.\" This manpage has been automatically generated by docbook2man
.\" from a DocBook document. This tool can be found at:
.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "LXC.CONF" "5" "23 November 2009" "" ""
lxc.conf \- linux container configuration file
The linux containers (\fBlxc\fR) are always created
before being used. This creation defines a set of system
resources to be virtualized / isolated when a process is using
the container. By default, the pids, sysv ipc and mount points
are virtualized and isolated. The other system resources are
shared across containers unless they are explicitly defined in
the configuration file. For example, if there is no network
configuration, the network will be shared between the creator of
the container and the container itself, but if the network is
specified, a new network stack is created for the container and
the container can no longer use the network of its ancestor.
The configuration file defines the different system resources to
be assigned to the container. At present, the utsname, the
network, the mount points, the root file system and the control
Each option in the configuration file has the form \fBkey
= value\fR fitting on one line. The '#' character means
the line is a comment.
The utsname section defines the hostname to be set for the
container. That means the container can set its own hostname
without changing the one from the system. That makes the
hostname private for the container.
specify the hostname for the container.
The network section defines how the network is virtualized in
the container. The network virtualization acts at layer
two, so in order to use the network, some information must
be specified to define the network interfaces to be used by
the container. Several virtual interfaces can be assigned and
used in a container either if the system has only one physical
\fB lxc.network.type \fR
specify what kind of network virtualization to be used
for the container. Each time
a \fBlxc.network.type\fR field is found a new
round of network configuration begins. In this way
several network virtualizations can be specified for the
same container, as well as assigning several network
interfaces to one container. The different
virtualization types can be:
\fBempty:\fR a new network stack is created
for the container, but it will not contain any network
\fBveth:\fR a new network stack is created, a
peer network device is created with one side assigned to
the container and the other side attached to a bridge
specified by \fBlxc.network.link\fR\&. The
bridge has to be set up beforehand on the
system; \fBlxc\fR won't handle
configuration outside of the container.
\fBmacvlan:\fR a new network stack is
created, a macvlan interface is linked with the
interface specified by
the \fBlxc.network.link\fR and assigned to
\fBphys:\fR a new network stack is created
and the interface specified by
the \fBlxc.network.link\fR is assigned to the
\fB lxc.network.flags \fR
specify an action to do for the
\fBup:\fR activates the interface.
\fB lxc.network.link \fR
specify the interface to be used for real network
\fB lxc.network.name \fR
the interface name is dynamically allocated, but if
another name is needed because the configuration files
being used by the container use a generic name,
eg. eth0, this option will rename the interface in the
\fB lxc.network.hwaddr \fR
the interface mac address is dynamically allocated by
default to the virtual interface, but in some cases this
is needed to resolve a mac address conflict or to
always have the same link-local ipv6 address.
\fB lxc.network.ipv4 \fR
specify the ipv4 address to assign to the virtualized
interface. Several lines specify several ipv4 addresses.
The address is in format x.y.z.t/m,
eg. 192.168.1.123/24.
\fB lxc.network.ipv6 \fR
specify the ipv6 address to assign to the virtualized
interface. Several lines specify several ipv6 addresses.
The address is in format x::y/m,
eg. 2003:db8:1:0:214:1234:fe0b:3596/64.
.SS "NEW PSEUDO TTY INSTANCE (DEVPTS)"
For stricter isolation the container can have its own private
instance of the pseudo tty.
If set, the container will have a new pseudo tty
instance, making this private to it. The value specifies
the maximum number of pseudo ttys allowed for a pts
instance (this limitation is not implemented yet).
.SS "CONSOLE THROUGH THE TTYS"
If the container is configured with a root filesystem and the
inittab file is set up to launch a getty on the ttys, this
option specifies the number of ttys to be available for the
container. The number of gettys in the inittab file of the
container and the number of ttys specified in this
configuration file should be equal, otherwise the getty will
die and respawn indefinitely, giving annoying messages on the
Specify the number of ttys to make available to the
The mount points section specifies the different places to be
mounted. These mount points will be private to the container
and won't be visible to the processes running outside of the
container. This is useful to mount /etc, /var or /home for
specify a file location in
the \fIfstab\fR format, containing the
\fB lxc.mount.entry \fR
specify a mount point corresponding to a line in the
.SS "ROOT FILE SYSTEM"
The root file system is the location where the container will
specify a file location containing the new file tree for
The control group section contains the configuration for the
different subsystems. \fBlxc\fR does not check the
correctness of the subsystem name. This has the inconvenience
that an error is only detected at runtime, but the advantage
of supporting any future subsystem.
\fB lxc.cgroup.[subsystem name] \fR
specify the control group value to be set. This field is
the identifier telling that the following keyword is the
literal name of the control group subsystem,
eg. \fBlxc.cgroup.cpuset.cpus\fR
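The following Python script is an added example and is not code from the lxc project. It parses the \fBkey = value\fR format described above ('#' comment lines, a new network block at every \fBlxc.network.type\fR, repeatable keys such as several \fBlxc.network.ipv4\fR lines or several \fBlxc.cgroup.*\fR lines) and then runs the checks a reviewer of a container configuration would want: a veth, macvlan or phys block with no \fBlxc.network.link\fR, an address that is not valid x.y.z.t/m or x::y/m notation, and \fBlxc.cgroup.devices.allow\fR used without first denying every device with \fBlxc.cgroup.devices.deny = a\fR, which leaves the other host devices reachable from the container. The two embedded configurations are constructed samples modelled on the examples of this page; the function and variable names are the example's own.

```python
"""Parse and sanity-check an lxc.conf file (added example, not lxc's own code)."""
import ipaddress
from collections import defaultdict

NETWORK_TYPES = {"empty", "veth", "macvlan", "phys"}
LINKED_TYPES = {"veth", "macvlan", "phys"}   # these attach to a host interface or bridge

# Constructed sample, modelled on the COMPLEX CONFIGURATION example of this page.
SAMPLE_CONF = """\
# container identity
lxc.utsname = complex
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 4a:49:43:49:79:bf
lxc.network.ipv4 = 1.2.3.5/24
lxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597
lxc.network.type = macvlan
lxc.network.flags = up
lxc.network.link = eth0
lxc.network.ipv4 = 1.2.3.4/24
lxc.network.ipv4 = 192.168.10.125/24
lxc.network.type = phys
lxc.network.flags = up
lxc.network.link = dummy0
lxc.cgroup.cpuset.cpus = 0,1
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rw
lxc.rootfs = /mnt/rootfs.complex
"""

# Constructed sample with three mistakes the checker should report.
BAD_CONF = """\
lxc.network.type = macvlan
lxc.network.flags = up
lxc.network.ipv4 = 10.0.0.300/24
lxc.cgroup.devices.allow = c 1:3 rw
"""


def parse_lxc_conf(text):
    """Return (settings, networks).

    settings maps every non-network key to the list of its values (keys may
    repeat); networks holds one dict per lxc.network.type block, keyed by the
    part of the key after 'lxc.network.', with 'type' holding the block type.
    """
    settings = defaultdict(list)
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment line
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith("lxc.network."):
            settings[key].append(value)
            continue
        field = key[len("lxc.network."):]
        if field == "type":                           # each type starts a new round
            if value not in NETWORK_TYPES:
                raise ValueError(f"line {lineno}: unknown network type {value!r}")
            networks.append({"type": value})
        elif not networks:
            raise ValueError(f"line {lineno}: {key} appears before any lxc.network.type")
        else:
            networks[-1].setdefault(field, []).append(value)
    return dict(settings), networks


def check_config(settings, networks):
    """Return a list of warning strings; an empty list means nothing was flagged."""
    warnings = []
    for i, net in enumerate(networks):
        if net["type"] in LINKED_TYPES and "link" not in net:
            warnings.append(f"network {i} ({net['type']}): lxc.network.link is missing")
        for field, want in (("ipv4", 4), ("ipv6", 6)):
            for addr in net.get(field, []):
                try:
                    got = ipaddress.ip_interface(addr).version   # accepts x/m and bare x
                except ValueError:
                    got = None
                if got != want:
                    warnings.append(f"network {i}: {addr!r} is not a valid {field} address")
    deny = settings.get("lxc.cgroup.devices.deny", [])
    if settings.get("lxc.cgroup.devices.allow") and "a" not in deny:
        warnings.append("lxc.cgroup.devices.allow is used without "
                        "'lxc.cgroup.devices.deny = a', so every other host "
                        "device stays reachable from the container")
    return warnings


if __name__ == "__main__":
    for name, conf in (("SAMPLE_CONF", SAMPLE_CONF), ("BAD_CONF", BAD_CONF)):
        settings, networks = parse_lxc_conf(conf)
        print(f"{name}: {len(networks)} network block(s), {len(settings)} other key(s)")
        for warning in check_config(settings, networks):
            print("  warning:", warning)
```

Run it on a real file by replacing the embedded samples with the contents of the configuration file; the sample configuration parses with no warnings, while the bad one reports the missing link, the invalid ipv4 address and the unrestricted device access.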
This configuration sets up a container to use a veth pair
device with one side plugged into a bridge br0 (which has been
configured before on the system by the administrator). The
virtual network device visible in the container is renamed to
\fBlxc.utsname = myhostname\fR
\fBlxc.network.type = veth\fR
\fBlxc.network.flags = up\fR
\fBlxc.network.link = br0\fR
\fBlxc.network.name = eth0\fR
\fBlxc.network.hwaddr = 4a:49:43:49:79:bf\fR
\fBlxc.network.ipv4 = 1.2.3.5/24\fR
\fBlxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597\fR
This configuration will set up several control groups for
the application: cpuset.cpus restricts usage to the defined cpus,
cpu.shares prioritizes the control group, and devices.allow makes
the specified devices usable.
\fBlxc.cgroup.cpuset.cpus = 0,1\fR
\fBlxc.cgroup.cpu.shares = 1234\fR
\fBlxc.cgroup.devices.deny = a\fR
\fBlxc.cgroup.devices.allow = c 1:3 rw\fR
\fBlxc.cgroup.devices.allow = b 8:0 rw\fR
.SS "COMPLEX CONFIGURATION"
This example shows a complex configuration making a complex
network stack, using the control groups, setting a new hostname,
mounting some locations and changing the root file
\fBlxc.utsname = complex\fR
\fBlxc.network.type = veth\fR
\fBlxc.network.flags = up\fR
\fBlxc.network.link = br0\fR
\fBlxc.network.hwaddr = 4a:49:43:49:79:bf\fR
\fBlxc.network.ipv4 = 1.2.3.5/24\fR
\fBlxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3597\fR
\fBlxc.network.ipv6 = 2003:db8:1:0:214:5432:feab:3588\fR
\fBlxc.network.type = macvlan\fR
\fBlxc.network.flags = up\fR
\fBlxc.network.link = eth0\fR
\fBlxc.network.hwaddr = 4a:49:43:49:79:bd\fR
\fBlxc.network.ipv4 = 1.2.3.4/24\fR
\fBlxc.network.ipv4 = 192.168.10.125/24\fR
\fBlxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3596\fR
\fBlxc.network.type = phys\fR
\fBlxc.network.flags = up\fR
\fBlxc.network.link = dummy0\fR
\fBlxc.network.hwaddr = 4a:49:43:49:79:ff\fR
\fBlxc.network.ipv4 = 1.2.3.6/24\fR
\fBlxc.network.ipv6 = 2003:db8:1:0:214:1234:fe0b:3297\fR
\fBlxc.cgroup.cpuset.cpus = 0,1\fR
\fBlxc.cgroup.cpu.shares = 1234\fR
\fBlxc.cgroup.devices.deny = a\fR
\fBlxc.cgroup.devices.allow = c 1:3 rw\fR
\fBlxc.cgroup.devices.allow = b 8:0 rw\fR
\fBlxc.mount = /etc/fstab.complex\fR
\fBlxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0\fR
\fBlxc.rootfs = /mnt/rootfs.complex\fR
\fBlxc-destroy\fR(1),
\fBlxc-execute\fR(1),
\fBlxc-console\fR(1),
\fBlxc-monitor\fR(1),
\fBlxc-unfreeze\fR(1),
Daniel Lezcano <daniel.lezcano@free.fr>