lxc-attach(1)                                                                       lxc-attach(1)



NAME
       lxc-attach - start a process inside a running container.

SYNOPSIS
       lxc-attach {-n name} [-a arch] [-e] [-s namespaces] [-R] [--keep-env] [--clear-env] [--
                  command]

DESCRIPTION
       lxc-attach runs the specified command inside the container specified by name. The contain‐
       er has to be running already.

       If  no command is specified, the current default shell of the user running lxc-attach will
       be looked up inside the container and executed. This will fail if no such user exists  in‐
       side the container or the container does not have a working nsswitch mechanism.

OPTIONS
       -a, --arch arch
              Specify  the  architecture  which  the kernel should appear to be running as to the
              command executed. This option will accept the same settings as the lxc.arch  option
              in  container configuration files, see lxc.conf(5). By default, the current archic‐
              tecture of the running container will be used.

       -e, --elevated-privileges privileges
              Do not drop privileges when running command inside the container. If this option is
              specified,  the  new  process will not be added to the container's cgroup(s) and it
              will not drop its capabilities before executing.

              You may specify privileges, in case you do not want to elevate all of  them,  as  a
              pipe-separated  list, e.g.  CGROUP|LSM. Allowed values are CGROUP, CAP and LSM rep‐
              resenting cgroup, capabilities and restriction privileges respectively.

              Warning: This may leak privileges into the container if the command starts  subpro‐
              cesses  that  remain active after the main process that was attached is terminated.
              The (re-)starting of daemons inside the container is problematic, especially if the
              daemon starts a lot of subprocesses such as cron or sshd.  Use with great care.

       -s, --namespaces namespaces
              Specify  the  namespaces  to attach to, as a pipe-separated list, e.g. NETWORK|IPC.
              Allowed values are MOUNT, PID, UTSNAME, IPC, USER and NETWORK. This allows  one  to
              change  the  context  of the process to e.g. the network namespace of the container
              while retaining the other namespaces as those of the host.

              Important: This option implies -e.

       -R, --remount-sys-proc
              When using -s and the mount namespace is not included, this flag will cause lxc-at‐
              tach to remount /proc and /sys to reflect the current other namespace contexts.

              Please see the Notes section for more details.

              This option will be ignored if one tries to attach to the mount namespace anyway.

       --keep-env
              Keep the current environment for attached programs. This is the current default be‐
              haviour (as of version 0.9), but is is likely to change in the future,  since  this
              may leak undesirable information into the container. If you rely on the environment
              being available for the attached program, please use  this  option  to  be  future-
              proof. In addition to current environment variables, container=lxc will be set.

       --clear-env
              Clear  the environment before attaching, so no undesired environment variables leak
              into the container. The variable container=lxc will be the  only  environment  with
              which the attached program starts.

COMMON OPTIONS
       These options are common to most of lxc commands.

       -?, -h, --help
              Print a longer usage message than normal.

       --usage
              Give the usage message

       -q, --quiet
              mute on

       -P, --lxcpath=PATH
              Use an alternate container path. The default is /var/lib/lxc.

       -o, --logfile=FILE
              Output to an alternate log FILE. The default is no log.

       -l, --logpriority=LEVEL
              Set log priority to LEVEL. The default log priority is ERROR. Possible values are :
              FATAL, CRIT, WARN, ERROR, NOTICE, INFO, DEBUG.

              Note that this option is setting the priority of the events log  in  the  alternate
              log file. It do not have effect on the ERROR events log on stderr.

       -n, --name=NAME
              Use  container identifier NAME.  The container identifier format is an alphanumeric
              string.

EXAMPLES
       To spawn a new shell running inside an existing container, use

                 lxc-attach -n container


       To restart the cron service of a running Debian container, use

                 lxc-attach -n container -- /etc/init.d/cron restart


       To deactivate the network link eth1 of a running container that does not have the  NET_AD‐
       MIN  capability,  use  either the -e option to use increased capabilities, assuming the ip
       tool is installed:

                 lxc-attach -n container -e -- /sbin/ip link delete eth1


       Or, alternatively, use the -s to use the tools installed on the host outside the  contain‐
       er:

                 lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1


COMPATIBILITY
       Attaching  completely  (including  the pid and mount namespaces) to a container requires a
       kernel of version 3.8 or higher, or a patched kernel, please see the lxc website  for  de‐
       tails.  lxc-attach  will fail in that case if used with an unpatched kernel of version 3.7
       and prior.

       Nevertheless, it will succeed on an unpatched kernel of version 3.0 or higher  if  the  -s
       option  is used to restrict the namespaces that the process is to be attached to to one or
       more of NETWORK, IPC and UTSNAME.

       Attaching to user namespaces is supported by kernel  3.8  or  higher  with  enabling  user
       namespace.

NOTES
       The  Linux  /proc  and /sys filesystems contain information about some quantities that are
       affected by namespaces, such as the directories named after process ids in  /proc  or  the
       network interface information in /sys/class/net. The namespace of the process mounting the
       pseudo-filesystems determines what information is shown, not the namespace of the  process
       accessing /proc or /sys.

       If  one uses the -s option to only attach to the pid namespace of a container, but not its
       mount namespace (which will contain the /proc of the container and not the host), the con‐
       tents  of /proc will reflect that of the host and not the container. Analogously, the same
       issue occurs when reading the contents of /sys/class/net and attaching to just the network
       namespace.

       To  work around this problem, the -R flag provides the option to remount /proc and /sys in
       order for them to reflect the network/pid namespace context of the  attached  process.  In
       order  not to interfere with the host's actual filesystem, the mount namespace will be un‐
       shared (like lxc-unshare does) before this is done, esentially giving the  process  a  new
       mount  namespace,  which  is identical to the hosts's mount namespace except for the /proc
       and /sys filesystems.

SECURITY
       The -e and -s options should be used with care, as it may break the isolation of the  con‐
       tainers if used improperly.

SEE ALSO
       lxc(7), lxc-create(1), lxc-destroy(1), lxc-start(1), lxc-stop(1), lxc-execute(1), lxc-con‐
       sole(1),  lxc-monitor(1),  lxc-wait(1),  lxc-cgroup(1),   lxc-ls(1),   lxc-info(1),   lxc-
       freeze(1), lxc-unfreeze(1), lxc-attach(1), lxc.conf(5)

AUTHOR
       Daniel Lezcano <daniel.lezcano AT free.fr>



                                   Sat Apr 29 06:45:43 UTC 2017                     lxc-attach(1)