lxc.container.conf(5) lxc.container.conf(5) NAME lxc.container.conf - LXC linux (lxc) . . pid, sysv ipc, . , . , , . , . . . utsname, , , , . key = value . '#' . capability cgroup , . . , . , . , . lxc.include include . include lxc . . , 64 32 32 . . lxc.arch . . x86, i686, x86_64, amd64 utsname . . , . lxc.uts.name . lxc-stop . init . kill(1) . SIGPWR, SIGRTMIN+14, SIGRTMAX-10 . SIGPWR. lxc.signal.halt . lxc-stop . kill(1) . SIGINT, SIGRTMIN+14, SIGRTMAX-10 . SIGINT. lxc.signal.reboot . lxc-stop . kill(1) . > SIGKILL, SIGRTMIN+14, SIGRTMAX-10 . SIGKILL. lxc.signal.stop . INIT init . lxc-execute . /sbin/init. lxc.init.cmd init . INIT ID lxc-execute init UID/GID . lxc-execute . : UID(0), GID(0) lxc.init.uid init UID. lxc.init.gid init GID. , . lxc.ephemeral 0 1. 1 , . . 2 . , . , . lxc.net . lxc.net.[i].type . lxc.net.[i].type . . . . empty: . veth: , lxc.net.[i].link (veth) . , veth . . lxc . lxc . , lxc lxc.net.[i].veth.pair . ( . ) vlan: vlan lxc.net.[i].link , . vlan lxc.net.[i].vlan.id . macvlan: macvlan lxc.net.[i].link , . lxc.net.[i].macvlan.mode macvlan . privatevepabridgepassthru. private . () (Virtual Ethernet Port Aggregator), vepa macvlan . , reflective relay . macvlan . . bridge macvlan . . . . reflective relay , . MAC , macvlan STP . passthru macvlan . passthru . phys: lxc.net.[i].link . lxc.net.[i].flags . up: . lxc.net.[i].link . lxc.net.[i].mtu (MTU) . lxc.net.[i].name . , , (: eth0) . lxc.net.[i].hwaddr MAC . MAC , IPv6 , . "x" . . lxc.net.[i].ipv4.address IPv4 . IPv4 . x.y.z.t/m, 192.168.1.123/24. . lxc.net.[i].ipv4.gateway IPv4 . x.y.z.t, 192.168.1.123. auto . (lxc.net.[i].link ) . auto veth macvlan . lxc.net.[i].ipv6.address IPv6 . IPv6 . x::y/m, 2003:db8:1:0:214:1234:fe0b:3596/64. lxc.net.[i].ipv6.gateway IPv4 . x::y, 2003:db8:1:0::1. auto . (lxc.net.[i].link ) . auto veth macvlan . lxc.net.[i].script.up . : , (net). . : (up), (empty/veth/macvlan/phys). : veth/macvlan/phys , ( ) . debug . , . lxc.net.[i].script.down . : , (net). . : (down), (empty/veth/macvlan/phys). : veth/macvlan/phys , ( ) . debug . , . PSEUDO TTY (DEVPTS) pseudo tty . lxc.pty.max , pseudo tty . . pseudo tty . ( ) inittab , . lxc.console.logfile . lxc.console.path . 'none' . , . TTY inittab tty getty , . tty . inittab getty tty . getty /var/log/messages . lxc.tty.max tty . LXC Unix98 PTY . /dev/console /dev/ttyN . . /dev LXC . /dev/console /dev/ttyN . . lxc.tty.dir /dev . /DEV lxc (fd, stdin, stdout, stderr) /dev . . /dev . lxc.autodev 1 , , LXC /dev tmpfs( 500k) . . "systemd" "init" , . lxc.hook.autodev /dev . lxc.autodev /dev /dev . 0 . KMSG /dev/console /dev/kmsg . lxc.kmsg 1 /dev/kmsg . . . /etc, /var, /home . - LXC . . ( .) , , /home/joe path , path , home , TOCTTOU ( : Time of check to time of use) . lxc.mount.fstab fstab . , . proc proc proc nodev,noexec,nosuid 0 0 .fi proc /proc . . , 3 (fs_vfstype) mount(8) auto , . lxc.mount.entry fstab , . 2 . LXC . optional , . create=dir create=file , (dir) (file) . lxc.mount.auto . . . o proc:mixed (or proc): /proc / , /proc/sys /proc/sysrq-trigger ( ) o proc:rw: /proc / o sys:mixed (or sys): /sys/devices/virtual/net , /sys . o sys:ro: /sys ( ) o sys:rw: /sys / o cgroup:mixed: /sys/fs/cgroup tmpfs . . cgroup . cgroup . cgroup . o cgroup:ro: cgroup:mixed , , o cgroup:rw: cgroup:mixed , , / . cgroup , cgroup /sys/fs/cgroup tmpfs . o cgroup ( ): CAP_SYS_ADMIN capability cgroup:rw . cgroup:mixed . o cgroup-full:mixed: /sys/fs/cgroup tmpfs . . cgroup . , cgroup cgroup tmpfs . , cgroup /sys/fs/cgroup/$hierarchy cgroup . . o cgroup-full:ro: cgroup-full:mixed , , o cgroup-full:rw: cgroup-full:mixed , , / . cgroup . ( CAP_SYS_ADMIN , cgroup . ) o cgroup-full ( ): CAP_SYS_ADMIN capability cgroup-full:rw . cgroup-full:mixed . cgroup , cgroup . , . cgroup , /sys/fs/cgroup tmpfs / .(, :mixed :ro /sys/fs/cgroup/$hierarchy ) Ubuntu . mountall(8) /sys/fs/cgroup , CAP_SYS_ADMIN / , . : lxc.mount.auto = proc sys cgroup lxc.mount.auto = proc:rw sys:rw cgroup-full:rw . lxc.rootfs.path . . . . nbd , nbd:file:1 file nbd 1 . nbd:file nbd . overlayfs:/lower:/upper /lower /upper / . aufs:/lower:/upper aufs . overlayfs aufs /lower . loop:/file lxc /file loop loop . lxc.rootfs.mount , lxc.rootfs.path . pivot_root(8) . , . lxc.rootfs.options . (lxc) . lxc . . . lxc.cgroup.[subsystem name] . . LXC , . lxc.cgroup.cpuset.cpus. CAPABILITIES root , capability . lxc.cap.drop capability . capability (space) . capability "CAP_" . CAP_SYS_MODULE sys_module. . capabilities(7) , capability . (lxc.cap.drop .) lxc.cap.keep capability . capability . "none" , lxc capability . capability "none" . APPARMOR lxc apparmor , apparmor , apparmor . cgroup lxc-container-default- cgns, lxc-container-default. lxc.apparmor.profile apparmor . apparmor , . lxc.apparmor.profile = unconfined apparmor ( , confined ), . lxc.apparmor.profile = unchanged lxc.apparmor.allow_incomplete apparmor , . upstream . , apparmor . 0(), apparmor . . apparmor , 1 . SELINUX lxc SELinux , SELinux , SELinux . unconfined_t. lxc . /usr/share/lxc/selinux/lxc.te . lxc.selinux.context SELinux , unconfined_t . . lxc.selinux.context = system_u:system_r:lxc_t:s0:c22 SECCOMP seccomp . seccomp , , . 1 2 . 1 . "allowlist" . . . 2 . , , . . mknod . mknod 0() . 2 denylist mknod errno 0 .fi lxc.seccomp.profile seccomp . PR_SET_NO_NEW_PRIVS PR_SET_NO_NEW_PRIVS , execve(), execve() . ( , set-user-ID set-group-ID , .) . fork() clone() , execve() . PR_SET_NO_NEW_PRIVS AppArmor SELinux . lxc.no_new_privs PR_SET_NO_NEW_PRIVS . 1 . UID ID . UID 0 UID 200000 . , . ID . , UID GID 0 ~ 20,000 200,000 ~ 220,000 . lxc.idmap 4 . 'u', 'g', 'b' UID, GID, UID GID . UID, UID, ID . . , . : o o ( 'lxc') o ('clone', 'pre-mount' ) o . clone , lxc-clone . stop , . : o LXC_NAME: o LXC_ROOTFS_MOUNT: o LXC_CONFIG_FILE: o LXC_SRC_NAME: clone , o LXC_ROOTFS_PATH: lxc.rootfs.path . . LXC_ROOTFS_MOUNT . debug . , . lxc.hook.pre-start tty, , . lxc.hook.pre-mount . . . (mounts propagation ) . lxc.hook.mount pivot_root , . lxc.hook.autodev lxc.autodev == 1 pivot_root, . systemd autodev /dev . , /dev ${LXC_ROOTFS_MOUNT} . lxc.hook.start init . . lxc.hook.stop . . , . /proc/PID/ns . mnt:/proc/PID/fd/12 . lxc.hook.post-stop . lxc.hook.clone . . lxc-clone(1) lxc.hook.destroy . . . , , lxc.hook.start . LXC_NAME LXC . . [-n] LXC_CONFIG_FILE . , . [-f] LXC_CONSOLE NULL , . [-c] [lxc.console.path] LXC_CONSOLE_LOGPATH NULL , . [-L] LXC_ROOTFS_MOUNT . . . [lxc.rootfs.mount] LXC_ROOTFS_PATH rootfs.mount . [lxc.rootfs.path] LXC_SRC_NAME clone . . LXC_TARGET stop . "stop" , "reboot" . LXC_CGNS_AWARE , lxc cgroup . 1, lxc cgroup . , kernel cgroup . lxcfs . . lxc , error . /var/log/lxc ( '.log' ) . , . lxc-start . lxc.log.level . 0 ~ 8 . . 0 = trace, 1 = debug, 2 = info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = alert, 8 = fatal. , 5 (error), . ( up/down ) , 1 , debug . lxc.log . lxc.log.syslog syslog . lxc.log.level . syslog . : daemon, local0, local1, local2, local3, local4, local5, local5, local7 . LXC . lxc.start.auto . 0 (off) 1 (on). lxc.start.delay (). lxc.start.order , . lxc.monitor.unshare 0 , (pre-start ) unshare . CAP_SYS_ADMIN . 0. lxc.group . , . . . , NULL . "onboot" . LXC , lxc.start.auto == 1 "onboot" . lxc.start.order . lxc.start.delay , > , . "onboot" , LXC lxc.start.auto == 1 (NULL ) . ( init ), lxc.environment . . . /proc/PID/environ . , . lxc.environment . : lxc.environment = APP_ENV=production lxc.environment = SYSLOG_SERVER=192.0.2.42 /usr/share/doc/lxc/examples . ( ) br0 veth . eth0 . lxc.uts.name = myhostname lxc.net.0.type = veth lxc.net.0.flags = up lxc.net.0.link = br0 lxc.net.0.name = eth0 lxc.net.0.hwaddr = 4a:49:43:49:79:bf lxc.net.0.ipv4.address = 1.2.3.5/24 1.2.3.255 lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597 UID/GID UID GID 0 ~ 9999 100000 ~ 109999 . lxc.idmap = u 0 100000 10000 lxc.idmap = g 0 100000 10000 . cpuset.cpus cpu . cpus.share (cpu) . devices.allow . lxc.cgroup.cpuset.cpus = 0,1 lxc.cgroup.cpu.shares = 1234 lxc.cgroup.devices.deny = a lxc.cgroup.devices.allow = c 1:3 rw lxc.cgroup.devices.allow = b 8:0 rw , , , , . lxc.uts.name = complex lxc.net.0.type = veth lxc.net.0.flags = up lxc.net.0.link = br0 lxc.net.0.hwaddr = 4a:49:43:49:79:bf lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255 lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597 lxc.net.0.ipv6.address = 2003:db8:1:0:214:5432:feab:3588 lxc.net.1.type = macvlan lxc.net.1.flags = up lxc.net.1.link = eth0 lxc.net.1.hwaddr = 4a:49:43:49:79:bd lxc.net.1.ipv4.address = 10.2.3.4/24 lxc.net.1.ipv4.address = 192.168.10.125/24 lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596 lxc.net.2.type = phys lxc.net.2.flags = up lxc.net.2.link = random0 lxc.net.2.hwaddr = 4a:49:43:49:79:ff lxc.net.2.ipv4.address = 10.2.3.6/24 lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297 lxc.cgroup.cpuset.cpus = 0,1 lxc.cgroup.cpu.shares = 1234 lxc.cgroup.devices.deny = a lxc.cgroup.devices.allow = c 1:3 rw lxc.cgroup.devices.allow = b 8:0 rw lxc.mount.fstab = /etc/fstab.complex lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0 lxc.rootfs.path = dir:/mnt/rootfs.complex lxc.cap.drop = sys_module mknod setuid net_raw lxc.cap.drop = mac_override chroot(1), pivot_root(8), fstab(5) capabilities(7) lxc(7), lxc-create(1), lxc-copy(1), lxc-destroy(1), lxc-start(1), lxc- stop(1), lxc-execute(1), lxc-console(1), lxc-monitor(1), lxc-wait(1), lxc-cgroup(1), lxc-ls(1), lxc-info(1), lxc-freeze(1), lxc-unfreeze(1), lxc-attach(1), lxc.conf(5) 2024-04-28 lxc.container.conf(5)