[lxc-devel] [PATCH 4/4] Automatic mounting: document options in lxc.conf(5) manpage
Christian Seiler
christian at iwakd.de
Tue Sep 24 20:45:09 UTC 2013
Signed-off-by: Christian Seiler <christian at iwakd.de>
---
doc/lxc.conf.sgml.in | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 99 insertions(+)
diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in
index dc416e8..d904b56 100644
--- a/doc/lxc.conf.sgml.in
+++ b/doc/lxc.conf.sgml.in
@@ -656,6 +656,105 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.mount.auto</option>
+ </term>
+ <listitem>
+ <para>
+ specify which standard kernel file systems should be
+ automatically mounted. This may dramatically simplify
+ the configuration. The file systems are:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <option>proc:mixed</option> (or <option>proc</option>):
+ mount <filename>/proc</filename> as read-write, but
+ remount <filename>/proc/sys</filename> and
+ <filename>/proc/sysrq-trigger</filename> read-only
+ for security / container isolation purposes.
+ </listitem>
+ <listitem>
+ <option>proc:rw</option>: mount
+ <filename>/proc</filename> as read-write
+ </listitem>
+ <listitem>
+ <option>sys:ro</option> (or <option>sys</option>):
+ mount <filename>/sys</filename> as read-only
+ for security / container isolation purposes.
+ </listitem>
+ <listitem>
+ <option>sys:rw</option>: mount
+ <filename>/sys</filename> as read-write
+ </listitem>
+ <listitem>
+ <option>cgroup:mixed</option> (or
+ <option>cgroup</option>):
+ mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
+ create directories for all hierarchies to which
+ the container is added, create subdirectories
+ there with the name of the cgroup, and bind-mount
+ the container's own cgroup into that directory.
+ The container will be able to write to its own
+ cgroup directory, but not the parents, since they
+ will be remounted read-only
+ </listitem>
+ <listitem>
+ <option>cgroup:ro</option>: similar to
+ <option>cgroup:mixed</option>, but everything will
+ be mounted read-only.
+ </listitem>
+ <listitem>
+ <option>cgroup:rw</option>: similar to
+ <option>cgroup:mixed</option>, but everything will
+ be mounted read-write. Note that the paths leading
+ up to the container's own cgroup will be writable,
+ but will not be a cgroup filesystem but just part
+ of the tmpfs of <filename>/sys/fs/cgroup</filename>
+ </listitem>
+ <listitem>
+ <option>cgroup-full:mixed</option> (or
+ <option>cgroup-full</option>):
+ mount a tmpfs to <filename>/sys/fs/cgroup</filename>,
+ create directories for all hierarchies to which
+ the container is added, bind-mount the hierarchies
+ from the host to the container and make everything
+ read-only except the container's own cgroup. Note
+ that compared to <option>cgroup</option>, where
+ all paths leading up to the container's own cgroup
+ are just simple directories in the underlying
+ tmpfs, here
+ <filename>/sys/fs/cgroup/$hierarchy</filename>
+ will contain the host's full cgroup hierarchy,
+ albeit read-only outside the container's own cgroup.
+ This may leak quite a bit of information into the
+ container.
+ </listitem>
+ <listitem>
+ <option>cgroup-full:ro</option>: similar to
+ <option>cgroup-full:mixed</option>, but everything
+ will be mounted read-only.
+ </listitem>
+ <listitem>
+ <option>cgroup-full:rw</option>: similar to
+ <option>cgroup-full:mixed</option>, but everything
+ will be mounted read-write. Note that in this case,
+ the container may escape its own cgroup. (Note also
+ that if the container has CAP_SYS_ADMIN support
+ and can mount the cgroup filesystem itself, it may
+ do so anyway.)
+ </listitem>
+ </itemizedlist>
+ <para>
+ Examples:
+ </para>
+ <programlisting>
+ lxc.mount.auto = proc sys cgroup
+ lxc.mount.auto = proc:rw sys:rw cgroup-full:rw
+ </programlisting>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
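Review bot: the CAP_SYS_ADMIN caveat given only on the cgroup-full:rw item ("if the container has CAP_SYS_ADMIN support and can mount the cgroup filesystem itself, it may do so anyway") applies equally to every read-only mount this option sets up, so the "for security / container isolation purposes" wording on proc:mixed and sys:ro overstates what the read-only flag buys on its own: a container that keeps CAP_SYS_ADMIN can remount /proc/sys, /proc/sysrq-trigger and /sys read-write, or mount fresh instances of proc and sysfs, exactly as it can with the cgroup filesystem. Suggest moving the caveat into the introductory paragraph so it covers all the variants, along the lines of "The read-only mounts described below only constrain a container that cannot itself perform mounts (i.e. one that does not retain CAP_SYS_ADMIN)." The same paragraph should also say how lxc.mount.auto interacts with an explicit lxc.mount.entry for one of these paths (which is applied first and whether the explicit entry overrides the automatic one), since a reader choosing between the two cannot tell from this text.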
--
1.7.10.4