lxc-attach(1)                                                    lxc-attach(1)

NAME
       lxc-attach - start a process inside a running container.

SYNOPSIS
       lxc-attach {-n, --name name} [-f, --rcfile config_file] [-a, --arch arch]
       [-e, --elevated-privileges privileges] [-s, --namespaces namespaces]
       [-R, --remount-sys-proc] [--keep-env] [--clear-env] [-v, --set-var variable]
       [--keep-var variable] [-u, --uid uid] [-g, --gid gid] [-- command]

DESCRIPTION
       lxc-attach runs the specified command inside the container specified by
       name. The container has to be running already.

       If no command is specified, the current default shell of the user running
       lxc-attach will be looked up inside the container and executed. This will
       fail if no such user exists inside the container or the container does
       not have a working nsswitch mechanism.

       Previous versions of lxc-attach simply attached to the specified
       namespaces of a container and ran a shell or the specified command
       without first allocating a pseudo terminal. This made them vulnerable to
       input faking via a TIOCSTI ioctl call after switching between userspace
       execution contexts with different privilege levels. Newer versions of
       lxc-attach will try to allocate a pseudo terminal file descriptor pair on
       the host and attach any standard file descriptors which refer to a
       terminal to the container side of the pseudo terminal before executing a
       shell or command. Note that if none of the standard file descriptors
       refer to a terminal, lxc-attach will not try to allocate a pseudo
       terminal. Instead it will simply attach to the container's namespaces and
       run a shell or the specified command.

OPTIONS
       -f, --rcfile config_file
              Specify the configuration file to configure the virtualization
              and isolation functionalities for the container.

              This configuration file, if present, will be used even if there is
              already a configuration file present in the previously created
              container (via lxc-create).

       -a, --arch arch
              Specify the architecture which the kernel should appear to be
              running as to the command executed. This option will accept the
              same settings as the lxc.arch option in container configuration
              files, see lxc.conf(5). By default, the current architecture of
              the running container will be used.

       -e, --elevated-privileges privileges
              Do not drop privileges when running command inside the container.
              If this option is specified, the new process will not be added to
              the container's cgroup(s) and it will not drop its capabilities
              before executing.

              You may specify privileges, in case you do not want to elevate
              all of them, as a pipe-separated list, e.g. CGROUP|LSM. Allowed
              values are CGROUP, CAP and LSM, representing cgroup, capability
              and LSM restriction privileges respectively. (The pipe symbol
              needs to be escaped, e.g. CGROUP\|LSM, or quoted, e.g.
              "CGROUP|LSM".)

              Warning: This may leak privileges into the container if the
              command starts subprocesses that remain active after the main
              process that was attached is terminated. The (re-)starting of
              daemons inside the container is problematic, especially if the
              daemon starts a lot of subprocesses, such as cron or sshd. Use
              with great care.

       -s, --namespaces namespaces
              Specify the namespaces to attach to, as a pipe-separated list,
              e.g. NETWORK|IPC. Allowed values are MOUNT, PID, UTSNAME, IPC,
              USER and NETWORK. This allows one to change the context of the
              process to e.g. the network namespace of the container while
              retaining the other namespaces as those of the host. (The pipe
              symbol needs to be escaped, e.g. MOUNT\|PID, or quoted, e.g.
              "MOUNT|PID".)

              Important: This option implies -e.
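The two list formats above, parsed into flags the way a front end for these options would do it. This is an added example in C and not lxc's own code; the flag values, the 128-byte buffer and the reading of "-s implies -e" (keep every privilege unless -e named a narrower set) are assumptions.

```c
#include <string.h>

/* Added example, not lxc's own code: parse the pipe-separated lists accepted
   by -e/--elevated-privileges and -s/--namespaces into bit flags, rejecting
   any token the man page does not list. The flag values are assumptions. */
enum { PRIV_CGROUP = 1, PRIV_CAP = 2, PRIV_LSM = 4, PRIV_ALL = 7 };
enum { NS_MOUNT = 1, NS_PID = 2, NS_UTSNAME = 4,
       NS_IPC = 8, NS_USER = 16, NS_NETWORK = 32 };

struct token { const char *name; int flag; };

static const struct token priv_tokens[] = {
    {"CGROUP", PRIV_CGROUP}, {"CAP", PRIV_CAP}, {"LSM", PRIV_LSM}, {NULL, 0}};
static const struct token ns_tokens[] = {
    {"MOUNT", NS_MOUNT}, {"PID", NS_PID}, {"UTSNAME", NS_UTSNAME},
    {"IPC", NS_IPC}, {"USER", NS_USER}, {"NETWORK", NS_NETWORK}, {NULL, 0}};

/* OR together the flags of an "A|B|C" list; -1 if any token is unknown.
   The shell has already removed the backslash or quotes by the time the
   string reaches the program, so only the bare '|' separator is handled. */
static int parse_list(const char *list, const struct token *table) {
    char buf[128];
    int flags = 0;
    if (!list || strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, "|"); tok; tok = strtok(NULL, "|")) {
        const struct token *t;
        for (t = table; t->name && strcmp(tok, t->name) != 0; t++)
            ;
        if (!t->name) return -1;   /* not an allowed value (case-sensitive) */
        flags |= t->flag;
    }
    return flags;
}

int parse_privileges(const char *list) { return parse_list(list, priv_tokens); }
int parse_namespaces(const char *list) { return parse_list(list, ns_tokens); }

/* -s implies -e: once namespaces are restricted, nothing is dropped unless
   -e itself named a narrower set. This reading of the man page's "Important"
   note is an assumption of this example. */
int effective_privileges(int ns_flags, int priv_flags) {
    return (ns_flags && !priv_flags) ? PRIV_ALL : priv_flags;
}
```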

       -R, --remount-sys-proc
              When using -s and the mount namespace is not included, this flag
              will cause lxc-attach to remount /proc and /sys to reflect the
              current other namespace contexts.

              Please see the NOTES section for more details.

              This option will be ignored if one tries to attach to the mount
              namespace anyway.

       --keep-env
              Keep the current environment for attached programs. This is the
              current default behaviour (as of version 0.9), but it is likely
              to change in the future, since this may leak undesirable
              information into the container. If you rely on the environment
              being available for the attached program, please use this option
              to be future-proof. In addition to the current environment
              variables, container=lxc will be set.

       --clear-env
              Clear the environment before attaching, so no undesired
              environment variables leak into the container. The variable
              container=lxc will be the only environment with which the
              attached program starts.

       -v, --set-var variable
              Set an additional environment variable that is seen by the
              attached program in the container. It is specified in the form
              "VAR=VALUE", and can be specified multiple times.

       --keep-var variable
              Keep a specified environment variable. It can only be specified
              in conjunction with --clear-env, and can be specified multiple
              times.

       -u, --uid uid
              Executes the command with user ID uid inside the container.

       -g, --gid gid
              Executes the command with group ID gid inside the container.

COMMON OPTIONS
       These options are common to most lxc commands.

       -?, -h, --help
              Print a longer usage message than normal.

       --usage
              Give the usage message.

       -q, --quiet
              Mute on (suppress output).

       -P, --lxcpath=PATH
              Use an alternate container path. The default is /var/lib/lxc.

       -o, --logfile=FILE
              Output to an alternate log FILE. The default is no log.

       -l, --logpriority=LEVEL
              Set log priority to LEVEL. The default log priority is ERROR.
              Possible values are: FATAL, CRIT, WARN, ERROR, NOTICE, INFO,
              DEBUG.

              Note that this option sets the priority of the events logged
              to the alternate log file. It does not affect the ERROR events
              logged on stderr.

       -n, --name=NAME
              Use container identifier NAME. The container identifier format
              is an alphanumeric string.

       --rcfile=FILE
              Specify the configuration file to configure the virtualization
              and isolation functionalities for the container.

              This configuration file, if present, will be used even if there is
              already a configuration file present in the previously created
              container (via lxc-create).

       --version
              Show the version number.

EXAMPLES
       To spawn a new shell running inside an existing container, use

              lxc-attach -n container

       To restart the cron service of a running Debian container, use

              lxc-attach -n container -- /etc/init.d/cron restart

       To deactivate the network link eth1 of a running container that does
       not have the NET_ADMIN capability, either use the -e option to run with
       increased capabilities, assuming the ip tool is installed:

              lxc-attach -n container -e -- /sbin/ip link delete eth1

       Or, alternatively, use the -s option to use the tools installed on the
       host outside the container:

              lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1

COMPATIBILITY
       Attaching completely (including the pid and mount namespaces) to a
       container requires a kernel of version 3.8 or higher, or a patched
       kernel; please see the lxc website for details. lxc-attach will fail in
       that case if used with an unpatched kernel of version 3.7 and prior.

       Nevertheless, it will succeed on an unpatched kernel of version 3.0 or
       higher if the -s option is used to restrict the namespaces that the
       process is to be attached to one or more of NETWORK, IPC and UTSNAME.

       Attaching to user namespaces is supported by kernel 3.8 or higher with
       user namespaces enabled.

NOTES
       The Linux /proc and /sys filesystems contain information about some
       quantities that are affected by namespaces, such as the directories
       named after process ids in /proc or the network interface information
       in /sys/class/net. The namespace of the process mounting the pseudo-
       filesystems determines what information is shown, not the namespace of
       the process accessing /proc or /sys.

       If one uses the -s option to only attach to the pid namespace of a
       container, but not its mount namespace (which will contain the /proc of
       the container and not the host), the contents of /proc will reflect
       that of the host and not the container. Analogously, the same issue
       occurs when reading the contents of /sys/class/net and attaching to
       just the network namespace.

       To work around this problem, the -R flag provides the option to remount
       /proc and /sys in order for them to reflect the network/pid namespace
       context of the attached process. In order not to interfere with the
       host's actual filesystem, the mount namespace will be unshared (like
       lxc-unshare does) before this is done, essentially giving the process a
       new mount namespace, which is identical to the host's mount namespace
       except for the /proc and /sys filesystems.

       Previous versions of lxc-attach suffered a bug whereby a user could
       attach to a container's namespaces without being placed in a writeable
       cgroup for some critical subsystems. Newer versions of lxc-attach will
       check whether a user is in a writeable cgroup for those critical
       subsystems. lxc-attach might thus fail unexpectedly for some users
       (e.g. on systems where an unprivileged user is not placed in a
       writeable cgroup in critical subsystems on login). However, this
       behaviour is correct and more secure.
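An added example, not lxc's own code, of the kind of check described above: it reads a cgroup v1 style /proc/self/cgroup listing and tests whether the caller's cgroup is writeable for each subsystem the caller treats as critical. The man page does not name the critical subsystems, and the v1 layout (/sys/fs/cgroup/<ctrl>/<path>) and the sample listing are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not lxc's own code. Assumes the cgroup v1 layout: lines of
   /proc/self/cgroup look like "ID:ctrl[,ctrl]:path" and each hierarchy is
   mounted at /sys/fs/cgroup/<ctrl>. Which subsystems are "critical" is left
   to the caller; the man page does not name them. */

/* Constructed sample of a /proc/self/cgroup listing, not from a real host. */
const char SAMPLE_CGROUP[] =
    "12:devices:/user.slice\n3:cpu,cpuacct:/\n0::/init.scope\n";

/* Look up the cgroup path of `subsys` in a /proc/self/cgroup-style buffer.
   Returns 1 and writes the path to `out`, or 0 if the subsystem is absent. */
int cgroup_path_for(const char *cgroup_file, const char *subsys,
                    char *out, size_t outlen) {
    const char *line = cgroup_file;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len); buf[len] = '\0';
            char *ctrls = strchr(buf, ':');                 /* first ':'  */
            char *path = ctrls ? strchr(ctrls + 1, ':') : NULL; /* second */
            if (ctrls && path) {
                *path++ = '\0';   /* terminate the controller list */
                for (char *c = strtok(ctrls + 1, ","); c; c = strtok(NULL, ","))
                    if (strcmp(c, subsys) == 0) {
                        snprintf(out, outlen, "%s", path);
                        return 1;
                    }
            }
        }
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* 1 only if every listed subsystem maps to a cgroup directory the caller can
   write. A missing subsystem or a read-only cgroup fails the check, which is
   the unexpected failure the man page warns unprivileged users about. */
int in_writable_cgroups(const char *cgroup_file,
                        const char *const *subsystems, size_t n) {
    for (size_t i = 0; i < n; i++) {
        char path[256], dir[512];
        if (!cgroup_path_for(cgroup_file, subsystems[i], path, sizeof path))
            return 0;
        snprintf(dir, sizeof dir, "/sys/fs/cgroup/%s%s", subsystems[i], path);
        if (access(dir, W_OK) != 0) return 0;
    }
    return 1;
}
```

On a live system, read /proc/self/cgroup into a buffer and pass it in place of SAMPLE_CGROUP; on a cgroup v2 host the mount layout differs and the directory check must be adapted.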

SECURITY
       The -e and -s options should be used with care, as they may break the
       isolation of the containers if used improperly.

SEE ALSO
       lxc(7), lxc-create(1), lxc-copy(1), lxc-destroy(1), lxc-start(1),
       lxc-stop(1), lxc-execute(1), lxc-console(1), lxc-monitor(1),
       lxc-wait(1), lxc-cgroup(1), lxc-ls(1), lxc-info(1), lxc-freeze(1),
       lxc-unfreeze(1), lxc-attach(1), lxc.conf(5)

AUTHOR
       Daniel Lezcano <daniel.lezcano@free.fr>

                                  2021-05-08                      lxc-attach(1)