]> git.ipfire.org Git - thirdparty/systemd.git/blob - man/machinectl.xml
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
man: drop unused <authorgroup> tags from man sources
[thirdparty/systemd.git] / man / machinectl.xml
1 <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4
5 <!--
6 SPDX-License-Identifier: LGPL-2.1+
7
8 Copyright © 2013 Zbigniew Jędrzejewski-Szmek
9 -->
10
11 <refentry id="machinectl" conditional='ENABLE_MACHINED'
12 xmlns:xi="http://www.w3.org/2001/XInclude">
13
14 <refentryinfo>
15 <title>machinectl</title>
16 <productname>systemd</productname>
17 </refentryinfo>
18
19 <refmeta>
20 <refentrytitle>machinectl</refentrytitle>
21 <manvolnum>1</manvolnum>
22 </refmeta>
23
24 <refnamediv>
25 <refname>machinectl</refname>
26 <refpurpose>Control the systemd machine manager</refpurpose>
27 </refnamediv>
28
29 <refsynopsisdiv>
30 <cmdsynopsis>
31 <command>machinectl</command>
32 <arg choice="opt" rep="repeat">OPTIONS</arg>
33 <arg choice="req">COMMAND</arg>
34 <arg choice="opt" rep="repeat">NAME</arg>
35 </cmdsynopsis>
36 </refsynopsisdiv>
37
38 <refsect1>
39 <title>Description</title>
40
41 <para><command>machinectl</command> may be used to introspect and
42 control the state of the
43 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
44 virtual machine and container registration manager
45 <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
46
47 <para><command>machinectl</command> may be used to execute
48 operations on machines and images. Machines in this sense are
49 considered running instances of:</para>
50
51 <itemizedlist>
52 <listitem><para>Virtual Machines (VMs) that virtualize hardware
53 to run full operating system (OS) instances (including their kernels)
54 in a virtualized environment on top of the host OS.</para></listitem>
55
56 <listitem><para>Containers that share the hardware and
57 OS kernel with the host OS, in order to run
58 OS userspace instances on top the host OS.</para></listitem>
59
60 <listitem><para>The host system itself.</para></listitem>
61 </itemizedlist>
62
63 <para>Machines are identified by names that follow the same rules
64 as UNIX and DNS host names. For details, see below.</para>
65
66 <para>Machines are instantiated from disk or file system images that
67 frequently — but not necessarily — carry the same name as machines running
68 from them. Images in this sense may be:</para>
69
70 <itemizedlist>
71 <listitem><para>Directory trees containing an OS, including the
72 top-level directories <filename>/usr</filename>,
73 <filename>/etc</filename>, and so on.</para></listitem>
74
75 <listitem><para>btrfs subvolumes containing OS trees, similar to
76 normal directory trees.</para></listitem>
77
78 <listitem><para>Binary "raw" disk images containing MBR or GPT
79 partition tables and Linux file system partitions.</para></listitem>
80
81 <listitem><para>The file system tree of the host OS itself.</para></listitem>
82 </itemizedlist>
83
84 </refsect1>
85
86 <refsect1>
87 <title>Options</title>
88
89 <para>The following options are understood:</para>
90
91 <variablelist>
92 <varlistentry>
93 <term><option>-p</option></term>
94 <term><option>--property=</option></term>
95
96 <listitem><para>When showing machine or image properties,
97 limit the output to certain properties as specified by the
98 argument. If not specified, all set properties are shown. The
99 argument should be a property name, such as
100 <literal>Name</literal>. If specified more than once, all
101 properties with the specified names are
102 shown.</para></listitem>
103 </varlistentry>
104
105 <varlistentry>
106 <term><option>-a</option></term>
107 <term><option>--all</option></term>
108
109 <listitem><para>When showing machine or image properties, show
110 all properties regardless of whether they are set or
111 not.</para>
112
113 <para>When listing VM or container images, do not suppress
114 images beginning in a dot character
115 (<literal>.</literal>).</para>
116
117 <para>When cleaning VM or container images, remove all images, not just hidden ones.</para></listitem>
118 </varlistentry>
119
120 <varlistentry>
121 <term><option>--value</option></term>
122
123 <listitem><para>When printing properties with <command>show</command>, only print the value,
124 and skip the property name and <literal>=</literal>.</para></listitem>
125 </varlistentry>
126
127 <varlistentry>
128 <term><option>-l</option></term>
129 <term><option>--full</option></term>
130
131 <listitem><para>Do not ellipsize process tree entries.</para>
132 </listitem>
133 </varlistentry>
134
135 <varlistentry>
136 <term><option>--kill-who=</option></term>
137
138 <listitem><para>When used with <command>kill</command>, choose
139 which processes to kill. Must be one of
140 <option>leader</option>, or <option>all</option> to select
141 whether to kill only the leader process of the machine or all
142 processes of the machine. If omitted, defaults to
143 <option>all</option>.</para></listitem>
144 </varlistentry>
145
146 <varlistentry>
147 <term><option>-s</option></term>
148 <term><option>--signal=</option></term>
149
150 <listitem><para>When used with <command>kill</command>, choose
151 which signal to send to selected processes. Must be one of the
152 well-known signal specifiers, such as
153 <constant>SIGTERM</constant>, <constant>SIGINT</constant> or
154 <constant>SIGSTOP</constant>. If omitted, defaults to
155 <constant>SIGTERM</constant>.</para></listitem>
156 </varlistentry>
157
158 <varlistentry>
159 <term><option>--uid=</option></term>
160
161 <listitem><para>When used with the <command>shell</command> command, chooses the user ID to
162 open the interactive shell session as. If the argument to the <command>shell</command>
163 command also specifies a user name, this option is ignored. If the name is not specified
164 in either way, <literal>root</literal> will be used by default. Note that this switch is
165 not supported for the <command>login</command> command (see below).</para></listitem>
166 </varlistentry>
167
168 <varlistentry>
169 <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term>
170 <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term>
171
172 <listitem><para>When used with the <command>shell</command> command, sets an environment
173 variable to pass to the executed shell. Takes an environment variable name and value,
174 separated by <literal>=</literal>. This switch may be used multiple times to set multiple
175 environment variables. Note that this switch is not supported for the
176 <command>login</command> command (see below).</para></listitem>
177 </varlistentry>
178
179 <varlistentry>
180 <term><option>--mkdir</option></term>
181
182 <listitem><para>When used with <command>bind</command>, creates the destination file or directory before
183 applying the bind mount. Note that even though the name of this option suggests that it is suitable only for
184 directories, this option also creates the destination file node to mount over if the object to mount is not
185 a directory, but a regular file, device node, socket or FIFO.</para></listitem>
186 </varlistentry>
187
188 <varlistentry>
189 <term><option>--read-only</option></term>
190
191 <listitem><para>When used with <command>bind</command>, creates a read-only bind mount.</para>
192
193 <para>When used with <command>clone</command>, <command>import-raw</command> or <command>import-tar</command> a
194 read-only container or VM image is created.</para></listitem>
195 </varlistentry>
196
197 <varlistentry>
198 <term><option>-n</option></term>
199 <term><option>--lines=</option></term>
200
201 <listitem><para>When used with <command>status</command>,
202 controls the number of journal lines to show, counting from
203 the most recent ones. Takes a positive integer argument.
204 Defaults to 10.</para>
205 </listitem>
206 </varlistentry>
207
208 <varlistentry>
209 <term><option>-o</option></term>
210 <term><option>--output=</option></term>
211
212 <listitem><para>When used with <command>status</command>,
213 controls the formatting of the journal entries that are shown.
214 For the available choices, see
215 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
216 Defaults to <literal>short</literal>.</para></listitem>
217 </varlistentry>
218
219 <varlistentry>
220 <term><option>--verify=</option></term>
221
222 <listitem><para>When downloading a container or VM image,
223 specify whether the image shall be verified before it is made
224 available. Takes one of <literal>no</literal>,
225 <literal>checksum</literal> and <literal>signature</literal>.
226 If <literal>no</literal>, no verification is done. If
227 <literal>checksum</literal> is specified, the download is
228 checked for integrity after the transfer is complete, but no
229 signatures are verified. If <literal>signature</literal> is
230 specified, the checksum is verified and the image's signature
231 is checked against a local keyring of trustable vendors. It is
232 strongly recommended to set this option to
233 <literal>signature</literal> if the server and protocol
234 support this. Defaults to
235 <literal>signature</literal>.</para></listitem>
236 </varlistentry>
237
238 <varlistentry>
239 <term><option>--force</option></term>
240
241 <listitem><para>When downloading a container or VM image, and
242 a local copy by the specified local machine name already
243 exists, delete it first and replace it by the newly downloaded
244 image.</para></listitem>
245 </varlistentry>
246
247 <varlistentry>
248 <term><option>--format=</option></term>
249
250 <listitem><para>When used with the <option>export-tar</option>
251 or <option>export-raw</option> commands, specifies the
252 compression format to use for the resulting file. Takes one of
253 <literal>uncompressed</literal>, <literal>xz</literal>,
254 <literal>gzip</literal>, <literal>bzip2</literal>. By default,
255 the format is determined automatically from the image file
256 name passed.</para></listitem>
257 </varlistentry>
258
259 <varlistentry>
260 <term><option>--max-addresses=</option></term>
261
262 <listitem><para>When used with the <option>list-machines</option>
263 command, limits the number of ip addresses output for every machine.
264 Defaults to 1. All addresses can be requested with <literal>all</literal>
265 as argument to <option>--max-addresses</option> . If the argument to
266 <option>--max-addresses</option> is less than the actual number
267 of addresses, <literal>...</literal>follows the last address.
268 If multiple addresses are to be written for a given machine, every
269 address except the first one is on a new line and is followed by
270 <literal>,</literal> if another address will be output afterwards. </para></listitem>
271 </varlistentry>
272
273 <varlistentry>
274 <term><option>-q</option></term>
275 <term><option>--quiet</option></term>
276
277 <listitem><para>Suppresses additional informational output while running.</para></listitem>
278 </varlistentry>
279
280 <xi:include href="user-system-options.xml" xpointer="host" />
281
282 <varlistentry>
283 <term><option>-M</option></term>
284 <term><option>--machine=</option></term>
285
286 <listitem><para>Connect to
287 <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
288 running in a local container, to perform the specified operation within
289 the container.</para></listitem>
290 </varlistentry>
291
292 <xi:include href="standard-options.xml" xpointer="no-pager" />
293 <xi:include href="standard-options.xml" xpointer="no-legend" />
294 <xi:include href="standard-options.xml" xpointer="no-ask-password" />
295 <xi:include href="standard-options.xml" xpointer="help" />
296 <xi:include href="standard-options.xml" xpointer="version" />
297 </variablelist>
298 </refsect1>
299
300 <refsect1>
301 <title>Commands</title>
302
303 <para>The following commands are understood:</para>
304
305 <refsect2><title>Machine Commands</title><variablelist>
306
307 <varlistentry>
308 <term><command>list</command></term>
309
310 <listitem><para>List currently running (online) virtual
311 machines and containers. To enumerate machine images that can
312 be started, use <command>list-images</command> (see
313 below). Note that this command hides the special
314 <literal>.host</literal> machine by default. Use the
315 <option>--all</option> switch to show it.</para></listitem>
316 </varlistentry>
317
318 <varlistentry>
319 <term><command>status</command> <replaceable>NAME</replaceable></term>
320
321 <listitem><para>Show runtime status information about
322 one or more virtual machines and containers, followed by the
323 most recent log data from the journal. This function is
324 intended to generate human-readable output. If you are looking
325 for computer-parsable output, use <command>show</command>
326 instead. Note that the log data shown is reported by the
327 virtual machine or container manager, and frequently contains
328 console output of the machine, but not necessarily journal
329 contents of the machine itself.</para></listitem>
330 </varlistentry>
331
332 <varlistentry>
333 <term><command>show</command> [<replaceable>NAME</replaceable>…]</term>
334
335 <listitem><para>Show properties of one or more registered virtual machines or containers or the manager
336 itself. If no argument is specified, properties of the manager will be shown. If a NAME is specified,
337 properties of this virtual machine or container are shown. By default, empty properties are suppressed. Use
338 <option>--all</option> to show those too. To select specific properties to show, use
339 <option>--property=</option>. This command is intended to be used whenever computer-parsable output is
340 required, and does not print the control group tree or journal entries. Use <command>status</command> if you
341 are looking for formatted human-readable output.</para></listitem>
342 </varlistentry>
343
344 <varlistentry>
345 <term><command>start</command> <replaceable>NAME</replaceable></term>
346
347 <listitem><para>Start a container as a system service, using
348 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
349 This starts <filename>systemd-nspawn@.service</filename>,
350 instantiated for the specified machine name, similar to the
351 effect of <command>systemctl start</command> on the service
352 name. <command>systemd-nspawn</command> looks for a container
353 image by the specified name in
354 <filename>/var/lib/machines/</filename> (and other search
355 paths, see below) and runs it. Use
356 <command>list-images</command> (see below) for listing
357 available container images to start.</para>
358
359 <para>Note that
360 <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
361 also interfaces with a variety of other container and VM
362 managers, <command>systemd-nspawn</command> is just one
363 implementation of it. Most of the commands available in
364 <command>machinectl</command> may be used on containers or VMs
365 controlled by other managers, not just
366 <command>systemd-nspawn</command>. Starting VMs and container
367 images on those managers requires manager-specific
368 tools.</para>
369
370 <para>To interactively start a container on the command line
371 with full access to the container's console, please invoke
372 <command>systemd-nspawn</command> directly. To stop a running
373 container use <command>machinectl poweroff</command>.</para></listitem>
374 </varlistentry>
375
376 <varlistentry>
377 <term><command>login</command> [<replaceable>NAME</replaceable>]</term>
378
379 <listitem><para>Open an interactive terminal login session in
380 a container or on the local host. If an argument is supplied,
381 it refers to the container machine to connect to. If none is
382 specified, or the container name is specified as the empty
383 string, or the special machine name <literal>.host</literal>
384 (see below) is specified, the connection is made to the local
385 host instead. This will create a TTY connection to a specific
386 container or the local host and asks for the execution of a
387 getty on it. Note that this is only supported for containers
388 running
389 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
390 as init system.</para>
391
392 <para>This command will open a full login prompt on the
393 container or the local host, which then asks for username and
394 password. Use <command>shell</command> (see below) or
395 <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
396 with the <option>--machine=</option> switch to directly invoke
397 a single command, either interactively or in the
398 background.</para></listitem>
399 </varlistentry>
400
401 <varlistentry>
402 <term><command>shell</command> [[<replaceable>NAME</replaceable>@]<replaceable>NAME</replaceable> [<replaceable>PATH</replaceable> [<replaceable>ARGUMENTS</replaceable>…]]] </term>
403
404 <listitem><para>Open an interactive shell session in a
405 container or on the local host. The first argument refers to
406 the container machine to connect to. If none is specified, or
407 the machine name is specified as the empty string, or the
408 special machine name <literal>.host</literal> (see below) is
409 specified, the connection is made to the local host
410 instead. This works similar to <command>login</command> but
411 immediately invokes a user process. This command runs the
412 specified executable with the specified arguments, or the
413 default shell for the user if none is specified, or
414 <filename>/bin/sh</filename> if no default shell is found. By default,
415 <option>--uid=</option>, or by prefixing the machine name with
416 a username and an <literal>@</literal> character, a different
417 user may be selected. Use <option>--setenv=</option> to set
418 environment variables for the executed process.</para>
419
420 <para>Note that <command>machinectl shell</command> does not propagate the exit code/status of the invoked
421 shell process. Use <command>systemd-run</command> instead if that information is required (see below).</para>
422
423 <para>When using the <command>shell</command> command without
424 arguments, (thus invoking the executed shell or command on the
425 local host), it is in many ways similar to a <citerefentry
426 project='die-net'><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>
427 session, but, unlike <command>su</command>, completely isolates
428 the new session from the originating session, so that it
429 shares no process or session properties, and is in a clean and
430 well-defined state. It will be tracked in a new utmp, login,
431 audit, security and keyring session, and will not inherit any
432 environment variables or resource limits, among other
433 properties.</para>
434
435 <para>Note that <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
436 with its <option>--machine=</option> switch may be used in place of the <command>machinectl shell</command>
437 command, and allows non-interactive operation, more detailed and low-level configuration of the invoked unit,
438 as well as access to runtime and exit code/status information of the invoked shell process. In particular, use
439 <command>systemd-run</command>'s <option>--wait</option> switch to propagate exit status information of the
440 invoked process. Use <command>systemd-run</command>'s <option>--pty</option> switch for acquiring an
441 interactive shell, similar to <command>machinectl shell</command>. In general, <command>systemd-run</command>
442 is preferable for scripting purposes. However, note that <command>systemd-run</command> might require higher
443 privileges than <command>machinectl shell</command>.</para></listitem>
444 </varlistentry>
445
446 <varlistentry>
447 <term><command>enable</command> <replaceable>NAME</replaceable></term>
448 <term><command>disable</command> <replaceable>NAME</replaceable></term>
449
450 <listitem><para>Enable or disable a container as a system
451 service to start at system boot, using
452 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
453 This enables or disables
454 <filename>systemd-nspawn@.service</filename>, instantiated for
455 the specified machine name, similar to the effect of
456 <command>systemctl enable</command> or <command>systemctl
457 disable</command> on the service name.</para></listitem>
458 </varlistentry>
459
460 <varlistentry>
461 <term><command>poweroff</command> <replaceable>NAME</replaceable></term>
462
463 <listitem><para>Power off one or more containers. This will
464 trigger a reboot by sending SIGRTMIN+4 to the container's init
465 process, which causes systemd-compatible init systems to shut
466 down cleanly. Use <command>stop</command> as alias for <command>poweroff</command>.
467 This operation does not work on containers that do not run a
468 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible
469 init system, such as sysvinit. Use
470 <command>terminate</command> (see below) to immediately
471 terminate a container or VM, without cleanly shutting it
472 down.</para></listitem>
473 </varlistentry>
474
475 <varlistentry>
476 <term><command>reboot</command> <replaceable>NAME</replaceable></term>
477
478 <listitem><para>Reboot one or more containers. This will
479 trigger a reboot by sending SIGINT to the container's init
480 process, which is roughly equivalent to pressing Ctrl+Alt+Del
481 on a non-containerized system, and is compatible with
482 containers running any system manager.</para></listitem>
483 </varlistentry>
484
485 <varlistentry>
486 <term><command>terminate</command> <replaceable>NAME</replaceable></term>
487
488 <listitem><para>Immediately terminates a virtual machine or
489 container, without cleanly shutting it down. This kills all
490 processes of the virtual machine or container and deallocates
491 all resources attached to that instance. Use
492 <command>poweroff</command> to issue a clean shutdown
493 request.</para></listitem>
494 </varlistentry>
495
496 <varlistentry>
497 <term><command>kill</command> <replaceable>NAME</replaceable></term>
498
499 <listitem><para>Send a signal to one or more processes of the
500 virtual machine or container. This means processes as seen by
501 the host, not the processes inside the virtual machine or
502 container. Use <option>--kill-who=</option> to select which
503 process to kill. Use <option>--signal=</option> to select the
504 signal to send.</para></listitem>
505 </varlistentry>
506
507 <varlistentry>
508 <term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
509
510 <listitem><para>Bind mounts a file or directory from the host into the specified container. The first path
511 argument is the source file or directory on the host, the second path argument is the destination file or
512 directory in the container. When the latter is omitted, the destination path in the container is the same as
513 the source path on the host. When combined with the <option>--read-only</option> switch, a ready-only bind
514 mount is created. When combined with the <option>--mkdir</option> switch, the destination path is first created
515 before the mount is applied. Note that this option is currently only supported for
516 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers,
517 and only if user namespacing (<option>--private-users</option>) is not used. This command supports bind
518 mounting directories, regular files, device nodes, <constant>AF_UNIX</constant> socket nodes, as well as
519 FIFOs.</para></listitem>
520 </varlistentry>
521
522 <varlistentry>
523 <term><command>copy-to</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
524
525 <listitem><para>Copies files or directories from the host
526 system into a running container. Takes a container name,
527 followed by the source path on the host and the destination
528 path in the container. If the destination path is omitted, the
529 same as the source path is used.</para>
530
531 <para>If host and container share the same user and group namespace, file ownership by numeric user ID and
532 group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root
533 user and group (UID/GID 0).</para></listitem>
534 </varlistentry>
535
536 <varlistentry>
537 <term><command>copy-from</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
538
539 <listitem><para>Copies files or directories from a container
540 into the host system. Takes a container name, followed by the
541 source path in the container the destination path on the host.
542 If the destination path is omitted, the same as the source path
543 is used.</para>
544
545 <para>If host and container share the same user and group namespace, file ownership by numeric user ID and
546 group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root
547 user and group (UID/GID 0).</para></listitem>
548 </varlistentry>
549 </variablelist></refsect2>
550
551 <refsect2><title>Image Commands</title><variablelist>
552
553 <varlistentry>
554 <term><command>list-images</command></term>
555
556 <listitem><para>Show a list of locally installed container and
557 VM images. This enumerates all raw disk images and container
558 directories and subvolumes in
559 <filename>/var/lib/machines/</filename> (and other search
560 paths, see below). Use <command>start</command> (see above) to
561 run a container off one of the listed images. Note that, by
562 default, containers whose name begins with a dot
563 (<literal>.</literal>) are not shown. To show these too,
564 specify <option>--all</option>. Note that a special image
565 <literal>.host</literal> always implicitly exists and refers
566 to the image the host itself is booted from.</para></listitem>
567 </varlistentry>
568
569 <varlistentry>
570 <term><command>image-status</command> [<replaceable>NAME</replaceable>…]</term>
571
572 <listitem><para>Show terse status information about one or
573 more container or VM images. This function is intended to
574 generate human-readable output. Use
575 <command>show-image</command> (see below) to generate
576 computer-parsable output instead.</para></listitem>
577 </varlistentry>
578
579 <varlistentry>
580 <term><command>show-image</command> [<replaceable>NAME</replaceable>…]</term>
581
582 <listitem><para>Show properties of one or more registered
583 virtual machine or container images, or the manager itself. If
584 no argument is specified, properties of the manager will be
585 shown. If a NAME is specified, properties of this virtual
586 machine or container image are shown. By default, empty
587 properties are suppressed. Use <option>--all</option> to show
588 those too. To select specific properties to show, use
589 <option>--property=</option>. This command is intended to be
590 used whenever computer-parsable output is required. Use
591 <command>image-status</command> if you are looking for
592 formatted human-readable output.</para></listitem>
593 </varlistentry>
594
595 <varlistentry>
596 <term><command>clone</command> <replaceable>NAME</replaceable> <replaceable>NAME</replaceable></term>
597
598 <listitem><para>Clones a container or VM image. The arguments specify the name of the image to clone and the
599 name of the newly cloned image. Note that plain directory container images are cloned into btrfs subvolume
600 images with this command, if the underlying file system supports this. Note that cloning a container or VM
601 image is optimized for file systems that support copy-on-write, and might not be efficient on others, due to
602 file system limitations.</para>
603
604 <para>Note that this command leaves host name, machine ID and
605 all other settings that could identify the instance
606 unmodified. The original image and the cloned copy will hence
607 share these credentials, and it might be necessary to manually
608 change them in the copy.</para>
609
610 <para>If combined with the <option>--read-only</option> switch a read-only cloned image is
611 created.</para></listitem>
612 </varlistentry>
613
614 <varlistentry>
615 <term><command>rename</command> <replaceable>NAME</replaceable> <replaceable>NAME</replaceable></term>
616
617 <listitem><para>Renames a container or VM image. The
618 arguments specify the name of the image to rename and the new
619 name of the image.</para></listitem>
620 </varlistentry>
621
622 <varlistentry>
623 <term><command>read-only</command> <replaceable>NAME</replaceable> [<replaceable>BOOL</replaceable>]</term>
624
625 <listitem><para>Marks or (unmarks) a container or VM image
626 read-only. Takes a VM or container image name, followed by a
627 boolean as arguments. If the boolean is omitted, positive is
628 implied, i.e. the image is marked read-only.</para></listitem>
629 </varlistentry>
630
631 <varlistentry>
632 <term><command>remove</command> <replaceable>NAME</replaceable></term>
633
634 <listitem><para>Removes one or more container or VM images.
635 The special image <literal>.host</literal>, which refers to
636 the host's own directory tree, may not be
637 removed.</para></listitem>
638 </varlistentry>
639
640 <varlistentry>
641 <term><command>set-limit</command> [<replaceable>NAME</replaceable>] <replaceable>BYTES</replaceable></term>
642
643 <listitem><para>Sets the maximum size in bytes that a specific
644 container or VM image, or all images, may grow up to on disk
645 (disk quota). Takes either one or two parameters. The first,
646 optional parameter refers to a container or VM image name. If
647 specified, the size limit of the specified image is changed. If
648 omitted, the overall size limit of the sum of all images stored
649 locally is changed. The final argument specifies the size
650 limit in bytes, possibly suffixed by the usual K, M, G, T
651 units. If the size limit shall be disabled, specify
652 <literal>-</literal> as size.</para>
653
654 <para>Note that per-container size limits are only supported
655 on btrfs file systems. Also note that, if
656 <command>set-limit</command> is invoked without an image
657 parameter, and <filename>/var/lib/machines</filename> is
658 empty, and the directory is not located on btrfs, a btrfs
659 loopback file is implicitly created as
660 <filename>/var/lib/machines.raw</filename> with the given
661 size, and mounted to
662 <filename>/var/lib/machines</filename>. The size of the
663 loopback may later be readjusted with
664 <command>set-limit</command>, as well. If such a
665 loopback-mounted <filename>/var/lib/machines</filename>
666 directory is used, <command>set-limit</command> without an image
667 name alters both the quota setting within the file system as
668 well as the loopback file and file system size
669 itself.</para></listitem>
670 </varlistentry>
671
672 <varlistentry>
673 <term><command>clean</command></term>
674
675 <listitem><para>Remove hidden VM or container images (or all). This command removes all hidden machine images
676 from <filename>/var/lib/machines</filename>, i.e. those whose name begins with a dot. Use <command>machinectl
677 list-images --all</command> to see a list of all machine images, including the hidden ones.</para>
678
679 <para>When combined with the <option>--all</option> switch removes all images, not just hidden ones. This
680 command effectively empties <filename>/var/lib/machines</filename>.</para>
681
682 <para>Note that commands such as <command>machinectl pull-tar</command> or <command>machinectl
683 pull-raw</command> usually create hidden, read-only, unmodified machine images from the downloaded image first,
684 before cloning a writable working copy of it, in order to avoid duplicate downloads in case of images that are
685 reused multiple times. Use <command>machinectl clean</command> to remove old, hidden images created this
686 way.</para></listitem>
687 </varlistentry>
688
689 </variablelist></refsect2>
690
691 <refsect2><title>Image Transfer Commands</title><variablelist>
692
693 <varlistentry>
694 <term><command>pull-tar</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
695
696 <listitem><para>Downloads a <filename>.tar</filename>
697 container image from the specified URL, and makes it available
698 under the specified local machine name. The URL must be of
699 type <literal>http://</literal> or
700 <literal>https://</literal>, and must refer to a
701 <filename>.tar</filename>, <filename>.tar.gz</filename>,
702 <filename>.tar.xz</filename> or <filename>.tar.bz2</filename>
703 archive file. If the local machine name is omitted, it
704 is automatically derived from the last component of the URL,
705 with its suffix removed.</para>
706
707 <para>The image is verified before it is made available, unless
708 <option>--verify=no</option> is specified.
709 Verification is done either via an inline signed file with the name
710 of the image and the suffix <filename>.sha256</filename> or via
711 separate <filename>SHA256SUMS</filename> and
712 <filename>SHA256SUMS.gpg</filename> files.
713 The signature files need to be made available on the same web
714 server, under the same URL as the <filename>.tar</filename> file.
715 With <option>--verify=checksum</option>, only the SHA256 checksum
716 for the file is verified, based on the <filename>.sha256</filename>
717 suffixed file or the<filename>SHA256SUMS</filename> file.
718 With <option>--verify=signature</option>, the sha checksum file is
719 first verified with the inline signature in the
720 <filename>.sha256</filename> file or the detached GPG signature file
721 <filename>SHA256SUMS.gpg</filename>.
722 The public key for this verification step needs to be available in
723 <filename>/usr/lib/systemd/import-pubring.gpg</filename> or
724 <filename>/etc/systemd/import-pubring.gpg</filename>.</para>
725
726 <para>The container image will be downloaded and stored in a
727 read-only subvolume in
728 <filename>/var/lib/machines/</filename> that is named after
729 the specified URL and its HTTP etag. A writable snapshot is
730 then taken from this subvolume, and named after the specified
731 local name. This behavior ensures that creating multiple
732 container instances of the same URL is efficient, as multiple
733 downloads are not necessary. In order to create only the
734 read-only image, and avoid creating its writable snapshot,
735 specify <literal>-</literal> as local machine name.</para>
736
737 <para>Note that the read-only subvolume is prefixed with
738 <filename>.tar-</filename>, and is thus not shown by
739 <command>list-images</command>, unless <option>--all</option>
740 is passed.</para>
741
742 <para>Note that pressing C-c during execution of this command
743 will not abort the download. Use
744 <command>cancel-transfer</command>, described
745 below.</para></listitem>
746 </varlistentry>
747
748 <varlistentry>
749 <term><command>pull-raw</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
750
751 <listitem><para>Downloads a <filename>.raw</filename>
752 container or VM disk image from the specified URL, and makes
753 it available under the specified local machine name. The URL
754 must be of type <literal>http://</literal> or
755 <literal>https://</literal>. The container image must either
756 be a <filename>.qcow2</filename> or raw disk image, optionally
757 compressed as <filename>.gz</filename>,
758 <filename>.xz</filename>, or <filename>.bz2</filename>. If the
759 local machine name is omitted, it is automatically
760 derived from the last component of the URL, with its suffix
761 removed.</para>
762
763 <para>Image verification is identical for raw and tar images
764 (see above).</para>
765
766 <para>If the downloaded image is in
767 <filename>.qcow2</filename> format it is converted into a raw
768 image file before it is made available.</para>
769
770 <para>Downloaded images of this type will be placed as
771 read-only <filename>.raw</filename> file in
772 <filename>/var/lib/machines/</filename>. A local, writable
773 (reflinked) copy is then made under the specified local
774 machine name. To omit creation of the local, writable copy
775 pass <literal>-</literal> as local machine name.</para>
776
777 <para>Similar to the behavior of <command>pull-tar</command>,
778 the read-only image is prefixed with
779 <filename>.raw-</filename>, and thus not shown by
780 <command>list-images</command>, unless <option>--all</option>
781 is passed.</para>
782
783 <para>Note that pressing C-c during execution of this command
784 will not abort the download. Use
785 <command>cancel-transfer</command>, described
786 below.</para></listitem>
787 </varlistentry>
788
789 <varlistentry>
790 <term><command>import-tar</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term>
791 <term><command>import-raw</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term>
792 <listitem><para>Imports a TAR or RAW container or VM image,
793 and places it under the specified name in
794 <filename>/var/lib/machines/</filename>. When
795 <command>import-tar</command> is used, the file specified as
796 the first argument should be a tar archive, possibly compressed
797 with xz, gzip or bzip2. It will then be unpacked into its own
798 subvolume in <filename>/var/lib/machines</filename>. When
799 <command>import-raw</command> is used, the file should be a
800 qcow2 or raw disk image, possibly compressed with xz, gzip or
801 bzip2. If the second argument (the resulting image name) is
802 not specified, it is automatically derived from the file
803 name. If the filename is passed as <literal>-</literal>, the
804 image is read from standard input, in which case the second
805 argument is mandatory.</para>
806
807 <para>Both <command>pull-tar</command> and <command>pull-raw</command>
808 will resize <filename>/var/lib/machines.raw</filename> and the
809 filesystem therein as necessary. Optionally, the
810 <option>--read-only</option> switch may be used to create a
811 read-only container or VM image. No cryptographic validation
812 is done when importing the images.</para>
813
814 <para>Much like image downloads, ongoing imports may be listed
815 with <command>list-transfers</command> and aborted with
816 <command>cancel-transfer</command>.</para></listitem>
817 </varlistentry>
818
819 <varlistentry>
820 <term><command>export-tar</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term>
821 <term><command>export-raw</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term>
822 <listitem><para>Exports a TAR or RAW container or VM image and
823 stores it in the specified file. The first parameter should be
824 a VM or container image name. The second parameter should be a
825 file path the TAR or RAW image is written to. If the path ends
826 in <literal>.gz</literal>, the file is compressed with gzip, if
827 it ends in <literal>.xz</literal>, with xz, and if it ends in
828 <literal>.bz2</literal>, with bzip2. If the path ends in
829 neither, the file is left uncompressed. If the second argument
830 is missing, the image is written to standard output. The
831 compression may also be explicitly selected with the
832 <option>--format=</option> switch. This is in particular
833 useful if the second parameter is left unspecified.</para>
834
835 <para>Much like image downloads and imports, ongoing exports
836 may be listed with <command>list-transfers</command> and
837 aborted with
838 <command>cancel-transfer</command>.</para>
839
840 <para>Note that, currently, only directory and subvolume images
841 may be exported as TAR images, and only raw disk images as RAW
842 images.</para></listitem>
843 </varlistentry>
844
845 <varlistentry>
846 <term><command>list-transfers</command></term>
847
848 <listitem><para>Shows a list of container or VM image
849 downloads, imports and exports that are currently in
850 progress.</para></listitem>
851 </varlistentry>
852
853 <varlistentry>
854 <term><command>cancel-transfer</command> <replaceable>ID</replaceable></term>
855
856 <listitem><para>Aborts a download, import or export of the
857 container or VM image with the specified ID. To list ongoing
858 transfers and their IDs, use
859 <command>list-transfers</command>. </para></listitem>
860 </varlistentry>
861
862 </variablelist></refsect2>
863
864 </refsect1>
865
866 <refsect1>
867 <title>Machine and Image Names</title>
868
869 <para>The <command>machinectl</command> tool operates on machines
870 and images whose names must be chosen following strict
871 rules. Machine names must be suitable for use as host names
872 following a conservative subset of DNS and UNIX/Linux
873 semantics. Specifically, they must consist of one or more
874 non-empty label strings, separated by dots. No leading or trailing
875 dots are allowed. No sequences of multiple dots are allowed. The
876 label strings may only consist of alphanumeric characters as well
877 as the dash and underscore. The maximum length of a machine name
878 is 64 characters.</para>
879
880 <para>A special machine with the name <literal>.host</literal>
881 refers to the running host system itself. This is useful for execution
882 operations or inspecting the host system as well. Note that
883 <command>machinectl list</command> will not show this special
884 machine unless the <option>--all</option> switch is specified.</para>
885
886 <para>Requirements on image names are less strict, however, they must be
887 valid UTF-8, must be suitable as file names (hence not be the
888 single or double dot, and not include a slash), and may not
889 contain control characters. Since many operations search for an
890 image by the name of a requested machine, it is recommended to name
891 images in the same strict fashion as machines.</para>
892
893 <para>A special image with the name <literal>.host</literal>
894 refers to the image of the running host system. It hence
895 conceptually maps to the special <literal>.host</literal> machine
896 name described above. Note that <command>machinectl
897 list-images</command> will not show this special image either, unless
898 <option>--all</option> is specified.</para>
899 </refsect1>
900
901 <refsect1>
902 <title>Files and Directories</title>
903
904 <para>Machine images are preferably stored in
905 <filename>/var/lib/machines/</filename>, but are also searched for
906 in <filename>/usr/local/lib/machines/</filename> and
907 <filename>/usr/lib/machines/</filename>. For compatibility reasons,
908 the directory <filename>/var/lib/container/</filename> is
909 searched, too. Note that images stored below
910 <filename>/usr</filename> are always considered read-only. It is
911 possible to symlink machines images from other directories into
912 <filename>/var/lib/machines/</filename> to make them available for
913 control with <command>machinectl</command>.</para>
914
915 <para>Note that some image operations are only supported,
916 efficient or atomic on btrfs file systems. Due to this, if the
917 <command>pull-tar</command>, <command>pull-raw</command>,
918 <command>import-tar</command>, <command>import-raw</command> and
919 <command>set-limit</command> commands notice that
920 <filename>/var/lib/machines</filename> is empty and not located on
921 btrfs, they will implicitly set up a loopback file
922 <filename>/var/lib/machines.raw</filename> containing a btrfs file
923 system that is mounted to
924 <filename>/var/lib/machines</filename>. The size of this loopback
925 file may be controlled dynamically with
926 <command>set-limit</command>.</para>
927
928 <para>Disk images are understood by
929 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
930 and <command>machinectl</command> in three formats:</para>
931
932 <itemizedlist>
933 <listitem><para>A simple directory tree, containing the files
934 and directories of the container to boot.</para></listitem>
935
936 <listitem><para>Subvolumes (on btrfs file systems), which are
937 similar to the simple directories, described above. However,
938 they have additional benefits, such as efficient cloning and
939 quota reporting.</para></listitem>
940
941 <listitem><para>"Raw" disk images, i.e. binary images of disks
942 with a GPT or MBR partition table. Images of this type are
943 regular files with the suffix
944 <literal>.raw</literal>.</para></listitem>
945 </itemizedlist>
946
947 <para>See
948 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
949 for more information on image formats, in particular its
950 <option>--directory=</option> and <option>--image=</option>
951 options.</para>
952 </refsect1>
953
954 <refsect1>
955 <title>Examples</title>
956 <example>
957 <title>Download an Ubuntu image and open a shell in it</title>
958
959 <programlisting># machinectl pull-tar https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-root.tar.gz
960 # systemd-nspawn -M trusty-server-cloudimg-amd64-root</programlisting>
961
962 <para>This downloads and verifies the specified
963 <filename>.tar</filename> image, and then uses
964 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
965 to open a shell in it.</para>
966 </example>
967
968 <example>
969 <title>Download a Fedora image, set a root password in it, start
970 it as service</title>
971
972 <programlisting># machinectl pull-raw --verify=no https://dl.fedoraproject.org/pub/fedora/linux/releases/27/CloudImages/x86_64/images/Fedora-Cloud-Base-27-1.6.x86_64.raw.xz
973 # systemd-nspawn -M Fedora-Cloud-Base-27-1.6.x86_64
974 # passwd
975 # exit
976 # machinectl start Fedora-Cloud-Base-27-1.6.x86_64
977 # machinectl login Fedora-Cloud-Base-27-1.6.x86_64</programlisting>
978
979 <para>This downloads the specified <filename>.raw</filename>
980 image with verification disabled. Then, a shell is opened in it
981 and a root password is set. Afterwards the shell is left, and
982 the machine started as system service. With the last command a
983 login prompt into the container is requested.</para>
984 </example>
985
986 <example>
987 <title>Exports a container image as tar file</title>
988
989 <programlisting># machinectl export-tar fedora myfedora.tar.xz</programlisting>
990
991 <para>Exports the container <literal>fedora</literal> as an
992 xz-compressed tar file <filename>myfedora.tar.xz</filename> into the
993 current directory.</para>
994 </example>
995
996 <example>
997 <title>Create a new shell session</title>
998
999 <programlisting># machinectl shell --uid=lennart</programlisting>
1000
1001 <para>This creates a new shell session on the local host for
1002 the user ID <literal>lennart</literal>, in a <citerefentry
1003 project='die-net'><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>-like
1004 fashion.</para>
1005 </example>
1006
1007 </refsect1>
1008
1009 <refsect1>
1010 <title>Exit status</title>
1011
1012 <para>On success, 0 is returned, a non-zero failure code
1013 otherwise.</para>
1014 </refsect1>
1015
1016 <xi:include href="less-variables.xml" />
1017
1018 <refsect1>
1019 <title>See Also</title>
1020 <para>
1021 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1022 <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1023 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1024 <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
1025 <citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1026 <citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1027 <citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1028 <citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1029 </para>
1030 </refsect1>
1031
1032 </refentry>
Unnamed repository; edit this file 'description' to name the repository.