]>
Commit | Line | Data |
---|---|---|
8f7a3c14 LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" | |
681eb9cf FB |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
4 | <!ENTITY % entities SYSTEM "custom-entities.ent" > | |
5 | %entities; | |
6 | ]> | |
8f7a3c14 LP |
7 | |
8 | <!-- | |
9 | This file is part of systemd. | |
10 | ||
11 | Copyright 2010 Lennart Poettering | |
12 | ||
13 | systemd is free software; you can redistribute it and/or modify it | |
5430f7f2 LP |
14 | under the terms of the GNU Lesser General Public License as published by |
15 | the Free Software Foundation; either version 2.1 of the License, or | |
8f7a3c14 LP |
16 | (at your option) any later version. |
17 | ||
18 | systemd is distributed in the hope that it will be useful, but | |
19 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
20 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
5430f7f2 | 21 | Lesser General Public License for more details. |
8f7a3c14 | 22 | |
5430f7f2 | 23 | You should have received a copy of the GNU Lesser General Public License |
8f7a3c14 LP |
24 | along with systemd; If not, see <http://www.gnu.org/licenses/>. |
25 | --> | |
26 | ||
dfdebb1b | 27 | <refentry id="systemd-nspawn" |
798d3a52 ZJS |
28 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
29 | ||
30 | <refentryinfo> | |
31 | <title>systemd-nspawn</title> | |
32 | <productname>systemd</productname> | |
33 | ||
34 | <authorgroup> | |
35 | <author> | |
36 | <contrib>Developer</contrib> | |
37 | <firstname>Lennart</firstname> | |
38 | <surname>Poettering</surname> | |
39 | <email>lennart@poettering.net</email> | |
40 | </author> | |
41 | </authorgroup> | |
42 | </refentryinfo> | |
43 | ||
44 | <refmeta> | |
45 | <refentrytitle>systemd-nspawn</refentrytitle> | |
46 | <manvolnum>1</manvolnum> | |
47 | </refmeta> | |
48 | ||
49 | <refnamediv> | |
50 | <refname>systemd-nspawn</refname> | |
51 | <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose> | |
52 | </refnamediv> | |
53 | ||
54 | <refsynopsisdiv> | |
55 | <cmdsynopsis> | |
56 | <command>systemd-nspawn</command> | |
57 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
58 | <arg choice="opt"><replaceable>COMMAND</replaceable> | |
59 | <arg choice="opt" rep="repeat">ARGS</arg> | |
60 | </arg> | |
61 | </cmdsynopsis> | |
62 | <cmdsynopsis> | |
63 | <command>systemd-nspawn</command> | |
64 | <arg choice="plain">-b</arg> | |
65 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
66 | <arg choice="opt" rep="repeat">ARGS</arg> | |
67 | </cmdsynopsis> | |
68 | </refsynopsisdiv> | |
69 | ||
70 | <refsect1> | |
71 | <title>Description</title> | |
72 | ||
73 | <para><command>systemd-nspawn</command> may be used to run a | |
74 | command or OS in a light-weight namespace container. In many ways | |
75 | it is similar to | |
76 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
77 | but more powerful since it fully virtualizes the file system | |
78 | hierarchy, as well as the process tree, the various IPC subsystems | |
79 | and the host and domain name.</para> | |
80 | ||
81 | <para><command>systemd-nspawn</command> limits access to various | |
82 | kernel interfaces in the container to read-only, such as | |
83 | <filename>/sys</filename>, <filename>/proc/sys</filename> or | |
84 | <filename>/sys/fs/selinux</filename>. Network interfaces and the | |
85 | system clock may not be changed from within the container. Device | |
86 | nodes may not be created. The host system cannot be rebooted and | |
87 | kernel modules may not be loaded from within the container.</para> | |
88 | ||
89 | <para>Note that even though these security precautions are taken | |
7de7ee62 | 90 | <command>systemd-nspawn</command> is not suitable for fully secure |
798d3a52 ZJS |
91 | container setups. Many of the security features may be |
92 | circumvented and are hence primarily useful to avoid accidental | |
7de7ee62 | 93 | changes to the host system from the container.</para> |
798d3a52 ZJS |
94 | |
95 | <para>In contrast to | |
96 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command> | |
97 | may be used to boot full Linux-based operating systems in a | |
98 | container.</para> | |
99 | ||
100 | <para>Use a tool like | |
101 | <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
102 | <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
103 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
104 | or | |
105 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
106 | to set up an OS directory tree suitable as file system hierarchy | |
107 | for <command>systemd-nspawn</command> containers.</para> | |
108 | ||
109 | <para>Note that <command>systemd-nspawn</command> will mount file | |
110 | systems private to the container to <filename>/dev</filename>, | |
111 | <filename>/run</filename> and similar. These will not be visible | |
112 | outside of the container, and their contents will be lost when the | |
113 | container exits.</para> | |
114 | ||
115 | <para>Note that running two <command>systemd-nspawn</command> | |
116 | containers from the same directory tree will not make processes in | |
117 | them see each other. The PID namespace separation of the two | |
118 | containers is complete and the containers will share very few | |
119 | runtime objects except for the underlying file system. Use | |
120 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
121 | <command>login</command> command to request an additional login | |
122 | prompt in a running container.</para> | |
123 | ||
124 | <para><command>systemd-nspawn</command> implements the | |
125 | <ulink | |
126 | url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container | |
127 | Interface</ulink> specification.</para> | |
128 | ||
129 | <para>As a safety check <command>systemd-nspawn</command> will | |
130 | verify the existence of <filename>/usr/lib/os-release</filename> | |
131 | or <filename>/etc/os-release</filename> in the container tree | |
132 | before starting the container (see | |
133 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). | |
134 | It might be necessary to add this file to the container tree | |
135 | manually if the OS of the container is too old to contain this | |
136 | file out-of-the-box.</para> | |
137 | </refsect1> | |
138 | ||
139 | <refsect1> | |
140 | <title>Options</title> | |
141 | ||
142 | <para>If option <option>-b</option> is specified, the arguments | |
143 | are used as arguments for the init binary. Otherwise, | |
144 | <replaceable>COMMAND</replaceable> specifies the program to launch | |
145 | in the container, and the remaining arguments are used as | |
146 | arguments for this program. If <option>-b</option> is not used and | |
ff9b60f3 | 147 | no arguments are specified, a shell is launched in the |
798d3a52 ZJS |
148 | container.</para> |
149 | ||
150 | <para>The following options are understood:</para> | |
151 | ||
152 | <variablelist> | |
153 | <varlistentry> | |
154 | <term><option>-D</option></term> | |
155 | <term><option>--directory=</option></term> | |
156 | ||
157 | <listitem><para>Directory to use as file system root for the | |
158 | container.</para> | |
159 | ||
160 | <para>If neither <option>--directory=</option>, nor | |
161 | <option>--image=</option> is specified the directory is | |
162 | determined as <filename>/var/lib/machines/</filename> suffixed | |
163 | by the machine name as specified with | |
164 | <option>--machine=</option>. If neither | |
165 | <option>--directory=</option>, <option>--image=</option>, nor | |
166 | <option>--machine=</option> are specified, the current | |
167 | directory will be used. May not be specified together with | |
168 | <option>--image=</option>.</para></listitem> | |
169 | </varlistentry> | |
170 | ||
171 | <varlistentry> | |
172 | <term><option>--template=</option></term> | |
173 | ||
174 | <listitem><para>Directory or <literal>btrfs</literal> | |
175 | subvolume to use as template for the container's root | |
176 | directory. If this is specified and the container's root | |
177 | directory (as configured by <option>--directory=</option>) | |
178 | does not yet exist it is created as <literal>btrfs</literal> | |
179 | subvolume and populated from this template tree. Ideally, the | |
180 | specified template path refers to the root of a | |
181 | <literal>btrfs</literal> subvolume, in which case a simple | |
182 | copy-on-write snapshot is taken, and populating the root | |
183 | directory is instant. If the specified template path does not | |
184 | refer to the root of a <literal>btrfs</literal> subvolume (or | |
185 | not even to a <literal>btrfs</literal> file system at all), | |
186 | the tree is copied, which can be substantially more | |
187 | time-consuming. Note that if this option is used the | |
188 | container's root directory (in contrast to the template | |
189 | directory!) must be located on a <literal>btrfs</literal> file | |
190 | system, so that the <literal>btrfs</literal> subvolume may be | |
191 | created. May not be specified together with | |
192 | <option>--image=</option> or | |
3fe22bb4 LP |
193 | <option>--ephemeral</option>.</para> |
194 | ||
195 | <para>Note that this switch leaves host name, machine ID and | |
196 | all other settings that could identify the instance | |
197 | unmodified.</para></listitem> | |
798d3a52 ZJS |
198 | </varlistentry> |
199 | ||
200 | <varlistentry> | |
201 | <term><option>-x</option></term> | |
202 | <term><option>--ephemeral</option></term> | |
203 | ||
204 | <listitem><para>If specified, the container is run with a | |
205 | temporary <literal>btrfs</literal> snapshot of its root | |
206 | directory (as configured with <option>--directory=</option>), | |
207 | that is removed immediately when the container terminates. | |
208 | This option is only supported if the root file system is | |
209 | <literal>btrfs</literal>. May not be specified together with | |
210 | <option>--image=</option> or | |
3fe22bb4 LP |
211 | <option>--template=</option>.</para> |
212 | <para>Note that this switch leaves host name, machine ID and | |
213 | all other settings that could identify the instance | |
214 | unmodified.</para></listitem> | |
798d3a52 ZJS |
215 | </varlistentry> |
216 | ||
217 | <varlistentry> | |
218 | <term><option>-i</option></term> | |
219 | <term><option>--image=</option></term> | |
220 | ||
221 | <listitem><para>Disk image to mount the root directory for the | |
222 | container from. Takes a path to a regular file or to a block | |
223 | device node. The file or block device must contain | |
224 | either:</para> | |
225 | ||
226 | <itemizedlist> | |
227 | <listitem><para>An MBR partition table with a single | |
228 | partition of type 0x83 that is marked | |
229 | bootable.</para></listitem> | |
230 | ||
231 | <listitem><para>A GUID partition table (GPT) with a single | |
232 | partition of type | |
233 | 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem> | |
234 | ||
235 | <listitem><para>A GUID partition table (GPT) with a marked | |
236 | root partition which is mounted as the root directory of the | |
237 | container. Optionally, GPT images may contain a home and/or | |
238 | a server data partition which are mounted to the appropriate | |
239 | places in the container. All these partitions must be | |
240 | identified by the partition types defined by the <ulink | |
241 | url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable | |
242 | Partitions Specification</ulink>.</para></listitem> | |
243 | </itemizedlist> | |
244 | ||
245 | <para>Any other partitions, such as foreign partitions, swap | |
246 | partitions or EFI system partitions are not mounted. May not | |
247 | be specified together with <option>--directory=</option>, | |
248 | <option>--template=</option> or | |
249 | <option>--ephemeral</option>.</para></listitem> | |
250 | </varlistentry> | |
251 | ||
252 | <varlistentry> | |
253 | <term><option>-b</option></term> | |
254 | <term><option>--boot</option></term> | |
255 | ||
256 | <listitem><para>Automatically search for an init binary and | |
257 | invoke it instead of a shell or a user supplied program. If | |
258 | this option is used, arguments specified on the command line | |
259 | are used as arguments for the init binary. This option may not | |
260 | be combined with <option>--share-system</option>. | |
261 | </para></listitem> | |
262 | </varlistentry> | |
263 | ||
264 | <varlistentry> | |
265 | <term><option>-u</option></term> | |
266 | <term><option>--user=</option></term> | |
267 | ||
268 | <listitem><para>After transitioning into the container, change | |
269 | to the specified user-defined in the container's user | |
270 | database. Like all other systemd-nspawn features, this is not | |
271 | a security feature and provides protection against accidental | |
272 | destructive operations only.</para></listitem> | |
273 | </varlistentry> | |
274 | ||
275 | <varlistentry> | |
276 | <term><option>-M</option></term> | |
277 | <term><option>--machine=</option></term> | |
278 | ||
279 | <listitem><para>Sets the machine name for this container. This | |
280 | name may be used to identify this container during its runtime | |
281 | (for example in tools like | |
282 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
283 | and similar), and is used to initialize the container's | |
284 | hostname (which the container can choose to override, | |
285 | however). If not specified, the last component of the root | |
286 | directory path of the container is used, possibly suffixed | |
287 | with a random identifier in case <option>--ephemeral</option> | |
288 | mode is selected. If the root directory selected is the host's | |
289 | root directory the host's hostname is used as default | |
290 | instead.</para></listitem> | |
291 | </varlistentry> | |
292 | ||
293 | <varlistentry> | |
294 | <term><option>--uuid=</option></term> | |
295 | ||
296 | <listitem><para>Set the specified UUID for the container. The | |
297 | init system will initialize | |
298 | <filename>/etc/machine-id</filename> from this if this file is | |
299 | not set yet. </para></listitem> | |
300 | </varlistentry> | |
301 | ||
302 | <varlistentry> | |
303 | <term><option>--slice=</option></term> | |
304 | ||
305 | <listitem><para>Make the container part of the specified | |
306 | slice, instead of the default | |
f36933fe LP |
307 | <filename>machine.slice</filename>. This is only applies if |
308 | the machine is run in its own scope unit, i.e. if | |
309 | <option>--keep-unit</option> is not used.</para> | |
310 | </listitem> | |
311 | </varlistentry> | |
312 | ||
313 | <varlistentry> | |
314 | <term><option>--property=</option></term> | |
315 | ||
316 | <listitem><para>Set a unit property on the scope unit to | |
317 | register for the machine. This only applies if the machine is | |
318 | run in its own scope unit, i.e. if | |
319 | <option>--keep-unit</option> is not used. Takes unit property | |
320 | assignments in the same format as <command>systemctl | |
321 | set-property</command>. This is useful to set memory limits | |
322 | and similar for machines.</para> | |
798d3a52 ZJS |
323 | </listitem> |
324 | </varlistentry> | |
325 | ||
03cfe0d5 LP |
326 | <varlistentry> |
327 | <term><option>--private-users=</option></term> | |
328 | ||
329 | <listitem><para>Enables user namespacing. If enabled the | |
330 | container will run with its own private set of Unix user and | |
331 | group ids (UIDs and GIDs). Takes none, one or two | |
332 | colon-separated parameters: the first parameter specifies the | |
333 | first host UID to assign to the container, the second | |
334 | parameter specifies the number of host UIDs to assign to the | |
335 | container. If the second parameter is omitted, 65536 UIDs are | |
7c918141 | 336 | assigned. If the first parameter is also omitted (and hence |
03cfe0d5 LP |
337 | no parameter passed at all), the first UID assigned to the |
338 | container is read from the owner of the root directory of the | |
339 | container's directory tree. By default no user namespacing is | |
340 | applied.</para> | |
341 | ||
342 | <para>Note that user namespacing currently requires OS trees | |
343 | that are prepared for the UID shift that is being applied: | |
344 | UIDs and GIDs used for file ownership or in file ACL entries | |
345 | must be shifted to the container UID base that is | |
346 | used during container runtime.</para> | |
347 | ||
348 | <para>It is recommended to assign as least 65536 UIDs to each | |
349 | container, so that the usable UID range in the container | |
350 | covers 16bit. For best security do not assign overlapping UID | |
351 | ranges to multiple containers. It is hence a good idea to use | |
352 | the upper 16bit of the host 32bit UIDs as container | |
353 | identifier, while the lower 16bit encode the container UID | |
354 | used.</para> | |
355 | ||
356 | <para>When user namespaces are used the GID range assigned to | |
357 | each container is always chosen identical to the UID | |
358 | range.</para></listitem> | |
359 | </varlistentry> | |
360 | ||
361 | ||
798d3a52 ZJS |
362 | <varlistentry> |
363 | <term><option>--private-network</option></term> | |
364 | ||
365 | <listitem><para>Disconnect networking of the container from | |
366 | the host. This makes all network interfaces unavailable in the | |
367 | container, with the exception of the loopback device and those | |
368 | specified with <option>--network-interface=</option> and | |
369 | configured with <option>--network-veth</option>. If this | |
370 | option is specified, the CAP_NET_ADMIN capability will be | |
371 | added to the set of capabilities the container retains. The | |
372 | latter may be disabled by using | |
373 | <option>--drop-capability=</option>.</para></listitem> | |
374 | </varlistentry> | |
375 | ||
376 | <varlistentry> | |
377 | <term><option>--network-interface=</option></term> | |
378 | ||
379 | <listitem><para>Assign the specified network interface to the | |
380 | container. This will remove the specified interface from the | |
381 | calling namespace and place it in the container. When the | |
382 | container terminates, it is moved back to the host namespace. | |
383 | Note that <option>--network-interface=</option> implies | |
384 | <option>--private-network</option>. This option may be used | |
385 | more than once to add multiple network interfaces to the | |
386 | container.</para></listitem> | |
387 | </varlistentry> | |
388 | ||
389 | <varlistentry> | |
390 | <term><option>--network-macvlan=</option></term> | |
391 | ||
392 | <listitem><para>Create a <literal>macvlan</literal> interface | |
393 | of the specified Ethernet network interface and add it to the | |
394 | container. A <literal>macvlan</literal> interface is a virtual | |
395 | interface that adds a second MAC address to an existing | |
396 | physical Ethernet link. The interface in the container will be | |
397 | named after the interface on the host, prefixed with | |
398 | <literal>mv-</literal>. Note that | |
399 | <option>--network-macvlan=</option> implies | |
400 | <option>--private-network</option>. This option may be used | |
401 | more than once to add multiple network interfaces to the | |
402 | container.</para></listitem> | |
403 | </varlistentry> | |
404 | ||
405 | <varlistentry> | |
406 | <term><option>--network-ipvlan=</option></term> | |
407 | ||
408 | <listitem><para>Create an <literal>ipvlan</literal> interface | |
409 | of the specified Ethernet network interface and add it to the | |
410 | container. An <literal>ipvlan</literal> interface is a virtual | |
411 | interface, similar to a <literal>macvlan</literal> interface, | |
412 | which uses the same MAC address as the underlying interface. | |
413 | The interface in the container will be named after the | |
414 | interface on the host, prefixed with <literal>iv-</literal>. | |
415 | Note that <option>--network-ipvlan=</option> implies | |
416 | <option>--private-network</option>. This option may be used | |
417 | more than once to add multiple network interfaces to the | |
418 | container.</para></listitem> | |
419 | </varlistentry> | |
420 | ||
421 | <varlistentry> | |
422 | <term><option>-n</option></term> | |
423 | <term><option>--network-veth</option></term> | |
424 | ||
425 | <listitem><para>Create a virtual Ethernet link | |
426 | (<literal>veth</literal>) between host and container. The host | |
427 | side of the Ethernet link will be available as a network | |
428 | interface named after the container's name (as specified with | |
429 | <option>--machine=</option>), prefixed with | |
430 | <literal>ve-</literal>. The container side of the Ethernet | |
431 | link will be named <literal>host0</literal>. Note that | |
432 | <option>--network-veth</option> implies | |
433 | <option>--private-network</option>.</para></listitem> | |
434 | </varlistentry> | |
435 | ||
436 | <varlistentry> | |
437 | <term><option>--network-bridge=</option></term> | |
438 | ||
439 | <listitem><para>Adds the host side of the Ethernet link | |
440 | created with <option>--network-veth</option> to the specified | |
441 | bridge. Note that <option>--network-bridge=</option> implies | |
442 | <option>--network-veth</option>. If this option is used, the | |
443 | host side of the Ethernet link will use the | |
444 | <literal>vb-</literal> prefix instead of | |
445 | <literal>ve-</literal>.</para></listitem> | |
446 | </varlistentry> | |
447 | ||
448 | <varlistentry> | |
449 | <term><option>-p</option></term> | |
450 | <term><option>--port=</option></term> | |
451 | ||
452 | <listitem><para>If private networking is enabled, maps an IP | |
453 | port on the host onto an IP port on the container. Takes a | |
454 | protocol specifier (either <literal>tcp</literal> or | |
455 | <literal>udp</literal>), separated by a colon from a host port | |
456 | number in the range 1 to 65535, separated by a colon from a | |
457 | container port number in the range from 1 to 65535. The | |
458 | protocol specifier and its separating colon may be omitted, in | |
459 | which case <literal>tcp</literal> is assumed. The container | |
7c918141 | 460 | port number and its colon may be omitted, in which case the |
798d3a52 ZJS |
461 | same port as the host port is implied. This option is only |
462 | supported if private networking is used, such as | |
463 | <option>--network-veth</option> or | |
464 | <option>--network-bridge=</option>.</para></listitem> | |
465 | </varlistentry> | |
466 | ||
467 | <varlistentry> | |
468 | <term><option>-Z</option></term> | |
469 | <term><option>--selinux-context=</option></term> | |
470 | ||
471 | <listitem><para>Sets the SELinux security context to be used | |
472 | to label processes in the container.</para> | |
473 | </listitem> | |
474 | </varlistentry> | |
475 | ||
476 | <varlistentry> | |
477 | <term><option>-L</option></term> | |
478 | <term><option>--selinux-apifs-context=</option></term> | |
479 | ||
480 | <listitem><para>Sets the SELinux security context to be used | |
481 | to label files in the virtual API file systems in the | |
482 | container.</para> | |
483 | </listitem> | |
484 | </varlistentry> | |
485 | ||
486 | <varlistentry> | |
487 | <term><option>--capability=</option></term> | |
488 | ||
489 | <listitem><para>List one or more additional capabilities to | |
490 | grant the container. Takes a comma-separated list of | |
491 | capability names, see | |
492 | <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
493 | for more information. Note that the following capabilities | |
494 | will be granted in any way: CAP_CHOWN, CAP_DAC_OVERRIDE, | |
495 | CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER, | |
496 | CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, | |
497 | CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_RAW, | |
498 | CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP, CAP_SETUID, | |
499 | CAP_SYS_ADMIN, CAP_SYS_CHROOT, CAP_SYS_NICE, CAP_SYS_PTRACE, | |
500 | CAP_SYS_TTY_CONFIG, CAP_SYS_RESOURCE, CAP_SYS_BOOT, | |
501 | CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN is | |
502 | retained if <option>--private-network</option> is specified. | |
503 | If the special value <literal>all</literal> is passed, all | |
504 | capabilities are retained.</para></listitem> | |
505 | </varlistentry> | |
506 | ||
507 | <varlistentry> | |
508 | <term><option>--drop-capability=</option></term> | |
509 | ||
510 | <listitem><para>Specify one or more additional capabilities to | |
511 | drop for the container. This allows running the container with | |
512 | fewer capabilities than the default (see | |
513 | above).</para></listitem> | |
514 | </varlistentry> | |
515 | ||
c6c8f6e2 LP |
516 | <varlistentry> |
517 | <term><option>--kill-signal=</option></term> | |
518 | ||
519 | <listitem><para>Specify the process signal to send to the | |
520 | container's PID 1 when nspawn itself receives SIGTERM, in | |
521 | order to trigger an orderly shutdown of the | |
522 | container. Defaults to SIGRTMIN+3 if <option>--boot</option> | |
523 | is used (on systemd-compatible init systems SIGRTMIN+3 | |
524 | triggers an orderly shutdown). Takes a signal name like | |
525 | <literal>SIGHUP</literal>, <literal>SIGTERM</literal> or | |
526 | similar as argument.</para></listitem> | |
527 | </varlistentry> | |
528 | ||
798d3a52 ZJS |
529 | <varlistentry> |
530 | <term><option>--link-journal=</option></term> | |
531 | ||
532 | <listitem><para>Control whether the container's journal shall | |
533 | be made visible to the host system. If enabled, allows viewing | |
534 | the container's journal files from the host (but not vice | |
535 | versa). Takes one of <literal>no</literal>, | |
536 | <literal>host</literal>, <literal>try-host</literal>, | |
537 | <literal>guest</literal>, <literal>try-guest</literal>, | |
538 | <literal>auto</literal>. If <literal>no</literal>, the journal | |
539 | is not linked. If <literal>host</literal>, the journal files | |
540 | are stored on the host file system (beneath | |
541 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
542 | and the subdirectory is bind-mounted into the container at the | |
543 | same location. If <literal>guest</literal>, the journal files | |
544 | are stored on the guest file system (beneath | |
545 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
546 | and the subdirectory is symlinked into the host at the same | |
547 | location. <literal>try-host</literal> and | |
548 | <literal>try-guest</literal> do the same but do not fail if | |
549 | the host does not have persistent journalling enabled. If | |
550 | <literal>auto</literal> (the default), and the right | |
551 | subdirectory of <filename>/var/log/journal</filename> exists, | |
552 | it will be bind mounted into the container. If the | |
553 | subdirectory does not exist, no linking is performed. | |
554 | Effectively, booting a container once with | |
555 | <literal>guest</literal> or <literal>host</literal> will link | |
556 | the journal persistently if further on the default of | |
557 | <literal>auto</literal> is used.</para></listitem> | |
558 | </varlistentry> | |
559 | ||
560 | <varlistentry> | |
561 | <term><option>-j</option></term> | |
562 | ||
563 | <listitem><para>Equivalent to | |
564 | <option>--link-journal=try-guest</option>.</para></listitem> | |
565 | </varlistentry> | |
566 | ||
567 | <varlistentry> | |
568 | <term><option>--read-only</option></term> | |
569 | ||
570 | <listitem><para>Mount the root file system read-only for the | |
571 | container.</para></listitem> | |
572 | </varlistentry> | |
573 | ||
574 | <varlistentry> | |
575 | <term><option>--bind=</option></term> | |
576 | <term><option>--bind-ro=</option></term> | |
577 | ||
578 | <listitem><para>Bind mount a file or directory from the host | |
579 | into the container. Either takes a path argument -- in which | |
580 | case the specified path will be mounted from the host to the | |
581 | same path in the container --, or a colon-separated pair of | |
582 | paths -- in which case the first specified path is the source | |
583 | in the host, and the second path is the destination in the | |
64b282ef LP |
584 | container. This option may be specified multiple times for |
585 | creating multiple independent bind mount points. The | |
586 | <option>--bind-ro=</option> option creates read-only bind | |
587 | mounts.</para></listitem> | |
798d3a52 ZJS |
588 | </varlistentry> |
589 | ||
590 | <varlistentry> | |
591 | <term><option>--tmpfs=</option></term> | |
592 | ||
593 | <listitem><para>Mount a tmpfs file system into the container. | |
594 | Takes a single absolute path argument that specifies where to | |
595 | mount the tmpfs instance to (in which case the directory | |
596 | access mode will be chosen as 0755, owned by root/root), or | |
597 | optionally a colon-separated pair of path and mount option | |
598 | string, that is used for mounting (in which case the kernel | |
599 | default for access mode and owner will be chosen, unless | |
600 | otherwise specified). This option is particularly useful for | |
601 | mounting directories such as <filename>/var</filename> as | |
602 | tmpfs, to allow state-less systems, in particular when | |
603 | combined with <option>--read-only</option>.</para></listitem> | |
604 | </varlistentry> | |
605 | ||
5a8af538 LP |
606 | <varlistentry> |
607 | <term><option>--overlay=</option></term> | |
608 | <term><option>--overlay-ro=</option></term> | |
609 | ||
610 | <listitem><para>Combine multiple directory trees into one | |
611 | overlay file system and mount it into the container. Takes a | |
612 | list of colon-separated paths to the directory trees to | |
613 | combine and the destination mount point.</para> | |
614 | ||
615 | <para>If three or more paths are specified, then the last | |
616 | specified path is the destination mount point in the | |
617 | container, all paths specified before refer to directory trees | |
618 | on the host and are combined in the specified order into one | |
619 | overlay file system. The left-most path is hence the lowest | |
620 | directory tree, the second-to-last path the highest directory | |
621 | tree in the stacking order. If <option>--overlay-ro=</option> | |
622 | is used instead of <option>--overlay=</option> a read-only | |
623 | overlay file system is created. If a writable overlay file | |
624 | system is created all changes made to it are written to the | |
625 | highest directory tree in the stacking order, i.e. the | |
626 | second-to-last specified.</para> | |
627 | ||
628 | <para>If only two paths are specified, then the second | |
629 | specified path is used both as the top-level directory tree in | |
630 | the stacking order as seen from the host, as well as the mount | |
631 | point for the overlay file system in the container. At least | |
632 | two paths have to be specified.</para> | |
633 | ||
634 | <para>For details about overlay file systems, see <ulink | |
635 | url="https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt">overlayfs.txt</ulink>. Note | |
636 | that the semantics of overlay file systems are substantially | |
637 | different from normal file systems, in particular regarding | |
638 | reported device and inode information. Device and inode | |
639 | information may change for a file while it is being written | |
640 | to, and processes might see out-of-date versions of files at | |
641 | times. Note that this switch automatically derives the | |
642 | <literal>workdir=</literal> mount option for the overlay file | |
643 | system from the top-level directory tree, making it a sibling | |
644 | of it. It is hence essential that the top-level directory tree | |
645 | is not a mount point itself (since the working directory must | |
646 | be on the same file system as the top-most directory | |
647 | tree). Also note that the <literal>lowerdir=</literal> mount | |
648 | option receives the paths to stack in the opposite order of | |
649 | this switch.</para></listitem> | |
650 | </varlistentry> | |
651 | ||
798d3a52 ZJS |
652 | <varlistentry> |
653 | <term><option>--setenv=</option></term> | |
654 | ||
655 | <listitem><para>Specifies an environment variable assignment | |
656 | to pass to the init process in the container, in the format | |
657 | <literal>NAME=VALUE</literal>. This may be used to override | |
658 | the default variables or to set additional variables. This | |
659 | parameter may be used more than once.</para></listitem> | |
660 | </varlistentry> | |
661 | ||
662 | <varlistentry> | |
663 | <term><option>--share-system</option></term> | |
664 | ||
665 | <listitem><para>Allows the container to share certain system | |
666 | facilities with the host. More specifically, this turns off | |
667 | PID namespacing, UTS namespacing and IPC namespacing, and thus | |
668 | allows the guest to see and interact more easily with | |
669 | processes outside of the container. Note that using this | |
670 | option makes it impossible to start up a full Operating System | |
671 | in the container, as an init system cannot operate in this | |
672 | mode. It is only useful to run specific programs or | |
673 | applications this way, without involving an init system in the | |
674 | container. This option implies <option>--register=no</option>. | |
675 | This option may not be combined with | |
676 | <option>--boot</option>.</para></listitem> | |
677 | </varlistentry> | |
678 | ||
679 | <varlistentry> | |
680 | <term><option>--register=</option></term> | |
681 | ||
682 | <listitem><para>Controls whether the container is registered | |
683 | with | |
684 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
685 | Takes a boolean argument, defaults to <literal>yes</literal>. | |
686 | This option should be enabled when the container runs a full | |
687 | Operating System (more specifically: an init system), and is | |
688 | useful to ensure that the container is accessible via | |
689 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
690 | and shown by tools such as | |
691 | <citerefentry project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
692 | If the container does not run an init system, it is | |
693 | recommended to set this option to <literal>no</literal>. Note | |
694 | that <option>--share-system</option> implies | |
695 | <option>--register=no</option>. </para></listitem> | |
696 | </varlistentry> | |
697 | ||
698 | <varlistentry> | |
699 | <term><option>--keep-unit</option></term> | |
700 | ||
701 | <listitem><para>Instead of creating a transient scope unit to | |
702 | run the container in, simply register the service or scope | |
703 | unit <command>systemd-nspawn</command> has been invoked in | |
704 | with | |
705 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
706 | This has no effect if <option>--register=no</option> is used. | |
707 | This switch should be used if | |
708 | <command>systemd-nspawn</command> is invoked from within a | |
709 | service unit, and the service unit's sole purpose is to run a | |
710 | single <command>systemd-nspawn</command> container. This | |
711 | option is not available if run from a user | |
712 | session.</para></listitem> | |
713 | </varlistentry> | |
714 | ||
715 | <varlistentry> | |
716 | <term><option>--personality=</option></term> | |
717 | ||
718 | <listitem><para>Control the architecture ("personality") | |
719 | reported by | |
3ba3a79d | 720 | <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
798d3a52 ZJS |
721 | in the container. Currently, only <literal>x86</literal> and |
722 | <literal>x86-64</literal> are supported. This is useful when | |
723 | running a 32-bit container on a 64-bit host. If this setting | |
724 | is not used, the personality reported in the container is the | |
725 | same as the one reported on the host.</para></listitem> | |
726 | </varlistentry> | |
727 | ||
728 | <varlistentry> | |
729 | <term><option>-q</option></term> | |
730 | <term><option>--quiet</option></term> | |
731 | ||
732 | <listitem><para>Turns off any status output by the tool | |
733 | itself. When this switch is used, the only output from nspawn | |
734 | will be the console output of the container OS | |
735 | itself.</para></listitem> | |
736 | </varlistentry> | |
737 | ||
738 | <varlistentry> | |
739 | <term><option>--volatile</option><replaceable>=MODE</replaceable></term> | |
740 | ||
741 | <listitem><para>Boots the container in volatile mode. When no | |
742 | mode parameter is passed or when mode is specified as | |
743 | <literal>yes</literal> full volatile mode is enabled. This | |
744 | means the root directory is mounted as mostly unpopulated | |
745 | <literal>tmpfs</literal> instance, and | |
746 | <filename>/usr</filename> from the OS tree is mounted into it, | |
747 | read-only (the system thus starts up with read-only OS | |
748 | resources, but pristine state and configuration, any changes | |
749 | to the either are lost on shutdown). When the mode parameter | |
750 | is specified as <literal>state</literal> the OS tree is | |
751 | mounted read-only, but <filename>/var</filename> is mounted as | |
752 | <literal>tmpfs</literal> instance into it (the system thus | |
753 | starts up with read-only OS resources and configuration, but | |
754 | pristine state, any changes to the latter are lost on | |
755 | shutdown). When the mode parameter is specified as | |
756 | <literal>no</literal> (the default) the whole OS tree is made | |
757 | available writable.</para> | |
758 | ||
759 | <para>Note that setting this to <literal>yes</literal> or | |
760 | <literal>state</literal> will only work correctly with | |
761 | operating systems in the container that can boot up with only | |
762 | <filename>/usr</filename> mounted, and are able to populate | |
763 | <filename>/var</filename> automatically, as | |
764 | needed.</para></listitem> | |
765 | </varlistentry> | |
766 | ||
767 | <xi:include href="standard-options.xml" xpointer="help" /> | |
768 | <xi:include href="standard-options.xml" xpointer="version" /> | |
769 | </variablelist> | |
770 | ||
771 | </refsect1> | |
772 | ||
773 | <refsect1> | |
774 | <title>Examples</title> | |
775 | ||
776 | <example> | |
777 | <title>Download a Fedora image and start a shell in it</title> | |
778 | ||
779 | <programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz | |
e0ea94c1 LP |
780 | # systemd-nspawn -M Fedora-Cloud-Base-20141203-21</programlisting> |
781 | ||
798d3a52 ZJS |
782 | <para>This downloads an image using |
783 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
784 | and opens a shell in it.</para> | |
785 | </example> | |
e0ea94c1 | 786 | |
798d3a52 ZJS |
787 | <example> |
788 | <title>Build and boot a minimal Fedora distribution in a container</title> | |
8f7a3c14 | 789 | |
798d3a52 | 790 | <programlisting># dnf -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd dnf fedora-release vim-minimal |
2b3987a8 | 791 | # systemd-nspawn -bD /srv/mycontainer</programlisting> |
8f7a3c14 | 792 | |
798d3a52 ZJS |
793 | <para>This installs a minimal Fedora distribution into the |
794 | directory <filename noindex='true'>/srv/mycontainer/</filename> | |
795 | and then boots an OS in a namespace container in it.</para> | |
796 | </example> | |
8f7a3c14 | 797 | |
798d3a52 ZJS |
798 | <example> |
799 | <title>Spawn a shell in a container of a minimal Debian unstable distribution</title> | |
8f7a3c14 | 800 | |
798d3a52 | 801 | <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/ |
25f5971b | 802 | # systemd-nspawn -D ~/debian-tree/</programlisting> |
8f7a3c14 | 803 | |
798d3a52 ZJS |
804 | <para>This installs a minimal Debian unstable distribution into |
805 | the directory <filename>~/debian-tree/</filename> and then | |
806 | spawns a shell in a namespace container in it.</para> | |
807 | </example> | |
8f7a3c14 | 808 | |
798d3a52 ZJS |
809 | <example> |
810 | <title>Boot a minimal Arch Linux distribution in a container</title> | |
68562936 | 811 | |
798d3a52 | 812 | <programlisting># pacstrap -c -d ~/arch-tree/ base |
68562936 WG |
813 | # systemd-nspawn -bD ~/arch-tree/</programlisting> |
814 | ||
ff9b60f3 | 815 | <para>This installs a minimal Arch Linux distribution into the |
798d3a52 ZJS |
816 | directory <filename>~/arch-tree/</filename> and then boots an OS |
817 | in a namespace container in it.</para> | |
818 | </example> | |
68562936 | 819 | |
798d3a52 ZJS |
820 | <example> |
821 | <title>Boot into an ephemeral <literal>btrfs</literal> snapshot of the host system</title> | |
f9f4dd51 | 822 | |
798d3a52 | 823 | <programlisting># systemd-nspawn -D / -xb</programlisting> |
f9f4dd51 | 824 | |
798d3a52 ZJS |
825 | <para>This runs a copy of the host system in a |
826 | <literal>btrfs</literal> snapshot which is removed immediately | |
827 | when the container exits. All file system changes made during | |
828 | runtime will be lost on shutdown, hence.</para> | |
829 | </example> | |
f9f4dd51 | 830 | |
798d3a52 ZJS |
831 | <example> |
832 | <title>Run a container with SELinux sandbox security contexts</title> | |
a8828ed9 | 833 | |
798d3a52 | 834 | <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container |
a8828ed9 | 835 | # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting> |
798d3a52 ZJS |
836 | </example> |
837 | </refsect1> | |
838 | ||
839 | <refsect1> | |
840 | <title>Exit status</title> | |
841 | ||
842 | <para>The exit code of the program executed in the container is | |
843 | returned.</para> | |
844 | </refsect1> | |
845 | ||
846 | <refsect1> | |
847 | <title>See Also</title> | |
848 | <para> | |
849 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
850 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
851 | <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
852 | <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
853 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
854 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
855 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
856 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
3ba3a79d | 857 | <citerefentry project='man-pages'><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
798d3a52 ZJS |
858 | </para> |
859 | </refsect1> | |
8f7a3c14 LP |
860 | |
861 | </refentry> |