The following options can be used to reconfigure the
already-created virtual ethernet interface. To select the interface to
configure, use --ifname name option.
- --mac XX:XX:XX:XX:XX:XX
- MAC address of interface inside a container.
- --host_ifname name
- interface name for virtual interface in the host system.
- --host_mac XX:XX:XX:XX:XX:XX
- MAC address of interface in the host system.
- --bridge name
- Bridge name. Custom network start scripts can use this value to
automatically add the interface to a bridge.
- --mac_filter on|off
- Enables/disables MAC address filtering for the Container veth device and
the possibility of configuring the MAC address of this device from inside
the Container. If the filtering is turned on:
• the veth device accepts only those packets that have a MAC address
in their headers corresponding to that of this device (excluding all
broadcast and multicast packets);
• it is impossible to modify the veth MAC address from inside the
Container.
By default, this functionality is enabled for all veth devices
existing inside the Container.
- Resource limits
-
The following options sets barrier and limit for various user
beancounters. Each option requires one or two arguments. In case of one
argument, vzctl sets barrier and limit to the same value. In case
of two colon-separated arguments, the first is a barrier, and the second
is a limit. Each argument is either a number, a number with a suffix, or
a special value unlimited.
Arguments are in items, pages or bytes. Note that page size is
architecture-specific, it is 4096 bytes on IA32 platform.
You can also specify different suffixes for set
parameters (except for the parameters which names start with
num). For example, vzctl set CTID --privvmpages
5M:6M should set privvmpages' barrier to 5 megabytes and its
limit to 6 megabytes.
Available suffixes are:
g, G -- gigabytes.
m, M -- megabytes.
k, K -- kilobytes.
p, P -- pages (page is 4096 bytes on x86 architecture, other
architectures may differ).
You can also specify the literal word unlimited in
place of a number. In that case the corresponding value will be set to
LONG_MAX, i. e. the maximum possible value.
- --numproc items[:items]
- Maximum number of processes and kernel-level threads. Setting the barrier
and the limit to different values does not make practical sense.
- --numtcpsock items[:items]
- Maximum number of TCP sockets. This parameter limits the number of TCP
connections and, thus, the number of clients the server application can
handle in parallel. Setting the barrier and the limit to different values
does not make practical sense.
- --numothersock items[:items]
- Maximum number of non-TCP sockets (local sockets, UDP and other types of
sockets). Setting the barrier and the limit to different values does not
make practical sense.
- --vmguarpages pages[:pages]
- Memory allocation guarantee. This parameter controls how much memory is
available to a container. The barrier is the amount of memory that
container's applications are guaranteed to be able to allocate. The
meaning of the limit is currently unspecified; it should be set to
unlimited.
- --kmemsize bytes[:bytes]
- Maximum amount of kernel memory used. This parameter is related to
--numproc. Each process consumes certain amount of kernel memory -
16 KB at least, 30-50 KB typically. Very large processes may consume a bit
more. It is important to have a certain safety gap between the barrier and
the limit of this parameter: equal barrier and limit may lead to the
situation where the kernel will need to kill container's applications to
keep the kmemsize usage under the limit.
- --tcpsndbuf bytes[:bytes]
- Maximum size of TCP send buffers. Barrier should be not less than 64 KB,
and difference between barrier and limit should be equal to or more than
value of numtcpsock multiplied by 2.5 KB.
- --tcprcvbuf bytes[:bytes]
- Maximum size of TCP receive buffers. Barrier should be not less than 64
KB, and difference between barrier and limit should be equal to or more
than value of numtcpsock multiplied by 2.5 KB.
- --othersockbuf bytes[:bytes]
- Maximum size of other (non-TCP) socket send buffers. If container's
processes needs to send very large datagrams, the barrier should be set
accordingly. Increased limit is necessary for high performance of
communications through local (UNIX-domain) sockets.
- --dgramrcvbuf bytes[:bytes]
- Maximum size of other (non-TCP) socket receive buffers. If container's
processes needs to receive very large datagrams, the barrier should be set
accordingly. The difference between the barrier and the limit is not
needed.
- --oomguarpages pages[:pages]
- Guarantees against OOM kill. Under this beancounter the kernel accounts
the total amount of memory and swap space used by the container's
processes. The barrier of this parameter is the out-of-memory guarantee.
If the oomguarpages usage is below the barrier, processes of this
container are guaranteed not to be killed in out-of-memory situations. The
meaning of limit is currently unspecified; it should be set to
unlimited.
- --lockedpages pages[:pages]
- Maximum number of pages acquired by mlock(2).
- --privvmpages pages[:pages]
- Allows controlling the amount of memory allocated by the applications. For
shared (mapped as MAP_SHARED) pages, each container really using a
memory page is charged for the fraction of the page (depending on the
number of others using it). For "potentially private" pages
(mapped as MAP_PRIVATE), container is charged either for a fraction
of the size or for the full size if the allocated address space. In the
latter case, the physical pages associated with the allocated address
space may be in memory, in swap or not physically allocated yet.
The barrier and the limit of this parameter control the upper
boundary of the total size of allocated memory. Note that this upper
boundary does not guarantee that container will be able to allocate that
much memory. The primary mechanism to control memory allocation is the
--vmguarpages guarantee.
- --shmpages pages[:pages]
- Maximum IPC SHM segment size. Setting the barrier and the limit to
different values does not make practical sense.
- --numfile items[:items]
- Maximum number of open files. In most cases the barrier and the limit
should be set to the same value. Setting the barrier to 0
effectively disables pre-charging optimization for this beancounter in the
kernel, which leads to the held value being precise but could slightly
degrade file open performance.
- --numflock items[:items]
- Maximum number of file locks. Safety gap should be between barrier and
limit.
- --numpty items[:items]
- Number of pseudo-terminals (PTY). Note that in OpenVZ each container can
have not more than 255 PTYs. Setting the barrier and the limit to
different values does not make practical sense.
- --numsiginfo items[:items]
- Number of siginfo structures. Setting the barrier and the limit to
different values does not make practical sense.
- --dcachesize bytes[:bytes]
- Maximum size of filesystem-related caches, such as directory entry and
inode caches. Exists as a separate parameter to impose a limit causing
file operations to sense memory shortage and return an errno to
applications, protecting from memory shortages during critical operations
that should not fail. Safety gap should be between barrier and limit.
- --numiptent num[:num]
- Number of iptables (netfilter) entries. Setting the barrier and the limit
to different values does not make practical sense.
- --physpages pages[:pages]
- This is currently an accounting-only parameter. It shows the usage of RAM
by this container. Barrier should be set to 0, and limit should be set to
unlimited.
- --swappages pages[:pages]
- The limit, if set, is used to show a total amount of swap space available
inside the container. The barrier of this parameter is currently ignored.
The default value is unlimited, meaning total swap will be reported
as 0.
Note that in order for the value to be shown as total swap
space, --meminfo parameter should be set to value other than
none.
- CPU fair scheduler parameters
-
These parameters control CPU usage by container.
- --cpuunits num
- CPU weight for a container. Argument is positive non-zero number, passed
to and used in the kernel fair scheduler. The larger the number is, the
more CPU time this container gets. Maximum value is 500000, minimal is 8.
Number is relative to weights of all the other running containers. If
cpuunits are not specified, default value of 1000 is used.
You can set CPU weight for CT0 (host system itself) as well
(use vzctl set 0 --cpuunits num). Usually, OpenVZ
initscript (/etc/init.d/vz) takes care of setting this.
- --cpulimit num[%]
- Limit of CPU usage for the container, in per cent. Note if the computer
has 2 CPUs, it has total of 200% CPU time. Default CPU limit is 0
(no CPU limit).
- --cpus num
- sets number of CPUs available in the container.
- Memory output parameters
-
This parameter control output of /proc/meminfo inside a
container.
- --meminfo none
- No /proc/meminfo virtualization (the same as on host system).
- --meminfo mode:value
- Configure total memory output in a container. Reported free memory is
evaluated accordingly to the mode being set. Reported swap is evaluated
according to the settings of --swappages parameter.
You can use the following modes for mode:
• pages:value - sets total memory in pages;
• privvmpages:value - sets total memory as
privvmpages * value.
Default is privvmpages:1.
- Iptables control parameters
- --iptables name
- Allow to use the functionality of name iptables module inside the
container. To specify multiple names, repeat --iptables for each,
or use space-separated list as an argument (enclosed in single or double
quotes to protect spaces).
The default list of enabled iptables modules is specified by
the IPTABLES variable in vz.conf(5).
You can use the following values for name:
iptable_filter, iptable_mangle, ipt_limit,
ipt_multiport, ipt_tos, ipt_TOS, ipt_REJECT,
ipt_TCPMSS, ipt_tcpmss, ipt_ttl, ipt_LOG,
ipt_length, ip_conntrack, ip_conntrack_ftp,
ip_conntrack_irc, ipt_conntrack, ipt_state,
ipt_helper, iptable_nat, ip_nat_ftp,
ip_nat_irc, ipt_REDIRECT, xt_mac,
ipt_owner.
- Network devices control parameters
- --netdev_add name
- move network device from the host system to a specified container
- --netdev_del name
- delete network device from a specified container
- Disk quota parameters
- --diskspace num[:num]
- sets soft and hard disk quotas, in blocks. First parameter is soft quota,
second is hard quota. One block is currently equal to 1Kb. Also suffixes
G, M, K can be specified (see Resource limits
section for more info).
- --diskinodes num[:num]
- sets soft and hard disk quotas, in i-nodes. First parameter is soft quota,
second is hard quota.
- --quotatime seconds
- sets soft overusage time limit for disk quota (also known as grace
period).
- --quotaugidlimit num
- sets maximum number of user/group IDs in a container for which disk quota
inside the container will be accounted. If this value is set to 0,
user and group quotas inside the container will not be accounted.
Note that if you have previously set value of this parameter
to 0, changing it while the container is running will not take
effect.
- Mount option
- --noatime yes | no
- Sets noatime flag (do not update inode access times) on file system.
- Capability option
- --capability capname:on|off
- Sets a capability for a container. Note that setting capability when the
container is running does not take immediate effect; restart the container
in order for the changes to take effect. Note a container has default set
of capabilities, thus any operation on capabilities is "logical
and" with the default capability mask.
You can use the following values for capname:
chown, dac_override, dac_read_search,
fowner, fsetid, kill, setgid, setuid,
setpcap, linux_immutable, net_bind_service,
net_broadcast, net_admin, net_raw, ipc_lock,
ipc_owner, sys_module, sys_rawio,
sys_chroot, sys_ptrace, sys_pacct,
sys_admin, sys_boot, sys_nice, sys_resource,
sys_time, sys_tty_config, mknod, lease,
setveid, ve_admin. For detailed description, see
capabilities(7).
WARNING: setting some of those capabilities may have
far reaching security implications, so do not do it unless you know what
you are doing. Also note that setting setpcap:on for a container
will most probably lead to inability to start it.
- Device access management
- --devnodes device:[r][w][q]|none
- Give the container an access (r - read, w - write, q
- disk quota management, none - no access) to a device designated
by the special file /dev/device. Device file is created in a
container by vzctl. Example: vzctl set 777 --devnodes
sdb:rwq.
- --devices
b|c:major:minor|all:[r][w][q]|none
- Give the container an access to a block or character device
designated by its major and minor numbers. Device file have
to be created manually.
- Features management
- --features name:on|off
- Enable or disable a specific container feature. Known features are:
sysfs, nfs, sit, ipip, ppp.
- Apply config
- --applyconfig name
- Read container parameters from the container sample configuration file
/etc/vz/conf/ve-name.conf-sample,
and apply them, if --save option specified save to the container
config file. The following parameters are not changed: HOSTNAME,
IP_ADDRESS, OSTEMPLATE, VE_ROOT, and
VE_PRIVATE.
- --applyconfig_map group
- Apply container config parameters selected by group. Now only name
argument is supported, to restore container name based on NAME
variable in container configuration file.
- I/O priority management
- --ioprio priority
- Assigns I/O priority to container. Priority range is 0-7.
The greater priority is, the more time for I/O activity container
has. By default each container has priority of 4.