lxc-attach(1)

NAME

   lxc-attach - start a process inside a running container.

SYNOPSIS

   lxc-attach {-n, --name name} [-f, --rcfile config_file] [-a, --arch
              arch] [-e, --elevated-privileges privileges] [-s,
              --namespaces namespaces] [-R, --remount-sys-proc] [--keep-
              env] [--clear-env] [-L, --pty-log file] [-v, --set-var
              variable] [--keep-var variable] [-- command]

DESCRIPTION

   lxc-attach runs the specified command inside the container specified by
   name. The container has to be running already.

   If no command is specified, the  current  default  shell  of  the  user
   running lxc-attach will be looked up inside the container and executed.
   This will fail if no such user  exists  inside  the  container  or  the
   container does not have a working nsswitch mechanism.

   Previous  versions  of  lxc-attach  simply  attached  to  the specified
   namespaces of a container and ran a  shell  or  the  specified  command
   without  first  allocating a pseudo terminal. This made them vulnerable
   to input faking via  a  TIOCSTI  ioctl  call  after  switching  between
   userspace  execution  contexts  with  different privilege levels. Newer
   versions  of  lxc-attach  will  try  to  allocate  a  pseudo   terminal
   master/slave  pair on the host and attach any standard file descriptors
   which refer to a terminal to the slave  side  of  the  pseudo  terminal
   before executing a shell or command. Note that if none of the  standard
   file descriptors refer  to  a  terminal,  lxc-attach  will  not  try  to
   allocate  a  pseudo  terminal.  Instead  it  will  simply attach to the
   container's namespaces and run a shell or the specified command.
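   As an added illustration of the mechanism described above (example code
   written for this page, not LXC's own implementation), the following C
   program allocates a pseudo terminal pair with posix_openpt(3) and points
   whichever standard descriptors are terminals at the slave side, and also
   shows the check that skips allocation when no standard descriptor is a
   terminal. The host/container split is not modelled; everything runs in a
   single process, and the round-trip self-check only exercises the pty.

```c
/* Added example: allocate a pty master/slave pair and attach the standard
 * descriptors that are terminals to the slave side, in the way the man page
 * describes lxc-attach doing before it executes a command.
 * Illustrative code written for this page, not LXC's own. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* A pty is only worth allocating if at least one of fd 0, 1, 2 is a
 * terminal; otherwise the command would be attached directly. */
int stdio_has_terminal(void)
{
    return isatty(STDIN_FILENO) || isatty(STDOUT_FILENO) || isatty(STDERR_FILENO);
}

/* Open a new pty pair.  On success *master and *slave receive the two
 * descriptors and 0 is returned; on failure -1 is returned and no
 * descriptor is leaked. */
int open_pty_pair(int *master, int *slave)
{
    int m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0)
        return -1;
    /* grantpt/unlockpt make the slave usable; ptsname gives its path. */
    if (grantpt(m) < 0 || unlockpt(m) < 0) {
        close(m);
        return -1;
    }
    const char *name = ptsname(m);
    if (name == NULL) {
        close(m);
        return -1;
    }
    int s = open(name, O_RDWR | O_NOCTTY);
    if (s < 0) {
        close(m);
        return -1;
    }
    *master = m;
    *slave = s;
    return 0;
}

/* Redirect every standard descriptor that currently refers to a terminal
 * onto the slave.  Descriptors that are pipes or files are left alone, so
 * piping the output into another tool keeps working.  Returns the number
 * of descriptors redirected. */
int attach_terminal_fds(int slave)
{
    int redirected = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (isatty(fd) && dup2(slave, fd) == fd)
            redirected++;
    }
    return redirected;
}

/* Self-check: allocate a pair, confirm the slave is a tty, and verify that
 * bytes written on the slave can be read back from the master (the side a
 * host-side logger such as -L/--pty-log would read).  Returns 1 on success. */
int pty_roundtrip_works(void)
{
    int m, s;
    char buf[16] = {0};
    int ok = 0;

    if (open_pty_pair(&m, &s) != 0)
        return 0;
    if (isatty(s) && write(s, "ping", 4) == 4) {
        ssize_t n = read(m, buf, sizeof buf - 1);
        ok = (n == 4 && memcmp(buf, "ping", 4) == 0);
    }
    close(m);
    close(s);
    return ok;
}

int main(void)
{
    int m, s;

    if (!stdio_has_terminal()) {
        puts("no standard descriptor is a terminal: would attach without a pty");
        return 0;
    }
    if (open_pty_pair(&m, &s) != 0) {
        perror("open_pty_pair");
        return 1;
    }
    /* Report before redirecting, since stdout may itself be moved to the slave. */
    printf("allocated pty slave %s; terminal fds: %s%s%s\n", ptsname(m),
           isatty(0) ? "0 " : "", isatty(1) ? "1 " : "", isatty(2) ? "2" : "");
    attach_terminal_fds(s);
    return 0;
}
```

   The self-check writes on the slave and reads on the master because that is
   the direction a host-side logger observes; in a real attach the master
   would be bridged to the original terminal by a forwarding loop, which is
   omitted here.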

OPTIONS

   -f, --rcfile config_file
          Specify the configuration file to configure  the  virtualization
          and isolation functionalities for the container.

          This configuration file if present will be used even if there is
          already a configuration file present in the  previously  created
          container (via lxc-create).

   -a, --arch arch
          Specify  the  architecture  which the kernel should appear to be
          running as to the command executed. This option will accept  the
          same  settings as the lxc.arch option in container configuration
          files, see lxc.conf(5). By default, the current  architecture  of
          the running container will be used.

   -e, --elevated-privileges privileges
          Do   not   drop  privileges  when  running  command  inside  the
          container. If this option is specified, the new process will not
          be  added  to the container's cgroup(s) and it will not drop its
          capabilities before executing.

          You may specify privileges, in case you do not want  to  elevate
          all of them, as a pipe-separated list, e.g.  CGROUP|LSM. Allowed
          values are CGROUP, CAP and LSM representing cgroup, capabilities
          and  restriction privileges respectively. (The pipe symbol needs
          to be escaped, e.g. CGROUP\|LSM or quoted, e.g.  "CGROUP|LSM".)

          Warning: This may leak privileges  into  the  container  if  the
          command  starts  subprocesses  that remain active after the main
          process that was attached is terminated.  The  (re-)starting  of
          daemons  inside  the container is problematic, especially if the
          daemon starts a lot of subprocesses such as cron or  sshd.   Use
          with great care.

   -s, --namespaces namespaces
          Specify  the  namespaces to attach to, as a pipe-separated list,
          e.g. NETWORK|IPC. Allowed values are MOUNT, PID,  UTSNAME,  IPC,
          USER  and  NETWORK. This allows one to change the context of the
          process to e.g. the network namespace  of  the  container  while
          retaining  the  other namespaces as those of the host. (The pipe
          symbol needs to be escaped, e.g.   MOUNT\|PID  or  quoted,  e.g.
          "MOUNT|PID".)

          Important: This option implies -e.

   -R, --remount-sys-proc
          When using -s and the mount namespace is not included, this flag
          will cause lxc-attach to remount /proc and /sys to  reflect  the
          current other namespace contexts.

          Please see the Notes section for more details.

          This  option will be ignored if one tries to attach to the mount
          namespace anyway.

   --keep-env
          Keep the current environment for attached programs. This is  the
          current  default  behaviour  (as of version 0.9), but is likely to
          change  in  the  future,  since  this   may   leak   undesirable
          information  into  the container. If you rely on the environment
          being available for the attached program, please use this option
          to   be   future-proof.   In  addition  to  current  environment
          variables, container=lxc will be set.

   --clear-env
          Clear  the  environment  before  attaching,  so   no   undesired
          environment  variables  leak  into  the  container. The variable
          container=lxc will  be  the  only  environment  with  which  the
          attached program starts.

   -L, --pty-log file
          Specify a file where the output of lxc-attach will be logged.

          Important:  When a standard file descriptor does not refer to a
          pty, output produced on it will not be logged.

   -v, --set-var variable
          Set an additional environment  variable  that  is  seen  by  the
          attached  program  in the container. It is specified in the form
          of "VAR=VALUE", and can be specified multiple times.

   --keep-var variable
          Keep a specified environment variable. It can only be  specified
          in  conjunction  with --clear-env, and can be specified multiple
          times.

COMMON OPTIONS

   These options are common to most of lxc commands.

   -?, -h, --help
          Print a longer usage message than normal.

   --usage
          Give the usage message.

   -q, --quiet
          Mute on (suppress output).

   -P, --lxcpath=PATH
          Use an alternate container path. The default is /var/lib/lxc.

   -o, --logfile=FILE
          Output to an alternate log FILE. The default is no log.

   -l, --logpriority=LEVEL
          Set log priority to LEVEL. The default log  priority  is  ERROR.
          Possible  values  are  : FATAL, CRIT, WARN, ERROR, NOTICE, INFO,
          DEBUG.

          Note that this option is setting the priority of the events  log
          in  the  alternate  log file. It does not affect the ERROR events
          log on stderr.

   -n, --name=NAME
          Use container identifier NAME.  The container identifier  format
          is an alphanumeric string.

   --rcfile=FILE
          Specify  the  configuration file to configure the virtualization
          and isolation functionalities for the container.

          This configuration file if present will be used even if there is
          already  a  configuration file present in the previously created
          container (via lxc-create).

   --version
          Show the version number.

EXAMPLES

   To spawn a new shell running inside an existing container, use

             lxc-attach -n container

   To restart the cron service of a running Debian container, use

             lxc-attach -n container -- /etc/init.d/cron restart

   To deactivate the network link eth1 of a running  container  that  does
   not  have  the  NET_ADMIN  capability,  use either the -e option to use
   increased capabilities, assuming the ip tool is installed:

             lxc-attach -n container -e -- /sbin/ip link delete eth1

   Or, alternatively, use the -s option to use the tools installed  on  the
   host outside the container:

             lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1

COMPATIBILITY

   Attaching  completely  (including  the  pid  and mount namespaces) to a
   container requires a kernel of version 3.8  or  higher,  or  a  patched
   kernel, please see the lxc website for details. lxc-attach will fail in
   that case if used with an unpatched kernel of version 3.7 and prior.

   Nevertheless, it will succeed on an unpatched kernel of version 3.0  or
   higher  if  the  -s  option is used to restrict the namespaces to which
   the process is attached to one or more of NETWORK, IPC and UTSNAME.

   Attaching  to user namespaces is supported by kernel 3.8 or higher with
   user namespaces enabled.

NOTES

   The Linux /proc and /sys filesystems  contain  information  about  some
   quantities  that  are  affected  by namespaces, such as the directories
   named after process ids in /proc or the network  interface  information
   in  /sys/class/net.  The  namespace of the process mounting the pseudo-
   filesystems determines what information is shown, not the namespace  of
   the process accessing /proc or /sys.

   If  one  uses  the  -s  option to only attach to the pid namespace of a
   container, but not its mount namespace (which will contain the /proc of
   the  container  and  not  the host), the contents of /proc will reflect
   that of the host and not the container.  Analogously,  the  same  issue
   occurs  when  reading  the  contents of /sys/class/net and attaching to
   just the network namespace.

   To work around this problem, the -R flag provides the option to remount
   /proc  and  /sys in order for them to reflect the network/pid namespace
   context of the attached process. In order not  to  interfere  with  the
   host's  actual  filesystem,  the mount namespace will be unshared (like
   lxc-unshare does) before this is done, essentially giving the process a
   new  mount  namespace, which is identical to the host's mount namespace
   except for the /proc and /sys filesystems.
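   The -s option above lets a process enter only some of a container's
   namespaces, and this section explains why /proc and /sys may then show a
   view that does not match the namespaces actually entered. A practitioner
   will want to confirm which namespaces an attached process really shares
   with the host. As an added example (written for this page, not part of
   lxc-attach), the following C program compares the nsfs inodes behind
   /proc/<pid>/ns/* for two processes; pids are given as strings so that
   "self" works, and the reference process defaults to pid 1. The sample
   test input compares a process with itself, which is the only case that
   needs no privilege.

```c
/* Added example: report which namespaces one process shares with another
 * by comparing the nsfs inodes behind /proc/<pid>/ns/*.  Illustrative code
 * written for this page, not lxc-attach's own. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Namespace types listed under /proc/<pid>/ns that this man page discusses. */
static const char *const NS_TYPES[] = { "mnt", "pid", "net", "ipc", "uts", "user" };
#define NS_TYPE_COUNT (sizeof NS_TYPES / sizeof NS_TYPES[0])

/* Compare one namespace of two processes.  Returns 1 if identical, 0 if
 * different, -1 if either link cannot be inspected (no such process, or
 * insufficient privilege to look at that process). */
int same_namespace(const char *pid_a, const char *pid_b, const char *ns)
{
    char path_a[64], path_b[64];
    struct stat st_a, st_b;

    snprintf(path_a, sizeof path_a, "/proc/%s/ns/%s", pid_a, ns);
    snprintf(path_b, sizeof path_b, "/proc/%s/ns/%s", pid_b, ns);
    if (stat(path_a, &st_a) != 0 || stat(path_b, &st_b) != 0)
        return -1;
    /* Two ns links refer to the same namespace iff they resolve to the
     * same inode on the same (nsfs) device. */
    return st_a.st_dev == st_b.st_dev && st_a.st_ino == st_b.st_ino;
}

/* Write a summary of all namespaces of 'pid' relative to 'ref' into 'out',
 * e.g. "mnt=shared pid=shared net=separate ipc=shared uts=shared user=shared".
 * Returns the number of namespaces that differ, or -1 if any was unreadable. */
int namespace_summary(const char *pid, const char *ref, char *out, size_t outlen)
{
    int differ = 0, error = 0;
    size_t used = 0;

    out[0] = '\0';
    for (size_t i = 0; i < NS_TYPE_COUNT; i++) {
        int same = same_namespace(pid, ref, NS_TYPES[i]);
        const char *word = same == 1 ? "shared" : same == 0 ? "separate" : "unknown";
        if (same == 0)
            differ++;
        if (same < 0)
            error = 1;
        int w = snprintf(out + used, outlen - used, "%s%s=%s",
                         i ? " " : "", NS_TYPES[i], word);
        if (w < 0 || (size_t)w >= outlen - used)
            break;                      /* buffer full: keep what fits */
        used += (size_t)w;
    }
    return error ? -1 : differ;
}

int main(int argc, char **argv)
{
    /* Usage: nscheck [pid-to-inspect] [reference-pid]; defaults: self vs 1. */
    const char *pid = argc > 1 ? argv[1] : "self";
    const char *ref = argc > 2 ? argv[2] : "1";
    char line[256];

    int differ = namespace_summary(pid, ref, line, sizeof line);
    printf("%s vs %s: %s\n", pid, ref, line);
    if (differ < 0)
        fputs("some namespaces could not be read (same uid or CAP_SYS_PTRACE needed)\n", stderr);
    return differ < 0 ? 1 : 0;
}
```

   Run against the pid of a process attached with -s NETWORK, a host-side
   reference should report net=separate and everything else shared; if mnt
   is shared while pid is separate, /proc will show the host's view unless
   -R was given, exactly the situation this section describes.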

   Previous versions of lxc-attach suffered a bug  whereby  a  user  could
   attach  to  a  container's namespaces without being placed in a writeable
   cgroup for some critical subsystems. Newer versions of lxc-attach  will
   check  whether  a  user  is  in  a  writeable cgroup for those critical
   subsystems. lxc-attach might thus  fail  unexpectedly  for  some  users
   (e.g.  on  systems  where  an  unprivileged  user  is  not  placed in a
   writeable cgroup in critical subsystems  on  login).  However,  this
   behavior is correct and more secure.

SECURITY

   The  -e  and  -s  options should be used with care, as they may break
   the isolation of the containers if used improperly.

SEE ALSO

   lxc(7), lxc-create(1), lxc-copy(1), lxc-destroy(1), lxc-start(1),  lxc-
   stop(1),  lxc-execute(1),  lxc-console(1), lxc-monitor(1), lxc-wait(1),
   lxc-cgroup(1), lxc-ls(1), lxc-info(1), lxc-freeze(1),  lxc-unfreeze(1),
   lxc-attach(1), lxc.conf(5)

AUTHOR

   Daniel Lezcano <[email protected]>

                              2017-01-04                     lxc-attach(1)