Provided by: lxc_0.6.3-1_i386


       lxc.conf - linux container configuration file


       The  linux  containers (lxc) are always created before being used. This
       creation defines a set of system resources to be virtualized / isolated
       when  a  process is using the container. By default, the pids, sysv ipc
       and mount  points  are  virtualized  and  isolated.  The  other  system
       resources  are  shared  across  containers,  until  they are explicitly
       defined in the configuration file. For example, if there is no  network
       configuration,  the  network  will be shared between the creator of the
       container and the container itself, but if the network is specified,  a
       new network stack is created for the container and the container can no
       longer use the network of its ancestor.

       The configuration file defines the different  system  resources  to  be
       assigned  for  the container. At present, the utsname, the network, the
       mount  points,  the  root  file  system  and  the  control  groups  are

       Each option in the configuration file has the form key = value fitting
       in one line. The ’#’ character means the line is a comment.

       The utsname section defines the hostname to be set for  the  container.
       That  means the container can set its own hostname without changing the
       one from the system. That makes the hostname private for the container.

              specify the hostname for the container

       The network section defines how the network is virtualized in the
       container. The network virtualization acts at layer two, so in order
       to use the network, some information must be specified to define the
       network interfaces to be used by the container. Several virtual
       interfaces can be assigned and used in a container even if the system
       has only one physical network interface.

              specify what kind of network virtualization to be used for the
              container. Each time a field is found a new
              round of network configuration begins. In this way several
              network virtualizations can be specified for the same container,
              and several network interfaces can be assigned to one
              container. The different virtualization types can be:

              empty:  a new network stack is created for the container, but it
              will not contain any network interface.

              veth: a new network stack is created, a peer network device is
              created with one side assigned to the container and the other
              side attached to a bridge specified by the The
              bridge has to be set up beforehand on the system; lxc won’t
              handle configuration outside of the container.

              macvlan: a new network stack is created, a macvlan interface  is
              linked  with the interface specified by the and
              assigned to the container.

              phys: a new network stack is created and the interface specified
              by the is assigned to the container.

              specify an action to do for the network.

              up: activates the interface.

              specify the interface to be used for real network traffic.

              the interface name is dynamically allocated, but if another
              name is needed because the configuration files being used by the
              container use a generic name, eg. eth0, this option will rename
              the interface in the container.

              the interface mac address is dynamically allocated by default to
              the virtual interface, but in some cases a fixed address is
              needed to resolve a mac address conflict or to always have the
              same link-local ipv6 address.

              specify the ipv4 address to assign to the virtualized interface.
              Several lines specify several ipv4 addresses.  The address is in
              format x.y.z.t/m, eg.

              specify the ipv6 address to assign to the virtualized interface.
              Several lines specify several ipv6 addresses.  The address is in
              format x::y/m, eg. 2003:db8:1:0:214:1234:fe0b:3596/64

       For  stricter isolation the container can have its own private instance
       of the pseudo tty.

              If set, the container will  have  a  new  pseudo  tty  instance,
              making  this  private  to  it.  The  value specifies the maximum
              number  of  pseudo  ttys  allowed  for  a  pts  instance   (this
              limitation is not implemented yet).

       If the container is configured with a root filesystem and the inittab
       file is set up to launch a getty on the ttys, this option specifies
       the number of ttys to be available for the container. The number of
       gettys in the inittab file of the container and the number of ttys
       specified in this configuration file should be equal, otherwise the
       getty will die and respawn indefinitely, giving annoying messages on the
              Specify the number of tty to make available to the container.

       The mount points section specifies the different places to be mounted.
       These mount points will be private to the container and won’t be
       visible to the processes running outside of the container. This is
       useful to mount /etc, /var or /home, for example.

              specify a file location in the fstab format, containing the
              mount information.

       The root file system is the location where the container will chroot.

              specify  a file location containing the new file tree for a root
              file system.

       The control group section contains the configuration for the different
       subsystems. lxc does not check the correctness of the subsystem name.
       This has the drawback that an error is only detected at runtime, but
       the advantage of supporting any future subsystem.

            lxc.cgroup.[subsystem name]
              specify the control group value to be set. The lxc.cgroup
              prefix is the identifier indicating that the keyword following
              it is the literal name of the control group subsystem, eg.
              lxc.cgroup.cpuset.cpus


       This  configuration  sets up a container to use a veth pair device with
       one side plugged to a bridge br0 (which has been configured  before  on
       the system by the administrator). The virtual network device visible in
       the container is renamed to eth0.

       lxc.utsname = myhostname = veth = up = br0 = eth0 = 4a:49:43:49:79:bf = = 2003:db8:1:0:214:1234:fe0b:3597

       This configuration will set up several control groups for the
       application: cpuset.cpus restricts usage to the defined cpus,
       cpu.shares prioritizes the control group, devices.allow makes usable
       the specified

       lxc.cgroup.cpuset.cpus = 0,1
       lxc.cgroup.cpu.shares = 1234
       lxc.cgroup.devices.deny = a
       lxc.cgroup.devices.allow = c 1:3 rw
       lxc.cgroup.devices.allow = b 8:0 rw
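
       An added example, not part of the original manual page or of the lxc
       project: a small Python parser for the key = value format that flags
       the isolation gaps described in the text. It assumes that network keys
       start with lxc.network. (the key names are missing from this copy of
       the page) and that cgroup entries are applied in file order; the
       finding labels are hypothetical.

```python
# Added example: parse lxc.conf "key = value" lines and audit isolation settings.
PAGE_CGROUP = """\
lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = b 8:0 rw
"""  # the cgroup example from the page, verbatim

CONSTRUCTED = """\
# constructed sample: allow written before the blanket deny
lxc.utsname = demo
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.deny = a
"""

def parse(text):
    """Return ordered (key, value) pairs; keys may repeat, '#' lines are comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"not 'key = value': {line!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs

def audit(pairs):
    """Return hypothetical finding labels for weak isolation settings."""
    findings = []
    # Assumption: network keys use the "lxc.network." prefix. Without any,
    # the container shares the network of its creator (see the text above).
    if not any(k.startswith("lxc.network.") for k, _ in pairs):
        findings.append("shared-network")
    deny_all = False
    for key, value in pairs:
        fields = value.split()
        if key == "lxc.cgroup.devices.deny" and fields[:1] == ["a"]:
            deny_all = True
        elif key == "lxc.cgroup.devices.allow":
            if not deny_all:  # assumes entries are applied in file order
                findings.append(f"allow-without-prior-deny-all: {value}")
            if fields[:1] == ["b"] and set(fields[-1]) & set("rw"):
                findings.append(f"raw-block-device-access: {value}")
    if not deny_all:
        findings.append("no-deny-all")
    return findings
```

       Run over the page's own cgroup example, the audit reports the
       b 8:0 rw entry, which gives the container direct read and write
       access to a host block device.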

       This example shows a complex configuration making a complex network
       stack, using the control groups, setting a new hostname, mounting some
       locations and changing the root file system.

       lxc.utsname = complex = veth = up = br0 = 4a:49:43:49:79:bf = = 2003:db8:1:0:214:1234:fe0b:3597 = 2003:db8:1:0:214:5432:feab:3588 = macvlan = up = eth0 = 4a:49:43:49:79:bd = = = 2003:db8:1:0:214:1234:fe0b:3596 = phys = up = dummy0 = 4a:49:43:49:79:ff = = 2003:db8:1:0:214:1234:fe0b:3297

       lxc.cgroup.cpuset.cpus = 0,1
       lxc.cgroup.cpu.shares = 1234
       lxc.cgroup.devices.deny = a
       lxc.cgroup.devices.allow = c 1:3 rw
       lxc.cgroup.devices.allow = b 8:0 rw
       lxc.mount = /etc/fstab.complex
       lxc.rootfs = /mnt/rootfs.complex


       chroot(1), pivot_root(8), fstab(5)


       lxc(1),  lxc-create(1), lxc-destroy(1), lxc-start(1), lxc-stop(1), lxc-
       execute(1), lxc-console(1), lxc-monitor(1), lxc-wait(1), lxc-cgroup(1),
       lxc-ls(1),   lxc-ps(1),  lxc-info(1),  lxc-freeze(1),  lxc-unfreeze(1),


       Daniel Lezcano

                                03 August 2009                     LXC.CONF(5)