Provided by: lxc_1.0.3-0ubuntu3_amd64 bug

NAME

       lxc.container.conf - LXC container configuration file

DESCRIPTION

       The  linux  containers (lxc) are always created before being used. This creation defines a
       set of system resources to  be  virtualized  /  isolated  when  a  process  is  using  the
       container.  By  default, the pids, sysv ipc and mount points are virtualized and isolated.
       The other system resources are shared across containers, until they are explicitly defined
       in  the configuration file. For example, if there is no network configuration, the network
       will be shared between the creator of the container and the container itself, but  if  the
       network  is  specified, a new network stack is created for the container and the container
       can no longer use the network of its ancestor.

       The configuration file defines the different system  resources  to  be  assigned  for  the
       container.  At  present, the utsname, the network, the mount points, the root file system,
       the user namespace, and the control groups are supported.

       Each option in the configuration file has the form key = value fitting in  one  line.  The
       '#' character means the line is a comment.

   CONFIGURATION
       In  order  to ease administration of multiple related containers, it is possible to have a
       container configuration file cause another  file  to  be  loaded.  For  instance,  network
       configuration  can be defined in one common file which is included by multiple containers.
       Then, if the containers are moved to another host, only one file may need to be updated.

       lxc.include
              Specify the file to be included. The included file must be in the  same  valid  lxc
              configuration file format.

   ARCHITECTURE
       Allows  one  to  set  the  architecture  for  the  container.  For  example,  set a 32bits
       architecture for a container running 32bits binaries on a  64bits  host.  This  fixes  the
       container  scripts  which  rely  on  the architecture to do some work like downloading the
       packages.

       lxc.arch
              Specify the architecture for the container.

              Valid options are x86, i686, x86_64, amd64

   HOSTNAME
       The utsname section defines the hostname to be set  for  the  container.  That  means  the
       container  can  set  its own hostname without changing the one from the system. That makes
       the hostname private for the container.

       lxc.utsname
              specify the hostname for the container

   HALT SIGNAL
       Allows one to specify signal name or number, sent by  lxc-stop  to  the  container's  init
       process  to  cleanly  shutdown  the  container. Different init systems could use different
       signals to perform clean shutdown sequence. This option allows the signal to be  specified
       in  kill(1)  fashion,  e.g.  SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default
       signal is SIGPWR.

       lxc.haltsignal
              specify the signal used to halt the container

   STOP SIGNAL
       Allows one to specify signal name or number, sent by lxc-stop  to  forcibly  shutdown  the
       container.  This  option  allows  signal to be specified in kill(1) fashion, e.g. SIGKILL,
       SIGRTMIN+14, SIGRTMAX-10 or plain number.  The default signal is SIGKILL.

       lxc.stopsignal
              specify the signal used to stop the container

   NETWORK
       The network section defines how the network is virtualized in the container.  The  network
       virtualization  acts  at layer two. In order to use the network virtualization, parameters
       must be specified to define the network  interfaces  of  the  container.  Several  virtual
       interfaces  can  be  assigned  and  used  in  a  container even if the system has only one
       physical network interface.

       lxc.network.type
              specify what kind of network virtualization to be used for the container. Each time
              a  lxc.network.type  field is found a new round of network configuration begins. In
              this way, several network virtualization  types  can  be  specified  for  the  same
              container,  as  well as assigning several network interfaces for one container. The
              different virtualization types can be:

              none: will cause the container to share the host's network  namespace.  This  means
              the  host  network  devices are usable in the container. It also means that if both
              the container and host have upstart as init, 'halt' in a container  (for  instance)
              will shut down the host.

              empty: will create only the loopback interface.

              veth:  a peer network device is created with one side assigned to the container and
              the other side is attached to a bridge specified by the  lxc.network.link.  If  the
              bridge is not specified, then the veth pair device will be created but not attached
              to any bridge. Otherwise, the bridge has to be setup  before  on  the  system,  lxc
              won't  handle  any  configuration outside of the container. By default lxc choose a
              name for the network device belonging to the outside of the container, this name is
              handled  by  lxc, but if you wish to handle this name yourself, you can tell lxc to
              set a specific name with the lxc.network.veth.pair option.

              vlan:  a  vlan  interface  is  linked  with  the   interface   specified   by   the
              lxc.network.link  and  assigned  to the container. The vlan identifier is specified
              with the option lxc.network.vlan.id.

              macvlan: a macvlan  interface  is  linked  with  the  interface  specified  by  the
              lxc.network.link and assigned to the container.  lxc.network.macvlan.mode specifies
              the mode the macvlan will use to communicate between different macvlan on the  same
              upper  device.  The  accepted modes are private, the device never communicates with
              any other device on the same upper_dev (default), vepa, the  new  Virtual  Ethernet
              Port Aggregator (VEPA) mode, it assumes that the adjacent bridge returns all frames
              where both source and destination are local to the macvlan port, i.e. the bridge is
              set  up  as  a  reflective relay. Broadcast frames coming in from the upper_dev get
              flooded to all macvlan interfaces in VEPA mode,  local  frames  are  not  delivered
              locally,  or  bridge, it provides the behavior of a simple bridge between different
              macvlan interfaces on the same port. Frames from one interface to another  one  get
              delivered directly and are not sent out externally. Broadcast frames get flooded to
              all other bridge ports and to the external interface, but when they come back  from
              a  reflective  relay,  we  don't  deliver  them  again.  Since  we know all the MAC
              addresses, the macvlan bridge mode does not require learning or STP like the bridge
              module does.

              phys:  an  already existing interface specified by the lxc.network.link is assigned
              to the container.

       lxc.network.flags
              specify an action to do for the network.

              up: activates the interface.

       lxc.network.link
              specify the interface to be used for real network traffic.

       lxc.network.mtu
              specify the maximum transfer unit for this interface.

       lxc.network.name
              the interface name is dynamically allocated, but if another name is needed  because
              the  configuration  files being used by the container use a generic name, eg. eth0,
              this option will rename the interface in the container.

       lxc.network.hwaddr
              the interface mac address is  dynamically  allocated  by  default  to  the  virtual
              interface,  but  in some cases, this is needed to resolve a mac address conflict or
              to always have the same link-local ipv6  address.   Any  "x"  in  address  will  be
              replaced by random value, this allows setting hwaddr templates.

       lxc.network.ipv4
              specify  the  ipv4  address  to  assign to the virtualized interface. Several lines
              specify  several  ipv4  addresses.   The  address  is  in  format  x.y.z.t/m,   eg.
              192.168.1.123/24. The broadcast address should be specified on the same line, right
              after the ipv4 address.

       lxc.network.ipv4.gateway
              specify the ipv4 address to use as the gateway inside the container. The address is
              in format x.y.z.t, eg.  192.168.1.123.  Can also have the special value auto, which
              means to take the primary address from the bridge interface (as  specified  by  the
              lxc.network.link  option)  and use that as the gateway. auto is only available when
              using the veth and macvlan network types.

       lxc.network.ipv6
              specify the ipv6 address to assign to  the  virtualized  interface.  Several  lines
              specify   several   ipv6   addresses.    The  address  is  in  format  x::y/m,  eg.
              2003:db8:1:0:214:1234:fe0b:3596/64

       lxc.network.ipv6.gateway
              specify the ipv6 address to use as the gateway inside the container. The address is
              in  format  x::y,  eg.  2003:db8:1:0::1 Can also have the special value auto, which
              means to take the primary address from the bridge interface (as  specified  by  the
              lxc.network.link  option)  and use that as the gateway. auto is only available when
              using the veth and macvlan network types.

       lxc.network.script.up
              add a configuration option to specify a script to be executed  after  creating  and
              configuring the network used from the host side. The following arguments are passed
              to the script: container name and config section name  (net)  Additional  arguments
              depend on the config section employing a script hook; the following are used by the
              network system: execution context  (up),  network  type  (empty/veth/macvlan/phys),
              Depending  on  the  network type, other arguments may be passed: veth/macvlan/phys.
              And finally (host-sided) device name.

              Standard output from the script is logged at debug level.  Standard  error  is  not
              logged,  but can be captured by the hook redirecting its standard error to standard
              output.

       lxc.network.script.down
              add a configuration option to specify a script to be executed before destroying the
              network  used from the host side. The following arguments are passed to the script:
              container name and config section name (net) Additional  arguments  depend  on  the
              config  section  employing  a  script  hook;  the following are used by the network
              system: execution context (down), network type (empty/veth/macvlan/phys), Depending
              on  the network type, other arguments may be passed: veth/macvlan/phys. And finally
              (host-sided) device name.

              Standard output from the script is logged at debug level.  Standard  error  is  not
              logged,  but can be captured by the hook redirecting its standard error to standard
              output.

   NEW PSEUDO TTY INSTANCE (DEVPTS)
       For stricter isolation the container can have its own private instance of the pseudo tty.

       lxc.pts
              If set, the container will have a new pseudo tty instance, making this  private  to
              it.  The  value  specifies  the  maximum  number  of  pseudo ttys allowed for a pts
              instance (this limitation is not implemented yet).

   CONTAINER SYSTEM CONSOLE
       If the container is configured with a root filesystem and the inittab file is setup to use
       the console, you may want to specify where the output of this console goes.

       lxc.console
              Specify  a  path  to  a  file where the console output will be written. The keyword
              'none' will simply disable the console. This is dangerous once  if  have  a  rootfs
              with  a console device file where the application can write, the messages will fall
              in the host.

   CONSOLE THROUGH THE TTYS
       This option is useful if the container is  configured  with  a  root  filesystem  and  the
       inittab  file  is  setup to launch a getty on the ttys. The option specifies the number of
       ttys to be available for the container. The number of gettys in the inittab  file  of  the
       container  should  not  be  greater  than  the  number  of  ttys specified in this option,
       otherwise the excess getty sessions will die  and  respawn  indefinitely  giving  annoying
       messages on the console or in /var/log/messages.

       lxc.tty
              Specify the number of tty to make available to the container.

   CONSOLE DEVICES LOCATION
       LXC  consoles  are  provided through Unix98 PTYs created on the host and bind-mounted over
       the  expected  devices  in  the  container.   By  default,  they  are  bind-mounted   over
       /dev/console  and /dev/ttyN. This can prevent package upgrades in the guest. Therefore you
       can specify a directory location (under /dev under which LXC will  create  the  files  and
       bind-mount  over  them.  These  will  then  be  symbolically  linked  to  /dev/console and
       /dev/ttyN.  A package upgrade can then succeed as it is able to  remove  and  replace  the
       symbolic links.

       lxc.devttydir
              Specify a directory under /dev under which to create the container console devices.

   /DEV DIRECTORY
       By  default,  lxc creates a few symbolic links (fd,stdin,stdout,stderr) in the container's
       /dev directory but does not automatically create device  node  entries.  This  allows  the
       container's  /dev to be set up as needed in the container rootfs. If lxc.autodev is set to
       1, then after mounting the container's rootfs LXC will mount  a  fresh  tmpfs  under  /dev
       (limited  to  100k)  and  fill  in  a  minimal  set of initial devices.  This is generally
       required when starting a container containing a "systemd" based "init" but may be optional
       at other times. Additional devices in the containers /dev directory may be created through
       the use of the lxc.hook.autodev hook.

       lxc.autodev
              Set this to 1 to have LXC mount and populate  a  minimal  /dev  when  starting  the
              container.

   ENABLE KMSG SYMLINK
       Enable creating /dev/kmsg as symlink to /dev/console. This defaults to 1.

       lxc.kmsg
              Set this to 0 to disable /dev/kmsg symlinking.

   MOUNT POINTS
       The  mount points section specifies the different places to be mounted. These mount points
       will be private to the container and won't be visible by the processes running outside  of
       the container. This is useful to mount /etc, /var or /home for examples.

       lxc.mount
              specify  a  file location in the fstab format, containing the mount information. If
              the rootfs is an image file or a block device and the fstab  is  used  to  mount  a
              point  somewhere  in  this  rootfs,  the  path  of the rootfs mount point should be
              prefixed with the  /usr/lib/x86_64-linux-gnu/lxc  default  path  or  the  value  of
              lxc.rootfs.mount  if  specified. Note that when mounting a filesystem from an image
              file or block device the third field (fs_vfstype) cannot be auto as  with  mount(8)
              but must be explicitly specified.

       lxc.mount.entry
              specify a mount point corresponding to a line in the fstab format.

       lxc.mount.auto
              specify  which  standard  kernel file systems should be automatically mounted. This
              may dramatically simplify the configuration. The file systems are:

              · proc:mixed (or proc): mount  /proc  as  read-write,  but  remount  /proc/sys  and
                /proc/sysrq-trigger read-only for security / container isolation purposes.

              · proc:rw: mount /proc as read-write

              · sys:ro  (or  sys):  mount  /sys  as  read-only for security / container isolation
                purposes.

              · sys:rw: mount /sys as read-write

              · cgroup:mixed (or cgroup): mount a tmpfs to /sys/fs/cgroup, create directories for
                all hierarchies to which the container is added, create subdirectories there with
                the name of the cgroup, and bind-mount  the  container's  own  cgroup  into  that
                directory.   The container will be able to write to its own cgroup directory, but
                not the parents, since they will be remounted read-only

              · cgroup:ro: similar to cgroup:mixed, but everything will be mounted read-only.

              · cgroup:rw: similar to cgroup:mixed, but everything will  be  mounted  read-write.
                Note  that  the  paths leading up to the container's own cgroup will be writable,
                but will not be a cgroup filesystem but just part of the tmpfs of /sys/fs/cgroup

              · cgroup-full:mixed (or cgroup-full):  mount  a  tmpfs  to  /sys/fs/cgroup,  create
                directories  for  all hierarchies to which the container is added, bind-mount the
                hierarchies from the host to the container and make everything  read-only  except
                the container's own cgroup. Note that compared to cgroup, where all paths leading
                up to the container's own cgroup are just simple directories  in  the  underlying
                tmpfs,  here  /sys/fs/cgroup/$hierarchy  will  contain  the  host's  full  cgroup
                hierarchy, albeit read-only outside the container's own cgroup.   This  may  leak
                quite a bit of information into the container.

              · cgroup-full:ro:  similar  to  cgroup-full:mixed,  but  everything will be mounted
                read-only.

              · cgroup-full:rw: similar to cgroup-full:mixed,  but  everything  will  be  mounted
                read-write.  Note  that  in  this  case, the container may escape its own cgroup.
                (Note also that if the container has CAP_SYS_ADMIN  support  and  can  mount  the
                cgroup filesystem itself, it may do so anyway.)

       Examples:

                  lxc.mount.auto = proc sys cgroup
                  lxc.mount.auto = proc:rw sys:rw cgroup-full:rw

   ROOT FILE SYSTEM
       The root file system of the container can be different than that of the host system.

       lxc.rootfs
              specify  the  root  file  system  for  the  container.  It  can be an image file, a
              directory or a block device. If not specified, the container shares its  root  file
              system with the host.

       lxc.rootfs.mount
              where  to recursively bind lxc.rootfs before pivoting. This is to ensure success of
              the pivot_root(8) syscall. Any directory suffices,  the  default  should  generally
              work.

       lxc.rootfs.options
              extra mount options to use when mounting the rootfs.

       lxc.pivotdir
              where to pivot the original root file system under lxc.rootfs, specified relatively
              to that. The default is mnt.  It is created if necessary, and  also  removed  after
              unmounting everything from it during container setup.

   CONTROL GROUP
       The control group section contains the configuration for the different subsystem. lxc does
       not check the correctness of  the  subsystem  name.  This  has  the  disadvantage  of  not
       detecting  configuration  errors  until the container is started, but has the advantage of
       permitting any future subsystem.

       lxc.cgroup.[subsystem name]
              specify the control group value to be set. The subsystem name is the  literal  name
              of  the control group subsystem. The permitted names and the syntax of their values
              is not dictated by LXC, instead it depends on the  features  of  the  Linux  kernel
              running at the time the container is started, eg. lxc.cgroup.cpuset.cpus

   CAPABILITIES
       The capabilities can be dropped in the container if this one is run as root.

       lxc.cap.drop
              Specify  the  capability  to  be  dropped  in the container. A single line defining
              several capabilities with a space separation is allowed. The format  is  the  lower
              case  of  the  capability  definition without the "CAP_" prefix, eg. CAP_SYS_MODULE
              should be specified as sys_module. See capabilities(7),

       lxc.cap.keep
              Specify the capability to be kept in the container. All other capabilities will  be
              dropped.

   APPARMOR PROFILE
       If  lxc was compiled and installed with apparmor support, and the host system has apparmor
       enabled, then the apparmor profile  under  which  the  container  should  be  run  can  be
       specified in the container configuration. The default is lxc-container-default.

       lxc.aa_profile
              Specify  the  apparmor  profile under which the container should be run. To specify
              that the container should be unconfined, use

              lxc.aa_profile = unconfined

   SELINUX CONTEXT
       If lxc was compiled and installed with SELinux support, and the host  system  has  SELinux
       enabled, then the SELinux context under which the container should be run can be specified
       in the container configuration. The default is unconfined_t, which means that lxc will not
       attempt to change contexts.

       lxc.se_context
              Specify   the   SELinux  context  under  which  the  container  should  be  run  or
              unconfined_t. For example

              lxc.se_context = unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023

   SECCOMP CONFIGURATION
       A container can be started with a reduced set of  available  system  calls  by  loading  a
       seccomp  profile  at  startup.  The  seccomp  configuration file must begin with a version
       number on the first line, a policy type on the second line, followed by the configuration.

       Versions 1 and 2 are currently supported. In version 1, the policy is a simple  whitelist.
       The  second line therefore must read "whitelist", with the rest of the file containing one
       (numeric) sycall number per line. Each syscall number is whitelisted, while every unlisted
       number is blacklisted for use in the container

       In  version  2, the policy may be blacklist or whitelist, supports per-rule and per-policy
       default actions, and supports per-architecture system call resolution from textual names.

       An example blacklist policy, in which all system calls are allowed except for mknod, which
       will simply do nothing and return 0 (success), looks like:

       2
       blacklist
       mknod errno 0
       .fi

       lxc.seccomp
              Specify a file containing the seccomp configuration to
              load before the container starts.

   UID MAPPINGS
       A  container  can  be started in a private user namespace with user and group id mappings.
       For instance, you can map userid 0 in the container to userid 200000 on the host. The root
       user  in  the container will be privileged in the container, but unprivileged on the host.
       Normally a system container will want a range of ids, so you would map, for instance, user
       and group ids 0 through 20,000 in the container to the ids 200,000 through 220,000.

       lxc.id_map
              Four  values  must  be  provided. First a character, either 'u', or 'g', to specify
              whether user or group ids are being mapped. Next is the first userid as seen in the
              user namespace of the container. Next is the userid as seen on the host. Finally, a
              range indicating the number of consecutive ids to map.

   CONTAINER HOOKS
       Container hooks are programs or scripts which can  be  executed  at  various  times  in  a
       container's lifetime.

       When  a  container  hook is executed, information is passed both as command line arguments
       and through environment variables.  The arguments are:

       · Container name.

       · Section (always 'lxc').

       · The hook type (i.e. 'clone' or 'pre-mount').

       · Additional arguments In the case of the clone hook, any extra arguments passed  to  lxc-
         clone will appear as further arguments to the hook.

       The following environment variables are set:

       · LXC_NAME: is the container's name.

       · LXC_ROOTFS_MOUNT: the path to the mounted root filesystem.

       · LXC_CONFIG_FILE: the path to the container configuration file.

       · LXC_SRC_NAME: in the case of the clone hook, this is the original container's name.

       · LXC_ROOTFS_PATH: this is the lxc.rootfs entry for the container. Note this is likely not
         where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that.

       Standard output from the hooks is logged at debug level.  Standard error  is  not  logged,
       but can be captured by the hook redirecting its standard error to standard output.

       lxc.hook.pre-start
              A  hook  to  be run in the host's namespace before the container ttys, consoles, or
              mounts are up.

       lxc.hook.pre-mount
              A hook to be run in the container's fs namespace but before the rootfs has been set
              up.  This  allows  for  manipulation  of  the  rootfs,  i.e.  to mount an encrypted
              filesystem. Mounts done in this hook will not be reflected on the host (apart  from
              mounts  propagation),  so  they will be automatically cleaned up when the container
              shuts down.

       lxc.hook.mount
              A hook to be run in the container's namespace after mounting  has  been  done,  but
              before the pivot_root.

       lxc.hook.autodev
              A  hook  to  be  run  in the container's namespace after mounting has been done and
              after any mount hooks have run, but before the pivot_root,  if  lxc.autodev  ==  1.
              The  purpose  of  this  hook  is  to assist in populating the /dev directory of the
              container  when  using  the  autodev  option  for  systemd  based  containers.  The
              container's  /dev  directory  is  relative  to  the ${LXC_ROOTFS_MOUNT} environment
              variable available when the hook is run.

       lxc.hook.start
              A hook to be run in the container's  namespace  immediately  before  executing  the
              container's init. This requires the program to be available in the container.

       lxc.hook.post-stop
              A hook to be run in the host's namespace after the container has been shut down.

       lxc.hook.clone
              A  hook  to be run when the container is cloned to a new one.  See lxc-clone(1) for
              more information.

   CONTAINER HOOKS ENVIRONMENT VARIABLES
       A number of environment variables are made available  to  the  startup  hooks  to  provide
       configuration  information  and  assist in the functioning of the hooks. Not all variables
       are valid in all contexts. In particular, all paths are relative to the host  system  and,
       as such, not valid during the lxc.hook.start hook.

       LXC_NAME
              The  LXC  name  of  the  container.  Useful  for  logging  messages  in  common log
              environments. [-n]

       LXC_CONFIG_FILE
              Host relative path to the container configuration file. This gives the container to
              reference the original, top level, configuration file for the container in order to
              locate any additional configuration information not otherwise made available. [-f]

       LXC_CONSOLE
              The path to the console output of the container if not NULL.  [-c] [lxc.console]

       LXC_CONSOLE_LOGPATH
              The path to the console log output of the container if not NULL.  [-L]

       LXC_ROOTFS_MOUNT
              The mount location to which the container is initially bound.   This  will  be  the
              host relative path to the container rootfs for the container instance being started
              and is where changes should be made for that instance.  [lxc.rootfs.mount]

       LXC_ROOTFS_PATH
              The host relative path to  the  container  root  which  has  been  mounted  to  the
              rootfs.mount location.  [lxc.rootfs]

   LOGGING
       Logging can be configured on a per-container basis. By default, depending upon how the lxc
       package was compiled, container startup is logged only at the ERROR level, and logged to a
       file  named after the container (with '.log' appended) either under the container path, or
       under /var/log/lxc.

       Both the  default  log  level  and  the  log  file  can  be  specified  in  the  container
       configuration  file,  overriding  the  default  behavior. Note that the configuration file
       entries can in turn be overridden by the command line options to lxc-start.

       lxc.loglevel
              The level at which to log. The log level  is  an  integer  in  the  range  of  0..8
              inclusive,  where  a  lower  number means more verbose debugging. In particular 0 =
              trace, 1 = debug, 2 = info, 3 = notice, 4 = warn, 5 = error,  6  =  critical,  7  =
              alert, and 8 = fatal. If unspecified, the level defaults to 5 (error), so that only
              errors and above are logged.

              Note that when a script (such as either a hook script or a network interface up  or
              down script) is called, the script's standard output is logged at level 1, debug.

       lxc.logfile
              The file to which logging info should be written.

   AUTOSTART
       The  autostart options support marking which containers should be auto-started and in what
       order. These options may be used by LXC tools directly or by external tooling provided  by
       the distributions.

       lxc.start.auto
              Whether the container should be auto-started.  Valid values are 0 (off) and 1 (on).

       lxc.start.delay
              How  long  to  wait (in seconds) after the container is started before starting the
              next one.

       lxc.start.order
              An integer used to sort the containers when auto-starting a series of containers at
              once.

       lxc.group
              A  multi-value key (can be used multiple times) to put the container in a container
              group. Those groups can then be used (amongst other things) to start  a  series  of
              related containers.

EXAMPLES

       In  addition  to  the  few  examples  given  below,  you  will find some other examples of
       configuration file in /usr/share/doc/lxc/examples

   NETWORK
       This configuration sets up a container to use a veth pair device with one side plugged  to
       a  bridge  br0  (which has been configured before on the system by the administrator). The
       virtual network device visible in the container is renamed to eth0.

            lxc.utsname = myhostname
            lxc.network.type = veth
            lxc.network.flags = up
            lxc.network.link = br0
            lxc.network.name = eth0
            lxc.network.hwaddr = 4a:49:43:49:79:bf
            lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
            lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597

   UID/GID MAPPING
       This configuration will map both user and group ids in the range 0-9999 in  the  container
       to the ids 100000-109999 on the host.

            lxc.id_map = u 0 100000 10000
            lxc.id_map = g 0 100000 10000

   CONTROL GROUP
       This  configuration  will  setup  several  control groups for the application, cpuset.cpus
       restricts usage of the defined cpu, cpus.share prioritize the control group, devices.allow
       makes usable the specified devices.

            lxc.cgroup.cpuset.cpus = 0,1
            lxc.cgroup.cpu.shares = 1234
            lxc.cgroup.devices.deny = a
            lxc.cgroup.devices.allow = c 1:3 rw
            lxc.cgroup.devices.allow = b 8:0 rw

   COMPLEX CONFIGURATION
       This  example  show  a  complex  configuration  making  a complex network stack, using the
       control groups, setting a new hostname, mounting some locations and a changing  root  file
       system.

            lxc.utsname = complex
            lxc.network.type = veth
            lxc.network.flags = up
            lxc.network.link = br0
            lxc.network.hwaddr = 4a:49:43:49:79:bf
            lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
            lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
            lxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588
            lxc.network.type = macvlan
            lxc.network.flags = up
            lxc.network.link = eth0
            lxc.network.hwaddr = 4a:49:43:49:79:bd
            lxc.network.ipv4 = 10.2.3.4/24
            lxc.network.ipv4 = 192.168.10.125/24
            lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596
            lxc.network.type = phys
            lxc.network.flags = up
            lxc.network.link = dummy0
            lxc.network.hwaddr = 4a:49:43:49:79:ff
            lxc.network.ipv4 = 10.2.3.6/24
            lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297
            lxc.cgroup.cpuset.cpus = 0,1
            lxc.cgroup.cpu.shares = 1234
            lxc.cgroup.devices.deny = a
            lxc.cgroup.devices.allow = c 1:3 rw
            lxc.cgroup.devices.allow = b 8:0 rw
            lxc.mount = /etc/fstab.complex
            lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
            lxc.rootfs = /mnt/rootfs.complex
            lxc.cap.drop = sys_module mknod setuid net_raw
            lxc.cap.drop = mac_override

SEE ALSO

       chroot(1), pivot_root(8), fstab(5), capabilities(7)

SEE ALSO

       lxc(7),  lxc-create(1),  lxc-destroy(1),  lxc-start(1),  lxc-stop(1), lxc-execute(1), lxc-
       console(1),  lxc-monitor(1),  lxc-wait(1),  lxc-cgroup(1),  lxc-ls(1),  lxc-info(1),  lxc-
       freeze(1), lxc-unfreeze(1), lxc-attach(1), lxc.conf(5)

AUTHOR

       Daniel Lezcano <daniel.lezcano@free.fr>

                                   Mon Apr 14 15:49:22 UTC 2014             lxc.container.conf(5)