Provided by: lxc-utils_5.0.0~git2209-g5a7b9ce67-0ubuntu3_amd64 
NAME
lxc.container.conf - LXC container configuration file
DESCRIPTION
LXC is the well-known and heavily tested low-level Linux container runtime. It is in
active development since 2008 and has proven itself in critical production environments
world-wide. Some of its core contributors are the same people that helped to implement
various well-known containerization features inside the Linux kernel.
LXC's main focus is system containers. That is, containers which offer an environment as
close as possible as the one you'd get from a VM but without the overhead that comes with
running a separate kernel and simulating all the hardware.
This is achieved through a combination of kernel security features such as namespaces,
mandatory access control and control groups.
LXC has support for unprivileged containers. Unprivileged containers are containers that
are run without any privilege. This requires support for user namespaces in the kernel
that the container is run on. LXC was the first runtime to support unprivileged containers
after user namespaces were merged into the mainline kernel.
In essence, user namespaces isolate given sets of UIDs and GIDs. This is achieved by
establishing a mapping between a range of UIDs and GIDs on the host to a different
(unprivileged) range of UIDs and GIDs in the container. The kernel will translate this
mapping in such a way that inside the container all UIDs and GIDs appear as you would
expect from the host whereas on the host these UIDs and GIDs are in fact unprivileged. For
example, a process running as UID and GID 0 inside the container might appear as UID and
GID 100000 on the host. The implementation and working details can be gathered from the
corresponding user namespace man page. UID and GID mappings can be defined with the
lxc.idmap key.
Linux containers are defined with a simple configuration file. Each option in the
configuration file has the form key = value fitting in one line. The "#" character means
the line is a comment. List options, like capabilities and cgroups options, can be used
with no value to clear any previously defined values of that option.
LXC namespaces configuration keys use single dots. This means complex configuration keys
such as lxc.net.0 expose various subkeys such as lxc.net.0.type, lxc.net.0.link,
lxc.net.0.ipv6.address, and others for even more fine-grained configuration.
CONFIGURATION
In order to ease administration of multiple related containers, it is possible to have a
container configuration file cause another file to be loaded. For instance, network
configuration can be defined in one common file which is included by multiple containers.
Then, if the containers are moved to another host, only one file may need to be updated.
lxc.include
Specify the file to be included. The included file must be in the same valid lxc
configuration file format.
ARCHITECTURE
Allows one to set the architecture for the container. For example, set a 32bits
architecture for a container running 32bits binaries on a 64bits host. This fixes the
container scripts which rely on the architecture to do some work like downloading the
packages.
lxc.arch
Specify the architecture for the container.
Some valid options are x86, i686, x86_64, amd64
HOSTNAME
The utsname section defines the hostname to be set for the container. That means the
container can set its own hostname without changing the one from the system. That makes
the hostname private for the container.
lxc.uts.name
specify the hostname for the container
HALT SIGNAL
Allows one to specify signal name or number sent to the container's init process to
cleanly shutdown the container. Different init systems could use different signals to
perform clean shutdown sequence. This option allows the signal to be specified in kill(1)
fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default signal is
SIGPWR.
lxc.signal.halt
specify the signal used to halt the container
REBOOT SIGNAL
Allows one to specify signal name or number to reboot the container. This option allows
signal to be specified in kill(1) fashion, e.g. SIGTERM, SIGRTMIN+14, SIGRTMAX-10 or
plain number. The default signal is SIGINT.
lxc.signal.reboot
specify the signal used to reboot the container
STOP SIGNAL
Allows one to specify signal name or number to forcibly shutdown the container. This
option allows signal to be specified in kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14,
SIGRTMAX-10 or plain number. The default signal is SIGKILL.
lxc.signal.stop
specify the signal used to stop the container
INIT COMMAND
Sets the command to use as the init system for the containers.
lxc.execute.cmd
Absolute path from container rootfs to the binary to run by default. This mostly
makes sense for lxc-execute.
lxc.init.cmd
Absolute path from container rootfs to the binary to use as init. This mostly makes
sense for lxc-start. Default is /sbin/init.
INIT WORKING DIRECTORY
Sets the absolute path inside the container as the working directory for the containers.
LXC will switch to this directory before executing init.
lxc.init.cwd
Absolute path inside the container to use as the working directory.
INIT ID
Sets the UID/GID to use for the init system, and subsequent commands. Note that using a
non-root UID when booting a system container will likely not work due to missing
privileges. Setting the UID/GID is mostly useful when running application containers.
Defaults to: UID(0), GID(0)
lxc.init.uid
UID to use for init.
lxc.init.gid
GID to use for init.
CORE SCHEDULING
Core scheduling defines if the container payload is marked as being schedulable on the
same core. Doing so will cause the kernel scheduler to ensure that tasks that are not in
the same group never run simultaneously on a core. This can serve as an extra security
measure to prevent the container payload from using cross hyper thread attacks.
lxc.sched.core
The only allowed values are 0 and 1. Set this to 1 to create a core scheduling
domain for the container or 0 to not create one. If not set explicitly no core
scheduling domain will be created for the container.
PROC
Configure proc filesystem for the container.
lxc.proc.[proc file name]
Specify the proc file name to be set. The file names available are those listed
under /proc/PID/. Example:
lxc.proc.oom_score_adj = 10
EPHEMERAL
Allows one to specify whether a container will be destroyed on shutdown.
lxc.ephemeral
The only allowed values are 0 and 1. Set this to 1 to destroy a container on
shutdown.
NETWORK
The network section defines how the network is virtualized in the container. The network
virtualization acts at layer two. In order to use the network virtualization, parameters
must be specified to define the network interfaces of the container. Several virtual
interfaces can be assigned and used in a container even if the system has only one
physical network interface.
lxc.net
may be used without a value to clear all previous network options.
lxc.net.[i].type
specify what kind of network virtualization to be used for the container. Must be
specified before any other option(s) on the net device. Multiple networks can be
specified by using an additional index i after all lxc.net.* keys. For example,
lxc.net.0.type = veth and lxc.net.1.type = veth specify two different networks of
the same type. All keys sharing the same index i will be treated as belonging to
the same network. For example, lxc.net.0.link = br0 will belong to lxc.net.0.type.
Currently, the different virtualization types can be:
none: will cause the container to share the host's network namespace. This means
the host network devices are usable in the container. It also means that if both
the container and host have upstart as init, 'halt' in a container (for instance)
will shut down the host. Note that unprivileged containers do not work with this
setting due to an inability to mount sysfs. An unsafe workaround would be to bind
mount the host's sysfs.
empty: will create only the loopback interface.
veth: a virtual ethernet pair device is created with one side assigned to the
container and the other side on the host. lxc.net.[i].veth.mode specifies the mode
the veth parent will use on the host. The accepted modes are bridge and router.
The mode defaults to bridge if not specified. In bridge mode the host side is
attached to a bridge specified by the lxc.net.[i].link option. If the bridge link
is not specified, then the veth pair device will be created but not attached to any
bridge. Otherwise, the bridge has to be created on the system before starting the
container. lxc won't handle any configuration outside of the container. In router
mode static routes are created on the host for the container's IP addresses
pointing to the host side veth interface. Additionally Proxy ARP and Proxy NDP
entries are added on the host side veth interface for the gateway IPs defined in
the container to allow the container to reach the host. By default, lxc chooses a
name for the network device belonging to the outside of the container, but if you
wish to handle this name yourselves, you can tell lxc to set a specific name with
the lxc.net.[i].veth.pair option (except for unprivileged containers where this
option is ignored for security reasons). Static routes can be added on the host
pointing to the container using the lxc.net.[i].veth.ipv4.route and
lxc.net.[i].veth.ipv6.route options. Several lines specify several routes. The
route is in format x.y.z.t/m, eg. 192.168.1.0/24. In bridge mode untagged VLAN
membership can be set with the lxc.net.[i].veth.vlan.id option. It accepts a
special value of 'none' indicating that the container port should be removed from
the bridge's default untagged VLAN. The lxc.net.[i].veth.vlan.tagged.id option can
be specified multiple times to set the container's bridge port membership to one or
more tagged VLANs.
vlan: a vlan interface is linked with the interface specified by the
lxc.net.[i].link and assigned to the container. The vlan identifier is specified
with the option lxc.net.[i].vlan.id.
macvlan: a macvlan interface is linked with the interface specified by the
lxc.net.[i].link and assigned to the container. lxc.net.[i].macvlan.mode specifies
the mode the macvlan will use to communicate between different macvlan on the same
upper device. The accepted modes are private, vepa, bridge and passthru. In
private mode, the device never communicates with any other device on the same
upper_dev (default). In vepa mode, the new Virtual Ethernet Port Aggregator (VEPA)
mode, it assumes that the adjacent bridge returns all frames where both source and
destination are local to the macvlan port, i.e. the bridge is set up as a
reflective relay. Broadcast frames coming in from the upper_dev get flooded to all
macvlan interfaces in VEPA mode, local frames are not delivered locally. In bridge
mode, it provides the behavior of a simple bridge between different macvlan
interfaces on the same port. Frames from one interface to another one get delivered
directly and are not sent out externally. Broadcast frames get flooded to all other
bridge ports and to the external interface, but when they come back from a
reflective relay, we don't deliver them again. Since we know all the MAC addresses,
the macvlan bridge mode does not require learning or STP like the bridge module
does. In passthru mode, all frames received by the physical interface are forwarded
to the macvlan interface. Only one macvlan interface in passthru mode is possible
for one physical interface.
ipvlan: an ipvlan interface is linked with the interface specified by the
lxc.net.[i].link and assigned to the container. lxc.net.[i].ipvlan.mode specifies
the mode the ipvlan will use to communicate between different ipvlan on the same
upper device. The accepted modes are l3, l3s and l2. It defaults to l3 mode. In l3
mode TX processing up to L3 happens on the stack instance attached to the dependent
device and packets are switched to the stack instance of the parent device for the
L2 processing and routing from that instance will be used before packets are queued
on the outbound device. In this mode the dependent devices will not receive nor can
send multicast / broadcast traffic. In l3s mode TX processing is very similar to
the L3 mode except that iptables (conn-tracking) works in this mode and hence it is
L3-symmetric (L3s). This will have slightly less performance but that shouldn't
matter since you are choosing this mode over plain-L3 mode to make conn-tracking
work. In l2 mode TX processing happens on the stack instance attached to the
dependent device and packets are switched and queued to the parent device to send
devices out. In this mode the dependent devices will RX/TX multicast and broadcast
(if applicable) as well. lxc.net.[i].ipvlan.isolation specifies the isolation
mode. The accepted isolation values are bridge, private and vepa. It defaults to
bridge. In bridge isolation mode dependent devices can cross-talk among themselves
apart from talking through the parent device. In private isolation mode the port
is set in private mode. i.e. port won't allow cross communication between
dependent devices. In vepa isolation mode the port is set in VEPA mode. i.e. port
will offload switching functionality to the external entity as described in
802.1Qbg.
phys: an already existing interface specified by the lxc.net.[i].link is assigned
to the container.
lxc.net.[i].flags
Specify an action to do for the network.
up: activates the interface.
lxc.net.[i].link
Specify the interface to be used for real network traffic.
lxc.net.[i].l2proxy
Controls whether layer 2 IP neighbour proxy entries will be added to the
lxc.net.[i].link interface for the IP addresses of the container. Can be set to 0
or 1. Defaults to 0. When used with IPv4 addresses, the following sysctl values
need to be set: net.ipv4.conf.[link].forwarding=1 When used with IPv6 addresses,
the following sysctl values need to be set: net.ipv6.conf.[link].proxy_ndp=1
net.ipv6.conf.[link].forwarding=1
lxc.net.[i].mtu
Specify the maximum transfer unit for this interface.
lxc.net.[i].name
The interface name is dynamically allocated, but if another name is needed because
the configuration files being used by the container use a generic name, eg. eth0,
this option will rename the interface in the container.
lxc.net.[i].hwaddr
The interface mac address is dynamically allocated by default to the virtual
interface, but in some cases, this is needed to resolve a mac address conflict or
to always have the same link-local ipv6 address. Any "x" in address will be
replaced by random value, this allows setting hwaddr templates.
lxc.net.[i].ipv4.address
Specify the ipv4 address to assign to the virtualized interface. Several lines
specify several ipv4 addresses. The address is in format x.y.z.t/m, eg.
192.168.1.123/24. You can optionally specify the broadcast address after the IP
address, e.g. 192.168.1.123/24 255.255.255.255. Otherwise it is automatically
calculated from the IP address.
lxc.net.[i].ipv4.gateway
Specify the ipv4 address to use as the gateway inside the container. The address is
in format x.y.z.t, eg. 192.168.1.123. Can also have the special value auto, which
means to take the primary address from the bridge interface (as specified by the
lxc.net.[i].link option) and use that as the gateway. auto is only available when
using the veth, macvlan and ipvlan network types. Can also have the special value
of dev, which means to set the default gateway as a device route. This is
primarily for use with layer 3 network modes, such as IPVLAN.
lxc.net.[i].ipv6.address
Specify the ipv6 address to assign to the virtualized interface. Several lines
specify several ipv6 addresses. The address is in format x::y/m, eg.
2003:db8:1:0:214:1234:fe0b:3596/64
lxc.net.[i].ipv6.gateway
Specify the ipv6 address to use as the gateway inside the container. The address is
in format x::y, eg. 2003:db8:1:0::1 Can also have the special value auto, which
means to take the primary address from the bridge interface (as specified by the
lxc.net.[i].link option) and use that as the gateway. auto is only available when
using the veth, macvlan and ipvlan network types. Can also have the special value
of dev, which means to set the default gateway as a device route. This is
primarily for use with layer 3 network modes, such as IPVLAN.
lxc.net.[i].script.up
Add a configuration option to specify a script to be executed after creating and
configuring the network used from the host side.
In addition to the information available to all hooks. The following information is
provided to the script:
• LXC_HOOK_TYPE: the hook type. This is either 'up' or 'down'.
• LXC_HOOK_SECTION: the section type 'net'.
• LXC_NET_TYPE: the network type. This is one of the valid network types listed
here (e.g. 'vlan', 'macvlan', 'ipvlan', 'veth').
• LXC_NET_PARENT: the parent device on the host. This is only set for network types
'mavclan', 'veth', 'phys'.
• LXC_NET_PEER: the name of the peer device on the host. This is only set for
'veth' network types. Note that this information is only available when
lxc.hook.version is set to 1.
Whether this information is provided in the form of environment variables or as arguments
to the script depends on the value of lxc.hook.version. If set to 1 then information is
provided in the form of environment variables. If set to 0 information is provided as
arguments to the script.
Standard output from the script is logged at debug level. Standard error is not logged,
but can be captured by the hook redirecting its standard error to standard output.
lxc.net.[i].script.down
Add a configuration option to specify a script to be executed before destroying the
network used from the host side.
In addition to the information available to all hooks. The following information is
provided to the script:
• LXC_HOOK_TYPE: the hook type. This is either 'up' or 'down'.
• LXC_HOOK_SECTION: the section type 'net'.
• LXC_NET_TYPE: the network type. This is one of the valid network types listed
here (e.g. 'vlan', 'macvlan', 'ipvlan', 'veth').
• LXC_NET_PARENT: the parent device on the host. This is only set for network types
'mavclan', 'veth', 'phys'.
• LXC_NET_PEER: the name of the peer device on the host. This is only set for
'veth' network types. Note that this information is only available when
lxc.hook.version is set to 1.
Whether this information is provided in the form of environment variables or as arguments
to the script depends on the value of lxc.hook.version. If set to 1 then information is
provided in the form of environment variables. If set to 0 information is provided as
arguments to the script.
Standard output from the script is logged at debug level. Standard error is not logged,
but can be captured by the hook redirecting its standard error to standard output.
NEW PSEUDO TTY INSTANCE (DEVPTS)
For stricter isolation the container can have its own private instance of the pseudo tty.
lxc.pty.max
If set, the container will have a new pseudo tty instance, making this private to
it. The value specifies the maximum number of pseudo ttys allowed for a pty
instance (this limitation is not implemented yet).
CONTAINER SYSTEM CONSOLE
If the container is configured with a root filesystem and the inittab file is setup to use
the console, you may want to specify where the output of this console goes.
lxc.console.buffer.size
Setting this option instructs liblxc to allocate an in-memory ringbuffer. The
container's console output will be written to the ringbuffer. Note that ringbuffer
must be at least as big as a standard page size. When passed a value smaller than a
single page size liblxc will allocate a ringbuffer of a single page size. A page
size is usually 4KB. The keyword 'auto' will cause liblxc to allocate a ringbuffer
of 128KB. When manually specifying a size for the ringbuffer the value should be a
power of 2 when converted to bytes. Valid size prefixes are 'KB', 'MB', 'GB'. (Note
that all conversions are based on multiples of 1024. That means 'KB' == 'KiB', 'MB'
== 'MiB', 'GB' == 'GiB'. Additionally, the case of the suffix is ignored, i.e.
'kB', 'KB' and 'Kb' are treated equally.)
lxc.console.size
Setting this option instructs liblxc to place a limit on the size of the console
log file specified in lxc.console.logfile. Note that size of the log file must be
at least as big as a standard page size. When passed a value smaller than a single
page size liblxc will set the size of log file to a single page size. A page size
is usually 4KB. The keyword 'auto' will cause liblxc to place a limit of 128KB on
the log file. When manually specifying a size for the log file the value should be
a power of 2 when converted to bytes. Valid size prefixes are 'KB', 'MB', 'GB'.
(Note that all conversions are based on multiples of 1024. That means 'KB' ==
'KiB', 'MB' == 'MiB', 'GB' == 'GiB'. Additionally, the case of the suffix is
ignored, i.e. 'kB', 'KB' and 'Kb' are treated equally.) If users want to mirror
the console ringbuffer on disk they should set lxc.console.size equal to
lxc.console.buffer.size.
lxc.console.logfile
Specify a path to a file where the console output will be written. Note that in
contrast to the on-disk ringbuffer logfile this file will keep growing potentially
filling up the users disks if not rotated and deleted. This problem can also be
avoided by using the in-memory ringbuffer options lxc.console.buffer.size and
lxc.console.buffer.logfile.
lxc.console.rotate
Whether to rotate the console logfile specified in lxc.console.logfile. Users can
send an API request to rotate the logfile. Note that the old logfile will have the
same name as the original with the suffix ".1" appended. Users wishing to prevent
the console log file from filling the disk should rotate the logfile and delete it
if unneeded. This problem can also be avoided by using the in-memory ringbuffer
options lxc.console.buffer.size and lxc.console.buffer.logfile.
lxc.console.path
Specify a path to a device to which the console will be attached. The keyword
'none' will simply disable the console. Note, when specifying 'none' and creating a
device node for the console in the container at /dev/console or bind-mounting the
hosts's /dev/console into the container at /dev/console the container will have
direct access to the hosts's /dev/console. This is dangerous when the container
has write access to the device and should thus be used with caution.
CONSOLE THROUGH THE TTYS
This option is useful if the container is configured with a root filesystem and the
inittab file is setup to launch a getty on the ttys. The option specifies the number of
ttys to be available for the container. The number of gettys in the inittab file of the
container should not be greater than the number of ttys specified in this option,
otherwise the excess getty sessions will die and respawn indefinitely giving annoying
messages on the console or in /var/log/messages.
lxc.tty.max
Specify the number of tty to make available to the container.
CONSOLE DEVICES LOCATION
LXC consoles are provided through Unix98 PTYs created on the host and bind-mounted over
the expected devices in the container. By default, they are bind-mounted over
/dev/console and /dev/ttyN. This can prevent package upgrades in the guest. Therefore you
can specify a directory location (under /dev under which LXC will create the files and
bind-mount over them. These will then be symbolically linked to /dev/console and
/dev/ttyN. A package upgrade can then succeed as it is able to remove and replace the
symbolic links.
lxc.tty.dir
Specify a directory under /dev under which to create the container console devices.
Note that LXC will move any bind-mounts or device nodes for /dev/console into this
directory.
/DEV DIRECTORY
By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr) in the container's
/dev directory but does not automatically create device node entries. This allows the
container's /dev to be set up as needed in the container rootfs. If lxc.autodev is set to
1, then after mounting the container's rootfs LXC will mount a fresh tmpfs under /dev
(limited to 500K by default, unless defined in lxc.autodev.tmpfs.size) and fill in a
minimal set of initial devices. This is generally required when starting a container
containing a "systemd" based "init" but may be optional at other times. Additional devices
in the containers /dev directory may be created through the use of the lxc.hook.autodev
hook.
lxc.autodev
Set this to 0 to stop LXC from mounting and populating a minimal /dev when starting
the container.
lxc.autodev.tmpfs.size
Set this to define the size of the /dev tmpfs. The default value is 500000 (500K).
If the parameter is used but without value, the default value is used.
MOUNT POINTS
The mount points section specifies the different places to be mounted. These mount points
will be private to the container and won't be visible by the processes running outside of
the container. This is useful to mount /etc, /var or /home for examples.
NOTE - LXC will generally ensure that mount targets and relative bind-mount sources are
properly confined under the container root, to avoid attacks involving over-mounting host
directories and files. (Symbolic links in absolute mount sources are ignored) However, if
the container configuration first mounts a directory which is under the control of the
container user, such as /home/joe, into the container at some path, and then mounts under
path, then a TOCTTOU attack would be possible where the container user modifies a symbolic
link under their home directory at just the right time.
lxc.mount.fstab
specify a file location in the fstab format, containing the mount information. The
mount target location can and in most cases should be a relative path, which will
become relative to the mounted container root. For instance,
proc proc proc nodev,noexec,nosuid 0 0
Will mount a proc filesystem under the container's /proc, regardless of where the
root filesystem comes from. This is resilient to block device backed filesystems as
well as container cloning.
Note that when mounting a filesystem from an image file or block device the third
field (fs_vfstype) cannot be auto as with mount(8) but must be explicitly
specified.
lxc.mount.entry
Specify a mount point corresponding to a line in the fstab format. Moreover lxc
supports mount propagation, such as rshared or rprivate, and adds three additional
mount options. optional don't fail if mount does not work. create=dir or
create=file to create dir (or file) when the point will be mounted. relative
source path is taken to be relative to the mounted container root. For instance,
dev/null proc/kcore none bind,relative 0 0
Will expand dev/null to ${LXC_ROOTFS_MOUNT}/dev/null, and mount it to proc/kcore
inside the container.
lxc.mount.auto
specify which standard kernel file systems should be automatically mounted. This
may dramatically simplify the configuration. The file systems are:
• proc:mixed (or proc): mount /proc as read-write, but remount /proc/sys and
/proc/sysrq-trigger read-only for security / container isolation purposes.
• proc:rw: mount /proc as read-write
• sys:mixed (or sys): mount /sys as read-only but with /sys/devices/virtual/net
writable.
• sys:ro: mount /sys as read-only for security / container isolation purposes.
• sys:rw: mount /sys as read-write
• cgroup:mixed: Mount a tmpfs to /sys/fs/cgroup, create directories for all
hierarchies to which the container is added, create subdirectories in those
hierarchies with the name of the cgroup, and bind-mount the container's own
cgroup into that directory. The container will be able to write to its own cgroup
directory, but not the parents, since they will be remounted read-only.
• cgroup:mixed:force: The force option will cause LXC to perform the cgroup mounts
for the container under all circumstances. Otherwise it is similar to
cgroup:mixed. This is mainly useful when the cgroup namespaces are enabled where
LXC will normally leave mounting cgroups to the init binary of the container
since it is perfectly safe to do so.
• cgroup:ro: similar to cgroup:mixed, but everything will be mounted read-only.
• cgroup:ro:force: The force option will cause LXC to perform the cgroup mounts for
the container under all circumstances. Otherwise it is similar to cgroup:ro.
This is mainly useful when the cgroup namespaces are enabled where LXC will
normally leave mounting cgroups to the init binary of the container since it is
perfectly safe to do so.
• cgroup:rw: similar to cgroup:mixed, but everything will be mounted read-write.
Note that the paths leading up to the container's own cgroup will be writable,
but will not be a cgroup filesystem but just part of the tmpfs of /sys/fs/cgroup
• cgroup:rw:force: The force option will cause LXC to perform the cgroup mounts for
the container under all circumstances. Otherwise it is similar to cgroup:rw.
This is mainly useful when the cgroup namespaces are enabled where LXC will
normally leave mounting cgroups to the init binary of the container since it is
perfectly safe to do so.
• cgroup (without specifier): defaults to cgroup:rw if the container retains the
CAP_SYS_ADMIN capability, cgroup:mixed otherwise.
• cgroup-full:mixed: mount a tmpfs to /sys/fs/cgroup, create directories for all
hierarchies to which the container is added, bind-mount the hierarchies from the
host to the container and make everything read-only except the container's own
cgroup. Note that compared to cgroup, where all paths leading up to the
container's own cgroup are just simple directories in the underlying tmpfs, here
/sys/fs/cgroup/$hierarchy will contain the host's full cgroup hierarchy, albeit
read-only outside the container's own cgroup. This may leak quite a bit of
information into the container.
• cgroup-full:mixed:force: The force option will cause LXC to perform the cgroup
mounts for the container under all circumstances. Otherwise it is similar to
cgroup-full:mixed. This is mainly useful when the cgroup namespaces are enabled
where LXC will normally leave mounting cgroups to the init binary of the
container since it is perfectly safe to do so.
• cgroup-full:ro: similar to cgroup-full:mixed, but everything will be mounted
read-only.
• cgroup-full:ro:force: The force option will cause LXC to perform the cgroup
mounts for the container under all circumstances. Otherwise it is similar to
cgroup-full:ro. This is mainly useful when the cgroup namespaces are enabled
where LXC will normally leave mounting cgroups to the init binary of the
container since it is perfectly safe to do so.
• cgroup-full:rw: similar to cgroup-full:mixed, but everything will be mounted
read-write. Note that in this case, the container may escape its own cgroup.
(Note also that if the container has CAP_SYS_ADMIN support and can mount the
cgroup filesystem itself, it may do so anyway.)
• cgroup-full:rw:force: The force option will cause LXC to perform the cgroup
mounts for the container under all circumstances. Otherwise it is similar to
cgroup-full:rw. This is mainly useful when the cgroup namespaces are enabled
where LXC will normally leave mounting cgroups to the init binary of the
container since it is perfectly safe to do so.
• cgroup-full (without specifier): defaults to cgroup-full:rw if the container
retains the CAP_SYS_ADMIN capability, cgroup-full:mixed otherwise.
If cgroup namespaces are enabled, then any cgroup auto-mounting request will be ignored,
since the container can mount the filesystems itself, and automounting can confuse the
container init.
Note that if automatic mounting of the cgroup filesystem is enabled, the tmpfs under
/sys/fs/cgroup will always be mounted read-write (but for the :mixed and :ro cases, the
individual hierarchies, /sys/fs/cgroup/$hierarchy, will be read-only). This is in order to
work around a quirk in Ubuntu's mountall(8) command that will cause containers to wait for
user input at boot if /sys/fs/cgroup is mounted read-only and the container can't remount
it read-write due to a lack of CAP_SYS_ADMIN.
Examples:
lxc.mount.auto = proc sys cgroup
lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
ROOT FILE SYSTEM
The root file system of the container can be different than that of the host system.
lxc.rootfs.path
specify the root file system for the container. It can be an image file, a
directory or a block device. If not specified, the container shares its root file
system with the host.
For directory or simple block-device backed containers, a pathname can be used. If
the rootfs is backed by a nbd device, then nbd:file:1 specifies that file should be
attached to a nbd device, and partition 1 should be mounted as the rootfs.
nbd:file specifies that the nbd device itself should be mounted.
overlayfs:/lower:/upper specifies that the rootfs should be an overlay with /upper
being mounted read-write over a read-only mount of /lower. For overlay multiple
/lower directories can be specified. loop:/file tells lxc to attach /file to a loop
device and mount the loop device.
lxc.rootfs.mount
where to recursively bind lxc.rootfs.path before pivoting. This is to ensure
success of the pivot_root(8) syscall. Any directory suffices, the default should
generally work.
lxc.rootfs.options
Specify extra mount options to use when mounting the rootfs. The format of the
mount options corresponds to the format used in fstab. In addition, LXC supports
the custom idmap= mount option. This option can be used to tell LXC to create an
idmapped mount for the container's rootfs. This is useful when the user doesn't
want to recursively chown the rootfs of the container to match the idmapping of the
user namespace the container is going to use. Instead an idmapped mount can be used
to handle this. The argument for idmap= can either be a path pointing to a user
namespace file that LXC will open and use to idmap the rootfs or the special value
"container" which will instruct LXC to use the container's user namespace to idmap
the rootfs.
lxc.rootfs.managed
Set this to 0 to indicate that LXC is not managing the container storage, then LXC
will not modify the container storage. The default is 1.
CONTROL GROUPS ("CGROUPS")
The control group section contains the configuration for the different subsystem. lxc does
not check the correctness of the subsystem name. This has the disadvantage of not
detecting configuration errors until the container is started, but has the advantage of
permitting any future subsystem.
The kernel implementation of cgroups has changed significantly over the years. With Linux
4.5 support for a new cgroup filesystem was added usually referred to as "cgroup2" or
"unified hierarchy". Since then the old cgroup filesystem is usually referred to as
"cgroup1" or the "legacy hierarchies". Please see the cgroups manual page for a detailed
explanation of the differences between the two versions.
LXC distinguishes settings for the legacy and the unified hierarchy by using different
configuration key prefixes. To alter settings for controllers in a legacy hierarchy the
key prefix lxc.cgroup. must be used and in order to alter the settings for a controller in
the unified hierarchy the lxc.cgroup2. key must be used. Note that LXC will ignore
lxc.cgroup. settings on systems that only use the unified hierarchy. Conversely, it will
ignore lxc.cgroup2. options on systems that only use legacy hierarchies.
At its core a cgroup hierarchy is a way to hierarchically organize processes. Usually a
cgroup hierarchy will have one or more "controllers" enabled. A "controller" in a cgroup
hierarchy is usually responsible for distributing a specific type of system resource along
the hierarchy. Controllers include the "pids" controller, the "cpu" controller, the
"memory" controller and others. Some controllers however do not fall into the category of
distributing a system resource, instead they are often referred to as "utility"
controllers. One utility controller is the device controller. Instead of distributing a
system resource it allows one to manage device access.
In the legacy hierarchy the device controller was implemented like most other controllers
as a set of files that could be written to. These files where named "devices.allow" and
"devices.deny". The legacy device controller allowed the implementation of both
"allowlists" and "denylists".
An allowlist is a device program that by default blocks access to all devices. In order to
access specific devices "allow rules" for particular devices or device classes must be
specified. In contrast, a denylist is a device program that by default allows access to
all devices. In order to restrict access to specific devices "deny rules" for particular
devices or device classes must be specified.
In the unified cgroup hierarchy the implementation of the device controller has completely
changed. Instead of files to read from and write to a eBPF program of
BPF_PROG_TYPE_CGROUP_DEVICE can be attached to a cgroup. Even though the kernel
implementation has changed completely LXC tries to allow for the same semantics to be
followed in the legacy device cgroup and the unified eBPF-based device controller. The
following paragraphs explain the semantics for the unified eBPF-based device controller.
As mentioned the format for specifying device rules for the unified eBPF-based device
controller is the same as for the legacy cgroup device controller; only the configuration
key prefix has changed. Specifically, device rules for the legacy cgroup device
controller are specified via lxc.cgroup.devices.allow and lxc.cgroup.devices.deny whereas
for the cgroup2 eBPF-based device controller lxc.cgroup2.devices.allow and
lxc.cgroup2.devices.deny must be used.
• A denylist device rule
lxc.cgroup2.devices.deny = a
will cause LXC to instruct the kernel to block access to all devices by default. To
grant access to devices allow device rules must be added via the
lxc.cgroup2.devices.allow key. This is referred to as a "allowlist" device program.
• An allowlist device rule
lxc.cgroup2.devices.allow = a
will cause LXC to instruct the kernel to allow access to all devices by default. To deny
access to devices deny device rules must be added via lxc.cgroup2.devices.deny key.
This is referred to as a "denylist" device program.
• Specifying any of the aforementioned two rules will cause all previous rules to be
cleared, i.e. the device list will be reset.
• When an allowlist program is requested, i.e. access to all devices is blocked by
default, specific deny rules for individual devices or device classes are ignored.
• When a denylist program is requested, i.e. access to all devices is allowed by default,
specific allow rules for individual devices or device classes are ignored.
For example the set of rules:
lxc.cgroup2.devices.deny = a
lxc.cgroup2.devices.allow = c *:* m
lxc.cgroup2.devices.allow = b *:* m
lxc.cgroup2.devices.allow = c 1:3 rwm
implements an allowlist device program, i.e. the kernel will block access to all devices
not specifically allowed in this list. This particular program states that all character
and block devices may be created but only /dev/null might be read or written.
If we instead switch to the following set of rules:
lxc.cgroup2.devices.allow = a
lxc.cgroup2.devices.deny = c *:* m
lxc.cgroup2.devices.deny = b *:* m
lxc.cgroup2.devices.deny = c 1:3 rwm
then LXC would instruct the kernel to implement a denylist, i.e. the kernel will allow
access to all devices not specifically denied in this list. This particular program states
that no character devices or block devices might be created and that /dev/null is not
allow allowed to be read, written, or created.
Now consider the same program but followed by a "global rule" which determines the type of
device program (allowlist or denylist) as explained above:
lxc.cgroup2.devices.allow = a
lxc.cgroup2.devices.deny = c *:* m
lxc.cgroup2.devices.deny = b *:* m
lxc.cgroup2.devices.deny = c 1:3 rwm
lxc.cgroup2.devices.allow = a
The last line will cause LXC to reset the device list without changing the type of device
program.
If we specify:
lxc.cgroup2.devices.allow = a
lxc.cgroup2.devices.deny = c *:* m
lxc.cgroup2.devices.deny = b *:* m
lxc.cgroup2.devices.deny = c 1:3 rwm
lxc.cgroup2.devices.deny = a
instead then the last line will cause LXC to reset the device list and switch from an
allowlist program to a denylist program.
lxc.cgroup.[controller name].[controller file]
Specify the control group value to be set on a legacy cgroup hierarchy. The
controller name is the literal name of the control group. The permitted names and
the syntax of their values is not dictated by LXC, instead it depends on the
features of the Linux kernel running at the time the container is started, eg.
lxc.cgroup.cpuset.cpus
lxc.cgroup2.[controller name].[controller file]
Specify the control group value to be set on the unified cgroup hierarchy. The
controller name is the literal name of the control group. The permitted names and
the syntax of their values is not dictated by LXC, instead it depends on the
features of the Linux kernel running at the time the container is started, eg.
lxc.cgroup2.memory.high
lxc.cgroup.dir
specify a directory or path in which the container's cgroup will be created. For
example, setting lxc.cgroup.dir = my-cgroup/first for a container named "c1" will
create the container's cgroup as a sub-cgroup of "my-cgroup". For example, if the
user's current cgroup "my-user" is located in the root cgroup of the cpuset
controller in a cgroup v1 hierarchy this would create the cgroup
"/sys/fs/cgroup/cpuset/my-user/my-cgroup/first/c1" for the container. Any missing
cgroups will be created by LXC. This presupposes that the user has write access to
its current cgroup.
lxc.cgroup.dir.container
This is similar to lxc.cgroup.dir, but must be used together with
lxc.cgroup.dir.monitor and affects only the container's cgroup path. This option is
mutually exclusive with lxc.cgroup.dir. Note that the final path the container
attaches to may be extended further by the lxc.cgroup.dir.container.inner option.
lxc.cgroup.dir.monitor
This is the monitor process counterpart to lxc.cgroup.dir.container.
lxc.cgroup.dir.monitor.pivot
On container termination the PID of the monitor process is attached to this cgroup.
This path should not be a subpath of any other configured cgroup dir to ensure
proper removal of other cgroup paths on container termination.
lxc.cgroup.dir.container.inner
Specify an additional subdirectory where the cgroup namespace will be created. With
this option, the cgroup limits will be applied to the outer path specified in
lxc.cgroup.dir.container, which is not accessible from within the container, making
it possible to better enforce limits for privileged containers in a way they cannot
override them. This only works in conjunction with the lxc.cgroup.dir.container
and lxc.cgroup.dir.monitor options and has otherwise no effect.
lxc.cgroup.relative
Set this to 1 to instruct LXC to never escape to the root cgroup. This makes it
easy for users to adhere to restrictions enforced by cgroup2 and systemd.
Specifically, this makes it possible to run LXC containers as systemd services.
CAPABILITIES
The capabilities can be dropped in the container if this one is run as root.
lxc.cap.drop
Specify the capability to be dropped in the container. A single line defining
several capabilities with a space separation is allowed. The format is the lower
case of the capability definition without the "CAP_" prefix, eg. CAP_SYS_MODULE
should be specified as sys_module. See capabilities(7). If used with no value, lxc
will clear any drop capabilities specified up to this point.
lxc.cap.keep
Specify the capability to be kept in the container. All other capabilities will be
dropped. When a special value of "none" is encountered, lxc will clear any keep
capabilities specified up to this point. A value of "none" alone can be used to
drop all capabilities.
NAMESPACES
A namespace can be cloned (lxc.namespace.clone), kept (lxc.namespace.keep) or shared
(lxc.namespace.share.[namespace identifier]).
lxc.namespace.clone
Specify namespaces which the container is supposed to be created with. The
namespaces to create are specified as a space separated list. Each namespace must
correspond to one of the standard namespace identifiers as seen in the /proc/PID/ns
directory. When lxc.namespace.clone is not explicitly set all namespaces supported
by the kernel and the current configuration will be used.
To create a new mount, net and ipc namespace set lxc.namespace.clone=mount net ipc.
lxc.namespace.keep
Specify namespaces which the container is supposed to inherit from the process that
created it. The namespaces to keep are specified as a space separated list. Each
namespace must correspond to one of the standard namespace identifiers as seen in
the /proc/PID/ns directory. The lxc.namespace.keep is a denylist option, i.e. it
is useful when enforcing that containers must keep a specific set of namespaces.
To keep the network, user and ipc namespace set lxc.namespace.keep=user net ipc.
Note that sharing pid namespaces will likely not work with most init systems.
Note that if the container requests a new user namespace and the container wants to
inherit the network namespace it needs to inherit the user namespace as well.
lxc.namespace.share.[namespace identifier]
Specify a namespace to inherit from another container or process. The [namespace
identifier] suffix needs to be replaced with one of the namespaces that appear in
the /proc/PID/ns directory.
To inherit the namespace from another process set the
lxc.namespace.share.[namespace identifier] to the PID of the process, e.g.
lxc.namespace.share.net=42.
To inherit the namespace from another container set the
lxc.namespace.share.[namespace identifier] to the name of the container, e.g.
lxc.namespace.share.pid=c3.
To inherit the namespace from another container located in a different path than
the standard liblxc path set the lxc.namespace.share.[namespace identifier] to the
full path to the container, e.g. lxc.namespace.share.user=/opt/c3.
In order to inherit namespaces the caller needs to have sufficient privilege over
the process or container.
Note that sharing pid namespaces between system containers will likely not work
with most init systems.
Note that if two processes are in different user namespaces and one process wants
to inherit the other's network namespace it usually needs to inherit the user
namespace as well.
Note that without careful additional configuration of an LSM, sharing user+pid
namespaces with a task may allow that task to escalate privileges to that of the
task calling liblxc.
lxc.time.offset.boot
Specify a positive or negative offset for the boottime clock. The format accepts
hours (h), minutes (m), seconds (s), milliseconds (ms), microseconds (us), and
nanoseconds (ns).
lxc.time.offset.monotonic
Specify a positive or negative offset for the monotonic clock. The format accepts
hours (h), minutes (m), seconds (s), milliseconds (ms), microseconds (us), and
nanoseconds (ns).
RESOURCE LIMITS
The soft and hard resource limits for the container can be changed. Unprivileged
containers can only lower them. Resources which are not explicitly specified will be
inherited.
lxc.prlimit.[limit name]
Specify the resource limit to be set. A limit is specified as two colon separated
values which are either numeric or the word 'unlimited'. A single value can be used
as a shortcut to set both soft and hard limit to the same value. The permitted
names the "RLIMIT_" resource names in lowercase without the "RLIMIT_" prefix, eg.
RLIMIT_NOFILE should be specified as "nofile". See setrlimit(2). If used with no
value, lxc will clear the resource limit specified up to this point. A resource
with no explicitly configured limitation will be inherited from the process
starting up the container.
SYSCTL
Configure kernel parameters for the container.
lxc.sysctl.[kernel parameters name]
Specify the kernel parameters to be set. The parameters available are those listed
under /proc/sys/. Note that not all sysctls are namespaced. Changing Non-
namespaced sysctls will cause the system-wide setting to be modified. sysctl(8).
If used with no value, lxc will clear the parameters specified up to this point.
APPARMOR PROFILE
If lxc was compiled and installed with apparmor support, and the host system has apparmor
enabled, then the apparmor profile under which the container should be run can be
specified in the container configuration. The default is lxc-container-default-cgns if the
host kernel is cgroup namespace aware, or lxc-container-default otherwise.
lxc.apparmor.profile
Specify the apparmor profile under which the container should be run. To specify
that the container should be unconfined, use
lxc.apparmor.profile = unconfined
If the apparmor profile should remain unchanged (i.e. if you are nesting containers
and are already confined), then use
lxc.apparmor.profile = unchanged
If you instruct LXC to generate the apparmor profile, then use
lxc.apparmor.profile = generated
lxc.apparmor.allow_incomplete
Apparmor profiles are pathname based. Therefore many file restrictions require
mount restrictions to be effective against a determined attacker. However, these
mount restrictions are not yet implemented in the upstream kernel. Without the
mount restrictions, the apparmor profiles still protect against accidental damager.
If this flag is 0 (default), then the container will not be started if the kernel
lacks the apparmor mount features, so that a regression after a kernel upgrade will
be detected. To start the container under partial apparmor protection, set this
flag to 1.
lxc.apparmor.allow_nesting
If set this to 1, causes the following changes. When generated apparmor profiles
are used, they will contain the necessary changes to allow creating a nested
container. In addition to the usual mount points, /dev/.lxc/proc and /dev/.lxc/sys
will contain procfs and sysfs mount points without the lxcfs overlays, which, if
generated apparmor profiles are being used, will not be read/writable directly.
lxc.apparmor.raw
A list of raw AppArmor profile lines to append to the profile. Only valid when
using generated profiles.
SELINUX CONTEXT
If lxc was compiled and installed with SELinux support, and the host system has SELinux
enabled, then the SELinux context under which the container should be run can be specified
in the container configuration. The default is unconfined_t, which means that lxc will not
attempt to change contexts. See /usr/share/lxc/selinux/lxc.te for an example policy and
more information.
lxc.selinux.context
Specify the SELinux context under which the container should be run or
unconfined_t. For example
lxc.selinux.context = system_u:system_r:lxc_t:s0:c22
lxc.selinux.context.keyring
Specify the SELinux context under which the container's keyring should be created.
By default this the same as lxc.selinux.context, or the context lxc is executed
under if lxc.selinux.context has not been set.
lxc.selinux.context.keyring = system_u:system_r:lxc_t:s0:c22
KERNEL KEYRING
The Linux Keyring facility is primarily a way for various kernel components to retain or
cache security data, authentication keys, encryption keys, and other data in the kernel.
By default lxc will create a new session keyring for the started application.
lxc.keyring.session
Disable the creation of new session keyring by lxc. The started application will
then inherit the current session keyring. By default, or when passing the value 1,
a new keyring will be created.
lxc.keyring.session = 0
SECCOMP CONFIGURATION
A container can be started with a reduced set of available system calls by loading a
seccomp profile at startup. The seccomp configuration file must begin with a version
number on the first line, a policy type on the second line, followed by the configuration.
Versions 1 and 2 are currently supported. In version 1, the policy is a simple allowlist.
The second line therefore must read "allowlist", with the rest of the file containing one
(numeric) syscall number per line. Each syscall number is allowlisted, while every
unlisted number is denylisted for use in the container
In version 2, the policy may be denylist or allowlist, supports per-rule and per-policy
default actions, and supports per-architecture system call resolution from textual names.
An example denylist policy, in which all system calls are allowed except for mknod, which
will simply do nothing and return 0 (success), looks like:
2
denylist
mknod errno 0
ioctl notify
Specifying "errno" as action will cause LXC to register a seccomp filter that will cause a
specific errno to be returned to the caller. The errno value can be specified after the
"errno" action word.
Specifying "notify" as action will cause LXC to register a seccomp listener and retrieve a
listener file descriptor from the kernel. When a syscall is made that is registered as
"notify" the kernel will generate a poll event and send a message over the file
descriptor. The caller can read this message, inspect the syscalls including its
arguments. Based on this information the caller is expected to send back a message
informing the kernel which action to take. Until that message is sent the kernel will
block the calling process. The format of the messages to read and sent is documented in
seccomp itself.
lxc.seccomp.profile
Specify a file containing the seccomp configuration to load before the container
starts.
lxc.seccomp.allow_nesting
If this flag is set to 1, then seccomp filters will be stacked regardless of
whether a seccomp profile is already loaded. This allows nested containers to load
their own seccomp profile. The default setting is 0.
lxc.seccomp.notify.proxy
Specify a unix socket to which LXC will connect and forward seccomp events to. The
path must be in the form unix:/path/to/socket or unix:@socket. The former specifies
a path-bound unix domain socket while the latter specifies an abstract unix domain
socket.
lxc.seccomp.notify.cookie
An additional string sent along with proxied seccomp notification requests.
PR_SET_NO_NEW_PRIVS
With PR_SET_NO_NEW_PRIVS active execve() promises not to grant privileges to do anything
that could not have been done without the execve() call (for example, rendering the set-
user-ID and set-group-ID mode bits, and file capabilities non-functional). Once set, this
bit cannot be unset. The setting of this bit is inherited by children created by fork()
and clone(), and preserved across execve(). Note that PR_SET_NO_NEW_PRIVS is applied
after the container has changed into its intended AppArmor profile or SElinux context.
lxc.no_new_privs
Specify whether the PR_SET_NO_NEW_PRIVS flag should be set for the container. Set
to 1 to activate.
UID MAPPINGS
A container can be started in a private user namespace with user and group id mappings.
For instance, you can map userid 0 in the container to userid 200000 on the host. The root
user in the container will be privileged in the container, but unprivileged on the host.
Normally a system container will want a range of ids, so you would map, for instance, user
and group ids 0 through 20,000 in the container to the ids 200,000 through 220,000.
lxc.idmap
Four values must be provided. First a character, either 'u', or 'g', to specify
whether user or group ids are being mapped. Next is the first userid as seen in the
user namespace of the container. Next is the userid as seen on the host. Finally, a
range indicating the number of consecutive ids to map.
CONTAINER HOOKS
Container hooks are programs or scripts which can be executed at various times in a
container's lifetime.
When a container hook is executed, additional information is passed along. The
lxc.hook.version argument can be used to determine if the following arguments are passed
as command line arguments or through environment variables. The arguments are:
• Container name.
• Section (always 'lxc').
• The hook type (i.e. 'clone' or 'pre-mount').
• Additional arguments. In the case of the clone hook, any extra arguments passed will
appear as further arguments to the hook. In the case of the stop hook, paths to
filedescriptors for each of the container's namespaces along with their types are
passed.
The following environment variables are set:
• LXC_CGNS_AWARE: indicator whether the container is cgroup namespace aware.
• LXC_CONFIG_FILE: the path to the container configuration file.
• LXC_HOOK_TYPE: the hook type (e.g. 'clone', 'mount', 'pre-mount'). Note that the
existence of this environment variable is conditional on the value of lxc.hook.version.
If it is set to 1 then LXC_HOOK_TYPE will be set.
• LXC_HOOK_SECTION: the section type (e.g. 'lxc', 'net'). Note that the existence of this
environment variable is conditional on the value of lxc.hook.version. If it is set to 1
then LXC_HOOK_SECTION will be set.
• LXC_HOOK_VERSION: the version of the hooks. This value is identical to the value of the
container's lxc.hook.version config item. If it is set to 0 then old-style hooks are
used. If it is set to 1 then new-style hooks are used.
• LXC_LOG_LEVEL: the container's log level.
• LXC_NAME: is the container's name.
• LXC_[NAMESPACE IDENTIFIER]_NS: path under /proc/PID/fd/ to a file descriptor referring
to the container's namespace. For each preserved namespace type there will be a separate
environment variable. These environment variables will only be set if lxc.hook.version
is set to 1.
• LXC_ROOTFS_MOUNT: the path to the mounted root filesystem.
• LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry for the container. Note this is
likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that.
• LXC_SRC_NAME: in the case of the clone hook, this is the original container's name.
Standard output from the hooks is logged at debug level. Standard error is not logged,
but can be captured by the hook redirecting its standard error to standard output.
lxc.hook.version
To pass the arguments in new style via environment variables set to 1 otherwise set
to 0 to pass them as arguments. This setting affects all hooks arguments that were
traditionally passed as arguments to the script. Specifically, it affects the
container name, section (e.g. 'lxc', 'net') and hook type (e.g. 'clone', 'mount',
'pre-mount') arguments. If new-style hooks are used then the arguments will be
available as environment variables. The container name will be set in LXC_NAME.
(This is set independently of the value used for this config item.) The section
will be set in LXC_HOOK_SECTION and the hook type will be set in LXC_HOOK_TYPE. It
also affects how the paths to file descriptors referring to the container's
namespaces are passed. If set to 1 then for each namespace a separate environment
variable LXC_[NAMESPACE IDENTIFIER]_NS will be set. If set to 0 then the paths will
be passed as arguments to the stop hook.
lxc.hook.pre-start
A hook to be run in the host's namespace before the container ttys, consoles, or
mounts are up.
lxc.hook.pre-mount
A hook to be run in the container's fs namespace but before the rootfs has been set
up. This allows for manipulation of the rootfs, i.e. to mount an encrypted
filesystem. Mounts done in this hook will not be reflected on the host (apart from
mounts propagation), so they will be automatically cleaned up when the container
shuts down.
lxc.hook.mount
A hook to be run in the container's namespace after mounting has been done, but
before the pivot_root.
lxc.hook.autodev
A hook to be run in the container's namespace after mounting has been done and
after any mount hooks have run, but before the pivot_root, if lxc.autodev == 1.
The purpose of this hook is to assist in populating the /dev directory of the
container when using the autodev option for systemd based containers. The
container's /dev directory is relative to the ${LXC_ROOTFS_MOUNT} environment
variable available when the hook is run.
lxc.hook.start-host
A hook to be run in the host's namespace after the container has been setup, and
immediately before starting the container init.
lxc.hook.start
A hook to be run in the container's namespace immediately before executing the
container's init. This requires the program to be available in the container.
lxc.hook.stop
A hook to be run in the host's namespace with references to the container's
namespaces after the container has been shut down. For each namespace an extra
argument is passed to the hook containing the namespace's type and a filename that
can be used to obtain a file descriptor to the corresponding namespace, separated
by a colon. The type is the name as it would appear in the /proc/PID/ns directory.
For instance for the mount namespace the argument usually looks like
mnt:/proc/PID/fd/12.
lxc.hook.post-stop
A hook to be run in the host's namespace after the container has been shut down.
lxc.hook.clone
A hook to be run when the container is cloned to a new one. See lxc-clone(1) for
more information.
lxc.hook.destroy
A hook to be run when the container is destroyed.
CONTAINER HOOKS ENVIRONMENT VARIABLES
A number of environment variables are made available to the startup hooks to provide
configuration information and assist in the functioning of the hooks. Not all variables
are valid in all contexts. In particular, all paths are relative to the host system and,
as such, not valid during the lxc.hook.start hook.
LXC_NAME
The LXC name of the container. Useful for logging messages in common log
environments. [-n]
LXC_CONFIG_FILE
Host relative path to the container configuration file. This gives the container to
reference the original, top level, configuration file for the container in order to
locate any additional configuration information not otherwise made available. [-f]
LXC_CONSOLE
The path to the console output of the container if not NULL. [-c]
[lxc.console.path]
LXC_CONSOLE_LOGPATH
The path to the console log output of the container if not NULL. [-L]
LXC_ROOTFS_MOUNT
The mount location to which the container is initially bound. This will be the
host relative path to the container rootfs for the container instance being started
and is where changes should be made for that instance. [lxc.rootfs.mount]
LXC_ROOTFS_PATH
The host relative path to the container root which has been mounted to the
rootfs.mount location. [lxc.rootfs.path]
LXC_SRC_NAME
Only for the clone hook. Is set to the original container name.
LXC_TARGET
Only for the stop hook. Is set to "stop" for a container shutdown or "reboot" for a
container reboot.
LXC_CGNS_AWARE
If unset, then this version of lxc is not aware of cgroup namespaces. If set, it
will be set to 1, and lxc is aware of cgroup namespaces. Note this does not
guarantee that cgroup namespaces are enabled in the kernel. This is used by the
lxcfs mount hook.
LOGGING
Logging can be configured on a per-container basis. By default, depending upon how the lxc
package was compiled, container startup is logged only at the ERROR level, and logged to a
file named after the container (with '.log' appended) either under the container path, or
under /var/log/lxc.
Both the default log level and the log file can be specified in the container
configuration file, overriding the default behavior. Note that the configuration file
entries can in turn be overridden by the command line options to lxc-start.
lxc.log.level
The level at which to log. The log level is an integer in the range of 0..8
inclusive, where a lower number means more verbose debugging. In particular 0 =
trace, 1 = debug, 2 = info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
alert, and 8 = fatal. If unspecified, the level defaults to 5 (error), so that only
errors and above are logged.
Note that when a script (such as either a hook script or a network interface up or
down script) is called, the script's standard output is logged at level 1, debug.
lxc.log.file
The file to which logging info should be written.
lxc.log.syslog
Send logging info to syslog. It respects the log level defined in lxc.log.level.
The argument should be the syslog facility to use, valid ones are: daemon, local0,
local1, local2, local3, local4, local5, local5, local6, local7.
AUTOSTART
The autostart options support marking which containers should be auto-started and in what
order. These options may be used by LXC tools directly or by external tooling provided by
the distributions.
lxc.start.auto
Whether the container should be auto-started. Valid values are 0 (off) and 1 (on).
lxc.start.delay
How long to wait (in seconds) after the container is started before starting the
next one.
lxc.start.order
An integer used to sort the containers when auto-starting a series of containers at
once. A lower value means an earlier start.
lxc.monitor.unshare
If not zero the mount namespace will be unshared from the host before initializing
the container (before running any pre-start hooks). This requires the CAP_SYS_ADMIN
capability at startup. Default is 0.
lxc.monitor.signal.pdeath
Set the signal to be sent to the container's init when the lxc monitor exits. By
default it is set to SIGKILL which will cause all container processes to be killed
when the lxc monitor process dies. To ensure that containers stay alive even if
lxc monitor dies set this to 0.
lxc.group
A multi-value key (can be used multiple times) to put the container in a container
group. Those groups can then be used (amongst other things) to start a series of
related containers.
AUTOSTART AND SYSTEM BOOT
Each container can be part of any number of groups or no group at all. Two groups are
special. One is the NULL group, i.e. the container does not belong to any group. The other
group is the "onboot" group.
When the system boots with the LXC service enabled, it will first attempt to boot any
containers with lxc.start.auto == 1 that is a member of the "onboot" group. The startup
will be in order of lxc.start.order. If an lxc.start.delay has been specified, that delay
will be honored before attempting to start the next container to give the current
container time to begin initialization and reduce overloading the host system. After
starting the members of the "onboot" group, the LXC system will proceed to boot containers
with lxc.start.auto == 1 which are not members of any group (the NULL group) and proceed
as with the onboot group.
CONTAINER ENVIRONMENT
If you want to pass environment variables into the container (that is, environment
variables which will be available to init and all of its descendents), you can use
lxc.environment parameters to do so. Be careful that you do not pass in anything
sensitive; any process in the container which doesn't have its environment scrubbed will
have these variables available to it, and environment variables are always available via
/proc/PID/environ.
This configuration parameter can be specified multiple times; once for each environment
variable you wish to configure.
lxc.environment
Specify an environment variable to pass into the container. Example:
lxc.environment = APP_ENV=production
lxc.environment = SYSLOG_SERVER=192.0.2.42
It is possible to inherit host environment variables by setting the name of the
variable without a "=" sign. For example:
lxc.environment = PATH
EXAMPLES
In addition to the few examples given below, you will find some other examples of
configuration file in /usr/share/doc/lxc/examples
NETWORK
This configuration sets up a container to use a veth pair device with one side plugged to
a bridge br0 (which has been configured before on the system by the administrator). The
virtual network device visible in the container is renamed to eth0.
lxc.uts.name = myhostname
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.name = eth0
lxc.net.0.hwaddr = 4a:49:43:49:79:bf
lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
UID/GID MAPPING
This configuration will map both user and group ids in the range 0-9999 in the container
to the ids 100000-109999 on the host.
lxc.idmap = u 0 100000 10000
lxc.idmap = g 0 100000 10000
CONTROL GROUP
This configuration will setup several control groups for the application, cpuset.cpus
restricts usage of the defined cpu, cpus.share prioritize the control group, devices.allow
makes usable the specified devices.
lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = b 8:0 rw
COMPLEX CONFIGURATION
This example show a complex configuration making a complex network stack, using the
control groups, setting a new hostname, mounting some locations and a changing root file
system.
lxc.uts.name = complex
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.hwaddr = 4a:49:43:49:79:bf
lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
lxc.net.0.ipv6.address = 2003:db8:1:0:214:5432:feab:3588
lxc.net.1.type = macvlan
lxc.net.1.flags = up
lxc.net.1.link = eth0
lxc.net.1.hwaddr = 4a:49:43:49:79:bd
lxc.net.1.ipv4.address = 10.2.3.4/24
lxc.net.1.ipv4.address = 192.168.10.125/24
lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
lxc.net.2.type = phys
lxc.net.2.flags = up
lxc.net.2.link = random0
lxc.net.2.hwaddr = 4a:49:43:49:79:ff
lxc.net.2.ipv4.address = 10.2.3.6/24
lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297
lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = b 8:0 rw
lxc.mount.fstab = /etc/fstab.complex
lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
lxc.rootfs.path = dir:/mnt/rootfs.complex
lxc.rootfs.options = idmap=container
lxc.cap.drop = sys_module mknod setuid net_raw
lxc.cap.drop = mac_override
SEE ALSO
chroot(1), pivot_root(8), fstab(5), capabilities(7)
SEE ALSO
lxc(7), lxc-create(1), lxc-copy(1), lxc-destroy(1), lxc-start(1), lxc-stop(1), lxc-
execute(1), lxc-console(1), lxc-monitor(1), lxc-wait(1), lxc-cgroup(1), lxc-ls(1), lxc-
info(1), lxc-freeze(1), lxc-unfreeze(1), lxc-attach(1), lxc.conf(5)
AUTHOR
Daniel Lezcano <daniel.lezcano@free.fr>
2022-09-07 lxc.container.conf(5)