50
<cmdsynopsis><command>lxc-attach <replaceable>-n
51
name</replaceable> <optional>-a
52
arch</optional> <optional>-e</optional>
53
<optional>-- command</optional></command></cmdsynopsis>
51
<command>lxc-attach</command>
52
<arg choice="req">-n <replaceable>name</replaceable></arg>
53
<arg choice="opt">-a <replaceable>arch</replaceable></arg>
54
<arg choice="opt">-e</arg>
55
<arg choice="opt">-s <replaceable>namespaces</replaceable></arg>
56
<arg choice="opt">-R</arg>
57
<arg choice="opt">-- <replaceable>command</replaceable></arg>
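Review bot: the new synopsis lists -R as an independent optional argument, but the option text added below says it only has an effect together with -s when the mount namespace is not included, and is ignored otherwise. Consider showing that dependency in the synopsis, or at least keeping the arguments in an order that puts -R directly after -s (as done here) and stating the dependency in the first sentence of the -R entry.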
132
<option>-s, --namespaces <replaceable>namespaces</replaceable></option>
136
Specify the namespaces to attach to, as a pipe-separated list,
137
e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
138
<replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
139
<replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
140
<replaceable>USER </replaceable> and
141
<replaceable>NETWORK</replaceable>. This allows one to change
142
the context of the process to e.g. the network namespace of the
143
container while retaining the other namespaces as those of the
147
<emphasis>Important:</emphasis> This option implies
155
<option>-R, --remount-sys-proc</option>
159
When using <option>-s</option> and the mount namespace is not
160
included, this flag will cause <command>lxc-attach</command>
161
to remount <replaceable>/proc</replaceable> and
162
<replaceable>/sys</replaceable> to reflect the current other
166
Please see the <emphasis>Notes</emphasis> section for more
170
This option will be ignored if one tries to attach to the
171
mount namespace anyway.
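Review bot: the example value NETWORK|IPC in the -s description contains the shell pipe character, so a reader who types it as shown gets a pipeline instead of a namespace list. The text should say the list has to be quoted, since the only worked example added further down uses a single namespace and never shows this. Two smaller points in the same entry: "<replaceable>USER </replaceable>" has a trailing space inside the element, and USER is listed as an allowed value without a pointer to the Compatibility section, which states that attaching to user namespaces is not supported yet.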
146
197
To deactivate the network link eth1 of a running container that
147
does not have the NET_ADMIN capability, use the <option>-e</option>
148
option to use increased capabilities:
198
does not have the NET_ADMIN capability, use either the
199
<option>-e</option> option to use increased capabilities,
200
assuming the <command>ip</command> tool is installed:
150
202
lxc-attach -n container -e -- /sbin/ip link delete eth1
151
203
</programlisting>
204
Or, alternatively, use the <option>-s</option> to use the
205
tools installed on the host outside the container:
207
lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
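Review bot: the lead-in to the second example, "use the -s to use the tools installed on the host", is missing the word "option" and undersells what the command does. With -s NETWORK the binary is the host's /sbin/ip, not the container's, and it acts on the container's network namespace. Say so explicitly, and qualify "assuming the ip tool is installed" in the first example as installed inside the container, so the difference between the two variants is clear. The "use either ... Or, alternatively" construction across the two paragraphs also reads awkwardly; "either" can be dropped.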
213
<title>Compatibility</title>
215
Attaching completely (including the pid and mount namespaces) to a
216
container requires a patched kernel, please see the lxc website for
217
details. <command>lxc-attach</command> will fail in that case if
218
used with an unpatched kernel.
221
Nevertheless, it will succeed on an unpatched kernel of version 3.0
222
or higher if the <option>-s</option> option is used to restrict the
223
namespaces that the process is to be attached to to one or more of
224
<replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
225
and <replaceable>UTSNAME</replaceable>.
228
Attaching to user namespaces is currently completely unsupported
229
by the kernel. <command>lxc-attach</command> should however be able
230
to do this once once future kernel versions implement this.
237
The Linux <replaceable>/proc</replaceable> and
238
<replaceable>/sys</replaceable> filesystems contain information
239
about some quantities that are affected by namespaces, such as
240
the directories named after process ids in
241
<replaceable>/proc</replaceable> or the network interface infromation
242
in <replaceable>/sys/class/net</replaceable>. The namespace of the
243
process mounting the pseudo-filesystems determines what information
244
is shown, <emphasis>not</emphasis> the namespace of the process
245
accessing <replaceable>/proc</replaceable> or
246
<replaceable>/sys</replaceable>.
249
If one uses the <option>-s</option> option to only attach to
250
the pid namespace of a container, but not its mount namespace
251
(which will contain the <replaceable>/proc</replaceable> of the
252
container and not the host), the contents of <option>/proc</option>
253
will reflect that of the host and not the container. Analogously,
254
the same issue occurs when reading the contents of
255
<replaceable>/sys/class/net</replaceable> and attaching to just
256
the network namespace.
259
To work around this problem, the <option>-R</option> flag provides
260
the option to remount <replaceable>/proc</replaceable> and
261
<replaceable>/sys</replaceable> in order for them to reflect the
262
network/pid namespace context of the attached process. In order
263
not to interfere with the host's actual filesystem, the mount
264
namespace will be unshared (like <command>lxc-unshare</command>
265
does) before this is done, esentially giving the process a new
266
mount namespace, which is identical to the hosts's mount namespace
267
except for the <replaceable>/proc</replaceable> and
268
<replaceable>/sys</replaceable> filesystems.
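Review bot: several typos in the added Compatibility and Notes text need fixing before merge: "once once future kernel versions", "infromation", "esentially" and "hosts's". In the paragraph about attaching only to the pid namespace, "/proc" is marked up as an option ("<option>/proc</option>") while every other occurrence uses replaceable; make it consistent. "attached to to one or more of" is grammatical but stumbles; "restrict the namespaces the process attaches to, to one or more of" or a reworded sentence would read better.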
156
273
<title>Security</title>
158
The <option>-e</option> should be used with care, as it may break
159
the isolation of the containers if used improperly.
275
The <option>-e</option> and <option>-s</option> options should
276
be used with care, as it may break the isolation of the containers
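Review bot: in the rewritten Security sentence the subject is now plural ("The -e and -s options") but the verb phrase was kept as "as it may break"; it should be "as they may break". The paragraph also gives no hint of why -s is a risk. One sentence tying it to the behaviour documented above would help: a process attached with -s keeps the host's remaining namespaces, so host tools run with access to part of the container's context. -R is not mentioned here either; state whether it needs the same care.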