doc: document lxc.namespace.[namespace identifier]

Closes #1924. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

doc: document lxc.namespace.[namespace identifier]
f3c9f122 · Christian Brauner · ece913fe · f3c9f122
Unverified Commit f3c9f122 authored Nov 23, 2017 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 59 additions and 0 deletions

lxc.container.conf.sgml.in doc/lxc.container.conf.sgml.in +59 -0

No files found.
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1278,6 +1278,65 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
    </refsect2>

    <refsect2>
+      <title>Namespace Inheritance</title>
+      <para>
+        The capabilities can be dropped in the container if this one
+        is run as root.
+      </para>
+      <variablelist>
+        <varlistentry>
+          <term>
+            <option>lxc.namespace.[namespace identifier]</option>
+          </term>
+          <listitem>
+            <para>
+            Specify a namespace to inherit from another container or process.
+            The <option>[namespace identifier]</option> suffix needs to be
+            replaced with one of the namespaces that appear in the
+            <filename>/proc/PID/ns</filename> directory.
+            </para>
+
+            <para>
+            To inherit the namespace from another process set the
+            <option>lxc.namespace.[namespace identifier]</option> to the PID of
+            the process, e.g. <option>lxc.namespace.net=42</option>.
+            </para>
+
+            <para>
+            To inherit the namespace from another container set the 
+            <option>lxc.namespace.[namespace identifier]</option> to the name of
+            the container, e.g. <option>lxc.namespace.pid=c3</option>.
+            </para>
+
+            <para>
+            To inherit the namespace from another container located in a
+            different path than the standard liblxc path set the
+            <option>lxc.namespace.[namespace identifier]</option> to the full
+            path to the container, e.g.
+            <option>lxc.namespace.user=/opt/c3</option>.
+            </para>
+
+            <para>
+            In order to inherit namespaces the caller needs to have sufficient
+            privilege over the process or container.
+            </para>
+
+            <para>
+            Note that sharing pid namespaces between system containers will
+            likely not work with most init systems.
+            </para>
+
+            <para>
+            Note that if two processes are in different user namespaces and one
+            process wants to inherit the other's network namespace it usually
+            needs to inherit the user namespace as well.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
+
+    <refsect2>
      <title>Resource limits</title>
      <para>
        The soft and hard resource limits for the container can be changed.