Project configuration¶
Projects can be configured through a set of key/value configuration options. See Configure a project for instructions on how to set these options.
The key/value configuration is namespaced. The following options are available:
Project features¶
The project features define which entities are isolated in the project and which are inherited from the default
project.
If a feature.*
option is set to true
, the corresponding entity is isolated in the project.
Note
When you create a project without explicitly configuring a specific option, this option is set to the initial value given in the following table.
However, if you unset one of the feature.*
options, it does not go back to the initial value, but to the default value.
The default value for all feature.*
options is false
.
Key: | features.images |
Type: | bool |
Default: |
|
Initial value: |
|
This setting applies to both images and image aliases.
Key: | features.networks |
Type: | bool |
Default: |
|
Initial value: |
|
Key: | features.networks.zones |
Type: | bool |
Default: |
|
Initial value: |
|
Key: | features.profiles |
Type: | bool |
Default: |
|
Initial value: |
|
Key: | features.storage.buckets |
Type: | bool |
Default: |
|
Initial value: |
|
Project limits¶
Project limits define a hard upper bound for the resources that can be used by the containers and VMs that belong to a project.
Depending on the limits.*
option, the limit applies to the number of entities that are allowed in the project (for example, limits.containers
or limits.networks
) or to the aggregate value of resource usage for all instances in the project (for example, limits.cpu
or limits.processes
).
In the latter case, the limit usually applies to the Resource limits that are configured for each instance (either directly or via a profile), and not to the resources that are actually in use.
For example, if you set the project’s limits.memory
configuration to 50GiB
, the sum of the individual values of all limits.memory
configuration keys defined on the project’s instances will be kept under 50 GiB.
Similarly, setting the project’s limits.cpu
configuration key to 100
means that the sum of individual limits.cpu
values will be kept below 100.
When using project limits, the following conditions must be fulfilled:
When you set one of the
limits.*
configurations and there is a corresponding configuration for the instance, all instances in the project must have the corresponding configuration defined (either directly or via a profile). See Resource limits for the instance configuration options.The
limits.cpu
configuration cannot be used if CPU pinning is enabled. This means that to uselimits.cpu
on a project, thelimits.cpu
configuration of each instance in the project must be set to a number of CPUs, not a set or a range of CPUs.The
limits.memory
configuration must be set to an absolute value, not a percentage.
Key: | limits.containers |
Type: | integer |
Key: | limits.cpu |
Type: | integer |
This value is the maximum value for the sum of the individual limits.cpu
configurations set on the instances of the project.
Key: | limits.disk |
Type: | string |
This value is the maximum value of the aggregate disk space used by all instance volumes, custom volumes, and images of the project.
Key: | limits.disk.pool.POOL_NAME |
Type: | string |
This value is the maximum value of the aggregate disk space used by all instance volumes, custom volumes, and images of the project on this specific storage pool.
When set to 0, the pool is excluded from storage pool list for the project.
Key: | limits.instances |
Type: | integer |
Key: | limits.memory |
Type: | string |
The value is the maximum value for the sum of the individual limits.memory
configurations set on the instances of the project.
Key: | limits.networks |
Type: | integer |
Key: | limits.processes |
Type: | integer |
This value is the maximum value for the sum of the individual limits.processes
configurations set on the instances of the project.
Project restrictions¶
To prevent the instances of a project from accessing security-sensitive features (such as container nesting or raw LXC configuration), set the restricted
configuration option to true
.
You can then use the various restricted.*
options to pick individual features that would normally be blocked by restricted
and allow them, so they can be used by the instances of the project.
For example, to restrict a project and block all security-sensitive features, but allow container nesting, enter the following commands:
lxc project set <project_name> restricted=true
lxc project set <project_name> restricted.containers.nesting=allow
Each security-sensitive feature has an associated restricted.*
project configuration option.
If you want to allow the usage of a feature, change the value of its restricted.*
option.
Most restricted.*
configurations are binary switches that can be set to either block
(the default) or allow
.
However, some options support other values for more fine-grained control.
Note
You must set the restricted
configuration to true
for any of the restricted.*
options to be effective.
If restricted
is set to false
, changing a restricted.*
option has no effect.
Setting all restricted.*
keys to allow
is equivalent to setting restricted
itself to false
.
Key: | restricted |
Type: | bool |
Default: |
|
This option must be enabled to allow the restricted.*
keys to take effect.
To temporarily remove the restrictions, you can disable this option instead of clearing the related keys.
Key: | restricted.backups |
Type: | string |
Default: |
|
Possible values are allow
or block
.
Key: | restricted.cluster.groups |
Type: | string |
If specified, this option prevents targeting cluster groups other than the provided ones.
Key: | restricted.cluster.target |
Type: | string |
Default: |
|
Possible values are allow
or block
.
When set to allow
, this option allows targeting of cluster members (either directly or via a group) when creating or moving instances.
Key: | restricted.containers.interception |
Type: | string |
Default: |
|
Possible values are allow
, block
, or full
.
When set to allow
, interception options that are usually safe are allowed.
File system mounting remains blocked.
Key: | restricted.containers.nesting |
Type: | string |
Default: |
|
Possible values are allow
or block
.
When set to allow
, security.nesting
can be set to true
for an instance.
Key: | restricted.containers.privilege |
Type: | string |
Default: |
|
Possible values are unprivileged
, isolated
, and allow
.
When set to
unpriviliged
, this option prevents settingsecurity.privileged
totrue
.When set to
isolated
, this option prevents settingsecurity.privileged
totrue
and forces using a unique idmap per container usingsecurity.idmap.isolated
set totrue
.When set to
allow
, there is no restriction.
Key: | restricted.devices.disk |
Type: | string |
Default: |
|
Possible values are allow
, block
, or managed
.
When set to
block
, this option prevents using all disk devices except the root one.When set to
managed
, this option allows using disk devices only ifpool=
is set.When set to
allow
, there is no restriction on which disk devices can be used.Important
When allowing all disk devices, make sure to set
restricted.devices.disk.paths
to a list of path prefixes that you want to allow. If you do not restrict the allowed paths, users can attach any disk device, including shifted devices (disk
devices withshift
set totrue
), which can be used to gain root access to the system.
Key: | restricted.devices.disk.paths |
Type: | string |
If restricted.devices.disk
is set to allow
, this option controls which source
can be used for disk
devices.
Specify a comma-separated list of path prefixes that restrict the source
setting.
If this option is left empty, all paths are allowed.
Key: | restricted.devices.gpu |
Type: | string |
Default: |
|
Possible values are allow
or block
.
Key: | restricted.devices.infiniband |
Type: | string |
Default: |
|
Possible values are allow
or block
.
Key: | restricted.devices.nic |
Type: | string |
Default: |
|
Possible values are allow
, block
, or managed
.
When set to
block
, this option prevents using all network devices.When set to
managed
, this option allows using network devices only ifnetwork=
is set.When set to
allow
, there is no restriction on which network devices can be used.
Key: | restricted.devices.pci |
Type: | string |
Default: |
|
Possible values are allow
or block
.
Key: | restricted.devices.proxy |
Type: | string |
Default: |
|
Possible values are allow
or block
.
Key: | restricted.devices.unix-block |
Type: | string |
Default: |
|
Possible values are allow
or block
.
Key: | restricted.devices.unix-char |
Type: | string |
Default: |
|
Possible values are allow
or block
.
Key: | restricted.devices.unix-hotplug |
Type: | string |
Default: |
|
Possible values are allow
or block
.
Key: | restricted.devices.usb |
Type: | string |
Default: |
|
Possible values are allow
or block
.
Key: | restricted.idmap.gid |
Type: | string |
This option specifies the host GID ranges that are allowed in the instance’s raw.idmap
setting.
Key: | restricted.idmap.uid |
Type: | string |
This option specifies the host UID ranges that are allowed in the instance’s raw.idmap
setting.
Key: | restricted.networks.access |
Type: | string |
Specify a comma-delimited list of network names that are allowed for use in this project. If this option is not set, all networks are accessible.
Note that this setting depends on the restricted.devices.nic
setting.
Key: | restricted.networks.subnets |
Type: | string |
Default: |
|
Specify a comma-delimited list of CIDR network routes from the uplink network’s ipv4.routes
ipv6.routes
that are allowed for use in this project.
Use the form <uplink>:<subnet>
.
Key: | restricted.networks.uplinks |
Type: | string |
Default: |
|
Specify a comma-delimited list of network names that can be used as uplink for networks in this project.
Key: | restricted.networks.zones |
Type: | string |
Default: |
|
Specify a comma-delimited list of network zones that can be used (or something under them) in this project.
Key: | restricted.snapshots |
Type: | string |
Default: |
|
Key: | restricted.virtual-machines.lowlevel |
Type: | string |
Default: |
|
Possible values are allow
or block
.
When set to allow
, low-level VM options like raw.qemu
, volatile.*
, etc. can be used.
Project-specific configuration¶
There are some Server configuration options that you can override for a project. In addition, you can add user metadata for a project.
Key: | backups.compression_algorithm |
Type: | string |
Specify which compression algorithm to use for backups in this project.
Possible values are bzip2
, gzip
, lzma
, xz
, or none
.
Key: | images.auto_update_cached |
Type: | bool |
Key: | images.auto_update_interval |
Type: | integer |
Specify the interval in hours.
To disable looking for updates to cached images, set this option to 0
.
Key: | images.compression_algorithm |
Type: | string |
Possible values are bzip2
, gzip
, lzma
, xz
, or none
.
Key: | images.default_architecture |
Type: | string |
Key: | images.remote_cache_expiry |
Type: | integer |
Specify the number of days after which the unused cached image expires.