49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur

7f95145833bb24f54e037f73ecc37444d6635697Dwight Engen<!DOCTYPE refentry PUBLIC @docdtd@ [

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler]>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler<refentry>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refmeta>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refentrytitle>lxc-attach</refentrytitle>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <manvolnum>1</manvolnum>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refmeta>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refnamediv>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refname>lxc-attach</refname>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refpurpose>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler start a process inside a running container.

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refpurpose>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refnamediv>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refsynopsisdiv>

b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen <cmdsynopsis>

b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen <command>lxc-attach</command>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <arg choice="req">-n, --name <replaceable>name</replaceable></arg>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <arg choice="opt">-f, --rcfile <replaceable>config_file</replaceable></arg>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <arg choice="opt">-a, --arch <replaceable>arch</replaceable></arg>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <arg choice="opt">-e, --elevated-privileges <replaceable>privileges</replaceable></arg>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <arg choice="opt">-s, --namespaces <replaceable>namespaces</replaceable></arg>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <arg choice="opt">-R, --remount-sys-proc</arg>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <arg choice="opt">--keep-env</arg>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <arg choice="opt">--clear-env</arg>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <arg choice="opt">-L, --pty-log <replaceable>file</replaceable></arg>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <arg choice="opt">-v, --set-var <replaceable>variable</replaceable></arg>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <arg choice="opt">--keep-var <replaceable>variable</replaceable></arg>

b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen <arg choice="opt">-- <replaceable>command</replaceable></arg>

b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen </cmdsynopsis>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refsynopsisdiv>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refsect1>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <title>Description</title>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <command>lxc-attach</command> runs the specified

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <replaceable>command</replaceable> inside the container

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler specified by <replaceable>name</replaceable>. The container

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler has to be running already.

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler If no <replaceable>command</replaceable> is specified, the

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler current default shell of the user running

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <command>lxc-attach</command> will be looked up inside the

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler container and executed. This will fail if no such user exists

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler inside the container or the container does not have a working

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler nsswitch mechanism.

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </para>

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner <para>

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner Previous versions of <command>lxc-attach</command> simply attached to the

478dda766ac987ac54df79a126209bbd30792b49Christian Brauner specified namespaces of a container and ran a shell or the specified command

478dda766ac987ac54df79a126209bbd30792b49Christian Brauner without first allocating a pseudo terminal. This made them vulnerable to

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner input faking via a TIOCSTI <command>ioctl</command> call after switching

02e5d92b70562457a963f0803f0069053ce3292bChristian Brauner between userspace execution contexts with different privilege levels. Newer

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner versions of <command>lxc-attach</command> will try to allocate a pseudo

478dda766ac987ac54df79a126209bbd30792b49Christian Brauner terminal master/slave pair on the host and attach any standard file

478dda766ac987ac54df79a126209bbd30792b49Christian Brauner descriptors which refer to a terminal to the slave side of the pseudo

478dda766ac987ac54df79a126209bbd30792b49Christian Brauner terminal before executing a shell or command. Note, that if none of the

478dda766ac987ac54df79a126209bbd30792b49Christian Brauner standard file descriptors refer to a terminal <command>lxc-attach</command>

478dda766ac987ac54df79a126209bbd30792b49Christian Brauner will not try to allocate a pseudo terminal. Instead it will simply attach

478dda766ac987ac54df79a126209bbd30792b49Christian Brauner to the containers namespaces and run a shell or the specified command.

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner </para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refsect1>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refsect1>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <title>Options</title>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <variablelist>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <varlistentry>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <term>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <option>-f, --rcfile <replaceable>config_file</replaceable></option>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </term>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <listitem>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <para>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi Specify the configuration file to configure the virtualization

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi and isolation functionalities for the container.

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </para>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <para>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi This configuration file if present will be used even if there is

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi already a configuration file present in the previously created

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi container (via lxc-create).

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </para>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </listitem>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </varlistentry>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <varlistentry>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <term>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <option>-a, --arch <replaceable>arch</replaceable></option>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </term>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <listitem>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler Specify the architecture which the kernel should appear to be

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler running as to the command executed. This option will accept the

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler same settings as the <option>lxc.arch</option> option in

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler container configuration files, see

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <citerefentry>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refentrytitle><filename>lxc.conf</filename></refentrytitle>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <manvolnum>5</manvolnum>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </citerefentry>. By default, the current archictecture of the

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler running container will be used.

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </listitem>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </varlistentry>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <varlistentry>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <term>

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur <option>

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur -e, --elevated-privileges <replaceable>privileges</replaceable>

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur </option>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </term>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <listitem>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler Do not drop privileges when running

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <replaceable>command</replaceable> inside the container. If

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler this option is specified, the new process will

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <emphasis>not</emphasis> be added to the container's cgroup(s)

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler and it will not drop its capabilities before executing.

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </para>

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur <para>

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur You may specify privileges, in case you do not want to elevate all of

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur them, as a pipe-separated list, e.g.

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur <replaceable>CGROUP|LSM</replaceable>. Allowed values are

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur <replaceable>LSM</replaceable> representing cgroup, capabilities and

759d521b1fd7bb6c82fc5f7759a1fefc397a7969Christian Brauner restriction privileges respectively. (The pipe symbol needs to be escaped,

759d521b1fd7bb6c82fc5f7759a1fefc397a7969Christian Brauner e.g. <replaceable>CGROUP\|LSM</replaceable> or quoted, e.g.

759d521b1fd7bb6c82fc5f7759a1fefc397a7969Christian Brauner <replaceable>"CGROUP|LSM"</replaceable>.)

4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur </para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <emphasis>Warning:</emphasis> This may leak privileges into the

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler container if the command starts subprocesses that remain active

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler after the main process that was attached is terminated. The

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler (re-)starting of daemons inside the container is problematic,

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler especially if the daemon starts a lot of subprocesses such as

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <command>cron</command> or <command>sshd</command>.

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <emphasis>Use with great care.</emphasis>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </listitem>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </varlistentry>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <varlistentry>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <term>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <option>-s, --namespaces <replaceable>namespaces</replaceable></option>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </term>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <listitem>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <para>

037ba55cbee97bb9e1be95423c358ac1a7b33a2aDwight Engen Specify the namespaces to attach to, as a pipe-separated list,

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>USER </replaceable> and

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>NETWORK</replaceable>. This allows one to change

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler the context of the process to e.g. the network namespace of the

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler container while retaining the other namespaces as those of the

759d521b1fd7bb6c82fc5f7759a1fefc397a7969Christian Brauner host. (The pipe symbol needs to be escaped, e.g.

759d521b1fd7bb6c82fc5f7759a1fefc397a7969Christian Brauner <replaceable>MOUNT\|PID</replaceable> or quoted, e.g.

759d521b1fd7bb6c82fc5f7759a1fefc397a7969Christian Brauner <replaceable>"MOUNT|PID"</replaceable>.)

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <emphasis>Important:</emphasis> This option implies

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <option>-e</option>.

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </listitem>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </varlistentry>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <varlistentry>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <term>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <option>-R, --remount-sys-proc</option>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler </term>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <listitem>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <para>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler When using <option>-s</option> and the mount namespace is not

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler included, this flag will cause <command>lxc-attach</command>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler to remount <replaceable>/proc</replaceable> and

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <replaceable>/sys</replaceable> to reflect the current other

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler namespace contexts.

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler </para>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <para>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler Please see the <emphasis>Notes</emphasis> section for more

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler details.

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler </para>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <para>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler This option will be ignored if one tries to attach to the

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler mount namespace anyway.

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler </para>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler </listitem>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler </varlistentry>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <varlistentry>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <term>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <option>--keep-env</option>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler </term>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <listitem>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <para>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler Keep the current environment for attached programs. This is

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler the current default behaviour (as of version 0.9), but is

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler is likely to change in the future, since this may leak

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler undesirable information into the container. If you rely on

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler the environment being available for the attached program,

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler please use this option to be future-proof. In addition to

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler current environment variables, container=lxc will be set.

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler </para>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler </listitem>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler </varlistentry>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <varlistentry>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <term>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <option>--clear-env</option>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler </term>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <listitem>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <para>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler Clear the environment before attaching, so no undesired

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler environment variables leak into the container. The variable

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler container=lxc will be the only environment with which the

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler attached program starts.

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler </para>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler </listitem>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler </varlistentry>

799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner <varlistentry>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner <term>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner <option>-L, --pty-log <replaceable>file</replaceable></option>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner </term>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner <listitem>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner <para>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner Specify a file where the output of <command>lxc-attach</command> will be

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner logged.

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner </para>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner <para>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner <emphasis>Important:</emphasis> When a standard file descriptor

659ce93a2e405f928cd4e1a457270572571a8db8Stéphane Graber does not refer to a pty output produced on it will not be logged.

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner </para>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner </listitem>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner </varlistentry>

54e478606b53e5983aba84c1f6619d55923ff605Christian Brauner

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <varlistentry>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <term>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <option>-v, --set-var <replaceable>variable</replaceable></option>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </term>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <listitem>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <para>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi Set an additional environment variable that is seen by the

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi attached program in the container. It is specified in the

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi form of "VAR=VALUE", and can be specified multiple times.

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </para>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </listitem>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </varlistentry>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <varlistentry>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <term>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <option>--keep-var <replaceable>variable</replaceable></option>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </term>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <listitem>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi <para>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi Keep a specified environment variable. It can only be

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi specified in conjunction

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi with <replaceable>--clear-env</replaceable>, and can be

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi specified multiple times.

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </para>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </listitem>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi </varlistentry>

be3ee4adbabb62f0d5a8564e21c8b47fd13793c9KATOH Yasufumi

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler </variablelist>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refsect1>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler &commonoptions;

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refsect1>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <title>Examples</title>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler To spawn a new shell running inside an existing container, use

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <programlisting>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler lxc-attach -n container

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </programlisting>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler To restart the cron service of a running Debian container, use

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <programlisting>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler lxc-attach -n container -- /etc/init.d/cron restart

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </programlisting>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler To deactivate the network link eth1 of a running container that

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler does not have the NET_ADMIN capability, use either the

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <option>-e</option> option to use increased capabilities,

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler assuming the <command>ip</command> tool is installed:

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <programlisting>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler lxc-attach -n container -e -- /sbin/ip link delete eth1

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </programlisting>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler Or, alternatively, use the <option>-s</option> to use the

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler tools installed on the host outside the container:

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <programlisting>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </programlisting>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refsect1>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <refsect1>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <title>Compatibility</title>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler Attaching completely (including the pid and mount namespaces) to a

a600d021adf34e58b3991269a9ceca3737c63aa8KATOH Yasufumi container requires a kernel of version 3.8 or higher, or a

a600d021adf34e58b3991269a9ceca3737c63aa8KATOH Yasufumi patched kernel, please see the lxc website for

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler details. <command>lxc-attach</command> will fail in that case if

a600d021adf34e58b3991269a9ceca3737c63aa8KATOH Yasufumi used with an unpatched kernel of version 3.7 and prior.

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler Nevertheless, it will succeed on an unpatched kernel of version 3.0

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler or higher if the <option>-s</option> option is used to restrict the

aa8d013ec5b09cd1cd904173d6234ef126eb2126Peter Simons namespaces that the process is to be attached to to one or more of

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler and <replaceable>UTSNAME</replaceable>.

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <para>

a600d021adf34e58b3991269a9ceca3737c63aa8KATOH Yasufumi Attaching to user namespaces is supported by kernel 3.8 or higher

a600d021adf34e58b3991269a9ceca3737c63aa8KATOH Yasufumi with enabling user namespace.

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </refsect1>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <refsect1>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <title>Notes</title>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler The Linux <replaceable>/proc</replaceable> and

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>/sys</replaceable> filesystems contain information

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler about some quantities that are affected by namespaces, such as

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler the directories named after process ids in

36b33520f67cd1a83be8031fccc3c2d7d7255e06Stéphane Graber <replaceable>/proc</replaceable> or the network interface information

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler in <replaceable>/sys/class/net</replaceable>. The namespace of the

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler process mounting the pseudo-filesystems determines what information

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler is shown, <emphasis>not</emphasis> the namespace of the process

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler accessing <replaceable>/proc</replaceable> or

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>/sys</replaceable>.

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler If one uses the <option>-s</option> option to only attach to

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler the pid namespace of a container, but not its mount namespace

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler (which will contain the <replaceable>/proc</replaceable> of the

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler container and not the host), the contents of <option>/proc</option>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler will reflect that of the host and not the container. Analogously,

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler the same issue occurs when reading the contents of

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>/sys/class/net</replaceable> and attaching to just

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler the network namespace.

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <para>

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler To work around this problem, the <option>-R</option> flag provides

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler the option to remount <replaceable>/proc</replaceable> and

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <replaceable>/sys</replaceable> in order for them to reflect the

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler network/pid namespace context of the attached process. In order

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler not to interfere with the host's actual filesystem, the mount

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler namespace will be unshared (like <command>lxc-unshare</command>

e9555a6bc7056cd887ee19c80b6c59627ac61255Evgeni Golov does) before this is done, essentially giving the process a new

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler mount namespace, which is identical to the hosts's mount namespace

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler except for the <replaceable>/proc</replaceable> and

7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <replaceable>/sys</replaceable> filesystems.

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </para>

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner <para>

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner Previous versions of <command>lxc-attach</command> suffered a bug whereby

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner a user could attach to a containers namespace without being placed in a

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner writeable cgroup for some critical subsystems. Newer versions of

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner <command>lxc-attach</command> will check whether a user is in a writeable

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner cgroup for those critical subsystems. <command>lxc-attach</command> might

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner thus fail unexpectedly for some users (E.g. on systems where an

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner unprivileged user is not placed in a writeable cgroup in critical

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner subsystems on login.). However, this behavior is correct and more secure.

e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner </para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </refsect1>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refsect1>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <title>Security</title>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler The <option>-e</option> and <option>-s</option> options should

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler be used with care, as it may break the isolation of the containers

e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler if used improperly.

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refsect1>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler &seealso;

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refsect1>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <title>Author</title>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refsect1>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler</refentry>

49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler