X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pct.adoc;h=95856da31bc5196ff32af9d787d2abe5f12bb3d9;hp=2619974bf93686fa6ebe0d13a692fb36117ab88c;hb=0585f29ac4ed08d13d073ccc77a344ec0e951d43;hpb=eeecce951623a1b549493fb75f491badd30011fd diff --git a/pct.adoc b/pct.adoc index 2619974..95856da 100644 --- a/pct.adoc +++ b/pct.adoc @@ -101,11 +101,13 @@ unprivileged containers are safe by design. Configuration ------------- -The '/etc/pve/lxc/.conf' files stores container configuration, -where '' is the numeric ID of the given container. Note that -CTIDs < 100 are reserved for internal purposes, and CTIDs need to be -unique cluster wide. Files are stored inside '/etc/pve/', so they get -automatically replicated to all other cluster nodes. +The '/etc/pve/lxc/.conf' file stores container configuration, +where '' is the numeric ID of the given container. Like all +other files stored inside '/etc/pve/', they get automatically +replicated to all other cluster nodes. + +NOTE: CTIDs < 100 are reserved for internal purposes, and CTIDs need to be +unique cluster wide. .Example Container Configuration ---- @@ -323,6 +325,95 @@ local storage inside containers with zero overhead. Such bind mounts also provide an easy way to share data between different containers. +Mount Points +~~~~~~~~~~~~ + +Beside the root directory the container can also have additional mount points. +Currently there are basically three types of mount points: storage backed +mount points, bind mounts and device mounts. + +Storage backed mount points are managed by the {pve} storage subsystem and come +in three different flavors: + +- Image based: These are raw images containing a single ext4 formatted file + system. +- ZFS Subvolumes: These are technically bind mounts, but with managed storage, + and thus allow resizing and snapshotting. +- Directories: passing `size=0` triggers a special case where instead of a raw + image a directory is created. + +Bind mounts are considered to not be managed by the storage subsystem, so you +cannot make snapshots or deal with quotas from inside the container, and with +unprivileged containers you might run into permission problems caused by the +user mapping, and cannot use ACLs from inside an unprivileged container. + +Similarly device mounts are not managed by the storage, but for these the +`quota` and `acl` options will be honored. + +WARNING: Because of existing issues in the Linux kernel's freezer +subsystem the usage of FUSE mounts inside a container is strongly +advised against, as containers need to be frozen for suspend or +snapshot mode backups. If FUSE mounts cannot be replaced by other +mounting mechanisms or storage technologies, it is possible to +establish the FUSE mount on the Proxmox host and use a bind +mount point to make it accessible inside the container. + +The root mount point is configured with the 'rootfs' property, and you can +configure up to 10 additional mount points. The corresponding options +are called 'mp0' to 'mp9', and they can contain the following setting: + +include::pct-mountpoint-opts.adoc[] + +.Typical Container 'rootfs' configuration +---- +rootfs: thin1:base-100-disk-1,size=8G +---- + +Using quotas inside containers +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Quotas allow to set limits inside a container for the amount of disk +space that each user can use. This only works on ext4 image based +storage types and currently does not work with unprivileged +containers. + +Activating the `quota` option causes the following mount options to be +used for a mount point: +`usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0` + +This allows quotas to be used like you would on any other system. You +can initialize the `/aquota.user` and `/aquota.group` files by running + +---- +quotacheck -cmug / +quotaon / +---- + +and edit the quotas via the `edquota` command. Refer to the documentation +of the distribution running inside the container for details. + +NOTE: You need to run the above commands for every mount point by passing +the mount point's path instead of just `/`. + + +Using ACLs inside containers +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The standard Posix Access Control Lists are also available inside containers. +ACLs allow you to set more detailed file ownership than the traditional user/ +group/others model. + + +Container Network +----------------- + +You can configure up to 10 network interfaces for a single +container. The corresponding options are called 'net0' to 'net9', and +they can contain the following setting: + +include::pct-network-opts.adoc[] + + Managing Containers with 'pct' ------------------------------ @@ -332,7 +423,7 @@ and destroy containers, and control execution (start, stop, migrate, like network configuration or memory limits. CLI Usage Examples ------------------- +~~~~~~~~~~~~~~~~~~ Create a container based on a Debian template (provided you have already downloaded the template via the webgui) @@ -362,7 +453,8 @@ set the address and gateway, while it's running Reduce the memory of the container to 512MB - pct set -memory 512 100 + pct set 100 -memory 512 + Files ------ @@ -372,32 +464,6 @@ Files Configuration file for the container ''. -Container Mountpoints ---------------------- - -Beside the root directory the container can also have additional mountpoints. -Currently there are basically three types of mountpoints: storage backed -mountpoints, bind mounts and device mounts. - -Storage backed mountpoints are managed by the {pve} storage subsystem and come -in three different flavors: - -- Image based: These are raw images containing a single ext4 formatted file - system. -- ZFS Subvolumes: These are technically bind mounts, but with managed storage, - and thus allow resizing and snapshotting. -- Directories: passing `size=0` triggers a special case where instead of a raw - image a directory is created. - -Bind mounts are considered to not be managed by the storage subsystem, so you -cannot make snapshots or deal with quotas from inside the container, and with -unprivileged containers you might run into permission problems caused by the -user mapping, and cannot use ACLs from inside an unprivileged container. - -Similarly device mounts are not managed by the storage, but for these the -`quota` and `acl` options will be honored. - - Container Advantages -------------------- @@ -436,7 +502,7 @@ Technology Overview - CRIU: for live migration (planned) -- We use latest available kernels (4.2.X) +- We use latest available kernels (4.4.X) - Image based deployment (templates)