Difference between revisions of "Manual: pct.conf"

From Proxmox VE
Jump to: navigation, search
 
(One intermediate revision by the same user not shown)
Line 26: Line 26:
 
Those settings are directly passed to the LXC low-level tools.
 
Those settings are directly passed to the LXC low-level tools.
 
Options
 
Options
arch: <amd64 | i386> (default = amd64)
+
arch: <amd64 | arm64 | armhf | i386> (default = amd64)
 
OS architecture type.
 
OS architecture type.
 
cmode: <console | shell | tty> (default = tty)
 
cmode: <console | shell | tty> (default = tty)
Line 42: Line 42:
 
description: <string>
 
description: <string>
 
Container description. Only used on the configuration web interface.
 
Container description. Only used on the configuration web interface.
 +
features: [fuse=<1|0>] [,keyctl=<1|0>] [,mount=<fstype;fstype;...>] [,nesting=<1|0>]
 +
Allow containers access to advanced features.
 +
fuse=<boolean> (default = 0)
 +
Allow using fuse file systems in a container. Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.
 +
keyctl=<boolean> (default = 0)
 +
For unprivileged containers only: Allow the use of the keyctl() system call. This is required to use docker inside a container. By default unprivileged containers will see this system call as non-existent. This is mostly a workaround for systemd-networkd, as it will treat it as a fatal error when some keyctl() operations are denied by the kernel due to lacking permissions. Essentially, you can choose between running systemd-networkd or docker.
 +
mount=<fstype;fstype;...>
 +
Allow mounting file systems of specific types. This should be a list of file system types as used with the mount command. Note that this can have negative effects on the container’s security. With access to a loop device, mounting a file can circumvent the mknod permission of the devices cgroup, mounting an NFS file system can block the host’s I/O completely and prevent it from rebooting, etc.
 +
nesting=<boolean> (default = 0)
 +
Allow nesting. Best used with unprivileged containers with additional id mapping. Note that this will expose procfs and sysfs contents of the host to the guest.
 +
hookscript: <string>
 +
Script that will be exectued during various steps in the containers lifetime.
 
hostname: <string>
 
hostname: <string>
 
Set a host name for the container.
 
Set a host name for the container.
lock: <backup | migrate | rollback | snapshot>
+
lock: <backup | create | disk | fstrim | migrate | mounted | rollback | snapshot | snapshot-delete>
 
Lock/unlock the VM.
 
Lock/unlock the VM.
 
memory: <integer> (16 - N) (default = 512)
 
memory: <integer> (16 - N) (default = 512)
 
Amount of RAM for the VM in MB.
 
Amount of RAM for the VM in MB.
mp[n]: [volume=]<volume> ,mp=<Path> [,acl=<1|0>] [,backup=<1|0>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]
+
mp[n]: [volume=]<volume> ,mp=<Path> [,acl=<1|0>] [,backup=<1|0>] [,mountoptions=<opt[;opt...]>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]
 
Use volume as container mount point.
 
Use volume as container mount point.
 
acl=<boolean>
 
acl=<boolean>
Line 54: Line 66:
 
backup=<boolean>
 
backup=<boolean>
 
Whether to include the mount point in backups (only used for volume mount points).
 
Whether to include the mount point in backups (only used for volume mount points).
 +
mountoptions=<opt[;opt...]>
 +
Extra mount options for rootfs/mps.
 
mp=<Path>
 
mp=<Path>
 
Path to the mount point as seen from inside the container.
 
Path to the mount point as seen from inside the container.
Line 83: Line 97:
 
Default gateway for IPv6 traffic.
 
Default gateway for IPv6 traffic.
 
hwaddr=<XX:XX:XX:XX:XX:XX>
 
hwaddr=<XX:XX:XX:XX:XX:XX>
The interface MAC address. This is dynamically allocated by default, but you can set that statically if needed, for example to always have the same link-local IPv6 address. (lxc.network.hwaddr)
+
A common MAC address with the I/G (Individual/Group) bit not set.
 
ip=<(IPv4/CIDR|dhcp|manual)>
 
ip=<(IPv4/CIDR|dhcp|manual)>
 
IPv4 address in CIDR format.
 
IPv4 address in CIDR format.
Line 106: Line 120:
 
protection: <boolean> (default = 0)
 
protection: <boolean> (default = 0)
 
Sets the protection flag of the container. This will prevent the CT or CT’s disk remove/update operation.
 
Sets the protection flag of the container. This will prevent the CT or CT’s disk remove/update operation.
rootfs: [volume=]<volume> [,acl=<1|0>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]
+
rootfs: [volume=]<volume> [,acl=<1|0>] [,mountoptions=<opt[;opt...]>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]
 
Use volume as container root.
 
Use volume as container root.
 
acl=<boolean>
 
acl=<boolean>
 
Explicitly enable or disable ACL support.
 
Explicitly enable or disable ACL support.
 +
mountoptions=<opt[;opt...]>
 +
Extra mount options for rootfs/mps.
 
quota=<boolean>
 
quota=<boolean>
 
Enable user quotas inside the container (not supported with zfs subvolumes)
 
Enable user quotas inside the container (not supported with zfs subvolumes)
Line 138: Line 154:
 
Reference to unused volumes. This is used internally, and should not be modified manually.
 
Reference to unused volumes. This is used internally, and should not be modified manually.
 
Copyright and Disclaimer
 
Copyright and Disclaimer
Copyright © 2007-2017 Proxmox Server Solutions GmbH
+
Copyright © 2007-2019 Proxmox Server Solutions GmbH
 
This program is free software: you can redistribute it and/or modify
 
This program is free software: you can redistribute it and/or modify
 
it under the terms of the GNU Affero General Public License as
 
it under the terms of the GNU Affero General Public License as

Latest revision as of 11:23, 16 July 2019

NAME

pct.conf - Proxmox VE Container Configuration

SYNOPSIS

/etc/pve/lxc/<CTID>.conf

DESCRIPTION

The /etc/pve/lxc/<CTID>.conf files stores container configuration, where CTID is the numeric ID of the given container.

Note IDs ⇐ 100 are reserved for internal purposes.

File Format

The file uses a simple colon separated key/value format. Each line has the following format:

OPTION: value

Blank lines in the file are ignored, and lines starting with a # character are treated as comments and are also ignored.

One can use the pct command to generate and modify those files.

It is also possible to add low-level LXC-style configuration directly, for example:

lxc.init_cmd: /sbin/my_own_init

or

lxc.init_cmd = /sbin/my_own_init

Those settings are directly passed to the LXC low-level tools.

Options

arch: <amd64 | arm64 | armhf | i386> (default = amd64)

OS architecture type.

cmode: <console | shell | tty> (default = tty)

Console mode. By default, the console command tries to open a connection to one of the available tty devices. By setting cmode to console it tries to attach to /dev/console instead. If you set cmode to shell, it simply invokes a shell inside the container (no login).

console: <boolean> (default = 1)

Attach a console device (/dev/console) to the container.

cores: <integer> (1 - 128)

The number of cores assigned to the container. A container can use all available cores by default.

cpulimit: <number> (0 - 128) (default = 0)

Limit of CPU usage.

Note If the computer has 2 CPUs, it has a total of 2 CPU time. Value 0 indicates no CPU limit.
cpuunits: <integer> (0 - 500000) (default = 1024)

CPU weight for a VM. Argument is used in the kernel fair scheduler. The larger the number is, the more CPU time this VM gets. Number is relative to the weights of all the other running VMs.

Note You can disable fair-scheduler configuration by setting this to 0.
description: <string>

Container description. Only used on the configuration web interface.

features: [fuse=<1|0>] [,keyctl=<1|0>] [,mount=<fstype;fstype;...>] [,nesting=<1|0>]

Allow containers access to advanced features.

fuse=<boolean> (default = 0)

Allow using fuse file systems in a container. Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.

keyctl=<boolean> (default = 0)

For unprivileged containers only: Allow the use of the keyctl() system call. This is required to use docker inside a container. By default unprivileged containers will see this system call as non-existent. This is mostly a workaround for systemd-networkd, as it will treat it as a fatal error when some keyctl() operations are denied by the kernel due to lacking permissions. Essentially, you can choose between running systemd-networkd or docker.

mount=<fstype;fstype;...>

Allow mounting file systems of specific types. This should be a list of file system types as used with the mount command. Note that this can have negative effects on the container’s security. With access to a loop device, mounting a file can circumvent the mknod permission of the devices cgroup, mounting an NFS file system can block the host’s I/O completely and prevent it from rebooting, etc.

nesting=<boolean> (default = 0)

Allow nesting. Best used with unprivileged containers with additional id mapping. Note that this will expose procfs and sysfs contents of the host to the guest.

hookscript: <string>

Script that will be exectued during various steps in the containers lifetime.

hostname: <string>

Set a host name for the container.

lock: <backup | create | disk | fstrim | migrate | mounted | rollback | snapshot | snapshot-delete>

Lock/unlock the VM.

memory: <integer> (16 - N) (default = 512)

Amount of RAM for the VM in MB.

mp[n]: [volume=]<volume> ,mp=<Path> [,acl=<1|0>] [,backup=<1|0>] [,mountoptions=<opt[;opt...]>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]

Use volume as container mount point.

acl=<boolean>

Explicitly enable or disable ACL support.

backup=<boolean>

Whether to include the mount point in backups (only used for volume mount points).

mountoptions=<opt[;opt...]>

Extra mount options for rootfs/mps.

mp=<Path>

Path to the mount point as seen from inside the container.

Note Must not contain any symlinks for security reasons.
quota=<boolean>

Enable user quotas inside the container (not supported with zfs subvolumes)

replicate=<boolean> (default = 1)

Will include this volume to a storage replica job.

ro=<boolean>

Read-only mount point

shared=<boolean> (default = 0)

Mark this non-volume mount point as available on all nodes.

Warning This option does not share the mount point automatically, it assumes it is shared already!
size=<DiskSize>

Volume size (read only value).

volume=<volume>

Volume, device or directory to mount into the container.

nameserver: <string>

Sets DNS server IP address for a container. Create will automatically use the setting from the host if you neither set searchdomain nor nameserver.

net[n]: name=<string> [,bridge=<bridge>] [,firewall=<1|0>] [,gw=<GatewayIPv4>] [,gw6=<GatewayIPv6>] [,hwaddr=<XX:XX:XX:XX:XX:XX>] [,ip=<(IPv4/CIDR|dhcp|manual)>] [,ip6=<(IPv6/CIDR|auto|dhcp|manual)>] [,mtu=<integer>] [,rate=<mbps>] [,tag=<integer>] [,trunks=<vlanid[;vlanid...]>] [,type=<veth>]

Specifies network interfaces for the container.

bridge=<bridge>

Bridge to attach the network device to.

firewall=<boolean>

Controls whether this interface’s firewall rules should be used.

gw=<GatewayIPv4>

Default gateway for IPv4 traffic.

gw6=<GatewayIPv6>

Default gateway for IPv6 traffic.

hwaddr=<XX:XX:XX:XX:XX:XX>

A common MAC address with the I/G (Individual/Group) bit not set.

ip=<(IPv4/CIDR|dhcp|manual)>

IPv4 address in CIDR format.

ip6=<(IPv6/CIDR|auto|dhcp|manual)>

IPv6 address in CIDR format.

mtu=<integer> (64 - N)

Maximum transfer unit of the interface. (lxc.network.mtu)

name=<string>

Name of the network device as seen from inside the container. (lxc.network.name)

rate=<mbps>

Apply rate limiting to the interface

tag=<integer> (1 - 4094)

VLAN tag for this interface.

trunks=<vlanid[;vlanid...]>

VLAN ids to pass through the interface

type=<veth>

Network interface type.

onboot: <boolean> (default = 0)

Specifies whether a VM will be started during system bootup.

ostype: <alpine | archlinux | centos | debian | fedora | gentoo | opensuse | ubuntu | unmanaged>

OS type. This is used to setup configuration inside the container, and corresponds to lxc setup scripts in /usr/share/lxc/config/<ostype>.common.conf. Value unmanaged can be used to skip and OS specific setup.

protection: <boolean> (default = 0)

Sets the protection flag of the container. This will prevent the CT or CT’s disk remove/update operation.

rootfs: [volume=]<volume> [,acl=<1|0>] [,mountoptions=<opt[;opt...]>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>]

Use volume as container root.

acl=<boolean>

Explicitly enable or disable ACL support.

mountoptions=<opt[;opt...]>

Extra mount options for rootfs/mps.

quota=<boolean>

Enable user quotas inside the container (not supported with zfs subvolumes)

replicate=<boolean> (default = 1)

Will include this volume to a storage replica job.

ro=<boolean>

Read-only mount point

shared=<boolean> (default = 0)

Mark this non-volume mount point as available on all nodes.

Warning This option does not share the mount point automatically, it assumes it is shared already!
size=<DiskSize>

Volume size (read only value).

volume=<volume>

Volume, device or directory to mount into the container.

searchdomain: <string>

Sets DNS search domains for a container. Create will automatically use the setting from the host if you neither set searchdomain nor nameserver.

startup: `[[order=]\d+] [,up=\d+] [,down=\d+] `

Startup and shutdown behavior. Order is a non-negative number defining the general startup order. Shutdown in done with reverse ordering. Additionally you can set the up or down delay in seconds, which specifies a delay to wait before the next VM is started or stopped.

swap: <integer> (0 - N) (default = 512)

Amount of SWAP for the VM in MB.

template: <boolean> (default = 0)

Enable/disable Template.

tty: <integer> (0 - 6) (default = 2)

Specify the number of tty available to the container

unprivileged: <boolean> (default = 0)

Makes the container run as unprivileged user. (Should not be modified manually.)

unused[n]: <string>

Reference to unused volumes. This is used internally, and should not be modified manually.

Copyright © 2007-2019 Proxmox Server Solutions GmbH

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License along with this program. If not, see http://www.gnu.org/licenses/