kernel security bug rather than a LXC issue. LXC people think
unprivileged containers are safe by design.
+
+Configuration
+-------------
+
+The '/etc/pve/lxc/<CTID>.conf' files stores container configuration,
+where '<CTID>' is the numeric ID of the given container. Note that
+CTIDs < 100 are reserved for internal purposes, and CTIDs need to be
+cluster wide unique. Files are stored inside '/etc/pve/', so they get
+automatically replicated to all other cluster nodes.
+
+.Example Container Configuration
+----
+ostype: debian
+arch: amd64
+hostname: www
+memory: 512
+swap: 512
+net0: bridge=vmbr0,hwaddr=66:64:66:64:64:36,ip=dhcp,name=eth0,type=veth
+rootfs: local:107/vm-107-disk-1.raw,size=7G
+----
+
+Those configuration files are simple text files, and you can edit them
+using a normal text editor ('vi', 'nano', ...). This is sometimes
+useful to do small corrections, but keep in mind that you need to
+restart the container to apply such changes.
+
+For that reason, it is usually better to use the 'pct' command to
+generate and modify those files, or do the whole thing using the GUI.
+Our toolkit is smart enough to instantaneously apply most changes to
+running containers. This feature is called "hot plug", and there is no
+need to restart the container in that case.
+
+File Format
+~~~~~~~~~~~
+
+Container configuration files use a simple colon separated key/value
+format. Each line has the following format:
+
+ # this is a comment
+ OPTION: value
+
+Blank lines in those files are ignored, and lines starting with a '#'
+character are treated as comments and are also ignored.
+
+It is possible to add low-level, LXC style configuration directly, for
+example:
+
+ lxc.init_cmd: /sbin/my_own_init
+
+or
+
+ lxc.init_cmd = /sbin/my_own_init
+
+Those settings are directly passed to the LXC low-level tools.
+
+Snapshots
+~~~~~~~~~
+
+When you create a snapshot, 'pct' stores the configuration at snapshot
+time into a separate snapshot section within the same configuration
+file. For example, after creating a snapshot called 'testsnapshot',
+your configuration file will look like this:
+
+.Container Configuration with Snapshot
+----
+memory: 512
+swap: 512
+parent: testsnaphot
+...
+
+[testsnaphot]
+memory: 512
+swap: 512
+snaptime: 1457170803
+...
+----
+
+There are a view snapshot related properties like 'parent' and
+'snaptime'. They 'parent' property is used to store the parent/child
+relationship between snapshots. 'snaptime' is the snapshot creation
+time stamp (unix epoch).
+
+Guest Operating System Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+We normally try to detect the operating system type inside the
+container, and then modify some files inside the container to make
+them work as expected. Here is a short list of things we do at
+container startup:
+
+set /etc/hostname:: to set the container name
+
+modify /etc/hosts:: allow to lookup the local hostname
+
+network setup:: pass the complete network setup to the container
+
+configure DNS:: pass information about DNS servers
+
+adopt the init system:: for example, fix the number os spawned getty processes
+
+set the root password:: when creating a new container
+
+rewrite ssh_host_keys:: so that each container has unique keys
+
+randomize crontab:: so that cron does not start at same time on all containers
+
+Above task depends on the OS type, so the implementation is different
+for each OS type. You can also disable any modifications by manually
+setting the 'ostype' to 'unmanaged'.
+
+OS type detection is done by testing for certain files inside the
+container:
+
+Ubuntu:: inspect /etc/lsb-release ('DISTRIB_ID=Ubuntu')
+
+Debian:: test /etc/debian_version
+
+Fedora:: test /etc/fedora-release
+
+RedHat or CentOS:: test /etc/redhat-release
+
+ArchLinux:: test /etc/arch-release
+
+Alpine:: test /etc/alpine-release
+
+NOTE: Container start fails is configured 'ostype' differs from auto
+detected type.
+
+
+Container Images
+----------------
+
+Container Images, somtimes also referred as "templates" or
+"appliances", are 'tar' archives which contains everything to run a
+container. You can think of it as a tidy container backup. Like most
+modern container toolkits, 'pct' uses those images when you create a
+new container, for example:
+
+ pct create 999 local:vztmpl/debian-8.0-standard_8.0-1_amd64.tar.gz
+
+Proxmox itself ships a set of basic templates for most common
+operating systems, and you can download them using the 'pveam' (short
+for {pve} Appliance Manager) command line utility. You can also
+download https://www.turnkeylinux.org/[TurnKey Linux] containers using
+that tool (or the graphical user interface).
+
+Our image repositories contain a list of available images, and there
+is a cron job run each day to download that list. You can trigger that
+update manually with:
+
+ pveam update
+
+After that you can view the list of available images using:
+
+ pveam available
+
+You can restrict this large list by specifying the 'section' you are
+interested in, for example basic 'system' images:
+
+.List available system images
+----
+# pveam available --section system
+system archlinux-base_2015-24-29-1_x86_64.tar.gz
+system centos-7-default_20160205_amd64.tar.xz
+system debian-6.0-standard_6.0-7_amd64.tar.gz
+system debian-7.0-standard_7.0-3_amd64.tar.gz
+system debian-8.0-standard_8.0-1_amd64.tar.gz
+system ubuntu-12.04-standard_12.04-1_amd64.tar.gz
+system ubuntu-14.04-standard_14.04-1_amd64.tar.gz
+system ubuntu-15.04-standard_15.04-1_amd64.tar.gz
+system ubuntu-15.10-standard_15.10-1_amd64.tar.gz
+----
+
+Before you can use such template, you need to download them into one
+of your storages. You can simply use storage 'local' for that
+purpose. For clustered installations, it is preferred to use a shared
+storage so that all nodes can access those images.
+
+ pveam download local debian-8.0-standard_8.0-1_amd64.tar.gz
+
+You are now ready to create containers using that image, and you can
+list all downloaded images on storage 'local' with:
+
+----
+# pveam list local
+local:vztmpl/debian-8.0-standard_8.0-1_amd64.tar.gz 190.20MB
+----
+
+Above command shown you full {pve} volume identifiers. They includes
+the storage name, and most other {pve} commands can use them. For
+examply you can delete that image later with:
+
+ pveam remove local:vztmpl/debian-8.0-standard_8.0-1_amd64.tar.gz
+
+
Container Storage
-----------------
Managing Containers with 'pct'
------------------------------
-'pct' is a tool to manages Linux Containers (LXC). You can create and
-destroy containers, and control execution
-(start/stop/suspend/resume). Besides that, you can use pct to set
-parameters in the associated config file, like network configuration
-or memory.
+'pct' is the tool to manage Linux Containers on {pve}. You can create
+and destroy containers, and control execution (start, stop, migrate,
+...). You can use pct to set parameters in the associated config file,
+like network configuration or memory.
CLI Usage Examples
------------------
Files
------
-'/etc/pve/lxc/<vmid>.conf'::
+'/etc/pve/lxc/<CTID>.conf'::
-Configuration file for the container <vmid>
+Configuration file for the container '<CTID>'.
Container Advantages
projects / pve-docs.git / blobdiff