lxc-attach.sgml.in revision e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilerlxc: linux Container library
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler(C) Copyright IBM Corp. 2007, 2008
9afe19d634946d50eab30e3b90cb5cebcde39eeaDaniel LezcanoDaniel Lezcano <daniel.lezcano at free.fr>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian SeilerThis library is free software; you can redistribute it and/or
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilermodify it under the terms of the GNU Lesser General Public
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian SeilerLicense as published by the Free Software Foundation; either
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilerversion 2.1 of the License, or (at your option) any later version.
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian SeilerThis library is distributed in the hope that it will be useful,
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilerbut WITHOUT ANY WARRANTY; without even the implied warranty of
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian SeilerMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian SeilerLesser General Public License for more details.
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian SeilerYou should have received a copy of the GNU Lesser General Public
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian SeilerLicense along with this library; if not, write to the Free Software
250b1eec71b074acdff1c5f6b5a1f0d7d2c20b77Stéphane GraberFoundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler start a process inside a running container.
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refpurpose>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refnamediv>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refsynopsisdiv>
b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen <cmdsynopsis>
b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen <arg choice="req">-n <replaceable>name</replaceable></arg>
b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen <arg choice="opt">-a <replaceable>arch</replaceable></arg>
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen <arg choice="opt">-- <replaceable>command</replaceable></arg>
b4578c5b380130a41a69b5b49c970157acaf1dbbDwight Engen </cmdsynopsis>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </refsynopsisdiv>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <command>lxc-attach</command> runs the specified
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <replaceable>command</replaceable> inside the container
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler specified by <replaceable>name</replaceable>. The container
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler has to be running already.
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler If no <replaceable>command</replaceable> is specified, the
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler current default shell of the user running
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <command>lxc-attach</command> will be looked up inside the
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler container and executed. This will fail if no such user exists
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler inside the container or the container does not have a working
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler nsswitch mechanism.
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner Previous versions of <command>lxc-attach</command> simply attached to the
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner specified namespaces of a container and ran a shell or the specified
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner command without allocating a pseudo terminal. This made them vulnerable to
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner input faking via a TIOCSTI <command>ioctl</command> call after switching
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner between userspace execution contexts with different privilege levels. Newer
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner versions of <command>lxc-attach</command> will try to allocate a pseudo
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner terminal master/slave pair and attach any standard file descriptors which
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner refer to a terminal to the slave side of the pseudo terminal before
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner executing a shell or command. <command>lxc-attach</command> will first try
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner to allocate a pseudo terminal in the container. Should this fail it will try
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner to allocate a pseudo terminal on the host before finally giving up. Note
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner that if none of the standard file descriptors refer to a terminal
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner <command>lxc-attach</command> will not try to allocate a pseudo terminal.
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner Instead it will simply attach to the container's namespaces and run a shell
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner or the specified command.
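The descriptor handling described in the paragraph above, as an added C example (not LXC's own code): descriptors that refer to a terminal are moved to the slave side of a fresh pseudo terminal, anything else is left alone, and no pseudo terminal is allocated when none of them is a terminal. The function names and the constructed stand-in descriptors in `main()` are assumptions for illustration; marking the master close-on-exec and failing closed on a `dup2` error are choices of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Allocate a pty pair; the master is close-on-exec so it stays with the caller. */
int open_pty_pair(int *master, int *slave)
{
    const char *name;
    int m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0)
        return -1;
    if (grantpt(m) < 0 || unlockpt(m) < 0 || !(name = ptsname(m)) ||
        fcntl(m, F_SETFD, FD_CLOEXEC) < 0 ||
        (*slave = open(name, O_RDWR | O_NOCTTY)) < 0) {
        close(m);
        return -1;
    }
    *master = m;
    return 0;
}

/* 1 if both descriptors refer to the same terminal device, else 0. */
int same_tty(int a, int b)
{
    struct stat sa, sb;
    if (fstat(a, &sa) < 0 || fstat(b, &sb) < 0)
        return 0;
    return S_ISCHR(sa.st_mode) && sa.st_dev == sb.st_dev && sa.st_rdev == sb.st_rdev;
}

/* Point every terminal descriptor in fds[] at the slave of a new pty. With no
 * terminal among them, *master is -1. Returns the number redirected or -1. */
int attach_ttys_to_new_pty(const int *fds, int n, int *master)
{
    int slave, moved = 0, ttys = 0;
    *master = -1;
    for (int i = 0; i < n; i++)
        ttys += isatty(fds[i]);
    if (ttys == 0)
        return 0;               /* nothing refers to a terminal: no pty */
    if (open_pty_pair(master, &slave) < 0)
        return -1;
    for (int i = 0; i < n && moved >= 0; i++)
        if (isatty(fds[i]))     /* fail closed: an error aborts the attach */
            moved = dup2(slave, fds[i]) < 0 ? -1 : moved + 1;
    close(slave);
    return moved;
}

int main(void)
{
    int caller_master, caller_tty, pipefd[2], master;
    /* Constructed stand-ins: caller_tty plays the caller's own terminal. */
    if (open_pty_pair(&caller_master, &caller_tty) < 0 || pipe(pipefd) < 0)
        return 1;
    int fds[2] = { dup(caller_tty), pipefd[0] };
    int moved = attach_ttys_to_new_pty(fds, 2, &master);
    printf("redirected=%d on_callers_tty=%d pipe_is_tty=%d\n",
           moved, same_tty(fds[0], caller_tty), isatty(fds[1]));
    return moved == 1 ? 0 : 1;
}
```

After the redirect, the attached command's terminal descriptors no longer refer to the caller's terminal, so input queued on them lands in the new pseudo terminal, whose master only the caller holds.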
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <variablelist>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <varlistentry>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <option>-a, --arch <replaceable>arch</replaceable></option>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler Specify the architecture which the kernel should appear to be
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler running as to the command executed. This option will accept the
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler same settings as the <option>lxc.arch</option> option in
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler container configuration files, see
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <citerefentry>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <refentrytitle><filename>lxc.conf</filename></refentrytitle>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </citerefentry>. By default, the current architecture of the
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler running container will be used.
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </varlistentry>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <varlistentry>
4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur -e, --elevated-privileges <replaceable>privileges</replaceable>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler Do not drop privileges when running
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <replaceable>command</replaceable> inside the container. If
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler this option is specified, the new process will
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <emphasis>not</emphasis> be added to the container's cgroup(s)
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler and it will not drop its capabilities before executing.
4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur You may specify privileges, in case you do not want to elevate all of
4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur them, as a pipe-separated list, e.g.
4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur <replaceable>CGROUP|LSM</replaceable>. Allowed values are
4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur <replaceable>LSM</replaceable> representing cgroup, capabilities and
4d69b2939ce09fbe624636dc01734a542e050ef9Nikola Kotur restriction privileges respectively.
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <emphasis>Warning:</emphasis> This may leak privileges into the
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler container if the command starts subprocesses that remain active
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler after the main process that was attached is terminated. The
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler (re-)starting of daemons inside the container is problematic,
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler especially if the daemon starts a lot of subprocesses such as
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <command>cron</command> or <command>sshd</command>.
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </varlistentry>
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <varlistentry>
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
037ba55cbee97bb9e1be95423c358ac1a7b33a2aDwight Engen Specify the namespaces to attach to, as a pipe-separated list,
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>NETWORK</replaceable>. This allows one to change
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler the context of the process to e.g. the network namespace of the
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler container while retaining the other namespaces as those of the
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <emphasis>Important:</emphasis> This option implies
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </varlistentry>
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <varlistentry>
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler When using <option>-s</option> and the mount namespace is not
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler included, this flag will cause <command>lxc-attach</command>
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler to remount <replaceable>/proc</replaceable> and
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <replaceable>/sys</replaceable> to reflect the current other
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler namespace contexts.
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler Please see the <emphasis>Notes</emphasis> section for more
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler This option will be ignored if one tries to attach to the
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler mount namespace anyway.
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler </varlistentry>
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <varlistentry>
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler Keep the current environment for attached programs. This is
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler the current default behaviour (as of version 0.9), but is
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler likely to change in the future, since this may leak
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler undesirable information into the container. If you rely on
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler the environment being available for the attached program,
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler please use this option to be future-proof. In addition to
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler current environment variables, container=lxc will be set.
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler </varlistentry>
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler <varlistentry>
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler Clear the environment before attaching, so no undesired
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler environment variables leak into the container. The variable
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler container=lxc will be the only environment with which the
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler attached program starts.
799f96fdd8fc9c0685fffee5998aab2287ebc25fChristian Seiler </varlistentry>
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler </variablelist>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler &commonoptions;
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler To spawn a new shell running inside an existing container, use
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <programlisting>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler lxc-attach -n container
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </programlisting>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler To restart the cron service of a running Debian container, use
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <programlisting>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler lxc-attach -n container -- /etc/init.d/cron restart
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </programlisting>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler To deactivate the network link eth1 of a running container that
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler does not have the NET_ADMIN capability, use either the
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <option>-e</option> option to use increased capabilities,
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler assuming the <command>ip</command> tool is installed:
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <programlisting>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler lxc-attach -n container -e -- /sbin/ip link delete eth1
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler </programlisting>
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler Or, alternatively, use the <option>-s</option> option to use the
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler tools installed on the host outside the container:
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <programlisting>
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler </programlisting>
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler Attaching completely (including the pid and mount namespaces) to a
a600d021adf34e58b3991269a9ceca3737c63aa8KATOH Yasufumi container requires a kernel of version 3.8 or higher, or a
a600d021adf34e58b3991269a9ceca3737c63aa8KATOH Yasufumi patched kernel; please see the lxc website for
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler details. <command>lxc-attach</command> will fail in that case if
a600d021adf34e58b3991269a9ceca3737c63aa8KATOH Yasufumi used with an unpatched kernel of version 3.7 and prior.
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler Nevertheless, it will succeed on an unpatched kernel of version 3.0
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler or higher if the <option>-s</option> option is used to restrict the
aa8d013ec5b09cd1cd904173d6234ef126eb2126Peter Simons namespaces that the process is to be attached to to one or more of
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
a600d021adf34e58b3991269a9ceca3737c63aa8KATOH Yasufumi Attaching to user namespaces is supported by kernel 3.8 or higher
a600d021adf34e58b3991269a9ceca3737c63aa8KATOH Yasufumi with user namespaces enabled.
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler The Linux <replaceable>/proc</replaceable> and
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>/sys</replaceable> filesystems contain information
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler about some quantities that are affected by namespaces, such as
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler the directories named after process ids in
36b33520f67cd1a83be8031fccc3c2d7d7255e06Stéphane Graber <replaceable>/proc</replaceable> or the network interface information
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler in <replaceable>/sys/class/net</replaceable>. The namespace of the
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler process mounting the pseudo-filesystems determines what information
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler is shown, <emphasis>not</emphasis> the namespace of the process
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler accessing <replaceable>/proc</replaceable> or
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler If one uses the <option>-s</option> option to only attach to
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler the pid namespace of a container, but not its mount namespace
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler (which will contain the <replaceable>/proc</replaceable> of the
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler container and not the host), the contents of <option>/proc</option>
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler will reflect that of the host and not the container. Analogously,
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler the same issue occurs when reading the contents of
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler <replaceable>/sys/class/net</replaceable> and attaching to just
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler the network namespace.
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler To work around this problem, the <option>-R</option> flag provides
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler the option to remount <replaceable>/proc</replaceable> and
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <replaceable>/sys</replaceable> in order for them to reflect the
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler network/pid namespace context of the attached process. In order
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler not to interfere with the host's actual filesystem, the mount
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler namespace will be unshared (like <command>lxc-unshare</command>
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler does) before this is done, essentially giving the process a new
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler mount namespace, which is identical to the host's mount namespace
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler except for the <replaceable>/proc</replaceable> and
7a0b0b5672a33c190eefb4b2d3e3693241c130f2Christian Seiler <replaceable>/sys</replaceable> filesystems.
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner Previous versions of <command>lxc-attach</command> suffered a bug whereby
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner a user could attach to a container's namespace without being placed in a
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner writeable cgroup for some critical subsystems. Newer versions of
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner <command>lxc-attach</command> will check whether a user is in a writeable
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner cgroup for those critical subsystems. <command>lxc-attach</command> might
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner thus fail unexpectedly for some users (e.g. on systems where an
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner unprivileged user is not placed in a writeable cgroup in critical
e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6Christian Brauner subsystems on login). However, this behavior is correct and more secure.
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler The <option>-e</option> and <option>-s</option> options should
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler be used with care, as they may break the isolation of the containers
e13eeea2db3743bf8d3fe2833e069a80e2c4102cChristian Seiler if used improperly.
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler <para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seiler<!-- Keep this comment at the end of the file
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian SeilerLocal variables:
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-omittag:t
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-shorttag:t
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-minimize-attributes:nil
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-always-quote-attributes:t
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-indent-step:2
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-indent-data:t
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-parent-document:nil
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-default-dtd-file:nil
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-exposed-tags:nil
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-local-catalogs:nil
49ee6cdcbf79d8b6fa617479ec8ab753ccca923dChristian Seilersgml-local-ecat-files:nil