lxc.conf.sgml.in revision cccc74b5146cb1b88facef29a530c653dbe0cb90
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainenlxc: linux Container library
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen(C) Copyright IBM Corp. 2007, 2008
ece0a20249ce26208db3415ba2e79423678856f8Timo SirainenDaniel Lezcano <dlezcano at fr.ibm.com>
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo SirainenThis library is free software; you can redistribute it and/or
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainenmodify it under the terms of the GNU Lesser General Public
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo SirainenLicense as published by the Free Software Foundation; either
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainenversion 2.1 of the License, or (at your option) any later version.
300e4e43ed1ca46d0614459161ca2fb460ef661aTimo SirainenThis library is distributed in the hope that it will be useful,
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainenbut WITHOUT ANY WARRANTY; without even the implied warranty of
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo SirainenMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo SirainenLesser General Public License for more details.
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo SirainenYou should have received a copy of the GNU Lesser General Public
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo SirainenLicense along with this library; if not, write to the Free Software
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo SirainenFoundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
3f3ad16ff74d694796d22501250a9a29997c0729Timo Sirainen<!DOCTYPE refentry PUBLIC "-//Davenport//DTD DocBook V3.0//EN" [
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
db3b95d5a33ddce552d41136ae68d7331f8bf5feTimo Sirainen <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
b44033e45e9f48f8a6e1ac5905234fec5de6d6ccAki Tuomi <refpurpose>
b44033e45e9f48f8a6e1ac5905234fec5de6d6ccAki Tuomi linux container configuration file
b44033e45e9f48f8a6e1ac5905234fec5de6d6ccAki Tuomi </refpurpose>
b44033e45e9f48f8a6e1ac5905234fec5de6d6ccAki Tuomi </refnamediv>
b44033e45e9f48f8a6e1ac5905234fec5de6d6ccAki Tuomi The linux containers (<command>lxc</command>) are always created
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen before being used. This creation defines a set of system
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen resources to be virtualized / isolated when a process is using
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen the container. By default, the pids, sysv ipc and mount points
dd19de9b6382c9a47b65df6b2396789df37a19fbTimo Sirainen are virtualized and isolated. The other system resources are
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen shared across containers, until they are explicitly defined in
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen the configuration file. For example, if there is no network
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen configuration, the network will be shared between the creator of
b44033e45e9f48f8a6e1ac5905234fec5de6d6ccAki Tuomi the container and the container itself, but if the network is
4dc8d682c855ca78db8874e04302e885465c1d65Timo Sirainen specified, a new network stack is created for the container and
4dc8d682c855ca78db8874e04302e885465c1d65Timo Sirainen the container can no longer use the network of its ancestor.
5754fa860405e9af20c38981942f6aa97ce3158dTimo Sirainen The configuration file defines the different system resources to
dd19de9b6382c9a47b65df6b2396789df37a19fbTimo Sirainen be assigned for the container. At present, the utsname, the
dd19de9b6382c9a47b65df6b2396789df37a19fbTimo Sirainen network, the mount points, the root file system and the control
dd19de9b6382c9a47b65df6b2396789df37a19fbTimo Sirainen groups are supported.
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen Each option in the configuration file has the form <command>key
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen = value</command> fitting in one line. The '#' character means
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen the line is a comment.
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen Allows to set the architecture for the container. For example,
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen set a 32bits architecture for a container running 32bits
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen binaries on a 64bits host. That fix the container scripts
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen which rely on the architecture to do some work like
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen downloading the packages.
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen <variablelist>
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen <varlistentry>
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen Specify the architecture for the container.
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen Valid options are
db3b95d5a33ddce552d41136ae68d7331f8bf5feTimo Sirainen </varlistentry>
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen </variablelist>
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen The utsname section defines the hostname to be set for the
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen container. That means the container can set its own hostname
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen without changing the one from the system. That makes the
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen hostname private for the container.
5545acdd3aa90a6e0cca2b665f909ec4c2fb2513Baofeng <variablelist>
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen <varlistentry>
5545acdd3aa90a6e0cca2b665f909ec4c2fb2513Baofeng specify the hostname for the container
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen </varlistentry>
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen </variablelist>
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen The network section defines how the network is virtualized in
009217abb57a24a4076092e8e4e165545747839eStephan Bosch the container. The network virtualization acts at layer
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen two. In order to use the network virtualization, parameters
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen must be specified to define the network interfaces of the
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen container. Several virtual interfaces can be assigned and used
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen in a container even if the system has only one physical
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen network interface.
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen <variablelist>
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen <varlistentry>
5545acdd3aa90a6e0cca2b665f909ec4c2fb2513Baofeng specify what kind of network virtualization to be used
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen for the container. Each time
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen a <option>lxc.network.type</option> field is found a new
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen round of network configuration begins. In this way,
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen several network virtualization types can be specified
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen for the same container, as well as assigning several
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen network interfaces for one container. The different
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen virtualization types can be:
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen <option>empty:</option> will create only the loopback
e4194f4703eeec32b432371ae30fc8f25ab720d8Timo Sirainen <option>veth:</option> a peer network device is created
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen with one side assigned to the container and the other
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen side is attached to a bridge specified by
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen the <option>lxc.network.link</option>. If the bridge is
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen not specified, then the veth pair device will be created
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen but not attached to any bridge. Otherwise, the bridge
e34d170f8f0e084bd94bfbc1a7085ece67e508dfTimo Sirainen has to be setup before on the
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen system, <command>lxc</command> won't handle any
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen configuration outside of the container. By
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen default <command>lxc</command> choose a name for the
db693bf6fcae96d834567f1782257517b7207655Timo Sirainen network device belonging to the outside of the
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen container, this name is handled
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen by <command>lxc</command>, but if you wish to handle
faec0abfd648c647030027e86de2ce8911df683bTimo Sirainen this name yourself, you can tell <command>lxc</command>
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen to set a specific name with
b4ddb5b3c3722620a8fef387dd8c47bb411a5643Timo Sirainen the <option>lxc.network.veth.pair</option> option.
9dd8a75971a2d9e46fb0c80feddc0aaec1181defTimo Sirainen <option>vlan:</option> a vlan interface is linked with
300e4e43ed1ca46d0614459161ca2fb460ef661aTimo Sirainen the interface specified by
300e4e43ed1ca46d0614459161ca2fb460ef661aTimo Sirainen the <option>lxc.network.link</option> and assigned to
300e4e43ed1ca46d0614459161ca2fb460ef661aTimo Sirainen the container. The vlan identifier is specified with the
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen <option>macvlan:</option> a macvlan interface is linked
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen with the interface specified by
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen the <option>lxc.network.link</option> and assigned to
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen the container.
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen <option>lxc.network.macvlan.mode</option> specifies the
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen mode the macvlan will use to communicate between
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen different macvlan on the same upper device. The accepted
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen modes are <option>private</option>, the device never
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen communicates with any other device on the same upper_dev (default),
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen <option>vepa</option>, the new Virtual Ethernet Port
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen Aggregator (VEPA) mode, it assumes that the adjacent
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen bridge returns all frames where both source and
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen destination are local to the macvlan port, i.e. the
861f53be0cc2fa5665f3c107a7576e2a53bb2eb0Timo Sirainen bridge is set up as a reflective relay. Broadcast
b4ddb5b3c3722620a8fef387dd8c47bb411a5643Timo Sirainen frames coming in from the upper_dev get flooded to all
db3b95d5a33ddce552d41136ae68d7331f8bf5feTimo Sirainen macvlan interfaces in VEPA mode, local frames are not
db3b95d5a33ddce552d41136ae68d7331f8bf5feTimo Sirainen delivered locallay, or <option>bridge</option>, it
db3b95d5a33ddce552d41136ae68d7331f8bf5feTimo Sirainen provides the behavior of a simple bridge between
db3b95d5a33ddce552d41136ae68d7331f8bf5feTimo Sirainen different macvlan interfaces on the same port. Frames
db3b95d5a33ddce552d41136ae68d7331f8bf5feTimo Sirainen from one interface to another one get delivered directly
db3b95d5a33ddce552d41136ae68d7331f8bf5feTimo Sirainen and are not sent out externally. Broadcast frames get
db3b95d5a33ddce552d41136ae68d7331f8bf5feTimo Sirainen flooded to all other bridge ports and to the external
db3b95d5a33ddce552d41136ae68d7331f8bf5feTimo Sirainen interface, but when they come back from a reflective
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen relay, we don't deliver them again. Since we know all
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen the MAC addresses, the macvlan bridge mode does not
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen require learning or STP like the bridge module does.
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen <option>phys:</option> an already existing interface
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen specified by the <option>lxc.network.link</option> is
6468191d64827a2d1481c091ec499874583c834eTimo Sirainen assigned to the container.
9dd8a75971a2d9e46fb0c80feddc0aaec1181defTimo Sirainen </varlistentry>
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen <varlistentry>
4ee00532a265bdfb38539d811fcd12d51210ac35Timo Sirainen specify an action to do for the
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen <para><option>up:</option> activates the interface.
2efe19d9045768d985a3bd549cff12f65ba40cc8Timo Sirainen </varlistentry>
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen <varlistentry>
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen specify the interface to be used for real network
5b4d189a01d248458496068f838128f1bafdcf2eTimo Sirainen </varlistentry>
6ecc5475f7efd4dcdf4ce727191693de24c5cf51Timo Sirainen <varlistentry>
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen the interface name is dynamically allocated, but if
009217abb57a24a4076092e8e4e165545747839eStephan Bosch another name is needed because the configuration files
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen being used by the container use a generic name,
958e5ae51a755558b6d022a39b194614726b4225Timo Sirainen eg. eth0, this option will rename the interface in the
958e5ae51a755558b6d022a39b194614726b4225Timo Sirainen </varlistentry>
ece0a20249ce26208db3415ba2e79423678856f8Timo Sirainen <varlistentry>
c1d01419ffbeb0e00f86a653db70bfd47110e7fcTimo Sirainen the interface mac address is dynamically allocated by
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen default to the virtual interface, but in some cases,
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen this is needed to resolve a mac address conflict or to
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen always have the same link-local ipv6 address
c3a2a487e23a282e59254b82deb9344ed0306bb2Timo Sirainen </varlistentry>
16a5712c1a774b7bd3bbf22032b61ccc9398499eAki Tuomi <varlistentry>
cf9d67e4a9bfee31cf3be05244555d51a3d1b9feTimo Sirainen specify the ipv4 address to assign to the virtualized
edd318d5866ac3fbc6e8df28fb24a4dfef93c884Timo Sirainen interface. Several lines specify several ipv4 addresses.
69b22a0c0c84087e5bdeec71faae7ea77295240fTimo Sirainen The address is in format x.y.z.t/m,
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen </varlistentry>
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen <varlistentry>
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen specify the ipv6 address to assign to the virtualized
c3a2a487e23a282e59254b82deb9344ed0306bb2Timo Sirainen interface. Several lines specify several ipv6 addresses.
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen The address is in format x::y/m,
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen </varlistentry>
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen </variablelist>
412b772c337428b72149605c1410524c2353e5d4Timo Sirainen <title>New pseudo tty instance (devpts)</title>
009217abb57a24a4076092e8e4e165545747839eStephan Bosch For stricter isolation the container can have its own private
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen instance of the pseudo tty.
00e7c3010f7da4a49881a7feb05e413af353af0aTimo Sirainen <variablelist>
00e7c3010f7da4a49881a7feb05e413af353af0aTimo Sirainen <varlistentry>
00e7c3010f7da4a49881a7feb05e413af353af0aTimo Sirainen If set, the container will have a new pseudo tty
00e7c3010f7da4a49881a7feb05e413af353af0aTimo Sirainen instance, making this private to it. The value specifies
00e7c3010f7da4a49881a7feb05e413af353af0aTimo Sirainen the maximum number of pseudo ttys allowed for a pts
009217abb57a24a4076092e8e4e165545747839eStephan Bosch instance (this limitation is not implemented yet).
00e7c3010f7da4a49881a7feb05e413af353af0aTimo Sirainen </varlistentry>
00e7c3010f7da4a49881a7feb05e413af353af0aTimo Sirainen </variablelist>
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen If the container is configured with a root filesystem and the
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen inittab file is setup to use the console, you may want to specify
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen where goes the output of this console.
00e7c3010f7da4a49881a7feb05e413af353af0aTimo Sirainen <variablelist>
1df39b899804fd1dbc560f75382364822935c857Timo Sirainen <varlistentry>
00e7c3010f7da4a49881a7feb05e413af353af0aTimo Sirainen Specify a path to a file where the console output will
d6b3cfd855c0eebed68be50d3111de1b5a6afeb0Timo Sirainen </varlistentry>
00e7c3010f7da4a49881a7feb05e413af353af0aTimo Sirainen </variablelist>
2670cd577aa57eb9f915a4f4220ae48c9b4fc5fbTimo Sirainen If the container is configured with a root filesystem and the
lxc.utsname = myhostname
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.hwaddr = 4a:49:43:49:79:bf
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
the application, cpuset.cpus restricts usage of the defined cpu,
lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = b 8:0 rw
lxc.utsname = complex
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 4a:49:43:49:79:bf
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
lxc.network.type = macvlan
lxc.network.flags = up
lxc.network.link = eth0
lxc.network.hwaddr = 4a:49:43:49:79:bd
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
lxc.network.type = phys
lxc.network.flags = up
lxc.network.link = dummy0
lxc.network.hwaddr = 4a:49:43:49:79:ff
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = b 8:0 rw
lxc.cap.drop = sys_module mknod setuid net_raw
lxc.cap.drop = mac_override