mirror of
https://git.proxmox.com/git/mirror_lxc
synced 2025-08-09 19:29:15 +00:00
lxc.conf.sgml.in: fill in missing configuration file statements
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
parent
1897e3bcd3
commit
64f782ca69
@ -75,6 +75,32 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|||||||
the line is a comment.
|
the line is a comment.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
|
<refsect2>
|
||||||
|
<title>Configuration</title>
|
||||||
|
<para>
|
||||||
|
In order to ease administration of multiple related containers, it
|
||||||
|
is possible to have a container configuration file cause another
|
||||||
|
file to be loaded. For instance, network configuration
|
||||||
|
can be defined in one common file which is included by multiple
|
||||||
|
containers. Then, if the containers are moved to another host,
|
||||||
|
only one file may need to be updated.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>
|
||||||
|
<option>lxc.include</option>
|
||||||
|
</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Specify the file to be included. The included file must be
|
||||||
|
in the same valid lxc configuration file format.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect2>
|
||||||
|
|
||||||
<refsect2>
|
<refsect2>
|
||||||
<title>Architecture</title>
|
<title>Architecture</title>
|
||||||
<para>
|
<para>
|
||||||
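Review bot: the new lxc.include entry says only that the included file "must be in the same valid lxc configuration file format", which leaves the path semantics undefined. Please state whether the path must be absolute or is resolved relative to the including file, whether an included file may itself contain lxc.include, and which value wins when the same key is set in both files. Because the introductory paragraph recommends one common file shared by multiple containers, it would also help to say that the shared file should carry the same ownership and permissions as the container configuration files that include it. The wording "same valid lxc configuration file format" is awkward; "the same format as this configuration file" reads better.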
@ -395,6 +421,11 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|||||||
type, other arguments may be passed:
|
type, other arguments may be passed:
|
||||||
veth/macvlan/phys. And finally (host-sided) device name.
|
veth/macvlan/phys. And finally (host-sided) device name.
|
||||||
</para>
|
</para>
|
||||||
|
<para>
|
||||||
|
Standard output from the script is logged at debug level.
|
||||||
|
Standard error is not logged, but can be captured by the
|
||||||
|
hook redirecting its standard error to standard output.
|
||||||
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
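Review bot: "Standard error is not logged" in the added paragraph means a failing network script leaves no trace unless its author already knows to redirect, and the text describes the workaround without showing it. Consider adding the one-line idiom a script author would put at the top of the script, for example exec 2>&1, so the advice is directly usable.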
@ -415,6 +446,11 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|||||||
type, other arguments may be passed:
|
type, other arguments may be passed:
|
||||||
veth/macvlan/phys. And finally (host-sided) device name.
|
veth/macvlan/phys. And finally (host-sided) device name.
|
||||||
</para>
|
</para>
|
||||||
|
<para>
|
||||||
|
Standard output from the script is logged at debug level.
|
||||||
|
Standard error is not logged, but can be captured by the
|
||||||
|
hook redirecting its standard error to standard output.
|
||||||
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
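Review bot: the paragraph added here is word for word the one added in the previous hunk, under identical context lines. Stating the stdout/stderr behaviour once for all network scripts, instead of once per script option, would keep the two copies from drifting apart when one is edited later.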
@ -738,6 +774,56 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect2>
|
</refsect2>
|
||||||
|
|
||||||
|
<refsect2>
|
||||||
|
<title>Apparmor profile</title>
|
||||||
|
<para>
|
||||||
|
If lxc was compiled and installed with apparmor support, and the host
|
||||||
|
system has apparmor enabled, then the apparmor profile under which the
|
||||||
|
container should be run can be specified in the container
|
||||||
|
configuration. The default is <command>lxc-container-default</command>.
|
||||||
|
</para>
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>
|
||||||
|
<option>lxc.aa_profile</option>
|
||||||
|
</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Specify the apparmor profile under which the container should
|
||||||
|
be run. To specify that the container should be unconfined,
|
||||||
|
use
|
||||||
|
</para>
|
||||||
|
<programlisting>lxc.aa_profile = unconfined</programlisting>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect2>
|
||||||
|
|
||||||
|
<refsect2>
|
||||||
|
<title>Seccomp configuration</title>
|
||||||
|
<para>
|
||||||
|
A container can be started with a reduced set of available
|
||||||
|
system calls by loading a seccomp profile at startup. The
|
||||||
|
seccomp configuration file should begin with a version number
|
||||||
|
(which currently must be 1) on the first line, a policy type
|
||||||
|
(which must be 'whitelist') on the second line, followed by a
|
||||||
|
list of allowed system call numbers, one per line.
|
||||||
|
</para>
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>
|
||||||
|
<option>lxc.seccomp</option>
|
||||||
|
</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Specify a file containing the seccomp configuration to
|
||||||
|
load before the container starts.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect2>
|
||||||
|
|
||||||
<refsect2>
|
<refsect2>
|
||||||
<title>UID mappings</title>
|
<title>UID mappings</title>
|
||||||
<para>
|
<para>
|
||||||
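Review bot: in the lxc.aa_profile entry the only worked value is lxc.aa_profile = unconfined, so the one example a reader can copy is the one that switches confinement off. Please add an example that names a profile (the default lxc-container-default mentioned in the paragraph above would do) and a sentence on what running unconfined gives up. The para that ends on a bare "use" before the programlisting reads as truncated; "use the following" would fix it. lxc-container-default is a profile name rather than a command, so the command element is the wrong markup for it. In the seccomp section, "a list of allowed system call numbers" should note that system call numbers differ between architectures, and the text should say what happens to a call that is not on the list and what applies when lxc.seccomp is not set.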
@ -775,6 +861,11 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|||||||
Container hooks are programs or scripts which can be executed
|
Container hooks are programs or scripts which can be executed
|
||||||
at various times in a container's lifetime.
|
at various times in a container's lifetime.
|
||||||
</para>
|
</para>
|
||||||
|
<para>
|
||||||
|
Standard output from the hooks is logged at debug level.
|
||||||
|
Standard error is not logged, but can be captured by the
|
||||||
|
hook redirecting its standard error to standard output.
|
||||||
|
</para>
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>
|
<term>
|
||||||
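Review bot: "logged at debug level" in the added hook paragraph needs a pointer to lxc.loglevel, because the Logging section added later in this patch sets the default to 5 (error), which means hook output is dropped unless the level is lowered to 1 or below. A short cross-reference here ("see lxc.loglevel") would save the reader from concluding that the hook produced no output. This is also the third copy of the same three sentences in the patch, with "hooks" substituted for "script".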
@ -978,6 +1069,54 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
</refsect2>
|
</refsect2>
|
||||||
|
<refsect2>
|
||||||
|
<title> Logging</title>
|
||||||
|
<para>
|
||||||
|
Logging can be configured on a per-container basis. By default,
|
||||||
|
depending upon how the lxc package was compiled, container startup
|
||||||
|
is logged only at the ERROR level, and logged to a file named after
|
||||||
|
the container (with '.log' appended) either under the container path,
|
||||||
|
or under @LOGPATH@.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
Both the default log level and the log file can be specified in the
|
||||||
|
container configuration file, overriding the default behavior. Note
|
||||||
|
that the configuration file entries can in turn be overridden by the
|
||||||
|
command line options to <command>lxc-start</command>.
|
||||||
|
</para>
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>
|
||||||
|
<option>lxc.loglevel</option>
|
||||||
|
</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The level at which to log. The log level is an integer in
|
||||||
|
the range of 0..8 inclusive, where a lower number means more
|
||||||
|
verbose debugging. In particular 0 = trace, 1 = debug, 2 =
|
||||||
|
info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
|
||||||
|
alert, and 8 = fatal. If unspecified, the level defaults
|
||||||
|
to 5 (error), so that only errors and above are logged.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
Note that when a script (such as either a hook script or a
|
||||||
|
network interface up or down script) is called, the script's
|
||||||
|
standard output is logged at level 1, debug.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
<varlistentry>
|
||||||
|
<term>
|
||||||
|
<option>lxc.logfile</option>
|
||||||
|
</term>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
The file to which logging info should be written.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect2>
|
||||||
|
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
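Review bot: the lxc.logfile entry says only "The file to which logging info should be written" and does not say whether the path must be absolute, whether an existing file is appended to or truncated, or with what ownership and mode the file is created. Those details matter for a file that, at level 1, records the standard output of every hook and network script. The first paragraph's "either under the container path, or under @LOGPATH@" depends on "how the lxc package was compiled" but gives the reader no way to tell which applies on their system. The title element also has a stray leading space in " Logging".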