projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 8f7a3c14 LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
| 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" | |
| 681eb9cf FB |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
| 4 | <!ENTITY % entities SYSTEM "custom-entities.ent" > | |
| 5 | %entities; | |
| 6 | ]> | |
| 8f7a3c14 LP |
7 | |
| 8 | <!-- | |
| 9 | This file is part of systemd. | |
| 10 | ||
| 11 | Copyright 2010 Lennart Poettering | |
| 12 | ||
| 13 | systemd is free software; you can redistribute it and/or modify it | |
| 5430f7f2 LP |
14 | under the terms of the GNU Lesser General Public License as published by |
| 15 | the Free Software Foundation; either version 2.1 of the License, or | |
| 8f7a3c14 LP |
16 | (at your option) any later version. |
| 17 | ||
| 18 | systemd is distributed in the hope that it will be useful, but | |
| 19 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 20 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 5430f7f2 | 21 | Lesser General Public License for more details. |
| 8f7a3c14 | 22 | |
| 5430f7f2 | 23 | You should have received a copy of the GNU Lesser General Public License |
| 8f7a3c14 LP |
24 | along with systemd; If not, see <http://www.gnu.org/licenses/>. |
| 25 | --> | |
| 26 | ||
| dfdebb1b | 27 | <refentry id="systemd-nspawn" |
| 798d3a52 ZJS |
28 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
| 29 | ||
| 30 | <refentryinfo> | |
| 31 | <title>systemd-nspawn</title> | |
| 32 | <productname>systemd</productname> | |
| 33 | ||
| 34 | <authorgroup> | |
| 35 | <author> | |
| 36 | <contrib>Developer</contrib> | |
| 37 | <firstname>Lennart</firstname> | |
| 38 | <surname>Poettering</surname> | |
| 39 | <email>lennart@poettering.net</email> | |
| 40 | </author> | |
| 41 | </authorgroup> | |
| 42 | </refentryinfo> | |
| 43 | ||
| 44 | <refmeta> | |
| 45 | <refentrytitle>systemd-nspawn</refentrytitle> | |
| 46 | <manvolnum>1</manvolnum> | |
| 47 | </refmeta> | |
| 48 | ||
| 49 | <refnamediv> | |
| 50 | <refname>systemd-nspawn</refname> | |
| 51 | <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose> | |
| 52 | </refnamediv> | |
| 53 | ||
| 54 | <refsynopsisdiv> | |
| 55 | <cmdsynopsis> | |
| 56 | <command>systemd-nspawn</command> | |
| 57 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
| 58 | <arg choice="opt"><replaceable>COMMAND</replaceable> | |
| 59 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 60 | </arg> | |
| 61 | </cmdsynopsis> | |
| 62 | <cmdsynopsis> | |
| 63 | <command>systemd-nspawn</command> | |
| 64 | <arg choice="plain">-b</arg> | |
| 65 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
| 66 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 67 | </cmdsynopsis> | |
| 68 | </refsynopsisdiv> | |
| 69 | ||
| 70 | <refsect1> | |
| 71 | <title>Description</title> | |
| 72 | ||
| 73 | <para><command>systemd-nspawn</command> may be used to run a | |
| 74 | command or OS in a light-weight namespace container. In many ways | |
| 75 | it is similar to | |
| 76 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 77 | but more powerful since it fully virtualizes the file system | |
| 78 | hierarchy, as well as the process tree, the various IPC subsystems | |
| 79 | and the host and domain name.</para> | |
| 80 | ||
| 81 | <para><command>systemd-nspawn</command> limits access to various | |
| 82 | kernel interfaces in the container to read-only, such as | |
| 83 | <filename>/sys</filename>, <filename>/proc/sys</filename> or | |
| 84 | <filename>/sys/fs/selinux</filename>. Network interfaces and the | |
| 85 | system clock may not be changed from within the container. Device | |
| 86 | nodes may not be created. The host system cannot be rebooted and | |
| 87 | kernel modules may not be loaded from within the container.</para> | |
| 88 | ||
| 89 | <para>Note that even though these security precautions are taken | |
| 7de7ee62 | 90 | <command>systemd-nspawn</command> is not suitable for fully secure |
| 798d3a52 ZJS |
91 | container setups. Many of the security features may be |
| 92 | circumvented and are hence primarily useful to avoid accidental | |
| 7de7ee62 | 93 | changes to the host system from the container.</para> |
| 798d3a52 ZJS |
94 | |
| 95 | <para>In contrast to | |
| 96 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command> | |
| 97 | may be used to boot full Linux-based operating systems in a | |
| 98 | container.</para> | |
| 99 | ||
| 100 | <para>Use a tool like | |
| 101 | <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 102 | <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 103 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 104 | or | |
| 105 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 106 | to set up an OS directory tree suitable as file system hierarchy | |
| 107 | for <command>systemd-nspawn</command> containers.</para> | |
| 108 | ||
| 109 | <para>Note that <command>systemd-nspawn</command> will mount file | |
| 110 | systems private to the container to <filename>/dev</filename>, | |
| 111 | <filename>/run</filename> and similar. These will not be visible | |
| 112 | outside of the container, and their contents will be lost when the | |
| 113 | container exits.</para> | |
| 114 | ||
| 115 | <para>Note that running two <command>systemd-nspawn</command> | |
| 116 | containers from the same directory tree will not make processes in | |
| 117 | them see each other. The PID namespace separation of the two | |
| 118 | containers is complete and the containers will share very few | |
| 119 | runtime objects except for the underlying file system. Use | |
| 120 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
| 121 | <command>login</command> command to request an additional login | |
| 122 | prompt in a running container.</para> | |
| 123 | ||
| 124 | <para><command>systemd-nspawn</command> implements the | |
| 125 | <ulink | |
| 126 | url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container | |
| 127 | Interface</ulink> specification.</para> | |
| 128 | ||
| 129 | <para>As a safety check <command>systemd-nspawn</command> will | |
| 130 | verify the existence of <filename>/usr/lib/os-release</filename> | |
| 131 | or <filename>/etc/os-release</filename> in the container tree | |
| 132 | before starting the container (see | |
| 133 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). | |
| 134 | It might be necessary to add this file to the container tree | |
| 135 | manually if the OS of the container is too old to contain this | |
| 136 | file out-of-the-box.</para> | |
| 137 | </refsect1> | |
| 138 | ||
| 139 | <refsect1> | |
| 140 | <title>Options</title> | |
| 141 | ||
| 142 | <para>If option <option>-b</option> is specified, the arguments | |
| 143 | are used as arguments for the init binary. Otherwise, | |
| 144 | <replaceable>COMMAND</replaceable> specifies the program to launch | |
| 145 | in the container, and the remaining arguments are used as | |
| 146 | arguments for this program. If <option>-b</option> is not used and | |
| ff9b60f3 | 147 | no arguments are specified, a shell is launched in the |
| 798d3a52 ZJS |
148 | container.</para> |
| 149 | ||
| 150 | <para>The following options are understood:</para> | |
| 151 | ||
| 152 | <variablelist> | |
| 153 | <varlistentry> | |
| 154 | <term><option>-D</option></term> | |
| 155 | <term><option>--directory=</option></term> | |
| 156 | ||
| 157 | <listitem><para>Directory to use as file system root for the | |
| 158 | container.</para> | |
| 159 | ||
| 160 | <para>If neither <option>--directory=</option>, nor | |
| 161 | <option>--image=</option> is specified the directory is | |
| 162 | determined as <filename>/var/lib/machines/</filename> suffixed | |
| 163 | by the machine name as specified with | |
| 164 | <option>--machine=</option>. If neither | |
| 165 | <option>--directory=</option>, <option>--image=</option>, nor | |
| 166 | <option>--machine=</option> are specified, the current | |
| 167 | directory will be used. May not be specified together with | |
| 168 | <option>--image=</option>.</para></listitem> | |
| 169 | </varlistentry> | |
| 170 | ||
| 171 | <varlistentry> | |
| 172 | <term><option>--template=</option></term> | |
| 173 | ||
| 174 | <listitem><para>Directory or <literal>btrfs</literal> | |
| 175 | subvolume to use as template for the container's root | |
| 176 | directory. If this is specified and the container's root | |
| 177 | directory (as configured by <option>--directory=</option>) | |
| 178 | does not yet exist it is created as <literal>btrfs</literal> | |
| 179 | subvolume and populated from this template tree. Ideally, the | |
| 180 | specified template path refers to the root of a | |
| 181 | <literal>btrfs</literal> subvolume, in which case a simple | |
| 182 | copy-on-write snapshot is taken, and populating the root | |
| 183 | directory is instant. If the specified template path does not | |
| 184 | refer to the root of a <literal>btrfs</literal> subvolume (or | |
| 185 | not even to a <literal>btrfs</literal> file system at all), | |
| 186 | the tree is copied, which can be substantially more | |
| 187 | time-consuming. Note that if this option is used the | |
| 188 | container's root directory (in contrast to the template | |
| 189 | directory!) must be located on a <literal>btrfs</literal> file | |
| 190 | system, so that the <literal>btrfs</literal> subvolume may be | |
| 191 | created. May not be specified together with | |
| 192 | <option>--image=</option> or | |
| 3fe22bb4 LP |
193 | <option>--ephemeral</option>.</para> |
| 194 | ||
| 195 | <para>Note that this switch leaves host name, machine ID and | |
| 196 | all other settings that could identify the instance | |
| 197 | unmodified.</para></listitem> | |
| 798d3a52 ZJS |
198 | </varlistentry> |
| 199 | ||
| 200 | <varlistentry> | |
| 201 | <term><option>-x</option></term> | |
| 202 | <term><option>--ephemeral</option></term> | |
| 203 | ||
| 204 | <listitem><para>If specified, the container is run with a | |
| 205 | temporary <literal>btrfs</literal> snapshot of its root | |
| 206 | directory (as configured with <option>--directory=</option>), | |
| 207 | that is removed immediately when the container terminates. | |
| 208 | This option is only supported if the root file system is | |
| 209 | <literal>btrfs</literal>. May not be specified together with | |
| 210 | <option>--image=</option> or | |
| 3fe22bb4 LP |
211 | <option>--template=</option>.</para> |
| 212 | <para>Note that this switch leaves host name, machine ID and | |
| 213 | all other settings that could identify the instance | |
| 214 | unmodified.</para></listitem> | |
| 798d3a52 ZJS |
215 | </varlistentry> |
| 216 | ||
| 217 | <varlistentry> | |
| 218 | <term><option>-i</option></term> | |
| 219 | <term><option>--image=</option></term> | |
| 220 | ||
| 221 | <listitem><para>Disk image to mount the root directory for the | |
| 222 | container from. Takes a path to a regular file or to a block | |
| 223 | device node. The file or block device must contain | |
| 224 | either:</para> | |
| 225 | ||
| 226 | <itemizedlist> | |
| 227 | <listitem><para>An MBR partition table with a single | |
| 228 | partition of type 0x83 that is marked | |
| 229 | bootable.</para></listitem> | |
| 230 | ||
| 231 | <listitem><para>A GUID partition table (GPT) with a single | |
| 232 | partition of type | |
| 233 | 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem> | |
| 234 | ||
| 235 | <listitem><para>A GUID partition table (GPT) with a marked | |
| 236 | root partition which is mounted as the root directory of the | |
| 237 | container. Optionally, GPT images may contain a home and/or | |
| 238 | a server data partition which are mounted to the appropriate | |
| 239 | places in the container. All these partitions must be | |
| 240 | identified by the partition types defined by the <ulink | |
| 241 | url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable | |
| 242 | Partitions Specification</ulink>.</para></listitem> | |
| 243 | </itemizedlist> | |
| 244 | ||
| 245 | <para>Any other partitions, such as foreign partitions, swap | |
| 246 | partitions or EFI system partitions are not mounted. May not | |
| 247 | be specified together with <option>--directory=</option>, | |
| 248 | <option>--template=</option> or | |
| 249 | <option>--ephemeral</option>.</para></listitem> | |
| 250 | </varlistentry> | |
| 251 | ||
| 252 | <varlistentry> | |
| 253 | <term><option>-b</option></term> | |
| 254 | <term><option>--boot</option></term> | |
| 255 | ||
| 256 | <listitem><para>Automatically search for an init binary and | |
| 257 | invoke it instead of a shell or a user supplied program. If | |
| 258 | this option is used, arguments specified on the command line | |
| 259 | are used as arguments for the init binary. This option may not | |
| 260 | be combined with <option>--share-system</option>. | |
| 261 | </para></listitem> | |
| 262 | </varlistentry> | |
| 263 | ||
| 264 | <varlistentry> | |
| 265 | <term><option>-u</option></term> | |
| 266 | <term><option>--user=</option></term> | |
| 267 | ||
| 268 | <listitem><para>After transitioning into the container, change | |
| 269 | to the specified user-defined in the container's user | |
| 270 | database. Like all other systemd-nspawn features, this is not | |
| 271 | a security feature and provides protection against accidental | |
| 272 | destructive operations only.</para></listitem> | |
| 273 | </varlistentry> | |
| 274 | ||
| 275 | <varlistentry> | |
| 276 | <term><option>-M</option></term> | |
| 277 | <term><option>--machine=</option></term> | |
| 278 | ||
| 279 | <listitem><para>Sets the machine name for this container. This | |
| 280 | name may be used to identify this container during its runtime | |
| 281 | (for example in tools like | |
| 282 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 283 | and similar), and is used to initialize the container's | |
| 284 | hostname (which the container can choose to override, | |
| 285 | however). If not specified, the last component of the root | |
| 286 | directory path of the container is used, possibly suffixed | |
| 287 | with a random identifier in case <option>--ephemeral</option> | |
| 288 | mode is selected. If the root directory selected is the host's | |
| 289 | root directory the host's hostname is used as default | |
| 290 | instead.</para></listitem> | |
| 291 | </varlistentry> | |
| 292 | ||
| 293 | <varlistentry> | |
| 294 | <term><option>--uuid=</option></term> | |
| 295 | ||
| 296 | <listitem><para>Set the specified UUID for the container. The | |
| 297 | init system will initialize | |
| 298 | <filename>/etc/machine-id</filename> from this if this file is | |
| 299 | not set yet. </para></listitem> | |
| 300 | </varlistentry> | |
| 301 | ||
| 302 | <varlistentry> | |
| 303 | <term><option>--slice=</option></term> | |
| 304 | ||
| 305 | <listitem><para>Make the container part of the specified | |
| 306 | slice, instead of the default | |
| f36933fe LP |
307 | <filename>machine.slice</filename>. This is only applies if |
| 308 | the machine is run in its own scope unit, i.e. if | |
| 309 | <option>--keep-unit</option> is not used.</para> | |
| 310 | </listitem> | |
| 311 | </varlistentry> | |
| 312 | ||
| 313 | <varlistentry> | |
| 314 | <term><option>--property=</option></term> | |
| 315 | ||
| 316 | <listitem><para>Set a unit property on the scope unit to | |
| 317 | register for the machine. This only applies if the machine is | |
| 318 | run in its own scope unit, i.e. if | |
| 319 | <option>--keep-unit</option> is not used. Takes unit property | |
| 320 | assignments in the same format as <command>systemctl | |
| 321 | set-property</command>. This is useful to set memory limits | |
| 322 | and similar for machines.</para> | |
| 798d3a52 ZJS |
323 | </listitem> |
| 324 | </varlistentry> | |
| 325 | ||
| 03cfe0d5 LP |
326 | <varlistentry> |
| 327 | <term><option>--private-users=</option></term> | |
| 328 | ||
| 329 | <listitem><para>Enables user namespacing. If enabled the | |
| 330 | container will run with its own private set of Unix user and | |
| 331 | group ids (UIDs and GIDs). Takes none, one or two | |
| 332 | colon-separated parameters: the first parameter specifies the | |
| 333 | first host UID to assign to the container, the second | |
| 334 | parameter specifies the number of host UIDs to assign to the | |
| 335 | container. If the second parameter is omitted, 65536 UIDs are | |
| 7c918141 | 336 | assigned. If the first parameter is also omitted (and hence |
| 03cfe0d5 LP |
337 | no parameter passed at all), the first UID assigned to the |
| 338 | container is read from the owner of the root directory of the | |
| 339 | container's directory tree. By default no user namespacing is | |
| 340 | applied.</para> | |
| 341 | ||
| 342 | <para>Note that user namespacing currently requires OS trees | |
| 343 | that are prepared for the UID shift that is being applied: | |
| 344 | UIDs and GIDs used for file ownership or in file ACL entries | |
| 345 | must be shifted to the container UID base that is | |
| 346 | used during container runtime.</para> | |
| 347 | ||
| 348 | <para>It is recommended to assign as least 65536 UIDs to each | |
| 349 | container, so that the usable UID range in the container | |
| 350 | covers 16bit. For best security do not assign overlapping UID | |
| 351 | ranges to multiple containers. It is hence a good idea to use | |
| 352 | the upper 16bit of the host 32bit UIDs as container | |
| 353 | identifier, while the lower 16bit encode the container UID | |
| 354 | used.</para> | |
| 355 | ||
| 356 | <para>When user namespaces are used the GID range assigned to | |
| 357 | each container is always chosen identical to the UID | |
| 358 | range.</para></listitem> | |
| 359 | </varlistentry> | |
| 360 | ||
| 361 | ||
| 798d3a52 ZJS |
362 | <varlistentry> |
| 363 | <term><option>--private-network</option></term> | |
| 364 | ||
| 365 | <listitem><para>Disconnect networking of the container from | |
| 366 | the host. This makes all network interfaces unavailable in the | |
| 367 | container, with the exception of the loopback device and those | |
| 368 | specified with <option>--network-interface=</option> and | |
| 369 | configured with <option>--network-veth</option>. If this | |
| 370 | option is specified, the CAP_NET_ADMIN capability will be | |
| 371 | added to the set of capabilities the container retains. The | |
| 372 | latter may be disabled by using | |
| 373 | <option>--drop-capability=</option>.</para></listitem> | |
| 374 | </varlistentry> | |
| 375 | ||
| 376 | <varlistentry> | |
| 377 | <term><option>--network-interface=</option></term> | |
| 378 | ||
| 379 | <listitem><para>Assign the specified network interface to the | |
| 380 | container. This will remove the specified interface from the | |
| 381 | calling namespace and place it in the container. When the | |
| 382 | container terminates, it is moved back to the host namespace. | |
| 383 | Note that <option>--network-interface=</option> implies | |
| 384 | <option>--private-network</option>. This option may be used | |
| 385 | more than once to add multiple network interfaces to the | |
| 386 | container.</para></listitem> | |
| 387 | </varlistentry> | |
| 388 | ||
| 389 | <varlistentry> | |
| 390 | <term><option>--network-macvlan=</option></term> | |
| 391 | ||
| 392 | <listitem><para>Create a <literal>macvlan</literal> interface | |
| 393 | of the specified Ethernet network interface and add it to the | |
| 394 | container. A <literal>macvlan</literal> interface is a virtual | |
| 395 | interface that adds a second MAC address to an existing | |
| 396 | physical Ethernet link. The interface in the container will be | |
| 397 | named after the interface on the host, prefixed with | |
| 398 | <literal>mv-</literal>. Note that | |
| 399 | <option>--network-macvlan=</option> implies | |
| 400 | <option>--private-network</option>. This option may be used | |
| 401 | more than once to add multiple network interfaces to the | |
| 402 | container.</para></listitem> | |
| 403 | </varlistentry> | |
| 404 | ||
| 405 | <varlistentry> | |
| 406 | <term><option>--network-ipvlan=</option></term> | |
| 407 | ||
| 408 | <listitem><para>Create an <literal>ipvlan</literal> interface | |
| 409 | of the specified Ethernet network interface and add it to the | |
| 410 | container. An <literal>ipvlan</literal> interface is a virtual | |
| 411 | interface, similar to a <literal>macvlan</literal> interface, | |
| 412 | which uses the same MAC address as the underlying interface. | |
| 413 | The interface in the container will be named after the | |
| 414 | interface on the host, prefixed with <literal>iv-</literal>. | |
| 415 | Note that <option>--network-ipvlan=</option> implies | |
| 416 | <option>--private-network</option>. This option may be used | |
| 417 | more than once to add multiple network interfaces to the | |
| 418 | container.</para></listitem> | |
| 419 | </varlistentry> | |
| 420 | ||
| 421 | <varlistentry> | |
| 422 | <term><option>-n</option></term> | |
| 423 | <term><option>--network-veth</option></term> | |
| 424 | ||
| 425 | <listitem><para>Create a virtual Ethernet link | |
| 426 | (<literal>veth</literal>) between host and container. The host | |
| 427 | side of the Ethernet link will be available as a network | |
| 428 | interface named after the container's name (as specified with | |
| 429 | <option>--machine=</option>), prefixed with | |
| 430 | <literal>ve-</literal>. The container side of the Ethernet | |
| 431 | link will be named <literal>host0</literal>. Note that | |
| 432 | <option>--network-veth</option> implies | |
| 433 | <option>--private-network</option>.</para></listitem> | |
| 434 | </varlistentry> | |
| 435 | ||
| 436 | <varlistentry> | |
| 437 | <term><option>--network-bridge=</option></term> | |
| 438 | ||
| 439 | <listitem><para>Adds the host side of the Ethernet link | |
| 440 | created with <option>--network-veth</option> to the specified | |
| 441 | bridge. Note that <option>--network-bridge=</option> implies | |
| 442 | <option>--network-veth</option>. If this option is used, the | |
| 443 | host side of the Ethernet link will use the | |
| 444 | <literal>vb-</literal> prefix instead of | |
| 445 | <literal>ve-</literal>.</para></listitem> | |
| 446 | </varlistentry> | |
| 447 | ||
| 448 | <varlistentry> | |
| 449 | <term><option>-p</option></term> | |
| 450 | <term><option>--port=</option></term> | |
| 451 | ||
| 452 | <listitem><para>If private networking is enabled, maps an IP | |
| 453 | port on the host onto an IP port on the container. Takes a | |
| 454 | protocol specifier (either <literal>tcp</literal> or | |
| 455 | <literal>udp</literal>), separated by a colon from a host port | |
| 456 | number in the range 1 to 65535, separated by a colon from a | |
| 457 | container port number in the range from 1 to 65535. The | |
| 458 | protocol specifier and its separating colon may be omitted, in | |
| 459 | which case <literal>tcp</literal> is assumed. The container | |
| 7c918141 | 460 | port number and its colon may be omitted, in which case the |
| 798d3a52 ZJS |
461 | same port as the host port is implied. This option is only |
| 462 | supported if private networking is used, such as | |
| 463 | <option>--network-veth</option> or | |
| 464 | <option>--network-bridge=</option>.</para></listitem> | |
| 465 | </varlistentry> | |
| 466 | ||
| 467 | <varlistentry> | |
| 468 | <term><option>-Z</option></term> | |
| 469 | <term><option>--selinux-context=</option></term> | |
| 470 | ||
| 471 | <listitem><para>Sets the SELinux security context to be used | |
| 472 | to label processes in the container.</para> | |
| 473 | </listitem> | |
| 474 | </varlistentry> | |
| 475 | ||
| 476 | <varlistentry> | |
| 477 | <term><option>-L</option></term> | |
| 478 | <term><option>--selinux-apifs-context=</option></term> | |
| 479 | ||
| 480 | <listitem><para>Sets the SELinux security context to be used | |
| 481 | to label files in the virtual API file systems in the | |
| 482 | container.</para> | |
| 483 | </listitem> | |
| 484 | </varlistentry> | |
| 485 | ||
| 486 | <varlistentry> | |
| 487 | <term><option>--capability=</option></term> | |
| 488 | ||
| 489 | <listitem><para>List one or more additional capabilities to | |
| 490 | grant the container. Takes a comma-separated list of | |
| 491 | capability names, see | |
| 492 | <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| 493 | for more information. Note that the following capabilities | |
| 494 | will be granted in any way: CAP_CHOWN, CAP_DAC_OVERRIDE, | |
| 495 | CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER, | |
| 496 | CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, | |
| 497 | CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_RAW, | |
| 498 | CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP, CAP_SETUID, | |
| 499 | CAP_SYS_ADMIN, CAP_SYS_CHROOT, CAP_SYS_NICE, CAP_SYS_PTRACE, | |
| 500 | CAP_SYS_TTY_CONFIG, CAP_SYS_RESOURCE, CAP_SYS_BOOT, | |
| 501 | CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN is | |
| 502 | retained if <option>--private-network</option> is specified. | |
| 503 | If the special value <literal>all</literal> is passed, all | |
| 504 | capabilities are retained.</para></listitem> | |
| 505 | </varlistentry> | |
| 506 | ||
| 507 | <varlistentry> | |
| 508 | <term><option>--drop-capability=</option></term> | |
| 509 | ||
| 510 | <listitem><para>Specify one or more additional capabilities to | |
| 511 | drop for the container. This allows running the container with | |
| 512 | fewer capabilities than the default (see | |
| 513 | above).</para></listitem> | |
| 514 | </varlistentry> | |
| 515 | ||
| c6c8f6e2 LP |
516 | <varlistentry> |
| 517 | <term><option>--kill-signal=</option></term> | |
| 518 | ||
| 519 | <listitem><para>Specify the process signal to send to the | |
| 520 | container's PID 1 when nspawn itself receives SIGTERM, in | |
| 521 | order to trigger an orderly shutdown of the | |
| 522 | container. Defaults to SIGRTMIN+3 if <option>--boot</option> | |
| 523 | is used (on systemd-compatible init systems SIGRTMIN+3 | |
| 524 | triggers an orderly shutdown). Takes a signal name like | |
| 525 | <literal>SIGHUP</literal>, <literal>SIGTERM</literal> or | |
| 526 | similar as argument.</para></listitem> | |
| 527 | </varlistentry> | |
| 528 | ||
| 798d3a52 ZJS |
529 | <varlistentry> |
| 530 | <term><option>--link-journal=</option></term> | |
| 531 | ||
| 532 | <listitem><para>Control whether the container's journal shall | |
| 533 | be made visible to the host system. If enabled, allows viewing | |
| 534 | the container's journal files from the host (but not vice | |
| 535 | versa). Takes one of <literal>no</literal>, | |
| 536 | <literal>host</literal>, <literal>try-host</literal>, | |
| 537 | <literal>guest</literal>, <literal>try-guest</literal>, | |
| 538 | <literal>auto</literal>. If <literal>no</literal>, the journal | |
| 539 | is not linked. If <literal>host</literal>, the journal files | |
| 540 | are stored on the host file system (beneath | |
| 541 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 542 | and the subdirectory is bind-mounted into the container at the | |
| 543 | same location. If <literal>guest</literal>, the journal files | |
| 544 | are stored on the guest file system (beneath | |
| 545 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 546 | and the subdirectory is symlinked into the host at the same | |
| 547 | location. <literal>try-host</literal> and | |
| 548 | <literal>try-guest</literal> do the same but do not fail if | |
| 549 | the host does not have persistent journalling enabled. If | |
| 550 | <literal>auto</literal> (the default), and the right | |
| 551 | subdirectory of <filename>/var/log/journal</filename> exists, | |
| 552 | it will be bind mounted into the container. If the | |
| 553 | subdirectory does not exist, no linking is performed. | |
| 554 | Effectively, booting a container once with | |
| 555 | <literal>guest</literal> or <literal>host</literal> will link | |
| 556 | the journal persistently if further on the default of | |
| 557 | <literal>auto</literal> is used.</para></listitem> | |
| 558 | </varlistentry> | |
| 559 | ||
| 560 | <varlistentry> | |
| 561 | <term><option>-j</option></term> | |
| 562 | ||
| 563 | <listitem><para>Equivalent to | |
| 564 | <option>--link-journal=try-guest</option>.</para></listitem> | |
| 565 | </varlistentry> | |
| 566 | ||
| 567 | <varlistentry> | |
| 568 | <term><option>--read-only</option></term> | |
| 569 | ||
| 570 | <listitem><para>Mount the root file system read-only for the | |
| 571 | container.</para></listitem> | |
| 572 | </varlistentry> | |
| 573 | ||
| 574 | <varlistentry> | |
| 575 | <term><option>--bind=</option></term> | |
| 576 | <term><option>--bind-ro=</option></term> | |
| 577 | ||
| 578 | <listitem><para>Bind mount a file or directory from the host | |
| 579 | into the container. Either takes a path argument -- in which | |
| 580 | case the specified path will be mounted from the host to the | |
| 581 | same path in the container --, or a colon-separated pair of | |
| 582 | paths -- in which case the first specified path is the source | |
| 583 | in the host, and the second path is the destination in the | |
| 64b282ef LP |
584 | container. This option may be specified multiple times for |
| 585 | creating multiple independent bind mount points. The | |
| 586 | <option>--bind-ro=</option> option creates read-only bind | |
| 587 | mounts.</para></listitem> | |
| 798d3a52 ZJS |
588 | </varlistentry> |
| 589 | ||
| 590 | <varlistentry> | |
| 591 | <term><option>--tmpfs=</option></term> | |
| 592 | ||
| 593 | <listitem><para>Mount a tmpfs file system into the container. | |
| 594 | Takes a single absolute path argument that specifies where to | |
| 595 | mount the tmpfs instance to (in which case the directory | |
| 596 | access mode will be chosen as 0755, owned by root/root), or | |
| 597 | optionally a colon-separated pair of path and mount option | |
| 598 | string, that is used for mounting (in which case the kernel | |
| 599 | default for access mode and owner will be chosen, unless | |
| 600 | otherwise specified). This option is particularly useful for | |
| 601 | mounting directories such as <filename>/var</filename> as | |
| 602 | tmpfs, to allow state-less systems, in particular when | |
| 603 | combined with <option>--read-only</option>.</para></listitem> | |
| 604 | </varlistentry> | |
| 605 | ||
| 5a8af538 LP |
606 | <varlistentry> |
| 607 | <term><option>--overlay=</option></term> | |
| 608 | <term><option>--overlay-ro=</option></term> | |
| 609 | ||
| 610 | <listitem><para>Combine multiple directory trees into one | |
| 611 | overlay file system and mount it into the container. Takes a | |
| 612 | list of colon-separated paths to the directory trees to | |
| 613 | combine and the destination mount point.</para> | |
| 614 | ||
| 615 | <para>If three or more paths are specified, then the last | |
| 616 | specified path is the destination mount point in the | |
| 617 | container, all paths specified before refer to directory trees | |
| 618 | on the host and are combined in the specified order into one | |
| 619 | overlay file system. The left-most path is hence the lowest | |
| 620 | directory tree, the second-to-last path the highest directory | |
| 621 | tree in the stacking order. If <option>--overlay-ro=</option> | |
| 622 | is used instead of <option>--overlay=</option> a read-only | |
| 623 | overlay file system is created. If a writable overlay file | |
| 624 | system is created all changes made to it are written to the | |
| 625 | highest directory tree in the stacking order, i.e. the | |
| 626 | second-to-last specified.</para> | |
| 627 | ||
| 628 | <para>If only two paths are specified, then the second | |
| 629 | specified path is used both as the top-level directory tree in | |
| 630 | the stacking order as seen from the host, as well as the mount | |
| 631 | point for the overlay file system in the container. At least | |
| 632 | two paths have to be specified.</para> | |
| 633 | ||
| 634 | <para>For details about overlay file systems, see <ulink | |
| 635 | url="https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt">overlayfs.txt</ulink>. Note | |
| 636 | that the semantics of overlay file systems are substantially | |
| 637 | different from normal file systems, in particular regarding | |
| 638 | reported device and inode information. Device and inode | |
| 639 | information may change for a file while it is being written | |
| 640 | to, and processes might see out-of-date versions of files at | |
| 641 | times. Note that this switch automatically derives the | |
| 642 | <literal>workdir=</literal> mount option for the overlay file | |
| 643 | system from the top-level directory tree, making it a sibling | |
| 644 | of it. It is hence essential that the top-level directory tree | |
| 645 | is not a mount point itself (since the working directory must | |
| 646 | be on the same file system as the top-most directory | |
| 647 | tree). Also note that the <literal>lowerdir=</literal> mount | |
| 648 | option receives the paths to stack in the opposite order of | |
| 649 | this switch.</para></listitem> | |
| 650 | </varlistentry> | |
| 651 | ||
| 798d3a52 ZJS |
652 | <varlistentry> |
| 653 | <term><option>--setenv=</option></term> | |
| 654 | ||
| 655 | <listitem><para>Specifies an environment variable assignment | |
| 656 | to pass to the init process in the container, in the format | |
| 657 | <literal>NAME=VALUE</literal>. This may be used to override | |
| 658 | the default variables or to set additional variables. This | |
| 659 | parameter may be used more than once.</para></listitem> | |
| 660 | </varlistentry> | |
| 661 | ||
| 662 | <varlistentry> | |
| 663 | <term><option>--share-system</option></term> | |
| 664 | ||
| 665 | <listitem><para>Allows the container to share certain system | |
| 666 | facilities with the host. More specifically, this turns off | |
| 667 | PID namespacing, UTS namespacing and IPC namespacing, and thus | |
| 668 | allows the guest to see and interact more easily with | |
| 669 | processes outside of the container. Note that using this | |
| 670 | option makes it impossible to start up a full Operating System | |
| 671 | in the container, as an init system cannot operate in this | |
| 672 | mode. It is only useful to run specific programs or | |
| 673 | applications this way, without involving an init system in the | |
| 674 | container. This option implies <option>--register=no</option>. | |
| 675 | This option may not be combined with | |
| 676 | <option>--boot</option>.</para></listitem> | |
| 677 | </varlistentry> | |
| 678 | ||
| 679 | <varlistentry> | |
| 680 | <term><option>--register=</option></term> | |
| 681 | ||
| 682 | <listitem><para>Controls whether the container is registered | |
| 683 | with | |
| 684 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
| 685 | Takes a boolean argument, defaults to <literal>yes</literal>. | |
| 686 | This option should be enabled when the container runs a full | |
| 687 | Operating System (more specifically: an init system), and is | |
| 688 | useful to ensure that the container is accessible via | |
| 689 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 690 | and shown by tools such as | |
| 691 | <citerefentry project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
| 692 | If the container does not run an init system, it is | |
| 693 | recommended to set this option to <literal>no</literal>. Note | |
| 694 | that <option>--share-system</option> implies | |
| 695 | <option>--register=no</option>. </para></listitem> | |
| 696 | </varlistentry> | |
| 697 | ||
| 698 | <varlistentry> | |
| 699 | <term><option>--keep-unit</option></term> | |
| 700 | ||
| 701 | <listitem><para>Instead of creating a transient scope unit to | |
| 702 | run the container in, simply register the service or scope | |
| 703 | unit <command>systemd-nspawn</command> has been invoked in | |
| 704 | with | |
| 705 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
| 706 | This has no effect if <option>--register=no</option> is used. | |
| 707 | This switch should be used if | |
| 708 | <command>systemd-nspawn</command> is invoked from within a | |
| 709 | service unit, and the service unit's sole purpose is to run a | |
| 710 | single <command>systemd-nspawn</command> container. This | |
| 711 | option is not available if run from a user | |
| 712 | session.</para></listitem> | |
| 713 | </varlistentry> | |
| 714 | ||
| 715 | <varlistentry> | |
| 716 | <term><option>--personality=</option></term> | |
| 717 | ||
| 718 | <listitem><para>Control the architecture ("personality") | |
| 719 | reported by | |
| 3ba3a79d | 720 | <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
| 798d3a52 ZJS |
721 | in the container. Currently, only <literal>x86</literal> and |
| 722 | <literal>x86-64</literal> are supported. This is useful when | |
| 723 | running a 32-bit container on a 64-bit host. If this setting | |
| 724 | is not used, the personality reported in the container is the | |
| 725 | same as the one reported on the host.</para></listitem> | |
| 726 | </varlistentry> | |
| 727 | ||
| 728 | <varlistentry> | |
| 729 | <term><option>-q</option></term> | |
| 730 | <term><option>--quiet</option></term> | |
| 731 | ||
| 732 | <listitem><para>Turns off any status output by the tool | |
| 733 | itself. When this switch is used, the only output from nspawn | |
| 734 | will be the console output of the container OS | |
| 735 | itself.</para></listitem> | |
| 736 | </varlistentry> | |
| 737 | ||
| 738 | <varlistentry> | |
| 739 | <term><option>--volatile</option><replaceable>=MODE</replaceable></term> | |
| 740 | ||
| 741 | <listitem><para>Boots the container in volatile mode. When no | |
| 742 | mode parameter is passed or when mode is specified as | |
| 743 | <literal>yes</literal> full volatile mode is enabled. This | |
| 744 | means the root directory is mounted as mostly unpopulated | |
| 745 | <literal>tmpfs</literal> instance, and | |
| 746 | <filename>/usr</filename> from the OS tree is mounted into it, | |
| 747 | read-only (the system thus starts up with read-only OS | |
| 748 | resources, but pristine state and configuration, any changes | |
| 749 | to the either are lost on shutdown). When the mode parameter | |
| 750 | is specified as <literal>state</literal> the OS tree is | |
| 751 | mounted read-only, but <filename>/var</filename> is mounted as | |
| 752 | <literal>tmpfs</literal> instance into it (the system thus | |
| 753 | starts up with read-only OS resources and configuration, but | |
| 754 | pristine state, any changes to the latter are lost on | |
| 755 | shutdown). When the mode parameter is specified as | |
| 756 | <literal>no</literal> (the default) the whole OS tree is made | |
| 757 | available writable.</para> | |
| 758 | ||
| 759 | <para>Note that setting this to <literal>yes</literal> or | |
| 760 | <literal>state</literal> will only work correctly with | |
| 761 | operating systems in the container that can boot up with only | |
| 762 | <filename>/usr</filename> mounted, and are able to populate | |
| 763 | <filename>/var</filename> automatically, as | |
| 764 | needed.</para></listitem> | |
| 765 | </varlistentry> | |
| 766 | ||
| 767 | <xi:include href="standard-options.xml" xpointer="help" /> | |
| 768 | <xi:include href="standard-options.xml" xpointer="version" /> | |
| 769 | </variablelist> | |
| 770 | ||
| 771 | </refsect1> | |
| 772 | ||
| 773 | <refsect1> | |
| 774 | <title>Examples</title> | |
| 775 | ||
| 776 | <example> | |
| 777 | <title>Download a Fedora image and start a shell in it</title> | |
| 778 | ||
| 779 | <programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz | |
| e0ea94c1 LP |
780 | # systemd-nspawn -M Fedora-Cloud-Base-20141203-21</programlisting> |
| 781 | ||
| 798d3a52 ZJS |
782 | <para>This downloads an image using |
| 783 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 784 | and opens a shell in it.</para> | |
| 785 | </example> | |
| e0ea94c1 | 786 | |
| 798d3a52 ZJS |
787 | <example> |
| 788 | <title>Build and boot a minimal Fedora distribution in a container</title> | |
| 8f7a3c14 | 789 | |
| 798d3a52 | 790 | <programlisting># dnf -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd dnf fedora-release vim-minimal |
| 2b3987a8 | 791 | # systemd-nspawn -bD /srv/mycontainer</programlisting> |
| 8f7a3c14 | 792 | |
| 798d3a52 ZJS |
793 | <para>This installs a minimal Fedora distribution into the |
| 794 | directory <filename noindex='true'>/srv/mycontainer/</filename> | |
| 795 | and then boots an OS in a namespace container in it.</para> | |
| 796 | </example> | |
| 8f7a3c14 | 797 | |
| 798d3a52 ZJS |
798 | <example> |
| 799 | <title>Spawn a shell in a container of a minimal Debian unstable distribution</title> | |
| 8f7a3c14 | 800 | |
| 798d3a52 | 801 | <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/ |
| 25f5971b | 802 | # systemd-nspawn -D ~/debian-tree/</programlisting> |
| 8f7a3c14 | 803 | |
| 798d3a52 ZJS |
804 | <para>This installs a minimal Debian unstable distribution into |
| 805 | the directory <filename>~/debian-tree/</filename> and then | |
| 806 | spawns a shell in a namespace container in it.</para> | |
| 807 | </example> | |
| 8f7a3c14 | 808 | |
| 798d3a52 ZJS |
809 | <example> |
| 810 | <title>Boot a minimal Arch Linux distribution in a container</title> | |
| 68562936 | 811 | |
| 798d3a52 | 812 | <programlisting># pacstrap -c -d ~/arch-tree/ base |
| 68562936 WG |
813 | # systemd-nspawn -bD ~/arch-tree/</programlisting> |
| 814 | ||
| ff9b60f3 | 815 | <para>This installs a minimal Arch Linux distribution into the |
| 798d3a52 ZJS |
816 | directory <filename>~/arch-tree/</filename> and then boots an OS |
| 817 | in a namespace container in it.</para> | |
| 818 | </example> | |
| 68562936 | 819 | |
| 798d3a52 ZJS |
820 | <example> |
| 821 | <title>Boot into an ephemeral <literal>btrfs</literal> snapshot of the host system</title> | |
| f9f4dd51 | 822 | |
| 798d3a52 | 823 | <programlisting># systemd-nspawn -D / -xb</programlisting> |
| f9f4dd51 | 824 | |
| 798d3a52 ZJS |
825 | <para>This runs a copy of the host system in a |
| 826 | <literal>btrfs</literal> snapshot which is removed immediately | |
| 827 | when the container exits. All file system changes made during | |
| 828 | runtime will be lost on shutdown, hence.</para> | |
| 829 | </example> | |
| f9f4dd51 | 830 | |
| 798d3a52 ZJS |
831 | <example> |
| 832 | <title>Run a container with SELinux sandbox security contexts</title> | |
| a8828ed9 | 833 | |
| 798d3a52 | 834 | <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container |
| a8828ed9 | 835 | # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting> |
| 798d3a52 ZJS |
836 | </example> |
| 837 | </refsect1> | |
| 838 | ||
| 839 | <refsect1> | |
| 840 | <title>Exit status</title> | |
| 841 | ||
| 842 | <para>The exit code of the program executed in the container is | |
| 843 | returned.</para> | |
| 844 | </refsect1> | |
| 845 | ||
| 846 | <refsect1> | |
| 847 | <title>See Also</title> | |
| 848 | <para> | |
| 849 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 850 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 851 | <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 852 | <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 853 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 854 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 855 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
| 856 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 3ba3a79d | 857 | <citerefentry project='man-pages'><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| 798d3a52 ZJS |
858 | </para> |
| 859 | </refsect1> | |
| 8f7a3c14 LP |
860 | |
| 861 | </refentry> |