Project configuration¶
Projects can be configured through a set of key/value configuration options. See Configure a project for instructions on how to set these options.
The key/value configuration is namespaced. The following options are available:
Project features¶
The project features define which entities are isolated in the project and which are inherited from the default project.
If a feature.* option is set to true, the corresponding entity is isolated in the project.
Note
When you create a project without explicitly configuring a specific option, this option is set to the initial value given in the following table.
However, if you unset one of the feature.* options, it does not go back to the initial value, but to the default value.
The default value for all feature.* options is false.
| Key: | features.images |
| Type: | bool |
| Default: |
|
| Initial value: |
|
This setting applies to both images and image aliases.
| Key: | features.networks |
| Type: | bool |
| Default: |
|
| Initial value: |
|
| Key: | features.networks.zones |
| Type: | bool |
| Default: |
|
| Initial value: |
|
| Key: | features.profiles |
| Type: | bool |
| Default: |
|
| Initial value: |
|
| Key: | features.storage.buckets |
| Type: | bool |
| Default: |
|
| Initial value: |
|
Project limits¶
Project limits define a hard upper bound for the resources that can be used by the containers and VMs that belong to a project.
Depending on the limits.* option, the limit applies to the number of entities that are allowed in the project (for example, limits.containers or limits.networks) or to the aggregate value of resource usage for all instances in the project (for example, limits.cpu or limits.processes).
In the latter case, the limit usually applies to the Resource limits that are configured for each instance (either directly or via a profile), and not to the resources that are actually in use.
For example, if you set the project’s limits.memory configuration to 50GiB, the sum of the individual values of all limits.memory configuration keys defined on the project’s instances will be kept under 50 GiB.
Similarly, setting the project’s limits.cpu configuration key to 100 means that the sum of individual limits.cpu values will be kept below 100.
When using project limits, the following conditions must be fulfilled:
When you set one of the
limits.*configurations and there is a corresponding configuration for the instance, all instances in the project must have the corresponding configuration defined (either directly or via a profile). See Resource limits for the instance configuration options.The
limits.cpuconfiguration cannot be used if CPU pinning is enabled. This means that to uselimits.cpuon a project, thelimits.cpuconfiguration of each instance in the project must be set to a number of CPUs, not a set or a range of CPUs.The
limits.memoryconfiguration must be set to an absolute value, not a percentage.
| Key: | limits.containers |
| Type: | integer |
| Key: | limits.cpu |
| Type: | integer |
This value is the maximum value for the sum of the individual limits.cpu configurations set on the instances of the project.
| Key: | limits.disk |
| Type: | string |
This value is the maximum value of the aggregate disk space used by all instance volumes, custom volumes, and images of the project.
| Key: | limits.disk.pool.POOL_NAME |
| Type: | string |
This value is the maximum value of the aggregate disk space used by all instance volumes, custom volumes, and images of the project on this specific storage pool.
When set to 0, the pool is excluded from storage pool list for the project.
| Key: | limits.instances |
| Type: | integer |
| Key: | limits.memory |
| Type: | string |
The value is the maximum value for the sum of the individual limits.memory configurations set on the instances of the project.
| Key: | limits.networks |
| Type: | integer |
limits.networks.uplink_ips.ipv4.NETWORK_NAMEQuota of IPv4 addresses from a specified uplink network that can be used by entities in this project
| Key: | limits.networks.uplink_ips.ipv4.NETWORK_NAME |
| Type: | string |
Maximum number of IPv4 addresses that this project can consume from the specified uplink network. This number of IPs can be consumed by networks, forwards and load balancers in this project.
limits.networks.uplink_ips.ipv6.NETWORK_NAMEQuota of IPv6 addresses from a specified uplink network that can be used by entities in this project
| Key: | limits.networks.uplink_ips.ipv6.NETWORK_NAME |
| Type: | string |
Maximum number of IPv6 addresses that this project can consume from the specified uplink network. This number of IPs can be consumed by networks, forwards and load balancers in this project.
| Key: | limits.processes |
| Type: | integer |
This value is the maximum value for the sum of the individual limits.processes configurations set on the instances of the project.
Project restrictions¶
To prevent the instances of a project from accessing security-sensitive features (such as container nesting or raw LXC configuration), set the restricted configuration option to true.
You can then use the various restricted.* options to pick individual features that would normally be blocked by restricted and allow them, so they can be used by the instances of the project.
For example, to restrict a project and block all security-sensitive features, but allow container nesting, enter the following commands:
lxc project set <project_name> restricted=true
lxc project set <project_name> restricted.containers.nesting=allow
Each security-sensitive feature has an associated restricted.* project configuration option.
If you want to allow the usage of a feature, change the value of its restricted.* option.
Most restricted.* configurations are binary switches that can be set to either block (the default) or allow.
However, some options support other values for more fine-grained control.
Note
You must set the restricted configuration to true for any of the restricted.* options to be effective.
If restricted is set to false, changing a restricted.* option has no effect.
Setting all restricted.* keys to allow is equivalent to setting restricted itself to false.
| Key: | restricted |
| Type: | bool |
| Default: |
|
This option must be enabled to allow the restricted.* keys to take effect.
To temporarily remove the restrictions, you can disable this option instead of clearing the related keys.
| Key: | restricted.backups |
| Type: | string |
| Default: |
|
Possible values are allow or block.
| Key: | restricted.cluster.groups |
| Type: | string |
If specified, this option prevents targeting cluster groups other than the provided ones.
| Key: | restricted.cluster.target |
| Type: | string |
| Default: |
|
Possible values are allow or block.
When set to allow, this option allows targeting of cluster members (either directly or via a group) when creating or moving instances.
| Key: | restricted.containers.interception |
| Type: | string |
| Default: |
|
Possible values are allow, block, or full.
When set to allow, interception options that are usually safe are allowed.
File system mounting remains blocked.
| Key: | restricted.containers.nesting |
| Type: | string |
| Default: |
|
Possible values are allow or block.
When set to allow, security.nesting can be set to true for an instance.
| Key: | restricted.containers.privilege |
| Type: | string |
| Default: |
|
Possible values are unprivileged, isolated, and allow.
When set to
unpriviliged, this option prevents settingsecurity.privilegedtotrue.When set to
isolated, this option prevents settingsecurity.privilegedtotrueand forces using a unique idmap per container usingsecurity.idmap.isolatedset totrue.When set to
allow, there is no restriction.
| Key: | restricted.devices.disk |
| Type: | string |
| Default: |
|
Possible values are allow, block, or managed.
When set to
block, this option prevents using all disk devices except the root one.When set to
managed, this option allows using disk devices only ifpool=is set.When set to
allow, there is no restriction on which disk devices can be used.Important
When allowing all disk devices, make sure to set
restricted.devices.disk.pathsto a list of path prefixes that you want to allow. If you do not restrict the allowed paths, users can attach any disk device, including shifted devices (diskdevices withshiftset totrue), which can be used to gain root access to the system.
| Key: | restricted.devices.disk.paths |
| Type: | string |
If restricted.devices.disk is set to allow, this option controls which source can be used for disk devices.
Specify a comma-separated list of path prefixes that restrict the source setting.
If this option is left empty, all paths are allowed.
| Key: | restricted.devices.gpu |
| Type: | string |
| Default: |
|
Possible values are allow or block.
| Key: | restricted.devices.infiniband |
| Type: | string |
| Default: |
|
Possible values are allow or block.
| Key: | restricted.devices.nic |
| Type: | string |
| Default: |
|
Possible values are allow, block, or managed.
When set to
block, this option prevents using all network devices.When set to
managed, this option allows using network devices only ifnetwork=is set.When set to
allow, there is no restriction on which network devices can be used.
| Key: | restricted.devices.pci |
| Type: | string |
| Default: |
|
Possible values are allow or block.
| Key: | restricted.devices.proxy |
| Type: | string |
| Default: |
|
Possible values are allow or block.
| Key: | restricted.devices.unix-block |
| Type: | string |
| Default: |
|
Possible values are allow or block.
| Key: | restricted.devices.unix-char |
| Type: | string |
| Default: |
|
Possible values are allow or block.
| Key: | restricted.devices.unix-hotplug |
| Type: | string |
| Default: |
|
Possible values are allow or block.
| Key: | restricted.devices.usb |
| Type: | string |
| Default: |
|
Possible values are allow or block.
| Key: | restricted.idmap.gid |
| Type: | string |
This option specifies the host GID ranges that are allowed in the instance’s raw.idmap setting.
| Key: | restricted.idmap.uid |
| Type: | string |
This option specifies the host UID ranges that are allowed in the instance’s raw.idmap setting.
| Key: | restricted.networks.access |
| Type: | string |
Specify a comma-delimited list of network names that are allowed for use in this project. If this option is not set, all networks are accessible.
Note that this setting depends on the restricted.devices.nic setting.
| Key: | restricted.networks.subnets |
| Type: | string |
| Default: |
|
Specify a comma-delimited list of CIDR network routes from the uplink network’s ipv4.routes ipv6.routes that are allowed for use in this project.
Use the form <uplink>:<subnet>.
Example value: lxdbr0:192.0.168.0/24,lxdbr0:10.1.19.5/32
| Key: | restricted.networks.uplinks |
| Type: | string |
| Default: |
|
Specify a comma-delimited list of network names that can be used as uplink for networks in this project.
| Key: | restricted.networks.zones |
| Type: | string |
| Default: |
|
Specify a comma-delimited list of network zones that can be used (or something under them) in this project.
| Key: | restricted.snapshots |
| Type: | string |
| Default: |
|
| Key: | restricted.virtual-machines.lowlevel |
| Type: | string |
| Default: |
|
Possible values are allow or block.
When set to allow, low-level VM options like raw.qemu, volatile.*, etc. can be used.
Project-specific configuration¶
There are some Server configuration options that you can override for a project. In addition, you can add user metadata for a project.
| Key: | backups.compression_algorithm |
| Type: | string |
Specify which compression algorithm to use for backups in this project.
Possible values are bzip2, gzip, lzma, xz, or none.
| Key: | images.auto_update_cached |
| Type: | bool |
| Key: | images.auto_update_interval |
| Type: | integer |
Specify the interval in hours.
To disable looking for updates to cached images, set this option to 0.
| Key: | images.compression_algorithm |
| Type: | string |
Possible values are bzip2, gzip, lzma, xz, or none.
| Key: | images.default_architecture |
| Type: | string |
| Key: | images.remote_cache_expiry |
| Type: | integer |
Specify the number of days after which the unused cached image expires.