lxc-attach.sgml.in revision 54e478606b53e5983aba84c1f6619d55923ff605
lxc: linux Container library
(C) Copyright IBM Corp. 2007, 2008
Daniel Lezcano <daniel.lezcano at free.fr>
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
  <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
      start a process inside a running container.
    </refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <arg choice="req">-n <replaceable>name</replaceable></arg>
      <arg choice="opt">-a <replaceable>arch</replaceable></arg>
      <arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
      <arg choice="opt">-L <replaceable>file</replaceable></arg>
      <arg choice="opt">-- <replaceable>command</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>
    <command>lxc-attach</command> runs the specified
    <replaceable>command</replaceable> inside the container
    specified by <replaceable>name</replaceable>. The container
    has to be running already. Everything after <option>--</option>
    is passed to the container unchanged as the command and its arguments.

    If no <replaceable>command</replaceable> is specified, the
    current default shell of the user running
    <command>lxc-attach</command> will be looked up inside the
    container and executed. This will fail if no such user exists
    inside the container or the container does not have a working
    nsswitch mechanism.

    Previous versions of <command>lxc-attach</command> simply attached to the
    specified namespaces of a container and ran a shell or the specified command
    without first allocating a pseudo terminal. This made them vulnerable to
    input faking via a TIOCSTI <command>ioctl</command> call after switching
    between userspace execution contexts with different privilege levels: a
    process inside the container that inherited the caller's terminal file
    descriptor could push characters into that terminal's input queue, and the
    host shell would read and execute them once <command>lxc-attach</command>
    returned. Newer versions of <command>lxc-attach</command> will try to
    allocate a pseudo terminal master/slave pair on the host and attach any
    standard file descriptors which refer to a terminal to the slave side of the
    pseudo terminal before executing a shell or command, so the container only
    ever holds the slave side and cannot inject input into the host terminal.
    Note that if none of the standard file descriptors refer to a terminal
    <command>lxc-attach</command> will not try to allocate a pseudo terminal.
    Instead it will simply attach to the container's namespaces and run a
    shell or the specified command.
    <variablelist>
      <varlistentry>
        <option>-a, --arch <replaceable>arch</replaceable></option>
        Specify the architecture which the kernel should appear to be
        running as to the command executed (the process personality,
        as reported by <command>uname</command>). This option will
        accept the same settings as the <option>lxc.arch</option> option in
        container configuration files, see
        <citerefentry>
          <refentrytitle><filename>lxc.conf</filename></refentrytitle>
        </citerefentry>. By default, the current architecture of the
        running container will be used.
      </varlistentry>
      <varlistentry>
        <option>-e, --elevated-privileges <replaceable>privileges</replaceable></option>
        Do not drop privileges when running
        <replaceable>command</replaceable> inside the container. If
        this option is specified, the new process will
        <emphasis>not</emphasis> be added to the container's cgroup(s)
        and it will not drop its capabilities before executing.
        You may specify privileges, in case you do not want to elevate all of
        them, as a pipe-separated list, e.g.
        <replaceable>CGROUP|LSM</replaceable>. Allowed values are
        <replaceable>CGROUP</replaceable>, <replaceable>CAP</replaceable> and
        <replaceable>LSM</replaceable> representing cgroup, capabilities and
        LSM (e.g. AppArmor or SELinux) restriction privileges respectively.
        (The pipe symbol needs to be escaped,
        e.g. <replaceable>CGROUP\|LSM</replaceable> or quoted, e.g.

        <emphasis>Warning:</emphasis> This may leak privileges into the
        container if the command starts subprocesses that remain active
        after the main process that was attached is terminated: every
        child inherits the elevated capabilities, the missing LSM
        confinement and the host-side cgroup placement. The
        (re-)starting of daemons inside the container is problematic,
        especially if the daemon starts a lot of subprocesses such as
        <command>cron</command> or <command>sshd</command>.
      </varlistentry>
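The following POSIX shell script is an added example, not part of this man page or of the lxc code base. It implements the check the warning above calls for: from the host, it lists every process that lives in the container's PID namespace but whose cgroup is not under the container's cgroup, which is exactly what a daemon left behind by a command run with <option>-e</option> looks like. The cgroup name <filename>/lxc.payload.NAME</filename> (LXC 4 with cgroup v2), the <command>lxc-info -n NAME -p -H</command> invocation used to obtain the container's init PID, and the <filename>/proc/PID/cgroup</filename> line format are assumptions stated in the script, not facts taken from this page; the sample input in the usage is constructed.

```shell
#!/bin/sh
# Added example (not lxc code): find processes that run in a container's
# PID namespace but outside its cgroup, i.e. the privilege leak that
# "lxc-attach -e" can leave behind when the attached command forks daemons.
#
# Assumptions (not from the man page): cgroup v2 with the container cgroup
# named /lxc.payload.NAME as in LXC 4; "lxc-info -n NAME -p -H" printing the
# container's init PID without a label; /proc/PID/cgroup lines having the
# "HIERARCHY:CONTROLLERS:PATH" shape, of which only the first line is used.

# classify_cgroup_lines PREFIX
#   stdin:  lines of the form "PID <first line of /proc/PID/cgroup>"
#   stdout: "PID PATH" for every process whose cgroup path is neither PREFIX
#           nor a descendant of PREFIX
#   status: 1 if at least one such process was found, 0 otherwise
classify_cgroup_lines() {
  prefix="$1"
  found=0
  while read -r pid cgline; do
    [ -n "$pid" ] || continue
    path="${cgline##*:}"            # v2: "0::/path"; v1: "N:ctl:/path"
    case "$path" in
      "$prefix"|"$prefix"/*) ;;     # inside the container's cgroup tree
      *) printf '%s %s\n' "$pid" "$path"; found=1 ;;
    esac
  done
  return "$found"
}

# audit_container NAME [CGROUP_PREFIX]
#   Collects every host PID sharing the container init's PID namespace and
#   feeds it to classify_cgroup_lines.  Reading /proc/PID/ns/pid of other
#   users' processes needs root or CAP_SYS_PTRACE on the host.
audit_container() {
  name="$1"
  prefix="${2:-/lxc.payload.$name}"
  init_pid=$(lxc-info -n "$name" -p -H) || return 2
  init_ns=$(readlink "/proc/$init_pid/ns/pid") || return 2
  for p in /proc/[0-9]*; do
    [ "$(readlink "$p/ns/pid" 2>/dev/null)" = "$init_ns" ] || continue
    printf '%s %s\n' "${p#/proc/}" "$(head -n 1 "$p/cgroup")"
  done | classify_cgroup_lines "$prefix"
}

# Live use: ./audit.sh NAME [CGROUP_PREFIX]; exit status 1 means leaked
# processes were printed.  Offline check against constructed input:
#   printf '3 0::/user.slice\n' | classify_cgroup_lines /lxc.payload.web
# prints "3 /user.slice" and returns 1.
if [ "$#" -ge 1 ]; then
  audit_container "$@"
fi
```

A non-zero exit from <command>audit_container</command> is the signal to act on: the listed PIDs are subject to none of the container's cgroup limits and, having been started with <option>-e</option>, to none of its capability or LSM restrictions either. The cgroup prefix is a parameter because older LXC releases and cgroup v1 hosts use a different naming scheme.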
      <varlistentry>
        <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
        Specify the namespaces to attach to, as a pipe-separated list,
        e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
        <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
        <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
        <replaceable>NETWORK</replaceable>. This allows one to change
        the context of the process to e.g. the network namespace of the
        container while retaining the other namespaces as those of the
        host. (The pipe symbol needs to be escaped, e.g.
        <replaceable>MOUNT\|PID</replaceable> or quoted, e.g.

        <emphasis>Important:</emphasis> This option implies
      </varlistentry>
      <varlistentry>
        When using <option>-s</option> and the mount namespace is not
        included, this flag will cause <command>lxc-attach</command>
        to remount <replaceable>/proc</replaceable> and
        <replaceable>/sys</replaceable> so that they reflect the
        namespaces the process has actually entered (e.g. the container's
        PID or network namespace) rather than those of the host, which
        the inherited mounts would otherwise keep showing.
        Please see the <emphasis>Notes</emphasis> section for more
        This option will be ignored if one tries to attach to the
        mount namespace anyway.
      </varlistentry>
      <varlistentry>
thus fail unexpectedly for some users (E.g. on systems where an