[thirdparty/systemd.git] / man / systemd.nspawn.xml

<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>

<!--
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="systemd.nspawn">

  <refentryinfo>
    <title>systemd.nspawn</title>
    <productname>systemd</productname>

    <authorgroup>
      <author>
        <contrib>Developer</contrib>
        <firstname>Lennart</firstname>
        <surname>Poettering</surname>
        <email>lennart@poettering.net</email>
      </author>
    </authorgroup>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.nspawn</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.nspawn</refname>
    <refpurpose>Container settings</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
    <para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
    <para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>An nspawn container settings file (suffix
    <filename>.nspawn</filename>) encodes additional runtime
    information about a local container, and is searched, read and
    used by
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    when starting a container. Files of this type are named after the
    containers they define settings for. They are optional, and only
    required for containers whose execution environment shall differ
    from the defaults. Files of this type mostly contain settings that
    may also be set on the <command>systemd-nspawn</command> command
    line, and make it easier to persistently attach specific settings
    to specific containers. The syntax of these files is inspired by
    <filename>.desktop</filename> files following the <ulink
    url="http://standards.freedesktop.org/desktop-entry-spec/latest/">XDG
    Desktop Entry Specification</ulink>, which in turn are inspired by
    Microsoft Windows <filename>.ini</filename> files.</para>

    <para>Boolean arguments used in these settings files can be
    written in various formats. For positive settings, the strings
    <option>1</option>, <option>yes</option>, <option>true</option>
    and <option>on</option> are equivalent. For negative settings, the
    strings <option>0</option>, <option>no</option>,
    <option>false</option> and <option>off</option> are
    equivalent.</para>

    <para>Empty lines and lines starting with # or ; are
    ignored. This may be used for commenting. Lines ending
    in a backslash are concatenated with the following
    line while reading and the backslash is replaced by a
    space character. This may be used to wrap long lines.</para>

  </refsect1>

  <refsect1>
    <title><filename>.nspawn</filename> File Discovery</title>

    <para>Files are searched by appending the
    <filename>.nspawn</filename> suffix to the machine name of the
    container, as specified with the <option>--machine=</option>
    switch of <command>systemd-nspawn</command>, or derived from the
    directory or image file name. This file is first searched in
    <filename>/etc/systemd/nspawn/</filename> and
    <filename>/run/systemd/nspawn/</filename>. If found in these
    directories, its settings are read and all of them take full effect
    (but are possibly overridden by corresponding command line
    arguments). If not found, the file will then be searched next to
    the image file or in the immediate parent of the root directory of
    the container. If the file is found there, only a subset of the
    settings will take effect however. All settings that possibly
    elevate privileges or grant additional access to resources of the
    host (such as files or directories) are ignored. To which options
    this applies is documented below.</para>

    <para>Persistent settings files created and maintained by the
    administrator (and thus trusted) should be placed in
    <filename>/etc/systemd/nspawn/</filename>, while automatically
    downloaded (and thus potentially untrusted) settings files are
    placed in <filename>/var/lib/machines/</filename> instead (next to
    the container images), where their security impact is limited. In
    order to add privileged settings to <filename>.nspawn</filename>
    files acquired from the image vendor, it is recommended to copy the
    settings files into <filename>/etc/systemd/nspawn/</filename> and
    edit them there, so that the privileged options become
    available. The precise algorithm for how the files are searched and
    interpreted may be configured with
    <command>systemd-nspawn</command>'s <option>--settings=</option>
    switch, see
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    for details.</para>
  </refsect1>

  <refsect1>
    <title>[Exec] Section Options</title>

    <para>Settings files may include an <literal>[Exec]</literal>
    section, which carries various execution parameters:</para>

    <variablelist>

      <varlistentry>
        <term><varname>Boot=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command>
        will automatically search for an <filename>init</filename> executable and invoke it. In this case, the
        specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the
        <filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the
        <command>systemd-nspawn</command> command line. This option may not be combined with
        <varname>ProcessTwo=yes</varname>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ProcessTwo=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as
        PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch
        on the <command>systemd-nspawn</command> command line. This option may not be combined with
        <varname>Boot=yes</varname>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Parameters=</varname></term>

        <listitem><para>Takes a space-separated list of
        arguments. This is either a command line, beginning with the
        binary name to execute, or – if <varname>Boot=</varname> is
        enabled – the list of arguments to pass to the init
        process. This setting corresponds to the command line
        parameters passed on the <command>systemd-nspawn</command>
        command line.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Environment=</varname></term>

        <listitem><para>Takes an environment variable assignment
        consisting of key and value, separated by
        <literal>=</literal>. Sets an environment variable for the
        main process invoked in the container. This setting may be
        used multiple times to set multiple environment variables. It
        corresponds to the <option>--setenv=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>User=</varname></term>

        <listitem><para>Takes a UNIX user name. Specifies the user
        name to invoke the main process of the container as. This user
        must be known in the container's user database. This
        corresponds to the <option>--user=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>WorkingDirectory=</varname></term>

        <listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute
        path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Capability=</varname></term>
        <term><varname>DropCapability=</varname></term>

        <listitem><para>Takes a space-separated list of Linux process
        capabilities (see
        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
        for details). The <varname>Capability=</varname> setting
        specifies additional capabilities to pass on top of the
        default set of capabilities. The
        <varname>DropCapability=</varname> setting specifies
        capabilities to drop from the default set. These settings
        correspond to the <option>--capability=</option> and
        <option>--drop-capability=</option> command line
        switches. Note that <varname>Capability=</varname> is a
        privileged setting, and only takes effect in
        <filename>.nspawn</filename> files in
        <filename>/etc/systemd/nspawn/</filename> and
        <filename>/run/system/nspawn/</filename> (see above). On the
        other hand, <varname>DropCapability=</varname> takes effect in
        all cases.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Personality=</varname></term>

        <listitem><para>Configures the kernel personality for the
        container. This is equivalent to the
        <option>--personality=</option> switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MachineID=</varname></term>

        <listitem><para>Configures the 128-bit machine ID (UUID) to pass to
        the container. This is equivalent to the
        <option>--uuid=</option> command line switch. This option is
        privileged (see above). </para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Files] Section Options</title>

    <para>Settings files may include a <literal>[Files]</literal>
    section, which carries various parameters configuring the file
    system of the container:</para>

    <variablelist>

      <varlistentry>
        <term><varname>ReadOnly=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If
        specified, the container will be run with a read-only file
        system. This setting corresponds to the
        <option>--read-only</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Volatile=</varname></term>

        <listitem><para>Takes a boolean argument, or the special value
        <literal>state</literal>. This configures whether to run the
        container with volatile state and/or configuration. This
        option is equivalent to <option>--volatile=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options
        supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Bind=</varname></term>
        <term><varname>BindReadOnly=</varname></term>

        <listitem><para>Adds a bind mount from the host into the
        container. Takes a single path, a pair of two paths separated
        by a colon, or a triplet of two paths plus an option string
        separated by colons. This option may be used multiple times to
        configure multiple bind mounts. This option is equivalent to
        the command line switches <option>--bind=</option> and
        <option>--bind-ro=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting
        is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>TemporaryFileSystem=</varname></term>

        <listitem><para>Adds a <literal>tmpfs</literal> mount to the
        container. Takes a path or a pair of path and option string,
        separated by a colon. This option may be used multiple times to
        configure multiple <literal>tmpfs</literal> mounts. This
        option is equivalent to the command line switch
        <option>--tmpfs=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting
        is privileged (see above).</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Network] Section Options</title>

    <para>Settings files may include a <literal>[Network]</literal>
    section, which carries various parameters configuring the network
    connectivity of the container:</para>

    <variablelist>

      <varlistentry>
        <term><varname>Private=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If
        enabled, the container will run in its own network namespace
        and not share network interfaces and configuration with the
        host. This setting corresponds to the
        <option>--private-network</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>VirtualEthernet=</varname></term>

        <listitem><para>Takes a boolean argument. Configures whether
        to create a virtual Ethernet connection
        (<literal>veth</literal>) between host and the container. This
        setting implies <varname>Private=yes</varname>. This setting
        corresponds to the <option>--network-veth</option> command
        line switch. This option is privileged (see
        above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>VirtualEthernetExtra=</varname></term>

        <listitem><para>Takes a colon-separated pair of interface
        names. Configures an additional virtual Ethernet connection
        (<literal>veth</literal>) between host and the container. The
        first specified name is the interface name on the host, the
        second the interface name in the container. The latter may be
        omitted in which case it is set to the same name as the host
        side interface. This setting implies
        <varname>Private=yes</varname>. This setting corresponds to
        the <option>--network-veth-extra=</option> command line
        switch, and maybe be used multiple times. It is independent of
        <varname>VirtualEthernet=</varname>. This option is privileged
        (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Interface=</varname></term>

        <listitem><para>Takes a space-separated list of interfaces to
        add to the container. This option corresponds to the
        <option>--network-interface=</option> command line switch and
        implies <varname>Private=yes</varname>. This option is
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MACVLAN=</varname></term>
        <term><varname>IPVLAN=</varname></term>

        <listitem><para>Takes a space-separated list of interfaces to
        add MACLVAN or IPVLAN interfaces to, which are then added to
        the container. These options correspond to the
        <option>--network-macvlan=</option> and
        <option>--network-ipvlan=</option> command line switches and
        imply <varname>Private=yes</varname>. These options are
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Bridge=</varname></term>

        <listitem><para>Takes an interface name. This setting implies
        <varname>VirtualEthernet=yes</varname> and
        <varname>Private=yes</varname> and has the effect that the
        host side of the created virtual Ethernet link is connected to
        the specified bridge interface. This option corresponds to the
        <option>--network-bridge=</option> command line switch. This
        option is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Port=</varname></term>

        <listitem><para>Exposes a TCP or UDP port of the container on
        the host. This option corresponds to the
        <option>--port=</option> command line switch, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for the precise syntax of the argument this option takes. This
        option is privileged (see above).</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
f757855e LP	1	<?xml version='1.0'?> <!--- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil --->
	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
	4	<!ENTITY % entities SYSTEM "custom-entities.ent" >
	5	%entities;
	6	]>
	7
	8	<!--
	9	This file is part of systemd.
	10
	11	Copyright 2015 Lennart Poettering
	12
	13	systemd is free software; you can redistribute it and/or modify it
	14	under the terms of the GNU Lesser General Public License as published by
	15	the Free Software Foundation; either version 2.1 of the License, or
	16	(at your option) any later version.
	17
	18	systemd is distributed in the hope that it will be useful, but
	19	WITHOUT ANY WARRANTY; without even the implied warranty of
	20	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	21	Lesser General Public License for more details.
	22
	23	You should have received a copy of the GNU Lesser General Public License
	24	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	25	-->
	26
	27	<refentry id="systemd.nspawn">
	28
	29	<refentryinfo>
	30	<title>systemd.nspawn</title>
	31	<productname>systemd</productname>
	32
	33	<authorgroup>
	34	<author>
	35	<contrib>Developer</contrib>
	36	<firstname>Lennart</firstname>
	37	<surname>Poettering</surname>
	38	<email>lennart@poettering.net</email>
	39	</author>
	40	</authorgroup>
	41	</refentryinfo>
	42
	43	<refmeta>
	44	<refentrytitle>systemd.nspawn</refentrytitle>
	45	<manvolnum>5</manvolnum>
	46	</refmeta>
	47
	48	<refnamediv>
	49	<refname>systemd.nspawn</refname>
	50	<refpurpose>Container settings</refpurpose>
	51	</refnamediv>
	52
	53	<refsynopsisdiv>
	54	<para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
	55	<para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
	56	<para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
	57	</refsynopsisdiv>
	58
	59	<refsect1>
	60	<title>Description</title>
	61
	62	<para>An nspawn container settings file (suffix
	63	<filename>.nspawn</filename>) encodes additional runtime
	64	information about a local container, and is searched, read and
65	used by
66	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
67	when starting a container. Files of this type are named after the
68	containers they define settings for. They are optional, and only
69	required for containers whose execution environment shall differ
70	from the defaults. Files of this type mostly contain settings that
71	may also be set on the <command>systemd-nspawn</command> command
72	line, and make it easier to persistently attach specific settings
73	to specific containers. The syntax of these files is inspired by
74	<filename>.desktop</filename> files following the <ulink
75	url="http://standards.freedesktop.org/desktop-entry-spec/latest/">XDG
a8eaaee7	76	Desktop Entry Specification</ulink>, which in turn are inspired by
f757855e LP	77	Microsoft Windows <filename>.ini</filename> files.</para>
	78
	79	<para>Boolean arguments used in these settings files can be
b938cb90	80	written in various formats. For positive settings, the strings
f757855e LP	81	<option>1</option>, <option>yes</option>, <option>true</option>
	82	and <option>on</option> are equivalent. For negative settings, the
	83	strings <option>0</option>, <option>no</option>,
	84	<option>false</option> and <option>off</option> are
	85	equivalent.</para>
	86
	87	<para>Empty lines and lines starting with # or ; are
	88	ignored. This may be used for commenting. Lines ending
	89	in a backslash are concatenated with the following
	90	line while reading and the backslash is replaced by a
	91	space character. This may be used to wrap long lines.</para>
	92
	93	</refsect1>
	94
	95	<refsect1>
	96	<title><filename>.nspawn</filename> File Discovery</title>
	97
	98	<para>Files are searched by appending the
	99	<filename>.nspawn</filename> suffix to the machine name of the
	100	container, as specified with the <option>--machine=</option>
	101	switch of <command>systemd-nspawn</command>, or derived from the
	102	directory or image file name. This file is first searched in
	103	<filename>/etc/systemd/nspawn/</filename> and
	104	<filename>/run/systemd/nspawn/</filename>. If found in these
b938cb90	105	directories, its settings are read and all of them take full effect
4f76ef04	106	(but are possibly overridden by corresponding command line
b938cb90	107	arguments). If not found, the file will then be searched next to
f757855e	108	the image file or in the immediate parent of the root directory of
b938cb90	109	the container. If the file is found there, only a subset of the
f757855e LP	110	settings will take effect however. All settings that possibly
	111	elevate privileges or grant additional access to resources of the
	112	host (such as files or directories) are ignored. To which options
	113	this applies is documented below.</para>
	114
a8eaaee7	115	<para>Persistent settings files created and maintained by the
f757855e LP	116	administrator (and thus trusted) should be placed in
	117	<filename>/etc/systemd/nspawn/</filename>, while automatically
	118	downloaded (and thus potentially untrusted) settings files are
	119	placed in <filename>/var/lib/machines/</filename> instead (next to
	120	the container images), where their security impact is limited. In
	121	order to add privileged settings to <filename>.nspawn</filename>
b938cb90	122	files acquired from the image vendor, it is recommended to copy the
f757855e LP	123	settings files into <filename>/etc/systemd/nspawn/</filename> and
f757855e LP	124	edit them there, so that the privileged options become
a8eaaee7	125	available. The precise algorithm for how the files are searched and
f757855e LP	126	interpreted may be configured with
	127	<command>systemd-nspawn</command>'s <option>--settings=</option>
	128	switch, see
	129	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	130	for details.</para>
	131	</refsect1>
	132
	133	<refsect1>
	134	<title>[Exec] Section Options</title>
	135
	136	<para>Settings files may include an <literal>[Exec]</literal>
	137	section, which carries various execution parameters:</para>
	138
	139	<variablelist>
	140
	141	<varlistentry>
	142	<term><varname>Boot=</varname></term>
	143
7732f92b LP	144	<listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command>
	145	will automatically search for an <filename>init</filename> executable and invoke it. In this case, the
	146	specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the
	147	<filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the
	148	<command>systemd-nspawn</command> command line. This option may not be combined with
	149	<varname>ProcessTwo=yes</varname>.</para></listitem>
	150	</varlistentry>
	151
	152	<varlistentry>
	153	<term><varname>ProcessTwo=</varname></term>
	154
	155	<listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as
	156	PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch
	157	on the <command>systemd-nspawn</command> command line. This option may not be combined with
	158	<varname>Boot=yes</varname>.</para></listitem>
f757855e LP	159	</varlistentry>
	160
	161	<varlistentry>
	162	<term><varname>Parameters=</varname></term>
	163
b938cb90	164	<listitem><para>Takes a space-separated list of
f757855e LP	165	arguments. This is either a command line, beginning with the
	166	binary name to execute, or – if <varname>Boot=</varname> is
	167	enabled – the list of arguments to pass to the init
	168	process. This setting corresponds to the command line
	169	parameters passed on the <command>systemd-nspawn</command>
	170	command line.</para></listitem>
	171	</varlistentry>
	172
	173	<varlistentry>
	174	<term><varname>Environment=</varname></term>
	175
	176	<listitem><para>Takes an environment variable assignment
	177	consisting of key and value, separated by
	178	<literal>=</literal>. Sets an environment variable for the
	179	main process invoked in the container. This setting may be
	180	used multiple times to set multiple environment variables. It
	181	corresponds to the <option>--setenv=</option> command line
	182	switch.</para></listitem>
	183	</varlistentry>
	184
	185	<varlistentry>
	186	<term><varname>User=</varname></term>
	187
	188	<listitem><para>Takes a UNIX user name. Specifies the user
	189	name to invoke the main process of the container as. This user
	190	must be known in the container's user database. This
	191	corresponds to the <option>--user=</option> command line
5f932eb9 LP	192	switch.</para></listitem>
	193	</varlistentry>
	194
	195	<varlistentry>
	196	<term><varname>WorkingDirectory=</varname></term>
	197
	198	<listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute
	199	path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line
f757855e LP	200	switch.</para></listitem>
	201	</varlistentry>
	202
	203	<varlistentry>
	204	<term><varname>Capability=</varname></term>
	205	<term><varname>DropCapability=</varname></term>
	206
b938cb90	207	<listitem><para>Takes a space-separated list of Linux process
f757855e	208	capabilities (see
524f3e5c	209	<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
f757855e LP	210	for details). The <varname>Capability=</varname> setting
f757855e LP	211	specifies additional capabilities to pass on top of the
4f76ef04	212	default set of capabilities. The
f757855e LP	213	<varname>DropCapability=</varname> setting specifies
	214	capabilities to drop from the default set. These settings
	215	correspond to the <option>--capability=</option> and
	216	<option>--drop-capability=</option> command line
	217	switches. Note that <varname>Capability=</varname> is a
	218	privileged setting, and only takes effect in
	219	<filename>.nspawn</filename> files in
	220	<filename>/etc/systemd/nspawn/</filename> and
	221	<filename>/run/system/nspawn/</filename> (see above). On the
b938cb90	222	other hand, <varname>DropCapability=</varname> takes effect in
f757855e LP	223	all cases.</para></listitem>
	224	</varlistentry>
	225
	226	<varlistentry>
	227	<term><varname>Personality=</varname></term>
	228
	229	<listitem><para>Configures the kernel personality for the
	230	container. This is equivalent to the
	231	<option>--personality=</option> switch.</para></listitem>
	232	</varlistentry>
	233
	234	<varlistentry>
	235	<term><varname>MachineID=</varname></term>
	236
b938cb90	237	<listitem><para>Configures the 128-bit machine ID (UUID) to pass to
f757855e LP	238	the container. This is equivalent to the
	239	<option>--uuid=</option> command line switch. This option is
	240	privileged (see above). </para></listitem>
	241	</varlistentry>
	242	</variablelist>
	243	</refsect1>
	244
	245	<refsect1>
	246	<title>[Files] Section Options</title>
	247
	248	<para>Settings files may include a <literal>[Files]</literal>
	249	section, which carries various parameters configuring the file
	250	system of the container:</para>
	251
	252	<variablelist>
	253
	254	<varlistentry>
	255	<term><varname>ReadOnly=</varname></term>
	256
a8eaaee7	257	<listitem><para>Takes a boolean argument, which defaults to off. If
b938cb90	258	specified, the container will be run with a read-only file
f757855e LP	259	system. This setting corresponds to the
	260	<option>--read-only</option> command line
	261	switch.</para></listitem>
	262	</varlistentry>
	263
	264	<varlistentry>
	265	<term><varname>Volatile=</varname></term>
	266
	267	<listitem><para>Takes a boolean argument, or the special value
	268	<literal>state</literal>. This configures whether to run the
	269	container with volatile state and/or configuration. This
	270	option is equivalent to <option>--volatile=</option>, see
	271	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	272	for details about the specific options
	273	supported.</para></listitem>
	274	</varlistentry>
	275
	276	<varlistentry>
	277	<term><varname>Bind=</varname></term>
	278	<term><varname>BindReadOnly=</varname></term>
	279
	280	<listitem><para>Adds a bind mount from the host into the
	281	container. Takes a single path, a pair of two paths separated
	282	by a colon, or a triplet of two paths plus an option string
	283	separated by colons. This option may be used multiple times to
	284	configure multiple bind mounts. This option is equivalent to
	285	the command line switches <option>--bind=</option> and
	286	<option>--bind-ro=</option>, see
	287	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	288	for details about the specific options supported. This setting
	289	is privileged (see above).</para></listitem>
	290	</varlistentry>
	291
	292	<varlistentry>
	293	<term><varname>TemporaryFileSystem=</varname></term>
	294
	295	<listitem><para>Adds a <literal>tmpfs</literal> mount to the
	296	container. Takes a path or a pair of path and option string,
4f76ef04	297	separated by a colon. This option may be used multiple times to
f757855e LP	298	configure multiple <literal>tmpfs</literal> mounts. This
	299	option is equivalent to the command line switch
	300	<option>--tmpfs=</option>, see
	301	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	302	for details about the specific options supported. This setting
	303	is privileged (see above).</para></listitem>
	304	</varlistentry>
	305	</variablelist>
	306	</refsect1>
	307
	308	<refsect1>
	309	<title>[Network] Section Options</title>
	310
	311	<para>Settings files may include a <literal>[Network]</literal>
	312	section, which carries various parameters configuring the network
	313	connectivity of the container:</para>
	314
	315	<variablelist>
	316
	317	<varlistentry>
	318	<term><varname>Private=</varname></term>
	319
a8eaaee7	320	<listitem><para>Takes a boolean argument, which defaults to off. If
b938cb90	321	enabled, the container will run in its own network namespace
f757855e LP	322	and not share network interfaces and configuration with the
	323	host. This setting corresponds to the
	324	<option>--private-network</option> command line
	325	switch.</para></listitem>
	326	</varlistentry>
	327
	328	<varlistentry>
	329	<term><varname>VirtualEthernet=</varname></term>
	330
	331	<listitem><para>Takes a boolean argument. Configures whether
a8eaaee7	332	to create a virtual Ethernet connection
f757855e LP	333	(<literal>veth</literal>) between host and the container. This
	334	setting implies <varname>Private=yes</varname>. This setting
	335	corresponds to the <option>--network-veth</option> command
	336	line switch. This option is privileged (see
	337	above).</para></listitem>
	338	</varlistentry>
	339
f6d6bad1 LP	340	<varlistentry>
	341	<term><varname>VirtualEthernetExtra=</varname></term>
	342
	343	<listitem><para>Takes a colon-separated pair of interface
	344	names. Configures an additional virtual Ethernet connection
	345	(<literal>veth</literal>) between host and the container. The
	346	first specified name is the interface name on the host, the
	347	second the interface name in the container. The latter may be
	348	omitted in which case it is set to the same name as the host
	349	side interface. This setting implies
	350	<varname>Private=yes</varname>. This setting corresponds to
	351	the <option>--network-veth-extra=</option> command line
	352	switch, and maybe be used multiple times. It is independent of
	353	<varname>VirtualEthernet=</varname>. This option is privileged
	354	(see above).</para></listitem>
	355	</varlistentry>
	356
f757855e LP	357	<varlistentry>
	358	<term><varname>Interface=</varname></term>
	359
b938cb90	360	<listitem><para>Takes a space-separated list of interfaces to
f757855e LP	361	add to the container. This option corresponds to the
	362	<option>--network-interface=</option> command line switch and
	363	implies <varname>Private=yes</varname>. This option is
	364	privileged (see above).</para></listitem>
	365	</varlistentry>
	366
	367	<varlistentry>
	368	<term><varname>MACVLAN=</varname></term>
	369	<term><varname>IPVLAN=</varname></term>
	370
b938cb90	371	<listitem><para>Takes a space-separated list of interfaces to
f757855e LP	372	add MACLVAN or IPVLAN interfaces to, which are then added to
	373	the container. These options correspond to the
	374	<option>--network-macvlan=</option> and
	375	<option>--network-ipvlan=</option> command line switches and
	376	imply <varname>Private=yes</varname>. These options are
	377	privileged (see above).</para></listitem>
	378	</varlistentry>
	379
	380	<varlistentry>
	381	<term><varname>Bridge=</varname></term>
	382
	383	<listitem><para>Takes an interface name. This setting implies
	384	<varname>VirtualEthernet=yes</varname> and
	385	<varname>Private=yes</varname> and has the effect that the
	386	host side of the created virtual Ethernet link is connected to
	387	the specified bridge interface. This option corresponds to the
	388	<option>--network-bridge=</option> command line switch. This
	389	option is privileged (see above).</para></listitem>
	390	</varlistentry>
	391
	392	<varlistentry>
	393	<term><varname>Port=</varname></term>
	394
	395	<listitem><para>Exposes a TCP or UDP port of the container on
	396	the host. This option corresponds to the
	397	<option>--port=</option> command line switch, see
	398	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	399	for the precise syntax of the argument this option takes. This
	400	option is privileged (see above).</para></listitem>
	401	</varlistentry>
	402	</variablelist>
	403	</refsect1>
	404
	405	<refsect1>
	406	<title>See Also</title>
	407	<para>
	408	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	409	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	410	<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
	411	</para>
	412	</refsect1>
	413
	414	</refentry>