]>
Commit | Line | Data |
---|---|---|
c454426c | 1 | <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*--> |
19887cd0 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
19887cd0 ZJS |
4 | |
5 | <!-- | |
572eb058 ZJS |
6 | SPDX-License-Identifier: LGPL-2.1+ |
7 | ||
96b2fb93 | 8 | Copyright © 2013 Zbigniew Jędrzejewski-Szmek |
19887cd0 ZJS |
9 | --> |
10 | ||
21ac6ff1 | 11 | <refentry id="machinectl" conditional='ENABLE_MACHINED' |
798d3a52 ZJS |
12 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
13 | ||
14 | <refentryinfo> | |
15 | <title>machinectl</title> | |
16 | <productname>systemd</productname> | |
798d3a52 ZJS |
17 | </refentryinfo> |
18 | ||
19 | <refmeta> | |
20 | <refentrytitle>machinectl</refentrytitle> | |
21 | <manvolnum>1</manvolnum> | |
22 | </refmeta> | |
23 | ||
24 | <refnamediv> | |
25 | <refname>machinectl</refname> | |
26 | <refpurpose>Control the systemd machine manager</refpurpose> | |
27 | </refnamediv> | |
28 | ||
29 | <refsynopsisdiv> | |
30 | <cmdsynopsis> | |
31 | <command>machinectl</command> | |
32 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
33 | <arg choice="req">COMMAND</arg> | |
34 | <arg choice="opt" rep="repeat">NAME</arg> | |
35 | </cmdsynopsis> | |
36 | </refsynopsisdiv> | |
37 | ||
38 | <refsect1> | |
39 | <title>Description</title> | |
40 | ||
41 | <para><command>machinectl</command> may be used to introspect and | |
42 | control the state of the | |
43 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
44 | virtual machine and container registration manager | |
45 | <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
91913f58 LP |
46 | |
47 | <para><command>machinectl</command> may be used to execute | |
48 | operations on machines and images. Machines in this sense are | |
49 | considered running instances of:</para> | |
50 | ||
51 | <itemizedlist> | |
52 | <listitem><para>Virtual Machines (VMs) that virtualize hardware | |
53 | to run full operating system (OS) instances (including their kernels) | |
54 | in a virtualized environment on top of the host OS.</para></listitem> | |
55 | ||
56 | <listitem><para>Containers that share the hardware and | |
57 | OS kernel with the host OS, in order to run | |
58 | OS userspace instances on top the host OS.</para></listitem> | |
59 | ||
fa69a4c7 | 60 | <listitem><para>The host system itself.</para></listitem> |
91913f58 LP |
61 | </itemizedlist> |
62 | ||
63 | <para>Machines are identified by names that follow the same rules | |
fa69a4c7 ZJS |
64 | as UNIX and DNS host names. For details, see below.</para> |
65 | ||
66 | <para>Machines are instantiated from disk or file system images that | |
67 | frequently — but not necessarily — carry the same name as machines running | |
68 | from them. Images in this sense may be:</para> | |
91913f58 LP |
69 | |
70 | <itemizedlist> | |
fa69a4c7 | 71 | <listitem><para>Directory trees containing an OS, including the |
91913f58 LP |
72 | top-level directories <filename>/usr</filename>, |
73 | <filename>/etc</filename>, and so on.</para></listitem> | |
74 | ||
75 | <listitem><para>btrfs subvolumes containing OS trees, similar to | |
76 | normal directory trees.</para></listitem> | |
77 | ||
78 | <listitem><para>Binary "raw" disk images containing MBR or GPT | |
79 | partition tables and Linux file system partitions.</para></listitem> | |
80 | ||
81 | <listitem><para>The file system tree of the host OS itself.</para></listitem> | |
82 | </itemizedlist> | |
83 | ||
798d3a52 ZJS |
84 | </refsect1> |
85 | ||
86 | <refsect1> | |
87 | <title>Options</title> | |
88 | ||
89 | <para>The following options are understood:</para> | |
90 | ||
91 | <variablelist> | |
92 | <varlistentry> | |
93 | <term><option>-p</option></term> | |
94 | <term><option>--property=</option></term> | |
95 | ||
96 | <listitem><para>When showing machine or image properties, | |
97 | limit the output to certain properties as specified by the | |
98 | argument. If not specified, all set properties are shown. The | |
99 | argument should be a property name, such as | |
100 | <literal>Name</literal>. If specified more than once, all | |
101 | properties with the specified names are | |
102 | shown.</para></listitem> | |
103 | </varlistentry> | |
104 | ||
105 | <varlistentry> | |
106 | <term><option>-a</option></term> | |
107 | <term><option>--all</option></term> | |
108 | ||
109 | <listitem><para>When showing machine or image properties, show | |
110 | all properties regardless of whether they are set or | |
111 | not.</para> | |
112 | ||
113 | <para>When listing VM or container images, do not suppress | |
114 | images beginning in a dot character | |
d94c2b06 LP |
115 | (<literal>.</literal>).</para> |
116 | ||
117 | <para>When cleaning VM or container images, remove all images, not just hidden ones.</para></listitem> | |
798d3a52 ZJS |
118 | </varlistentry> |
119 | ||
85500523 ZJS |
120 | <varlistentry> |
121 | <term><option>--value</option></term> | |
122 | ||
123 | <listitem><para>When printing properties with <command>show</command>, only print the value, | |
124 | and skip the property name and <literal>=</literal>.</para></listitem> | |
125 | </varlistentry> | |
126 | ||
798d3a52 ZJS |
127 | <varlistentry> |
128 | <term><option>-l</option></term> | |
129 | <term><option>--full</option></term> | |
130 | ||
131 | <listitem><para>Do not ellipsize process tree entries.</para> | |
132 | </listitem> | |
133 | </varlistentry> | |
134 | ||
798d3a52 ZJS |
135 | <varlistentry> |
136 | <term><option>--kill-who=</option></term> | |
137 | ||
138 | <listitem><para>When used with <command>kill</command>, choose | |
139 | which processes to kill. Must be one of | |
140 | <option>leader</option>, or <option>all</option> to select | |
141 | whether to kill only the leader process of the machine or all | |
142 | processes of the machine. If omitted, defaults to | |
143 | <option>all</option>.</para></listitem> | |
144 | </varlistentry> | |
145 | ||
146 | <varlistentry> | |
147 | <term><option>-s</option></term> | |
148 | <term><option>--signal=</option></term> | |
149 | ||
150 | <listitem><para>When used with <command>kill</command>, choose | |
151 | which signal to send to selected processes. Must be one of the | |
152 | well-known signal specifiers, such as | |
153 | <constant>SIGTERM</constant>, <constant>SIGINT</constant> or | |
154 | <constant>SIGSTOP</constant>. If omitted, defaults to | |
155 | <constant>SIGTERM</constant>.</para></listitem> | |
156 | </varlistentry> | |
157 | ||
c454426c LP |
158 | <varlistentry> |
159 | <term><option>--uid=</option></term> | |
160 | ||
bc3bb330 ZJS |
161 | <listitem><para>When used with the <command>shell</command> command, chooses the user ID to |
162 | open the interactive shell session as. If the argument to the <command>shell</command> | |
b17649ee | 163 | command also specifies a user name, this option is ignored. If the name is not specified |
bc3bb330 ZJS |
164 | in either way, <literal>root</literal> will be used by default. Note that this switch is |
165 | not supported for the <command>login</command> command (see below).</para></listitem> | |
c454426c LP |
166 | </varlistentry> |
167 | ||
168 | <varlistentry> | |
4d46e5db ZJS |
169 | <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> |
170 | <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> | |
171 | ||
172 | <listitem><para>When used with the <command>shell</command> command, sets an environment | |
173 | variable to pass to the executed shell. Takes an environment variable name and value, | |
174 | separated by <literal>=</literal>. This switch may be used multiple times to set multiple | |
175 | environment variables. Note that this switch is not supported for the | |
176 | <command>login</command> command (see below).</para></listitem> | |
c454426c LP |
177 | </varlistentry> |
178 | ||
798d3a52 ZJS |
179 | <varlistentry> |
180 | <term><option>--mkdir</option></term> | |
181 | ||
d3590ace LP |
182 | <listitem><para>When used with <command>bind</command>, creates the destination file or directory before |
183 | applying the bind mount. Note that even though the name of this option suggests that it is suitable only for | |
1b2ad5d9 | 184 | directories, this option also creates the destination file node to mount over if the object to mount is not |
d3590ace | 185 | a directory, but a regular file, device node, socket or FIFO.</para></listitem> |
798d3a52 ZJS |
186 | </varlistentry> |
187 | ||
798d3a52 ZJS |
188 | <varlistentry> |
189 | <term><option>--read-only</option></term> | |
190 | ||
d3590ace | 191 | <listitem><para>When used with <command>bind</command>, creates a read-only bind mount.</para> |
798d3a52 | 192 | |
d94c2b06 LP |
193 | <para>When used with <command>clone</command>, <command>import-raw</command> or <command>import-tar</command> a |
194 | read-only container or VM image is created.</para></listitem> | |
195 | </varlistentry> | |
798d3a52 ZJS |
196 | |
197 | <varlistentry> | |
198 | <term><option>-n</option></term> | |
199 | <term><option>--lines=</option></term> | |
200 | ||
201 | <listitem><para>When used with <command>status</command>, | |
202 | controls the number of journal lines to show, counting from | |
203 | the most recent ones. Takes a positive integer argument. | |
204 | Defaults to 10.</para> | |
205 | </listitem> | |
206 | </varlistentry> | |
207 | ||
208 | <varlistentry> | |
209 | <term><option>-o</option></term> | |
210 | <term><option>--output=</option></term> | |
211 | ||
212 | <listitem><para>When used with <command>status</command>, | |
213 | controls the formatting of the journal entries that are shown. | |
214 | For the available choices, see | |
215 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
216 | Defaults to <literal>short</literal>.</para></listitem> | |
217 | </varlistentry> | |
218 | ||
219 | <varlistentry> | |
220 | <term><option>--verify=</option></term> | |
221 | ||
222 | <listitem><para>When downloading a container or VM image, | |
223 | specify whether the image shall be verified before it is made | |
224 | available. Takes one of <literal>no</literal>, | |
225 | <literal>checksum</literal> and <literal>signature</literal>. | |
b938cb90 JE |
226 | If <literal>no</literal>, no verification is done. If |
227 | <literal>checksum</literal> is specified, the download is | |
a8eaaee7 | 228 | checked for integrity after the transfer is complete, but no |
798d3a52 | 229 | signatures are verified. If <literal>signature</literal> is |
7f3fdb7f | 230 | specified, the checksum is verified and the image's signature |
798d3a52 ZJS |
231 | is checked against a local keyring of trustable vendors. It is |
232 | strongly recommended to set this option to | |
233 | <literal>signature</literal> if the server and protocol | |
234 | support this. Defaults to | |
235 | <literal>signature</literal>.</para></listitem> | |
236 | </varlistentry> | |
237 | ||
238 | <varlistentry> | |
239 | <term><option>--force</option></term> | |
240 | ||
241 | <listitem><para>When downloading a container or VM image, and | |
242 | a local copy by the specified local machine name already | |
243 | exists, delete it first and replace it by the newly downloaded | |
244 | image.</para></listitem> | |
245 | </varlistentry> | |
246 | ||
6e9efa59 LP |
247 | <varlistentry> |
248 | <term><option>--format=</option></term> | |
249 | ||
250 | <listitem><para>When used with the <option>export-tar</option> | |
b938cb90 | 251 | or <option>export-raw</option> commands, specifies the |
6e9efa59 LP |
252 | compression format to use for the resulting file. Takes one of |
253 | <literal>uncompressed</literal>, <literal>xz</literal>, | |
b938cb90 | 254 | <literal>gzip</literal>, <literal>bzip2</literal>. By default, |
6e9efa59 LP |
255 | the format is determined automatically from the image file |
256 | name passed.</para></listitem> | |
257 | </varlistentry> | |
258 | ||
07b0b339 SK |
259 | <varlistentry> |
260 | <term><option>--max-addresses=</option></term> | |
261 | ||
262 | <listitem><para>When used with the <option>list-machines</option> | |
263 | command, limits the number of ip addresses output for every machine. | |
264 | Defaults to 1. All addresses can be requested with <literal>all</literal> | |
265 | as argument to <option>--max-addresses</option> . If the argument to | |
266 | <option>--max-addresses</option> is less than the actual number | |
2a03116d | 267 | of addresses, <literal>...</literal>follows the last address. |
07b0b339 SK |
268 | If multiple addresses are to be written for a given machine, every |
269 | address except the first one is on a new line and is followed by | |
270 | <literal>,</literal> if another address will be output afterwards. </para></listitem> | |
271 | </varlistentry> | |
272 | ||
af8cbf47 YW |
273 | <varlistentry> |
274 | <term><option>-q</option></term> | |
275 | <term><option>--quiet</option></term> | |
276 | ||
277 | <listitem><para>Suppresses additional informational output while running.</para></listitem> | |
278 | </varlistentry> | |
279 | ||
798d3a52 | 280 | <xi:include href="user-system-options.xml" xpointer="host" /> |
fa69a4c7 ZJS |
281 | |
282 | <varlistentry> | |
283 | <term><option>-M</option></term> | |
284 | <term><option>--machine=</option></term> | |
285 | ||
286 | <listitem><para>Connect to | |
287 | <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
288 | running in a local container, to perform the specified operation within | |
289 | the container.</para></listitem> | |
290 | </varlistentry> | |
798d3a52 ZJS |
291 | |
292 | <xi:include href="standard-options.xml" xpointer="no-pager" /> | |
293 | <xi:include href="standard-options.xml" xpointer="no-legend" /> | |
d47410f3 | 294 | <xi:include href="standard-options.xml" xpointer="no-ask-password" /> |
798d3a52 ZJS |
295 | <xi:include href="standard-options.xml" xpointer="help" /> |
296 | <xi:include href="standard-options.xml" xpointer="version" /> | |
297 | </variablelist> | |
298 | </refsect1> | |
299 | ||
300 | <refsect1> | |
301 | <title>Commands</title> | |
302 | ||
303 | <para>The following commands are understood:</para> | |
304 | ||
305 | <refsect2><title>Machine Commands</title><variablelist> | |
306 | ||
307 | <varlistentry> | |
308 | <term><command>list</command></term> | |
309 | ||
310 | <listitem><para>List currently running (online) virtual | |
91913f58 LP |
311 | machines and containers. To enumerate machine images that can |
312 | be started, use <command>list-images</command> (see | |
313 | below). Note that this command hides the special | |
314 | <literal>.host</literal> machine by default. Use the | |
315 | <option>--all</option> switch to show it.</para></listitem> | |
798d3a52 ZJS |
316 | </varlistentry> |
317 | ||
318 | <varlistentry> | |
1eecafb8 | 319 | <term><command>status</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 | 320 | |
28f90ea2 | 321 | <listitem><para>Show runtime status information about |
798d3a52 ZJS |
322 | one or more virtual machines and containers, followed by the |
323 | most recent log data from the journal. This function is | |
324 | intended to generate human-readable output. If you are looking | |
325 | for computer-parsable output, use <command>show</command> | |
326 | instead. Note that the log data shown is reported by the | |
327 | virtual machine or container manager, and frequently contains | |
328 | console output of the machine, but not necessarily journal | |
329 | contents of the machine itself.</para></listitem> | |
330 | </varlistentry> | |
331 | ||
332 | <varlistentry> | |
1eecafb8 | 333 | <term><command>show</command> [<replaceable>NAME</replaceable>…]</term> |
798d3a52 | 334 | |
e9c880dd LP |
335 | <listitem><para>Show properties of one or more registered virtual machines or containers or the manager |
336 | itself. If no argument is specified, properties of the manager will be shown. If a NAME is specified, | |
337 | properties of this virtual machine or container are shown. By default, empty properties are suppressed. Use | |
338 | <option>--all</option> to show those too. To select specific properties to show, use | |
339 | <option>--property=</option>. This command is intended to be used whenever computer-parsable output is | |
340 | required, and does not print the control group tree or journal entries. Use <command>status</command> if you | |
341 | are looking for formatted human-readable output.</para></listitem> | |
798d3a52 ZJS |
342 | </varlistentry> |
343 | ||
344 | <varlistentry> | |
1eecafb8 | 345 | <term><command>start</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 ZJS |
346 | |
347 | <listitem><para>Start a container as a system service, using | |
348 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
349 | This starts <filename>systemd-nspawn@.service</filename>, | |
350 | instantiated for the specified machine name, similar to the | |
351 | effect of <command>systemctl start</command> on the service | |
352 | name. <command>systemd-nspawn</command> looks for a container | |
353 | image by the specified name in | |
354 | <filename>/var/lib/machines/</filename> (and other search | |
355 | paths, see below) and runs it. Use | |
b938cb90 | 356 | <command>list-images</command> (see below) for listing |
798d3a52 ZJS |
357 | available container images to start.</para> |
358 | ||
359 | <para>Note that | |
360 | <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
361 | also interfaces with a variety of other container and VM | |
362 | managers, <command>systemd-nspawn</command> is just one | |
363 | implementation of it. Most of the commands available in | |
364 | <command>machinectl</command> may be used on containers or VMs | |
365 | controlled by other managers, not just | |
366 | <command>systemd-nspawn</command>. Starting VMs and container | |
367 | images on those managers requires manager-specific | |
368 | tools.</para> | |
369 | ||
370 | <para>To interactively start a container on the command line | |
371 | with full access to the container's console, please invoke | |
372 | <command>systemd-nspawn</command> directly. To stop a running | |
b2bb19bb | 373 | container use <command>machinectl poweroff</command>.</para></listitem> |
798d3a52 ZJS |
374 | </varlistentry> |
375 | ||
376 | <varlistentry> | |
91913f58 | 377 | <term><command>login</command> [<replaceable>NAME</replaceable>]</term> |
798d3a52 | 378 | |
c454426c | 379 | <listitem><para>Open an interactive terminal login session in |
b938cb90 | 380 | a container or on the local host. If an argument is supplied, |
91913f58 LP |
381 | it refers to the container machine to connect to. If none is |
382 | specified, or the container name is specified as the empty | |
383 | string, or the special machine name <literal>.host</literal> | |
384 | (see below) is specified, the connection is made to the local | |
385 | host instead. This will create a TTY connection to a specific | |
386 | container or the local host and asks for the execution of a | |
387 | getty on it. Note that this is only supported for containers | |
388 | running | |
798d3a52 ZJS |
389 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
390 | as init system.</para> | |
391 | ||
392 | <para>This command will open a full login prompt on the | |
91913f58 LP |
393 | container or the local host, which then asks for username and |
394 | password. Use <command>shell</command> (see below) or | |
798d3a52 | 395 | <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
91913f58 LP |
396 | with the <option>--machine=</option> switch to directly invoke |
397 | a single command, either interactively or in the | |
398 | background.</para></listitem> | |
798d3a52 ZJS |
399 | </varlistentry> |
400 | ||
c454426c | 401 | <varlistentry> |
1eecafb8 | 402 | <term><command>shell</command> [[<replaceable>NAME</replaceable>@]<replaceable>NAME</replaceable> [<replaceable>PATH</replaceable> [<replaceable>ARGUMENTS</replaceable>…]]] </term> |
c454426c LP |
403 | |
404 | <listitem><para>Open an interactive shell session in a | |
91913f58 LP |
405 | container or on the local host. The first argument refers to |
406 | the container machine to connect to. If none is specified, or | |
407 | the machine name is specified as the empty string, or the | |
408 | special machine name <literal>.host</literal> (see below) is | |
409 | specified, the connection is made to the local host | |
410 | instead. This works similar to <command>login</command> but | |
411 | immediately invokes a user process. This command runs the | |
c46bc7e2 SL |
412 | specified executable with the specified arguments, or the |
413 | default shell for the user if none is specified, or | |
414 | <filename>/bin/sh</filename> if no default shell is found. By default, | |
ef3100e9 LP |
415 | <option>--uid=</option>, or by prefixing the machine name with |
416 | a username and an <literal>@</literal> character, a different | |
417 | user may be selected. Use <option>--setenv=</option> to set | |
418 | environment variables for the executed process.</para> | |
419 | ||
7f129a1f LP |
420 | <para>Note that <command>machinectl shell</command> does not propagate the exit code/status of the invoked |
421 | shell process. Use <command>systemd-run</command> instead if that information is required (see below).</para> | |
422 | ||
ef3100e9 | 423 | <para>When using the <command>shell</command> command without |
b938cb90 | 424 | arguments, (thus invoking the executed shell or command on the |
a8eaaee7 | 425 | local host), it is in many ways similar to a <citerefentry |
ef3100e9 | 426 | project='die-net'><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
b938cb90 | 427 | session, but, unlike <command>su</command>, completely isolates |
ef3100e9 LP |
428 | the new session from the originating session, so that it |
429 | shares no process or session properties, and is in a clean and | |
430 | well-defined state. It will be tracked in a new utmp, login, | |
762a5766 LP |
431 | audit, security and keyring session, and will not inherit any |
432 | environment variables or resource limits, among other | |
433 | properties.</para> | |
ef3100e9 | 434 | |
7f129a1f LP |
435 | <para>Note that <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
436 | with its <option>--machine=</option> switch may be used in place of the <command>machinectl shell</command> | |
437 | command, and allows non-interactive operation, more detailed and low-level configuration of the invoked unit, | |
438 | as well as access to runtime and exit code/status information of the invoked shell process. In particular, use | |
439 | <command>systemd-run</command>'s <option>--wait</option> switch to propagate exit status information of the | |
440 | invoked process. Use <command>systemd-run</command>'s <option>--pty</option> switch for acquiring an | |
441 | interactive shell, similar to <command>machinectl shell</command>. In general, <command>systemd-run</command> | |
442 | is preferable for scripting purposes. However, note that <command>systemd-run</command> might require higher | |
443 | privileges than <command>machinectl shell</command>.</para></listitem> | |
c454426c LP |
444 | </varlistentry> |
445 | ||
798d3a52 | 446 | <varlistentry> |
1eecafb8 ZJS |
447 | <term><command>enable</command> <replaceable>NAME</replaceable>…</term> |
448 | <term><command>disable</command> <replaceable>NAME</replaceable>…</term> | |
798d3a52 ZJS |
449 | |
450 | <listitem><para>Enable or disable a container as a system | |
451 | service to start at system boot, using | |
452 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
453 | This enables or disables | |
454 | <filename>systemd-nspawn@.service</filename>, instantiated for | |
455 | the specified machine name, similar to the effect of | |
456 | <command>systemctl enable</command> or <command>systemctl | |
457 | disable</command> on the service name.</para></listitem> | |
458 | </varlistentry> | |
459 | ||
460 | <varlistentry> | |
1eecafb8 | 461 | <term><command>poweroff</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 ZJS |
462 | |
463 | <listitem><para>Power off one or more containers. This will | |
464 | trigger a reboot by sending SIGRTMIN+4 to the container's init | |
465 | process, which causes systemd-compatible init systems to shut | |
b2bb19bb CR |
466 | down cleanly. Use <command>stop</command> as alias for <command>poweroff</command>. |
467 | This operation does not work on containers that do not run a | |
798d3a52 ZJS |
468 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible |
469 | init system, such as sysvinit. Use | |
470 | <command>terminate</command> (see below) to immediately | |
471 | terminate a container or VM, without cleanly shutting it | |
472 | down.</para></listitem> | |
473 | </varlistentry> | |
474 | ||
475 | <varlistentry> | |
1eecafb8 | 476 | <term><command>reboot</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 ZJS |
477 | |
478 | <listitem><para>Reboot one or more containers. This will | |
479 | trigger a reboot by sending SIGINT to the container's init | |
480 | process, which is roughly equivalent to pressing Ctrl+Alt+Del | |
481 | on a non-containerized system, and is compatible with | |
482 | containers running any system manager.</para></listitem> | |
483 | </varlistentry> | |
484 | ||
485 | <varlistentry> | |
1eecafb8 | 486 | <term><command>terminate</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 ZJS |
487 | |
488 | <listitem><para>Immediately terminates a virtual machine or | |
489 | container, without cleanly shutting it down. This kills all | |
490 | processes of the virtual machine or container and deallocates | |
491 | all resources attached to that instance. Use | |
492 | <command>poweroff</command> to issue a clean shutdown | |
493 | request.</para></listitem> | |
494 | </varlistentry> | |
495 | ||
496 | <varlistentry> | |
1eecafb8 | 497 | <term><command>kill</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 ZJS |
498 | |
499 | <listitem><para>Send a signal to one or more processes of the | |
500 | virtual machine or container. This means processes as seen by | |
501 | the host, not the processes inside the virtual machine or | |
502 | container. Use <option>--kill-who=</option> to select which | |
503 | process to kill. Use <option>--signal=</option> to select the | |
504 | signal to send.</para></listitem> | |
505 | </varlistentry> | |
506 | ||
507 | <varlistentry> | |
508 | <term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term> | |
509 | ||
d3590ace LP |
510 | <listitem><para>Bind mounts a file or directory from the host into the specified container. The first path |
511 | argument is the source file or directory on the host, the second path argument is the destination file or | |
512 | directory in the container. When the latter is omitted, the destination path in the container is the same as | |
513 | the source path on the host. When combined with the <option>--read-only</option> switch, a ready-only bind | |
514 | mount is created. When combined with the <option>--mkdir</option> switch, the destination path is first created | |
515 | before the mount is applied. Note that this option is currently only supported for | |
7f43928b | 516 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers, |
d3590ace LP |
517 | and only if user namespacing (<option>--private-users</option>) is not used. This command supports bind |
518 | mounting directories, regular files, device nodes, <constant>AF_UNIX</constant> socket nodes, as well as | |
519 | FIFOs.</para></listitem> | |
798d3a52 ZJS |
520 | </varlistentry> |
521 | ||
522 | <varlistentry> | |
523 | <term><command>copy-to</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term> | |
524 | ||
525 | <listitem><para>Copies files or directories from the host | |
526 | system into a running container. Takes a container name, | |
527 | followed by the source path on the host and the destination | |
b938cb90 | 528 | path in the container. If the destination path is omitted, the |
d01cd401 | 529 | same as the source path is used.</para> |
798d3a52 | 530 | |
d01cd401 LP |
531 | <para>If host and container share the same user and group namespace, file ownership by numeric user ID and |
532 | group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root | |
533 | user and group (UID/GID 0).</para></listitem> | |
534 | </varlistentry> | |
798d3a52 ZJS |
535 | |
536 | <varlistentry> | |
537 | <term><command>copy-from</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term> | |
538 | ||
539 | <listitem><para>Copies files or directories from a container | |
540 | into the host system. Takes a container name, followed by the | |
541 | source path in the container the destination path on the host. | |
b938cb90 | 542 | If the destination path is omitted, the same as the source path |
d01cd401 LP |
543 | is used.</para> |
544 | ||
545 | <para>If host and container share the same user and group namespace, file ownership by numeric user ID and | |
546 | group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root | |
547 | user and group (UID/GID 0).</para></listitem> | |
798d3a52 ZJS |
548 | </varlistentry> |
549 | </variablelist></refsect2> | |
550 | ||
551 | <refsect2><title>Image Commands</title><variablelist> | |
552 | ||
553 | <varlistentry> | |
554 | <term><command>list-images</command></term> | |
555 | ||
556 | <listitem><para>Show a list of locally installed container and | |
557 | VM images. This enumerates all raw disk images and container | |
558 | directories and subvolumes in | |
559 | <filename>/var/lib/machines/</filename> (and other search | |
560 | paths, see below). Use <command>start</command> (see above) to | |
b938cb90 JE |
561 | run a container off one of the listed images. Note that, by |
562 | default, containers whose name begins with a dot | |
798d3a52 ZJS |
563 | (<literal>.</literal>) are not shown. To show these too, |
564 | specify <option>--all</option>. Note that a special image | |
565 | <literal>.host</literal> always implicitly exists and refers | |
566 | to the image the host itself is booted from.</para></listitem> | |
567 | </varlistentry> | |
568 | ||
569 | <varlistentry> | |
1eecafb8 | 570 | <term><command>image-status</command> [<replaceable>NAME</replaceable>…]</term> |
798d3a52 ZJS |
571 | |
572 | <listitem><para>Show terse status information about one or | |
573 | more container or VM images. This function is intended to | |
574 | generate human-readable output. Use | |
575 | <command>show-image</command> (see below) to generate | |
576 | computer-parsable output instead.</para></listitem> | |
577 | </varlistentry> | |
578 | ||
579 | <varlistentry> | |
1eecafb8 | 580 | <term><command>show-image</command> [<replaceable>NAME</replaceable>…]</term> |
798d3a52 ZJS |
581 | |
582 | <listitem><para>Show properties of one or more registered | |
583 | virtual machine or container images, or the manager itself. If | |
584 | no argument is specified, properties of the manager will be | |
037a3ded | 585 | shown. If a NAME is specified, properties of this virtual |
798d3a52 ZJS |
586 | machine or container image are shown. By default, empty |
587 | properties are suppressed. Use <option>--all</option> to show | |
588 | those too. To select specific properties to show, use | |
589 | <option>--property=</option>. This command is intended to be | |
590 | used whenever computer-parsable output is required. Use | |
591 | <command>image-status</command> if you are looking for | |
592 | formatted human-readable output.</para></listitem> | |
593 | </varlistentry> | |
594 | ||
595 | <varlistentry> | |
596 | <term><command>clone</command> <replaceable>NAME</replaceable> <replaceable>NAME</replaceable></term> | |
597 | ||
d13febb1 LP |
598 | <listitem><para>Clones a container or VM image. The arguments specify the name of the image to clone and the |
599 | name of the newly cloned image. Note that plain directory container images are cloned into btrfs subvolume | |
600 | images with this command, if the underlying file system supports this. Note that cloning a container or VM | |
17cbb288 LP |
601 | image is optimized for file systems that support copy-on-write, and might not be efficient on others, due to |
602 | file system limitations.</para> | |
3fe22bb4 LP |
603 | |
604 | <para>Note that this command leaves host name, machine ID and | |
605 | all other settings that could identify the instance | |
606 | unmodified. The original image and the cloned copy will hence | |
607 | share these credentials, and it might be necessary to manually | |
d94c2b06 LP |
608 | change them in the copy.</para> |
609 | ||
610 | <para>If combined with the <option>--read-only</option> switch a read-only cloned image is | |
611 | created.</para></listitem> | |
798d3a52 ZJS |
612 | </varlistentry> |
613 | ||
614 | <varlistentry> | |
615 | <term><command>rename</command> <replaceable>NAME</replaceable> <replaceable>NAME</replaceable></term> | |
616 | ||
d6ce17c7 | 617 | <listitem><para>Renames a container or VM image. The |
798d3a52 ZJS |
618 | arguments specify the name of the image to rename and the new |
619 | name of the image.</para></listitem> | |
620 | </varlistentry> | |
621 | ||
622 | <varlistentry> | |
623 | <term><command>read-only</command> <replaceable>NAME</replaceable> [<replaceable>BOOL</replaceable>]</term> | |
624 | ||
d6ce17c7 | 625 | <listitem><para>Marks or (unmarks) a container or VM image |
798d3a52 ZJS |
626 | read-only. Takes a VM or container image name, followed by a |
627 | boolean as arguments. If the boolean is omitted, positive is | |
628 | implied, i.e. the image is marked read-only.</para></listitem> | |
629 | </varlistentry> | |
630 | ||
798d3a52 | 631 | <varlistentry> |
1eecafb8 | 632 | <term><command>remove</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 | 633 | |
d6ce17c7 | 634 | <listitem><para>Removes one or more container or VM images. |
798d3a52 | 635 | The special image <literal>.host</literal>, which refers to |
b938cb90 | 636 | the host's own directory tree, may not be |
798d3a52 ZJS |
637 | removed.</para></listitem> |
638 | </varlistentry> | |
639 | ||
d6ce17c7 LP |
640 | <varlistentry> |
641 | <term><command>set-limit</command> [<replaceable>NAME</replaceable>] <replaceable>BYTES</replaceable></term> | |
642 | ||
a8eaaee7 | 643 | <listitem><para>Sets the maximum size in bytes that a specific |
b938cb90 | 644 | container or VM image, or all images, may grow up to on disk |
7de30452 | 645 | (disk quota). Takes either one or two parameters. The first, |
d6ce17c7 | 646 | optional parameter refers to a container or VM image name. If |
b938cb90 JE |
647 | specified, the size limit of the specified image is changed. If |
648 | omitted, the overall size limit of the sum of all images stored | |
7de30452 LP |
649 | locally is changed. The final argument specifies the size |
650 | limit in bytes, possibly suffixed by the usual K, M, G, T | |
651 | units. If the size limit shall be disabled, specify | |
652 | <literal>-</literal> as size.</para> | |
653 | ||
654 | <para>Note that per-container size limits are only supported | |
b938cb90 | 655 | on btrfs file systems. Also note that, if |
a8eaaee7 | 656 | <command>set-limit</command> is invoked without an image |
7de30452 LP |
657 | parameter, and <filename>/var/lib/machines</filename> is |
658 | empty, and the directory is not located on btrfs, a btrfs | |
659 | loopback file is implicitly created as | |
660 | <filename>/var/lib/machines.raw</filename> with the given | |
661 | size, and mounted to | |
662 | <filename>/var/lib/machines</filename>. The size of the | |
663 | loopback may later be readjusted with | |
664 | <command>set-limit</command>, as well. If such a | |
665 | loopback-mounted <filename>/var/lib/machines</filename> | |
a8eaaee7 | 666 | directory is used, <command>set-limit</command> without an image |
7de30452 LP |
667 | name alters both the quota setting within the file system as |
668 | well as the loopback file and file system size | |
669 | itself.</para></listitem> | |
d6ce17c7 LP |
670 | </varlistentry> |
671 | ||
d94c2b06 LP |
672 | <varlistentry> |
673 | <term><command>clean</command></term> | |
674 | ||
675 | <listitem><para>Remove hidden VM or container images (or all). This command removes all hidden machine images | |
676 | from <filename>/var/lib/machines</filename>, i.e. those whose name begins with a dot. Use <command>machinectl | |
677 | list-images --all</command> to see a list of all machine images, including the hidden ones.</para> | |
678 | ||
679 | <para>When combined with the <option>--all</option> switch removes all images, not just hidden ones. This | |
680 | command effectively empties <filename>/var/lib/machines</filename>.</para> | |
681 | ||
682 | <para>Note that commands such as <command>machinectl pull-tar</command> or <command>machinectl | |
683 | pull-raw</command> usually create hidden, read-only, unmodified machine images from the downloaded image first, | |
684 | before cloning a writable working copy of it, in order to avoid duplicate downloads in case of images that are | |
685 | reused multiple times. Use <command>machinectl clean</command> to remove old, hidden images created this | |
686 | way.</para></listitem> | |
687 | </varlistentry> | |
688 | ||
798d3a52 ZJS |
689 | </variablelist></refsect2> |
690 | ||
691 | <refsect2><title>Image Transfer Commands</title><variablelist> | |
692 | ||
693 | <varlistentry> | |
694 | <term><command>pull-tar</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term> | |
695 | ||
696 | <listitem><para>Downloads a <filename>.tar</filename> | |
697 | container image from the specified URL, and makes it available | |
698 | under the specified local machine name. The URL must be of | |
699 | type <literal>http://</literal> or | |
700 | <literal>https://</literal>, and must refer to a | |
701 | <filename>.tar</filename>, <filename>.tar.gz</filename>, | |
702 | <filename>.tar.xz</filename> or <filename>.tar.bz2</filename> | |
b938cb90 | 703 | archive file. If the local machine name is omitted, it |
798d3a52 ZJS |
704 | is automatically derived from the last component of the URL, |
705 | with its suffix removed.</para> | |
706 | ||
697be0be TB |
707 | <para>The image is verified before it is made available, unless |
708 | <option>--verify=no</option> is specified. | |
709 | Verification is done either via an inline signed file with the name | |
710 | of the image and the suffix <filename>.sha256</filename> or via | |
711 | separate <filename>SHA256SUMS</filename> and | |
712 | <filename>SHA256SUMS.gpg</filename> files. | |
713 | The signature files need to be made available on the same web | |
714 | server, under the same URL as the <filename>.tar</filename> file. | |
715 | With <option>--verify=checksum</option>, only the SHA256 checksum | |
716 | for the file is verified, based on the <filename>.sha256</filename> | |
717 | suffixed file or the<filename>SHA256SUMS</filename> file. | |
718 | With <option>--verify=signature</option>, the sha checksum file is | |
719 | first verified with the inline signature in the | |
720 | <filename>.sha256</filename> file or the detached GPG signature file | |
721 | <filename>SHA256SUMS.gpg</filename>. | |
722 | The public key for this verification step needs to be available in | |
12b42c76 TG |
723 | <filename>/usr/lib/systemd/import-pubring.gpg</filename> or |
724 | <filename>/etc/systemd/import-pubring.gpg</filename>.</para> | |
798d3a52 ZJS |
725 | |
726 | <para>The container image will be downloaded and stored in a | |
727 | read-only subvolume in | |
b938cb90 | 728 | <filename>/var/lib/machines/</filename> that is named after |
798d3a52 ZJS |
729 | the specified URL and its HTTP etag. A writable snapshot is |
730 | then taken from this subvolume, and named after the specified | |
dd2b607b | 731 | local name. This behavior ensures that creating multiple |
798d3a52 ZJS |
732 | container instances of the same URL is efficient, as multiple |
733 | downloads are not necessary. In order to create only the | |
734 | read-only image, and avoid creating its writable snapshot, | |
735 | specify <literal>-</literal> as local machine name.</para> | |
736 | ||
737 | <para>Note that the read-only subvolume is prefixed with | |
6b94875f | 738 | <filename>.tar-</filename>, and is thus not shown by |
798d3a52 ZJS |
739 | <command>list-images</command>, unless <option>--all</option> |
740 | is passed.</para> | |
741 | ||
742 | <para>Note that pressing C-c during execution of this command | |
743 | will not abort the download. Use | |
744 | <command>cancel-transfer</command>, described | |
745 | below.</para></listitem> | |
746 | </varlistentry> | |
747 | ||
748 | <varlistentry> | |
749 | <term><command>pull-raw</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term> | |
750 | ||
751 | <listitem><para>Downloads a <filename>.raw</filename> | |
752 | container or VM disk image from the specified URL, and makes | |
753 | it available under the specified local machine name. The URL | |
754 | must be of type <literal>http://</literal> or | |
755 | <literal>https://</literal>. The container image must either | |
756 | be a <filename>.qcow2</filename> or raw disk image, optionally | |
757 | compressed as <filename>.gz</filename>, | |
758 | <filename>.xz</filename>, or <filename>.bz2</filename>. If the | |
b938cb90 | 759 | local machine name is omitted, it is automatically |
798d3a52 ZJS |
760 | derived from the last component of the URL, with its suffix |
761 | removed.</para> | |
762 | ||
763 | <para>Image verification is identical for raw and tar images | |
764 | (see above).</para> | |
765 | ||
1d3eaa93 | 766 | <para>If the downloaded image is in |
6b94875f | 767 | <filename>.qcow2</filename> format it is converted into a raw |
798d3a52 ZJS |
768 | image file before it is made available.</para> |
769 | ||
770 | <para>Downloaded images of this type will be placed as | |
771 | read-only <filename>.raw</filename> file in | |
772 | <filename>/var/lib/machines/</filename>. A local, writable | |
773 | (reflinked) copy is then made under the specified local | |
774 | machine name. To omit creation of the local, writable copy | |
775 | pass <literal>-</literal> as local machine name.</para> | |
776 | ||
dd2b607b | 777 | <para>Similar to the behavior of <command>pull-tar</command>, |
798d3a52 | 778 | the read-only image is prefixed with |
6b94875f | 779 | <filename>.raw-</filename>, and thus not shown by |
798d3a52 ZJS |
780 | <command>list-images</command>, unless <option>--all</option> |
781 | is passed.</para> | |
782 | ||
783 | <para>Note that pressing C-c during execution of this command | |
784 | will not abort the download. Use | |
785 | <command>cancel-transfer</command>, described | |
786 | below.</para></listitem> | |
787 | </varlistentry> | |
788 | ||
af40e5d3 LP |
789 | <varlistentry> |
790 | <term><command>import-tar</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term> | |
791 | <term><command>import-raw</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term> | |
792 | <listitem><para>Imports a TAR or RAW container or VM image, | |
793 | and places it under the specified name in | |
794 | <filename>/var/lib/machines/</filename>. When | |
b938cb90 | 795 | <command>import-tar</command> is used, the file specified as |
a8eaaee7 | 796 | the first argument should be a tar archive, possibly compressed |
af40e5d3 LP |
797 | with xz, gzip or bzip2. It will then be unpacked into its own |
798 | subvolume in <filename>/var/lib/machines</filename>. When | |
b938cb90 | 799 | <command>import-raw</command> is used, the file should be a |
af40e5d3 LP |
800 | qcow2 or raw disk image, possibly compressed with xz, gzip or |
801 | bzip2. If the second argument (the resulting image name) is | |
b938cb90 | 802 | not specified, it is automatically derived from the file |
1245e413 | 803 | name. If the filename is passed as <literal>-</literal>, the |
af40e5d3 LP |
804 | image is read from standard input, in which case the second |
805 | argument is mandatory.</para> | |
806 | ||
ace483c4 JE |
807 | <para>Both <command>pull-tar</command> and <command>pull-raw</command> |
808 | will resize <filename>/var/lib/machines.raw</filename> and the | |
809 | filesystem therein as necessary. Optionally, the | |
af40e5d3 LP |
810 | <option>--read-only</option> switch may be used to create a |
811 | read-only container or VM image. No cryptographic validation | |
812 | is done when importing the images.</para> | |
813 | ||
814 | <para>Much like image downloads, ongoing imports may be listed | |
815 | with <command>list-transfers</command> and aborted with | |
816 | <command>cancel-transfer</command>.</para></listitem> | |
817 | </varlistentry> | |
818 | ||
6e9efa59 LP |
819 | <varlistentry> |
820 | <term><command>export-tar</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term> | |
821 | <term><command>export-raw</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term> | |
822 | <listitem><para>Exports a TAR or RAW container or VM image and | |
823 | stores it in the specified file. The first parameter should be | |
824 | a VM or container image name. The second parameter should be a | |
825 | file path the TAR or RAW image is written to. If the path ends | |
b938cb90 JE |
826 | in <literal>.gz</literal>, the file is compressed with gzip, if |
827 | it ends in <literal>.xz</literal>, with xz, and if it ends in | |
828 | <literal>.bz2</literal>, with bzip2. If the path ends in | |
829 | neither, the file is left uncompressed. If the second argument | |
830 | is missing, the image is written to standard output. The | |
6e9efa59 LP |
831 | compression may also be explicitly selected with the |
832 | <option>--format=</option> switch. This is in particular | |
833 | useful if the second parameter is left unspecified.</para> | |
834 | ||
835 | <para>Much like image downloads and imports, ongoing exports | |
836 | may be listed with <command>list-transfers</command> and | |
837 | aborted with | |
838 | <command>cancel-transfer</command>.</para> | |
839 | ||
b938cb90 | 840 | <para>Note that, currently, only directory and subvolume images |
6e9efa59 LP |
841 | may be exported as TAR images, and only raw disk images as RAW |
842 | images.</para></listitem> | |
843 | </varlistentry> | |
844 | ||
798d3a52 ZJS |
845 | <varlistentry> |
846 | <term><command>list-transfers</command></term> | |
847 | ||
848 | <listitem><para>Shows a list of container or VM image | |
6e9efa59 | 849 | downloads, imports and exports that are currently in |
af40e5d3 | 850 | progress.</para></listitem> |
798d3a52 ZJS |
851 | </varlistentry> |
852 | ||
853 | <varlistentry> | |
ee156e8d | 854 | <term><command>cancel-transfer</command> <replaceable>ID</replaceable>…</term> |
798d3a52 | 855 | |
6e9efa59 LP |
856 | <listitem><para>Aborts a download, import or export of the |
857 | container or VM image with the specified ID. To list ongoing | |
858 | transfers and their IDs, use | |
af40e5d3 | 859 | <command>list-transfers</command>. </para></listitem> |
798d3a52 ZJS |
860 | </varlistentry> |
861 | ||
862 | </variablelist></refsect2> | |
863 | ||
864 | </refsect1> | |
865 | ||
91913f58 LP |
866 | <refsect1> |
867 | <title>Machine and Image Names</title> | |
868 | ||
869 | <para>The <command>machinectl</command> tool operates on machines | |
b938cb90 | 870 | and images whose names must be chosen following strict |
91913f58 LP |
871 | rules. Machine names must be suitable for use as host names |
872 | following a conservative subset of DNS and UNIX/Linux | |
873 | semantics. Specifically, they must consist of one or more | |
874 | non-empty label strings, separated by dots. No leading or trailing | |
875 | dots are allowed. No sequences of multiple dots are allowed. The | |
a8eaaee7 | 876 | label strings may only consist of alphanumeric characters as well |
91913f58 LP |
877 | as the dash and underscore. The maximum length of a machine name |
878 | is 64 characters.</para> | |
879 | ||
880 | <para>A special machine with the name <literal>.host</literal> | |
881 | refers to the running host system itself. This is useful for execution | |
a8eaaee7 | 882 | operations or inspecting the host system as well. Note that |
91913f58 LP |
883 | <command>machinectl list</command> will not show this special |
884 | machine unless the <option>--all</option> switch is specified.</para> | |
885 | ||
a8eaaee7 | 886 | <para>Requirements on image names are less strict, however, they must be |
91913f58 LP |
887 | valid UTF-8, must be suitable as file names (hence not be the |
888 | single or double dot, and not include a slash), and may not | |
889 | contain control characters. Since many operations search for an | |
b938cb90 | 890 | image by the name of a requested machine, it is recommended to name |
91913f58 LP |
891 | images in the same strict fashion as machines.</para> |
892 | ||
893 | <para>A special image with the name <literal>.host</literal> | |
a8eaaee7 | 894 | refers to the image of the running host system. It hence |
91913f58 LP |
895 | conceptually maps to the special <literal>.host</literal> machine |
896 | name described above. Note that <command>machinectl | |
7ca41557 | 897 | list-images</command> will not show this special image either, unless |
91913f58 LP |
898 | <option>--all</option> is specified.</para> |
899 | </refsect1> | |
900 | ||
798d3a52 ZJS |
901 | <refsect1> |
902 | <title>Files and Directories</title> | |
903 | ||
904 | <para>Machine images are preferably stored in | |
905 | <filename>/var/lib/machines/</filename>, but are also searched for | |
906 | in <filename>/usr/local/lib/machines/</filename> and | |
b938cb90 | 907 | <filename>/usr/lib/machines/</filename>. For compatibility reasons, |
798d3a52 ZJS |
908 | the directory <filename>/var/lib/container/</filename> is |
909 | searched, too. Note that images stored below | |
910 | <filename>/usr</filename> are always considered read-only. It is | |
911 | possible to symlink machines images from other directories into | |
912 | <filename>/var/lib/machines/</filename> to make them available for | |
913 | control with <command>machinectl</command>.</para> | |
914 | ||
17cbb288 | 915 | <para>Note that some image operations are only supported, |
7de30452 LP |
916 | efficient or atomic on btrfs file systems. Due to this, if the |
917 | <command>pull-tar</command>, <command>pull-raw</command>, | |
b43d75c3 LP |
918 | <command>import-tar</command>, <command>import-raw</command> and |
919 | <command>set-limit</command> commands notice that | |
920 | <filename>/var/lib/machines</filename> is empty and not located on | |
921 | btrfs, they will implicitly set up a loopback file | |
922 | <filename>/var/lib/machines.raw</filename> containing a btrfs file | |
923 | system that is mounted to | |
7de30452 | 924 | <filename>/var/lib/machines</filename>. The size of this loopback |
af40e5d3 LP |
925 | file may be controlled dynamically with |
926 | <command>set-limit</command>.</para> | |
7de30452 | 927 | |
798d3a52 ZJS |
928 | <para>Disk images are understood by |
929 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
930 | and <command>machinectl</command> in three formats:</para> | |
931 | ||
932 | <itemizedlist> | |
933 | <listitem><para>A simple directory tree, containing the files | |
934 | and directories of the container to boot.</para></listitem> | |
935 | ||
a8eaaee7 | 936 | <listitem><para>Subvolumes (on btrfs file systems), which are |
798d3a52 ZJS |
937 | similar to the simple directories, described above. However, |
938 | they have additional benefits, such as efficient cloning and | |
939 | quota reporting.</para></listitem> | |
940 | ||
941 | <listitem><para>"Raw" disk images, i.e. binary images of disks | |
942 | with a GPT or MBR partition table. Images of this type are | |
943 | regular files with the suffix | |
944 | <literal>.raw</literal>.</para></listitem> | |
945 | </itemizedlist> | |
946 | ||
947 | <para>See | |
948 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
a8eaaee7 | 949 | for more information on image formats, in particular its |
798d3a52 ZJS |
950 | <option>--directory=</option> and <option>--image=</option> |
951 | options.</para> | |
952 | </refsect1> | |
953 | ||
954 | <refsect1> | |
955 | <title>Examples</title> | |
956 | <example> | |
957 | <title>Download an Ubuntu image and open a shell in it</title> | |
958 | ||
959 | <programlisting># machinectl pull-tar https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-root.tar.gz | |
e0ea94c1 LP |
960 | # systemd-nspawn -M trusty-server-cloudimg-amd64-root</programlisting> |
961 | ||
798d3a52 ZJS |
962 | <para>This downloads and verifies the specified |
963 | <filename>.tar</filename> image, and then uses | |
964 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
965 | to open a shell in it.</para> | |
966 | </example> | |
967 | ||
968 | <example> | |
969 | <title>Download a Fedora image, set a root password in it, start | |
970 | it as service</title> | |
971 | ||
fcc7ce4c RS |
972 | <programlisting># machinectl pull-raw --verify=no https://dl.fedoraproject.org/pub/fedora/linux/releases/27/CloudImages/x86_64/images/Fedora-Cloud-Base-27-1.6.x86_64.raw.xz |
973 | # systemd-nspawn -M Fedora-Cloud-Base-27-1.6.x86_64 | |
ac92ced5 BF |
974 | # passwd |
975 | # exit | |
fcc7ce4c RS |
976 | # machinectl start Fedora-Cloud-Base-27-1.6.x86_64 |
977 | # machinectl login Fedora-Cloud-Base-27-1.6.x86_64</programlisting> | |
798d3a52 ZJS |
978 | |
979 | <para>This downloads the specified <filename>.raw</filename> | |
b938cb90 | 980 | image with verification disabled. Then, a shell is opened in it |
798d3a52 ZJS |
981 | and a root password is set. Afterwards the shell is left, and |
982 | the machine started as system service. With the last command a | |
983 | login prompt into the container is requested.</para> | |
984 | </example> | |
985 | ||
6e9efa59 LP |
986 | <example> |
987 | <title>Exports a container image as tar file</title> | |
988 | ||
989 | <programlisting># machinectl export-tar fedora myfedora.tar.xz</programlisting> | |
990 | ||
a8eaaee7 JE |
991 | <para>Exports the container <literal>fedora</literal> as an |
992 | xz-compressed tar file <filename>myfedora.tar.xz</filename> into the | |
6e9efa59 LP |
993 | current directory.</para> |
994 | </example> | |
995 | ||
ef3100e9 LP |
996 | <example> |
997 | <title>Create a new shell session</title> | |
998 | ||
999 | <programlisting># machinectl shell --uid=lennart</programlisting> | |
1000 | ||
b938cb90 | 1001 | <para>This creates a new shell session on the local host for |
ef3100e9 LP |
1002 | the user ID <literal>lennart</literal>, in a <citerefentry |
1003 | project='die-net'><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>-like | |
1004 | fashion.</para> | |
1005 | </example> | |
1006 | ||
798d3a52 ZJS |
1007 | </refsect1> |
1008 | ||
1009 | <refsect1> | |
1010 | <title>Exit status</title> | |
1011 | ||
1012 | <para>On success, 0 is returned, a non-zero failure code | |
1013 | otherwise.</para> | |
1014 | </refsect1> | |
1015 | ||
1016 | <xi:include href="less-variables.xml" /> | |
1017 | ||
1018 | <refsect1> | |
1019 | <title>See Also</title> | |
1020 | <para> | |
d47410f3 | 1021 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
798d3a52 ZJS |
1022 | <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
1023 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
6e9efa59 | 1024 | <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
16eb4024 ZJS |
1025 | <citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
1026 | <citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
1027 | <citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
1028 | <citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
798d3a52 ZJS |
1029 | </para> |
1030 | </refsect1> | |
19887cd0 ZJS |
1031 | |
1032 | </refentry> |