lxc-attach(1)                                                    lxc-attach(1)


NAME

       lxc-attach - start a process inside a running container.


SYNOPSIS

       lxc-attach {-n, --name name} [-f, --rcfile config_file] [-a, --arch
                  arch] [-e, --elevated-privileges privileges] [-s,
                  --namespaces namespaces] [-R, --remount-sys-proc]
                  [--keep-env] [--clear-env] [-v, --set-var variable]
                  [--keep-var variable] [-u, --uid uid] [-g, --gid gid]
                  [-- command]


DESCRIPTION

       lxc-attach runs the specified command inside the container specified by
       name. The container has to be running already.

       If no command is specified, the current default shell of the user
       running lxc-attach will be looked up inside the container and executed.
       This will fail if no such user exists inside the container or the
       container does not have a working nsswitch mechanism.

       Previous versions of lxc-attach simply attached to the specified
       namespaces of a container and ran a shell or the specified command
       without first allocating a pseudo terminal. This made them vulnerable
       to input faking via a TIOCSTI ioctl call after switching between
       userspace execution contexts with different privilege levels. Newer
       versions of lxc-attach will try to allocate a pseudo terminal file
       descriptor pair on the host and attach any standard file descriptors
       which refer to a terminal to the container side of the pseudo terminal
       before executing a shell or command. Note that if none of the standard
       file descriptors refer to a terminal, lxc-attach will not try to
       allocate a pseudo terminal. Instead it will simply attach to the
       container's namespaces and run a shell or the specified command.


OPTIONS

       -f, --rcfile config_file
              Specify the configuration file to configure the virtualization
              and isolation functionalities for the container.

              This configuration file, if present, will be used even if there
              is already a configuration file present in the previously
              created container (via lxc-create).

       -a, --arch arch
              Specify the architecture which the kernel should appear to be
              running as to the command executed. This option will accept the
              same settings as the lxc.arch option in container configuration
              files, see lxc.conf(5). By default, the current architecture of
              the running container will be used.

       -e, --elevated-privileges privileges
              Do not drop privileges when running the command inside the
              container. If this option is specified, the new process will
              not be added to the container's cgroup(s) and it will not drop
              its capabilities before executing.

              You may specify privileges, in case you do not want to elevate
              all of them, as a pipe-separated list, e.g. CGROUP|LSM. Allowed
              values are CGROUP, CAP and LSM, representing cgroup, capability
              and LSM restriction privileges respectively. (The pipe symbol
              needs to be escaped, e.g. CGROUP\|LSM, or quoted, e.g.
              "CGROUP|LSM".)

              Warning: This may leak privileges into the container if the
              command starts subprocesses that remain active after the main
              process that was attached is terminated. The (re-)starting of
              daemons inside the container is problematic, especially if the
              daemon starts a lot of subprocesses, such as cron or sshd. Use
              with great care.

       -s, --namespaces namespaces
              Specify the namespaces to attach to, as a pipe-separated list,
              e.g. NETWORK|IPC. Allowed values are MOUNT, PID, UTSNAME, IPC,
              USER and NETWORK. This allows one to change the context of the
              process to e.g. the network namespace of the container while
              retaining the other namespaces as those of the host. (The pipe
              symbol needs to be escaped, e.g. MOUNT\|PID, or quoted, e.g.
              "MOUNT|PID".)

              Important: This option implies -e.

       -R, --remount-sys-proc
              When using -s and the mount namespace is not included, this
              flag will cause lxc-attach to remount /proc and /sys to reflect
              the current other namespace contexts.

              Please see the Notes section for more details.

              This option will be ignored if one tries to attach to the mount
              namespace anyway.

       --keep-env
              Keep the current environment for attached programs. This is the
              current default behaviour (as of version 0.9), but it is likely
              to change in the future, since this may leak undesirable
              information into the container. If you rely on the environment
              being available for the attached program, please use this
              option to be future-proof. In addition to the current
              environment variables, container=lxc will be set.

       --clear-env
              Clear the environment before attaching, so no undesired
              environment variables leak into the container. The variable
              container=lxc will be the only environment with which the
              attached program starts.

       -v, --set-var variable
              Set an additional environment variable that is seen by the
              attached program in the container. It is specified in the form
              "VAR=VALUE", and can be specified multiple times.

       --keep-var variable
              Keep a specified environment variable. It can only be specified
              in conjunction with --clear-env, and can be specified multiple
              times.

       -u, --uid uid
              Executes the command with user ID uid inside the container.

       -g, --gid gid
              Executes the command with group ID gid inside the container.


COMMON OPTIONS

       These options are common to most lxc commands.

       -?, -h, --help
              Print a longer usage message than normal.

       --usage
              Give the usage message.

       -q, --quiet
              Mute output (quiet mode).

       -P, --lxcpath=PATH
              Use an alternate container path. The default is /var/lib/lxc.

       -o, --logfile=FILE
              Output to an alternate log FILE. The default is no log.

       -l, --logpriority=LEVEL
              Set log priority to LEVEL. The default log priority is ERROR.
              Possible values are: FATAL, CRIT, WARN, ERROR, NOTICE, INFO,
              DEBUG.

              Note that this option sets the priority of the events logged
              in the alternate log file. It does not affect the ERROR events
              logged on stderr.

       -n, --name=NAME
              Use container identifier NAME. The container identifier format
              is an alphanumeric string.

       --rcfile=FILE
              Specify the configuration file to configure the virtualization
              and isolation functionalities for the container.

              This configuration file, if present, will be used even if there
              is already a configuration file present in the previously
              created container (via lxc-create).

       --version
              Show the version number.


EXAMPLES

       To spawn a new shell running inside an existing container, use

                 lxc-attach -n container

       To restart the cron service of a running Debian container, use

                 lxc-attach -n container -- /etc/init.d/cron restart

       To deactivate the network link eth1 of a running container that does
       not have the NET_ADMIN capability, either use the -e option to run
       with increased capabilities (assuming the ip tool is installed):

                 lxc-attach -n container -e -- /sbin/ip link delete eth1

       Or, alternatively, use the -s option to use the tools installed on the
       host outside the container:

                 lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1

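       As an added example (not part of this manual page or of LXC itself), a
       small POSIX shell helper that composes the documented --clear-env,
       --keep-var, -u and -g options into a least-privilege invocation, plus a
       second function that refuses argument lists carrying -e or -s before the
       "--" separator; the function names and the space-separated allowlist
       format are the example's own choices.

```shell
#!/bin/sh
# Build a least-privilege lxc-attach argument list: the environment is
# cleared and only allowlisted variables are re-added with --keep-var, the
# command runs under an explicit uid/gid, and the container name is checked
# against the alphanumeric format documented under COMMON OPTIONS. The list
# is printed one argument per line rather than executed, so it can be
# reviewed (or fed to xargs -d '\n') before anything touches the container.
#
# usage: attach_args NAME UID GID "VAR1 VAR2 ..." COMMAND [ARGS...]
attach_args() {
    name=$1 uid=$2 gid=$3 keep=$4
    shift 4
    case $name in
        ''|*[!A-Za-z0-9]*)
            echo "attach_args: invalid container name: '$name'" >&2; return 1 ;;
    esac
    for n in "$uid" "$gid"; do
        case $n in
            ''|*[!0-9]*) echo "attach_args: uid and gid must be numeric" >&2; return 1 ;;
        esac
    done
    [ $# -ge 1 ] || { echo "attach_args: no command given" >&2; return 1; }
    printf '%s\n' lxc-attach -n "$name" --clear-env
    for v in $keep; do
        # --keep-var is only valid together with --clear-env (see OPTIONS)
        printf '%s\n' --keep-var "$v"
    done
    printf '%s\n' -u "$uid" -g "$gid" --
    printf '%s\n' "$@"
}

# Policy check for argument lists produced elsewhere (e.g. by a job runner):
# returns 1 if -e/--elevated-privileges or -s/--namespaces (which implies -e)
# appears before the "--" separator, since both widen the container's
# isolation as the SECURITY section warns. Arguments after "--" belong to
# the attached command and are not inspected.
attach_args_are_confined() {
    for a in "$@"; do
        case $a in
            --) return 0 ;;
            -e*|--elevated-privileges|--elevated-privileges=*) return 1 ;;
            -s*|--namespaces|--namespaces=*) return 1 ;;
        esac
    done
    return 0
}
```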

COMPATIBILITY

       Attaching completely (including the pid and mount namespaces) to a
       container requires a kernel of version 3.8 or higher, or a patched
       kernel; please see the lxc website for details. lxc-attach will fail
       in that case if used with an unpatched kernel of version 3.7 or prior.

       Nevertheless, it will succeed on an unpatched kernel of version 3.0 or
       higher if the -s option is used to restrict the namespaces that the
       process is to be attached to, to one or more of NETWORK, IPC and
       UTSNAME.

       Attaching to user namespaces is supported by kernel 3.8 or higher with
       user namespaces enabled.


NOTES

       The Linux /proc and /sys filesystems contain information about some
       quantities that are affected by namespaces, such as the directories
       named after process ids in /proc or the network interface information
       in /sys/class/net. The namespace of the process mounting the
       pseudo-filesystems determines what information is shown, not the
       namespace of the process accessing /proc or /sys.

       If one uses the -s option to only attach to the pid namespace of a
       container, but not its mount namespace (which will contain the /proc
       of the container and not the host), the contents of /proc will reflect
       that of the host and not the container. Analogously, the same issue
       occurs when reading the contents of /sys/class/net and attaching to
       just the network namespace.

       To work around this problem, the -R flag provides the option to
       remount /proc and /sys in order for them to reflect the network/pid
       namespace context of the attached process. In order not to interfere
       with the host's actual filesystem, the mount namespace will be
       unshared (like lxc-unshare does) before this is done, essentially
       giving the process a new mount namespace, which is identical to the
       host's mount namespace except for the /proc and /sys filesystems.

       Previous versions of lxc-attach suffered from a bug whereby a user
       could attach to a container's namespaces without being placed in a
       writeable cgroup for some critical subsystems. Newer versions of
       lxc-attach will check whether a user is in a writeable cgroup for
       those critical subsystems. lxc-attach might thus fail unexpectedly for
       some users (e.g. on systems where an unprivileged user is not placed
       in a writeable cgroup in critical subsystems on login). However, this
       behavior is correct and more secure.


SECURITY

       The -e and -s options should be used with care, as they may break the
       isolation of the container if used improperly.


SEE ALSO

       lxc(7), lxc-create(1), lxc-copy(1), lxc-destroy(1), lxc-start(1),
       lxc-stop(1), lxc-execute(1), lxc-console(1), lxc-monitor(1),
       lxc-wait(1), lxc-cgroup(1), lxc-ls(1), lxc-info(1), lxc-freeze(1),
       lxc-unfreeze(1), lxc-attach(1), lxc.conf(5)


AUTHOR

       Daniel Lezcano <daniel.lezcano@free.fr>



                                  2020-01-29                     lxc-attach(1)