]> git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.nspawn.xml
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #3428 from toanju/networkd/brvlan
[thirdparty/systemd.git] / man / systemd.nspawn.xml
CommitLineData
f757855e
LP		 1<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4<!ENTITY % entities SYSTEM "custom-entities.ent" >
5%entities;
6]>
7
8<!--
9 This file is part of systemd.
10
11 Copyright 2015 Lennart Poettering
12
13 systemd is free software; you can redistribute it and/or modify it
14 under the terms of the GNU Lesser General Public License as published by
15 the Free Software Foundation; either version 2.1 of the License, or
16 (at your option) any later version.
17
18 systemd is distributed in the hope that it will be useful, but
19 WITHOUT ANY WARRANTY; without even the implied warranty of
20 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
21 Lesser General Public License for more details.
22
23 You should have received a copy of the GNU Lesser General Public License
24 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25-->
26
27<refentry id="systemd.nspawn">
28
29 <refentryinfo>
30 <title>systemd.nspawn</title>
31 <productname>systemd</productname>
32
33 <authorgroup>
34 <author>
35 <contrib>Developer</contrib>
36 <firstname>Lennart</firstname>
37 <surname>Poettering</surname>
38 <email>lennart@poettering.net</email>
39 </author>
40 </authorgroup>
41 </refentryinfo>
42
43 <refmeta>
44 <refentrytitle>systemd.nspawn</refentrytitle>
45 <manvolnum>5</manvolnum>
46 </refmeta>
47
48 <refnamediv>
49 <refname>systemd.nspawn</refname>
50 <refpurpose>Container settings</refpurpose>
51 </refnamediv>
52
53 <refsynopsisdiv>
54 <para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
55 <para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
56 <para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
57 </refsynopsisdiv>
58
59 <refsect1>
60 <title>Description</title>
61
62 <para>An nspawn container settings file (suffix
63 <filename>.nspawn</filename>) encodes additional runtime
64 information about a local container, and is searched, read and
65 used by
66 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
67 when starting a container. Files of this type are named after the
68 containers they define settings for. They are optional, and only
69 required for containers whose execution environment shall differ
70 from the defaults. Files of this type mostly contain settings that
71 may also be set on the <command>systemd-nspawn</command> command
72 line, and make it easier to persistently attach specific settings
73 to specific containers. The syntax of these files is inspired by
74 <filename>.desktop</filename> files following the <ulink
75 url="http://standards.freedesktop.org/desktop-entry-spec/latest/">XDG
a8eaaee7 76 Desktop Entry Specification</ulink>, which in turn are inspired by
f757855e
LP		 77 Microsoft Windows <filename>.ini</filename> files.</para>
78
79 <para>Boolean arguments used in these settings files can be
b938cb90 80 written in various formats. For positive settings, the strings
f757855e
LP		 81 <option>1</option>, <option>yes</option>, <option>true</option>
82 and <option>on</option> are equivalent. For negative settings, the
83 strings <option>0</option>, <option>no</option>,
84 <option>false</option> and <option>off</option> are
85 equivalent.</para>
86
87 <para>Empty lines and lines starting with # or ; are
88 ignored. This may be used for commenting. Lines ending
89 in a backslash are concatenated with the following
90 line while reading and the backslash is replaced by a
91 space character. This may be used to wrap long lines.</para>
92
93 </refsect1>
94
95 <refsect1>
96 <title><filename>.nspawn</filename> File Discovery</title>
97
98 <para>Files are searched by appending the
99 <filename>.nspawn</filename> suffix to the machine name of the
100 container, as specified with the <option>--machine=</option>
101 switch of <command>systemd-nspawn</command>, or derived from the
102 directory or image file name. This file is first searched in
103 <filename>/etc/systemd/nspawn/</filename> and
104 <filename>/run/systemd/nspawn/</filename>. If found in these
b938cb90 105 directories, its settings are read and all of them take full effect
4f76ef04 106 (but are possibly overridden by corresponding command line
b938cb90 107 arguments). If not found, the file will then be searched next to
f757855e 108 the image file or in the immediate parent of the root directory of
b938cb90 109 the container. If the file is found there, only a subset of the
f757855e
LP		 110 settings will take effect however. All settings that possibly
111 elevate privileges or grant additional access to resources of the
112 host (such as files or directories) are ignored. To which options
113 this applies is documented below.</para>
114
a8eaaee7 115 <para>Persistent settings files created and maintained by the
f757855e
LP		 116 administrator (and thus trusted) should be placed in
117 <filename>/etc/systemd/nspawn/</filename>, while automatically
118 downloaded (and thus potentially untrusted) settings files are
119 placed in <filename>/var/lib/machines/</filename> instead (next to
120 the container images), where their security impact is limited. In
121 order to add privileged settings to <filename>.nspawn</filename>
b938cb90 122 files acquired from the image vendor, it is recommended to copy the
f757855e
LP		 123 settings files into <filename>/etc/systemd/nspawn/</filename> and
124 edit them there, so that the privileged options become
a8eaaee7 125 available. The precise algorithm for how the files are searched and
f757855e
LP		 126 interpreted may be configured with
127 <command>systemd-nspawn</command>'s <option>--settings=</option>
128 switch, see
129 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
130 for details.</para>
131 </refsect1>
132
133 <refsect1>
134 <title>[Exec] Section Options</title>
135
136 <para>Settings files may include an <literal>[Exec]</literal>
137 section, which carries various execution parameters:</para>
138
139 <variablelist>
140
141 <varlistentry>
142 <term><varname>Boot=</varname></term>
143
7732f92b
LP		 144 <listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command>
145 will automatically search for an <filename>init</filename> executable and invoke it. In this case, the
146 specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the
147 <filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the
148 <command>systemd-nspawn</command> command line. This option may not be combined with
149 <varname>ProcessTwo=yes</varname>.</para></listitem>
150 </varlistentry>
151
152 <varlistentry>
153 <term><varname>ProcessTwo=</varname></term>
154
155 <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as
156 PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch
157 on the <command>systemd-nspawn</command> command line. This option may not be combined with
158 <varname>Boot=yes</varname>.</para></listitem>
f757855e
LP		 159 </varlistentry>
160
161 <varlistentry>
162 <term><varname>Parameters=</varname></term>
163
b938cb90 164 <listitem><para>Takes a space-separated list of
f757855e
LP		 165 arguments. This is either a command line, beginning with the
166 binary name to execute, or – if <varname>Boot=</varname> is
167 enabled – the list of arguments to pass to the init
168 process. This setting corresponds to the command line
169 parameters passed on the <command>systemd-nspawn</command>
170 command line.</para></listitem>
171 </varlistentry>
172
173 <varlistentry>
174 <term><varname>Environment=</varname></term>
175
176 <listitem><para>Takes an environment variable assignment
177 consisting of key and value, separated by
178 <literal>=</literal>. Sets an environment variable for the
179 main process invoked in the container. This setting may be
180 used multiple times to set multiple environment variables. It
181 corresponds to the <option>--setenv=</option> command line
182 switch.</para></listitem>
183 </varlistentry>
184
185 <varlistentry>
186 <term><varname>User=</varname></term>
187
188 <listitem><para>Takes a UNIX user name. Specifies the user
189 name to invoke the main process of the container as. This user
190 must be known in the container's user database. This
191 corresponds to the <option>--user=</option> command line
5f932eb9
LP		 192 switch.</para></listitem>
193 </varlistentry>
194
195 <varlistentry>
196 <term><varname>WorkingDirectory=</varname></term>
197
198 <listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute
199 path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line
f757855e
LP		 200 switch.</para></listitem>
201 </varlistentry>
202
203 <varlistentry>
204 <term><varname>Capability=</varname></term>
205 <term><varname>DropCapability=</varname></term>
206
b938cb90 207 <listitem><para>Takes a space-separated list of Linux process
f757855e 208 capabilities (see
524f3e5c 209 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
f757855e
LP		 210 for details). The <varname>Capability=</varname> setting
211 specifies additional capabilities to pass on top of the
4f76ef04 212 default set of capabilities. The
f757855e
LP		 213 <varname>DropCapability=</varname> setting specifies
214 capabilities to drop from the default set. These settings
215 correspond to the <option>--capability=</option> and
216 <option>--drop-capability=</option> command line
217 switches. Note that <varname>Capability=</varname> is a
218 privileged setting, and only takes effect in
219 <filename>.nspawn</filename> files in
220 <filename>/etc/systemd/nspawn/</filename> and
221 <filename>/run/system/nspawn/</filename> (see above). On the
b938cb90 222 other hand, <varname>DropCapability=</varname> takes effect in
f757855e
LP		 223 all cases.</para></listitem>
224 </varlistentry>
225
b3969f73 226 <varlistentry>
c9648aa6 227 <term><varname>KillSignal=</varname></term>
b3969f73
PA		 228
229 <listitem><para>Specify the process signal to send to the
230 container's PID 1 when nspawn itself receives SIGTERM, in
231 order to trigger an orderly shutdown of the container.
232 Defaults to SIGRTMIN+3 if <option>Boot=</option> is used
233 (on systemd-compatible init systems SIGRTMIN+3 triggers an
234 orderly shutdown). For a list of valid signals, see
235 <citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
236 </varlistentry>
237
f757855e
LP		 238 <varlistentry>
239 <term><varname>Personality=</varname></term>
240
241 <listitem><para>Configures the kernel personality for the
242 container. This is equivalent to the
243 <option>--personality=</option> switch.</para></listitem>
244 </varlistentry>
245
246 <varlistentry>
247 <term><varname>MachineID=</varname></term>
248
b938cb90 249 <listitem><para>Configures the 128-bit machine ID (UUID) to pass to
f757855e
LP		 250 the container. This is equivalent to the
251 <option>--uuid=</option> command line switch. This option is
252 privileged (see above). </para></listitem>
253 </varlistentry>
d2e5535f
LP		 254
255 <varlistentry>
256 <term><varname>PrivateUsers=</varname></term>
257
258 <listitem><para>Configures support for usernamespacing. This is equivalent to the
259 <option>--private-users=</option> command line switch, and takes the same options. This option is privileged
260 (see above). </para></listitem>
261 </varlistentry>
f757855e
LP		 262 </variablelist>
263 </refsect1>
264
265 <refsect1>
266 <title>[Files] Section Options</title>
267
268 <para>Settings files may include a <literal>[Files]</literal>
269 section, which carries various parameters configuring the file
270 system of the container:</para>
271
272 <variablelist>
273
274 <varlistentry>
275 <term><varname>ReadOnly=</varname></term>
276
a8eaaee7 277 <listitem><para>Takes a boolean argument, which defaults to off. If
b938cb90 278 specified, the container will be run with a read-only file
f757855e
LP		 279 system. This setting corresponds to the
280 <option>--read-only</option> command line
281 switch.</para></listitem>
282 </varlistentry>
283
284 <varlistentry>
285 <term><varname>Volatile=</varname></term>
286
287 <listitem><para>Takes a boolean argument, or the special value
288 <literal>state</literal>. This configures whether to run the
289 container with volatile state and/or configuration. This
290 option is equivalent to <option>--volatile=</option>, see
291 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
292 for details about the specific options
293 supported.</para></listitem>
294 </varlistentry>
295
296 <varlistentry>
297 <term><varname>Bind=</varname></term>
298 <term><varname>BindReadOnly=</varname></term>
299
300 <listitem><para>Adds a bind mount from the host into the
301 container. Takes a single path, a pair of two paths separated
302 by a colon, or a triplet of two paths plus an option string
303 separated by colons. This option may be used multiple times to
304 configure multiple bind mounts. This option is equivalent to
305 the command line switches <option>--bind=</option> and
306 <option>--bind-ro=</option>, see
307 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
308 for details about the specific options supported. This setting
309 is privileged (see above).</para></listitem>
310 </varlistentry>
311
312 <varlistentry>
313 <term><varname>TemporaryFileSystem=</varname></term>
314
315 <listitem><para>Adds a <literal>tmpfs</literal> mount to the
316 container. Takes a path or a pair of path and option string,
4f76ef04 317 separated by a colon. This option may be used multiple times to
f757855e
LP		 318 configure multiple <literal>tmpfs</literal> mounts. This
319 option is equivalent to the command line switch
320 <option>--tmpfs=</option>, see
321 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
322 for details about the specific options supported. This setting
323 is privileged (see above).</para></listitem>
324 </varlistentry>
d2e5535f
LP		 325
326 <varlistentry>
327 <term><varname>PrivateUsersChown=</varname></term>
328
329 <listitem><para>Configures whether the ownership of the files and directories in the container tree shall be
330 adjusted to the UID/GID range used, if necessary and user namespacing is enabled. This is equivalent to the
331 <option>--private-users-chown</option> command line switch. This option is privileged (see
332 above). </para></listitem>
333 </varlistentry>
334
f757855e
LP		 335 </variablelist>
336 </refsect1>
337
338 <refsect1>
339 <title>[Network] Section Options</title>
340
341 <para>Settings files may include a <literal>[Network]</literal>
342 section, which carries various parameters configuring the network
343 connectivity of the container:</para>
344
345 <variablelist>
346
347 <varlistentry>
348 <term><varname>Private=</varname></term>
349
a8eaaee7 350 <listitem><para>Takes a boolean argument, which defaults to off. If
b938cb90 351 enabled, the container will run in its own network namespace
f757855e
LP		 352 and not share network interfaces and configuration with the
353 host. This setting corresponds to the
354 <option>--private-network</option> command line
355 switch.</para></listitem>
356 </varlistentry>
357
358 <varlistentry>
359 <term><varname>VirtualEthernet=</varname></term>
360
361 <listitem><para>Takes a boolean argument. Configures whether
a8eaaee7 362 to create a virtual Ethernet connection
f757855e
LP		 363 (<literal>veth</literal>) between host and the container. This
364 setting implies <varname>Private=yes</varname>. This setting
365 corresponds to the <option>--network-veth</option> command
366 line switch. This option is privileged (see
367 above).</para></listitem>
368 </varlistentry>
369
f6d6bad1
LP		 370 <varlistentry>
371 <term><varname>VirtualEthernetExtra=</varname></term>
372
373 <listitem><para>Takes a colon-separated pair of interface
374 names. Configures an additional virtual Ethernet connection
375 (<literal>veth</literal>) between host and the container. The
376 first specified name is the interface name on the host, the
377 second the interface name in the container. The latter may be
378 omitted in which case it is set to the same name as the host
379 side interface. This setting implies
380 <varname>Private=yes</varname>. This setting corresponds to
381 the <option>--network-veth-extra=</option> command line
382 switch, and maybe be used multiple times. It is independent of
383 <varname>VirtualEthernet=</varname>. This option is privileged
384 (see above).</para></listitem>
385 </varlistentry>
386
f757855e
LP		 387 <varlistentry>
388 <term><varname>Interface=</varname></term>
389
b938cb90 390 <listitem><para>Takes a space-separated list of interfaces to
f757855e
LP		 391 add to the container. This option corresponds to the
392 <option>--network-interface=</option> command line switch and
393 implies <varname>Private=yes</varname>. This option is
394 privileged (see above).</para></listitem>
395 </varlistentry>
396
397 <varlistentry>
398 <term><varname>MACVLAN=</varname></term>
399 <term><varname>IPVLAN=</varname></term>
400
b938cb90 401 <listitem><para>Takes a space-separated list of interfaces to
f757855e
LP		 402 add MACLVAN or IPVLAN interfaces to, which are then added to
403 the container. These options correspond to the
404 <option>--network-macvlan=</option> and
405 <option>--network-ipvlan=</option> command line switches and
406 imply <varname>Private=yes</varname>. These options are
407 privileged (see above).</para></listitem>
408 </varlistentry>
409
410 <varlistentry>
411 <term><varname>Bridge=</varname></term>
412
413 <listitem><para>Takes an interface name. This setting implies
414 <varname>VirtualEthernet=yes</varname> and
415 <varname>Private=yes</varname> and has the effect that the
416 host side of the created virtual Ethernet link is connected to
417 the specified bridge interface. This option corresponds to the
418 <option>--network-bridge=</option> command line switch. This
419 option is privileged (see above).</para></listitem>
420 </varlistentry>
421
938d2579
LP		 422 <varlistentry>
423 <term><varname>Zone=</varname></term>
424
425 <listitem><para>Takes a network zone name. This setting implies <varname>VirtualEthernet=yes</varname> and
426 <varname>Private=yes</varname> and has the effect that the host side of the created virtual Ethernet link is
427 connected to an automatically managed bridge interface named after the passed argument, prefixed with
428 <literal>vz-</literal>. This option corresponds to the <option>--network-zone=</option> command line
429 switch. This option is privileged (see above).</para></listitem>
430 </varlistentry>
431
f757855e
LP		 432 <varlistentry>
433 <term><varname>Port=</varname></term>
434
435 <listitem><para>Exposes a TCP or UDP port of the container on
436 the host. This option corresponds to the
437 <option>--port=</option> command line switch, see
438 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
439 for the precise syntax of the argument this option takes. This
440 option is privileged (see above).</para></listitem>
441 </varlistentry>
442 </variablelist>
443 </refsect1>
444
445 <refsect1>
446 <title>See Also</title>
447 <para>
448 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
449 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
450 <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
451 </para>
452 </refsect1>
453
454</refentry>
Unnamed repository; edit this file 'description' to name the repository.