From: Christian Seiler Date: Tue, 24 Sep 2013 20:45:09 +0000 (+0200) Subject: Automatic mounting: document options in lxc.conf(5) manpage X-Git-Tag: lxc-1.0.0.alpha2~82 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2ff31c71070f1f42b8e844a294577812284097b;p=thirdparty%2Flxc.git Automatic mounting: document options in lxc.conf(5) manpage Signed-off-by: Christian Seiler Signed-off-by: Serge Hallyn --- diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in index bad553c17..f03dcd97e 100644 --- a/doc/lxc.conf.sgml.in +++ b/doc/lxc.conf.sgml.in 
@@ -656,6 +656,105 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + + + + + + + specify which standard kernel file systems should be + automatically mounted. This may dramatically simplify + the configuration. The file systems are: + + + + (or ): + mount /proc as read-write, but + remount /proc/sys and + /proc/sysrq-trigger read-only + for security / container isolation purposes. + + + : mount + /proc as read-write + + + (or ): + mount /sys as read-only + for security / container isolation purposes. + + + : mount + /sys as read-write + + + (or + ): + mount a tmpfs to /sys/fs/cgroup, + create directories for all hierarchies to which + the container is added, create subdirectories + there with the name of the cgroup, and bind-mount + the container's own cgroup into that directory. + The container will be able to write to its own + cgroup directory, but not the parents, since they + will be remounted read-only + + + : similar to + , but everything will + be mounted read-only. + + + : similar to + , but everything will + be mounted read-write. Note that the paths leading + up to the container's own cgroup will be writable, + but will not be a cgroup filesystem but just part + of the tmpfs of /sys/fs/cgroup + + + (or + ): + mount a tmpfs to /sys/fs/cgroup, + create directories for all hierarchies to which + the container is added, bind-mount the hierarchies + from the host to the container and make everything + read-only except the container's own cgroup. Note + that compared to , where + all paths leading up to the container's own cgroup + are just simple directories in the underlying + tmpfs, here + /sys/fs/cgroup/$hierarchy + will contain the host's full cgroup hierarchy, + albeit read-only outside the container's own cgroup. + This may leak quite a bit of information into the + container. + + + : similar to + , but everything + will be mounted read-only. + + + : similar to + , but everything + will be mounted read-write. 
Note that in this case, + the container may escape its own cgroup. (Note also + that if the container has CAP_SYS_ADMIN support + and can mount the cgroup filesystem itself, it may + do so anyway.) + + + + Examples: + + + lxc.mount.auto = proc sys cgroup + lxc.mount.auto = proc:rw sys:rw cgroup-full:rw + + + +
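Review bot: the new `lxc.mount.auto` section never says what happens when the option is unset, nor how these automatic mounts interact with mount entries the user already has in the container config (`lxc.mount` / `lxc.mount.entry`): whether they are applied before or after them, and whether an explicit entry for /proc or /sys takes precedence over the automatic one. A sentence covering both would save readers from guessing when they combine the two. Two smaller points in the same hunk: the `cgroup-full:rw` paragraph states that "the container may escape its own cgroup" but stops short of saying that this variant is only appropriate for trusted containers, so the second example line, `lxc.mount.auto = proc:rw sys:rw cgroup-full:rw`, should be flagged as the permissive rather than the recommended configuration (the first example, `lxc.mount.auto = proc sys cgroup`, is the one that keeps the read-only isolation the text describes); and the `cgroup` paragraph ending "since they will be remounted read-only" is missing its terminating period.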