <arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>
  63       <arg choice="opt">-- <replaceable>command</replaceable></arg>
  64     </cmdsynopsis>
  65   </refsynopsisdiv>
  66
  67   <refsect1>
  68     <title>Description</title>
  69
  70     <para>
  71       <command>lxc-attach</command> runs the specified
  72       <replaceable>command</replaceable> inside the container
  73       specified by <replaceable>name</replaceable>. The container
  74       has to be running already.
  75     </para>
  76     <para>
  77       If no <replaceable>command</replaceable> is specified, the
  78       current default shell of the user running
  79       <command>lxc-attach</command> will be looked up inside the
  80       container and executed. This will fail if no such user exists
  81       inside the container or the container does not have a working
  82       nsswitch mechanism.
  83     </para>
  84     <para>
  85     Previous versions of <command>lxc-attach</command> simply attached to the
  86     specified namespaces of a container and ran a shell or the specified command
  87     without first allocating a pseudo terminal. This made them vulnerable to
  88     input faking via a TIOCSTI <command>ioctl</command> call after switching
  89     between userspace execution contexts with different privilege levels. Newer
  90     versions of <command>lxc-attach</command> will try to allocate a pseudo
  91     terminal master/slave pair on the host and attach any standard file
  92     descriptors which refer to a terminal to the slave side of the pseudo
  93     terminal before executing a shell or command. Note, that if none of the
  94     standard file descriptors refer to a terminal <command>lxc-attach</command>
  95     will not try to allocate a pseudo terminal. Instead it will simply attach
  96     to the containers namespaces and run a shell or the specified command.
  97     </para>
  98
  99   </refsect1>
 100
 101   <refsect1>
 102
 103     <title>Options</title>
 104
 105     <variablelist>
 106
 107       <varlistentry>
 108         <term>
 109           <option>-f, --rcfile <replaceable>config_file</replaceable></option>
 110         </term>
 111         <listitem>
 112           <para>
 113             Specify the configuration file to configure the virtualization
 114             and isolation functionalities for the container.
 115           </para>
 116           <para>
 117            This configuration file if present will be used even if there is
 118            already a configuration file present in the previously created
 119            container (via lxc-create).
 120           </para>
 121         </listitem>
 122       </varlistentry>
 123
 124       <varlistentry>
 125         <term>
 126           <option>-a, --arch <replaceable>arch</replaceable></option>
 127         </term>
 128         <listitem>
 129           <para>
 130             Specify the architecture which the kernel should appear to be
 131             running as to the command executed. This option will accept the
 132             same settings as the <option>lxc.arch</option> option in
 133             container configuration files, see
 134             <citerefentry>
 135               <refentrytitle><filename>lxc.conf</filename></refentrytitle>
 136               <manvolnum>5</manvolnum>
 137             </citerefentry>. By default, the current archictecture of the
 138             running container will be used.
 139           </para>
 140         </listitem>
 141       </varlistentry>
 142
 143       <varlistentry>
 144         <term>
 145           <option>
 146       -e, --elevated-privileges <replaceable>privileges</replaceable>
 147     </option>
 148         </term>
 149         <listitem>
 150           <para>
 151             Do not drop privileges when running
 152             <replaceable>command</replaceable> inside the container. If
 153             this option is specified, the new process will
 154             <emphasis>not</emphasis> be added to the container's cgroup(s)
 155             and it will not drop its capabilities before executing.
 156           </para>
 157     <para>
 158       You may specify privileges, in case you do not want to elevate all of
 159       them, as a pipe-separated list, e.g.
 160       <replaceable>CGROUP|LSM</replaceable>. Allowed values are
 161       <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
 162       <replaceable>LSM</replaceable> representing cgroup, capabilities and
 163       restriction privileges respectively. (The pipe symbol needs to be escaped,
 164       e.g. <replaceable>CGROUP\|LSM</replaceable> or quoted, e.g.
 165       <replaceable>"CGROUP|LSM"</replaceable>.)
 166     </para>
 167           <para>
 168             <emphasis>Warning:</emphasis> This may leak privileges into the
 169             container if the command starts subprocesses that remain active
 170             after the main process that was attached is terminated. The
 171             (re-)starting of daemons inside the container is problematic,
 172             especially if the daemon starts a lot of subprocesses such as
 173             <command>cron</command> or <command>sshd</command>.
 174             <emphasis>Use with great care.</emphasis>
 175           </para>
 176         </listitem>
 177       </varlistentry>
 178
 179       <varlistentry>
 180         <term>
 181           <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
 182         </term>
 183         <listitem>
 184           <para>
 185             Specify the namespaces to attach to, as a pipe-separated list,
 186             e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
 187             <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
 188             <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
 189             <replaceable>USER </replaceable> and
 190             <replaceable>NETWORK</replaceable>. This allows one to change
 191             the context of the process to e.g. the network namespace of the
 192             container while retaining the other namespaces as those of the
 193             host. (The pipe symbol needs to be escaped, e.g.
 194             <replaceable>MOUNT\|PID</replaceable> or quoted, e.g.
 195             <replaceable>"MOUNT|PID"</replaceable>.)
 196           </para>
 197           <para>
 198             <emphasis>Important:</emphasis> This option implies
 199             <option>-e</option>.
 200           </para>
 201         </listitem>
 202       </varlistentry>
 203
 204       <varlistentry>
 205         <term>
 206           <option>-R, --remount-sys-proc</option>
 207         </term>
 208         <listitem>
 209           <para>
 210             When using <option>-s</option> and the mount namespace is not
 211             included, this flag will cause <command>lxc-attach</command>
 212             to remount <replaceable>/proc</replaceable> and
 213             <replaceable>/sys</replaceable> to reflect the current other
 214             namespace contexts.
 215           </para>
 216           <para>
 217             Please see the <emphasis>Notes</emphasis> section for more
 218             details.
 219           </para>
 220           <para>
 221             This option will be ignored if one tries to attach to the
 222             mount namespace anyway.
 223           </para>
 224         </listitem>
 225       </varlistentry>
 226
 227       <varlistentry>
 228         <term>
 229           <option>--keep-env</option>
 230         </term>
 231         <listitem>
 232           <para>
 233             Keep the current environment for attached programs. This is
 234             the current default behaviour (as of version 0.9), but is
 235             is likely to change in the future, since this may leak
 236             undesirable information into the container. If you rely on
 237             the environment being available for the attached program,
 238             please use this option to be future-proof. In addition to
 239             current environment variables, container=lxc will be set.
 240           </para>
 241         </listitem>
 242       </varlistentry>
 243
 244       <varlistentry>
 245         <term>
 246           <option>--clear-env</option>
 247         </term>
 248         <listitem>
 249           <para>
 250             Clear the environment before attaching, so no undesired
 251             environment variables leak into the container. The variable
 252             container=lxc will be the only environment with which the
 253             attached program starts.
 254           </para>
 255         </listitem>
 256       </varlistentry>
 257
 258       <varlistentry>
 259         <term>
 260           <option>-v, --set-var <replaceable>variable</replaceable></option>
 261         </term>
 262         <listitem>
 263           <para>
 264             Set an additional environment variable that is seen by the
 265             attached program in the container. It is specified in the
 266             form of "VAR=VALUE", and can be specified multiple times.
 267           </para>
 268         </listitem>
 269       </varlistentry>
 270
 271       <varlistentry>
 272         <term>
 273           <option>--keep-var <replaceable>variable</replaceable></option>
 274         </term>
 275         <listitem>
 276           <para>
 277             Keep a specified environment variable. It can only be
 278             specified in conjunction
 279             with <replaceable>--clear-env</replaceable>, and can be
 280             specified multiple times.
 281           </para>
 282         </listitem>
 283       </varlistentry>
 284
 285      </variablelist>
 286
 287   </refsect1>
 288
 289   &commonoptions;
 290
 291   <refsect1>
 292     <title>Examples</title>
 293       <para>
 294         To spawn a new shell running inside an existing container, use
 295         <programlisting>
 296           lxc-attach -n container
 297         </programlisting>
 298       </para>
 299       <para>
 300         To restart the cron service of a running Debian container, use
 301         <programlisting>
 302           lxc-attach -n container -- /etc/init.d/cron restart
 303         </programlisting>
 304       </para>
 305       <para>
 306         To deactivate the network link eth1 of a running container that
 307         does not have the NET_ADMIN capability, use either the
 308         <option>-e</option> option to use increased capabilities,
 309         assuming the <command>ip</command> tool is installed:
 310         <programlisting>
 311           lxc-attach -n container -e -- /sbin/ip link delete eth1
 312         </programlisting>
 313         Or, alternatively, use the <option>-s</option> to use the
 314         tools installed on the host outside the container:
 315         <programlisting>
 316           lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
 317         </programlisting>
 318       </para>
 319   </refsect1>
 320
 321   <refsect1>
 322     <title>Compatibility</title>
 323     <para>
 324       Attaching completely (including the pid and mount namespaces) to a
 325       container requires a kernel of version 3.8 or higher, or a
 326       patched kernel, please see the lxc website for
 327       details. <command>lxc-attach</command> will fail in that case if
 328       used with an unpatched kernel of version 3.7 and prior.
 329     </para>
 330     <para>
 331       Nevertheless, it will succeed on an unpatched kernel of version 3.0
 332       or higher if the <option>-s</option> option is used to restrict the
 333       namespaces that the process is to be attached to to one or more of
 334       <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
 335       and <replaceable>UTSNAME</replaceable>.
 336     </para>
 337     <para>
 338       Attaching to user namespaces is supported by kernel 3.8 or higher
 339       with enabling user namespace.
 340     </para>
 341   </refsect1>
 342
 343   <refsect1>
 344     <title>Notes</title>
 345     <para>
 346       The Linux <replaceable>/proc</replaceable> and
 347       <replaceable>/sys</replaceable> filesystems contain information
 348       about some quantities that are affected by namespaces, such as
 349       the directories named after process ids in
 350       <replaceable>/proc</replaceable> or the network interface information
 351       in <replaceable>/sys/class/net</replaceable>. The namespace of the
 352       process mounting the pseudo-filesystems determines what information
 353       is shown, <emphasis>not</emphasis> the namespace of the process
 354       accessing <replaceable>/proc</replaceable> or
 355       <replaceable>/sys</replaceable>.
 356     </para>
 357     <para>
 358       If one uses the <option>-s</option> option to only attach to
 359       the pid namespace of a container, but not its mount namespace
 360       (which will contain the <replaceable>/proc</replaceable> of the
 361       container and not the host), the contents of <option>/proc</option>
 362       will reflect that of the host and not the container. Analogously,
 363       the same issue occurs when reading the contents of
 364       <replaceable>/sys/class/net</replaceable> and attaching to just
 365       the network namespace.
 366     </para>
 367     <para>
 368       To work around this problem, the <option>-R</option> flag provides
 369       the option to remount <replaceable>/proc</replaceable> and
 370       <replaceable>/sys</replaceable> in order for them to reflect the
 371       network/pid namespace context of the attached process. In order
 372       not to interfere with the host's actual filesystem, the mount
 373       namespace will be unshared (like <command>lxc-unshare</command>
 374       does) before this is done, essentially giving the process a new
 375       mount namespace, which is identical to the hosts's mount namespace
 376       except for the <replaceable>/proc</replaceable> and
 377       <replaceable>/sys</replaceable> filesystems.
 378     </para>
 379     <para>
 380       Previous versions of <command>lxc-attach</command> suffered a bug whereby
 381       a user could attach to a containers namespace without being placed in a
 382       writeable cgroup for some critical subsystems. Newer versions of
 383       <command>lxc-attach</command> will check whether a user is in a writeable
 384       cgroup for those critical subsystems. <command>lxc-attach</command> might
 385       thus fail unexpectedly for some users (E.g. on systems where an
 386       unprivileged user is not placed in a writeable cgroup in critical
 387       subsystems on login.). However, this behavior is correct and more secure.
 388     </para>
 389   </refsect1>
 390
 391   <refsect1>
 392     <title>Security</title>
 393     <para>
 394       The <option>-e</option> and <option>-s</option> options should
 395       be used with care, as it may break the isolation of the containers
 396       if used improperly.
 397     </para>
 398   </refsect1>
 399
 400   &seealso;
 401
 402   <refsect1>
 403     <title>Author</title>
 404     <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
 405   </refsect1>
 406
 407 </refentry>
 408
 409 <!-- Keep this comment at the end of the file
 410 Local variables:
 411 mode: sgml
 412 sgml-omittag:t
 413 sgml-shorttag:t
 414 sgml-minimize-attributes:nil
 415 sgml-always-quote-attributes:t
 416 sgml-indent-step:2
 417 sgml-indent-data:t
 418 sgml-parent-document:nil
 419 sgml-default-dtd-file:nil
 420 sgml-exposed-tags:nil
 421 sgml-local-catalogs:nil
 422 sgml-local-ecat-files:nil
 423 End:
 424 -->