lxc.container.conf

lxc.container.conf(5) lxc.container.conf(5)

NAME

   lxc.container.conf - LXC container configuration file

DESCRIPTION

   LXC  is  the  well-known  and heavily tested low-level Linux container runtime. It is in active development since 2008 and has proven itself in critical production environments world-
   wide. Some of its core contributors are the same people that helped to implement various well-known containerization features inside the Linux kernel.

   LXC's main focus is system containers. That is, containers which offer an environment as close as possible as the one you'd get from a VM but without the overhead that comes with run
   ning a separate kernel and simulating all the hardware.

   This is achieved through a combination of kernel security features such as namespaces, mandatory access control and control groups.

   LXC has support for unprivileged containers. Unprivileged containers are containers that are run without any privilege. This requires support for user namespaces in  the  kernel  that
   the container is run on. LXC was the first runtime to support unprivileged containers after user namespaces were merged into the mainline kernel.

   In  essence, user namespaces isolate given sets of UIDs and GIDs. This is achieved by establishing a mapping between a range of UIDs and GIDs on the host to a different (unprivileged)
   range of UIDs and GIDs in the container. The kernel will translate this mapping in such a way that inside the container all UIDs and GIDs appear as you  would  expect  from  the  host
   whereas  on the host these UIDs and GIDs are in fact unprivileged. For example, a process running as UID and GID 0 inside the container might appear as UID and GID 100000 on the host.
   The implementation and working details can be gathered from the corresponding user namespace man page.  UID and GID mappings can be defined with the lxc.idmap key.

   Linux containers are defined with a simple configuration file. Each option in the configuration file has the form key = value fitting in one line. The "#" character means the line  is
   a comment. List options, like capabilities and cgroups options, can be used with no value to clear any previously defined values of that option.

   LXC  namespaces  configuration  keys  use  single  dots.  This  means  complex  configuration  keys  such  as  lxc.net.0 expose various subkeys such as lxc.net.0.type, lxc.net.0.link,
   lxc.net.0.ipv6.address, and others for even more fine-grained configuration.

CONFIGURATION

   In order to ease administration of multiple related containers, it is possible to have a container configuration file cause another file to be loaded. For instance, network configura
   tion can be defined in one common file which is included by multiple containers. Then, if the containers are moved to another host, only one file may need to be updated.

   lxc.include
          Specify the file to be included. The included file must be in the same valid lxc configuration file format.

ARCHITECTURE

   Allows one to set the architecture for the container. For example, set a 32bits architecture for a container running 32bits binaries on a 64bits host. This fixes the container scripts
   which rely on the architecture to do some work like downloading the packages.

   lxc.arch
          Specify the architecture for the container.

          Some valid options are x86, i686, x86_64, amd64

HOSTNAME

   The utsname section defines the hostname to be set for the container.  That means the container can set its own hostname without changing the one from the system. That makes the host
   name private for the container.

   lxc.uts.name
          specify the hostname for the container

HALT SIGNAL

   Allows one to specify signal name or number sent to the container's init process to cleanly shutdown the container. Different init systems could use different signals to perform clean
   shutdown sequence. This option allows the signal to be specified in kill(1) fashion, e.g.  SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The default signal is SIGPWR.

   lxc.signal.halt
          specify the signal used to halt the container

REBOOT SIGNAL

   Allows one to specify signal name or number to reboot the container.  This option allows signal to be specified in kill(1) fashion, e.g.  SIGTERM, SIGRTMIN+14,  SIGRTMAX-10  or  plain
   number. The default signal is SIGINT.

   lxc.signal.reboot
          specify the signal used to reboot the container

STOP SIGNAL

   Allows one to specify signal name or number to forcibly shutdown the container. This option allows signal to be specified in kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or
   plain number. The default signal is SIGKILL.

   lxc.signal.stop
          specify the signal used to stop the container

INIT COMMAND

   Sets the command to use as the init system for the containers.

   lxc.execute.cmd
          Absolute path from container rootfs to the binary to run by default. This mostly makes sense for lxc-execute.

   lxc.init.cmd
          Absolute path from container rootfs to the binary to use as init. This mostly makes sense for lxc-start. Default is /sbin/init.

INIT WORKING DIRECTORY

   Sets the absolute path inside the container as the working directory for the containers.  LXC will switch to this directory before executing init.

   lxc.init.cwd
          Absolute path inside the container to use as the working directory.

INIT ID

   Sets  the  UID/GID to use for the init system, and subsequent commands.  Note that using a non-root UID when booting a system container will likely not work due to missing privileges.
   Setting the UID/GID is mostly useful when running application containers.  Defaults to: UID(0), GID(0)

   lxc.init.uid
          UID to use for init.

   lxc.init.gid
          GID to use for init.

CORE SCHEDULING

   Core scheduling defines if the container payload is marked as being schedulable on the same core. Doing so will cause the kernel scheduler to ensure that tasks that  are  not  in  the
   same group never run simultaneously on a core. This can serve as an extra security measure to prevent the container payload from using cross hyper thread attacks.

   lxc.sched.core
          The only allowed values are 0 and 1. Set this to 1 to create a core scheduling domain for the container or 0 to not create one.  If not set explicitly no core scheduling domain
          will be created for the container.

PROC

   Configure proc filesystem for the container.

   lxc.proc.[proc file name]
          Specify the proc file name to be set. The file names available are those listed under /proc/PID/.  Example:

                        lxc.proc.oom_score_adj = 10

EPHEMERAL

   Allows one to specify whether a container will be destroyed on shutdown.

   lxc.ephemeral
          The only allowed values are 0 and 1. Set this to 1 to destroy a container on shutdown.

NETWORK

   The  network section defines how the network is virtualized in the container. The network virtualization acts at layer two. In order to use the network virtualization, parameters must
   be specified to define the network interfaces of the container. Several virtual interfaces can be assigned and used in a container even if the system has only one physical network in
   terface.

   lxc.net
          may be used without a value to clear all previous network options.

   lxc.net.[i].type
          specify what kind of network virtualization to be used for the container.  Must be specified before any other option(s) on the net device.  Multiple networks can  be  specified
          by  using an additional index i after all lxc.net.* keys. For example, lxc.net.0.type = veth and lxc.net.1.type = veth specify two different networks of the same type. All keys
          sharing the same index i will be treated as belonging to the same network. For example, lxc.net.0.link = br0 will belong to lxc.net.0.type.  Currently, the  different  virtual
          ization types can be:

          empty: will create only the loopback interface.

          veth:  a virtual ethernet pair device is created with one side assigned to the container and the other side on the host.  lxc.net.[i].veth.mode specifies the mode the veth par
          ent will use on the host.  The accepted modes are bridge and router.  The mode defaults to bridge if not specified.  In bridge mode the host side is attached to a bridge speci
          fied by the lxc.net.[i].link option.  If the bridge link is not specified, then the veth pair device will be created but not attached to any bridge.  Otherwise, the bridge  has
          to  be  created on the system before starting the container.  lxc won't handle any configuration outside of the container.  In router mode static routes are created on the host
          for the container's IP addresses pointing to the host side veth interface.  Additionally Proxy ARP and Proxy NDP entries are added on the host side veth interface for the gate
          way IPs defined in the container to allow the container to reach the host.  By default, lxc chooses a name for the network device belonging to the outside of the container, but
          if you wish to handle this name yourselves, you can tell lxc to set a specific name with the lxc.net.[i].veth.pair option (except for unprivileged containers where this  option
          is  ignored  for  security reasons).  Static routes can be added on the host pointing to the container using the lxc.net.[i].veth.ipv4.route and lxc.net.[i].veth.ipv6.route op
          tions.  Several lines specify several routes.  The route is in  format  x.y.z.t/m,  eg.  192.168.1.0/24.   In  bridge  mode  untagged  VLAN  membership  can  be  set  with  the
          lxc.net.[i].veth.vlan.id  option.  It  accepts  a  special  value  of  'none' indicating that the container port should be removed from the bridge's default untagged VLAN.  The
          lxc.net.[i].veth.vlan.tagged.id option can be specified multiple times to set the container's bridge port membership to one or more tagged VLANs.

          vlan: a vlan interface is linked with the interface specified by the lxc.net.[i].link and assigned  to  the  container.  The  vlan  identifier  is  specified  with  the  option
          lxc.net.[i].vlan.id.

          macvlan:  a  macvlan  interface  is  linked with the interface specified by the lxc.net.[i].link and assigned to the container.  lxc.net.[i].macvlan.mode specifies the mode the
          macvlan will use to communicate between different macvlan on the same upper device. The accepted modes are private, vepa, bridge and passthru.   In  private  mode,  the  device
          never  communicates  with  any  other  device on the same upper_dev (default).  In vepa mode, the new Virtual Ethernet Port Aggregator (VEPA) mode, it assumes that the adjacent
          bridge returns all frames where both source and destination are local to the macvlan port, i.e. the bridge is set up as a reflective relay. Broadcast frames coming in from  the
          upper_dev  get  flooded to all macvlan interfaces in VEPA mode, local frames are not delivered locally. In bridge mode, it provides the behavior of a simple bridge between dif
          ferent macvlan interfaces on the same port. Frames from one interface to another one get delivered directly and are not sent out externally. Broadcast frames get flooded to all
          other bridge ports and to the external interface, but when they come back from a reflective relay, we don't deliver them again. Since we know all the MAC addresses, the macvlan
          bridge mode does not require learning or STP like the bridge module does. In passthru mode, all frames received by the physical interface are forwarded to  the  macvlan  inter‐
          face. Only one macvlan interface in passthru mode is possible for one physical interface.

          ipvlan: an ipvlan interface is linked with the interface specified by the lxc.net.[i].link and assigned to the container.  lxc.net.[i].ipvlan.mode specifies the mode the ipvlan
          will  use  to  communicate  between different ipvlan on the same upper device. The accepted modes are l3, l3s and l2. It defaults to l3 mode.  In l3 mode TX processing up to L3
          happens on the stack instance attached to the dependent device and packets are switched to the stack instance of the parent device for the L2 processing and routing  from  that
          instance  will be used before packets are queued on the outbound device. In this mode the dependent devices will not receive nor can send multicast / broadcast traffic.  In l3s
          mode TX processing is very similar to the L3 mode except that iptables (conn-tracking) works in this mode and hence it is L3-symmetric (L3s).  This will have slightly less per‐
          formance but that shouldn't matter since you are choosing this mode over plain-L3 mode to make conn-tracking work.  In l2 mode TX processing happens on the stack  instance  at
          tached  to the dependent device and packets are switched and queued to the parent device to send devices out. In this mode the dependent devices will RX/TX multicast and broad
          cast (if applicable) as well.  lxc.net.[i].ipvlan.isolation specifies the isolation mode.  The accepted isolation values are bridge, private and vepa.  It defaults  to  bridge.
          In  bridge  isolation mode dependent devices can cross-talk among themselves apart from talking through the parent device.  In private isolation mode the port is set in private
          mode.  i.e. port won't allow cross communication between dependent devices.  In vepa isolation mode the port is set in VEPA mode.  i.e. port will offload switching  functional‐
          ity to the external entity as described in 802.1Qbg.

          phys: an already existing interface specified by the lxc.net.[i].link is assigned to the container.

   lxc.net.[i].flags
          Specify an action to do for the network.

          up: activates the interface.

   lxc.net.[i].link
          Specify the interface to be used for real network traffic.

   lxc.net.[i].l2proxy
          Controls whether layer 2 IP neighbour proxy entries will be added to the lxc.net.[i].link interface for the IP addresses of the container.  Can be set to 0 or 1. Defaults to 0.
          When  used with IPv4 addresses, the following sysctl values need to be set: net.ipv4.conf.[link].forwarding=1 When used with IPv6 addresses, the following sysctl values need to
          be set: net.ipv6.conf.[link].proxy_ndp=1 net.ipv6.conf.[link].forwarding=1

   lxc.net.[i].mtu
          Specify the maximum transfer unit for this interface.

   lxc.net.[i].name
          The interface name is dynamically allocated, but if another name is needed because the configuration files being used by the container use a generic name, eg. eth0, this option
          will rename the interface in the container.

   lxc.net.[i].hwaddr
          The interface mac address is dynamically allocated by default to the virtual interface, but in some cases, this is needed to resolve a mac address conflict or  to  always  have
          the same link-local ipv6 address. Any "x" in address will be replaced by random value, this allows setting hwaddr templates.

   lxc.net.[i].ipv4.address
          Specify  the  ipv4 address to assign to the virtualized interface.  Several lines specify several ipv4 addresses. The address is in format x.y.z.t/m, eg. 192.168.1.123/24.  You
          can optionally specify the broadcast address after the IP address, e.g. 192.168.1.123/24 255.255.255.255.  Otherwise it is automatically calculated from the IP address.

   lxc.net.[i].ipv4.gateway
          Specify the ipv4 address to use as the gateway inside the container. The address is in format x.y.z.t, eg. 192.168.1.123.  Can also have the special value auto, which means  to
          take  the  primary  address  from  the  bridge  interface (as specified by the lxc.net.[i].link option) and use that as the gateway. auto is only available when using the veth,
          macvlan and ipvlan network types.  Can also have the special value of dev, which means to set the default gateway as a device route.  This is primarily for  use  with  layer  3
          network modes, such as IPVLAN.

   lxc.net.[i].ipv6.address
          Specify   the   ipv6   address   to   assign   to   the  virtualized  interface.  Several  lines  specify  several  ipv6  addresses.  The  address  is  in  format  x::y/m,  eg.
          2003:db8:1:0:214:1234:fe0b:3596/64

   lxc.net.[i].ipv6.gateway
          Specify the ipv6 address to use as the gateway inside the container. The address is in format x::y, eg. 2003:db8:1:0::1 Can also have the special value  auto,  which  means  to
          take  the  primary  address  from  the  bridge  interface (as specified by the lxc.net.[i].link option) and use that as the gateway. auto is only available when using the veth,
          macvlan and ipvlan network types.  Can also have the special value of dev, which means to set the default gateway as a device route.  This is primarily for  use  with  layer  3
          network modes, such as IPVLAN.

   lxc.net.[i].script.up
          Add a configuration option to specify a script to be executed after creating and configuring the network used from the host side.

          In addition to the information available to all hooks. The following information is provided to the script:

          • LXC_HOOK_TYPE: the hook type. This is either 'up' or 'down'.

          • LXC_HOOK_SECTION: the section type 'net'.

          • LXC_NET_TYPE: the network type. This is one of the valid network types listed here (e.g. 'vlan', 'macvlan', 'ipvlan', 'veth').

          • LXC_NET_PARENT: the parent device on the host. This is only set for network types 'mavclan', 'veth', 'phys'.

          • LXC_NET_PEER: the name of the peer device on the host. This is only set for 'veth' network types. Note that this information is only available when lxc.hook.version is set to
            1.

   Whether  this information is provided in the form of environment variables or as arguments to the script depends on the value of lxc.hook.version. If set to 1 then information is pro‐
   vided in the form of environment variables. If set to 0 information is provided as arguments to the script.

   Standard output from the script is logged at debug level.  Standard error is not logged, but can be captured by the hook redirecting its standard error to standard output.

   lxc.net.[i].script.down
          Add a configuration option to specify a script to be executed before destroying the network used from the host side.

          In addition to the information available to all hooks. The following information is provided to the script:

          • LXC_HOOK_TYPE: the hook type. This is either 'up' or 'down'.

          • LXC_HOOK_SECTION: the section type 'net'.

          • LXC_NET_TYPE: the network type. This is one of the valid network types listed here (e.g. 'vlan', 'macvlan', 'ipvlan', 'veth').

          • LXC_NET_PARENT: the parent device on the host. This is only set for network types 'mavclan', 'veth', 'phys'.

          • LXC_NET_PEER: the name of the peer device on the host. This is only set for 'veth' network types. Note that this information is only available when lxc.hook.version is set to
            1.

   Whether this information is provided in the form of environment variables or as arguments to the script depends on the value of lxc.hook.version. If set to 1 then information is  pro
   vided in the form of environment variables. If set to 0 information is provided as arguments to the script.

   Standard output from the script is logged at debug level.  Standard error is not logged, but can be captured by the hook redirecting its standard error to standard output.

NEW PSEUDO TTY INSTANCE (DEVPTS)

   For stricter isolation the container can have its own private instance of the pseudo tty.

   lxc.pty.max
          If  set,  the  container  will have a new pseudo tty instance, making this private to it. The value specifies the maximum number of pseudo ttys allowed for a pty instance (this
          limitation is not implemented yet).

CONTAINER SYSTEM CONSOLE

   If the container is configured with a root filesystem and the inittab file is setup to use the console, you may want to specify where the output of this console goes.

   lxc.console.buffer.size
          Setting this option instructs liblxc to allocate an in-memory ringbuffer. The container's console output will be written to the ringbuffer. Note  that  ringbuffer  must  be  at
          least  as  big as a standard page size. When passed a value smaller than a single page size liblxc will allocate a ringbuffer of a single page size. A page size is usually 4KB.
          The keyword 'auto' will cause liblxc to allocate a ringbuffer of 128KB.  When manually specifying a size for the ringbuffer the value should be a power of 2 when  converted  to
          bytes.  Valid  size prefixes are 'KB', 'MB', 'GB'. (Note that all conversions are based on multiples of 1024. That means 'KB' == 'KiB', 'MB' == 'MiB', 'GB' == 'GiB'.  Addition‐
          ally, the case of the suffix is ignored, i.e. 'kB', 'KB' and 'Kb' are treated equally.)

   lxc.console.size
          Setting this option instructs liblxc to place a limit on the size of the console log file specified in lxc.console.logfile. Note that size of the log file must be at  least  as
          big  as  a  standard page size. When passed a value smaller than a single page size liblxc will set the size of log file to a single page size. A page size is usually 4KB.  The
          keyword 'auto' will cause liblxc to place a limit of 128KB on the log file.  When manually specifying a size for the log file the value should be a power of 2 when converted to
          bytes. Valid size prefixes are 'KB', 'MB', 'GB'. (Note that all conversions are based on multiples of 1024. That means 'KB' == 'KiB', 'MB' == 'MiB', 'GB' ==  'GiB'.   Addition‐
          ally, the case of the suffix is ignored, i.e. 'kB', 'KB' and 'Kb' are treated equally.)  If users want to mirror the console ringbuffer on disk they should set lxc.console.size
          equal to lxc.console.buffer.size.

   lxc.console.logfile
          Specify  a  path to a file where the console output will be written.  Note that in contrast to the on-disk ringbuffer logfile this file will keep growing potentially filling up
          the users disks if not rotated and deleted. This problem can also be avoided by using the in-memory ringbuffer options lxc.console.buffer.size and lxc.console.buffer.logfile.

   lxc.console.rotate
          Whether to rotate the console logfile specified in lxc.console.logfile. Users can send an API request to rotate the logfile. Note that the old logfile will have the  same  name
          as  the  original  with the suffix ".1" appended.  Users wishing to prevent the console log file from filling the disk should rotate the logfile and delete it if unneeded. This
          problem can also be avoided by using the in-memory ringbuffer options lxc.console.buffer.size and lxc.console.buffer.logfile.

   lxc.console.path
          Specify a path to a device to which the console will be attached. The keyword 'none' will simply disable the console. Note, when specifying 'none' and creating  a  device  node
          for  the  console  in  the  container  at /dev/console or bind-mounting the hosts's /dev/console into the container at /dev/console the container will have direct access to the
          hosts's /dev/console.  This is dangerous when the container has write access to the device and should thus be used with caution.

CONSOLE THROUGH THE TTYS

   This option is useful if the container is configured with a root filesystem and the inittab file is setup to launch a getty on the ttys. The option specifies the number of ttys to  be
   available  for  the  container.  The number of gettys in the inittab file of the container should not be greater than the number of ttys specified in this option, otherwise the excess
   getty sessions will die and respawn indefinitely giving annoying messages on the console or in /var/log/messages.

   lxc.tty.max
          Specify the number of tty to make available to the container.

CONSOLE DEVICES LOCATION

   LXC consoles are provided through Unix98 PTYs created on the host and bind-mounted over the expected devices in the container.  By default, they are bind-mounted over /dev/console and
   /dev/ttyN. This can prevent package upgrades in the guest. Therefore you can specify a directory location (under /dev under which LXC will create the files and bind-mount  over  them.
   These will then be symbolically linked to /dev/console and /dev/ttyN.  A package upgrade can then succeed as it is able to remove and replace the symbolic links.

   lxc.tty.dir
          Specify  a  directory  under /dev under which to create the container console devices. Note that LXC will move any bind-mounts or device nodes for /dev/console into this direc
          tory.

/DEV DIRECTORY

   By default, lxc creates a few symbolic links (fd,stdin,stdout,stderr) in the container's /dev directory but does not automatically create device node entries.  This  allows  the  con‐
   tainer's  /dev  to be set up as needed in the container rootfs. If lxc.autodev is set to 1, then after mounting the container's rootfs LXC will mount a fresh tmpfs under /dev (limited
   to 500K by default, unless defined in lxc.autodev.tmpfs.size) and fill in a minimal set of initial devices.  This is generally required when starting a container  containing  a  "sys‐
   temd" based "init" but may be optional at other times. Additional devices in the containers /dev directory may be created through the use of the lxc.hook.autodev hook.

   lxc.autodev
          Set this to 0 to stop LXC from mounting and populating a minimal /dev when starting the container.

   lxc.autodev.tmpfs.size
          Set this to define the size of the /dev tmpfs.  The default value is 500000 (500K). If the parameter is used but without value, the default value is used.

MOUNT POINTS

   The mount points section specifies the different places to be mounted. These mount points will be private to the container and won't be visible by the processes running outside of the
   container. This is useful to mount /etc, /var or /home for examples.

   NOTE  -  LXC will generally ensure that mount targets and relative bind-mount sources are properly confined under the container root, to avoid attacks involving over-mounting host di‐
   rectories and files. (Symbolic links in absolute mount sources are ignored) However, if the container configuration first mounts a directory which is under the  control  of  the  con‐
   tainer  user, such as /home/joe, into the container at some path, and then mounts under path, then a TOCTTOU attack would be possible where the container user modifies a symbolic link
   under their home directory at just the right time.

   lxc.mount.fstab
          specify a file location in the fstab format, containing the mount information. The mount target location can and in most cases should be a relative path, which will become rel‐
          ative to the mounted container root. For instance,

                       proc proc proc nodev,noexec,nosuid 0 0

          Will mount a proc filesystem under the container's /proc, regardless of where the root filesystem comes from. This is resilient to block device backed filesystems  as  well  as
          container cloning.

          Note that when mounting a filesystem from an image file or block device the third field (fs_vfstype) cannot be auto as with mount(8) but must be explicitly specified.

   lxc.mount.entry
          Specify  a  mount  point corresponding to a line in the fstab format.  Moreover lxc supports mount propagation, such as rshared or rprivate, and adds three additional mount op
          tions.  optional don't fail if mount does not work.  create=dir or create=file to create dir (or file) when the point will be mounted.  relative source path is taken to be rel‐
          ative to the mounted container root. For instance,

                       dev/null proc/kcore none bind,relative 0 0

          Will expand dev/null to ${LXC_ROOTFS_MOUNT}/dev/null, and mount it to proc/kcore inside the container.

   lxc.mount.auto
          specify which standard kernel file systems should be automatically mounted. This may dramatically simplify the configuration. The file systems are:

          • proc:mixed (or proc): mount /proc as read-write, but remount /proc/sys and /proc/sysrq-trigger read-only for security / container isolation purposes.

          • proc:rw: mount /proc as read-write

          • sys:mixed (or sys): mount /sys as read-only but with /sys/devices/virtual/net writable.

          • sys:ro: mount /sys as read-only for security / container isolation purposes.

          • sys:rw: mount /sys as read-write

          • cgroup:mixed: Mount a tmpfs to /sys/fs/cgroup, create directories for all hierarchies to which the container is added, create subdirectories in  those  hierarchies  with  the
            name of the cgroup, and bind-mount the container's own cgroup into that directory. The container will be able to write to its own cgroup directory, but not the parents, since
            they will be remounted read-only.

           cgroup:mixed:force: The force option will cause LXC to perform the cgroup mounts for the container under all circumstances.  Otherwise it is similar to cgroup:mixed.  This is
            mainly useful when the cgroup namespaces are enabled where LXC will normally leave mounting cgroups to the init binary of the container since it is perfectly safe to do so.

           cgroup:ro: similar to cgroup:mixed, but everything will be mounted read-only.

           cgroup:ro:force:  The  force  option  will  cause  LXC to perform the cgroup mounts for the container under all circumstances.  Otherwise it is similar to cgroup:ro.  This is
            mainly useful when the cgroup namespaces are enabled where LXC will normally leave mounting cgroups to the init binary of the container since it is perfectly safe to do so.

           cgroup:rw: similar to cgroup:mixed, but everything will be mounted read-write. Note that the paths leading up to the container's own cgroup will be writable, but will not  be
            a cgroup filesystem but just part of the tmpfs of /sys/fs/cgroup

          • cgroup:rw:force:  The  force  option  will  cause  LXC to perform the cgroup mounts for the container under all circumstances.  Otherwise it is similar to cgroup:rw.  This is
            mainly useful when the cgroup namespaces are enabled where LXC will normally leave mounting cgroups to the init binary of the container since it is perfectly safe to do so.

          • cgroup (without specifier): defaults to cgroup:rw if the container retains the CAP_SYS_ADMIN capability, cgroup:mixed otherwise.

          • cgroup-full:mixed: mount a tmpfs to /sys/fs/cgroup, create directories for all hierarchies to which the container is added, bind-mount the hierarchies from the  host  to  the
            container  and  make  everything  read-only except the container's own cgroup. Note that compared to cgroup, where all paths leading up to the container's own cgroup are just
            simple directories in the underlying tmpfs, here /sys/fs/cgroup/$hierarchy will contain the host's full cgroup hierarchy, albeit read-only outside the container's own cgroup.
            This may leak quite a bit of information into the container.

          • cgroup-full:mixed:force: The force option will  cause  LXC  to  perform  the  cgroup  mounts  for  the  container  under  all  circumstances.   Otherwise  it  is  similar  to
            cgroup-full:mixed.   This  is mainly useful when the cgroup namespaces are enabled where LXC will normally leave mounting cgroups to the init binary of the container since it
            is perfectly safe to do so.

          • cgroup-full:ro: similar to cgroup-full:mixed, but everything will be mounted read-only.

          • cgroup-full:ro:force: The force option will cause LXC to perform the cgroup mounts for the container under all circumstances.  Otherwise  it  is  similar  to  cgroup-full:ro.
            This  is mainly useful when the cgroup namespaces are enabled where LXC will normally leave mounting cgroups to the init binary of the container since it is perfectly safe to
            do so.

          • cgroup-full:rw: similar to cgroup-full:mixed, but everything will be mounted read-write. Note that in this case, the container may escape its own cgroup. (Note also  that  if
            the container has CAP_SYS_ADMIN support and can mount the cgroup filesystem itself, it may do so anyway.)

          • cgroup-full:rw:force:  The  force  option  will  cause LXC to perform the cgroup mounts for the container under all circumstances.  Otherwise it is similar to cgroup-full:rw.
            This is mainly useful when the cgroup namespaces are enabled where LXC will normally leave mounting cgroups to the init binary of the container since it is perfectly safe  to
            do so.

          • cgroup-full (without specifier): defaults to cgroup-full:rw if the container retains the CAP_SYS_ADMIN capability, cgroup-full:mixed otherwise.

   If  cgroup  namespaces  are enabled, then any cgroup auto-mounting request will be ignored, since the container can mount the filesystems itself, and automounting can confuse the con‐
   tainer init.

   Note that if automatic mounting of the cgroup filesystem is enabled, the tmpfs under /sys/fs/cgroup will always be mounted read-write (but for the :mixed and :ro cases, the individual
   hierarchies, /sys/fs/cgroup/$hierarchy, will be read-only). This is in order to work around a quirk in Ubuntu's mountall(8) command that will cause containers to wait for  user  input
   at boot if /sys/fs/cgroup is mounted read-only and the container can't remount it read-write due to a lack of CAP_SYS_ADMIN.

   Examples:

                 lxc.mount.auto = proc sys cgroup
                 lxc.mount.auto = proc:rw sys:rw cgroup-full:rw

ROOT FILE SYSTEM

   The root file system of the container can be different than that of the host system.

   lxc.rootfs.path
          specify  the  root  file  system for the container. It can be an image file, a directory or a block device. If not specified, the container shares its root file system with the
          host.

          For directory or simple block-device backed containers, a pathname can be used. If the rootfs is backed by a nbd device, then nbd:file:1 specifies that file should be  attached
          to  a  nbd device, and partition 1 should be mounted as the rootfs.  nbd:file specifies that the nbd device itself should be mounted. overlayfs:/lower:/upper specifies that the
          rootfs should be an overlay with /upper being mounted read-write over a read-only mount of /lower.  For overlay multiple /lower directories can be specified.  loop:/file  tells
          lxc to attach /file to a loop device and mount the loop device.

   lxc.rootfs.mount
          where to recursively bind lxc.rootfs.path before pivoting. This is to ensure success of the pivot_root(8) syscall. Any directory suffices, the default should generally work.

   lxc.rootfs.options
          Specify  extra  mount  options  to  use when mounting the rootfs.  The format of the mount options corresponds to the format used in fstab. In addition, LXC supports the custom
          idmap= mount option. This option can be used to tell LXC to create an idmapped mount for the container's rootfs. This is useful when the user doesn't want to recursively  chown
          the  rootfs of the container to match the idmapping of the user namespace the container is going to use. Instead an idmapped mount can be used to handle this.  The argument for
          idmap= can either be a path pointing to a user namespace file that LXC will open and use to idmap the rootfs or the special value "container" which will instruct LXC to use the
          container's user namespace to idmap the rootfs.

   lxc.rootfs.managed
          Set this to 0 to indicate that LXC is not managing the container storage, then LXC will not modify the container storage. The default is 1.

CONTROL GROUPS ("CGROUPS")

   The control group section contains the configuration for the different subsystem. lxc does not check the correctness of the subsystem name. This has the disadvantage of not  detecting
   configuration errors until the container is started, but has the advantage of permitting any future subsystem.

   The  kernel  implementation of cgroups has changed significantly over the years. With Linux 4.5 support for a new cgroup filesystem was added usually referred to as "cgroup2" or "uni‐
   fied hierarchy". Since then the old cgroup filesystem is usually referred to as "cgroup1" or the "legacy hierarchies". Please see the cgroups manual page for a detailed explanation of
   the differences between the two versions.

   LXC distinguishes settings for the legacy and the unified hierarchy by using different configuration key prefixes. To alter settings for controllers in a legacy hierarchy the key pre
   fix lxc.cgroup. must be used and in order to alter the settings for a controller in the unified hierarchy the lxc.cgroup2. key must be used. Note that LXC will ignore lxc.cgroup. set
   tings on systems that only use the unified hierarchy. Conversely, it will ignore lxc.cgroup2. options on systems that only use legacy hierarchies.

   At its core a cgroup hierarchy is a way to hierarchically organize processes. Usually a cgroup hierarchy will have one or more "controllers" enabled. A "controller" in a cgroup  hier
   archy  is  usually  responsible  for distributing a specific type of system resource along the hierarchy. Controllers include the "pids" controller, the "cpu" controller, the "memory"
   controller and others. Some controllers however do not fall into the category of distributing a system resource, instead they are often referred  to  as  "utility"  controllers.   One
   utility controller is the device controller. Instead of distributing a system resource it allows one to manage device access.

   In  the legacy hierarchy the device controller was implemented like most other controllers as a set of files that could be written to. These files where named "devices.allow" and "de‐
   vices.deny". The legacy device controller allowed the implementation of both "allowlists" and "denylists".

   An allowlist is a device program that by default blocks access to all devices. In order to access specific devices "allow rules" for particular devices or device classes must be spec
   ified. In contrast, a denylist is a device program that by default allows access to all devices. In order to restrict access to specific devices "deny rules" for particular devices or
   device classes must be specified.

   In the unified cgroup  hierarchy  the  implementation  of  the  device  controller  has  completely  changed.  Instead  of  files  to  read  from  and  write  to  a  eBPF  program  of
   BPF_PROG_TYPE_CGROUP_DEVICE  can  be attached to a cgroup. Even though the kernel implementation has changed completely LXC tries to allow for the same semantics to be followed in the
   legacy device cgroup and the unified eBPF-based device controller. The following paragraphs explain the semantics for the unified eBPF-based device controller.

   As mentioned the format for specifying device rules for the unified eBPF-based device controller is the same as for the legacy cgroup device controller;  only  the  configuration  key
   prefix  has changed.  Specifically, device rules for the legacy cgroup device controller are specified via lxc.cgroup.devices.allow and lxc.cgroup.devices.deny whereas for the cgroup2
   eBPF-based device controller lxc.cgroup2.devices.allow and lxc.cgroup2.devices.deny must be used.

    A denylist device rule

                  lxc.cgroup2.devices.deny = a

     will cause LXC to instruct the kernel to block access to all devices by default. To grant access to devices allow device rules must be added via the  lxc.cgroup2.devices.allow  key.
     This is referred to as a "allowlist" device program.

    An allowlist device rule

                  lxc.cgroup2.devices.allow = a

     will cause LXC to instruct the kernel to allow access to all devices by default. To deny access to devices deny device rules must be added via lxc.cgroup2.devices.deny key.  This is
     referred to as a "denylist" device program.

    Specifying any of the aforementioned two rules will cause all previous rules to be cleared, i.e. the device list will be reset.

    When an allowlist program is requested, i.e. access to all devices is blocked by default, specific deny rules for individual devices or device classes are ignored.

    When a denylist program is requested, i.e. access to all devices is allowed by default, specific allow rules for individual devices or device classes are ignored.

   For example the set of rules:

             lxc.cgroup2.devices.deny = a
             lxc.cgroup2.devices.allow = c *:* m
             lxc.cgroup2.devices.allow = b *:* m
             lxc.cgroup2.devices.allow = c 1:3 rwm

   implements  an  allowlist device program, i.e. the kernel will block access to all devices not specifically allowed in this list. This particular program states that all character and
   block devices may be created but only /dev/null might be read or written.

   If we instead switch to the following set of rules:

             lxc.cgroup2.devices.allow = a
             lxc.cgroup2.devices.deny = c *:* m
             lxc.cgroup2.devices.deny = b *:* m
             lxc.cgroup2.devices.deny = c 1:3 rwm

   then LXC would instruct the kernel to implement a denylist, i.e. the kernel will allow access to all devices not specifically denied in this list. This particular program states  that
   no character devices or block devices might be created and that /dev/null is not allow allowed to be read, written, or created.

   Now consider the same program but followed by a "global rule" which determines the type of device program (allowlist or denylist) as explained above:

             lxc.cgroup2.devices.allow = a
             lxc.cgroup2.devices.deny = c *:* m
             lxc.cgroup2.devices.deny = b *:* m
             lxc.cgroup2.devices.deny = c 1:3 rwm
             lxc.cgroup2.devices.allow = a

   The last line will cause LXC to reset the device list without changing the type of device program.

   If we specify:

             lxc.cgroup2.devices.allow = a
             lxc.cgroup2.devices.deny = c *:* m
             lxc.cgroup2.devices.deny = b *:* m
             lxc.cgroup2.devices.deny = c 1:3 rwm
             lxc.cgroup2.devices.deny = a

   instead then the last line will cause LXC to reset the device list and switch from an allowlist program to a denylist program.

   lxc.cgroup.[controller name].[controller file]
          Specify  the  control  group  value  to be set on a legacy cgroup hierarchy. The controller name is the literal name of the control group. The permitted names and the syntax of
          their values is not dictated by LXC, instead it depends on the features of the Linux kernel running at the time the container is started, eg.  lxc.cgroup.cpuset.cpus

   lxc.cgroup2.[controller name].[controller file]
          Specify the control group value to be set on the unified cgroup hierarchy. The controller name is the literal name of the control group. The permitted names and the  syntax  of
          their values is not dictated by LXC, instead it depends on the features of the Linux kernel running at the time the container is started, eg.  lxc.cgroup2.memory.high

   lxc.cgroup.dir
          specify  a  directory  or path in which the container's cgroup will be created. For example, setting lxc.cgroup.dir = my-cgroup/first for a container named "c1" will create the
          container's cgroup as a sub-cgroup of "my-cgroup". For example, if the user's current cgroup "my-user" is located in the root cgroup of the cpuset controller in a cgroup v1 hi‐
          erarchy this would create the cgroup "/sys/fs/cgroup/cpuset/my-user/my-cgroup/first/c1" for the container. Any missing cgroups will be created by LXC. This presupposes that the
          user has write access to its current cgroup.

   lxc.cgroup.dir.container
          This is similar to lxc.cgroup.dir, but must be used together with lxc.cgroup.dir.monitor and affects only the container's cgroup path. This option is  mutually  exclusive  with
          lxc.cgroup.dir.  Note that the final path the container attaches to may be extended further by the lxc.cgroup.dir.container.inner option.

   lxc.cgroup.dir.monitor
          This is the monitor process counterpart to lxc.cgroup.dir.container.

   lxc.cgroup.dir.monitor.pivot
          On  container  termination the PID of the monitor process is attached to this cgroup.  This path should not be a subpath of any other configured cgroup dir to ensure proper re
          moval of other cgroup paths on container termination.

   lxc.cgroup.dir.container.inner
          Specify an additional subdirectory where the cgroup namespace will be created.  With  this  option,  the  cgroup  limits  will  be  applied  to  the  outer  path  specified  in
          lxc.cgroup.dir.container, which is not accessible from within the container, making it possible to better enforce limits for privileged containers in a way they cannot override
          them.  This only works in conjunction with the lxc.cgroup.dir.container and lxc.cgroup.dir.monitor options and has otherwise no effect.

   lxc.cgroup.relative
          Set  this  to  1  to instruct LXC to never escape to the root cgroup. This makes it easy for users to adhere to restrictions enforced by cgroup2 and systemd. Specifically, this
          makes it possible to run LXC containers as systemd services.

CAPABILITIES

   The capabilities can be dropped in the container if this one is run as root.

   lxc.cap.drop
          Specify the capability to be dropped in the container. A single line defining several capabilities with a space separation is allowed. The format is the lower case of the capa
          bility definition without the "CAP_" prefix, eg. CAP_SYS_MODULE should be specified as sys_module. See capabilities(7).  If used with no value, lxc will clear any drop capabil
          ities specified up to this point.

   lxc.cap.keep
          Specify the capability to be kept in the container. All other capabilities will be dropped. When a special value of "none" is encountered, lxc will clear any keep  capabilities
          specified up to this point. A value of "none" alone can be used to drop all capabilities.

NAMESPACES

   A namespace can be cloned (lxc.namespace.clone), kept (lxc.namespace.keep) or shared (lxc.namespace.share.[namespace identifier]).

   lxc.namespace.clone
          Specify  namespaces  which the container is supposed to be created with. The namespaces to create are specified as a space separated list. Each namespace must correspond to one
          of the standard namespace identifiers as seen in the /proc/PID/ns directory.  When lxc.namespace.clone is not explicitly set all namespaces supported by the kernel and the cur
          rent configuration will be used.

          To create a new mount, net and ipc namespace set lxc.namespace.clone=mount net ipc.

   lxc.namespace.keep
          Specify namespaces which the container is supposed to inherit from the process that created it. The namespaces to keep are specified as a space separated list.  Each  namespace
          must correspond to one of the standard namespace identifiers as seen in the /proc/PID/ns directory.  The lxc.namespace.keep is a denylist option, i.e. it is useful when enforc
          ing that containers must keep a specific set of namespaces.

          To keep the network, user and ipc namespace set lxc.namespace.keep=user net ipc.

          Note that sharing pid namespaces will likely not work with most init systems.

          Note that if the container requests a new user namespace and the container wants to inherit the network namespace it needs to inherit the user namespace as well.

   lxc.namespace.share.[namespace identifier]
          Specify  a  namespace  to  inherit  from  another  container  or  process.  The [namespace identifier] suffix needs to be replaced with one of the namespaces that appear in the
          /proc/PID/ns directory.

          To inherit the namespace from another process set the lxc.namespace.share.[namespace identifier] to the PID of the process, e.g. lxc.namespace.share.net=42.

          To inherit the namespace from another container set the lxc.namespace.share.[namespace identifier] to the name of the container, e.g. lxc.namespace.share.pid=c3.

          To inherit the namespace from another container located in a different path than the standard liblxc path set the lxc.namespace.share.[namespace identifier] to the full path to
          the container, e.g.  lxc.namespace.share.user=/opt/c3.

          In order to inherit namespaces the caller needs to have sufficient privilege over the process or container.

          Note that sharing pid namespaces between system containers will likely not work with most init systems.

          Note that if two processes are in different user namespaces and one process wants to inherit the other's network namespace it usually needs to inherit  the  user  namespace  as
          well.

          Note that without careful additional configuration of an LSM, sharing user+pid namespaces with a task may allow that task to escalate privileges to that of the task calling li
          blxc.

   lxc.time.offset.boot
          Specify  a  positive  or  negative  offset for the boottime clock. The format accepts hours (h), minutes (m), seconds (s), milliseconds (ms), microseconds (us), and nanoseconds
          (ns).

   lxc.time.offset.monotonic
          Specify a positive or negative offset for the monotonic clock. The format accepts hours (h), minutes (m), seconds (s), milliseconds (ms),  microseconds  (us),  and  nanoseconds
          (ns).

RESOURCE LIMITS

   The soft and hard resource limits for the container can be changed.  Unprivileged containers can only lower them. Resources which are not explicitly specified will be inherited.

   lxc.prlimit.[limit name]
          Specify  the  resource  limit  to  be  set. A limit is specified as two colon separated values which are either numeric or the word 'unlimited'. A single value can be used as a
          shortcut to set both soft and hard limit to the same value. The permitted names the "RLIMIT_" resource names in lowercase without the "RLIMIT_" prefix, eg. RLIMIT_NOFILE should
          be specified as "nofile". See setrlimit(2).  If used with no value, lxc will clear the resource limit specified up to this point. A resource with no explicitly configured limi
          tation will be inherited from the process starting up the container.

SYSCTL

   Configure kernel parameters for the container.

   lxc.sysctl.[kernel parameters name]
          Specify the kernel parameters to be set. The parameters available are those listed under /proc/sys/.  Note that not all sysctls are namespaced. Changing Non-namespaced  sysctls
          will cause the system-wide setting to be modified.  sysctl(8).  If used with no value, lxc will clear the parameters specified up to this point.

APPARMOR PROFILE

   If  lxc  was compiled and installed with apparmor support, and the host system has apparmor enabled, then the apparmor profile under which the container should be run can be specified
   in the container configuration. The default is lxc-container-default-cgns if the host kernel is cgroup namespace aware, or lxc-container-default otherwise.

   lxc.apparmor.profile
          Specify the apparmor profile under which the container should be run. To specify that the container should be unconfined, use

          lxc.apparmor.profile = unconfined

          If the apparmor profile should remain unchanged (i.e. if you are nesting containers and are already confined), then use

          lxc.apparmor.profile = unchanged

          If you instruct LXC to generate the apparmor profile, then use

          lxc.apparmor.profile = generated

   lxc.apparmor.allow_incomplete
          Apparmor profiles are pathname based. Therefore many file restrictions require mount restrictions to be effective against a determined attacker. However, these  mount  restric
          tions are not yet implemented in the upstream kernel. Without the mount restrictions, the apparmor profiles still protect against accidental damager.

          If  this  flag  is  0 (default), then the container will not be started if the kernel lacks the apparmor mount features, so that a regression after a kernel upgrade will be de
          tected. To start the container under partial apparmor protection, set this flag to 1.

   lxc.apparmor.allow_nesting
          If set this to 1, causes the following changes. When generated apparmor profiles are used, they will contain the necessary changes to allow creating a nested container. In  ad
          dition  to the usual mount points, /dev/.lxc/proc and /dev/.lxc/sys will contain procfs and sysfs mount points without the lxcfs overlays, which, if generated apparmor profiles
          are being used, will not be read/writable directly.

   lxc.apparmor.raw
          A list of raw AppArmor profile lines to append to the profile. Only valid when using generated profiles.

SELINUX CONTEXT

   If lxc was compiled and installed with SELinux support, and the host system has SELinux enabled, then the SELinux context under which the container should be run can be  specified  in
   the  container  configuration. The default is unconfined_t, which means that lxc will not attempt to change contexts.  See /usr/share/lxc/selinux/lxc.te for an example policy and more
   information.

   lxc.selinux.context
          Specify the SELinux context under which the container should be run or unconfined_t. For example

          lxc.selinux.context = system_u:system_r:lxc_t:s0:c22

   lxc.selinux.context.keyring
          Specify the SELinux context under which the container's keyring should be created. By default this the same as lxc.selinux.context, or the context  lxc  is  executed  under  if
          lxc.selinux.context has not been set.

          lxc.selinux.context.keyring = system_u:system_r:lxc_t:s0:c22

KERNEL KEYRING

   The  Linux  Keyring  facility is primarily a way for various kernel components to retain or cache security data, authentication keys, encryption keys, and other data in the kernel. By
   default lxc will create a new session keyring for the started application.

   lxc.keyring.session
          Disable the creation of new session keyring by lxc. The started application will then inherit the current session keyring.  By default, or when  passing  the  value  1,  a  new
          keyring will be created.

          lxc.keyring.session = 0

SECCOMP CONFIGURATION

   A container can be started with a reduced set of available system calls by loading a seccomp profile at startup. The seccomp configuration file must begin with a version number on the
   first line, a policy type on the second line, followed by the configuration.

   Versions  1  and  2  are currently supported. In version 1, the policy is a simple allowlist. The second line therefore must read "allowlist", with the rest of the file containing one
   (numeric) syscall number per line. Each syscall number is allowlisted, while every unlisted number is denylisted for use in the container

   In version 2, the policy may be denylist or allowlist, supports per-rule and per-policy default actions, and supports per-architecture system call resolution from textual names.

   An example denylist policy, in which all system calls are allowed except for mknod, which will simply do nothing and return 0 (success), looks like:

         2
         denylist
         mknod errno 0
         ioctl notify

   Specifying "errno" as action will cause LXC to register a seccomp filter that will cause a specific errno to be returned to the caller. The errno value can be specified after the "er‐
   rno" action word.

   Specifying "notify" as action will cause LXC to register a seccomp listener and retrieve a listener file descriptor from the kernel. When a syscall is made that is registered as  "no‐
   tify"  the kernel will generate a poll event and send a message over the file descriptor. The caller can read this message, inspect the syscalls including its arguments. Based on this
   information the caller is expected to send back a message informing the kernel which action to take. Until that message is sent the kernel will block the calling process.  The  format
   of the messages to read and sent is documented in seccomp itself.

   lxc.seccomp.profile
          Specify a file containing the seccomp configuration to load before the container starts.

   lxc.seccomp.allow_nesting
          If  this flag is set to 1, then seccomp filters will be stacked regardless of whether a seccomp profile is already loaded.  This allows nested containers to load their own sec
          comp profile.  The default setting is 0.

   lxc.seccomp.notify.proxy
          Specify a unix socket to which LXC will connect and forward seccomp events to. The path must be in the form unix:/path/to/socket or unix:@socket. The former specifies  a  path-
          bound unix domain socket while the latter specifies an abstract unix domain socket.

   lxc.seccomp.notify.cookie
          An additional string sent along with proxied seccomp notification requests.

PR_SET_NO_NEW_PRIVS

   With  PR_SET_NO_NEW_PRIVS active execve() promises not to grant privileges to do anything that could not have been done without the execve() call (for example, rendering the set-user-
   ID and set-group-ID mode bits, and file capabilities non-functional).  Once set, this bit cannot be unset. The setting of this bit is inherited  by  children  created  by  fork()  and
   clone(), and preserved across execve().  Note that PR_SET_NO_NEW_PRIVS is applied after the container has changed into its intended AppArmor profile or SElinux context.

   lxc.no_new_privs
          Specify whether the PR_SET_NO_NEW_PRIVS flag should be set for the container. Set to 1 to activate.

UID MAPPINGS

   A container can be started in a private user namespace with user and group id mappings. For instance, you can map userid 0 in the container to userid 200000 on the host. The root user
   in  the  container  will  be  privileged in the container, but unprivileged on the host. Normally a system container will want a range of ids, so you would map, for instance, user and
   group ids 0 through 20,000 in the container to the ids 200,000 through 220,000.

   lxc.idmap
          Four values must be provided. First a character, either 'u', or 'g', to specify whether user or group ids are being mapped. Next is the first userid as seen in the  user  name
          space of the container. Next is the userid as seen on the host. Finally, a range indicating the number of consecutive ids to map.

CONTAINER HOOKS

   Container hooks are programs or scripts which can be executed at various times in a container's lifetime.

   When a container hook is executed, additional information is passed along. The lxc.hook.version argument can be used to determine if the following arguments are passed as command line
   arguments or through environment variables. The arguments are:

   • Container name.

   • Section (always 'lxc').

   • The hook type (i.e. 'clone' or 'pre-mount').

   • Additional  arguments. In the case of the clone hook, any extra arguments passed will appear as further arguments to the hook. In the case of the stop hook, paths to filedescriptors
     for each of the container's namespaces along with their types are passed.

   The following environment variables are set:

    LXC_CGNS_AWARE: indicator whether the container is cgroup namespace aware.

    LXC_CONFIG_FILE: the path to the container configuration file.

    LXC_HOOK_TYPE: the hook type (e.g. 'clone', 'mount', 'pre-mount'). Note that the existence of this environment variable is conditional on the value of lxc.hook.version. If it is set
     to 1 then LXC_HOOK_TYPE will be set.

    LXC_HOOK_SECTION: the section type (e.g. 'lxc', 'net'). Note that the existence of this environment variable is conditional on the value of lxc.hook.version. If it is set to 1  then
     LXC_HOOK_SECTION will be set.

    LXC_HOOK_VERSION: the version of the hooks. This value is identical to the value of the container's lxc.hook.version config item. If it is set to 0 then old-style hooks are used. If
     it is set to 1 then new-style hooks are used.

   • LXC_LOG_LEVEL: the container's log level.

    LXC_NAME: is the container's name.

   • LXC_[NAMESPACE IDENTIFIER]_NS: path under /proc/PID/fd/ to a file descriptor referring to the container's namespace. For each preserved namespace type there will be a separate envi
     ronment variable. These environment variables will only be set if lxc.hook.version is set to 1.

    LXC_ROOTFS_MOUNT: the path to the mounted root filesystem.

    LXC_ROOTFS_PATH: this is the lxc.rootfs.path entry for the container. Note this is likely not where the mounted rootfs is to be found, use LXC_ROOTFS_MOUNT for that.

    LXC_SRC_NAME: in the case of the clone hook, this is the original container's name.

   Standard output from the hooks is logged at debug level.  Standard error is not logged, but can be captured by the hook redirecting its standard error to standard output.

   lxc.hook.version
          To  pass  the arguments in new style via environment variables set to 1 otherwise set to 0 to pass them as arguments.  This setting affects all hooks arguments that were tradi‐
          tionally passed as arguments to the script. Specifically, it affects the container name, section (e.g. 'lxc', 'net') and hook type (e.g.  'clone', 'mount',  'pre-mount')  argu‐
          ments. If new-style hooks are used then the arguments will be available as environment variables.  The container name will be set in LXC_NAME. (This is set independently of the
          value used for this config item.) The section will be set in LXC_HOOK_SECTION and the hook type will be set in LXC_HOOK_TYPE.  It also affects how the paths to file descriptors
          referring  to  the container's namespaces are passed. If set to 1 then for each namespace a separate environment variable LXC_[NAMESPACE IDENTIFIER]_NS will be set. If set to 0
          then the paths will be passed as arguments to the stop hook.

   lxc.hook.pre-start
          A hook to be run in the host's namespace before the container ttys, consoles, or mounts are up.

   lxc.hook.pre-mount
          A hook to be run in the container's fs namespace but before the rootfs has been set up. This allows for manipulation of the rootfs,  i.e.  to  mount  an  encrypted  filesystem.
          Mounts done in this hook will not be reflected on the host (apart from mounts propagation), so they will be automatically cleaned up when the container shuts down.

   lxc.hook.mount
          A hook to be run in the container's namespace after mounting has been done, but before the pivot_root.

   lxc.hook.autodev
          A  hook  to be run in the container's namespace after mounting has been done and after any mount hooks have run, but before the pivot_root, if lxc.autodev == 1.  The purpose of
          this hook is to assist in populating the /dev directory of the container when using the autodev option for systemd based containers. The container's /dev directory is  relative
          to the ${LXC_ROOTFS_MOUNT} environment variable available when the hook is run.

   lxc.hook.start-host
          A hook to be run in the host's namespace after the container has been setup, and immediately before starting the container init.

   lxc.hook.start
          A hook to be run in the container's namespace immediately before executing the container's init. This requires the program to be available in the container.

   lxc.hook.stop
          A hook to be run in the host's namespace with references to the container's namespaces after the container has been shut down. For each namespace an extra argument is passed to
          the  hook containing the namespace's type and a filename that can be used to obtain a file descriptor to the corresponding namespace, separated by a colon. The type is the name
          as it would appear in the /proc/PID/ns directory.  For instance for the mount namespace the argument usually looks like mnt:/proc/PID/fd/12.

   lxc.hook.post-stop
          A hook to be run in the host's namespace after the container has been shut down.

   lxc.hook.clone
          A hook to be run when the container is cloned to a new one.  See lxc-clone(1) for more information.

   lxc.hook.destroy
          A hook to be run when the container is destroyed.

CONTAINER HOOKS ENVIRONMENT VARIABLES

   A number of environment variables are made available to the startup hooks to provide configuration information and assist in the functioning of the hooks. Not all variables are  valid
   in all contexts. In particular, all paths are relative to the host system and, as such, not valid during the lxc.hook.start hook.

   LXC_NAME
          The LXC name of the container. Useful for logging messages in common log environments. [-n]

   LXC_CONFIG_FILE
          Host  relative  path to the container configuration file. This gives the container to reference the original, top level, configuration file for the container in order to locate
          any additional configuration information not otherwise made available. [-f]

   LXC_CONSOLE
          The path to the console output of the container if not NULL.  [-c] [lxc.console.path]

   LXC_CONSOLE_LOGPATH
          The path to the console log output of the container if not NULL.  [-L]

   LXC_ROOTFS_MOUNT
          The mount location to which the container is initially bound.  This will be the host relative path to the container rootfs for the container instance being started and is where
          changes should be made for that instance.  [lxc.rootfs.mount]

   LXC_ROOTFS_PATH
          The host relative path to the container root which has been mounted to the rootfs.mount location.  [lxc.rootfs.path]

   LXC_SRC_NAME
          Only for the clone hook. Is set to the original container name.

   LXC_TARGET
          Only for the stop hook. Is set to "stop" for a container shutdown or "reboot" for a container reboot.

   LXC_CGNS_AWARE
          If unset, then this version of lxc is not aware of cgroup namespaces. If set, it will be set to 1, and lxc is aware of cgroup namespaces. Note  this  does  not  guarantee  that
          cgroup namespaces are enabled in the kernel. This is used by the lxcfs mount hook.

LOGGING

   Logging  can  be configured on a per-container basis. By default, depending upon how the lxc package was compiled, container startup is logged only at the ERROR level, and logged to a
   file named after the container (with '.log' appended) either under the container path, or under /var/log/lxc.

   Both the default log level and the log file can be specified in the container configuration file, overriding the default behavior. Note that the configuration file entries can in turn
   be overridden by the command line options to lxc-start.

   lxc.log.level
          The level at which to log. The log level is an integer in the range of 0..8 inclusive, where a lower number means more verbose debugging. In particular 0 = trace, 1 = debug,  2
          = info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 = alert, and 8 = fatal. If unspecified, the level defaults to 5 (error), so that only errors and above are logged.

          Note that when a script (such as either a hook script or a network interface up or down script) is called, the script's standard output is logged at level 1, debug.

   lxc.log.file
          The file to which logging info should be written.

   lxc.log.syslog
          Send  logging info to syslog. It respects the log level defined in lxc.log.level. The argument should be the syslog facility to use, valid ones are: daemon, local0, local1, lo
          cal2, local3, local4, local5, local5, local6, local7.

AUTOSTART

   The autostart options support marking which containers should be auto-started and in what order. These options may be used by LXC tools directly or by external tooling provided by the
   distributions.

   lxc.start.auto
          Whether the container should be auto-started.  Valid values are 0 (off) and 1 (on).

   lxc.start.delay
          How long to wait (in seconds) after the container is started before starting the next one.

   lxc.start.order
          An integer used to sort the containers when auto-starting a series of containers at once. A lower value means an earlier start.

   lxc.monitor.unshare
          If not zero the mount namespace will be unshared from the host before initializing the container (before running any pre-start hooks). This requires the CAP_SYS_ADMIN  capabil
          ity at startup.  Default is 0.

   lxc.monitor.signal.pdeath
          Set the signal to be sent to the container's init when the lxc monitor exits. By default it is set to SIGKILL which will cause all container processes to be killed when the lxc
          monitor process dies.  To ensure that containers stay alive even if lxc monitor dies set this to 0.

   lxc.group
          A multi-value key (can be used multiple times) to put the container in a container group. Those groups can then be used (amongst other things) to start a series of related con
          tainers.

AUTOSTART AND SYSTEM BOOT

   Each container can be part of any number of groups or no group at all.  Two groups are special. One is the NULL group, i.e. the container does not belong to any group. The other group
   is the "onboot" group.

   When  the  system boots with the LXC service enabled, it will first attempt to boot any containers with lxc.start.auto == 1 that is a member of the "onboot" group. The startup will be
   in order of lxc.start.order.  If an lxc.start.delay has been specified, that delay will be honored before attempting to start the next container to give the current container time  to
   begin  initialization and reduce overloading the host system. After starting the members of the "onboot" group, the LXC system will proceed to boot containers with lxc.start.auto == 1
   which are not members of any group (the NULL group) and proceed as with the onboot group.

CONTAINER ENVIRONMENT

   If you want to pass environment variables into the container (that is, environment variables which will be available to init and all of its descendents), you can  use  lxc.environment
   parameters  to  do so. Be careful that you do not pass in anything sensitive; any process in the container which doesn't have its environment scrubbed will have these variables avail
   able to it, and environment variables are always available via /proc/PID/environ.

   This configuration parameter can be specified multiple times; once for each environment variable you wish to configure.

   lxc.environment
          Specify an environment variable to pass into the container.  Example:

                        lxc.environment = APP_ENV=production
                        lxc.environment = SYSLOG_SERVER=192.0.2.42

          It is possible to inherit host environment variables by setting the name of the variable without a "=" sign. For example:

                        lxc.environment = PATH

EXAMPLES

   In addition to the few examples given below, you will find some other examples of configuration file in /usr/share/doc/lxc/examples

NETWORK

   This configuration sets up a container to use a veth pair device with one side plugged to a bridge br0 (which has been configured before on the system by the administrator). The  vir
   tual network device visible in the container is renamed to eth0.

           lxc.uts.name = myhostname
           lxc.net.0.type = veth
           lxc.net.0.flags = up
           lxc.net.0.link = br0
           lxc.net.0.name = eth0
           lxc.net.0.hwaddr = 4a:49:43:49:79:bf
           lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
           lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597

UID/GID MAPPING

   This configuration will map both user and group ids in the range 0-9999 in the container to the ids 100000-109999 on the host.

           lxc.idmap = u 0 100000 10000
           lxc.idmap = g 0 100000 10000

CONTROL GROUP

   This  configuration will setup several control groups for the application, cpuset.cpus restricts usage of the defined cpu, cpus.share prioritize the control group, devices.allow makes
   usable the specified devices.

           lxc.cgroup.cpuset.cpus = 0,1
           lxc.cgroup.cpu.shares = 1234
           lxc.cgroup.devices.deny = a
           lxc.cgroup.devices.allow = c 1:3 rw
           lxc.cgroup.devices.allow = b 8:0 rw

COMPLEX CONFIGURATION

   This example show a complex configuration making a complex network stack, using the control groups, setting a new hostname, mounting some locations and a changing root file system.

           lxc.uts.name = complex
           lxc.net.0.type = veth
           lxc.net.0.flags = up
           lxc.net.0.link = br0
           lxc.net.0.hwaddr = 4a:49:43:49:79:bf
           lxc.net.0.ipv4.address = 10.2.3.5/24 10.2.3.255
           lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3597
           lxc.net.0.ipv6.address = 2003:db8:1:0:214:5432:feab:3588
           lxc.net.1.type = macvlan
           lxc.net.1.flags = up
           lxc.net.1.link = eth0
           lxc.net.1.hwaddr = 4a:49:43:49:79:bd
           lxc.net.1.ipv4.address = 10.2.3.4/24
           lxc.net.1.ipv4.address = 192.168.10.125/24
           lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
           lxc.net.2.type = phys
           lxc.net.2.flags = up
           lxc.net.2.link = random0
           lxc.net.2.hwaddr = 4a:49:43:49:79:ff
           lxc.net.2.ipv4.address = 10.2.3.6/24
           lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297
           lxc.cgroup.cpuset.cpus = 0,1
           lxc.cgroup.cpu.shares = 1234
           lxc.cgroup.devices.deny = a
           lxc.cgroup.devices.allow = c 1:3 rw
           lxc.cgroup.devices.allow = b 8:0 rw
           lxc.mount.fstab = /etc/fstab.complex
           lxc.mount.entry = /lib /root/myrootfs/lib none ro,bind 0 0
           lxc.rootfs.path = dir:/mnt/rootfs.complex
           lxc.rootfs.options = idmap=container
           lxc.cap.drop = sys_module mknod setuid net_raw
           lxc.cap.drop = mac_override

SEE ALSO

   chroot(1), pivot_root(8), fstab(5), capabilities(7)

SEE ALSO

   lxc(7), lxc-create(1), lxc-copy(1), lxc-destroy(1), lxc-start(1), lxc-stop(1), lxc-execute(1), lxc-console(1), lxc-monitor(1), lxc-wait(1), lxc-cgroup(1), lxc-ls(1), lxc-info(1), lxc-
   freeze(1), lxc-unfreeze(1), lxc-attach(1), lxc.conf(5)

                                                                                      2025-07-30                                                                     lxc.container.conf(5)