[lxc-devel] [PATCH 1/1] lxc.conf.sgml.in: fill in missing configuration file statements
Serge Hallyn
serge.hallyn at ubuntu.com
Tue May 28 19:08:45 UTC 2013
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
doc/lxc.conf.sgml.in | 139 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 139 insertions(+)
diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in
index af8663a..6500e50 100644
--- a/doc/lxc.conf.sgml.in
+++ b/doc/lxc.conf.sgml.in
@@ -76,6 +76,32 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
</para>
<refsect2>
+ <title>Configuration</title>
+ <para>
+ In order to ease administration of multiple related containers, it
+ is possible to have a container configuration file cause another
+ file to be loaded. For instance, network configuration
+ can be defined in one common file which is included by multiple
+ containers. Then, if the containers are moved to another host,
+ only one file may need to be updated.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>lxc.include</option>
+ </term>
+ <listitem>
+ <para>
+ Specify the file to be included. The included file must be
+ in the same valid lxc configuration file format.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
<title>Architecture</title>
<para>
Allows to set the architecture for the container. For example,
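Review bot: The lxc.include entry does not say how the path is resolved (absolute only, or relative to the including file or to the working directory), whether an included file may itself contain lxc.include, or which value wins when the same key is set in both files. The stated use case is sharing network settings between containers, so a sentence on each of these would save readers from testing it themselves. It is also worth stating that the included file is parsed as container configuration and should therefore be owned and protected like the container's own config file. The new section title "Configuration" is very generic for a page that is entirely about configuration; a title that names includes would be easier to find.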
@@ -395,6 +421,11 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
type, other arguments may be passed:
veth/macvlan/phys. And finally (host-sided) device name.
</para>
+ <para>
+ Standard output from the script is logged at debug level.
+ Standard error is not logged, but can be captured by the
+ hook redirecting its standard error to standard output.
+ </para>
</listitem>
</varlistentry>
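Review bot: The added paragraph switches terms: its first sentence says "Standard output from the script" but its last says "the hook redirecting its standard error". This entry documents a network interface script, not a container hook, so use "script" in both sentences to avoid implying that lxc.hook.* settings are involved.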
@@ -415,6 +446,11 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
type, other arguments may be passed:
veth/macvlan/phys. And finally (host-sided) device name.
</para>
+ <para>
+ Standard output from the script is logged at debug level.
+ Standard error is not logged, but can be captured by the
+ hook redirecting its standard error to standard output.
+ </para>
</listitem>
</varlistentry>
</variablelist>
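Review bot: This paragraph is a verbatim copy of the one added in the previous hunk, and a third near-copy is added under the container hooks section. Three copies will drift the first time the logging behaviour changes; consider defining the text once (an SGML entity, or a single statement in the new Logging section) and pointing to it from the script and hook entries.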
@@ -739,6 +775,56 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
</refsect2>
<refsect2>
+ <title>Apparmor profile</title>
+ <para>
+ If lxc was compiled and installed with apparmor support, and the host
+ system has apparmor enabled, then the apparmor profile under which the
+ container should be run can be specified in the container
+ configuration. The default is <command>lxc-container-default</command>.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>lxc.aa_profile</option>
+ </term>
+ <listitem>
+ <para>
+ Specify the apparmor profile under which the container should
+ be run. To specify that the container should be unconfined,
+ use
+ </para>
+ <programlisting>lxc.aa_profile = unconfined</programlisting>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
+ <title>Seccomp configuration</title>
+ <para>
+ A container can be started with a reduced set of available
+ system calls by loading a seccomp profile at startup. The
+ seccomp configuration file should begin with a version number
+ (which currently must be 1) on the first line, a policy type
+ (which must be 'whitelist') on the second line, followed by a
+ list of allowed system call numbers, one per line.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>lxc.seccomp</option>
+ </term>
+ <listitem>
+ <para>
+ Specify a file containing the seccomp configuration to
+ load before the container starts.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
<title>UID mappings</title>
<para>
A container can be started in a private user namespace with
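Review bot: The seccomp paragraph asks for "a list of allowed system call numbers" without saying that the numbers are architecture-specific, and without saying what happens to a call that is not on the list. Both matter to anyone writing a profile: a list written for one architecture permits different calls on another, and the reader cannot tell whether an unlisted call returns an error or kills the task. Please document both, and say how a malformed file (wrong version or policy line) is handled at container start. In the Apparmor text, lxc-container-default is a profile name rather than a program, so the command markup is misleading there; the lxc.aa_profile entry would also read better with an example that names a confining profile next to the unconfined one.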
@@ -775,6 +861,11 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Container hooks are programs or scripts which can be executed
at various times in a container's lifetime.
</para>
+ <para>
+ Standard output from the hooks is logged at debug level.
+ Standard error is not logged, but can be captured by the
+ hook redirecting its standard error to standard output.
+ </para>
<variablelist>
<varlistentry>
<term>
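Review bot: The added hooks paragraph says standard output "is logged at debug level", but the Logging section added later in this patch sets the default level to 5 (error). With default settings the hook output is therefore discarded, which the paragraph does not say. Add a clause here stating that lxc.loglevel must be set to 1 or lower (or the equivalent lxc-start option used) for hook output to reach the log, or refer the reader to the Logging section.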
@@ -978,6 +1069,54 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
</variablelist>
</refsect2>
+ <refsect2>
+ <title> Logging</title>
+ <para>
+ Logging can be configured on a per-container basis. By default,
+ depending upon how the lxc package was compiled, container startup
+ is logged only at the ERROR level, and logged to a file named after
+ the container (with '.log' appended) either under the container path,
+ or under @LOGPATH at .
+ </para>
+ <para>
+ Both the default log level and the log file can be specified in the
+ container configuration file, overriding the default behavior. Note
+ that the configuration file entries can in turn be overridden by the
+ command line options to <command>lxc-start</command>.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>lxc.loglevel</option>
+ </term>
+ <listitem>
+ <para>
+ The level at which to log. The log level is an integer in
+ the range of 0..8 inclusive, where a lower number means more
+ verbose debugging. In particular 0 = trace, 1 = debug, 2 =
+ info, 3 = notice, 4 = warn, 5 = error, 6 = critical, 7 =
+ alert, and 8 = fatal. If unspecified, the level defaults
+ to 5 (error), so that only errors and above are logged.
+ </para>
+ <para>
+ Note that when a script (such as either a hook script or a
+ network interface up or down script) is called, the script's
+ standard output is logged at level 1, debug.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>lxc.logfile</option>
+ </term>
+ <listitem>
+ <para>
+ The file to which logging info should be written.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
</refsect1>
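Review bot: The new section title has a stray leading space inside the element, at "<title> Logging</title>"; drop it so the heading matches the other refsect2 titles. The opening refsect2 is also added directly after the preceding closing tag with no blank line, unlike the Apparmor and Seccomp sections in this patch. On content, the lxc.logfile entry gives no detail beyond "the file to which logging info should be written": it should say whether a relative path is accepted and what it is relative to, and whether an existing file is appended to or truncated. The first paragraph says the default location depends on "how the lxc package was compiled" without naming the build option that selects between the two locations; naming it would let an administrator check their own installation.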
--
1.8.1.2