X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pct.conf.5-opts.adoc;h=4024154ecaa1c51e0aefdfc2d4586ea52333074f;hp=fbced2d747db41ac22e133abacf374a2a04c22fb;hb=42a167208676dd7b0fd0793a5f3809061a0e8f38;hpb=2489d6df4ac5e916ae18401310bfd1e69c993e55 diff --git a/pct.conf.5-opts.adoc b/pct.conf.5-opts.adoc index fbced2d..4024154 100644 --- a/pct.conf.5-opts.adoc +++ b/pct.conf.5-opts.adoc @@ -1,4 +1,4 @@ -`arch`: `` ('default =' `amd64`):: +`arch`: `` ('default =' `amd64`):: OS architecture type. 
@@ -30,11 +30,31 @@ NOTE: You can disable fair-scheduler configuration by setting this to 0. Container description. Only used on the configuration web interface. +`features`: `[fuse=<1|0>] [,keyctl=<1|0>] [,mount=] [,nesting=<1|0>]` :: + +Allow containers access to advanced features. + +`fuse`=`` ('default =' `0`);; + +Allow using 'fuse' file systems in a container. Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks. + +`keyctl`=`` ('default =' `0`);; + +For unprivileged containers only: Allow the use of the keyctl() system call. This is required to use docker inside a container. By default unprivileged containers will see this system call as non-existent. This is mostly a workaround for systemd-networkd, as it will treat it as a fatal error when some keyctl() operations are denied by the kernel due to lacking permissions. Essentially, you can choose between running systemd-networkd or docker. + +`mount`=`` ;; + +Allow mounting file systems of specific types. This should be a list of file system types as used with the mount command. Note that this can have negative effects on the container's security. With access to a loop device, mounting a file can circumvent the mknod permission of the devices cgroup, mounting an NFS file system can block the host's I/O completely and prevent it from rebooting, etc. + +`nesting`=`` ('default =' `0`);; + +Allow nesting. Best used with unprivileged containers with additional id mapping. Note that this will expose procfs and sysfs contents of the host to the guest. + `hostname`: `` :: Set a host name for the container. -`lock`: `` :: +`lock`: `` :: Lock/unlock the VM.
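Review bot: the new `mount` entry says the value "should be a list of file system types as used with the mount command" but never says how the list is separated, and `features` is itself a comma-separated property string (`[,keyctl=<1|0>] [,mount=] [,nesting=<1|0>]`), so a reader cannot tell how to pass more than one type without it being parsed as the next sub-option. Please state the separator in the description and show a two-type value. `mount` is also the only sub-option without a 'default =' annotation; since the text warns that it "can have negative effects on the container's security", it is worth saying explicitly that no file system types are allowed when it is unset, if that is the case. In the `keyctl` entry, "This is mostly a workaround for systemd-networkd" directly follows the sentence about the default behaviour, so "This" can be read as either the option or the default of hiding the system call; naming the subject would make the closing "choose between running systemd-networkd or docker" easier to follow.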