=head1 NAME
virt-sandbox-service clone - clone an existing secure sandbox container
=head1 SYNOPSIS
Clone a security sandbox container
virt-sandbox-service [-c URI] clone [-h] [-p PATH] [-s SECURITY-OPTS] SOURCE DEST
=head1 DESCRIPTION
virt-sandbox-service is used to manage secure sandboxed system services.
These applications will be launched via libvirt and run within a virtualization
technology such as Linux Containers (LXC), or optionally QEMU/KVM. The
container / virtual machines will be secured by SELinux and resource
separated using cgroups.
The clone command will clone the SOURCE security sandbox container into the DEST security sandbox container.
=head1 OPTIONS
=over 4
=item B<-h>, B<--help>
Display help message
=item B<-c> URI, B<--connect URI>
The connection URI for the hypervisor (currently only LXC URIs are
supported).
=item B<-p PATH>, B<--path PATH>
Set path to copy container content from/to. This argument must match the value of
the C<-p> arg given when creating the original source container.
Default: C</var/lib/libvirt/filesystems>.
=item B<-s SECURITY-OPTIONS>, B<--security=SECURITY-OPTIONS>
Use alternative security options. SECURITY-OPTIONS is a set of key=val pairs,
separated by commas. The following options are valid for SELinux:
=over 4
=item dynamic
Dynamically allocate an SELinux label, using the default base context.
The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC,
system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0
for QEMU.
=item dynamic,label=USER:ROLE:TYPE:LEVEL
Dynamically allocate an SELinux label, using the base context
USER:ROLE:TYPE:LEVEL, instead of the default base context.
=item static,label=USER:ROLE:TYPE:LEVEL
Set a completely static label. For example:
static,label=system_u:system_r:svirt_t:s0:c412,c355
=back
=back
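The SECURITY-OPTS grammar above has one trap: the option string is comma-separated, but the LEVEL field of a label can itself contain commas (C<s0:c412,c355>). The following is an added example, not code from virt-sandbox-service, of a pre-flight check that parses a C<-s> value before it is passed to C<clone>. The function name C<parse_security_opts> is hypothetical, and only the level form shown on this page (one sensitivity plus optional comma-separated categories) is accepted.

```python
import re

# Assumption: only the level form shown on this page is accepted
# (one sensitivity, optional comma-separated categories, e.g. "s0:c412,c355").
LEVEL_RE = re.compile(r"s\d+(?::c\d+(?:,c\d+)*)?")
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_security_opts(optstr):
    """Parse a -s value into (mode, context); context is None without label=."""
    # Split off the mode only: the label itself may contain commas (c412,c355).
    mode, _, rest = optstr.partition(",")
    if mode not in ("dynamic", "static"):
        raise ValueError("mode must be 'dynamic' or 'static': %r" % mode)
    if not rest:
        if mode == "static":
            raise ValueError("static requires label=USER:ROLE:TYPE:LEVEL")
        return mode, None
    if not rest.startswith("label="):
        raise ValueError("unexpected option: %r" % rest)
    # Split at most three times so the colon inside LEVEL stays in LEVEL.
    fields = rest[len("label="):].split(":", 3)
    if len(fields) != 4:
        raise ValueError("label must be USER:ROLE:TYPE:LEVEL")
    user, role, setype, level = fields
    for name, value in (("USER", user), ("ROLE", role), ("TYPE", setype)):
        if not FIELD_RE.fullmatch(value):
            raise ValueError("bad %s field: %r" % (name, value))
    if not LEVEL_RE.fullmatch(level):
        raise ValueError("bad LEVEL field: %r" % level)
    # Category numbers, sorted, so two labels can be compared by value.
    cats = ()
    if ":" in level:
        cats = tuple(sorted(int(c[1:]) for c in level.split(":")[1].split(",")))
    return mode, {"user": user, "role": role, "type": setype,
                  "level": level, "categories": cats}


if __name__ == "__main__":
    # The two label strings that appear on this page.
    for opts in ("static,label=system_u:system_r:svirt_t:s0:c412,c355",
                 "static,label=system_u:system_r:svirt_lxc_net_t:s0:c1,c2"):
        print(parse_security_opts(opts))
```

The returned C<categories> tuple lets a wrapper compare the label chosen for DEST with the one already assigned to SOURCE before cloning.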
=head1 EXAMPLE
Clone the httpd1 container into httpd2, giving httpd2 a static SELinux label
 # virt-sandbox-service clone -s static,label=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 httpd1 httpd2
=head1 SEE ALSO
C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox-service(1)>
=head1 FILES
Container content will be stored in subdirectories of
/var/lib/libvirt/filesystems, by default. You can manage the
content in these directories outside of the container and
processes within the container will see the content.
=head1 AUTHORS
Daniel Walsh <dwalsh@redhat.com>
Daniel P. Berrange <dan@berrange.com>
=head1 COPYRIGHT
Copyright (C) 2011-2013 Red Hat, Inc.
=head1 LICENSE
virt-sandbox is distributed under the terms of the GNU LGPL v2+.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE