Specifies network class identifier which will be tagged by container's network packets.
**--linux-network-priorities**=[]
Specifies network priorities of network traffic, format is NAME:PRIORITY.
e.g. --linux-network-priorities=eth0:123
This option can be specified multiple times. If a interface name was specified more than once, the last PRIORITY makes sense.
The special *PRIORITY* -1 removes existing setting for interface NAME.
**--linux-pids-limit**=PIDSLIMIT
Set maximum number of PIDs.
**--linux-realtime-period**=REALTIMEPERIOD
Sets the CPU period to be used for realtime scheduling (in usecs). Same as **--linux-cpu-period** but applies to realtime scheduler only.
**--linux-realtime-runtime**=REALTIMERUNTIME
Specifies a period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
**--masked-paths**=[]
Specifies paths can not be read inside container. e.g. --masked-paths=/proc/kcore
This option can be specified multiple times.
**--mount-cgroups**=[rw|ro|no]
Mount cgroups. The default is *no*.
**--mount-label**=MOUNTLABEL
Mount Label
Depending on your SELinux policy, you would specify a label that looks like
this:
"system_u:object_r:svirt_sandbox_file_t:s0:c1,c2"
Note you would want your ROOTFS directory to be labeled with a context that
this process type can use.
"system_u:object_r:usr_t:s0" might be a good label for a readonly container,
"system_u:system_r:svirt_sandbox_file_t:s0:c1,c2" for a read/write container.
**--no-new-privileges**=true|false
Set no new privileges bit for the container process. Setting this flag
will block the container processes from gaining any additional privileges
using tools like setuid apps. It is a good idea to run unprivileged
containers with this flag.
**--oom-score-adj**=adj
Specifies oom_score_adj for the container.
**--os**=OS
Operating system used within the container.
**--output**=PATH
Instead of writing the configuration JSON to stdout, write it to a
file at *PATH* (overwriting the existing content if a file already
exists at *PATH*).
**--poststart**=CMD[:ARGS...]
Set command to run in poststart hooks. Can be specified multiple times.
The multiple commands will be run in order before the container process
gets launched but after the container environment and main process has been
created.
**--poststop**=CMD[:ARGS...]
Set command to run in poststop hooks. Can be specified multiple times.
The multiple commands will be run in order after the container process
is stopped.
**--prestart**=CMD[:ARGS...]
Set command to run in prestart hooks. Can be specified multiple times.
The multiple commands will be run in order after the container process
has been created but before it executes the user-configured code.
**--privileged**=true|false
Give extended privileges to this container. The default is *false*.
By default, OCI containers are
“unprivileged” (=false) and cannot do some of the things a normal root process can do.
When the operator executes **oci-runtime-tool generate --privileged**, OCI will enable access to all devices on the host as well as disable some of the confinement mechanisms like AppArmor, SELinux, and seccomp from blocking access to privileged processes. This gives the container processes nearly all the same access to the host as processes generating outside of a container on the host.
**--readonly-paths**=[]
Specifies paths readonly inside container. e.g. --readonly-paths=/proc/sys
This option can be specified multiple times.
**--rootfs-path**=ROOTFSPATH
Path to the rootfs, which can be an absolute path or relative to bundle path.
e.g the absolute path of rootfs is /to/bundle/rootfs, bundle path is /to/bundle,
then the value set as ROOTFSPATH should be `/to/bundle/rootfs` or `rootfs`. The default is *rootfs*.
**--rootfs-propagation**=PROPOGATIONMODE
Mount propagation for root filesystem.
Values are "shared, rshared, private, rprivate, slave, rslave"
**--rootfs-readonly**=true|false
Mount the container's root filesystem as read only.
By default a container will have its root filesystem writable allowing processes to write files anywhere. By specifying the `--rootfs-readonly` flag the container will have its root filesystem mounted as read only prohibiting any writes.
**--rlimits-add**=[]
Specifies resource limits, format is RLIMIT:HARD:SOFT. e.g. --rlimits-add=RLIMIT_NOFILE:1024:1024
This option can be specified multiple times. When same RLIMIT specified over once, the last one make sense.
**--rlimits-remove**=[]
Remove the specified resource limits for process inside the container.
This option can be specified multiple times.
**--rlimits-remove-all**=true|false
Remove all resource limits for process inside the container. The default is *false*.
**--seccomp-allow**=SYSCALL
Specifies syscalls to be added to the ALLOW list.
See --seccomp-syscalls for setting limits on arguments.
**--seccomp-arch**=ARCH
Specifies Additional architectures permitted to be used for system calls.
By default if you turn on seccomp, only the host architecture will be allowed.
**--seccomp-default**=ACTION
Specifies the the default action of Seccomp syscall restrictions and removes existing restrictions with the specified action
Values: KILL,ERRNO,TRACE,ALLOW
**--seccomp-default-force**=ACTION
Specifies the the default action of Seccomp syscall restrictions
Values: KILL,ERRNO,TRACE,ALLOW
**--seccomp-errno**=SYSCALL
Specifies syscalls to create seccomp rule to respond with ERRNO.
**--seccomp-kill**=SYSCALL
Specifies syscalls to create seccomp rule to respond with KILL.
**--seccomp-only**
Option to only export the seccomp section of output
**--seccomp-remove**
Specifies syscall restrictions to remove from the configuration.
**--seccomp-remove-all**
Option to remove all syscall restrictions.
**--seccomp-trace**=SYSCALL
Specifies syscalls to create seccomp rule to respond with TRACE.
**--seccomp-trap**=SYSCALL
Specifies syscalls to create seccomp rule to respond with TRAP.
**--selinux-label**=PROCESSLABEL
SELinux Label
Depending on your SELinux policy, you would specify a label that looks like
this:
"system_u:system_r:svirt_lxc_net_t:s0:c1,c2"
Note you would want your ROOTFS directory to be labeled with a context that
this process type can use.
"system_u:object_r:usr_t:s0" might be a good label for a readonly container,
"system_u:object_r:svirt_sandbox_file_t:s0:c1,c2" for a read/write container.
**--sysctl**=SYSCTLSETTING
Add sysctl settings e.g net.ipv4.forward=1, only allowed if the syctl is
namespaced.
**--template**=PATH
Override the default template with your own.
Additional options will only adjust the relevant portions of your template.
**--tmpfs**=[] Create a tmpfs mount
Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
This command mounts a `tmpfs` at `/tmp` within the container. The supported mount options are the same as the Linux default `mount` flags. If you do not specify any options, the systems uses the following options:
`rw,noexec,nosuid,nodev,size=65536k`.
**--tty**=true|false
Allocate a new tty for the container process. The default is *false*.
You can use SELinux to add security to the container. You must specify the process label to run the init process inside of the container using the --selinux-label.
Not in the above example we used a type of svirt_lxc_net_t and an MCS Label of s0:c1,c2. If you want to guarantee separation between containers, you need to make sure that each container gets launched with a different MCS Label pair.
Also the underlying rootfs must be labeled with a matching label. For the example above, you would execute a command like:
This will set up the labeling of the rootfs so that the process launched would be able to write to the container. If you wanted to only allow it to read/execute the content in rootfs, you could execute:
When using SELinux, be aware that the host has no knowledge of container SELinux
policy. Therefore, in the above example, if SELinux policy is enforced, the
`/var/db` directory is not writable to the container. A "Permission Denied"
message will occur and an avc: message in the host's syslog.
To work around this, the following command needs to be generate in order for the proper SELinux policy type label to be attached to the host directory:
