X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pct.adoc;h=40028b70f4b0796933ad342cc2bf186a7cd5aba5;hp=95856da31bc5196ff32af9d787d2abe5f12bb3d9;hb=51e33128e352041933fd6c7e79ec0fa3a992ed00;hpb=0585f29ac4ed08d13d073ccc77a344ec0e951d43 diff --git a/pct.adoc b/pct.adoc index 95856da..40028b7 100644 --- a/pct.adoc +++ b/pct.adoc @@ -59,7 +59,7 @@ Our primary goal is to offer an environment as one would get from a VM, but without the additional overhead. We call this "System Containers". -NOTE: If you want to run micro-containers (with docker, rct, ...), it +NOTE: If you want to run micro-containers (with docker, rkt, ...), it is best to run them inside a VM. @@ -205,9 +205,28 @@ rewrite ssh_host_keys:: so that each container has unique keys randomize crontab:: so that cron does not start at the same time on all containers -The above task depends on the OS type, so the implementation is different -for each OS type. You can also disable any modifications by manually -setting the 'ostype' to 'unmanaged'. +Changes made by {PVE} are enclosed by comment markers: + +---- +# --- BEGIN PVE --- + +# --- END PVE --- +---- + +Those markers will be inserted at a reasonable location in the +file. If such a section already exists, it will be updated in place +and will not be moved. + +Modification of a file can be prevented by adding a `.pve-ignore.` +file for it. For instance, if the file `/etc/.pve-ignore.hosts` +exists then the `/etc/hosts` file will not be touched. This can be a +simple empty file creatd via: + + # touch /etc/.pve-ignore.hosts + +Most modifications are OS dependent, so they differ between different +distributions and versions. You can completely disable modifications +by manually setting the 'ostype' to 'unmanaged'. OS type detection is done by testing for certain files inside the container: @@ -224,9 +243,16 @@ ArchLinux:: test /etc/arch-release Alpine:: test /etc/alpine-release +Gentoo:: test /etc/gentoo-release + NOTE: Container start fails if the configured 'ostype' differs from the auto detected type. +Options +~~~~~~~ + +include::pct.conf.5-opts.adoc[] + Container Images ---------------- @@ -328,10 +354,17 @@ also provide an easy way to share data between different containers. Mount Points ~~~~~~~~~~~~ -Beside the root directory the container can also have additional mount points. +The root mount point is configured with the `rootfs` property, and you can +configure up to 10 additional mount points. The corresponding options +are called `mp0` to `mp9`, and they can contain the following setting: + +include::pct-mountpoint-opts.adoc[] + Currently there are basically three types of mount points: storage backed mount points, bind mounts and device mounts. +.Storage backed mount points + Storage backed mount points are managed by the {pve} storage subsystem and come in three different flavors: @@ -342,33 +375,41 @@ in three different flavors: - Directories: passing `size=0` triggers a special case where instead of a raw image a directory is created. +.Bind mount points + Bind mounts are considered to not be managed by the storage subsystem, so you cannot make snapshots or deal with quotas from inside the container, and with unprivileged containers you might run into permission problems caused by the user mapping, and cannot use ACLs from inside an unprivileged container. -Similarly device mounts are not managed by the storage, but for these the -`quota` and `acl` options will be honored. +WARNING: For security reasons, bind mounts should only be established +using source directories especially reserved for this purpose, e.g., a +directory hierarchy under `/mnt/bindmounts`. Never bind mount system +directories like `/`, `/var` or `/etc` into a container - this poses a +great security risk. The bind mount source path must not contain any symlinks. + +.Device mount points + +Similar to bind mounts, device mounts are not managed by the storage, but for +these the `quota` and `acl` options will be honored. + +.FUSE mounts WARNING: Because of existing issues in the Linux kernel's freezer subsystem the usage of FUSE mounts inside a container is strongly advised against, as containers need to be frozen for suspend or -snapshot mode backups. If FUSE mounts cannot be replaced by other -mounting mechanisms or storage technologies, it is possible to -establish the FUSE mount on the Proxmox host and use a bind -mount point to make it accessible inside the container. +snapshot mode backups. -The root mount point is configured with the 'rootfs' property, and you can -configure up to 10 additional mount points. The corresponding options -are called 'mp0' to 'mp9', and they can contain the following setting: +If FUSE mounts cannot be replaced by other mounting mechanisms or storage +technologies, it is possible to establish the FUSE mount on the Proxmox host +and use a bind mount point to make it accessible inside the container. -include::pct-mountpoint-opts.adoc[] - -.Typical Container 'rootfs' configuration +.Typical Container `rootfs` configuration ---- rootfs: thin1:base-100-disk-1,size=8G ---- + Using quotas inside containers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -414,6 +455,13 @@ they can contain the following setting: include::pct-network-opts.adoc[] +Backup and Restore +------------------ + +It is possible to use the 'vzdump' tool for container backup. Please +refer to the 'vzdump' manual page for details. + + Managing Containers with 'pct' ------------------------------