readme
This commit is contained in:
parent
cf9850f944
commit
a263231ee0
70
README.md
70
README.md
@ -341,13 +341,13 @@ Options:
|
|||||||
--help|-h
|
--help|-h
|
||||||
Help plz..
|
Help plz..
|
||||||
--mode|-M VALUE
|
--mode|-M VALUE
|
||||||
Execution mode (default: o [MODE_STANDALONE_ONCE]):
|
Execution mode (default: 'o' [MODE_STANDALONE_ONCE]):
|
||||||
l: Wait for connections on a TCP port (specified with --port) [MODE_LISTEN_TCP]
|
l: Wait for connections on a TCP port (specified with --port) [MODE_LISTEN_TCP]
|
||||||
o: Immediately launch a single process on the console using clone/execve [MODE_STANDALONE_ONCE]
|
o: Launch a single process on the console using clone/execve [MODE_STANDALONE_ONCE]
|
||||||
e: Immediately launch a single process on the console using execve [MODE_STANDALONE_EXECVE]
|
e: Launch a single process on the console using execve [MODE_STANDALONE_EXECVE]
|
||||||
r: Immediately launch a single process on the console, keep doing it forever [MODE_STANDALONE_RERUN]
|
r: Launch a single process on the console with clone/execve, keep doing it forever [MODE_STANDALONE_RERUN]
|
||||||
--config|-C VALUE
|
--config|-C VALUE
|
||||||
Configuration file in the config.proto ProtoBuf format
|
Configuration file in the config.proto ProtoBuf format (see configs/ directory for examples)
|
||||||
--exec_file|-x VALUE
|
--exec_file|-x VALUE
|
||||||
File to exec (default: argv[0])
|
File to exec (default: argv[0])
|
||||||
--execute_fd
|
--execute_fd
|
||||||
@ -355,7 +355,7 @@ Options:
|
|||||||
--chroot|-c VALUE
|
--chroot|-c VALUE
|
||||||
Directory containing / of the jail (default: none)
|
Directory containing / of the jail (default: none)
|
||||||
--rw
|
--rw
|
||||||
Mount / and /proc as RW (default: RO)
|
Mount chroot dir (/) R/W (default: R/O)
|
||||||
--user|-u VALUE
|
--user|-u VALUE
|
||||||
Username/uid of processess inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times
|
Username/uid of processess inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times
|
||||||
--group|-g VALUE
|
--group|-g VALUE
|
||||||
@ -367,7 +367,7 @@ Options:
|
|||||||
--port|-p VALUE
|
--port|-p VALUE
|
||||||
TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)
|
TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)
|
||||||
--bindhost VALUE
|
--bindhost VALUE
|
||||||
IP address port to bind to (only in [MODE_LISTEN_TCP]), '::ffff:127.0.0.1' for locahost (default: '::')
|
IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')
|
||||||
--max_conns_per_ip|-i VALUE
|
--max_conns_per_ip|-i VALUE
|
||||||
Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
|
Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
|
||||||
--log|-l VALUE
|
--log|-l VALUE
|
||||||
@ -383,37 +383,39 @@ Options:
|
|||||||
--verbose|-v
|
--verbose|-v
|
||||||
Verbose output
|
Verbose output
|
||||||
--quiet|-q
|
--quiet|-q
|
||||||
Only output warning and more important messages
|
Log warning and more important messages only
|
||||||
|
--really_quiet|-Q
|
||||||
|
Log fatal messages only
|
||||||
--keep_env|-e
|
--keep_env|-e
|
||||||
Should all environment variables be passed to the child?
|
Pass all environment variables to the child process (default: all envvars are cleared)
|
||||||
--env|-E VALUE
|
--env|-E VALUE
|
||||||
Environment variable (can be used multiple times)
|
Additional environment variable (can be used multiple times)
|
||||||
--keep_caps
|
--keep_caps
|
||||||
Don't drop capabilities (DANGEROUS)
|
Don't drop any capabilities
|
||||||
--cap VALUE
|
--cap VALUE
|
||||||
Retain this capability in local namespace (e.g. CAP_PTRACE). Can be specified multiple times.
|
Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)
|
||||||
--silent
|
--silent
|
||||||
Redirect child's fd:0/1/2 to /dev/null
|
Redirect child process' fd:0/1/2 to /dev/null
|
||||||
--skip_setsid
|
--skip_setsid
|
||||||
Don't call setsid(), allows for terminal signal handling in the sandboxed process
|
Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous
|
||||||
--pass_fd VALUE
|
--pass_fd VALUE
|
||||||
Don't close this FD before executing child (can be specified multiple times), by default: 0/1/2 are kept open
|
Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open
|
||||||
--disable_no_new_privs
|
--disable_no_new_privs
|
||||||
Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)
|
Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)
|
||||||
--rlimit_as VALUE
|
--rlimit_as VALUE
|
||||||
RLIMIT_AS in MB, 'max' for RLIM_INFINITY, 'def' for the current value (default: 512)
|
RLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 512)
|
||||||
--rlimit_core VALUE
|
--rlimit_core VALUE
|
||||||
RLIMIT_CORE in MB, 'max' for RLIM_INFINITY, 'def' for the current value (default: 0)
|
RLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 0)
|
||||||
--rlimit_cpu VALUE
|
--rlimit_cpu VALUE
|
||||||
RLIMIT_CPU, 'max' for RLIM_INFINITY, 'def' for the current value (default: 600)
|
RLIMIT_CPU, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 600)
|
||||||
--rlimit_fsize VALUE
|
--rlimit_fsize VALUE
|
||||||
RLIMIT_FSIZE in MB, 'max' for RLIM_INFINITY, 'def' for the current value (default: 1)
|
RLIMIT_FSIZE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 1)
|
||||||
--rlimit_nofile VALUE
|
--rlimit_nofile VALUE
|
||||||
RLIMIT_NOFILE, 'max' for RLIM_INFINITY, 'def' for the current value (default: 32)
|
RLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 32)
|
||||||
--rlimit_nproc VALUE
|
--rlimit_nproc VALUE
|
||||||
RLIMIT_NPROC, 'max' for RLIM_INFINITY, 'def' for the current value (default: 'def')
|
RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')
|
||||||
--rlimit_stack VALUE
|
--rlimit_stack VALUE
|
||||||
RLIMIT_STACK in MB, 'max' for RLIM_INFINITY, 'def' for the current value (default: 'def')
|
RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM64_INFINITY (default: 'soft')
|
||||||
--persona_addr_compat_layout
|
--persona_addr_compat_layout
|
||||||
personality(ADDR_COMPAT_LAYOUT)
|
personality(ADDR_COMPAT_LAYOUT)
|
||||||
--persona_mmap_page_zero
|
--persona_mmap_page_zero
|
||||||
@ -425,7 +427,7 @@ Options:
|
|||||||
--persona_addr_no_randomize
|
--persona_addr_no_randomize
|
||||||
personality(ADDR_NO_RANDOMIZE)
|
personality(ADDR_NO_RANDOMIZE)
|
||||||
--disable_clone_newnet|-N
|
--disable_clone_newnet|-N
|
||||||
Don't use CLONE_NEWNET. Enable networking inside the jail
|
Don't use CLONE_NEWNET. Enable global networking inside the jail
|
||||||
--disable_clone_newuser
|
--disable_clone_newuser
|
||||||
Don't use CLONE_NEWUSER. Requires euid==0
|
Don't use CLONE_NEWUSER. Requires euid==0
|
||||||
--disable_clone_newns
|
--disable_clone_newns
|
||||||
@ -439,31 +441,31 @@ Options:
|
|||||||
--disable_clone_newcgroup
|
--disable_clone_newcgroup
|
||||||
Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6
|
Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6
|
||||||
--uid_mapping|-U VALUE
|
--uid_mapping|-U VALUE
|
||||||
Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap to be present
|
Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present
|
||||||
--gid_mapping|-G VALUE
|
--gid_mapping|-G VALUE
|
||||||
Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap to be present
|
Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present
|
||||||
--bindmount_ro|-R VALUE
|
--bindmount_ro|-R VALUE
|
||||||
List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
|
List of mountpoints to be mounted --bind (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
|
||||||
--bindmount|-B VALUE
|
--bindmount|-B VALUE
|
||||||
List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
|
List of mountpoints to be mounted --bind (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
|
||||||
--tmpfsmount|-T VALUE
|
--tmpfsmount|-T VALUE
|
||||||
List of mountpoints to be mounted as RW/tmpfs inside the container. Can be specified multiple times. Supports 'dest' syntax
|
List of mountpoints to be mounted as tmpfs (R/W) inside the container. Can be specified multiple times. Supports 'dest' syntax. Alternatively, use '-m none:dest:tmpfs:size=8388608'
|
||||||
--tmpfs_size VALUE
|
|
||||||
Number of bytes to allocate for tmpfsmounts (default: 4194304)
|
|
||||||
--mount|-m VALUE
|
--mount|-m VALUE
|
||||||
Arbitrary mount, format src:dst:fs_type:options
|
Arbitrary mount, format src:dst:fs_type:options
|
||||||
|
--symlink|-s VALUE
|
||||||
|
Symlink, format src:dst
|
||||||
--disable_proc
|
--disable_proc
|
||||||
Disable mounting /proc in the jail
|
Disable mounting procfs in the jail
|
||||||
--proc_path VALUE
|
--proc_path VALUE
|
||||||
Path used to mount procfs (default: '/proc')
|
Path used to mount procfs (default: '/proc')
|
||||||
--proc_rw
|
--proc_rw
|
||||||
Is procfs mount as R/W (default: R/O)
|
Is procfs mounted as R/W (default: R/O)
|
||||||
--seccomp_policy|-P VALUE
|
--seccomp_policy|-P VALUE
|
||||||
Path to file containing seccomp-bpf policy (see kafel/)
|
Path to file containing seccomp-bpf policy (see kafel/)
|
||||||
--seccomp_string VALUE
|
--seccomp_string VALUE
|
||||||
String with kafel seccomp-bpf policy (see kafel/)
|
String with kafel seccomp-bpf policy (see kafel/)
|
||||||
--seccomp_log
|
--seccomp_log
|
||||||
Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW. Supported since kernel version 4.14
|
Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW). Supported since kernel version 4.14
|
||||||
--cgroup_mem_max VALUE
|
--cgroup_mem_max VALUE
|
||||||
Maximum number of bytes to use in the group (default: '0' - disabled)
|
Maximum number of bytes to use in the group (default: '0' - disabled)
|
||||||
--cgroup_mem_mount VALUE
|
--cgroup_mem_mount VALUE
|
||||||
@ -484,12 +486,12 @@ Options:
|
|||||||
Which pre-existing net_cls cgroup to use as a parent (default: 'NSJAIL')
|
Which pre-existing net_cls cgroup to use as a parent (default: 'NSJAIL')
|
||||||
--cgroup_cpu_ms_per_sec VALUE
|
--cgroup_cpu_ms_per_sec VALUE
|
||||||
Number of us that the process group can use per second (default: '0' - disabled)
|
Number of us that the process group can use per second (default: '0' - disabled)
|
||||||
--cpu_mount VALUE
|
--cgroup_cpu_mount VALUE
|
||||||
Location of cpu cgroup FS (default: '/sys/fs/cgroup/net_cls')
|
Location of cpu cgroup FS (default: '/sys/fs/cgroup/net_cls')
|
||||||
--cpu_parent VALUE
|
--cgroup_cpu_parent VALUE
|
||||||
Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')
|
Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')
|
||||||
--iface_no_lo
|
--iface_no_lo
|
||||||
Don't bring up the 'lo' interface
|
Don't bring the 'lo' interface up
|
||||||
--iface_own VALUE
|
--iface_own VALUE
|
||||||
Move this existing network interface into the new NET namespace. Can be specified multiple times
|
Move this existing network interface into the new NET namespace. Can be specified multiple times
|
||||||
--macvlan_iface|-I VALUE
|
--macvlan_iface|-I VALUE
|
||||||
|
Loading…
Reference in New Issue
Block a user