Commit ba1a2aec by Stéphane Graber

tabs/spaces consistency

parent 3fb22c29
...@@ -78,57 +78,57 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ...@@ -78,57 +78,57 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<refsect2> <refsect2>
<title>Configuration</title> <title>Configuration</title>
<para> <para>
In order to ease administration of multiple related containers, it In order to ease administration of multiple related containers, it
is possible to have a container configuration file cause another is possible to have a container configuration file cause another
file to be loaded. For instance, network configuration file to be loaded. For instance, network configuration
can be defined in one common file which is included by multiple can be defined in one common file which is included by multiple
containers. Then, if the containers are moved to another host, containers. Then, if the containers are moved to another host,
only one file may need to be updated. only one file may need to be updated.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.include</option> <option>lxc.include</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify the file to be included. The included file must be Specify the file to be included. The included file must be
in the same valid lxc configuration file format. in the same valid lxc configuration file format.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2> <refsect2>
<title>Architecture</title> <title>Architecture</title>
<para> <para>
Allows one to set the architecture for the container. For example, Allows one to set the architecture for the container. For example,
set a 32bits architecture for a container running 32bits set a 32bits architecture for a container running 32bits
binaries on a 64bits host. This fixes the container scripts binaries on a 64bits host. This fixes the container scripts
which rely on the architecture to do some work like which rely on the architecture to do some work like
downloading the packages. downloading the packages.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.arch</option> <option>lxc.arch</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify the architecture for the container. Specify the architecture for the container.
</para> </para>
<para> <para>
Valid options are Valid options are
<option>x86</option>, <option>x86</option>,
<option>i686</option>, <option>i686</option>,
<option>x86_64</option>, <option>x86_64</option>,
<option>amd64</option> <option>amd64</option>
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
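Review bot: both columns of this hunk read identically, so the 57 lines reported as changed are whitespace only, matching the commit message; before merging, confirm that `git diff -w 3fb22c29 ba1a2aec` on this file is empty so no wording slipped in alongside the tab/space normalization. Keeping such whitespace-only commits separate from content edits, as done here, also keeps `git blame` on the documentation useful.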
...@@ -136,22 +136,22 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ...@@ -136,22 +136,22 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<refsect2> <refsect2>
<title>Hostname</title> <title>Hostname</title>
<para> <para>
The utsname section defines the hostname to be set for the The utsname section defines the hostname to be set for the
container. That means the container can set its own hostname container. That means the container can set its own hostname
without changing the one from the system. That makes the without changing the one from the system. That makes the
hostname private for the container. hostname private for the container.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.utsname</option> <option>lxc.utsname</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify the hostname for the container specify the hostname for the container
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
...@@ -204,388 +204,388 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ...@@ -204,388 +204,388 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<refsect2> <refsect2>
<title>Network</title> <title>Network</title>
<para> <para>
The network section defines how the network is virtualized in The network section defines how the network is virtualized in
the container. The network virtualization acts at layer the container. The network virtualization acts at layer
two. In order to use the network virtualization, parameters two. In order to use the network virtualization, parameters
must be specified to define the network interfaces of the must be specified to define the network interfaces of the
container. Several virtual interfaces can be assigned and used container. Several virtual interfaces can be assigned and used
in a container even if the system has only one physical in a container even if the system has only one physical
network interface. network interface.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.type</option> <option>lxc.network.type</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify what kind of network virtualization to be used specify what kind of network virtualization to be used
for the container. Each time for the container. Each time
a <option>lxc.network.type</option> field is found a new a <option>lxc.network.type</option> field is found a new
round of network configuration begins. In this way, round of network configuration begins. In this way,
several network virtualization types can be specified several network virtualization types can be specified
for the same container, as well as assigning several for the same container, as well as assigning several
network interfaces for one container. The different network interfaces for one container. The different
virtualization types can be: virtualization types can be:
</para> </para>
<para> <para>
<option>none:</option> will cause the container to share <option>none:</option> will cause the container to share
the host's network namespace. This means the host the host's network namespace. This means the host
network devices are usable in the container. It also network devices are usable in the container. It also
means that if both the container and host have upstart as means that if both the container and host have upstart as
init, 'halt' in a container (for instance) will shut down the init, 'halt' in a container (for instance) will shut down the
host. host.
</para> </para>
<para> <para>
<option>empty:</option> will create only the loopback <option>empty:</option> will create only the loopback
interface. interface.
</para> </para>
<para> <para>
<option>veth:</option> a peer network device is created <option>veth:</option> a peer network device is created
with one side assigned to the container and the other with one side assigned to the container and the other
side is attached to a bridge specified by side is attached to a bridge specified by
the <option>lxc.network.link</option>. If the bridge is the <option>lxc.network.link</option>. If the bridge is
not specified, then the veth pair device will be created not specified, then the veth pair device will be created
but not attached to any bridge. Otherwise, the bridge but not attached to any bridge. Otherwise, the bridge
has to be setup before on the has to be setup before on the
system, <command>lxc</command> won't handle any system, <command>lxc</command> won't handle any
configuration outside of the container. By configuration outside of the container. By
default <command>lxc</command> choose a name for the default <command>lxc</command> choose a name for the
network device belonging to the outside of the network device belonging to the outside of the
container, this name is handled container, this name is handled
by <command>lxc</command>, but if you wish to handle by <command>lxc</command>, but if you wish to handle
this name yourself, you can tell <command>lxc</command> this name yourself, you can tell <command>lxc</command>
to set a specific name with to set a specific name with
the <option>lxc.network.veth.pair</option> option (except for the <option>lxc.network.veth.pair</option> option (except for
unprivileged containers where this option is ignored for security unprivileged containers where this option is ignored for security
reasons). reasons).
</para> </para>
<para> <para>
<option>vlan:</option> a vlan interface is linked with <option>vlan:</option> a vlan interface is linked with
the interface specified by the interface specified by
the <option>lxc.network.link</option> and assigned to the <option>lxc.network.link</option> and assigned to
the container. The vlan identifier is specified with the the container. The vlan identifier is specified with the
option <option>lxc.network.vlan.id</option>. option <option>lxc.network.vlan.id</option>.
</para> </para>
<para> <para>
<option>macvlan:</option> a macvlan interface is linked <option>macvlan:</option> a macvlan interface is linked
with the interface specified by with the interface specified by
the <option>lxc.network.link</option> and assigned to the <option>lxc.network.link</option> and assigned to
the container. the container.
<option>lxc.network.macvlan.mode</option> specifies the <option>lxc.network.macvlan.mode</option> specifies the
mode the macvlan will use to communicate between mode the macvlan will use to communicate between
different macvlan on the same upper device. The accepted different macvlan on the same upper device. The accepted
modes are <option>private</option>, the device never modes are <option>private</option>, the device never
communicates with any other device on the same upper_dev (default), communicates with any other device on the same upper_dev (default),
<option>vepa</option>, the new Virtual Ethernet Port <option>vepa</option>, the new Virtual Ethernet Port
Aggregator (VEPA) mode, it assumes that the adjacent Aggregator (VEPA) mode, it assumes that the adjacent
bridge returns all frames where both source and bridge returns all frames where both source and
destination are local to the macvlan port, i.e. the destination are local to the macvlan port, i.e. the
bridge is set up as a reflective relay. Broadcast bridge is set up as a reflective relay. Broadcast
frames coming in from the upper_dev get flooded to all frames coming in from the upper_dev get flooded to all
macvlan interfaces in VEPA mode, local frames are not macvlan interfaces in VEPA mode, local frames are not
delivered locally, or <option>bridge</option>, it delivered locally, or <option>bridge</option>, it
provides the behavior of a simple bridge between provides the behavior of a simple bridge between
different macvlan interfaces on the same port. Frames different macvlan interfaces on the same port. Frames
from one interface to another one get delivered directly from one interface to another one get delivered directly
and are not sent out externally. Broadcast frames get and are not sent out externally. Broadcast frames get
flooded to all other bridge ports and to the external flooded to all other bridge ports and to the external
interface, but when they come back from a reflective interface, but when they come back from a reflective
relay, we don't deliver them again. Since we know all relay, we don't deliver them again. Since we know all
the MAC addresses, the macvlan bridge mode does not the MAC addresses, the macvlan bridge mode does not
require learning or STP like the bridge module does. require learning or STP like the bridge module does.
</para> </para>
<para> <para>
<option>phys:</option> an already existing interface <option>phys:</option> an already existing interface
specified by the <option>lxc.network.link</option> is specified by the <option>lxc.network.link</option> is
assigned to the container. assigned to the container.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.flags</option> <option>lxc.network.flags</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify an action to do for the specify an action to do for the
network. network.
</para> </para>
<para><option>up:</option> activates the interface. <para><option>up:</option> activates the interface.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.link</option> <option>lxc.network.link</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify the interface to be used for real network specify the interface to be used for real network
traffic. traffic.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.mtu</option> <option>lxc.network.mtu</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify the maximum transfer unit for this interface. specify the maximum transfer unit for this interface.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.name</option> <option>lxc.network.name</option>
</term> </term>
<listitem> <listitem>
<para> <para>
the interface name is dynamically allocated, but if the interface name is dynamically allocated, but if
another name is needed because the configuration files another name is needed because the configuration files
being used by the container use a generic name, being used by the container use a generic name,
eg. eth0, this option will rename the interface in the eg. eth0, this option will rename the interface in the
container. container.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.hwaddr</option> <option>lxc.network.hwaddr</option>
</term> </term>
<listitem> <listitem>
<para> <para>
the interface mac address is dynamically allocated by the interface mac address is dynamically allocated by
default to the virtual interface, but in some cases, default to the virtual interface, but in some cases,
this is needed to resolve a mac address conflict or to this is needed to resolve a mac address conflict or to
always have the same link-local ipv6 address. always have the same link-local ipv6 address.
Any "x" in address will be replaced by random value, Any "x" in address will be replaced by random value,
this allows setting hwaddr templates. this allows setting hwaddr templates.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.ipv4</option> <option>lxc.network.ipv4</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify the ipv4 address to assign to the virtualized specify the ipv4 address to assign to the virtualized
interface. Several lines specify several ipv4 addresses. interface. Several lines specify several ipv4 addresses.
The address is in format x.y.z.t/m, The address is in format x.y.z.t/m,
eg. 192.168.1.123/24. The broadcast address should be eg. 192.168.1.123/24. The broadcast address should be
specified on the same line, right after the ipv4 specified on the same line, right after the ipv4
address. address.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.ipv4.gateway</option> <option>lxc.network.ipv4.gateway</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify the ipv4 address to use as the gateway inside the specify the ipv4 address to use as the gateway inside the
container. The address is in format x.y.z.t, eg. container. The address is in format x.y.z.t, eg.
192.168.1.123. 192.168.1.123.
Can also have the special value <option>auto</option>, Can also have the special value <option>auto</option>,
which means to take the primary address from the bridge which means to take the primary address from the bridge
interface (as specified by the interface (as specified by the
<option>lxc.network.link</option> option) and use that as <option>lxc.network.link</option> option) and use that as
the gateway. <option>auto</option> is only available when the gateway. <option>auto</option> is only available when
using the <option>veth</option> and using the <option>veth</option> and
<option>macvlan</option> network types. <option>macvlan</option> network types.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.ipv6</option> <option>lxc.network.ipv6</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify the ipv6 address to assign to the virtualized specify the ipv6 address to assign to the virtualized
interface. Several lines specify several ipv6 addresses. interface. Several lines specify several ipv6 addresses.
The address is in format x::y/m, The address is in format x::y/m,
eg. 2003:db8:1:0:214:1234:fe0b:3596/64 eg. 2003:db8:1:0:214:1234:fe0b:3596/64
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.ipv6.gateway</option> <option>lxc.network.ipv6.gateway</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify the ipv6 address to use as the gateway inside the specify the ipv6 address to use as the gateway inside the
container. The address is in format x::y, container. The address is in format x::y,
eg. 2003:db8:1:0::1 eg. 2003:db8:1:0::1
Can also have the special value <option>auto</option>, Can also have the special value <option>auto</option>,
which means to take the primary address from the bridge which means to take the primary address from the bridge
interface (as specified by the interface (as specified by the
<option>lxc.network.link</option> option) and use that as <option>lxc.network.link</option> option) and use that as
the gateway. <option>auto</option> is only available when the gateway. <option>auto</option> is only available when
using the <option>veth</option> and using the <option>veth</option> and
<option>macvlan</option> network types. <option>macvlan</option> network types.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.script.up</option> <option>lxc.network.script.up</option>
</term> </term>
<listitem> <listitem>
<para> <para>
add a configuration option to specify a script to be add a configuration option to specify a script to be
executed after creating and configuring the network used executed after creating and configuring the network used
from the host side. The following arguments are passed from the host side. The following arguments are passed
to the script: container name and config section name to the script: container name and config section name
(net) Additional arguments depend on the config section (net) Additional arguments depend on the config section
employing a script hook; the following are used by the employing a script hook; the following are used by the
network system: execution context (up), network type network system: execution context (up), network type
(empty/veth/macvlan/phys), Depending on the network (empty/veth/macvlan/phys), Depending on the network
type, other arguments may be passed: type, other arguments may be passed:
veth/macvlan/phys. And finally (host-sided) device name. veth/macvlan/phys. And finally (host-sided) device name.
</para> </para>
<para> <para>
Standard output from the script is logged at debug level. Standard output from the script is logged at debug level.
Standard error is not logged, but can be captured by the Standard error is not logged, but can be captured by the
hook redirecting its standard error to standard output. hook redirecting its standard error to standard output.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.network.script.down</option> <option>lxc.network.script.down</option>
</term> </term>
<listitem> <listitem>
<para> <para>
add a configuration option to specify a script to be add a configuration option to specify a script to be
executed before destroying the network used from the executed before destroying the network used from the
host side. The following arguments are passed to the host side. The following arguments are passed to the
script: container name and config section name (net) script: container name and config section name (net)
Additional arguments depend on the config section Additional arguments depend on the config section
employing a script hook; the following are used by the employing a script hook; the following are used by the
network system: execution context (down), network type network system: execution context (down), network type
(empty/veth/macvlan/phys), Depending on the network (empty/veth/macvlan/phys), Depending on the network
type, other arguments may be passed: type, other arguments may be passed:
veth/macvlan/phys. And finally (host-sided) device name. veth/macvlan/phys. And finally (host-sided) device name.
</para> </para>
<para> <para>
Standard output from the script is logged at debug level. Standard output from the script is logged at debug level.
Standard error is not logged, but can be captured by the Standard error is not logged, but can be captured by the
hook redirecting its standard error to standard output. hook redirecting its standard error to standard output.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2> <refsect2>
<title>New pseudo tty instance (devpts)</title> <title>New pseudo tty instance (devpts)</title>
<para> <para>
For stricter isolation the container can have its own private For stricter isolation the container can have its own private
instance of the pseudo tty. instance of the pseudo tty.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.pts</option> <option>lxc.pts</option>
</term> </term>
<listitem> <listitem>
<para> <para>
If set, the container will have a new pseudo tty If set, the container will have a new pseudo tty
instance, making this private to it. The value specifies instance, making this private to it. The value specifies
the maximum number of pseudo ttys allowed for a pts the maximum number of pseudo ttys allowed for a pts
instance (this limitation is not implemented yet). instance (this limitation is not implemented yet).
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2> <refsect2>
<title>Container system console</title> <title>Container system console</title>
<para> <para>
If the container is configured with a root filesystem and the If the container is configured with a root filesystem and the
inittab file is setup to use the console, you may want to specify inittab file is setup to use the console, you may want to specify
where the output of this console goes. where the output of this console goes.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.console.logfile</option> <option>lxc.console.logfile</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify a path to a file where the console output will Specify a path to a file where the console output will
be written. be written.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.console</option> <option>lxc.console</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify a path to a device to which the console will be Specify a path to a device to which the console will be
attached. The keyword 'none' will simply disable the attached. The keyword 'none' will simply disable the
console. This is dangerous once if have a rootfs with a console. This is dangerous once if have a rootfs with a
console device file where the application can write, the console device file where the application can write, the
messages will fall in the host. messages will fall in the host.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2> <refsect2>
<title>Console through the ttys</title> <title>Console through the ttys</title>
<para> <para>
This option is useful if the container is configured with a root This option is useful if the container is configured with a root
filesystem and the inittab file is setup to launch a getty on the filesystem and the inittab file is setup to launch a getty on the
ttys. The option specifies the number of ttys to be available for ttys. The option specifies the number of ttys to be available for
the container. The number of gettys in the inittab file of the the container. The number of gettys in the inittab file of the
container should not be greater than the number of ttys specified container should not be greater than the number of ttys specified
in this option, otherwise the excess getty sessions will die and in this option, otherwise the excess getty sessions will die and
respawn indefinitely giving annoying messages on the console or in respawn indefinitely giving annoying messages on the console or in
<filename>/var/log/messages</filename>. <filename>/var/log/messages</filename>.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.tty</option> <option>lxc.tty</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify the number of tty to make available to the Specify the number of tty to make available to the
container. container.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
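Review bot: the `lxc.console` description in this hunk is ungrammatical where it matters most, the security warning: "This is dangerous once if have a rootfs with a console device file where the application can write, the messages will fall in the host." Since the commit is a whitespace cleanup this is not the place to change it, but a follow-up should reword it to something like "Disabling the console with 'none' is dangerous if the rootfs contains a console device file the application can write to: its messages will then end up on the host." The same follow-up could tidy the `lxc.network.script.up` argument list, whose sentence "network type (empty/veth/macvlan/phys), Depending on the network type, other arguments may be passed: veth/macvlan/phys." is hard to parse.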
...@@ -593,58 +593,58 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ...@@ -593,58 +593,58 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<title>Console devices location</title> <title>Console devices location</title>
<para> <para>
LXC consoles are provided through Unix98 PTYs created on the LXC consoles are provided through Unix98 PTYs created on the
host and bind-mounted over the expected devices in the container. host and bind-mounted over the expected devices in the container.
By default, they are bind-mounted over <filename>/dev/console</filename> By default, they are bind-mounted over <filename>/dev/console</filename>
and <filename>/dev/ttyN</filename>. This can prevent package upgrades and <filename>/dev/ttyN</filename>. This can prevent package upgrades
in the guest. Therefore you can specify a directory location (under in the guest. Therefore you can specify a directory location (under
<filename>/dev</filename> under which LXC will create the files and <filename>/dev</filename> under which LXC will create the files and
bind-mount over them. These will then be symbolically linked to bind-mount over them. These will then be symbolically linked to
<filename>/dev/console</filename> and <filename>/dev/ttyN</filename>. <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.
A package upgrade can then succeed as it is able to remove and replace A package upgrade can then succeed as it is able to remove and replace
the symbolic links. the symbolic links.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.devttydir</option> <option>lxc.devttydir</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify a directory under <filename>/dev</filename> Specify a directory under <filename>/dev</filename>
under which to create the container console devices. under which to create the container console devices.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2> <refsect2>
<title>/dev directory</title> <title>/dev directory</title>
<para> <para>
By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr) By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr)
in the container's <filename>/dev</filename> directory but does not in the container's <filename>/dev</filename> directory but does not
automatically create device node entries. This allows the container's automatically create device node entries. This allows the container's
<filename>/dev</filename> to be set up as needed in the container <filename>/dev</filename> to be set up as needed in the container
rootfs. If lxc.autodev is set to 1, then after mounting the container's rootfs. If lxc.autodev is set to 1, then after mounting the container's
rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename> rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>
(limited to 100k) and fill in a minimal set of initial devices. (limited to 100k) and fill in a minimal set of initial devices.
This is generally required when starting a container containing This is generally required when starting a container containing
a "systemd" based "init" but may be optional at other times. Additional a "systemd" based "init" but may be optional at other times. Additional
devices in the containers /dev directory may be created through the devices in the containers /dev directory may be created through the
use of the <option>lxc.hook.autodev</option> hook. use of the <option>lxc.hook.autodev</option> hook.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.autodev</option> <option>lxc.autodev</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Set this to 1 to have LXC mount and populate a minimal Set this to 1 to have LXC mount and populate a minimal
<filename>/dev</filename> when starting the container. <filename>/dev</filename> when starting the container.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
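Review bot: the "Console devices location" paragraph has an unbalanced parenthesis: "Therefore you can specify a directory location (under <filename>/dev</filename> under which LXC will create the files and bind-mount over them." never closes. Suggest "(under <filename>/dev</filename>) under which LXC will create the files and bind-mount over them." in a follow-up; out of scope for a whitespace-only commit.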
...@@ -670,211 +670,211 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA ...@@ -670,211 +670,211 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<refsect2> <refsect2>
<title>Mount points</title> <title>Mount points</title>
<para> <para>
The mount points section specifies the different places to be The mount points section specifies the different places to be
mounted. These mount points will be private to the container mounted. These mount points will be private to the container
and won't be visible by the processes running outside of the and won't be visible by the processes running outside of the
container. This is useful to mount /etc, /var or /home for container. This is useful to mount /etc, /var or /home for
examples. examples.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.mount</option> <option>lxc.mount</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify a file location in specify a file location in
the <filename>fstab</filename> format, containing the the <filename>fstab</filename> format, containing the
mount information. The mount target location can and in mount information. The mount target location can and in
most cases should be a relative path, which will become most cases should be a relative path, which will become
relative to the mounted container root. For instance, relative to the mounted container root. For instance,
</para> </para>
<screen> <screen>
proc proc proc nodev,noexec,nosuid 0 0 proc proc proc nodev,noexec,nosuid 0 0
</screen> </screen>
<para> <para>
Will mount a proc filesystem under the container's /proc, Will mount a proc filesystem under the container's /proc,
regardless of where the root filesystem comes from. This regardless of where the root filesystem comes from. This
is resilient to block device backed filesystems as well as is resilient to block device backed filesystems as well as
container cloning. container cloning.
</para> </para>
<para> <para>
Note that when mounting a filesystem from an Note that when mounting a filesystem from an
image file or block device the third field (fs_vfstype) image file or block device the third field (fs_vfstype)
cannot be auto as with cannot be auto as with
<citerefentry> <citerefentry>
<refentrytitle>mount</refentrytitle> <refentrytitle>mount</refentrytitle>
<manvolnum>8</manvolnum> <manvolnum>8</manvolnum>
</citerefentry> </citerefentry>
but must be explicitly specified. but must be explicitly specified.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.mount.entry</option> <option>lxc.mount.entry</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify a mount point corresponding to a line in the specify a mount point corresponding to a line in the
fstab format. fstab format.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.mount.auto</option> <option>lxc.mount.auto</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify which standard kernel file systems should be specify which standard kernel file systems should be
automatically mounted. This may dramatically simplify automatically mounted. This may dramatically simplify
the configuration. The file systems are: the configuration. The file systems are:
</para> </para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para> <para>
<option>proc:mixed</option> (or <option>proc</option>): <option>proc:mixed</option> (or <option>proc</option>):
mount <filename>/proc</filename> as read-write, but mount <filename>/proc</filename> as read-write, but
remount <filename>/proc/sys</filename> and remount <filename>/proc/sys</filename> and
<filename>/proc/sysrq-trigger</filename> read-only <filename>/proc/sysrq-trigger</filename> read-only
for security / container isolation purposes. for security / container isolation purposes.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>proc:rw</option>: mount <option>proc:rw</option>: mount
<filename>/proc</filename> as read-write <filename>/proc</filename> as read-write
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>sys:ro</option> (or <option>sys</option>): <option>sys:ro</option> (or <option>sys</option>):
mount <filename>/sys</filename> as read-only mount <filename>/sys</filename> as read-only
for security / container isolation purposes. for security / container isolation purposes.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>sys:rw</option>: mount <option>sys:rw</option>: mount
<filename>/sys</filename> as read-write <filename>/sys</filename> as read-write
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>cgroup:mixed</option>: <option>cgroup:mixed</option>:
mount a tmpfs to <filename>/sys/fs/cgroup</filename>, mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
create directories for all hierarchies to which create directories for all hierarchies to which
the container is added, create subdirectories the container is added, create subdirectories
there with the name of the cgroup, and bind-mount there with the name of the cgroup, and bind-mount
the container's own cgroup into that directory. the container's own cgroup into that directory.
The container will be able to write to its own The container will be able to write to its own
cgroup directory, but not the parents, since they cgroup directory, but not the parents, since they
will be remounted read-only will be remounted read-only
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>cgroup:ro</option>: similar to <option>cgroup:ro</option>: similar to
<option>cgroup:mixed</option>, but everything will <option>cgroup:mixed</option>, but everything will
be mounted read-only. be mounted read-only.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>cgroup:rw</option>: similar to <option>cgroup:rw</option>: similar to
<option>cgroup:mixed</option>, but everything will <option>cgroup:mixed</option>, but everything will
be mounted read-write. Note that the paths leading be mounted read-write. Note that the paths leading
up to the container's own cgroup will be writable, up to the container's own cgroup will be writable,
but will not be a cgroup filesystem but just part but will not be a cgroup filesystem but just part
of the tmpfs of <filename>/sys/fs/cgroup</filename> of the tmpfs of <filename>/sys/fs/cgroup</filename>
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>cgroup</option> (without specifier): <option>cgroup</option> (without specifier):
defaults to <option>cgroup:rw</option> if the defaults to <option>cgroup:rw</option> if the
container retains the CAP_SYS_ADMIN capability, container retains the CAP_SYS_ADMIN capability,
<option>cgroup:mixed</option> otherwise. <option>cgroup:mixed</option> otherwise.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>cgroup-full:mixed</option>: <option>cgroup-full:mixed</option>:
mount a tmpfs to <filename>/sys/fs/cgroup</filename>, mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
create directories for all hierarchies to which create directories for all hierarchies to which
the container is added, bind-mount the hierarchies the container is added, bind-mount the hierarchies
from the host to the container and make everything from the host to the container and make everything
read-only except the container's own cgroup. Note read-only except the container's own cgroup. Note
that compared to <option>cgroup</option>, where that compared to <option>cgroup</option>, where
all paths leading up to the container's own cgroup all paths leading up to the container's own cgroup
are just simple directories in the underlying are just simple directories in the underlying
tmpfs, here tmpfs, here
<filename>/sys/fs/cgroup/$hierarchy</filename> <filename>/sys/fs/cgroup/$hierarchy</filename>
will contain the host's full cgroup hierarchy, will contain the host's full cgroup hierarchy,
albeit read-only outside the container's own cgroup. albeit read-only outside the container's own cgroup.
This may leak quite a bit of information into the This may leak quite a bit of information into the
container. container.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>cgroup-full:ro</option>: similar to <option>cgroup-full:ro</option>: similar to
<option>cgroup-full:mixed</option>, but everything <option>cgroup-full:mixed</option>, but everything
will be mounted read-only. will be mounted read-only.
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>cgroup-full:rw</option>: similar to <option>cgroup-full:rw</option>: similar to
<option>cgroup-full:mixed</option>, but everything <option>cgroup-full:mixed</option>, but everything
will be mounted read-write. Note that in this case, will be mounted read-write. Note that in this case,
the container may escape its own cgroup. (Note also the container may escape its own cgroup. (Note also
that if the container has CAP_SYS_ADMIN support that if the container has CAP_SYS_ADMIN support
and can mount the cgroup filesystem itself, it may and can mount the cgroup filesystem itself, it may
do so anyway.) do so anyway.)
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>
<option>cgroup-full</option> (without specifier): <option>cgroup-full</option> (without specifier):
defaults to <option>cgroup-full:rw</option> if the defaults to <option>cgroup-full:rw</option> if the
container retains the CAP_SYS_ADMIN capability, container retains the CAP_SYS_ADMIN capability,
<option>cgroup-full:mixed</option> otherwise. <option>cgroup-full:mixed</option> otherwise.
</para> </para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para> <para>
Note that if automatic mounting of the cgroup filesystem Note that if automatic mounting of the cgroup filesystem
is enabled, the tmpfs under is enabled, the tmpfs under
<filename>/sys/fs/cgroup</filename> will always be <filename>/sys/fs/cgroup</filename> will always be
mounted read-write (but for the <option>:mixed</option> mounted read-write (but for the <option>:mixed</option>
and <option>:ro</option> cases, the individual and <option>:ro</option> cases, the individual
hierarchies, hierarchies,
<filename>/sys/fs/cgroup/$hierarchy</filename>, will be <filename>/sys/fs/cgroup/$hierarchy</filename>, will be
read-only). This is in order to work around a quirk in read-only). This is in order to work around a quirk in
Ubuntu's Ubuntu's
<citerefentry> <citerefentry>
<refentrytitle>mountall</refentrytitle> <refentrytitle>mountall</refentrytitle>
<manvolnum>8</manvolnum> <manvolnum>8</manvolnum>
</citerefentry> </citerefentry>
command that will cause containers to wait for user command that will cause containers to wait for user
input at boot if input at boot if
<filename>/sys/fs/cgroup</filename> is mounted read-only <filename>/sys/fs/cgroup</filename> is mounted read-only
and the container can't remount it read-write due to a and the container can't remount it read-write due to a
lack of CAP_SYS_ADMIN. lack of CAP_SYS_ADMIN.
</para> </para>
<para> <para>
Examples: Examples:
</para> </para>
<programlisting> <programlisting>
lxc.mount.auto = proc sys cgroup lxc.mount.auto = proc sys cgroup
lxc.mount.auto = proc:rw sys:rw cgroup-full:rw lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
</programlisting> </programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
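Review bot: the Mount points intro ends with "for examples" (should be "for example"), and since this hunk only re-indents these lines it is a cheap moment to fix the wording too. The entries in this variablelist also start inconsistently: "specify a file location", "specify a mount point" and "specify which standard kernel file systems" are lowercase, while the lxc.autodev entry just above begins with a capital ("Set this to 1 ..."); pick one convention. Finally, the "cgroup" (without specifier) and "cgroup-full" (without specifier) items make the chosen mode depend on whether the container retains CAP_SYS_ADMIN, and the cgroup-full:rw item warns that the container "may escape its own cgroup"; a short cross-reference from these items to the lxc.cap.drop / lxc.cap.keep entries in the Capabilities section would let readers see where that capability is controlled.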
...@@ -882,189 +882,189 @@ proc proc proc nodev,noexec,nosuid 0 0 ...@@ -882,189 +882,189 @@ proc proc proc nodev,noexec,nosuid 0 0
<refsect2> <refsect2>
<title>Root file system</title> <title>Root file system</title>
<para> <para>
The root file system of the container can be different than that The root file system of the container can be different than that
of the host system. of the host system.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.rootfs</option> <option>lxc.rootfs</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify the root file system for the container. It can specify the root file system for the container. It can
be an image file, a directory or a block device. If not be an image file, a directory or a block device. If not
specified, the container shares its root file system specified, the container shares its root file system
with the host. with the host.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.rootfs.mount</option> <option>lxc.rootfs.mount</option>
</term> </term>
<listitem> <listitem>
<para> <para>
where to recursively bind <option>lxc.rootfs</option> where to recursively bind <option>lxc.rootfs</option>
before pivoting. This is to ensure success of the before pivoting. This is to ensure success of the
<citerefentry> <citerefentry>
<refentrytitle><command>pivot_root</command></refentrytitle> <refentrytitle><command>pivot_root</command></refentrytitle>
<manvolnum>8</manvolnum> <manvolnum>8</manvolnum>
</citerefentry> </citerefentry>
syscall. Any directory suffices, the default should syscall. Any directory suffices, the default should
generally work. generally work.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.rootfs.options</option> <option>lxc.rootfs.options</option>
</term> </term>
<listitem> <listitem>
<para> <para>
extra mount options to use when mounting the rootfs. extra mount options to use when mounting the rootfs.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.pivotdir</option> <option>lxc.pivotdir</option>
</term> </term>
<listitem> <listitem>
<para> <para>
where to pivot the original root file system under where to pivot the original root file system under
<option>lxc.rootfs</option>, specified relatively to <option>lxc.rootfs</option>, specified relatively to
that. The default is <filename>mnt</filename>. that. The default is <filename>mnt</filename>.
It is created if necessary, and also removed after It is created if necessary, and also removed after
unmounting everything from it during container setup. unmounting everything from it during container setup.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2> <refsect2>
<title>Control group</title> <title>Control group</title>
<para> <para>
The control group section contains the configuration for the The control group section contains the configuration for the
different subsystem. <command>lxc</command> does not check the different subsystem. <command>lxc</command> does not check the
correctness of the subsystem name. This has the disadvantage correctness of the subsystem name. This has the disadvantage
of not detecting configuration errors until the container is of not detecting configuration errors until the container is
started, but has the advantage of permitting any future started, but has the advantage of permitting any future
subsystem. subsystem.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.cgroup.[subsystem name]</option> <option>lxc.cgroup.[subsystem name]</option>
</term> </term>
<listitem> <listitem>
<para> <para>
specify the control group value to be set. The specify the control group value to be set. The
subsystem name is the literal name of the control group subsystem name is the literal name of the control group
subsystem. The permitted names and the syntax of their subsystem. The permitted names and the syntax of their
values is not dictated by LXC, instead it depends on the values is not dictated by LXC, instead it depends on the
features of the Linux kernel running at the time the features of the Linux kernel running at the time the
container is started, container is started,
eg. <option>lxc.cgroup.cpuset.cpus</option> eg. <option>lxc.cgroup.cpuset.cpus</option>
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2> <refsect2>
<title>Capabilities</title> <title>Capabilities</title>
<para> <para>
The capabilities can be dropped in the container if this one The capabilities can be dropped in the container if this one
is run as root. is run as root.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.cap.drop</option> <option>lxc.cap.drop</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify the capability to be dropped in the container. A Specify the capability to be dropped in the container. A
single line defining several capabilities with a space single line defining several capabilities with a space
separation is allowed. The format is the lower case of separation is allowed. The format is the lower case of
the capability definition without the "CAP_" prefix, the capability definition without the "CAP_" prefix,
eg. CAP_SYS_MODULE should be specified as eg. CAP_SYS_MODULE should be specified as
sys_module. See sys_module. See
<citerefentry> <citerefentry>
<refentrytitle><command>capabilities</command></refentrytitle> <refentrytitle><command>capabilities</command></refentrytitle>
<manvolnum>7</manvolnum> <manvolnum>7</manvolnum>
</citerefentry>, </citerefentry>,
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.cap.keep</option> <option>lxc.cap.keep</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify the capability to be kept in the container. All other Specify the capability to be kept in the container. All other
capabilities will be dropped. capabilities will be dropped.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2> <refsect2>
<title>Apparmor profile</title> <title>Apparmor profile</title>
<para> <para>
If lxc was compiled and installed with apparmor support, and the host If lxc was compiled and installed with apparmor support, and the host
system has apparmor enabled, then the apparmor profile under which the system has apparmor enabled, then the apparmor profile under which the
container should be run can be specified in the container container should be run can be specified in the container
configuration. The default is <command>lxc-container-default</command>. configuration. The default is <command>lxc-container-default</command>.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.aa_profile</option> <option>lxc.aa_profile</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify the apparmor profile under which the container should Specify the apparmor profile under which the container should
be run. To specify that the container should be unconfined, be run. To specify that the container should be unconfined,
use use
</para> </para>
<programlisting>lxc.aa_profile = unconfined</programlisting> <programlisting>lxc.aa_profile = unconfined</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
<refsect2> <refsect2>
<title>SELinux context</title> <title>SELinux context</title>
<para> <para>
If lxc was compiled and installed with SELinux support, and the host If lxc was compiled and installed with SELinux support, and the host
system has SELinux enabled, then the SELinux context under which the system has SELinux enabled, then the SELinux context under which the
container should be run can be specified in the container container should be run can be specified in the container
configuration. The default is <command>unconfined_t</command>, configuration. The default is <command>unconfined_t</command>,
which means that lxc will not attempt to change contexts. which means that lxc will not attempt to change contexts.
See @DATADIR@/lxc/selinux/lxc.te for an example policy and more See @DATADIR@/lxc/selinux/lxc.te for an example policy and more
information. information.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.se_context</option> <option>lxc.se_context</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify the SELinux context under which the container should Specify the SELinux context under which the container should
be run or <command>unconfined_t</command>. For example be run or <command>unconfined_t</command>. For example
</para> </para>
<programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting> <programlisting>lxc.se_context = system_u:system_r:lxc_t:s0:c22</programlisting>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
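Review bot: several wording slips survive the re-indentation in this hunk and could be fixed in the same pass. In the Control group intro, "the configuration for the different subsystem" should be "subsystems"; "eg." appears twice (lxc.cgroup and lxc.cap.drop entries) and should be "e.g."; the lxc.cap.drop paragraph ends with "</citerefentry>," where a period is needed; and "The capabilities can be dropped in the container if this one is run as root" reads better as "if it is run as root". The lxc.cap.keep entry would also benefit from one sentence saying how it interacts with lxc.cap.drop when both are present, since the text currently documents each in isolation.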
...@@ -1072,17 +1072,17 @@ proc proc proc nodev,noexec,nosuid 0 0 ...@@ -1072,17 +1072,17 @@ proc proc proc nodev,noexec,nosuid 0 0
<title>Seccomp configuration</title> <title>Seccomp configuration</title>
<para> <para>
A container can be started with a reduced set of available A container can be started with a reduced set of available
system calls by loading a seccomp profile at startup. The system calls by loading a seccomp profile at startup. The
seccomp configuration file must begin with a version number seccomp configuration file must begin with a version number
on the first line, a policy type on the second line, followed on the first line, a policy type on the second line, followed
by the configuration. by the configuration.
</para> </para>
<para> <para>
Versions 1 and 2 are currently supported. In version 1, the Versions 1 and 2 are currently supported. In version 1, the
policy is a simple whitelist. The second line therefore must policy is a simple whitelist. The second line therefore must
read "whitelist", with the rest of the file containing one (numeric) read "whitelist", with the rest of the file containing one (numeric)
sycall number per line. Each syscall number is whitelisted, sycall number per line. Each syscall number is whitelisted,
while every unlisted number is blacklisted for use in the container while every unlisted number is blacklisted for use in the container
</para> </para>
<para> <para>
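Review bot: "one (numeric) sycall number per line" has a typo ("syscall"), and the sentence "while every unlisted number is blacklisted for use in the container" is missing its terminating period; both sit on lines this hunk already touches.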
...@@ -1101,17 +1101,17 @@ blacklist ...@@ -1101,17 +1101,17 @@ blacklist
mknod errno 0 mknod errno 0
</screen> </screen>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.seccomp</option> <option>lxc.seccomp</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Specify a file containing the seccomp configuration to Specify a file containing the seccomp configuration to
load before the container starts. load before the container starts.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
...@@ -1119,30 +1119,30 @@ mknod errno 0 ...@@ -1119,30 +1119,30 @@ mknod errno 0
<title>UID mappings</title> <title>UID mappings</title>
<para> <para>
A container can be started in a private user namespace with A container can be started in a private user namespace with
user and group id mappings. For instance, you can map userid user and group id mappings. For instance, you can map userid
0 in the container to userid 200000 on the host. The root 0 in the container to userid 200000 on the host. The root
user in the container will be privileged in the container, user in the container will be privileged in the container,
but unprivileged on the host. Normally a system container but unprivileged on the host. Normally a system container
will want a range of ids, so you would map, for instance, will want a range of ids, so you would map, for instance,
user and group ids 0 through 20,000 in the container to the user and group ids 0 through 20,000 in the container to the
ids 200,000 through 220,000. ids 200,000 through 220,000.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.id_map</option> <option>lxc.id_map</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Four values must be provided. First a character, either Four values must be provided. First a character, either
'u', or 'g', to specify whether user or group ids are 'u', or 'g', to specify whether user or group ids are
being mapped. Next is the first userid as seen in the being mapped. Next is the first userid as seen in the
user namespace of the container. Next is the userid as user namespace of the container. Next is the userid as
seen on the host. Finally, a range indicating the number seen on the host. Finally, a range indicating the number
of consecutive ids to map. of consecutive ids to map.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
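Review bot: the example range in the UID mappings intro is off by one: "user and group ids 0 through 20,000 in the container to the ids 200,000 through 220,000" describes 20,001 ids, while the lxc.id_map entry below says the fourth value is "the number of consecutive ids to map". Either say "0 through 19,999 ... 200,000 through 219,999" (a range of 20,000) or adjust the wording so the example matches a single range value. It would also help to show the corresponding lxc.id_map lines for that example, since the entry only describes the four fields in prose.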
...@@ -1150,28 +1150,28 @@ mknod errno 0 ...@@ -1150,28 +1150,28 @@ mknod errno 0
<title>Container hooks</title> <title>Container hooks</title>
<para> <para>
Container hooks are programs or scripts which can be executed Container hooks are programs or scripts which can be executed
at various times in a container's lifetime. at various times in a container's lifetime.
</para> </para>
<para> <para>
When a container hook is executed, information is passed both When a container hook is executed, information is passed both
as command line arguments and through environment variables. as command line arguments and through environment variables.
The arguments are: The arguments are:
<itemizedlist> <itemizedlist>
<listitem><para> Container name. </para></listitem> <listitem><para> Container name. </para></listitem>
<listitem><para> Section (always 'lxc'). </para></listitem> <listitem><para> Section (always 'lxc'). </para></listitem>
<listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem> <listitem><para> The hook type (i.e. 'clone' or 'pre-mount'). </para></listitem>
<listitem><para> Additional arguments In the <listitem><para> Additional arguments In the
case of the clone hook, any extra arguments passed to case of the clone hook, any extra arguments passed to
lxc-clone will appear as further arguments to the hook. </para></listitem> lxc-clone will appear as further arguments to the hook. </para></listitem>
</itemizedlist> </itemizedlist>
The following environment variables are set: The following environment variables are set:
<itemizedlist> <itemizedlist>
<listitem><para> LXC_NAME: is the container's name. </para></listitem> <listitem><para> LXC_NAME: is the container's name. </para></listitem>
<listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem> <listitem><para> LXC_ROOTFS_MOUNT: the path to the mounted root filesystem. </para></listitem>
<listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem> <listitem><para> LXC_CONFIG_FILE: the path to the container configuration file. </para></listitem>
<listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem> <listitem><para> LXC_SRC_NAME: in the case of the clone hook, this is the original container's name. </para></listitem>
<listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem> <listitem><para> LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that. </para></listitem>
</itemizedlist> </itemizedlist>
</para> </para>
<para> <para>
Standard output from the hooks is logged at debug level. Standard output from the hooks is logged at debug level.
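Review bot: in the hook arguments list, "Additional arguments In the case of the clone hook" is missing the period after "arguments", and "The hook type (i.e. 'clone' or 'pre-mount')" should use "e.g." since those are examples, not the full set (the entries below also document pre-start, mount, autodev, start and post-stop). The environment variable list is also inconsistent ("LXC_NAME: is the container's name." versus "LXC_ROOTFS_MOUNT: the path to ...") and omits LXC_CONSOLE and LXC_CONSOLE_LOGPATH, which are documented further down; a cross-reference to that later section would avoid the two lists drifting apart.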
...@@ -1179,109 +1179,109 @@ mknod errno 0 ...@@ -1179,109 +1179,109 @@ mknod errno 0
hook redirecting its standard error to standard output. hook redirecting its standard error to standard output.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.hook.pre-start</option> <option>lxc.hook.pre-start</option>
</term> </term>
<listitem> <listitem>
<para> <para>
A hook to be run in the host's namespace before the A hook to be run in the host's namespace before the
container ttys, consoles, or mounts are up. container ttys, consoles, or mounts are up.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.hook.pre-mount</option> <option>lxc.hook.pre-mount</option>
</term> </term>
<listitem> <listitem>
<para> <para>
A hook to be run in the container's fs namespace but before A hook to be run in the container's fs namespace but before
the rootfs has been set up. This allows for manipulation the rootfs has been set up. This allows for manipulation
of the rootfs, i.e. to mount an encrypted filesystem. Mounts of the rootfs, i.e. to mount an encrypted filesystem. Mounts
done in this hook will not be reflected on the host (apart from done in this hook will not be reflected on the host (apart from
mounts propagation), so they will be automatically cleaned up mounts propagation), so they will be automatically cleaned up
when the container shuts down. when the container shuts down.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.hook.mount</option> <option>lxc.hook.mount</option>
</term> </term>
<listitem> <listitem>
<para> <para>
A hook to be run in the container's namespace after A hook to be run in the container's namespace after
mounting has been done, but before the pivot_root. mounting has been done, but before the pivot_root.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.hook.autodev</option> <option>lxc.hook.autodev</option>
</term> </term>
<listitem> <listitem>
<para> <para>
A hook to be run in the container's namespace after A hook to be run in the container's namespace after
mounting has been done and after any mount hooks have mounting has been done and after any mount hooks have
run, but before the pivot_root, if run, but before the pivot_root, if
<option>lxc.autodev</option> == 1. <option>lxc.autodev</option> == 1.
The purpose of this hook is to assist in populating the The purpose of this hook is to assist in populating the
/dev directory of the container when using the autodev /dev directory of the container when using the autodev
option for systemd based containers. The container's /dev option for systemd based containers. The container's /dev
directory is relative to the directory is relative to the
${<option>LXC_ROOTFS_MOUNT</option>} environment ${<option>LXC_ROOTFS_MOUNT</option>} environment
variable available when the hook is run. variable available when the hook is run.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.hook.start</option> <option>lxc.hook.start</option>
</term> </term>
<listitem> <listitem>
<para> <para>
A hook to be run in the container's namespace immediately A hook to be run in the container's namespace immediately
before executing the container's init. This requires the before executing the container's init. This requires the
program to be available in the container. program to be available in the container.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.hook.post-stop</option> <option>lxc.hook.post-stop</option>
</term> </term>
<listitem> <listitem>
<para> <para>
A hook to be run in the host's namespace after the A hook to be run in the host's namespace after the
container has been shut down. container has been shut down.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.hook.clone</option> <option>lxc.hook.clone</option>
</term> </term>
<listitem> <listitem>
<para> <para>
A hook to be run when the container is cloned to a new one. A hook to be run when the container is cloned to a new one.
See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle> See <citerefentry><refentrytitle><command>lxc-clone</command></refentrytitle>
<manvolnum>1</manvolnum></citerefentry> for more information. <manvolnum>1</manvolnum></citerefentry> for more information.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
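Review bot: in the lxc.hook.pre-mount entry, "i.e. to mount an encrypted filesystem" should be "e.g." (it is one example of rootfs manipulation, not a definition). In the lxc.hook.autodev entry, "<option>lxc.autodev</option> == 1" is code notation in prose; "is set to 1" reads more naturally in a man page. Since every hook here gets its own variablelist, consider merging them into one list, matching the other sections of this file.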
...@@ -1295,89 +1295,89 @@ mknod errno 0 ...@@ -1295,89 +1295,89 @@ mknod errno 0
and, as such, not valid during the <option>lxc.hook.start</option> hook. and, as such, not valid during the <option>lxc.hook.start</option> hook.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>LXC_NAME</option> <option>LXC_NAME</option>
</term> </term>
<listitem> <listitem>
<para> <para>
The LXC name of the container. Useful for logging messages The LXC name of the container. Useful for logging messages
in common log environments. [<option>-n</option>] in common log environments. [<option>-n</option>]
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>LXC_CONFIG_FILE</option> <option>LXC_CONFIG_FILE</option>
</term> </term>
<listitem> <listitem>
<para> <para>
Host relative path to the container configuration file. This Host relative path to the container configuration file. This
gives the container to reference the original, top level, gives the container to reference the original, top level,
configuration file for the container in order to locate any configuration file for the container in order to locate any
additional configuration information not otherwise made additional configuration information not otherwise made
available. [<option>-f</option>] available. [<option>-f</option>]
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>LXC_CONSOLE</option> <option>LXC_CONSOLE</option>
</term> </term>
<listitem> <listitem>
<para> <para>
The path to the console output of the container if not NULL. The path to the console output of the container if not NULL.
[<option>-c</option>] [<option>lxc.console</option>] [<option>-c</option>] [<option>lxc.console</option>]
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>LXC_CONSOLE_LOGPATH</option> <option>LXC_CONSOLE_LOGPATH</option>
</term> </term>
<listitem> <listitem>
<para> <para>
The path to the console log output of the container if not NULL. The path to the console log output of the container if not NULL.
[<option>-L</option>] [<option>-L</option>]
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>LXC_ROOTFS_MOUNT</option> <option>LXC_ROOTFS_MOUNT</option>
</term> </term>
<listitem> <listitem>
<para> <para>
The mount location to which the container is initially bound. The mount location to which the container is initially bound.
This will be the host relative path to the container rootfs This will be the host relative path to the container rootfs
for the container instance being started and is where changes for the container instance being started and is where changes
should be made for that instance. should be made for that instance.
[<option>lxc.rootfs.mount</option>] [<option>lxc.rootfs.mount</option>]
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>LXC_ROOTFS_PATH</option> <option>LXC_ROOTFS_PATH</option>
</term> </term>
<listitem> <listitem>
<para> <para>
The host relative path to the container root which has been The host relative path to the container root which has been
mounted to the rootfs.mount location. mounted to the rootfs.mount location.
[<option>lxc.rootfs</option>] [<option>lxc.rootfs</option>]
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
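Review bot: the LXC_CONFIG_FILE paragraph in this hunk is missing a verb: "This gives the container to reference the original, top level, configuration file" should read "This lets the container reference the original, top level, configuration file". Since this commit is limited to tabs/spaces, the wording fix should go in a separate follow-up so that `git diff -w` stays empty for this one.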
...@@ -1397,36 +1397,36 @@ mknod errno 0 ...@@ -1397,36 +1397,36 @@ mknod errno 0
command line options to <command>lxc-start</command>. command line options to <command>lxc-start</command>.
</para> </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.loglevel</option> <option>lxc.loglevel</option>
</term> </term>
<listitem> <listitem>
<para> <para>
The level at which to log. The log level is an integer in The level at which to log. The log level is an integer in
the range of 0..8 inclusive, where a lower number means more the range of 0..8 inclusive, where a lower number means more
verbose debugging. In particular 0 = trace, 1 = debug, 2 = verbose debugging. In particular 0 = trace, 1 = debug, 2 =
info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
alert, and 8 = fatal. If unspecified, the level defaults alert, and 8 = fatal. If unspecified, the level defaults
to 5 (error), so that only errors and above are logged. to 5 (error), so that only errors and above are logged.
</para> </para>
<para> <para>
Note that when a script (such as either a hook script or a Note that when a script (such as either a hook script or a
network interface up or down script) is called, the script's network interface up or down script) is called, the script's
standard output is logged at level 1, debug. standard output is logged at level 1, debug.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>lxc.logfile</option> <option>lxc.logfile</option>
</term> </term>
<listitem> <listitem>
<para> <para>
The file to which logging info should be written. The file to which logging info should be written.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
</refsect2> </refsect2>
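Review bot: the second paragraph of lxc.loglevel says that hook and network script output is logged at level 1 (debug), while the first paragraph says the level defaults to 5 (error); the consequence, that script output is discarded unless lxc.loglevel is lowered to 1 or 0, is left for the reader to infer. Suggest stating it directly in a follow-up, e.g. "so it only appears in the log when lxc.loglevel is 1 or lower", since missing hook output is a common point of confusion when debugging a container start.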
...@@ -1515,25 +1515,25 @@ mknod errno 0 ...@@ -1515,25 +1515,25 @@ mknod errno 0
<refsect1> <refsect1>
<title>Examples</title> <title>Examples</title>
<para> <para>
In addition to the few examples given below, you will find In addition to the few examples given below, you will find
some other examples of configuration file in @DOCDIR@/examples some other examples of configuration file in @DOCDIR@/examples
</para> </para>
<refsect2> <refsect2>
<title>Network</title> <title>Network</title>
<para>This configuration sets up a container to use a veth pair <para>This configuration sets up a container to use a veth pair
device with one side plugged to a bridge br0 (which has been device with one side plugged to a bridge br0 (which has been
configured before on the system by the administrator). The configured before on the system by the administrator). The
virtual network device visible in the container is renamed to virtual network device visible in the container is renamed to
eth0.</para> eth0.</para>
<programlisting> <programlisting>
lxc.utsname = myhostname lxc.utsname = myhostname
lxc.network.type = veth lxc.network.type = veth
lxc.network.flags = up lxc.network.flags = up
lxc.network.link = br0 lxc.network.link = br0
lxc.network.name = eth0 lxc.network.name = eth0
lxc.network.hwaddr = 4a:49:43:49:79:bf lxc.network.hwaddr = 4a:49:43:49:79:bf
lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
</programlisting> </programlisting>
</refsect2> </refsect2>
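Review bot: the example's IPv6 address `lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597` uses the prefix 2003:db8, which is not the documentation prefix; RFC 3849 reserves 2001:db8::/32 for examples, and 2003::/16 is ordinary allocated address space. Suggest a follow-up changing the examples here (and the 2003:db8 addresses in the later "complex" example) to 2001:db8:..., so that a copied configuration cannot collide with a real prefix.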
...@@ -1543,8 +1543,8 @@ mknod errno 0 ...@@ -1543,8 +1543,8 @@ mknod errno 0
range 0-9999 in the container to the ids 100000-109999 on the host. range 0-9999 in the container to the ids 100000-109999 on the host.
</para> </para>
<programlisting> <programlisting>
lxc.id_map = u 0 100000 10000 lxc.id_map = u 0 100000 10000
lxc.id_map = g 0 100000 10000 lxc.id_map = g 0 100000 10000
</programlisting> </programlisting>
</refsect2> </refsect2>
...@@ -1555,11 +1555,11 @@ mknod errno 0 ...@@ -1555,11 +1555,11 @@ mknod errno 0
cpus.share prioritize the control group, devices.allow makes cpus.share prioritize the control group, devices.allow makes
usable the specified devices.</para> usable the specified devices.</para>
<programlisting> <programlisting>
lxc.cgroup.cpuset.cpus = 0,1 lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.cpu.shares = 1234 lxc.cgroup.cpu.shares = 1234
lxc.cgroup.devices.deny = a lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = b 8:0 rw lxc.cgroup.devices.allow = b 8:0 rw
</programlisting> </programlisting>
</refsect2> </refsect2>
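Review bot: `lxc.cgroup.devices.allow = b 8:0 rw` in this hunk gives the container read/write access to a whole host block device (major 8, minor 0 is the first SCSI/SATA disk, /dev/sda, on most systems), which undoes much of what the preceding `lxc.cgroup.devices.deny = a` provides; because manpage examples are copied verbatim, the prose "devices.allow makes usable the specified devices" should add that block devices should only be allowed when the container genuinely needs them. Content change, so a follow-up to this whitespace commit.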
...@@ -1569,37 +1569,37 @@ mknod errno 0 ...@@ -1569,37 +1569,37 @@ mknod errno 0
network stack, using the control groups, setting a new hostname, network stack, using the control groups, setting a new hostname,
mounting some locations and a changing root file system.</para> mounting some locations and a changing root file system.</para>
<programlisting> <programlisting>
lxc.utsname = complex lxc.utsname = complex
lxc.network.type = veth lxc.network.type = veth
lxc.network.flags = up lxc.network.flags = up
lxc.network.link = br0 lxc.network.link = br0
lxc.network.hwaddr = 4a:49:43:49:79:bf lxc.network.hwaddr = 4a:49:43:49:79:bf
lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588 lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
lxc.network.type = macvlan lxc.network.type = macvlan
lxc.network.flags = up lxc.network.flags = up
lxc.network.link = eth0 lxc.network.link = eth0
lxc.network.hwaddr = 4a:49:43:49:79:bd lxc.network.hwaddr = 4a:49:43:49:79:bd
lxc.network.ipv4 = 10.2.3.4/24 lxc.network.ipv4 = 10.2.3.4/24
lxc.network.ipv4 = 192.168.10.125/24 lxc.network.ipv4 = 192.168.10.125/24
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
lxc.network.type = phys lxc.network.type = phys
lxc.network.flags = up lxc.network.flags = up
lxc.network.link = dummy0 lxc.network.link = dummy0
lxc.network.hwaddr = 4a:49:43:49:79:ff lxc.network.hwaddr = 4a:49:43:49:79:ff
lxc.network.ipv4 = 10.2.3.6/24 lxc.network.ipv4 = 10.2.3.6/24
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297 lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
lxc.cgroup.cpuset.cpus = 0,1 lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.cpu.shares = 1234 lxc.cgroup.cpu.shares = 1234
lxc.cgroup.devices.deny = a lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = b 8:0 rw lxc.cgroup.devices.allow = b 8:0 rw
lxc.mount = /etc/fstab.complex lxc.mount = /etc/fstab.complex
lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0 lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
lxc.rootfs = /mnt/rootfs.complex lxc.rootfs = /mnt/rootfs.complex
lxc.cap.drop = sys_module mknod setuid net_raw lxc.cap.drop = sys_module mknod setuid net_raw
lxc.cap.drop = mac_override lxc.cap.drop = mac_override
</programlisting> </programlisting>
</refsect2> </refsect2>
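Review bot: the intro paragraph of the "complex" example lists the network stack, control groups, hostname, mounts and root file system, but the listing also ends with two `lxc.cap.drop` lines (dropping sys_module, mknod, setuid, net_raw and then mac_override), which is the one hardening step in the example and the one that shows the key is cumulative across lines; suggest adding "and dropping capabilities" to the sentence in a follow-up so readers do not overlook it.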
...@@ -1609,23 +1609,23 @@ mknod errno 0 ...@@ -1609,23 +1609,23 @@ mknod errno 0
<title>See Also</title> <title>See Also</title>
<simpara> <simpara>
<citerefentry> <citerefentry>
<refentrytitle><command>chroot</command></refentrytitle> <refentrytitle><command>chroot</command></refentrytitle>
<manvolnum>1</manvolnum> <manvolnum>1</manvolnum>
</citerefentry>, </citerefentry>,
<citerefentry> <citerefentry>
<refentrytitle><command>pivot_root</command></refentrytitle> <refentrytitle><command>pivot_root</command></refentrytitle>
<manvolnum>8</manvolnum> <manvolnum>8</manvolnum>
</citerefentry>, </citerefentry>,
<citerefentry> <citerefentry>
<refentrytitle><filename>fstab</filename></refentrytitle> <refentrytitle><filename>fstab</filename></refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</citerefentry>, </citerefentry>,
<citerefentry> <citerefentry>
<refentrytitle><filename>capabilities</filename></refentrytitle> <refentrytitle><filename>capabilities</filename></refentrytitle>
<manvolnum>7</manvolnum> <manvolnum>7</manvolnum>
</citerefentry> </citerefentry>
</simpara> </simpara>
</refsect1> </refsect1>
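Review bot: as in every hunk of this commit, the old and new columns of the "See Also" hunk are textually identical, so before merging please confirm the change is whitespace-only with `git diff -w` (expected to produce no output) to rule out a stray content edit riding along with the re-indentation.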