=head1 NAME

virt-sandbox-service clone - clone an existing secure sandbox container

=head1 SYNOPSIS

Clone a secure sandbox container

  virt-sandbox-service [-c URI] clone [-h] [-p PATH] [-s SECURITY-OPTS] SOURCE DEST

=head1 DESCRIPTION

virt-sandbox-service is used to manage secure sandboxed system services.
These applications will be launched via libvirt and run within a virtualization
technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The
container / virtual machines will be secured by SELinux and resource
separated using cgroups.

The clone command will clone the SOURCE security sandbox container into the DEST security sandbox container.

=head1 OPTIONS

=over 4

=item B<-h>, B<--help>

Display help message

=item B<-c> URI, B<--connect URI>

The connection URI for the hypervisor (currently only LXC URIs are
supported).

=item B<-p PATH>, B<--path PATH>

Set path to copy container content from/to. This argument must match the value of
the C<-p> arg given when creating the original source container.

Default: C</var/lib/libvirt/filesystems>.

=item B<-s SECURITY-OPTIONS>, B<--security=SECURITY-OPTIONS>

Use alternative security options. SECURITY-OPTIONS is a set of key=val pairs,
separated by commas. The following options are valid for SELinux:

=over 4

=item dynamic

Dynamically allocate an SELinux label, using the default base context.
The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC,
system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0
for QEMU.

=item dynamic,label=USER:ROLE:TYPE:LEVEL

Dynamically allocate an SELinux label, using the base context
USER:ROLE:TYPE:LEVEL, instead of the default base context.

=item static,label=USER:ROLE:TYPE:LEVEL

Set a completely static label. For example,
C<static,label=system_u:system_r:svirt_t:s0:c412,c355>.

=back

=back

=head1 EXAMPLE

Clone the httpd1 container into httpd2, assigning httpd2 a static SELinux label

 # virt-sandbox-service clone -s static,label=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 httpd1 httpd2
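
The following is an added example, not code from virt-sandbox-service: a pre-flight check for the SECURITY-OPTIONS string passed to C<-s>, covering the three forms listed under OPTIONS. The function name and the simplified LEVEL grammar are assumptions; the point is that LEVEL may itself contain both ":" and ",", so the string cannot be split naively on either.

```python
import re

# Assumed, simplified grammar for an MLS/MCS level:
#   s<N>[-s<N>][:c<N>[,c<N> | .c<N>]...]
LEVEL_RE = re.compile(r"^s\d+(-s\d+)?(:c\d+([.,]c\d+)*)?$")
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")


def parse_security_opts(opts):
    """Parse 'dynamic', 'dynamic,label=CTX' or 'static,label=CTX'.

    Returns {'mode': ..., 'label': None or a dict with user/role/type/level}.
    Raises ValueError for any other input.
    """
    # Split on the first comma only: the LEVEL part of the label may
    # contain commas of its own (e.g. s0:c412,c355).
    mode, sep, rest = opts.partition(",")
    if mode not in ("dynamic", "static"):
        raise ValueError("mode must be 'dynamic' or 'static': %r" % mode)
    if not sep:
        if mode == "static":
            raise ValueError("static requires label=USER:ROLE:TYPE:LEVEL")
        return {"mode": mode, "label": None}
    key, eq, ctx = rest.partition("=")
    if key != "label" or not eq:
        raise ValueError("expected label=USER:ROLE:TYPE:LEVEL, got %r" % rest)
    # LEVEL may contain ':' (sensitivity:categories), so split at most 3 times.
    fields = ctx.split(":", 3)
    if len(fields) != 4:
        raise ValueError("label needs USER:ROLE:TYPE:LEVEL: %r" % ctx)
    user, role, type_, level = fields
    for name in (user, role, type_):
        if not NAME_RE.match(name):
            raise ValueError("bad context component: %r" % name)
    if not LEVEL_RE.match(level):
        raise ValueError("bad level: %r" % level)
    return {"mode": mode,
            "label": {"user": user, "role": role,
                      "type": type_, "level": level}}


if __name__ == "__main__":
    # Inputs taken from the OPTIONS and EXAMPLE sections of this page.
    for s in ("dynamic",
              "static,label=system_u:system_r:svirt_t:s0:c412,c355",
              "static,label=system_u:system_r:svirt_lxc_net_t:s0:c1,c2"):
        print(s, "->", parse_security_opts(s))
```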

=head1 SEE ALSO

C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox-service(1)>

=head1 FILES

Container content will be stored in subdirectories of
/var/lib/libvirt/filesystems, by default.  You can manage the
content in these directories outside of the container and
processes within the container will see the content.

=head1 AUTHORS

Daniel Walsh <dwalsh@redhat.com>
Daniel P. Berrange <dan@berrange.com>

=head1 COPYRIGHT

Copyright (C) 2011-2013 Red Hat, Inc.

=head1 LICENSE

virt-sandbox is distributed under the terms of the GNU LGPL v2+.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE