When calling "man lxc.container.conf", an internal "man" keyword is displayed :
$ man lxc.container.conf
[...]
lxc.mount.entry
Specify a mount point corresponding to a line in the fstab format. Moreover lxc supports mount propagation, such as
rslave or rprivate, and adds three additional mount options. optional don't fail if mount does not work. create=dir
or create=file to create dir (or file) when the point will be mounted. relative source path is taken to be relative to
the mounted container root. For instance,
dev/null proc/kcore none bind,relative 0 0
.fi <-----------------------------------UNEXPECTED KEYWORD !!!!
The problem seems to come from the missing blanks before "dev/null proc/kcore none bind,relative 0 0"
Moreover, for homogeneity purposes, it is better to use the "programlisting" tag used in the rest of the text instead of "screen".
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
This is the translation for the following description:
- lxc.seccomp.notify.proxy (commit 8a64375)
- host side veth device static routes (commit d4a7da4)
- IPVLAN (commit c9f5238)
- Layer 2 proxy mode (commit 6509154)
- gateway device route mode (commit a2f9a67)
and fix typo in English man page.
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Adds ability to specify "dev" as the gateway value, which will cause a device route to be set as default gateway.
Signed-off-by: tomponline <thomas.parrott@canonical.com>
Adds the lxc.net.[i].l2proxy flag that can be either 0 or 1.
Defaults to 0.
This, when used with lxc.net.[i].link, will add IP neighbour proxy entries on the linked device
for any IPv4 and IPv6 addresses on the container's network device.
Additionally, for IPv6 addresses it will check the following sysctl values and fail with an error if not set:
net.ipv6.conf.[link].proxy_ndp=1
net.ipv6.conf.[link].forwarding=1
Signed-off-by: tomponline <thomas.parrott@canonical.com>
This adds the lxc.seccomp.allow_nesting api extension. If
lxc.seccomp.allow_nesting is set to 1 then seccomp profiles will be
stacked. This way nested containers can load their own seccomp policy on
top of the policy that the outer container might have applied.
Cc: Simon Fels <simon.fels@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This is modeled after LXD's API extension checks. This allows API users
to query the given LXC instance whether a given API extension is
supported.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Current we have a few minor grammatical errors in the documentation for
lxc container configuration.
Fix minor grammatical errors.
Signed-off-by: Tobin C. Harding <me@tobin.cc>
Unprivileged containers are not compatible with sharing the
host namespace due to an inability to mount sysfs. Add docs
in lxc.container.conf to document that out.
Refs #2463
Signed-off-by: Alexandros Kosiaris <akosiaris@gmail.com>
Set the signal to be sent to the container's init when the lxc monitor exits.
By default it is set to SIGKILL which will cause all container processes to be
killed when the lxc monitor process dies.
To ensure that containers stay alive even if lxc monitor dies set this to 0.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
When a bare environment variable is specified then retrieve the value from the
current environment. For example, setting
lxc.environment = PATH
will cause LXC to inherit the value of PATH from the current environment.
Suggested-by: Jonathan Calmels <jcalmels@nvidia.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
We've announced quite a while back and printed out errors and warning everytime
someone used the aufs driver.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
- remove legacy binaries
- conditionalize creation of docs and tests for the command line tools and the
shared library helper commands
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This allows users to only compile the shared libray without having to compile
any of the command line tools or command helpers for the shared library.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
lxc.console.size regulates the size of the console log file. This is intended
to replace lxc.console.buffer.logfile. The current semantics are:
- if lxc.console.size is not set:
- no limit is placed on the size of the log file
- if lxc.console.size is set:
- if lxc.console.rotate is set and the next write would exceed the limit:
- write as much as possible into the old log file
- rotate the log file
- write as much as posible into the new log file
- discard remaining bytes (scenario shouldn't be possible in normal
circumstances)
- if lxc.console.rotate is not set and the next write would exceed the limit:
- keep overwriting the current log file
To make the log file a mirror of the in-memory ringbuffer simply set:
lxc.console.buffer.size == lxc.console.size.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This lets users specify
lxc.mount.auto = cgroup:mixed:force
or
lxc.mount.auto = cgroup:ro:force
or
lxc.mount.auto = cgroup:rw:force
When cgroup namespaces are supported LXC will not mount cgroups for the
container since it assumes that the init system will mount cgroups itself if it
wants to. This assumption already broke when users wanted to run containers
without CAP_SYS_ADMIN. For example, systemd based containers wouldn't start
since systemd needs to mount cgroups (named systemd hierarchy for legacy
cgroups and the unified hierarchy for unified cgroups) to track processes. This
problem was solved by detecting whether the container had CAP_SYS_ADMIN. If it
didn't we performed the cgroup mounts for it.
However, there are more cases when we should be able to mount cgroups for the
container when cgroup namespaces are supported:
- init systems not mounting cgroups themselves:
A init system that doesn't mount cgroups would not have cgroups available
especially when combined with custom LSM profiles to prevent cgroup
{u}mount()ing inside containers.
- application containers:
Application containers will usually not mount by cgroups themselves.
- read-only cgroups:
It is useful to be able to mount cgroups read-only to e.g. prevent
changing cgroup limits from inside the container while at the same time
allowing the applications to perform introspection on their own cgroups. This
again is mostly useful for application containers. System containers running
systemd will usually not work correctly when cgroups are mounted read-only.
To be fair, all of those use-cases could be covered by custom hooks or
lxc.mount.entry entries but exposing it through lxc.mount.auto takes care of
setting correct mount options and adding the necessary logic to e.g. mount
filesystem read-only correctly.
Currently we only extend this to cgroup:{mixed,ro,rw} but technically there's
no reason not to enable the same behavior for cgroup-full:{mixed,ro,rw} as
well. If someone requests this we can simply treat it as a bug and add "force"
for cgroup-full.
Replaces #2136.
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
