projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 514094f9 | 1 | <?xml version='1.0'?> |
| 3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
| 7a8aa0ec | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
| 5fadff33 ZJS |
4 | <!ENTITY % entities SYSTEM "custom-entities.ent" > |
| 5 | %entities; | |
| 7a8aa0ec | 6 | ]> |
| db9ecf05 | 7 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
| 8f7a3c14 | 8 | |
| dfdebb1b | 9 | <refentry id="systemd-nspawn" |
| 798d3a52 ZJS |
10 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
| 11 | ||
| 12 | <refentryinfo> | |
| 13 | <title>systemd-nspawn</title> | |
| 14 | <productname>systemd</productname> | |
| 798d3a52 ZJS |
15 | </refentryinfo> |
| 16 | ||
| 17 | <refmeta> | |
| 18 | <refentrytitle>systemd-nspawn</refentrytitle> | |
| 19 | <manvolnum>1</manvolnum> | |
| 20 | </refmeta> | |
| 21 | ||
| 22 | <refnamediv> | |
| 23 | <refname>systemd-nspawn</refname> | |
| a7e2e50d | 24 | <refpurpose>Spawn a command or OS in a light-weight container</refpurpose> |
| 798d3a52 ZJS |
25 | </refnamediv> |
| 26 | ||
| 27 | <refsynopsisdiv> | |
| 28 | <cmdsynopsis> | |
| 29 | <command>systemd-nspawn</command> | |
| 30 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
| 31 | <arg choice="opt"><replaceable>COMMAND</replaceable> | |
| 32 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 33 | </arg> | |
| 34 | </cmdsynopsis> | |
| 35 | <cmdsynopsis> | |
| 36 | <command>systemd-nspawn</command> | |
| 4447e799 | 37 | <arg choice="plain">--boot</arg> |
| 798d3a52 ZJS |
38 | <arg choice="opt" rep="repeat">OPTIONS</arg> |
| 39 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 40 | </cmdsynopsis> | |
| 41 | </refsynopsisdiv> | |
| 42 | ||
| 43 | <refsect1> | |
| 44 | <title>Description</title> | |
| 45 | ||
| b09c0bba LP |
46 | <para><command>systemd-nspawn</command> may be used to run a command or OS in a light-weight namespace |
| 47 | container. In many ways it is similar to <citerefentry | |
| 48 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but more powerful | |
| 49 | since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and | |
| 50 | the host and domain name.</para> | |
| 51 | ||
| 5164c3b4 | 52 | <para><command>systemd-nspawn</command> may be invoked on any directory tree containing an operating system tree, |
| b09c0bba | 53 | using the <option>--directory=</option> command line option. By using the <option>--machine=</option> option an OS |
| 5164c3b4 | 54 | tree is automatically searched for in a couple of locations, most importantly in |
| 3b121157 | 55 | <filename>/var/lib/machines/</filename>, the suggested directory to place OS container images installed on the |
| b09c0bba LP |
56 | system.</para> |
| 57 | ||
| 58 | <para>In contrast to <citerefentry | |
| 59 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command> | |
| 60 | may be used to boot full Linux-based operating systems in a container.</para> | |
| 61 | ||
| 62 | <para><command>systemd-nspawn</command> limits access to various kernel interfaces in the container to read-only, | |
| 3b121157 | 63 | such as <filename>/sys/</filename>, <filename>/proc/sys/</filename> or <filename>/sys/fs/selinux/</filename>. The |
| b09c0bba LP |
64 | host's network interfaces and the system clock may not be changed from within the container. Device nodes may not |
| 65 | be created. The host system cannot be rebooted and kernel modules may not be loaded from within the | |
| 798d3a52 ZJS |
66 | container.</para> |
| 67 | ||
| b09c0bba LP |
68 | <para>Use a tool like <citerefentry |
| 69 | project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry | |
| 70 | project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or | |
| 71 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry> to | |
| 72 | set up an OS directory tree suitable as file system hierarchy for <command>systemd-nspawn</command> containers. See | |
| 73 | the Examples section below for details on suitable invocation of these commands.</para> | |
| 74 | ||
| 75 | <para>As a safety check <command>systemd-nspawn</command> will verify the existence of | |
| 76 | <filename>/usr/lib/os-release</filename> or <filename>/etc/os-release</filename> in the container tree before | |
| 77 | starting the container (see | |
| 78 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It might be | |
| 79 | necessary to add this file to the container tree manually if the OS of the container is too old to contain this | |
| 798d3a52 | 80 | file out-of-the-box.</para> |
| b09c0bba LP |
81 | |
| 82 | <para><command>systemd-nspawn</command> may be invoked directly from the interactive command line or run as system | |
| 83 | service in the background. In this mode each container instance runs as its own service instance; a default | |
| 84 | template unit file <filename>systemd-nspawn@.service</filename> is provided to make this easy, taking the container | |
| 85 | name as instance identifier. Note that different default options apply when <command>systemd-nspawn</command> is | |
| 6dd6a9c4 | 86 | invoked by the template unit file than interactively on the command line. Most importantly the template unit file |
| b09c0bba | 87 | makes use of the <option>--boot</option> which is not the default in case <command>systemd-nspawn</command> is |
| 6dd6a9c4 | 88 | invoked from the interactive command line. Further differences with the defaults are documented along with the |
| b09c0bba LP |
89 | various supported options below.</para> |
| 90 | ||
| 91 | <para>The <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool may | |
| 92 | be used to execute a number of operations on containers. In particular it provides easy-to-use commands to run | |
| 93 | containers as system services using the <filename>systemd-nspawn@.service</filename> template unit | |
| 94 | file.</para> | |
| 95 | ||
| 96 | <para>Along with each container a settings file with the <filename>.nspawn</filename> suffix may exist, containing | |
| 97 | additional settings to apply when running the container. See | |
| 98 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
| 99 | details. Settings files override the default options used by the <filename>systemd-nspawn@.service</filename> | |
| 100 | template unit file, making it usually unnecessary to alter this template file directly.</para> | |
| 101 | ||
| 102 | <para>Note that <command>systemd-nspawn</command> will mount file systems private to the container to | |
| 3b121157 | 103 | <filename>/dev/</filename>, <filename>/run/</filename> and similar. These will not be visible outside of the |
| b09c0bba LP |
104 | container, and their contents will be lost when the container exits.</para> |
| 105 | ||
| 106 | <para>Note that running two <command>systemd-nspawn</command> containers from the same directory tree will not make | |
| 107 | processes in them see each other. The PID namespace separation of the two containers is complete and the containers | |
| 108 | will share very few runtime objects except for the underlying file system. Use | |
| 109 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
| 110 | <command>login</command> or <command>shell</command> commands to request an additional login session in a running | |
| 111 | container.</para> | |
| 112 | ||
| 113 | <para><command>systemd-nspawn</command> implements the <ulink | |
| 53dc5fbc | 114 | url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> specification.</para> |
| b09c0bba LP |
115 | |
| 116 | <para>While running, containers invoked with <command>systemd-nspawn</command> are registered with the | |
| 117 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry> service that | |
| 118 | keeps track of running containers, and provides programming interfaces to interact with them.</para> | |
| 798d3a52 ZJS |
119 | </refsect1> |
| 120 | ||
| 121 | <refsect1> | |
| 122 | <title>Options</title> | |
| 123 | ||
| 124 | <para>If option <option>-b</option> is specified, the arguments | |
| 3f2d1365 | 125 | are used as arguments for the init program. Otherwise, |
| 798d3a52 ZJS |
126 | <replaceable>COMMAND</replaceable> specifies the program to launch |
| 127 | in the container, and the remaining arguments are used as | |
| b09c0bba | 128 | arguments for this program. If <option>--boot</option> is not used and |
| ff9b60f3 | 129 | no arguments are specified, a shell is launched in the |
| 798d3a52 ZJS |
130 | container.</para> |
| 131 | ||
| 132 | <para>The following options are understood:</para> | |
| 133 | ||
| 134 | <variablelist> | |
| d99058c9 LP |
135 | |
| 136 | <varlistentry> | |
| 137 | <term><option>-q</option></term> | |
| 138 | <term><option>--quiet</option></term> | |
| 139 | ||
| 140 | <listitem><para>Turns off any status output by the tool | |
| 141 | itself. When this switch is used, the only output from nspawn | |
| 142 | will be the console output of the container OS | |
| 143 | itself.</para></listitem> | |
| 144 | </varlistentry> | |
| 145 | ||
| 146 | <varlistentry> | |
| 147 | <term><option>--settings=</option><replaceable>MODE</replaceable></term> | |
| 148 | ||
| 149 | <listitem><para>Controls whether | |
| 150 | <command>systemd-nspawn</command> shall search for and use | |
| 151 | additional per-container settings from | |
| 152 | <filename>.nspawn</filename> files. Takes a boolean or the | |
| 153 | special values <option>override</option> or | |
| 154 | <option>trusted</option>.</para> | |
| 155 | ||
| 156 | <para>If enabled (the default), a settings file named after the | |
| 157 | machine (as specified with the <option>--machine=</option> | |
| 158 | setting, or derived from the directory or image file name) | |
| 159 | with the suffix <filename>.nspawn</filename> is searched in | |
| 160 | <filename>/etc/systemd/nspawn/</filename> and | |
| 161 | <filename>/run/systemd/nspawn/</filename>. If it is found | |
| 162 | there, its settings are read and used. If it is not found | |
| 163 | there, it is subsequently searched in the same directory as the | |
| 164 | image file or in the immediate parent of the root directory of | |
| 165 | the container. In this case, if the file is found, its settings | |
| 166 | will be also read and used, but potentially unsafe settings | |
| 167 | are ignored. Note that in both these cases, settings on the | |
| 168 | command line take precedence over the corresponding settings | |
| 169 | from loaded <filename>.nspawn</filename> files, if both are | |
| 170 | specified. Unsafe settings are considered all settings that | |
| 171 | elevate the container's privileges or grant access to | |
| 172 | additional resources such as files or directories of the | |
| 173 | host. For details about the format and contents of | |
| 174 | <filename>.nspawn</filename> files, consult | |
| 175 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
| 176 | ||
| 177 | <para>If this option is set to <option>override</option>, the | |
| 178 | file is searched, read and used the same way, however, the order of | |
| 179 | precedence is reversed: settings read from the | |
| 180 | <filename>.nspawn</filename> file will take precedence over | |
| 181 | the corresponding command line options, if both are | |
| 182 | specified.</para> | |
| 183 | ||
| 184 | <para>If this option is set to <option>trusted</option>, the | |
| 185 | file is searched, read and used the same way, but regardless | |
| 186 | of being found in <filename>/etc/systemd/nspawn/</filename>, | |
| 187 | <filename>/run/systemd/nspawn/</filename> or next to the image | |
| 188 | file or container root directory, all settings will take | |
| 189 | effect, however, command line arguments still take precedence | |
| 190 | over corresponding settings.</para> | |
| 191 | ||
| 192 | <para>If disabled, no <filename>.nspawn</filename> file is read | |
| 193 | and no settings except the ones on the command line are in | |
| 194 | effect.</para></listitem> | |
| 195 | </varlistentry> | |
| 196 | ||
| 197 | </variablelist> | |
| 198 | ||
| 199 | <refsect2> | |
| 200 | <title>Image Options</title> | |
| 201 | ||
| 202 | <variablelist> | |
| 203 | ||
| 798d3a52 ZJS |
204 | <varlistentry> |
| 205 | <term><option>-D</option></term> | |
| 206 | <term><option>--directory=</option></term> | |
| 207 | ||
| 208 | <listitem><para>Directory to use as file system root for the | |
| 209 | container.</para> | |
| 210 | ||
| 211 | <para>If neither <option>--directory=</option>, nor | |
| 212 | <option>--image=</option> is specified the directory is | |
| 32b64cce RM |
213 | determined by searching for a directory named the same as the |
| 214 | machine name specified with <option>--machine=</option>. See | |
| 215 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 216 | section "Files and Directories" for the precise search path.</para> | |
| 217 | ||
| 218 | <para>If neither <option>--directory=</option>, | |
| 219 | <option>--image=</option>, nor <option>--machine=</option> | |
| 220 | are specified, the current directory will | |
| 221 | be used. May not be specified together with | |
| 798d3a52 ZJS |
222 | <option>--image=</option>.</para></listitem> |
| 223 | </varlistentry> | |
| 224 | ||
| 225 | <varlistentry> | |
| 226 | <term><option>--template=</option></term> | |
| 227 | ||
| 3f2fa834 LP |
228 | <listitem><para>Directory or <literal>btrfs</literal> subvolume to use as template for the |
| 229 | container's root directory. If this is specified and the container's root directory (as configured by | |
| 230 | <option>--directory=</option>) does not yet exist it is created as <literal>btrfs</literal> snapshot | |
| 231 | (if supported) or plain directory (otherwise) and populated from this template tree. Ideally, the | |
| 232 | specified template path refers to the root of a <literal>btrfs</literal> subvolume, in which case a | |
| 233 | simple copy-on-write snapshot is taken, and populating the root directory is instant. If the | |
| 234 | specified template path does not refer to the root of a <literal>btrfs</literal> subvolume (or not | |
| 235 | even to a <literal>btrfs</literal> file system at all), the tree is copied (though possibly in a | |
| 236 | 'reflink' copy-on-write scheme — if the file system supports that), which can be substantially more | |
| 237 | time-consuming. Note that the snapshot taken is of the specified directory or subvolume, including | |
| 238 | all subdirectories and subvolumes below it, but excluding any sub-mounts. May not be specified | |
| 239 | together with <option>--image=</option> or <option>--ephemeral</option>.</para> | |
| 3fe22bb4 | 240 | |
| 38b38500 | 241 | <para>Note that this switch leaves hostname, machine ID and |
| 3fe22bb4 LP |
242 | all other settings that could identify the instance |
| 243 | unmodified.</para></listitem> | |
| 798d3a52 ZJS |
244 | </varlistentry> |
| 245 | ||
| 246 | <varlistentry> | |
| 247 | <term><option>-x</option></term> | |
| 248 | <term><option>--ephemeral</option></term> | |
| 249 | ||
| 0f3be6ca LP |
250 | <listitem><para>If specified, the container is run with a temporary snapshot of its file system that is removed |
| 251 | immediately when the container terminates. May not be specified together with | |
| 3fe22bb4 | 252 | <option>--template=</option>.</para> |
| 38b38500 | 253 | <para>Note that this switch leaves hostname, machine ID and all other settings that could identify |
| 3f2fa834 LP |
254 | the instance unmodified. Please note that — as with <option>--template=</option> — taking the |
| 255 | temporary snapshot is more efficient on file systems that support subvolume snapshots or 'reflinks' | |
| 256 | natively (<literal>btrfs</literal> or new <literal>xfs</literal>) than on more traditional file | |
| 257 | systems that do not (<literal>ext4</literal>). Note that the snapshot taken is of the specified | |
| 258 | directory or subvolume, including all subdirectories and subvolumes below it, but excluding any | |
| 259 | sub-mounts.</para> | |
| b23f1628 LP |
260 | |
| 261 | <para>With this option no modifications of the container image are retained. Use | |
| 262 | <option>--volatile=</option> (described below) for other mechanisms to restrict persistency of | |
| 263 | container images during runtime.</para> | |
| 264 | </listitem> | |
| 798d3a52 ZJS |
265 | </varlistentry> |
| 266 | ||
| 267 | <varlistentry> | |
| 268 | <term><option>-i</option></term> | |
| 269 | <term><option>--image=</option></term> | |
| 270 | ||
| 271 | <listitem><para>Disk image to mount the root directory for the | |
| 272 | container from. Takes a path to a regular file or to a block | |
| 273 | device node. The file or block device must contain | |
| 274 | either:</para> | |
| 275 | ||
| 276 | <itemizedlist> | |
| 277 | <listitem><para>An MBR partition table with a single | |
| 278 | partition of type 0x83 that is marked | |
| 279 | bootable.</para></listitem> | |
| 280 | ||
| 281 | <listitem><para>A GUID partition table (GPT) with a single | |
| 282 | partition of type | |
| 283 | 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem> | |
| 284 | ||
| 285 | <listitem><para>A GUID partition table (GPT) with a marked | |
| 286 | root partition which is mounted as the root directory of the | |
| 287 | container. Optionally, GPT images may contain a home and/or | |
| 288 | a server data partition which are mounted to the appropriate | |
| 289 | places in the container. All these partitions must be | |
| 290 | identified by the partition types defined by the <ulink | |
| 19ac32cd | 291 | url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable |
| 798d3a52 | 292 | Partitions Specification</ulink>.</para></listitem> |
| 58abb66f LP |
293 | |
| 294 | <listitem><para>No partition table, and a single file system spanning the whole image.</para></listitem> | |
| 798d3a52 ZJS |
295 | </itemizedlist> |
| 296 | ||
| 0f3be6ca LP |
297 | <para>On GPT images, if an EFI System Partition (ESP) is discovered, it is automatically mounted to |
| 298 | <filename>/efi</filename> (or <filename>/boot</filename> as fallback) in case a directory by this name exists | |
| 299 | and is empty.</para> | |
| 300 | ||
| 58abb66f LP |
301 | <para>Partitions encrypted with LUKS are automatically decrypted. Also, on GPT images dm-verity data integrity |
| 302 | hash partitions are set up if the root hash for them is specified using the <option>--root-hash=</option> | |
| 303 | option.</para> | |
| 304 | ||
| e7cbe5cb LB |
305 | <para>Single file system images (i.e. file systems without a surrounding partition table) can be opened using |
| 306 | dm-verity if the integrity data is passed using the <option>--root-hash=</option> and | |
| c2923fdc | 307 | <option>--verity-data=</option> (and optionally <option>--root-hash-sig=</option>) options.</para> |
| e7cbe5cb | 308 | |
| 0f3be6ca LP |
309 | <para>Any other partitions, such as foreign partitions or swap partitions are not mounted. May not be specified |
| 310 | together with <option>--directory=</option>, <option>--template=</option>.</para></listitem> | |
| 798d3a52 | 311 | </varlistentry> |
| 58abb66f | 312 | |
| 3d6c3675 LP |
313 | <varlistentry> |
| 314 | <term><option>--oci-bundle=</option></term> | |
| 315 | ||
| 316 | <listitem><para>Takes the path to an OCI runtime bundle to invoke, as specified in the <ulink | |
| 317 | url="https://github.com/opencontainers/runtime-spec/blob/master/spec.md">OCI Runtime Specification</ulink>. In | |
| 318 | this case no <filename>.nspawn</filename> file is loaded, and the root directory and various settings are read | |
| 319 | from the OCI runtime JSON data (but data passed on the command line takes precedence).</para></listitem> | |
| 320 | </varlistentry> | |
| 321 | ||
| d99058c9 LP |
322 | <varlistentry> |
| 323 | <term><option>--read-only</option></term> | |
| 324 | ||
| 325 | <listitem><para>Mount the container's root file system (and any other file systems container in the container | |
| 326 | image) read-only. This has no effect on additional mounts made with <option>--bind=</option>, | |
| 327 | <option>--tmpfs=</option> and similar options. This mode is implied if the container image file or directory is | |
| 328 | marked read-only itself. It is also implied if <option>--volatile=</option> is used. In this case the container | |
| 329 | image on disk is strictly read-only, while changes are permitted but kept non-persistently in memory only. For | |
| 330 | further details, see below.</para></listitem> | |
| 331 | </varlistentry> | |
| 332 | ||
| 333 | <varlistentry> | |
| 334 | <term><option>--volatile</option></term> | |
| 335 | <term><option>--volatile=</option><replaceable>MODE</replaceable></term> | |
| 336 | ||
| 337 | <listitem><para>Boots the container in volatile mode. When no mode parameter is passed or when mode is | |
| 338 | specified as <option>yes</option>, full volatile mode is enabled. This means the root directory is mounted as a | |
| 339 | mostly unpopulated <literal>tmpfs</literal> instance, and <filename>/usr/</filename> from the OS tree is | |
| 340 | mounted into it in read-only mode (the system thus starts up with read-only OS image, but pristine state and | |
| 341 | configuration, any changes are lost on shutdown). When the mode parameter is specified as | |
| 342 | <option>state</option>, the OS tree is mounted read-only, but <filename>/var/</filename> is mounted as a | |
| 343 | writable <literal>tmpfs</literal> instance into it (the system thus starts up with read-only OS resources and | |
| 344 | configuration, but pristine state, and any changes to the latter are lost on shutdown). When the mode parameter | |
| 345 | is specified as <option>overlay</option> the read-only root file system is combined with a writable | |
| 346 | <filename>tmpfs</filename> instance through <literal>overlayfs</literal>, so that it appears at it normally | |
| 347 | would, but any changes are applied to the temporary file system only and lost when the container is | |
| 348 | terminated. When the mode parameter is specified as <option>no</option> (the default), the whole OS tree is | |
| 349 | made available writable (unless <option>--read-only</option> is specified, see above).</para> | |
| 350 | ||
| 211c99c7 ZJS |
351 | <para>Note that if one of the volatile modes is chosen, its effect is limited to the root file system |
| 352 | (or <filename>/var/</filename> in case of <option>state</option>), and any other mounts placed in the | |
| 353 | hierarchy are unaffected — regardless if they are established automatically (e.g. the EFI system | |
| 354 | partition that might be mounted to <filename>/efi/</filename> or <filename>/boot/</filename>) or | |
| 355 | explicitly (e.g. through an additional command line option such as <option>--bind=</option>, see | |
| 356 | below). This means, even if <option>--volatile=overlay</option> is used changes to | |
| 357 | <filename>/efi/</filename> or <filename>/boot/</filename> are prohibited in case such a partition | |
| 358 | exists in the container image operated on, and even if <option>--volatile=state</option> is used the | |
| 359 | hypothetical file <filename index="false">/etc/foobar</filename> is potentially writable if | |
| 360 | <option>--bind=/etc/foobar</option> if used to mount it from outside the read-only container | |
| 3b121157 | 361 | <filename>/etc/</filename> directory.</para> |
| d99058c9 LP |
362 | |
| 363 | <para>The <option>--ephemeral</option> option is closely related to this setting, and provides similar | |
| 364 | behaviour by making a temporary, ephemeral copy of the whole OS image and executing that. For further details, | |
| 365 | see above.</para> | |
| 366 | ||
| 367 | <para>The <option>--tmpfs=</option> and <option>--overlay=</option> options provide similar functionality, but | |
| 368 | for specific sub-directories of the OS image only. For details, see below.</para> | |
| 369 | ||
| 370 | <para>This option provides similar functionality for containers as the <literal>systemd.volatile=</literal> | |
| 371 | kernel command line switch provides for host systems. See | |
| 372 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
| 373 | details.</para> | |
| 374 | ||
| 2e542f4e LP |
375 | <para>Note that setting this option to <option>yes</option> or <option>state</option> will only work |
| 376 | correctly with operating systems in the container that can boot up with only | |
| 377 | <filename>/usr/</filename> mounted, and are able to automatically populate <filename>/var/</filename> | |
| 378 | (and <filename>/etc/</filename> in case of <literal>--volatile=yes</literal>). Specifically, this | |
| 379 | means that operating systems that follow the historic split of <filename>/bin/</filename> and | |
| 380 | <filename>/lib/</filename> (and related directories) from <filename>/usr/</filename> (i.e. where the | |
| 381 | former are not symlinks into the latter) are not supported by <literal>--volatile=yes</literal> as | |
| 382 | container payload. The <option>overlay</option> option does not require any particular preparations | |
| 383 | in the OS, but do note that <literal>overlayfs</literal> behaviour differs from regular file systems | |
| 384 | in a number of ways, and hence compatibility is limited.</para></listitem> | |
| d99058c9 LP |
385 | </varlistentry> |
| 386 | ||
| 58abb66f LP |
387 | <varlistentry> |
| 388 | <term><option>--root-hash=</option></term> | |
| 389 | ||
| 390 | <listitem><para>Takes a data integrity (dm-verity) root hash specified in hexadecimal. This option enables data | |
| 391 | integrity checks using dm-verity, if the used image contains the appropriate integrity data (see above). The | |
| ef3116b5 | 392 | specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64 |
| 41488e1f LP |
393 | formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but |
| 394 | the image file carries the <literal>user.verity.roothash</literal> extended file attribute (see <citerefentry | |
| 395 | project='man-pages'><refentrytitle>xattr</refentrytitle><manvolnum>7</manvolnum></citerefentry>), then the root | |
| 396 | hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or | |
| ef3116b5 | 397 | is not supported by the underlying file system), but a file with the <filename>.roothash</filename> suffix is |
| e7cbe5cb LB |
398 | found next to the image file, bearing otherwise the same name (except if the image has the |
| 399 | <filename>.raw</filename> suffix, in which case the root hash file must not have it in its name), the root hash | |
| 329cde79 LP |
400 | is read from it and automatically used, also as formatted hexadecimal characters.</para> |
| 401 | ||
| 402 | <para>Note that this configures the root hash for the root file system. Disk images may also contain | |
| 403 | separate file systems for the <filename>/usr/</filename> hierarchy, which may be Verity protected as | |
| 404 | well. The root hash for this protection may be configured via the | |
| 405 | <literal>user.verity.usrhash</literal> extended file attribute or via a <filename>.usrhash</filename> | |
| 406 | file adjacent to the disk image, following the same format and logic as for the root hash for the | |
| 407 | root file system described here. Note that there's currently no switch to configure the root hash for | |
| 9e7600cf ZJS |
408 | the <filename>/usr/</filename> from the command line.</para> |
| 409 | ||
| 410 | <para>Also see the <varname>RootHash=</varname> option in | |
| 411 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
| 412 | </listitem> | |
| e7cbe5cb LB |
413 | </varlistentry> |
| 414 | ||
| c2923fdc LB |
415 | <varlistentry> |
| 416 | <term><option>--root-hash-sig=</option></term> | |
| 417 | ||
| 9e7600cf ZJS |
418 | <listitem><para>Takes a PKCS7 signature of the <option>--root-hash=</option> option. |
| 419 | The semantics are the same as for the <varname>RootHashSignature=</varname> option, see | |
| 420 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. | |
| 421 | </para></listitem> | |
| c2923fdc LB |
422 | </varlistentry> |
| 423 | ||
| e7cbe5cb LB |
424 | <varlistentry> |
| 425 | <term><option>--verity-data=</option></term> | |
| 426 | ||
| 427 | <listitem><para>Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks | |
| 428 | using dm-verity, if a root-hash is passed and if the used image itself does not contains the integrity data. | |
| 429 | The integrity data must be matched by the root hash. If this option is not specified, but a file with the | |
| 430 | <filename>.verity</filename> suffix is found next to the image file, bearing otherwise the same name (except if | |
| 431 | the image has the <filename>.raw</filename> suffix, in which case the verity data file must not have it in its name), | |
| 432 | the verity data is read from it and automatically used.</para></listitem> | |
| 58abb66f | 433 | </varlistentry> |
| 798d3a52 | 434 | |
| d99058c9 LP |
435 | <varlistentry> |
| 436 | <term><option>--pivot-root=</option></term> | |
| 437 | ||
| 438 | <listitem><para>Pivot the specified directory to <filename>/</filename> inside the container, and either unmount the | |
| 439 | container's old root, or pivot it to another specified directory. Takes one of: a path argument — in which case the | |
| 440 | specified path will be pivoted to <filename>/</filename> and the old root will be unmounted; or a colon-separated pair | |
| 441 | of new root path and pivot destination for the old root. The new root path will be pivoted to <filename>/</filename>, | |
| 442 | and the old <filename>/</filename> will be pivoted to the other directory. Both paths must be absolute, and are resolved | |
| 443 | in the container's file system namespace.</para> | |
| 444 | ||
| 445 | <para>This is for containers which have several bootable directories in them; for example, several | |
| 446 | <ulink url="https://ostree.readthedocs.io/en/latest/">OSTree</ulink> deployments. It emulates the behavior of | |
| 447 | the boot loader and initial RAM disk which normally select which directory to mount as the root and start the | |
| 448 | container's PID 1 in.</para></listitem> | |
| 449 | </varlistentry> | |
| 450 | </variablelist> | |
| 451 | ||
| 452 | </refsect2><refsect2> | |
| 453 | <title>Execution Options</title> | |
| 454 | ||
| 455 | <variablelist> | |
| 7732f92b LP |
456 | <varlistentry> |
| 457 | <term><option>-a</option></term> | |
| 458 | <term><option>--as-pid2</option></term> | |
| 459 | ||
| 460 | <listitem><para>Invoke the shell or specified program as process ID (PID) 2 instead of PID 1 (init). By | |
| 3f2d1365 AJ |
461 | default, if neither this option nor <option>--boot</option> is used, the selected program is run as the process |
| 462 | with PID 1, a mode only suitable for programs that are aware of the special semantics that the process with | |
| 463 | PID 1 has on UNIX. For example, it needs to reap all processes reparented to it, and should implement | |
| 7732f92b LP |
464 | <command>sysvinit</command> compatible signal handling (specifically: it needs to reboot on SIGINT, reexecute |
| 465 | on SIGTERM, reload configuration on SIGHUP, and so on). With <option>--as-pid2</option> a minimal stub init | |
| 3f2d1365 | 466 | process is run as PID 1 and the selected program is executed as PID 2 (and hence does not need to implement any |
| 7732f92b LP |
467 | special semantics). The stub init process will reap processes as necessary and react appropriately to |
| 468 | signals. It is recommended to use this mode to invoke arbitrary commands in containers, unless they have been | |
| 469 | modified to run correctly as PID 1. Or in other words: this switch should be used for pretty much all commands, | |
| 470 | except when the command refers to an init or shell implementation, as these are generally capable of running | |
| a6b5216c | 471 | correctly as PID 1. This option may not be combined with <option>--boot</option>.</para> |
| 7732f92b LP |
472 | </listitem> |
| 473 | </varlistentry> | |
| 474 | ||
| 798d3a52 ZJS |
475 | <varlistentry> |
| 476 | <term><option>-b</option></term> | |
| 477 | <term><option>--boot</option></term> | |
| 478 | ||
| 3f2d1365 | 479 | <listitem><para>Automatically search for an init program and invoke it as PID 1, instead of a shell or a user |
| 7732f92b | 480 | supplied program. If this option is used, arguments specified on the command line are used as arguments for the |
| 3f2d1365 | 481 | init program. This option may not be combined with <option>--as-pid2</option>.</para> |
| 7732f92b LP |
482 | |
| 483 | <para>The following table explains the different modes of invocation and relationship to | |
| 484 | <option>--as-pid2</option> (see above):</para> | |
| 485 | ||
| 486 | <table> | |
| 487 | <title>Invocation Mode</title> | |
| 488 | <tgroup cols='2' align='left' colsep='1' rowsep='1'> | |
| 489 | <colspec colname="switch" /> | |
| 490 | <colspec colname="explanation" /> | |
| 491 | <thead> | |
| 492 | <row> | |
| 493 | <entry>Switch</entry> | |
| 494 | <entry>Explanation</entry> | |
| 495 | </row> | |
| 496 | </thead> | |
| 497 | <tbody> | |
| 498 | <row> | |
| 499 | <entry>Neither <option>--as-pid2</option> nor <option>--boot</option> specified</entry> | |
| 4447e799 | 500 | <entry>The passed parameters are interpreted as the command line, which is executed as PID 1 in the container.</entry> |
| 7732f92b LP |
501 | </row> |
| 502 | ||
| 503 | <row> | |
| 504 | <entry><option>--as-pid2</option> specified</entry> | |
| 4447e799 | 505 | <entry>The passed parameters are interpreted as the command line, which is executed as PID 2 in the container. A stub init process is run as PID 1.</entry> |
| 7732f92b LP |
506 | </row> |
| 507 | ||
| 508 | <row> | |
| 509 | <entry><option>--boot</option> specified</entry> | |
| 3f2d1365 | 510 | <entry>An init program is automatically searched for and run as PID 1 in the container. The passed parameters are used as invocation parameters for this process.</entry> |
| 7732f92b LP |
511 | </row> |
| 512 | ||
| 513 | </tbody> | |
| 514 | </tgroup> | |
| 515 | </table> | |
| b09c0bba LP |
516 | |
| 517 | <para>Note that <option>--boot</option> is the default mode of operation if the | |
| 518 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 7732f92b | 519 | </listitem> |
| 798d3a52 ZJS |
520 | </varlistentry> |
| 521 | ||
| 5f932eb9 LP |
522 | <varlistentry> |
| 523 | <term><option>--chdir=</option></term> | |
| 524 | ||
| 525 | <listitem><para>Change to the specified working directory before invoking the process in the container. Expects | |
| 526 | an absolute path in the container's file system namespace.</para></listitem> | |
| 527 | </varlistentry> | |
| 528 | ||
| b53ede69 | 529 | <varlistentry> |
| d99058c9 LP |
530 | <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> |
| 531 | <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> | |
| b53ede69 | 532 | |
| d99058c9 LP |
533 | <listitem><para>Specifies an environment variable assignment |
| 534 | to pass to the init process in the container, in the format | |
| 535 | <literal>NAME=VALUE</literal>. This may be used to override | |
| 536 | the default variables or to set additional variables. This | |
| 537 | parameter may be used more than once.</para></listitem> | |
| b53ede69 PW |
538 | </varlistentry> |
| 539 | ||
| 798d3a52 ZJS |
540 | <varlistentry> |
| 541 | <term><option>-u</option></term> | |
| 542 | <term><option>--user=</option></term> | |
| 543 | ||
| e9dd6984 ZJS |
544 | <listitem><para>After transitioning into the container, change to the specified user defined in the |
| 545 | container's user database. Like all other systemd-nspawn features, this is not a security feature and | |
| 546 | provides protection against accidental destructive operations only.</para></listitem> | |
| 798d3a52 ZJS |
547 | </varlistentry> |
| 548 | ||
| d99058c9 LP |
549 | <varlistentry> |
| 550 | <term><option>--kill-signal=</option></term> | |
| 551 | ||
| 552 | <listitem><para>Specify the process signal to send to the container's PID 1 when nspawn itself receives | |
| 553 | <constant>SIGTERM</constant>, in order to trigger an orderly shutdown of the container. Defaults to | |
| 554 | <constant>SIGRTMIN+3</constant> if <option>--boot</option> is used (on systemd-compatible init systems | |
| 555 | <constant>SIGRTMIN+3</constant> triggers an orderly shutdown). If <option>--boot</option> is not used and this | |
| 556 | option is not specified the container's processes are terminated abruptly via <constant>SIGKILL</constant>. For | |
| 557 | a list of valid signals, see <citerefentry | |
| 558 | project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem> | |
| 559 | </varlistentry> | |
| 560 | ||
| 561 | <varlistentry> | |
| 562 | <term><option>--notify-ready=</option></term> | |
| 563 | ||
| 564 | <listitem><para>Configures support for notifications from the container's init process. | |
| 565 | <option>--notify-ready=</option> takes a boolean (<option>no</option> and <option>yes</option>). | |
| 566 | With option <option>no</option> systemd-nspawn notifies systemd | |
| 567 | with a <literal>READY=1</literal> message when the init process is created. | |
| 568 | With option <option>yes</option> systemd-nspawn waits for the | |
| 569 | <literal>READY=1</literal> message from the init process in the container | |
| 570 | before sending its own to systemd. For more details about notifications | |
| f4e1a425 | 571 | see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para></listitem> |
| d99058c9 LP |
572 | </varlistentry> |
| 573 | </variablelist> | |
| 574 | ||
| 575 | </refsect2><refsect2> | |
| 576 | <title>System Identity Options</title> | |
| 577 | ||
| 578 | <variablelist> | |
| 798d3a52 ZJS |
579 | <varlistentry> |
| 580 | <term><option>-M</option></term> | |
| 581 | <term><option>--machine=</option></term> | |
| 582 | ||
| 583 | <listitem><para>Sets the machine name for this container. This | |
| 584 | name may be used to identify this container during its runtime | |
| 585 | (for example in tools like | |
| 586 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 587 | and similar), and is used to initialize the container's | |
| 588 | hostname (which the container can choose to override, | |
| 589 | however). If not specified, the last component of the root | |
| 590 | directory path of the container is used, possibly suffixed | |
| 591 | with a random identifier in case <option>--ephemeral</option> | |
| 592 | mode is selected. If the root directory selected is the host's | |
| 593 | root directory the host's hostname is used as default | |
| 594 | instead.</para></listitem> | |
| 595 | </varlistentry> | |
| 596 | ||
| 3a9530e5 LP |
597 | <varlistentry> |
| 598 | <term><option>--hostname=</option></term> | |
| 599 | ||
| 600 | <listitem><para>Controls the hostname to set within the container, if different from the machine name. Expects | |
| 601 | a valid hostname as argument. If this option is used, the kernel hostname of the container will be set to this | |
| 602 | value, otherwise it will be initialized to the machine name as controlled by the <option>--machine=</option> | |
| 603 | option described above. The machine name is used for various aspect of identification of the container from the | |
| 604 | outside, the kernel hostname configurable with this option is useful for the container to identify itself from | |
| 605 | the inside. It is usually a good idea to keep both forms of identification synchronized, in order to avoid | |
| 606 | confusion. It is hence recommended to avoid usage of this option, and use <option>--machine=</option> | |
| 607 | exclusively. Note that regardless whether the container's hostname is initialized from the name set with | |
| 608 | <option>--hostname=</option> or the one set with <option>--machine=</option>, the container can later override | |
| 609 | its kernel hostname freely on its own as well.</para> | |
| 610 | </listitem> | |
| 611 | </varlistentry> | |
| 612 | ||
| 798d3a52 ZJS |
613 | <varlistentry> |
| 614 | <term><option>--uuid=</option></term> | |
| 615 | ||
| 616 | <listitem><para>Set the specified UUID for the container. The | |
| 617 | init system will initialize | |
| 618 | <filename>/etc/machine-id</filename> from this if this file is | |
| e01ff70a MS |
619 | not set yet. Note that this option takes effect only if |
| 620 | <filename>/etc/machine-id</filename> in the container is | |
| 621 | unpopulated.</para></listitem> | |
| 798d3a52 | 622 | </varlistentry> |
| d99058c9 | 623 | </variablelist> |
| 798d3a52 | 624 | |
| d99058c9 LP |
625 | </refsect2><refsect2> |
| 626 | <title>Property Options</title> | |
| 627 | ||
| 628 | <variablelist> | |
| 798d3a52 | 629 | <varlistentry> |
| 4deb5503 | 630 | <term><option>-S</option></term> |
| 798d3a52 ZJS |
631 | <term><option>--slice=</option></term> |
| 632 | ||
| cd2dfc6f LP |
633 | <listitem><para>Make the container part of the specified slice, instead of the default |
| 634 | <filename>machine.slice</filename>. This applies only if the machine is run in its own scope unit, i.e. if | |
| 635 | <option>--keep-unit</option> isn't used.</para> | |
| f36933fe LP |
636 | </listitem> |
| 637 | </varlistentry> | |
| 638 | ||
| 639 | <varlistentry> | |
| 640 | <term><option>--property=</option></term> | |
| 641 | ||
| cd2dfc6f LP |
642 | <listitem><para>Set a unit property on the scope unit to register for the machine. This applies only if the |
| 643 | machine is run in its own scope unit, i.e. if <option>--keep-unit</option> isn't used. Takes unit property | |
| 644 | assignments in the same format as <command>systemctl set-property</command>. This is useful to set memory | |
| 645 | limits and similar for container.</para> | |
| 798d3a52 ZJS |
646 | </listitem> |
| 647 | </varlistentry> | |
| 648 | ||
| d99058c9 LP |
649 | <varlistentry> |
| 650 | <term><option>--register=</option></term> | |
| 651 | ||
| 652 | <listitem><para>Controls whether the container is registered with | |
| 653 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes a | |
| 654 | boolean argument, which defaults to <literal>yes</literal>. This option should be enabled when the container | |
| 655 | runs a full Operating System (more specifically: a system and service manager as PID 1), and is useful to | |
| 656 | ensure that the container is accessible via | |
| 657 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and shown by | |
| 658 | tools such as <citerefentry | |
| 659 | project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If the container | |
| 660 | does not run a service manager, it is recommended to set this option to | |
| 661 | <literal>no</literal>.</para></listitem> | |
| 662 | </varlistentry> | |
| 663 | ||
| 664 | <varlistentry> | |
| 665 | <term><option>--keep-unit</option></term> | |
| 666 | ||
| 667 | <listitem><para>Instead of creating a transient scope unit to run the container in, simply use the service or | |
| 668 | scope unit <command>systemd-nspawn</command> has been invoked in. If <option>--register=yes</option> is set | |
| 669 | this unit is registered with | |
| 670 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This | |
| 671 | switch should be used if <command>systemd-nspawn</command> is invoked from within a service unit, and the | |
| 672 | service unit's sole purpose is to run a single <command>systemd-nspawn</command> container. This option is not | |
| 673 | available if run from a user session.</para> | |
| 674 | <para>Note that passing <option>--keep-unit</option> disables the effect of <option>--slice=</option> and | |
| 675 | <option>--property=</option>. Use <option>--keep-unit</option> and <option>--register=no</option> in | |
| 676 | combination to disable any kind of unit allocation or registration with | |
| 677 | <command>systemd-machined</command>.</para></listitem> | |
| 678 | </varlistentry> | |
| 679 | </variablelist> | |
| 680 | ||
| 681 | </refsect2><refsect2> | |
| 682 | <title>User Namespacing Options</title> | |
| 683 | ||
| 684 | <variablelist> | |
| 03cfe0d5 LP |
685 | <varlistentry> |
| 686 | <term><option>--private-users=</option></term> | |
| 687 | ||
| d2e5535f LP |
688 | <listitem><para>Controls user namespacing. If enabled, the container will run with its own private set of UNIX |
| 689 | user and group ids (UIDs and GIDs). This involves mapping the private UIDs/GIDs used in the container (starting | |
| 690 | with the container's root user 0 and up) to a range of UIDs/GIDs on the host that are not used for other | |
| 691 | purposes (usually in the range beyond the host's UID/GID 65536). The parameter may be specified as follows:</para> | |
| 692 | ||
| 693 | <orderedlist> | |
| 2dd67817 | 694 | <listitem><para>If one or two colon-separated numbers are specified, user namespacing is turned on. The first |
| ae209204 ZJS |
695 | parameter specifies the first host UID/GID to assign to the container, the second parameter specifies the |
| 696 | number of host UIDs/GIDs to assign to the container. If the second parameter is omitted, 65536 UIDs/GIDs are | |
| 697 | assigned.</para></listitem> | |
| 698 | ||
| 699 | <listitem><para>If the parameter is omitted, or true, user namespacing is turned on. The UID/GID range to | |
| 700 | use is determined automatically from the file ownership of the root directory of the container's directory | |
| 701 | tree. To use this option, make sure to prepare the directory tree in advance, and ensure that all files and | |
| 702 | directories in it are owned by UIDs/GIDs in the range you'd like to use. Also, make sure that used file ACLs | |
| 703 | exclusively reference UIDs/GIDs in the appropriate range. If this mode is used the number of UIDs/GIDs | |
| 704 | assigned to the container for use is 65536, and the UID/GID of the root directory must be a multiple of | |
| 705 | 65536.</para></listitem> | |
| 706 | ||
| 707 | <listitem><para>If the parameter is false, user namespacing is turned off. This is the default.</para> | |
| 708 | </listitem> | |
| 709 | ||
| 710 | <listitem><para>The special value <literal>pick</literal> turns on user namespacing. In this case the UID/GID | |
| 711 | range is automatically chosen. As first step, the file owner of the root directory of the container's | |
| 712 | directory tree is read, and it is checked that it is currently not used by the system otherwise (in | |
| 713 | particular, that no other container is using it). If this check is successful, the UID/GID range determined | |
| 2dd67817 | 714 | this way is used, similar to the behavior if "yes" is specified. If the check is not successful (and thus |
| ae209204 ZJS |
715 | the UID/GID range indicated in the root directory's file owner is already used elsewhere) a new – currently |
| 716 | unused – UID/GID range of 65536 UIDs/GIDs is randomly chosen between the host UID/GIDs of 524288 and | |
| 68709a63 DB |
717 | 1878982656, always starting at a multiple of 65536, and, if possible, consistently hashed from the machine |
| 718 | name. This setting implies | |
| ae209204 ZJS |
719 | <option>--private-users-chown</option> (see below), which has the effect that the files and directories in |
| 720 | the container's directory tree will be owned by the appropriate users of the range picked. Using this option | |
| 2dd67817 | 721 | makes user namespace behavior fully automatic. Note that the first invocation of a previously unused |
| ae209204 ZJS |
722 | container image might result in picking a new UID/GID range for it, and thus in the (possibly expensive) file |
| 723 | ownership adjustment operation. However, subsequent invocations of the container will be cheap (unless of | |
| 724 | course the picked UID/GID range is assigned to a different use by then).</para></listitem> | |
| d2e5535f LP |
725 | </orderedlist> |
| 726 | ||
| 727 | <para>It is recommended to assign at least 65536 UIDs/GIDs to each container, so that the usable UID/GID range in the | |
| 728 | container covers 16 bit. For best security, do not assign overlapping UID/GID ranges to multiple containers. It is | |
| 729 | hence a good idea to use the upper 16 bit of the host 32-bit UIDs/GIDs as container identifier, while the lower 16 | |
| 2dd67817 | 730 | bit encode the container UID/GID used. This is in fact the behavior enforced by the |
| d2e5535f LP |
731 | <option>--private-users=pick</option> option.</para> |
| 732 | ||
| 733 | <para>When user namespaces are used, the GID range assigned to each container is always chosen identical to the | |
| 734 | UID range.</para> | |
| 735 | ||
| 736 | <para>In most cases, using <option>--private-users=pick</option> is the recommended option as it enhances | |
| 737 | container security massively and operates fully automatically in most cases.</para> | |
| 738 | ||
| 739 | <para>Note that the picked UID/GID range is not written to <filename>/etc/passwd</filename> or | |
| 740 | <filename>/etc/group</filename>. In fact, the allocation of the range is not stored persistently anywhere, | |
| aa10469e LP |
741 | except in the file ownership of the files and directories of the container.</para> |
| 742 | ||
| 743 | <para>Note that when user namespacing is used file ownership on disk reflects this, and all of the container's | |
| 744 | files and directories are owned by the container's effective user and group IDs. This means that copying files | |
| 745 | from and to the container image requires correction of the numeric UID/GID values, according to the UID/GID | |
| 746 | shift applied.</para></listitem> | |
| 03cfe0d5 LP |
747 | </varlistentry> |
| 748 | ||
| d2e5535f LP |
749 | <varlistentry> |
| 750 | <term><option>--private-users-chown</option></term> | |
| 751 | ||
| bcf09321 ZJS |
752 | <listitem><para>If specified, all files and directories in the container's directory tree will be |
| 753 | adjusted so that they are owned by the appropriate UIDs/GIDs selected for the container (see above). | |
| 754 | This operation is potentially expensive, as it involves iterating through the full directory tree of | |
| 755 | the container. Besides actual file ownership, file ACLs are adjusted as well.</para> | |
| d2e5535f LP |
756 | |
| 757 | <para>This option is implied if <option>--private-users=pick</option> is used. This option has no effect if | |
| 758 | user namespacing is not used.</para></listitem> | |
| 759 | </varlistentry> | |
| 03cfe0d5 | 760 | |
| 6265bde2 ZJS |
761 | <varlistentry> |
| 762 | <term><option>-U</option></term> | |
| 763 | ||
| 764 | <listitem><para>If the kernel supports the user namespaces feature, equivalent to | |
| 765 | <option>--private-users=pick --private-users-chown</option>, otherwise equivalent to | |
| 766 | <option>--private-users=no</option>.</para> | |
| 767 | ||
| 768 | <para>Note that <option>-U</option> is the default if the | |
| 769 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 770 | ||
| 771 | <para>Note: it is possible to undo the effect of <option>--private-users-chown</option> (or | |
| 772 | <option>-U</option>) on the file system by redoing the operation with the first UID of 0:</para> | |
| 773 | ||
| 774 | <programlisting>systemd-nspawn … --private-users=0 --private-users-chown</programlisting> | |
| 775 | </listitem> | |
| 776 | </varlistentry> | |
| 777 | ||
| d99058c9 LP |
778 | </variablelist> |
| 779 | ||
| 780 | </refsect2><refsect2> | |
| 781 | <title>Networking Options</title> | |
| 782 | ||
| 783 | <variablelist> | |
| 784 | ||
| 798d3a52 ZJS |
785 | <varlistentry> |
| 786 | <term><option>--private-network</option></term> | |
| 787 | ||
| 788 | <listitem><para>Disconnect networking of the container from | |
| 789 | the host. This makes all network interfaces unavailable in the | |
| 790 | container, with the exception of the loopback device and those | |
| 791 | specified with <option>--network-interface=</option> and | |
| 792 | configured with <option>--network-veth</option>. If this | |
| ec562515 | 793 | option is specified, the <constant>CAP_NET_ADMIN</constant> capability will be |
| 798d3a52 | 794 | added to the set of capabilities the container retains. The |
| bc96c63c ZJS |
795 | latter may be disabled by using <option>--drop-capability=</option>. |
| 796 | If this option is not specified (or implied by one of the options | |
| 797 | listed below), the container will have full access to the host network. | |
| 798 | </para></listitem> | |
| 798d3a52 ZJS |
799 | </varlistentry> |
| 800 | ||
| 801 | <varlistentry> | |
| 802 | <term><option>--network-interface=</option></term> | |
| 803 | ||
| 804 | <listitem><para>Assign the specified network interface to the | |
| 805 | container. This will remove the specified interface from the | |
| 806 | calling namespace and place it in the container. When the | |
| 807 | container terminates, it is moved back to the host namespace. | |
| 808 | Note that <option>--network-interface=</option> implies | |
| 809 | <option>--private-network</option>. This option may be used | |
| 810 | more than once to add multiple network interfaces to the | |
| 811 | container.</para></listitem> | |
| 812 | </varlistentry> | |
| 813 | ||
| 814 | <varlistentry> | |
| 815 | <term><option>--network-macvlan=</option></term> | |
| 816 | ||
| 817 | <listitem><para>Create a <literal>macvlan</literal> interface | |
| 818 | of the specified Ethernet network interface and add it to the | |
| 819 | container. A <literal>macvlan</literal> interface is a virtual | |
| 820 | interface that adds a second MAC address to an existing | |
| 821 | physical Ethernet link. The interface in the container will be | |
| 822 | named after the interface on the host, prefixed with | |
| 823 | <literal>mv-</literal>. Note that | |
| 824 | <option>--network-macvlan=</option> implies | |
| 825 | <option>--private-network</option>. This option may be used | |
| 826 | more than once to add multiple network interfaces to the | |
| 827 | container.</para></listitem> | |
| 828 | </varlistentry> | |
| 829 | ||
| 830 | <varlistentry> | |
| 831 | <term><option>--network-ipvlan=</option></term> | |
| 832 | ||
| 833 | <listitem><para>Create an <literal>ipvlan</literal> interface | |
| 834 | of the specified Ethernet network interface and add it to the | |
| 835 | container. An <literal>ipvlan</literal> interface is a virtual | |
| 836 | interface, similar to a <literal>macvlan</literal> interface, | |
| 837 | which uses the same MAC address as the underlying interface. | |
| 838 | The interface in the container will be named after the | |
| 839 | interface on the host, prefixed with <literal>iv-</literal>. | |
| 840 | Note that <option>--network-ipvlan=</option> implies | |
| 841 | <option>--private-network</option>. This option may be used | |
| 842 | more than once to add multiple network interfaces to the | |
| 843 | container.</para></listitem> | |
| 844 | </varlistentry> | |
| 845 | ||
| 846 | <varlistentry> | |
| 847 | <term><option>-n</option></term> | |
| 848 | <term><option>--network-veth</option></term> | |
| 849 | ||
| 5e7423ff LP |
850 | <listitem><para>Create a virtual Ethernet link (<literal>veth</literal>) between host and container. The host |
| 851 | side of the Ethernet link will be available as a network interface named after the container's name (as | |
| 852 | specified with <option>--machine=</option>), prefixed with <literal>ve-</literal>. The container side of the | |
| 853 | Ethernet link will be named <literal>host0</literal>. The <option>--network-veth</option> option implies | |
| 854 | <option>--private-network</option>.</para> | |
| 855 | ||
| 856 | <para>Note that | |
| 857 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 858 | includes by default a network file <filename>/usr/lib/systemd/network/80-container-ve.network</filename> | |
| 859 | matching the host-side interfaces created this way, which contains settings to enable automatic address | |
| 860 | provisioning on the created virtual link via DHCP, as well as automatic IP routing onto the host's external | |
| 861 | network interfaces. It also contains <filename>/usr/lib/systemd/network/80-container-host0.network</filename> | |
| 862 | matching the container-side interface created this way, containing settings to enable client side address | |
| 863 | assignment via DHCP. In case <filename>systemd-networkd</filename> is running on both the host and inside the | |
| 864 | container, automatic IP communication from the container to the host is thus available, with further | |
| 865 | connectivity to the external network.</para> | |
| b09c0bba LP |
866 | |
| 867 | <para>Note that <option>--network-veth</option> is the default if the | |
| 868 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 6cc68362 LP |
869 | |
| 870 | <para>Note that on Linux network interface names may have a length of 15 characters at maximum, while | |
| 871 | container names may have a length up to 64 characters. As this option derives the host-side interface | |
| 872 | name from the container name the name is possibly truncated. Thus, care needs to be taken to ensure | |
| 873 | that interface names remain unique in this case, or even better container names are generally not | |
| bc5ea049 KK |
874 | chosen longer than 12 characters, to avoid the truncation. If the name is truncated, |
| 875 | <command>systemd-nspawn</command> will automatically append a 4-digit hash value to the name to | |
| 876 | reduce the chance of collisions. However, the hash algorithm is not collision-free. (See | |
| 877 | <citerefentry><refentrytitle>systemd.net-naming-scheme</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| 878 | for details on older naming algorithms for this interface). Alternatively, the | |
| 6cc68362 LP |
879 | <option>--network-veth-extra=</option> option may be used, which allows free configuration of the |
| 880 | host-side interface name independently of the container name — but might require a bit more | |
| 881 | additional configuration in case bridging in a fashion similar to <option>--network-bridge=</option> | |
| 882 | is desired.</para> | |
| 5e7423ff | 883 | </listitem> |
| 798d3a52 ZJS |
884 | </varlistentry> |
| 885 | ||
| f6d6bad1 LP |
886 | <varlistentry> |
| 887 | <term><option>--network-veth-extra=</option></term> | |
| 888 | ||
| 889 | <listitem><para>Adds an additional virtual Ethernet link | |
| 890 | between host and container. Takes a colon-separated pair of | |
| 891 | host interface name and container interface name. The latter | |
| 892 | may be omitted in which case the container and host sides will | |
| 893 | be assigned the same name. This switch is independent of | |
| ccddd104 | 894 | <option>--network-veth</option>, and — in contrast — may be |
| f6d6bad1 LP |
895 | used multiple times, and allows configuration of the network |
| 896 | interface names. Note that <option>--network-bridge=</option> | |
| 897 | has no effect on interfaces created with | |
| 898 | <option>--network-veth-extra=</option>.</para></listitem> | |
| 899 | </varlistentry> | |
| 900 | ||
| 798d3a52 ZJS |
901 | <varlistentry> |
| 902 | <term><option>--network-bridge=</option></term> | |
| 903 | ||
| 6cc68362 LP |
904 | <listitem><para>Adds the host side of the Ethernet link created with <option>--network-veth</option> |
| 905 | to the specified Ethernet bridge interface. Expects a valid network interface name of a bridge device | |
| 906 | as argument. Note that <option>--network-bridge=</option> implies <option>--network-veth</option>. If | |
| 907 | this option is used, the host side of the Ethernet link will use the <literal>vb-</literal> prefix | |
| 908 | instead of <literal>ve-</literal>. Regardless of the used naming prefix the same network interface | |
| 909 | name length limits imposed by Linux apply, along with the complications this creates (for details see | |
| 910 | above).</para></listitem> | |
| 798d3a52 ZJS |
911 | </varlistentry> |
| 912 | ||
| 938d2579 LP |
913 | <varlistentry> |
| 914 | <term><option>--network-zone=</option></term> | |
| 915 | ||
| 916 | <listitem><para>Creates a virtual Ethernet link (<literal>veth</literal>) to the container and adds it to an | |
| 917 | automatically managed Ethernet bridge interface. The bridge interface is named after the passed argument, | |
| 918 | prefixed with <literal>vz-</literal>. The bridge interface is automatically created when the first container | |
| 919 | configured for its name is started, and is automatically removed when the last container configured for its | |
| 920 | name exits. Hence, each bridge interface configured this way exists only as long as there's at least one | |
| 921 | container referencing it running. This option is very similar to <option>--network-bridge=</option>, besides | |
| 922 | this automatic creation/removal of the bridge device.</para> | |
| 923 | ||
| 924 | <para>This setting makes it easy to place multiple related containers on a common, virtual Ethernet-based | |
| 925 | broadcast domain, here called a "zone". Each container may only be part of one zone, but each zone may contain | |
| 926 | any number of containers. Each zone is referenced by its name. Names may be chosen freely (as long as they form | |
| 927 | valid network interface names when prefixed with <literal>vz-</literal>), and it is sufficient to pass the same | |
| cf917c27 | 928 | name to the <option>--network-zone=</option> switch of the various concurrently running containers to join |
| 938d2579 LP |
929 | them in one zone.</para> |
| 930 | ||
| 931 | <para>Note that | |
| 932 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 933 | includes by default a network file <filename>/usr/lib/systemd/network/80-container-vz.network</filename> | |
| 934 | matching the bridge interfaces created this way, which contains settings to enable automatic address | |
| 935 | provisioning on the created virtual network via DHCP, as well as automatic IP routing onto the host's external | |
| 936 | network interfaces. Using <option>--network-zone=</option> is hence in most cases fully automatic and | |
| 937 | sufficient to connect multiple local containers in a joined broadcast domain to the host, with further | |
| 938 | connectivity to the external network.</para> | |
| 939 | </listitem> | |
| 940 | </varlistentry> | |
| 941 | ||
| 798d3a52 | 942 | <varlistentry> |
| d99058c9 | 943 | <term><option>--network-namespace-path=</option></term> |
| 798d3a52 | 944 | |
| d99058c9 LP |
945 | <listitem><para>Takes the path to a file representing a kernel |
| 946 | network namespace that the container shall run in. The specified path | |
| 947 | should refer to a (possibly bind-mounted) network namespace file, as | |
| 948 | exposed by the kernel below <filename>/proc/$PID/ns/net</filename>. | |
| 949 | This makes the container enter the given network namespace. One of the | |
| 950 | typical use cases is to give a network namespace under | |
| 951 | <filename>/run/netns</filename> created by <citerefentry | |
| 952 | project='man-pages'><refentrytitle>ip-netns</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 953 | for example, <option>--network-namespace-path=/run/netns/foo</option>. | |
| 954 | Note that this option cannot be used together with other | |
| 955 | network-related options, such as <option>--private-network</option> | |
| 956 | or <option>--network-interface=</option>.</para></listitem> | |
| 957 | </varlistentry> | |
| 958 | ||
| 959 | <varlistentry> | |
| 960 | <term><option>-p</option></term> | |
| 961 | <term><option>--port=</option></term> | |
| 962 | ||
| 963 | <listitem><para>If private networking is enabled, maps an IP | |
| 964 | port on the host onto an IP port on the container. Takes a | |
| 965 | protocol specifier (either <literal>tcp</literal> or | |
| 798d3a52 ZJS |
966 | <literal>udp</literal>), separated by a colon from a host port |
| 967 | number in the range 1 to 65535, separated by a colon from a | |
| 968 | container port number in the range from 1 to 65535. The | |
| 969 | protocol specifier and its separating colon may be omitted, in | |
| 970 | which case <literal>tcp</literal> is assumed. The container | |
| 7c918141 | 971 | port number and its colon may be omitted, in which case the |
| 798d3a52 | 972 | same port as the host port is implied. This option is only |
| a8eaaee7 | 973 | supported if private networking is used, such as with |
| 938d2579 | 974 | <option>--network-veth</option>, <option>--network-zone=</option> |
| 798d3a52 ZJS |
975 | <option>--network-bridge=</option>.</para></listitem> |
| 976 | </varlistentry> | |
| d99058c9 | 977 | </variablelist> |
| 798d3a52 | 978 | |
| d99058c9 LP |
979 | </refsect2><refsect2> |
| 980 | <title>Security Options</title> | |
| 798d3a52 | 981 | |
| d99058c9 | 982 | <variablelist> |
| 798d3a52 ZJS |
983 | <varlistentry> |
| 984 | <term><option>--capability=</option></term> | |
| 985 | ||
| ec562515 ZJS |
986 | <listitem><para>List one or more additional capabilities to grant the container. Takes a |
| 987 | comma-separated list of capability names, see <citerefentry | |
| 988 | project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| a30504ed | 989 | for more information. Note that the following capabilities will be granted in any way: |
| ec562515 ZJS |
990 | <constant>CAP_AUDIT_CONTROL</constant>, <constant>CAP_AUDIT_WRITE</constant>, |
| 991 | <constant>CAP_CHOWN</constant>, <constant>CAP_DAC_OVERRIDE</constant>, | |
| 992 | <constant>CAP_DAC_READ_SEARCH</constant>, <constant>CAP_FOWNER</constant>, | |
| 993 | <constant>CAP_FSETID</constant>, <constant>CAP_IPC_OWNER</constant>, <constant>CAP_KILL</constant>, | |
| 994 | <constant>CAP_LEASE</constant>, <constant>CAP_LINUX_IMMUTABLE</constant>, | |
| 995 | <constant>CAP_MKNOD</constant>, <constant>CAP_NET_BIND_SERVICE</constant>, | |
| 996 | <constant>CAP_NET_BROADCAST</constant>, <constant>CAP_NET_RAW</constant>, | |
| 997 | <constant>CAP_SETFCAP</constant>, <constant>CAP_SETGID</constant>, <constant>CAP_SETPCAP</constant>, | |
| 998 | <constant>CAP_SETUID</constant>, <constant>CAP_SYS_ADMIN</constant>, | |
| 999 | <constant>CAP_SYS_BOOT</constant>, <constant>CAP_SYS_CHROOT</constant>, | |
| 1000 | <constant>CAP_SYS_NICE</constant>, <constant>CAP_SYS_PTRACE</constant>, | |
| 1001 | <constant>CAP_SYS_RESOURCE</constant>, <constant>CAP_SYS_TTY_CONFIG</constant>. Also | |
| 1002 | <constant>CAP_NET_ADMIN</constant> is retained if <option>--private-network</option> is specified. | |
| 1003 | If the special value <literal>all</literal> is passed, all capabilities are retained.</para> | |
| 8a99bd0c ZJS |
1004 | |
| 1005 | <para>If the special value of <literal>help</literal> is passed, the program will print known | |
| 88fc9c9b TH |
1006 | capability names and exit.</para> |
| 1007 | ||
| 1008 | <para>This option sets the bounding set of capabilities which | |
| 1009 | also limits the ambient capabilities as given with the | |
| 1010 | <option>--ambient-capability=</option>.</para></listitem> | |
| 798d3a52 ZJS |
1011 | </varlistentry> |
| 1012 | ||
| 1013 | <varlistentry> | |
| 1014 | <term><option>--drop-capability=</option></term> | |
| 1015 | ||
| 1016 | <listitem><para>Specify one or more additional capabilities to | |
| 1017 | drop for the container. This allows running the container with | |
| 1018 | fewer capabilities than the default (see | |
| 8a99bd0c ZJS |
1019 | above).</para> |
| 1020 | ||
| 1021 | <para>If the special value of <literal>help</literal> is passed, the program will print known | |
| 88fc9c9b TH |
1022 | capability names and exit.</para> |
| 1023 | ||
| 1024 | <para>This option sets the bounding set of capabilities which | |
| 1025 | also limits the ambient capabilities as given with the | |
| 1026 | <option>--ambient-capability=</option>.</para></listitem> | |
| 1027 | </varlistentry> | |
| 1028 | ||
| 1029 | <varlistentry> | |
| 1030 | <term><option>--ambient-capability=</option></term> | |
| 1031 | ||
| 1032 | <listitem><para>Specify one or more additional capabilities to | |
| 1033 | pass in the inheritable and ambient set to the program started | |
| 1034 | within the container. The value <literal>all</literal> is not | |
| 1035 | supported for this setting.</para> | |
| 1036 | ||
| 1037 | <para>All capabilities specified here must be in the set | |
| 1038 | allowed with the <option>--capability=</option> and | |
| 1039 | <option>--drop-capability=</option> options. Otherwise, an | |
| 1040 | error message will be shown.</para> | |
| 1041 | ||
| 1042 | <para>This option cannot be combined with the boot mode of the | |
| 1043 | container (as requested via <option>--boot</option>).</para> | |
| 1044 | ||
| 1045 | <para>If the special value of <literal>help</literal> is | |
| 1046 | passed, the program will print known capability names and | |
| 1047 | exit.</para></listitem> | |
| 798d3a52 ZJS |
1048 | </varlistentry> |
| 1049 | ||
| 66edd963 LP |
1050 | <varlistentry> |
| 1051 | <term><option>--no-new-privileges=</option></term> | |
| 1052 | ||
| 6b000af4 LP |
1053 | <listitem><para>Takes a boolean argument. Specifies the value of the |
| 1054 | <constant>PR_SET_NO_NEW_PRIVS</constant> flag for the container payload. Defaults to off. When turned | |
| 1055 | on the payload code of the container cannot acquire new privileges, i.e. the "setuid" file bit as | |
| 1056 | well as file system capabilities will not have an effect anymore. See <citerefentry | |
| 1057 | project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
| 1058 | details about this flag. </para></listitem> | |
| 66edd963 LP |
1059 | </varlistentry> |
| 1060 | ||
| 960e4569 | 1061 | <varlistentry> |
| 6b000af4 LP |
1062 | <term><option>--system-call-filter=</option></term> <listitem><para>Alter the system call filter |
| 1063 | applied to containers. Takes a space-separated list of system call names or group names (the latter | |
| 1064 | prefixed with <literal>@</literal>, as listed by the <command>syscall-filter</command> command of | |
| c7fc3c4c | 1065 | <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Passed |
| 6b000af4 LP |
1066 | system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which |
| 1067 | case all listed system calls are prohibited. If this command line option is used multiple times the | |
| 1068 | configured lists are combined. If both a positive and a negative list (that is one system call list | |
| 1069 | without and one with the <literal>~</literal> prefix) are configured, the negative list takes | |
| 1070 | precedence over the positive list. Note that <command>systemd-nspawn</command> always implements a | |
| 1071 | system call allow list (as opposed to a deny list!), and this command line option hence adds or | |
| 1072 | removes entries from the default allow list, depending on the <literal>~</literal> prefix. Note that | |
| 1073 | the applied system call filter is also altered implicitly if additional capabilities are passed using | |
| 1074 | the <command>--capabilities=</command>.</para></listitem> | |
| 960e4569 LP |
1075 | </varlistentry> |
| 1076 | ||
| d99058c9 LP |
1077 | <varlistentry> |
| 1078 | <term><option>-Z</option></term> | |
| 1079 | <term><option>--selinux-context=</option></term> | |
| 1080 | ||
| 1081 | <listitem><para>Sets the SELinux security context to be used | |
| 1082 | to label processes in the container.</para> | |
| 1083 | </listitem> | |
| 1084 | </varlistentry> | |
| 1085 | ||
| 1086 | <varlistentry> | |
| 1087 | <term><option>-L</option></term> | |
| 1088 | <term><option>--selinux-apifs-context=</option></term> | |
| 1089 | ||
| 1090 | <listitem><para>Sets the SELinux security context to be used | |
| 1091 | to label files in the virtual API file systems in the | |
| 1092 | container.</para> | |
| 1093 | </listitem> | |
| 1094 | </varlistentry> | |
| 1095 | </variablelist> | |
| 1096 | ||
| 1097 | </refsect2><refsect2> | |
| 1098 | <title>Resource Options</title> | |
| 1099 | ||
| 1100 | <variablelist> | |
| 1101 | ||
| bf428efb LP |
1102 | <varlistentry> |
| 1103 | <term><option>--rlimit=</option></term> | |
| 1104 | ||
| 1105 | <listitem><para>Sets the specified POSIX resource limit for the container payload. Expects an assignment of the | |
| 1106 | form | |
| 1107 | <literal><replaceable>LIMIT</replaceable>=<replaceable>SOFT</replaceable>:<replaceable>HARD</replaceable></literal> | |
| 1108 | or <literal><replaceable>LIMIT</replaceable>=<replaceable>VALUE</replaceable></literal>, where | |
| 1109 | <replaceable>LIMIT</replaceable> should refer to a resource limit type, such as | |
| 1110 | <constant>RLIMIT_NOFILE</constant> or <constant>RLIMIT_NICE</constant>. The <replaceable>SOFT</replaceable> and | |
| 1111 | <replaceable>HARD</replaceable> fields should refer to the numeric soft and hard resource limit values. If the | |
| 1b2ad5d9 | 1112 | second form is used, <replaceable>VALUE</replaceable> may specify a value that is used both as soft and hard |
| bf428efb LP |
1113 | limit. In place of a numeric value the special string <literal>infinity</literal> may be used to turn off |
| 1114 | resource limiting for the specific type of resource. This command line option may be used multiple times to | |
| 1b2ad5d9 | 1115 | control limits on multiple limit types. If used multiple times for the same limit type, the last use |
| bf428efb LP |
1116 | wins. For details about resource limits see <citerefentry |
| 1117 | project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>. By default | |
| 1118 | resource limits for the container's init process (PID 1) are set to the same values the Linux kernel originally | |
| 1119 | passed to the host init system. Note that some resource limits are enforced on resources counted per user, in | |
| 1120 | particular <constant>RLIMIT_NPROC</constant>. This means that unless user namespacing is deployed | |
| 1121 | (i.e. <option>--private-users=</option> is used, see above), any limits set will be applied to the resource | |
| 1122 | usage of the same user on all local containers as well as the host. This means particular care needs to be | |
| 1123 | taken with these limits as they might be triggered by possibly less trusted code. Example: | |
| 1124 | <literal>--rlimit=RLIMIT_NOFILE=8192:16384</literal>.</para></listitem> | |
| 1125 | </varlistentry> | |
| 1126 | ||
| 81f345df LP |
1127 | <varlistentry> |
| 1128 | <term><option>--oom-score-adjust=</option></term> | |
| 1129 | ||
| 1130 | <listitem><para>Changes the OOM ("Out Of Memory") score adjustment value for the container payload. This controls | |
| 1131 | <filename>/proc/self/oom_score_adj</filename> which influences the preference with which this container is | |
| 1132 | terminated when memory becomes scarce. For details see <citerefentry | |
| 1133 | project='man-pages'><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>. Takes an | |
| 1134 | integer in the range -1000…1000.</para></listitem> | |
| 1135 | </varlistentry> | |
| 1136 | ||
| d107bb7d LP |
1137 | <varlistentry> |
| 1138 | <term><option>--cpu-affinity=</option></term> | |
| 1139 | ||
| 1140 | <listitem><para>Controls the CPU affinity of the container payload. Takes a comma separated list of CPU numbers | |
| 1141 | or number ranges (the latter's start and end value separated by dashes). See <citerefentry | |
| 1142 | project='man-pages'><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
| 1143 | details.</para></listitem> | |
| 1144 | </varlistentry> | |
| 1145 | ||
| c6c8f6e2 | 1146 | <varlistentry> |
| d99058c9 | 1147 | <term><option>--personality=</option></term> |
| b09c0bba | 1148 | |
| d99058c9 LP |
1149 | <listitem><para>Control the architecture ("personality") |
| 1150 | reported by | |
| 1151 | <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
| 1152 | in the container. Currently, only <literal>x86</literal> and | |
| 1153 | <literal>x86-64</literal> are supported. This is useful when | |
| 1154 | running a 32-bit container on a 64-bit host. If this setting | |
| 1155 | is not used, the personality reported in the container is the | |
| 1156 | same as the one reported on the host.</para></listitem> | |
| 798d3a52 | 1157 | </varlistentry> |
| d99058c9 | 1158 | </variablelist> |
| 798d3a52 | 1159 | |
| d99058c9 LP |
1160 | </refsect2><refsect2> |
| 1161 | <title>Integration Options</title> | |
| 798d3a52 | 1162 | |
| d99058c9 | 1163 | <variablelist> |
| 09d423e9 LP |
1164 | <varlistentry> |
| 1165 | <term><option>--resolv-conf=</option></term> | |
| 1166 | ||
| e309b929 LP |
1167 | <listitem><para>Configures how <filename>/etc/resolv.conf</filename> inside of the container shall be |
| 1168 | handled (i.e. DNS configuration synchronization from host to container). Takes one of | |
| 1169 | <literal>off</literal>, <literal>copy-host</literal>, <literal>copy-static</literal>, | |
| 1170 | <literal>copy-uplink</literal>, <literal>copy-stub</literal>, <literal>replace-host</literal>, | |
| 1171 | <literal>replace-static</literal>, <literal>replace-uplink</literal>, | |
| 1172 | <literal>replace-stub</literal>, <literal>bind-host</literal>, <literal>bind-static</literal>, | |
| 1173 | <literal>bind-uplink</literal>, <literal>bind-stub</literal>, <literal>delete</literal> or | |
| 1174 | <literal>auto</literal>.</para> | |
| 1175 | ||
| 1176 | <para>If set to <literal>off</literal> the <filename>/etc/resolv.conf</filename> file in the | |
| 1177 | container is left as it is included in the image, and neither modified nor bind mounted over.</para> | |
| 1178 | ||
| 1179 | <para>If set to <literal>copy-host</literal>, the <filename>/etc/resolv.conf</filename> file from the | |
| 1180 | host is copied into the container, unless the file exists already and is not a regular file (e.g. a | |
| 1181 | symlink). Similar, if <literal>replace-host</literal> is used the file is copied, replacing any | |
| 1182 | existing inode, including symlinks. Similar, if <literal>bind-host</literal> is used, the file is | |
| 1183 | bind mounted from the host into the container.</para> | |
| 1184 | ||
| 1185 | <para>If set to <literal>copy-static</literal>, <literal>replace-static</literal> or | |
| 1186 | <literal>bind-static</literal> the static <filename>resolv.conf</filename> file supplied with | |
| 1187 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 1188 | (specifically: <filename>/usr/lib/systemd/resolv.conf</filename>) is copied or bind mounted into the | |
| 1189 | container.</para> | |
| 1190 | ||
| 1191 | <para>If set to <literal>copy-uplink</literal>, <literal>replace-uplink</literal> or | |
| 1192 | <literal>bind-uplink</literal> the uplink <filename>resolv.conf</filename> file managed by | |
| 1193 | <filename>systemd-resolved.service</filename> (specifically: | |
| 1194 | <filename>/run/systemd/resolve/resolv.conf</filename>) is copied or bind mounted into the | |
| 1195 | container.</para> | |
| 1196 | ||
| 1197 | <para>If set to <literal>copy-stub</literal>, <literal>replace-stub</literal> or | |
| 1198 | <literal>bind-stub</literal> the stub <filename>resolv.conf</filename> file managed by | |
| 1199 | <filename>systemd-resolved.service</filename> (specifically: | |
| 1200 | <filename>/run/systemd/resolve/stub-resolv.conf</filename>) is copied or bind mounted into the | |
| 1201 | container.</para> | |
| 1202 | ||
| 1203 | <para>If set to <literal>delete</literal> the <filename>/etc/resolv.conf</filename> file in the | |
| 1204 | container is deleted if it exists.</para> | |
| 1205 | ||
| 1206 | <para>Finally, if set to <literal>auto</literal> the file is left as it is if private networking is | |
| 1207 | turned on (see <option>--private-network</option>). Otherwise, if | |
| e9dd6984 ZJS |
1208 | <filename>systemd-resolved.service</filename> is running its stub <filename>resolv.conf</filename> |
| 1209 | file is used, and if not the host's <filename>/etc/resolv.conf</filename> file. In the latter cases | |
| 1210 | the file is copied if the image is writable, and bind mounted otherwise.</para> | |
| e309b929 LP |
1211 | |
| 1212 | <para>It's recommended to use <literal>copy-…</literal> or <literal>replace-…</literal> if the | |
| 1213 | container shall be able to make changes to the DNS configuration on its own, deviating from the | |
| 1214 | host's settings. Otherwise <literal>bind</literal> is preferable, as it means direct changes to | |
| 1215 | <filename>/etc/resolv.conf</filename> in the container are not allowed, as it is a read-only bind | |
| 1216 | mount (but note that if the container has enough privileges, it might simply go ahead and unmount the | |
| 1217 | bind mount anyway). Note that both if the file is bind mounted and if it is copied no further | |
| 1218 | propagation of configuration is generally done after the one-time early initialization (this is | |
| 1219 | because the file is usually updated through copying and renaming). Defaults to | |
| 09d423e9 LP |
1220 | <literal>auto</literal>.</para></listitem> |
| 1221 | </varlistentry> | |
| 1222 | ||
| 1688841f LP |
1223 | <varlistentry> |
| 1224 | <term><option>--timezone=</option></term> | |
| 1225 | ||
| e9dd6984 ZJS |
1226 | <listitem><para>Configures how <filename>/etc/localtime</filename> inside of the container |
| 1227 | (i.e. local timezone synchronization from host to container) shall be handled. Takes one of | |
| 1228 | <literal>off</literal>, <literal>copy</literal>, <literal>bind</literal>, <literal>symlink</literal>, | |
| 1229 | <literal>delete</literal> or <literal>auto</literal>. If set to <literal>off</literal> the | |
| 1230 | <filename>/etc/localtime</filename> file in the container is left as it is included in the image, and | |
| 1231 | neither modified nor bind mounted over. If set to <literal>copy</literal> the | |
| 1232 | <filename>/etc/localtime</filename> file of the host is copied into the container. Similarly, if | |
| 1233 | <literal>bind</literal> is used, the file is bind mounted from the host into the container. If set to | |
| 1234 | <literal>symlink</literal>, a symlink is created pointing from <filename>/etc/localtime</filename> in | |
| 1235 | the container to the timezone file in the container that matches the timezone setting on the host. If | |
| 1236 | set to <literal>delete</literal>, the file in the container is deleted, should it exist. If set to | |
| 1237 | <literal>auto</literal> and the <filename>/etc/localtime</filename> file of the host is a symlink, | |
| 1238 | then <literal>symlink</literal> mode is used, and <literal>copy</literal> otherwise, except if the | |
| 1239 | image is read-only in which case <literal>bind</literal> is used instead. Defaults to | |
| 1688841f LP |
1240 | <literal>auto</literal>.</para></listitem> |
| 1241 | </varlistentry> | |
| 1242 | ||
| 798d3a52 | 1243 | <varlistentry> |
| d99058c9 | 1244 | <term><option>--link-journal=</option></term> |
| 798d3a52 | 1245 | |
| d99058c9 LP |
1246 | <listitem><para>Control whether the container's journal shall |
| 1247 | be made visible to the host system. If enabled, allows viewing | |
| 1248 | the container's journal files from the host (but not vice | |
| 1249 | versa). Takes one of <literal>no</literal>, | |
| 1250 | <literal>host</literal>, <literal>try-host</literal>, | |
| 1251 | <literal>guest</literal>, <literal>try-guest</literal>, | |
| 1252 | <literal>auto</literal>. If <literal>no</literal>, the journal | |
| 1253 | is not linked. If <literal>host</literal>, the journal files | |
| 1254 | are stored on the host file system (beneath | |
| 1255 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 1256 | and the subdirectory is bind-mounted into the container at the | |
| 1257 | same location. If <literal>guest</literal>, the journal files | |
| 1258 | are stored on the guest file system (beneath | |
| 1259 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 1260 | and the subdirectory is symlinked into the host at the same | |
| 1261 | location. <literal>try-host</literal> and | |
| 1262 | <literal>try-guest</literal> do the same but do not fail if | |
| 1263 | the host does not have persistent journaling enabled. If | |
| 1264 | <literal>auto</literal> (the default), and the right | |
| 1265 | subdirectory of <filename>/var/log/journal</filename> exists, | |
| 1266 | it will be bind mounted into the container. If the | |
| 1267 | subdirectory does not exist, no linking is performed. | |
| 1268 | Effectively, booting a container once with | |
| 1269 | <literal>guest</literal> or <literal>host</literal> will link | |
| 1270 | the journal persistently if further on the default of | |
| 1271 | <literal>auto</literal> is used.</para> | |
| 1272 | ||
| 1273 | <para>Note that <option>--link-journal=try-guest</option> is the default if the | |
| 1274 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem> | |
| 798d3a52 ZJS |
1275 | </varlistentry> |
| 1276 | ||
| d99058c9 LP |
1277 | <varlistentry> |
| 1278 | <term><option>-j</option></term> | |
| 1279 | ||
| 1280 | <listitem><para>Equivalent to | |
| 1281 | <option>--link-journal=try-guest</option>.</para></listitem> | |
| 1282 | </varlistentry> | |
| 1283 | ||
| 1284 | </variablelist> | |
| 1285 | ||
| 1286 | </refsect2><refsect2> | |
| 1287 | <title>Mount Options</title> | |
| 1288 | ||
| 1289 | <variablelist> | |
| 1290 | ||
| 798d3a52 ZJS |
1291 | <varlistentry> |
| 1292 | <term><option>--bind=</option></term> | |
| 1293 | <term><option>--bind-ro=</option></term> | |
| 1294 | ||
| 86c0dd4a | 1295 | <listitem><para>Bind mount a file or directory from the host into the container. Takes one of: a path |
| c7a4890c LP |
1296 | argument — in which case the specified path will be mounted from the host to the same path in the container, or |
| 1297 | a colon-separated pair of paths — in which case the first specified path is the source in the host, and the | |
| 1298 | second path is the destination in the container, or a colon-separated triple of source path, destination path | |
| 86c0dd4a | 1299 | and mount options. The source path may optionally be prefixed with a <literal>+</literal> character. If so, the |
| c7a4890c LP |
1300 | source path is taken relative to the image's root directory. This permits setting up bind mounts within the |
| 1301 | container image. The source path may be specified as empty string, in which case a temporary directory below | |
| 3b121157 | 1302 | the host's <filename>/var/tmp/</filename> directory is used. It is automatically removed when the container is |
| c7a4890c LP |
1303 | shut down. Mount options are comma-separated and currently, only <option>rbind</option> and |
| 1304 | <option>norbind</option> are allowed, controlling whether to create a recursive or a regular bind | |
| 1305 | mount. Defaults to "rbind". Backslash escapes are interpreted, so <literal>\:</literal> may be used to embed | |
| 1306 | colons in either path. This option may be specified multiple times for creating multiple independent bind | |
| 994a6364 LP |
1307 | mount points. The <option>--bind-ro=</option> option creates read-only bind mounts.</para> |
| 1308 | ||
| 1309 | <para>Note that when this option is used in combination with <option>--private-users</option>, the resulting | |
| 1310 | mount points will be owned by the <constant>nobody</constant> user. That's because the mount and its files and | |
| 1311 | directories continue to be owned by the relevant host users and groups, which do not exist in the container, | |
| 1312 | and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to | |
| 1313 | make them read-only, using <option>--bind-ro=</option>.</para></listitem> | |
| 798d3a52 ZJS |
1314 | </varlistentry> |
| 1315 | ||
| 3d6c3675 LP |
1316 | <varlistentry> |
| 1317 | <term><option>--inaccessible=</option></term> | |
| 1318 | ||
| 1319 | <listitem><para>Make the specified path inaccessible in the container. This over-mounts the specified path | |
| 1320 | (which must exist in the container) with a file node of the same type that is empty and has the most | |
| 1321 | restrictive access mode supported. This is an effective way to mask files, directories and other file system | |
| 1322 | objects from the container payload. This option may be used more than once in case all specified paths are | |
| 1323 | masked.</para></listitem> | |
| 1324 | </varlistentry> | |
| 1325 | ||
| 798d3a52 ZJS |
1326 | <varlistentry> |
| 1327 | <term><option>--tmpfs=</option></term> | |
| 1328 | ||
| b23f1628 LP |
1329 | <listitem><para>Mount a tmpfs file system into the container. Takes a single absolute path argument that |
| 1330 | specifies where to mount the tmpfs instance to (in which case the directory access mode will be chosen as 0755, | |
| 1331 | owned by root/root), or optionally a colon-separated pair of path and mount option string that is used for | |
| 1332 | mounting (in which case the kernel default for access mode and owner will be chosen, unless otherwise | |
| 1333 | specified). Backslash escapes are interpreted in the path, so <literal>\:</literal> may be used to embed colons | |
| 1334 | in the path.</para> | |
| 1335 | ||
| 1336 | <para>Note that this option cannot be used to replace the root file system of the container with a temporary | |
| 1337 | file system. However, the <option>--volatile=</option> option described below provides similar | |
| 1338 | functionality, with a focus on implementing stateless operating system images.</para></listitem> | |
| 798d3a52 ZJS |
1339 | </varlistentry> |
| 1340 | ||
| 5a8af538 LP |
1341 | <varlistentry> |
| 1342 | <term><option>--overlay=</option></term> | |
| 1343 | <term><option>--overlay-ro=</option></term> | |
| 1344 | ||
| 1345 | <listitem><para>Combine multiple directory trees into one | |
| 1346 | overlay file system and mount it into the container. Takes a | |
| 1347 | list of colon-separated paths to the directory trees to | |
| 1348 | combine and the destination mount point.</para> | |
| 1349 | ||
| 2eadf91c RM |
1350 | <para>Backslash escapes are interpreted in the paths, so |
| 1351 | <literal>\:</literal> may be used to embed colons in the paths. | |
| 1352 | </para> | |
| 1353 | ||
| 5a8af538 LP |
1354 | <para>If three or more paths are specified, then the last |
| 1355 | specified path is the destination mount point in the | |
| 1356 | container, all paths specified before refer to directory trees | |
| 1357 | on the host and are combined in the specified order into one | |
| 1358 | overlay file system. The left-most path is hence the lowest | |
| 1359 | directory tree, the second-to-last path the highest directory | |
| 1360 | tree in the stacking order. If <option>--overlay-ro=</option> | |
| b938cb90 | 1361 | is used instead of <option>--overlay=</option>, a read-only |
| 5a8af538 | 1362 | overlay file system is created. If a writable overlay file |
| b938cb90 | 1363 | system is created, all changes made to it are written to the |
| 5a8af538 LP |
1364 | highest directory tree in the stacking order, i.e. the |
| 1365 | second-to-last specified.</para> | |
| 1366 | ||
| 1367 | <para>If only two paths are specified, then the second | |
| 1368 | specified path is used both as the top-level directory tree in | |
| 1369 | the stacking order as seen from the host, as well as the mount | |
| 1370 | point for the overlay file system in the container. At least | |
| 1371 | two paths have to be specified.</para> | |
| 1372 | ||
| 3b121157 ZJS |
1373 | <para>The source paths may optionally be prefixed with <literal>+</literal> character. If so they are |
| 1374 | taken relative to the image's root directory. The uppermost source path may also be specified as an | |
| 1375 | empty string, in which case a temporary directory below the host's <filename>/var/tmp/</filename> is | |
| 1376 | used. The directory is removed automatically when the container is shut down. This behaviour is | |
| 1377 | useful in order to make read-only container directories writable while the container is running. For | |
| 1378 | example, use <literal>--overlay=+/var::/var</literal> in order to automatically overlay a writable | |
| 1379 | temporary directory on a read-only <filename>/var/</filename> directory.</para> | |
| 86c0dd4a | 1380 | |
| 5a8af538 LP |
1381 | <para>For details about overlay file systems, see <ulink |
| 1382 | url="https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt">overlayfs.txt</ulink>. Note | |
| 1383 | that the semantics of overlay file systems are substantially | |
| 1384 | different from normal file systems, in particular regarding | |
| 1385 | reported device and inode information. Device and inode | |
| 1386 | information may change for a file while it is being written | |
| 1387 | to, and processes might see out-of-date versions of files at | |
| 1388 | times. Note that this switch automatically derives the | |
| 1389 | <literal>workdir=</literal> mount option for the overlay file | |
| 1390 | system from the top-level directory tree, making it a sibling | |
| 1391 | of it. It is hence essential that the top-level directory tree | |
| 1392 | is not a mount point itself (since the working directory must | |
| 1393 | be on the same file system as the top-most directory | |
| 1394 | tree). Also note that the <literal>lowerdir=</literal> mount | |
| 1395 | option receives the paths to stack in the opposite order of | |
| b23f1628 LP |
1396 | this switch.</para> |
| 1397 | ||
| 1398 | <para>Note that this option cannot be used to replace the root file system of the container with an overlay | |
| d99058c9 | 1399 | file system. However, the <option>--volatile=</option> option described above provides similar functionality, |
| b23f1628 | 1400 | with a focus on implementing stateless operating system images.</para></listitem> |
| 5a8af538 | 1401 | </varlistentry> |
| d99058c9 | 1402 | </variablelist> |
| 5a8af538 | 1403 | |
| d99058c9 LP |
1404 | </refsect2><refsect2> |
| 1405 | <title>Input/Output Options</title> | |
| 798d3a52 | 1406 | |
| d99058c9 | 1407 | <variablelist> |
| 3d6c3675 LP |
1408 | <varlistentry> |
| 1409 | <term><option>--console=</option><replaceable>MODE</replaceable></term> | |
| 1410 | ||
| 7a25ba55 ZJS |
1411 | <listitem><para>Configures how to set up standard input, output and error output for the container |
| 1412 | payload, as well as the <filename>/dev/console</filename> device for the container. Takes one of | |
| 10e8a60b LP |
1413 | <option>interactive</option>, <option>read-only</option>, <option>passive</option>, |
| 1414 | <option>pipe</option> or <option>autopipe</option>. If <option>interactive</option>, a pseudo-TTY is | |
| 1415 | allocated and made available as <filename>/dev/console</filename> in the container. It is then | |
| 1416 | bi-directionally connected to the standard input and output passed to | |
| 1417 | <command>systemd-nspawn</command>. <option>read-only</option> is similar but only the output of the | |
| 1418 | container is propagated and no input from the caller is read. If <option>passive</option>, a pseudo | |
| 1419 | TTY is allocated, but it is not connected anywhere. In <option>pipe</option> mode no pseudo TTY is | |
| 1420 | allocated, but the standard input, output and error output file descriptors passed to | |
| 1421 | <command>systemd-nspawn</command> are passed on — as they are — to the container payload, see the | |
| 1422 | following paragraph. Finally, <option>autopipe</option> mode operates like | |
| 1423 | <option>interactive</option> when <command>systemd-nspawn</command> is invoked on a terminal, and | |
| 1424 | like <option>pipe</option> otherwise. Defaults to <option>interactive</option> if | |
| 3d6c3675 | 1425 | <command>systemd-nspawn</command> is invoked from a terminal, and <option>read-only</option> |
| 7a25ba55 ZJS |
1426 | otherwise.</para> |
| 1427 | ||
| 1428 | <para>In <option>pipe</option> mode, <filename>/dev/console</filename> will not exist in the | |
| 1429 | container. This means that the container payload generally cannot be a full init system as init | |
| 1430 | systems tend to require <filename>/dev/console</filename> to be available. On the other hand, in this | |
| 1431 | mode container invocations can be used within shell pipelines. This is because intermediary pseudo | |
| 1432 | TTYs do not permit independent bidirectional propagation of the end-of-file (EOF) condition, which is | |
| 1433 | necessary for shell pipelines to work correctly. <emphasis>Note that the <option>pipe</option> mode | |
| 1434 | should be used carefully</emphasis>, as passing arbitrary file descriptors to less trusted container | |
| 1435 | payloads might open up unwanted interfaces for access by the container payload. For example, if a | |
| 1436 | passed file descriptor refers to a TTY of some form, APIs such as <constant>TIOCSTI</constant> may be | |
| 1437 | used to synthesize input that might be used for escaping the container. Hence <option>pipe</option> | |
| 1438 | mode should only be used if the payload is sufficiently trusted or when the standard | |
| 1439 | input/output/error output file descriptors are known safe, for example pipes.</para></listitem> | |
| 3d6c3675 LP |
1440 | </varlistentry> |
| 1441 | ||
| 1442 | <varlistentry> | |
| 1443 | <term><option>--pipe</option></term> | |
| 1444 | <term><option>-P</option></term> | |
| 1445 | ||
| 1446 | <listitem><para>Equivalent to <option>--console=pipe</option>.</para></listitem> | |
| 1447 | </varlistentry> | |
| 60cc90b9 LP |
1448 | </variablelist> |
| 1449 | ||
| 1450 | </refsect2><refsect2> | |
| 1451 | <title>Credentials</title> | |
| 1452 | ||
| 1453 | <variablelist> | |
| 1454 | <varlistentry> | |
| 1455 | <term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term> | |
| 1456 | <term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term> | |
| 1457 | ||
| 508fa02d | 1458 | <listitem><para>Pass a credential to the container. These two options correspond to the |
| 60cc90b9 LP |
1459 | <varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See |
| 1460 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
| 1461 | details about these concepts, as well as the syntax of the option's arguments.</para> | |
| 1462 | ||
| 508fa02d ZJS |
1463 | <para>Note: when <command>systemd-nspawn</command> runs as systemd system service it can propagate |
| 1464 | the credentials it received via <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> | |
| 1465 | to the container payload. A systemd service manager running as PID 1 in the container can further | |
| 1466 | propagate them to the services it itself starts. It is thus possible to easily propagate credentials | |
| 1467 | from a parent service manager to a container manager service and from there into its payload. This | |
| 1468 | can even be done recursively.</para> | |
| 1469 | ||
| 1470 | <para>In order to embed binary data into the credential data for <option>--set-credential=</option> | |
| 1471 | use C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to | |
| 1472 | embed a <constant>NUL</constant> byte. Note that the invoking shell might already apply unescaping | |
| 1473 | once, hence this might require double escaping!).</para></listitem> | |
| 60cc90b9 LP |
1474 | </varlistentry> |
| 1475 | ||
| 1476 | </variablelist> | |
| 1477 | ||
| 1478 | </refsect2><refsect2> | |
| 1479 | <title>Other</title> | |
| 1480 | ||
| 1481 | <variablelist> | |
| bb068de0 | 1482 | <xi:include href="standard-options.xml" xpointer="no-pager" /> |
| 798d3a52 ZJS |
1483 | <xi:include href="standard-options.xml" xpointer="help" /> |
| 1484 | <xi:include href="standard-options.xml" xpointer="version" /> | |
| 1485 | </variablelist> | |
| d99058c9 | 1486 | </refsect2> |
| 798d3a52 ZJS |
1487 | </refsect1> |
| 1488 | ||
| 4ef3ca34 | 1489 | <xi:include href="common-variables.xml" /> |
| bb068de0 | 1490 | |
| 798d3a52 ZJS |
1491 | <refsect1> |
| 1492 | <title>Examples</title> | |
| 1493 | ||
| 1494 | <example> | |
| 12c4ee0a ZJS |
1495 | <title>Download a |
| 1496 | <ulink url="https://getfedora.org">Fedora</ulink> image and start a shell in it</title> | |
| 798d3a52 | 1497 | |
| 3797fd0a | 1498 | <programlisting># machinectl pull-raw --verify=no \ |
| b12a67ae AZ |
1499 | https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz \ |
| 1500 | Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64 | |
| 1501 | # systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64</programlisting> | |
| e0ea94c1 | 1502 | |
| 798d3a52 ZJS |
1503 | <para>This downloads an image using |
| 1504 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 1505 | and opens a shell in it.</para> | |
| 1506 | </example> | |
| e0ea94c1 | 1507 | |
| 798d3a52 ZJS |
1508 | <example> |
| 1509 | <title>Build and boot a minimal Fedora distribution in a container</title> | |
| 8f7a3c14 | 1510 | |
| 7a8aa0ec | 1511 | <programlisting># dnf -y --releasever=&fedora_latest_version; --installroot=/var/lib/machines/f&fedora_latest_version; \ |
| 3797fd0a | 1512 | --disablerepo='*' --enablerepo=fedora --enablerepo=updates install \ |
| a345d5c1 | 1513 | systemd passwd dnf fedora-release vim-minimal glibc-minimal-langpack |
| 7a8aa0ec | 1514 | # systemd-nspawn -bD /var/lib/machines/f&fedora_latest_version;</programlisting> |
| 8f7a3c14 | 1515 | |
| 798d3a52 | 1516 | <para>This installs a minimal Fedora distribution into the |
| b0343f8c | 1517 | directory <filename index="false">/var/lib/machines/f&fedora_latest_version;</filename> |
| e9dd6984 | 1518 | and then boots that OS in a namespace container. Because the installation |
| 55107232 ZJS |
1519 | is located underneath the standard <filename>/var/lib/machines/</filename> |
| 1520 | directory, it is also possible to start the machine using | |
| 7a8aa0ec | 1521 | <command>systemd-nspawn -M f&fedora_latest_version;</command>.</para> |
| 798d3a52 | 1522 | </example> |
| 8f7a3c14 | 1523 | |
| 798d3a52 ZJS |
1524 | <example> |
| 1525 | <title>Spawn a shell in a container of a minimal Debian unstable distribution</title> | |
| 8f7a3c14 | 1526 | |
| 7f8b3d1d | 1527 | <programlisting># debootstrap unstable ~/debian-tree/ |
| 25f5971b | 1528 | # systemd-nspawn -D ~/debian-tree/</programlisting> |
| 8f7a3c14 | 1529 | |
| 798d3a52 ZJS |
1530 | <para>This installs a minimal Debian unstable distribution into |
| 1531 | the directory <filename>~/debian-tree/</filename> and then | |
| e9dd6984 | 1532 | spawns a shell from this image in a namespace container.</para> |
| 12c4ee0a ZJS |
1533 | |
| 1534 | <para><command>debootstrap</command> supports | |
| 1535 | <ulink url="https://www.debian.org">Debian</ulink>, | |
| 1536 | <ulink url="https://www.ubuntu.com">Ubuntu</ulink>, | |
| 1537 | and <ulink url="https://www.tanglu.org">Tanglu</ulink> | |
| 1538 | out of the box, so the same command can be used to install any of those. For other | |
| 1539 | distributions from the Debian family, a mirror has to be specified, see | |
| 1540 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
| 1541 | </para> | |
| 798d3a52 | 1542 | </example> |
| 8f7a3c14 | 1543 | |
| 798d3a52 | 1544 | <example> |
| 12c4ee0a ZJS |
1545 | <title>Boot a minimal |
| 1546 | <ulink url="https://www.archlinux.org">Arch Linux</ulink> distribution in a container</title> | |
| 68562936 | 1547 | |
| 9a027075 | 1548 | <programlisting># pacstrap -c ~/arch-tree/ base |
| 68562936 WG |
1549 | # systemd-nspawn -bD ~/arch-tree/</programlisting> |
| 1550 | ||
| ff9b60f3 | 1551 | <para>This installs a minimal Arch Linux distribution into the |
| 798d3a52 ZJS |
1552 | directory <filename>~/arch-tree/</filename> and then boots an OS |
| 1553 | in a namespace container in it.</para> | |
| 1554 | </example> | |
| 68562936 | 1555 | |
| f518ee04 | 1556 | <example> |
| 12c4ee0a ZJS |
1557 | <title>Install the |
| 1558 | <ulink url="https://software.opensuse.org/distributions/tumbleweed">OpenSUSE Tumbleweed</ulink> | |
| 1559 | rolling distribution</title> | |
| f518ee04 ZJS |
1560 | |
| 1561 | <programlisting># zypper --root=/var/lib/machines/tumbleweed ar -c \ | |
| 1562 | https://download.opensuse.org/tumbleweed/repo/oss tumbleweed | |
| 1563 | # zypper --root=/var/lib/machines/tumbleweed refresh | |
| 1564 | # zypper --root=/var/lib/machines/tumbleweed install --no-recommends \ | |
| 1565 | systemd shadow zypper openSUSE-release vim | |
| 1566 | # systemd-nspawn -M tumbleweed passwd root | |
| 1567 | # systemd-nspawn -M tumbleweed -b</programlisting> | |
| 1568 | </example> | |
| 1569 | ||
| 798d3a52 | 1570 | <example> |
| 17cbb288 | 1571 | <title>Boot into an ephemeral snapshot of the host system</title> |
| f9f4dd51 | 1572 | |
| 798d3a52 | 1573 | <programlisting># systemd-nspawn -D / -xb</programlisting> |
| f9f4dd51 | 1574 | |
| 17cbb288 LP |
1575 | <para>This runs a copy of the host system in a snapshot which is removed immediately when the container |
| 1576 | exits. All file system changes made during runtime will be lost on shutdown, hence.</para> | |
| 798d3a52 | 1577 | </example> |
| f9f4dd51 | 1578 | |
| 798d3a52 ZJS |
1579 | <example> |
| 1580 | <title>Run a container with SELinux sandbox security contexts</title> | |
| a8828ed9 | 1581 | |
| 798d3a52 | 1582 | <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container |
| 3797fd0a ZJS |
1583 | # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 \ |
| 1584 | -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting> | |
| 798d3a52 | 1585 | </example> |
| b53ede69 PW |
1586 | |
| 1587 | <example> | |
| 1588 | <title>Run a container with an OSTree deployment</title> | |
| 1589 | ||
| 3797fd0a ZJS |
1590 | <programlisting># systemd-nspawn -b -i ~/image.raw \ |
| 1591 | --pivot-root=/ostree/deploy/$OS/deploy/$CHECKSUM:/sysroot \ | |
| 1592 | --bind=+/sysroot/ostree/deploy/$OS/var:/var</programlisting> | |
| b53ede69 | 1593 | </example> |
| 798d3a52 ZJS |
1594 | </refsect1> |
| 1595 | ||
| 1596 | <refsect1> | |
| 1597 | <title>Exit status</title> | |
| 1598 | ||
| 1599 | <para>The exit code of the program executed in the container is | |
| 1600 | returned.</para> | |
| 1601 | </refsect1> | |
| 1602 | ||
| 1603 | <refsect1> | |
| 1604 | <title>See Also</title> | |
| 1605 | <para> | |
| 1606 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| f757855e | 1607 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| 798d3a52 ZJS |
1608 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| 1609 | <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 798d3a52 ZJS |
1610 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| 1611 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| f518ee04 | 1612 | <citerefentry project='mankier'><refentrytitle>zypper</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| 798d3a52 ZJS |
1613 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| 1614 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 3ba3a79d | 1615 | <citerefentry project='man-pages'><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| 798d3a52 ZJS |
1616 | </para> |
| 1617 | </refsect1> | |
| 8f7a3c14 LP |
1618 | |
| 1619 | </refentry> |