d38ffc9c92daeb62de7d28c409bdaeff98f82775Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina]>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina<refentry>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <refmeta>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <refentrytitle>lxc.conf</refentrytitle>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <manvolnum>5</manvolnum>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </refmeta>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <refnamediv>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <refname>lxc.conf</refname>

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <refpurpose>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina linux container configuration file

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </refpurpose>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </refnamediv>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <refsect1>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <title>Description</title>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina The linux containers (<command>lxc</command>) are always created

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina before being used. This creation defines a set of system

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina resources to be virtualized / isolated when a process is using

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina the container. By default, the pids, sysv ipc and mount points

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina are virtualized and isolated. The other system resources are

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina shared across containers, until they are explicitly defined in

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina the configuration file. For example, if there is no network

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina configuration, the network will be shared between the creator of

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina the container and the container itself, but if the network is

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina specified, a new network stack is created for the container and

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina the container can no longer use the network of its ancestor.

1b3144586978c47506eaa39db505e6231e3b0c0aJakub Hrozek </para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov <para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina The configuration file defines the different system resources to

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina be assigned for the container. At present, the utsname, the

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina network, the mount points, the root file system and the control

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina groups are supported.

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina Each option in the configuration file has the form <command>key

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina = value</command> fitting in one line. The '#' character means

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina the line is a comment.

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <refsect2>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <title>Architecture</title>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina Allows to set the architecture for the container. For example,

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina set a 32bits architecture for a container running 32bits

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina binaries on a 64bits host. That fix the container scripts

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina which rely on the architecture to do some work like

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina downloading the packages.

573e86dc3156e481ce53d39ac901da2e99cfa0caJakub Hrozek </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

573e86dc3156e481ce53d39ac901da2e99cfa0caJakub Hrozek <variablelist>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <varlistentry>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <term>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>lxc.arch</option>

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov </term>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <listitem>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina Specify the architecture for the container.

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina Valid options are

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>x86</option>,

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>i686</option>,

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>x86_64</option>,

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>amd64</option>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </listitem>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </varlistentry>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </variablelist>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </refsect2>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <refsect2>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <title>Hostname</title>

573e86dc3156e481ce53d39ac901da2e99cfa0caJakub Hrozek <para>

573e86dc3156e481ce53d39ac901da2e99cfa0caJakub Hrozek The utsname section defines the hostname to be set for the

573e86dc3156e481ce53d39ac901da2e99cfa0caJakub Hrozek container. That means the container can set its own hostname

87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595Lukas Slebodnik without changing the one from the system. That makes the

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina hostname private for the container.

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <variablelist>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <varlistentry>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <term>

573e86dc3156e481ce53d39ac901da2e99cfa0caJakub Hrozek <option>lxc.utsname</option>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </term>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <listitem>

573e86dc3156e481ce53d39ac901da2e99cfa0caJakub Hrozek <para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina specify the hostname for the container

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </listitem>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </varlistentry>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </variablelist>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </refsect2>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <refsect2>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <title>Network</title>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina The network section defines how the network is virtualized in

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina the container. The network virtualization acts at layer

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina two. In order to use the network virtualization, parameters

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina must be specified to define the network interfaces of the

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina container. Several virtual interfaces can be assigned and used

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina in a container even if the system has only one physical

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina network interface.

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <variablelist>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <varlistentry>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <term>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <option>lxc.network.type</option>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </term>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <listitem>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina specify what kind of network virtualization to be used

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina for the container. Each time

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina a <option>lxc.network.type</option> field is found a new

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina round of network configuration begins. In this way,

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov several network virtualization types can be specified

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina for the same container, as well as assigning several

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina network interfaces for one container. The different

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina virtualization types can be:

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <option>empty:</option> will create only the loopback

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina interface.

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <option>veth:</option> a peer network device is created

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina with one side assigned to the container and the other

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina side is attached to a bridge specified by

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina the <option>lxc.network.link</option>. If the bridge is

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina not specified, then the veth pair device will be created

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina but not attached to any bridge. Otherwise, the bridge

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina has to be setup before on the

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina system, <command>lxc</command> won't handle any

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina configuration outside of the container. By

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina default <command>lxc</command> choose a name for the

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina network device belonging to the outside of the

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina container, this name is handled

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina by <command>lxc</command>, but if you wish to handle

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina this name yourself, you can tell <command>lxc</command>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina to set a specific name with

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina the <option>lxc.network.veth.pair</option> option.

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>vlan:</option> a vlan interface is linked with

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina the interface specified by

46d3d2c731e8c7e138462e5b60a39a279dc77d81Pavel Březina the <option>lxc.network.link</option> and assigned to

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina the container. The vlan identifier is specified with the

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina option <option>lxc.network.vlan.id</option>.

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>macvlan:</option> a macvlan interface is linked

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina with the interface specified by

5ff1c3c5a12930692cb6284d14f7fda3a974af8ePavel Březina the <option>lxc.network.link</option> and assigned to

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina the container.

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>lxc.network.macvlan.mode</option> specifies the

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina mode the macvlan will use to communicate between

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina different macvlan on the same upper device. The accepted

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina modes are <option>private</option>, the device never

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina communicates with any other device on the same upper_dev (default),

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <option>vepa</option>, the new Virtual Ethernet Port

5ff1c3c5a12930692cb6284d14f7fda3a974af8ePavel Březina Aggregator (VEPA) mode, it assumes that the adjacent

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina bridge returns all frames where both source and

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina destination are local to the macvlan port, i.e. the

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina bridge is set up as a reflective relay. Broadcast

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina frames coming in from the upper_dev get flooded to all

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov macvlan interfaces in VEPA mode, local frames are not

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina delivered locallay, or <option>bridge</option>, it

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina provides the behavior of a simple bridge between

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina different macvlan interfaces on the same port. Frames

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina from one interface to another one get delivered directly

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina and are not sent out externally. Broadcast frames get

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina flooded to all other bridge ports and to the external

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina interface, but when they come back from a reflective

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina relay, we don't deliver them again. Since we know all

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina the MAC addresses, the macvlan bridge mode does not

573e86dc3156e481ce53d39ac901da2e99cfa0caJakub Hrozek require learning or STP like the bridge module does.

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <option>phys:</option> an already existing interface

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina specified by the <option>lxc.network.link</option> is

7379170a0860790f2739e07fffe3d6ec85264566Pavel Březina assigned to the container.

7379170a0860790f2739e07fffe3d6ec85264566Pavel Březina </para>

7379170a0860790f2739e07fffe3d6ec85264566Pavel Březina </listitem>

46d3d2c731e8c7e138462e5b60a39a279dc77d81Pavel Březina </varlistentry>

46d3d2c731e8c7e138462e5b60a39a279dc77d81Pavel Březina

46d3d2c731e8c7e138462e5b60a39a279dc77d81Pavel Březina <varlistentry>

46d3d2c731e8c7e138462e5b60a39a279dc77d81Pavel Březina <term>

46d3d2c731e8c7e138462e5b60a39a279dc77d81Pavel Březina <option>lxc.network.flags</option>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </term>

5ff1c3c5a12930692cb6284d14f7fda3a974af8ePavel Březina <listitem>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina specify an action to do for the

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina network.

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </para>

573e86dc3156e481ce53d39ac901da2e99cfa0caJakub Hrozek

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <para><option>up:</option> activates the interface.

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </listitem>

573e86dc3156e481ce53d39ac901da2e99cfa0caJakub Hrozek </varlistentry>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <varlistentry>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <term>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>lxc.network.link</option>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </term>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <listitem>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina <para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina specify the interface to be used for real network

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina traffic.

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </listitem>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina </varlistentry>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <varlistentry>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <term>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>lxc.network.name</option>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </term>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <listitem>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina <para>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina the interface name is dynamically allocated, but if

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina another name is needed because the configuration files

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina being used by the container use a generic name,

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina eg. eth0, this option will rename the interface in the

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina container.

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina </listitem>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina </varlistentry>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <varlistentry>

46d3d2c731e8c7e138462e5b60a39a279dc77d81Pavel Březina <term>

46d3d2c731e8c7e138462e5b60a39a279dc77d81Pavel Březina <option>lxc.network.hwaddr</option>

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov </term>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina <listitem>

46d3d2c731e8c7e138462e5b60a39a279dc77d81Pavel Březina <para>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina the interface mac address is dynamically allocated by

46d3d2c731e8c7e138462e5b60a39a279dc77d81Pavel Březina default to the virtual interface, but in some cases,

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina this is needed to resolve a mac address conflict or to

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina always have the same link-local ipv6 address

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </listitem>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </varlistentry>

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina <varlistentry>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <term>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <option>lxc.network.ipv4</option>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina </term>

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov <listitem>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina <para>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina specify the ipv4 address to assign to the virtualized

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina interface. Several lines specify several ipv4 addresses.

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina The address is in format x.y.z.t/m,

a3c8390d19593b1e5277d95bfb4ab206d4785150Nikolai Kondrashov eg. 192.168.1.123/24. The broadcast address should be

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina specified on the same line, right after the ipv4

d38ffc9c92daeb62de7d28c409bdaeff98f82775Pavel Březina address.

d38ffc9c92daeb62de7d28c409bdaeff98f82775Pavel Březina </para>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina </listitem>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina </varlistentry>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina

d38ffc9c92daeb62de7d28c409bdaeff98f82775Pavel Březina <varlistentry>

d38ffc9c92daeb62de7d28c409bdaeff98f82775Pavel Březina <term>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina <option>lxc.network.ipv4.gateway</option>

15d41c8f28259061e39715acdbbbaea778b6ecc8Pavel Březina </term>

710472d946f6c337a095699dfd79134fa8b9eab9Pavel Březina <listitem>

d38ffc9c92daeb62de7d28c409bdaeff98f82775Pavel Březina <para>

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3Pavel Březina specify the ipv4 address to use as the gateway inside the

container. The address is in format x.y.z.t, eg.

192.168.1.123.

Can also have the special value <option>auto</option>,

which means to take the primary address from the bridge

interface (as specified by the

<option>lxc.network.link</option> option) and use that as

the gateway. <option>auto</option> is only available when

using the <option>veth</option> and

<option>macvlan</option> network types.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>

<option>lxc.network.ipv6</option>

</term>

<listitem>

<para>

specify the ipv6 address to assign to the virtualized

interface. Several lines specify several ipv6 addresses.

The address is in format x::y/m,

eg. 2003:db8:1:0:214:1234:fe0b:3596/64

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>

<option>lxc.network.ipv6.gateway</option>

</term>

<listitem>

<para>

specify the ipv6 address to use as the gateway inside the

container. The address is in format x::y,

eg. 2003:db8:1:0::1

Can also have the special value <option>auto</option>,

which means to take the primary address from the bridge

interface (as specified by the

<option>lxc.network.link</option> option) and use that as

the gateway. <option>auto</option> is only available when

using the <option>veth</option> and

<option>macvlan</option> network types.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>

<option>lxc.network.script.up</option>

</term>

<listitem>

<para>

add a configuration option to specify a script to be

executed after creating and configuring the network used

from the host side. The following arguments are passed

to the script: container name and config section name

(net) Additional arguments depend on the config section

employing a script hook; the following are used by the

network system: execution context (up), network type

(empty/veth/macvlan/phys), Depending on the network

type, other arguments may be passed:

veth/macvlan/phys. And finally (host-sided) device name.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>

<option>lxc.network.script.down</option>

</term>

<listitem>

<para>

add a configuration option to specify a script to be

executed before destroying the network used from the

host side. The following arguments are passed to the

script: container name and config section name (net)

Additional arguments depend on the config section

employing a script hook; the following are used by the

network system: execution context (down), network type

(empty/veth/macvlan/phys), Depending on the network

type, other arguments may be passed:

veth/macvlan/phys. And finally (host-sided) device name.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>New pseudo tty instance (devpts)</title>

<para>

For stricter isolation the container can have its own private

instance of the pseudo tty.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.pts</option>

</term>

<listitem>

<para>

If set, the container will have a new pseudo tty

instance, making this private to it. The value specifies

the maximum number of pseudo ttys allowed for a pts

instance (this limitation is not implemented yet).

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>Container system console</title>

<para>

If the container is configured with a root filesystem and the

inittab file is setup to use the console, you may want to specify

where goes the output of this console.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.console</option>

</term>

<listitem>

<para>

Specify a path to a file where the console output will

be written. The keyword 'none' will simply disable the

console. This is dangerous once if have a rootfs with a

console device file where the application can write, the

messages will fall in the host.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>Console through the ttys</title>

<para>

If the container is configured with a root filesystem and the

inittab file is setup to launch a getty on the ttys. This

option will specify the number of ttys to be available for the

container. The number of getty in the inittab file of the

container should not be greater than the number of ttys

specified in this configuration file, otherwise the excess

getty sessions will die and respawn indefinitly giving

annoying messages on the console.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.tty</option>

</term>

<listitem>

<para>

Specify the number of tty to make available to the

container.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>Console devices location</title>

<para>

LXC consoles are provided through Unix98 PTYs created on the

host and bind-mounted over the expected devices in the container.

By default, they are bind-mounted over <filename>/dev/console</filename>

and <filename>/dev/ttyN</filename>. This can prevent package upgrades

in the guest. Therefore you can specify a directory location (under

<filename>/dev</filename> under which LXC will create the files and

bind-mount over them. These will then be symbolically linked to

<filename>/dev/console</filename> and <filename>/dev/ttyN</filename>.

A package upgrade can then succeed as it is able to remove and replace

the symbolic links.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.devttydir</option>

</term>

<listitem>

<para>

Specify a directory under <filename>/dev</filename>

under which to create the container console devices.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>/dev directory</title>

<para>

By default, lxc does nothing with the container's

<filename>/dev</filename>. This allows the container's

<filename>/dev</filename> to be set up as needed in the container

rootfs. If lxc.autodev is set to 1, then after mounting the container's

rootfs LXC will mount a fresh tmpfs under <filename>/dev</filename>

(limited to 100k) and fill in a minimal set of initial devices.

This is generally required when starting a container containing

a "systemd" based "init" but may be optional at other times. Addional

devices in the containers /dev directory may be created through the

use of the <option>lxc.hook.autodev</option> hook.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.autodev</option>

</term>

<listitem>

<para>

Set this to 1 to have LXC mount and populate a minimal

<filename>/dev</filename> when starting the container.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>Mount points</title>

<para>

The mount points section specifies the different places to be

mounted. These mount points will be private to the container

and won't be visible by the processes running outside of the

container. This is useful to mount /etc, /var or /home for

examples.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.mount</option>

</term>

<listitem>

<para>

specify a file location in

the <filename>fstab</filename> format, containing the

mount informations. If the rootfs is an image file or a

device block and the fstab is used to mount a point

somewhere in this rootfs, the path of the rootfs mount

point should be prefixed with the

<filename>@LXCROOTFSMOUNT@</filename> default path or

the value of <option>lxc.rootfs.mount</option> if

specified.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>

<option>lxc.mount.entry</option>

</term>

<listitem>

<para>

specify a mount point corresponding to a line in the

fstab format.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>Root file system</title>

<para>

The root file system of the container can be different than that

of the host system.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.rootfs</option>

</term>

<listitem>

<para>

specify the root file system for the container. It can

be an image file, a directory or a block device. If not

specified, the container shares its root file system

with the host.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>

<option>lxc.rootfs.mount</option>

</term>

<listitem>

<para>

where to recursively bind <option>lxc.rootfs</option>

before pivoting. This is to ensure success of the

<citerefentry>

<refentrytitle><command>pivot_root</command></refentrytitle>

<manvolnum>8</manvolnum>

</citerefentry>

syscall. Any directory suffices, the default should

generally work.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>

<option>lxc.pivotdir</option>

</term>

<listitem>

<para>

where to pivot the original root file system under

<option>lxc.rootfs</option>, specified relatively to

that. The default is <filename>mnt</filename>.

It is created if necessary, and also removed after

unmounting everything from it during container setup.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>Control group</title>

<para>

The control group section contains the configuration for the

different subsystem. <command>lxc</command> does not check the

correctness of the subsystem name. This has the disadvantage

of not detecting configuration errors until the container is

started, but has the advantage of permitting any future

subsystem.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.cgroup.[subsystem name]</option>

</term>

<listitem>

<para>

specify the control group value to be set. The

subsystem name is the literal name of the control group

subsystem. The permitted names and the syntax of their

values is not dictated by LXC, instead it depends on the

features of the Linux kernel running at the time the

container is started,

eg. <option>lxc.cgroup.cpuset.cpus</option>

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>Capabilities</title>

<para>

The capabilities can be dropped in the container if this one

is run as root.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.cap.drop</option>

</term>

<listitem>

<para>

Specify the capability to be dropped in the container. A

single line defining several capabilities with a space

separation is allowed. The format is the lower case of

the capability definition without the "CAP_" prefix,

eg. CAP_SYS_MODULE should be specified as

sys_module. See

<citerefentry>

<refentrytitle><command>capabilities</command></refentrytitle>

<manvolnum>7</manvolnum>

</citerefentry>,

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>UID mappings</title>

<para>

A container can be started in a private user namespace with

user and group id mappings. For instance, you can map userid

0 in the container to userid 200000 on the host. The root

user in the container will be privileged in the container,

but unprivileged on the host. Normally a system container

will want a range of ids, so you would map, for instance,

user and group ids 0 through 20,000 in the container to the

ids 200,000 through 220,000.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.id_map</option>

</term>

<listitem>

<para>

Four values must be provided. First a character, either

'u', or 'g', to specify whether user or group ids are

being mapped. Next is the first userid as seen in the

user namespace of the container. Next is the userid as

seen on the host. Finally, a range indicating the number

of consecutive ids to map.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>Startup hooks</title>

<para>

Startup hooks are programs or scripts which can be executed

at various times in a container's lifetime.

</para>

<variablelist>

<varlistentry>

<term>

<option>lxc.hook.pre-start</option>

</term>

<listitem>

<para>

A hook to be run in the host's namespace before the

container ttys, consoles, or mounts are up.

</para>

</listitem>

</varlistentry>

</variablelist>

<variablelist>

<varlistentry>

<term>

<option>lxc.hook.pre-mount</option>

</term>

<listitem>

<para>

A hook to be run in the container's fs namespace but before

the rootfs has been set up. This allows for manipulation

of the rootfs, i.e. to mount an encrypted filesystem. Mounts

done in this hook will not be reflected on the host (apart from

mounts propagation), so they will be automatically cleaned up

when the container shuts down.

</para>

</listitem>

</varlistentry>

</variablelist>

<variablelist>

<varlistentry>

<term>

<option>lxc.hook.mount</option>

</term>

<listitem>

<para>

A hook to be run in the container's namespace after

mounting has been done, but before the pivot_root.

</para>

</listitem>

</varlistentry>

</variablelist>

<variablelist>

<varlistentry>

<term>

<option>lxc.hook.autodev</option>

</term>

<listitem>

<para>

A hook to be run in the container's namespace after

mounting has been done and after any mount hooks have

run, but before the pivot_root, if

<option>lxc.autodev</option> == 1.

The purpose of this hook is to assist in populating the

/dev directory of the container when using the autodev

option for systemd based containers. The container's /dev

directory is relative to the

${<option>LXC_ROOTFS_MOUNT</option>} environment

variable available when the hook is run.

</para>

</listitem>

</varlistentry>

</variablelist>

<variablelist>

<varlistentry>

<term>

<option>lxc.hook.start</option>

</term>

<listitem>

<para>

A hook to be run in the container's namespace immediately

before executing the container's init. This requires the

program to be available in the container.

</para>

</listitem>

</varlistentry>

</variablelist>

<variablelist>

<varlistentry>

<term>

<option>lxc.hook.post-stop</option>

</term>

<listitem>

<para>

A hook to be run in the host's namespace after the

container has been shut down.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

<refsect2>

<title>Startup hooks Environment Variables</title>

<para>

A number of environment variables are made available to the startup

hooks to provide configuration information and assist in the

functioning of the hooks. Not all variables are valid in all

contexts. In particular, all paths are relative to the host system

and, as such, not valid during the <option>lxc.hook.start</option> hook.

</para>

<variablelist>

<varlistentry>

<term>

<option>LXC_NAME</option>

</term>

<listitem>

<para>

The LXC name of the container. Useful for logging messages

in commmon log environments. [<option>-n</option>]

</para>

</listitem>

</varlistentry>

</variablelist>

<variablelist>

<varlistentry>

<term>

<option>LXC_CONFIG_FILE</option>

</term>

<listitem>

<para>

Host relative path to the container configuration file. This

gives the container to reference the original, top level,

configuration file for the container in order to locate any

addotional configuration information not otherwise made

available. [<option>-f</option>]

</para>

</listitem>

</varlistentry>

</variablelist>

<variablelist>

<varlistentry>

<term>

<option>LXC_CONSOLE</option>

</term>

<listitem>

<para>

The path to the console output of the container if not NULL.

[<option>-c</option>] [<option>lxc.console</option>]

</para>

</listitem>

</varlistentry>

</variablelist>

<variablelist>

<varlistentry>

<term>

<option>LXC_CONSOLE_LOGPATH</option>

</term>

<listitem>

<para>

The path to the console log output of the container if not NULL.

[<option>-L</option>]

</para>

</listitem>

</varlistentry>

</variablelist>

<variablelist>

<varlistentry>

<term>

<option>LXC_ROOTFS_MOUNT</option>

</term>

<listitem>

<para>

The mount location to which the container is initially bound.

This will be the host relative path to the container rootfs

for the container instance being started and is where changes

should be made for that instance.

[<option>lxc.rootfs.mount</option>]

</para>

</listitem>

</varlistentry>

</variablelist>

<variablelist>

<varlistentry>

<term>

<option>LXC_ROOTFS_PATH</option>

</term>

<listitem>

<para>

The host relative path to the container root which has been

mounted to the rootfs.mount location.

[<option>lxc.rootfs</option>]

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect2>

</refsect1>

<refsect1>

<title>Examples</title>

<para>

In addition to the few examples given below, you will find

some other examples of configuration file in @DOCDIR@/examples

</para>

<refsect2>

<title>Network</title>

<para>This configuration sets up a container to use a veth pair

device with one side plugged to a bridge br0 (which has been

configured before on the system by the administrator). The

virtual network device visible in the container is renamed to

eth0.</para>

<programlisting>

lxc.utsname = myhostname

lxc.network.type = veth

lxc.network.flags = up

lxc.network.link = br0

lxc.network.name = eth0

lxc.network.hwaddr = 4a:49:43:49:79:bf

lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255

lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597

</programlisting>

</refsect2>

<refsect2>

<title>UID/GID mapping</title>

<para>This configuration will map both user and group ids in the

range 0-9999 in the container to the ids 100000-109999 on the host.

</para>

<programlisting>

lxc.id_map = u 0 100000 10000

lxc.id_map = g 0 100000 10000

</programlisting>

</refsect2>

<refsect2>

<title>Control group</title>

<para>This configuration will setup several control groups for

the application, cpuset.cpus restricts usage of the defined cpu,

cpus.share prioritize the control group, devices.allow makes

usable the specified devices.</para>

<programlisting>

lxc.cgroup.cpuset.cpus = 0,1

lxc.cgroup.cpu.shares = 1234

lxc.cgroup.devices.deny = a

lxc.cgroup.devices.allow = c 1:3 rw

lxc.cgroup.devices.allow = b 8:0 rw

</programlisting>

</refsect2>

<refsect2>

<title>Complex configuration</title>

<para>This example show a complex configuration making a complex

network stack, using the control groups, setting a new hostname,

mounting some locations and a changing root file system.</para>

<programlisting>

lxc.utsname = complex

lxc.network.type = veth

lxc.network.flags = up

lxc.network.link = br0

lxc.network.hwaddr = 4a:49:43:49:79:bf

lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255

lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597

lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588

lxc.network.type = macvlan

lxc.network.flags = up

lxc.network.link = eth0

lxc.network.hwaddr = 4a:49:43:49:79:bd

lxc.network.ipv4 = 10.2.3.4/24

lxc.network.ipv4 = 192.168.10.125/24

lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596

lxc.network.type = phys

lxc.network.flags = up

lxc.network.link = dummy0

lxc.network.hwaddr = 4a:49:43:49:79:ff

lxc.network.ipv4 = 10.2.3.6/24

lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297

lxc.cgroup.cpuset.cpus = 0,1

lxc.cgroup.cpu.shares = 1234

lxc.cgroup.devices.deny = a

lxc.cgroup.devices.allow = c 1:3 rw

lxc.cgroup.devices.allow = b 8:0 rw

lxc.mount = /etc/fstab.complex

lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0

lxc.rootfs = /mnt/rootfs.complex

lxc.cap.drop = sys_module mknod setuid net_raw

lxc.cap.drop = mac_override

</programlisting>

</refsect2>

</refsect1>

<refsect1>

<title>See Also</title>

<simpara>

<citerefentry>

<refentrytitle><command>chroot</command></refentrytitle>

<manvolnum>1</manvolnum>

</citerefentry>,

<citerefentry>

<refentrytitle><command>pivot_root</command></refentrytitle>

<manvolnum>8</manvolnum>

</citerefentry>,

<citerefentry>

<refentrytitle><filename>fstab</filename></refentrytitle>

<manvolnum>5</manvolnum>

</citerefentry>

</simpara>

</refsect1>

&seealso;

<refsect1>

<title>Author</title>

<para>Daniel Lezcano <email>daniel.lezcano@free.fr</email></para>

</refsect1>

</refentry>