]>
Commit | Line | Data |
---|---|---|
c454426c | 1 | <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*--> |
19887cd0 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
19887cd0 ZJS |
4 | |
5 | <!-- | |
572eb058 | 6 | SPDX-License-Identifier: LGPL-2.1+ |
19887cd0 ZJS |
7 | --> |
8 | ||
21ac6ff1 | 9 | <refentry id="machinectl" conditional='ENABLE_MACHINED' |
798d3a52 ZJS |
10 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
11 | ||
12 | <refentryinfo> | |
13 | <title>machinectl</title> | |
14 | <productname>systemd</productname> | |
15 | ||
16 | <authorgroup> | |
17 | <author> | |
18 | <contrib>Developer</contrib> | |
19 | <firstname>Lennart</firstname> | |
20 | <surname>Poettering</surname> | |
21 | <email>lennart@poettering.net</email> | |
22 | </author> | |
23 | </authorgroup> | |
24 | </refentryinfo> | |
25 | ||
26 | <refmeta> | |
27 | <refentrytitle>machinectl</refentrytitle> | |
28 | <manvolnum>1</manvolnum> | |
29 | </refmeta> | |
30 | ||
31 | <refnamediv> | |
32 | <refname>machinectl</refname> | |
33 | <refpurpose>Control the systemd machine manager</refpurpose> | |
34 | </refnamediv> | |
35 | ||
36 | <refsynopsisdiv> | |
37 | <cmdsynopsis> | |
38 | <command>machinectl</command> | |
39 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
40 | <arg choice="req">COMMAND</arg> | |
41 | <arg choice="opt" rep="repeat">NAME</arg> | |
42 | </cmdsynopsis> | |
43 | </refsynopsisdiv> | |
44 | ||
45 | <refsect1> | |
46 | <title>Description</title> | |
47 | ||
48 | <para><command>machinectl</command> may be used to introspect and | |
49 | control the state of the | |
50 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
51 | virtual machine and container registration manager | |
52 | <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para> | |
91913f58 LP |
53 | |
54 | <para><command>machinectl</command> may be used to execute | |
55 | operations on machines and images. Machines in this sense are | |
56 | considered running instances of:</para> | |
57 | ||
58 | <itemizedlist> | |
59 | <listitem><para>Virtual Machines (VMs) that virtualize hardware | |
60 | to run full operating system (OS) instances (including their kernels) | |
61 | in a virtualized environment on top of the host OS.</para></listitem> | |
62 | ||
63 | <listitem><para>Containers that share the hardware and | |
64 | OS kernel with the host OS, in order to run | |
65 | OS userspace instances on top the host OS.</para></listitem> | |
66 | ||
fa69a4c7 | 67 | <listitem><para>The host system itself.</para></listitem> |
91913f58 LP |
68 | </itemizedlist> |
69 | ||
70 | <para>Machines are identified by names that follow the same rules | |
fa69a4c7 ZJS |
71 | as UNIX and DNS host names. For details, see below.</para> |
72 | ||
73 | <para>Machines are instantiated from disk or file system images that | |
74 | frequently — but not necessarily — carry the same name as machines running | |
75 | from them. Images in this sense may be:</para> | |
91913f58 LP |
76 | |
77 | <itemizedlist> | |
fa69a4c7 | 78 | <listitem><para>Directory trees containing an OS, including the |
91913f58 LP |
79 | top-level directories <filename>/usr</filename>, |
80 | <filename>/etc</filename>, and so on.</para></listitem> | |
81 | ||
82 | <listitem><para>btrfs subvolumes containing OS trees, similar to | |
83 | normal directory trees.</para></listitem> | |
84 | ||
85 | <listitem><para>Binary "raw" disk images containing MBR or GPT | |
86 | partition tables and Linux file system partitions.</para></listitem> | |
87 | ||
88 | <listitem><para>The file system tree of the host OS itself.</para></listitem> | |
89 | </itemizedlist> | |
90 | ||
798d3a52 ZJS |
91 | </refsect1> |
92 | ||
93 | <refsect1> | |
94 | <title>Options</title> | |
95 | ||
96 | <para>The following options are understood:</para> | |
97 | ||
98 | <variablelist> | |
99 | <varlistentry> | |
100 | <term><option>-p</option></term> | |
101 | <term><option>--property=</option></term> | |
102 | ||
103 | <listitem><para>When showing machine or image properties, | |
104 | limit the output to certain properties as specified by the | |
105 | argument. If not specified, all set properties are shown. The | |
106 | argument should be a property name, such as | |
107 | <literal>Name</literal>. If specified more than once, all | |
108 | properties with the specified names are | |
109 | shown.</para></listitem> | |
110 | </varlistentry> | |
111 | ||
112 | <varlistentry> | |
113 | <term><option>-a</option></term> | |
114 | <term><option>--all</option></term> | |
115 | ||
116 | <listitem><para>When showing machine or image properties, show | |
117 | all properties regardless of whether they are set or | |
118 | not.</para> | |
119 | ||
120 | <para>When listing VM or container images, do not suppress | |
121 | images beginning in a dot character | |
d94c2b06 LP |
122 | (<literal>.</literal>).</para> |
123 | ||
124 | <para>When cleaning VM or container images, remove all images, not just hidden ones.</para></listitem> | |
798d3a52 ZJS |
125 | </varlistentry> |
126 | ||
85500523 ZJS |
127 | <varlistentry> |
128 | <term><option>--value</option></term> | |
129 | ||
130 | <listitem><para>When printing properties with <command>show</command>, only print the value, | |
131 | and skip the property name and <literal>=</literal>.</para></listitem> | |
132 | </varlistentry> | |
133 | ||
798d3a52 ZJS |
134 | <varlistentry> |
135 | <term><option>-l</option></term> | |
136 | <term><option>--full</option></term> | |
137 | ||
138 | <listitem><para>Do not ellipsize process tree entries.</para> | |
139 | </listitem> | |
140 | </varlistentry> | |
141 | ||
798d3a52 ZJS |
142 | <varlistentry> |
143 | <term><option>--kill-who=</option></term> | |
144 | ||
145 | <listitem><para>When used with <command>kill</command>, choose | |
146 | which processes to kill. Must be one of | |
147 | <option>leader</option>, or <option>all</option> to select | |
148 | whether to kill only the leader process of the machine or all | |
149 | processes of the machine. If omitted, defaults to | |
150 | <option>all</option>.</para></listitem> | |
151 | </varlistentry> | |
152 | ||
153 | <varlistentry> | |
154 | <term><option>-s</option></term> | |
155 | <term><option>--signal=</option></term> | |
156 | ||
157 | <listitem><para>When used with <command>kill</command>, choose | |
158 | which signal to send to selected processes. Must be one of the | |
159 | well-known signal specifiers, such as | |
160 | <constant>SIGTERM</constant>, <constant>SIGINT</constant> or | |
161 | <constant>SIGSTOP</constant>. If omitted, defaults to | |
162 | <constant>SIGTERM</constant>.</para></listitem> | |
163 | </varlistentry> | |
164 | ||
c454426c LP |
165 | <varlistentry> |
166 | <term><option>--uid=</option></term> | |
167 | ||
bc3bb330 ZJS |
168 | <listitem><para>When used with the <command>shell</command> command, chooses the user ID to |
169 | open the interactive shell session as. If the argument to the <command>shell</command> | |
b17649ee | 170 | command also specifies a user name, this option is ignored. If the name is not specified |
bc3bb330 ZJS |
171 | in either way, <literal>root</literal> will be used by default. Note that this switch is |
172 | not supported for the <command>login</command> command (see below).</para></listitem> | |
c454426c LP |
173 | </varlistentry> |
174 | ||
175 | <varlistentry> | |
4d46e5db ZJS |
176 | <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> |
177 | <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> | |
178 | ||
179 | <listitem><para>When used with the <command>shell</command> command, sets an environment | |
180 | variable to pass to the executed shell. Takes an environment variable name and value, | |
181 | separated by <literal>=</literal>. This switch may be used multiple times to set multiple | |
182 | environment variables. Note that this switch is not supported for the | |
183 | <command>login</command> command (see below).</para></listitem> | |
c454426c LP |
184 | </varlistentry> |
185 | ||
798d3a52 ZJS |
186 | <varlistentry> |
187 | <term><option>--mkdir</option></term> | |
188 | ||
d3590ace LP |
189 | <listitem><para>When used with <command>bind</command>, creates the destination file or directory before |
190 | applying the bind mount. Note that even though the name of this option suggests that it is suitable only for | |
1b2ad5d9 | 191 | directories, this option also creates the destination file node to mount over if the object to mount is not |
d3590ace | 192 | a directory, but a regular file, device node, socket or FIFO.</para></listitem> |
798d3a52 ZJS |
193 | </varlistentry> |
194 | ||
798d3a52 ZJS |
195 | <varlistentry> |
196 | <term><option>--read-only</option></term> | |
197 | ||
d3590ace | 198 | <listitem><para>When used with <command>bind</command>, creates a read-only bind mount.</para> |
798d3a52 | 199 | |
d94c2b06 LP |
200 | <para>When used with <command>clone</command>, <command>import-raw</command> or <command>import-tar</command> a |
201 | read-only container or VM image is created.</para></listitem> | |
202 | </varlistentry> | |
798d3a52 ZJS |
203 | |
204 | <varlistentry> | |
205 | <term><option>-n</option></term> | |
206 | <term><option>--lines=</option></term> | |
207 | ||
208 | <listitem><para>When used with <command>status</command>, | |
209 | controls the number of journal lines to show, counting from | |
210 | the most recent ones. Takes a positive integer argument. | |
211 | Defaults to 10.</para> | |
212 | </listitem> | |
213 | </varlistentry> | |
214 | ||
215 | <varlistentry> | |
216 | <term><option>-o</option></term> | |
217 | <term><option>--output=</option></term> | |
218 | ||
219 | <listitem><para>When used with <command>status</command>, | |
220 | controls the formatting of the journal entries that are shown. | |
221 | For the available choices, see | |
222 | <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
223 | Defaults to <literal>short</literal>.</para></listitem> | |
224 | </varlistentry> | |
225 | ||
226 | <varlistentry> | |
227 | <term><option>--verify=</option></term> | |
228 | ||
229 | <listitem><para>When downloading a container or VM image, | |
230 | specify whether the image shall be verified before it is made | |
231 | available. Takes one of <literal>no</literal>, | |
232 | <literal>checksum</literal> and <literal>signature</literal>. | |
b938cb90 JE |
233 | If <literal>no</literal>, no verification is done. If |
234 | <literal>checksum</literal> is specified, the download is | |
a8eaaee7 | 235 | checked for integrity after the transfer is complete, but no |
798d3a52 | 236 | signatures are verified. If <literal>signature</literal> is |
7f3fdb7f | 237 | specified, the checksum is verified and the image's signature |
798d3a52 ZJS |
238 | is checked against a local keyring of trustable vendors. It is |
239 | strongly recommended to set this option to | |
240 | <literal>signature</literal> if the server and protocol | |
241 | support this. Defaults to | |
242 | <literal>signature</literal>.</para></listitem> | |
243 | </varlistentry> | |
244 | ||
245 | <varlistentry> | |
246 | <term><option>--force</option></term> | |
247 | ||
248 | <listitem><para>When downloading a container or VM image, and | |
249 | a local copy by the specified local machine name already | |
250 | exists, delete it first and replace it by the newly downloaded | |
251 | image.</para></listitem> | |
252 | </varlistentry> | |
253 | ||
6e9efa59 LP |
254 | <varlistentry> |
255 | <term><option>--format=</option></term> | |
256 | ||
257 | <listitem><para>When used with the <option>export-tar</option> | |
b938cb90 | 258 | or <option>export-raw</option> commands, specifies the |
6e9efa59 LP |
259 | compression format to use for the resulting file. Takes one of |
260 | <literal>uncompressed</literal>, <literal>xz</literal>, | |
b938cb90 | 261 | <literal>gzip</literal>, <literal>bzip2</literal>. By default, |
6e9efa59 LP |
262 | the format is determined automatically from the image file |
263 | name passed.</para></listitem> | |
264 | </varlistentry> | |
265 | ||
07b0b339 SK |
266 | <varlistentry> |
267 | <term><option>--max-addresses=</option></term> | |
268 | ||
269 | <listitem><para>When used with the <option>list-machines</option> | |
270 | command, limits the number of ip addresses output for every machine. | |
271 | Defaults to 1. All addresses can be requested with <literal>all</literal> | |
272 | as argument to <option>--max-addresses</option> . If the argument to | |
273 | <option>--max-addresses</option> is less than the actual number | |
2a03116d | 274 | of addresses, <literal>...</literal>follows the last address. |
07b0b339 SK |
275 | If multiple addresses are to be written for a given machine, every |
276 | address except the first one is on a new line and is followed by | |
277 | <literal>,</literal> if another address will be output afterwards. </para></listitem> | |
278 | </varlistentry> | |
279 | ||
af8cbf47 YW |
280 | <varlistentry> |
281 | <term><option>-q</option></term> | |
282 | <term><option>--quiet</option></term> | |
283 | ||
284 | <listitem><para>Suppresses additional informational output while running.</para></listitem> | |
285 | </varlistentry> | |
286 | ||
798d3a52 | 287 | <xi:include href="user-system-options.xml" xpointer="host" /> |
fa69a4c7 ZJS |
288 | |
289 | <varlistentry> | |
290 | <term><option>-M</option></term> | |
291 | <term><option>--machine=</option></term> | |
292 | ||
293 | <listitem><para>Connect to | |
294 | <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
295 | running in a local container, to perform the specified operation within | |
296 | the container.</para></listitem> | |
297 | </varlistentry> | |
798d3a52 ZJS |
298 | |
299 | <xi:include href="standard-options.xml" xpointer="no-pager" /> | |
300 | <xi:include href="standard-options.xml" xpointer="no-legend" /> | |
d47410f3 | 301 | <xi:include href="standard-options.xml" xpointer="no-ask-password" /> |
798d3a52 ZJS |
302 | <xi:include href="standard-options.xml" xpointer="help" /> |
303 | <xi:include href="standard-options.xml" xpointer="version" /> | |
304 | </variablelist> | |
305 | </refsect1> | |
306 | ||
307 | <refsect1> | |
308 | <title>Commands</title> | |
309 | ||
310 | <para>The following commands are understood:</para> | |
311 | ||
312 | <refsect2><title>Machine Commands</title><variablelist> | |
313 | ||
314 | <varlistentry> | |
315 | <term><command>list</command></term> | |
316 | ||
317 | <listitem><para>List currently running (online) virtual | |
91913f58 LP |
318 | machines and containers. To enumerate machine images that can |
319 | be started, use <command>list-images</command> (see | |
320 | below). Note that this command hides the special | |
321 | <literal>.host</literal> machine by default. Use the | |
322 | <option>--all</option> switch to show it.</para></listitem> | |
798d3a52 ZJS |
323 | </varlistentry> |
324 | ||
325 | <varlistentry> | |
1eecafb8 | 326 | <term><command>status</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 | 327 | |
28f90ea2 | 328 | <listitem><para>Show runtime status information about |
798d3a52 ZJS |
329 | one or more virtual machines and containers, followed by the |
330 | most recent log data from the journal. This function is | |
331 | intended to generate human-readable output. If you are looking | |
332 | for computer-parsable output, use <command>show</command> | |
333 | instead. Note that the log data shown is reported by the | |
334 | virtual machine or container manager, and frequently contains | |
335 | console output of the machine, but not necessarily journal | |
336 | contents of the machine itself.</para></listitem> | |
337 | </varlistentry> | |
338 | ||
339 | <varlistentry> | |
1eecafb8 | 340 | <term><command>show</command> [<replaceable>NAME</replaceable>…]</term> |
798d3a52 | 341 | |
e9c880dd LP |
342 | <listitem><para>Show properties of one or more registered virtual machines or containers or the manager |
343 | itself. If no argument is specified, properties of the manager will be shown. If a NAME is specified, | |
344 | properties of this virtual machine or container are shown. By default, empty properties are suppressed. Use | |
345 | <option>--all</option> to show those too. To select specific properties to show, use | |
346 | <option>--property=</option>. This command is intended to be used whenever computer-parsable output is | |
347 | required, and does not print the control group tree or journal entries. Use <command>status</command> if you | |
348 | are looking for formatted human-readable output.</para></listitem> | |
798d3a52 ZJS |
349 | </varlistentry> |
350 | ||
351 | <varlistentry> | |
1eecafb8 | 352 | <term><command>start</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 ZJS |
353 | |
354 | <listitem><para>Start a container as a system service, using | |
355 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
356 | This starts <filename>systemd-nspawn@.service</filename>, | |
357 | instantiated for the specified machine name, similar to the | |
358 | effect of <command>systemctl start</command> on the service | |
359 | name. <command>systemd-nspawn</command> looks for a container | |
360 | image by the specified name in | |
361 | <filename>/var/lib/machines/</filename> (and other search | |
362 | paths, see below) and runs it. Use | |
b938cb90 | 363 | <command>list-images</command> (see below) for listing |
798d3a52 ZJS |
364 | available container images to start.</para> |
365 | ||
366 | <para>Note that | |
367 | <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
368 | also interfaces with a variety of other container and VM | |
369 | managers, <command>systemd-nspawn</command> is just one | |
370 | implementation of it. Most of the commands available in | |
371 | <command>machinectl</command> may be used on containers or VMs | |
372 | controlled by other managers, not just | |
373 | <command>systemd-nspawn</command>. Starting VMs and container | |
374 | images on those managers requires manager-specific | |
375 | tools.</para> | |
376 | ||
377 | <para>To interactively start a container on the command line | |
378 | with full access to the container's console, please invoke | |
379 | <command>systemd-nspawn</command> directly. To stop a running | |
b2bb19bb | 380 | container use <command>machinectl poweroff</command>.</para></listitem> |
798d3a52 ZJS |
381 | </varlistentry> |
382 | ||
383 | <varlistentry> | |
91913f58 | 384 | <term><command>login</command> [<replaceable>NAME</replaceable>]</term> |
798d3a52 | 385 | |
c454426c | 386 | <listitem><para>Open an interactive terminal login session in |
b938cb90 | 387 | a container or on the local host. If an argument is supplied, |
91913f58 LP |
388 | it refers to the container machine to connect to. If none is |
389 | specified, or the container name is specified as the empty | |
390 | string, or the special machine name <literal>.host</literal> | |
391 | (see below) is specified, the connection is made to the local | |
392 | host instead. This will create a TTY connection to a specific | |
393 | container or the local host and asks for the execution of a | |
394 | getty on it. Note that this is only supported for containers | |
395 | running | |
798d3a52 ZJS |
396 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
397 | as init system.</para> | |
398 | ||
399 | <para>This command will open a full login prompt on the | |
91913f58 LP |
400 | container or the local host, which then asks for username and |
401 | password. Use <command>shell</command> (see below) or | |
798d3a52 | 402 | <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
91913f58 LP |
403 | with the <option>--machine=</option> switch to directly invoke |
404 | a single command, either interactively or in the | |
405 | background.</para></listitem> | |
798d3a52 ZJS |
406 | </varlistentry> |
407 | ||
c454426c | 408 | <varlistentry> |
1eecafb8 | 409 | <term><command>shell</command> [[<replaceable>NAME</replaceable>@]<replaceable>NAME</replaceable> [<replaceable>PATH</replaceable> [<replaceable>ARGUMENTS</replaceable>…]]] </term> |
c454426c LP |
410 | |
411 | <listitem><para>Open an interactive shell session in a | |
91913f58 LP |
412 | container or on the local host. The first argument refers to |
413 | the container machine to connect to. If none is specified, or | |
414 | the machine name is specified as the empty string, or the | |
415 | special machine name <literal>.host</literal> (see below) is | |
416 | specified, the connection is made to the local host | |
417 | instead. This works similar to <command>login</command> but | |
418 | immediately invokes a user process. This command runs the | |
c46bc7e2 SL |
419 | specified executable with the specified arguments, or the |
420 | default shell for the user if none is specified, or | |
421 | <filename>/bin/sh</filename> if no default shell is found. By default, | |
ef3100e9 LP |
422 | <option>--uid=</option>, or by prefixing the machine name with |
423 | a username and an <literal>@</literal> character, a different | |
424 | user may be selected. Use <option>--setenv=</option> to set | |
425 | environment variables for the executed process.</para> | |
426 | ||
7f129a1f LP |
427 | <para>Note that <command>machinectl shell</command> does not propagate the exit code/status of the invoked |
428 | shell process. Use <command>systemd-run</command> instead if that information is required (see below).</para> | |
429 | ||
ef3100e9 | 430 | <para>When using the <command>shell</command> command without |
b938cb90 | 431 | arguments, (thus invoking the executed shell or command on the |
a8eaaee7 | 432 | local host), it is in many ways similar to a <citerefentry |
ef3100e9 | 433 | project='die-net'><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
b938cb90 | 434 | session, but, unlike <command>su</command>, completely isolates |
ef3100e9 LP |
435 | the new session from the originating session, so that it |
436 | shares no process or session properties, and is in a clean and | |
437 | well-defined state. It will be tracked in a new utmp, login, | |
762a5766 LP |
438 | audit, security and keyring session, and will not inherit any |
439 | environment variables or resource limits, among other | |
440 | properties.</para> | |
ef3100e9 | 441 | |
7f129a1f LP |
442 | <para>Note that <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
443 | with its <option>--machine=</option> switch may be used in place of the <command>machinectl shell</command> | |
444 | command, and allows non-interactive operation, more detailed and low-level configuration of the invoked unit, | |
445 | as well as access to runtime and exit code/status information of the invoked shell process. In particular, use | |
446 | <command>systemd-run</command>'s <option>--wait</option> switch to propagate exit status information of the | |
447 | invoked process. Use <command>systemd-run</command>'s <option>--pty</option> switch for acquiring an | |
448 | interactive shell, similar to <command>machinectl shell</command>. In general, <command>systemd-run</command> | |
449 | is preferable for scripting purposes. However, note that <command>systemd-run</command> might require higher | |
450 | privileges than <command>machinectl shell</command>.</para></listitem> | |
c454426c LP |
451 | </varlistentry> |
452 | ||
798d3a52 | 453 | <varlistentry> |
1eecafb8 ZJS |
454 | <term><command>enable</command> <replaceable>NAME</replaceable>…</term> |
455 | <term><command>disable</command> <replaceable>NAME</replaceable>…</term> | |
798d3a52 ZJS |
456 | |
457 | <listitem><para>Enable or disable a container as a system | |
458 | service to start at system boot, using | |
459 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
460 | This enables or disables | |
461 | <filename>systemd-nspawn@.service</filename>, instantiated for | |
462 | the specified machine name, similar to the effect of | |
463 | <command>systemctl enable</command> or <command>systemctl | |
464 | disable</command> on the service name.</para></listitem> | |
465 | </varlistentry> | |
466 | ||
467 | <varlistentry> | |
1eecafb8 | 468 | <term><command>poweroff</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 ZJS |
469 | |
470 | <listitem><para>Power off one or more containers. This will | |
471 | trigger a reboot by sending SIGRTMIN+4 to the container's init | |
472 | process, which causes systemd-compatible init systems to shut | |
b2bb19bb CR |
473 | down cleanly. Use <command>stop</command> as alias for <command>poweroff</command>. |
474 | This operation does not work on containers that do not run a | |
798d3a52 ZJS |
475 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible |
476 | init system, such as sysvinit. Use | |
477 | <command>terminate</command> (see below) to immediately | |
478 | terminate a container or VM, without cleanly shutting it | |
479 | down.</para></listitem> | |
480 | </varlistentry> | |
481 | ||
482 | <varlistentry> | |
1eecafb8 | 483 | <term><command>reboot</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 ZJS |
484 | |
485 | <listitem><para>Reboot one or more containers. This will | |
486 | trigger a reboot by sending SIGINT to the container's init | |
487 | process, which is roughly equivalent to pressing Ctrl+Alt+Del | |
488 | on a non-containerized system, and is compatible with | |
489 | containers running any system manager.</para></listitem> | |
490 | </varlistentry> | |
491 | ||
492 | <varlistentry> | |
1eecafb8 | 493 | <term><command>terminate</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 ZJS |
494 | |
495 | <listitem><para>Immediately terminates a virtual machine or | |
496 | container, without cleanly shutting it down. This kills all | |
497 | processes of the virtual machine or container and deallocates | |
498 | all resources attached to that instance. Use | |
499 | <command>poweroff</command> to issue a clean shutdown | |
500 | request.</para></listitem> | |
501 | </varlistentry> | |
502 | ||
503 | <varlistentry> | |
1eecafb8 | 504 | <term><command>kill</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 ZJS |
505 | |
506 | <listitem><para>Send a signal to one or more processes of the | |
507 | virtual machine or container. This means processes as seen by | |
508 | the host, not the processes inside the virtual machine or | |
509 | container. Use <option>--kill-who=</option> to select which | |
510 | process to kill. Use <option>--signal=</option> to select the | |
511 | signal to send.</para></listitem> | |
512 | </varlistentry> | |
513 | ||
514 | <varlistentry> | |
515 | <term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term> | |
516 | ||
d3590ace LP |
517 | <listitem><para>Bind mounts a file or directory from the host into the specified container. The first path |
518 | argument is the source file or directory on the host, the second path argument is the destination file or | |
519 | directory in the container. When the latter is omitted, the destination path in the container is the same as | |
520 | the source path on the host. When combined with the <option>--read-only</option> switch, a ready-only bind | |
521 | mount is created. When combined with the <option>--mkdir</option> switch, the destination path is first created | |
522 | before the mount is applied. Note that this option is currently only supported for | |
7f43928b | 523 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers, |
d3590ace LP |
524 | and only if user namespacing (<option>--private-users</option>) is not used. This command supports bind |
525 | mounting directories, regular files, device nodes, <constant>AF_UNIX</constant> socket nodes, as well as | |
526 | FIFOs.</para></listitem> | |
798d3a52 ZJS |
527 | </varlistentry> |
528 | ||
529 | <varlistentry> | |
530 | <term><command>copy-to</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term> | |
531 | ||
532 | <listitem><para>Copies files or directories from the host | |
533 | system into a running container. Takes a container name, | |
534 | followed by the source path on the host and the destination | |
b938cb90 | 535 | path in the container. If the destination path is omitted, the |
d01cd401 | 536 | same as the source path is used.</para> |
798d3a52 | 537 | |
d01cd401 LP |
538 | <para>If host and container share the same user and group namespace, file ownership by numeric user ID and |
539 | group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root | |
540 | user and group (UID/GID 0).</para></listitem> | |
541 | </varlistentry> | |
798d3a52 ZJS |
542 | |
543 | <varlistentry> | |
544 | <term><command>copy-from</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term> | |
545 | ||
546 | <listitem><para>Copies files or directories from a container | |
547 | into the host system. Takes a container name, followed by the | |
548 | source path in the container the destination path on the host. | |
b938cb90 | 549 | If the destination path is omitted, the same as the source path |
d01cd401 LP |
550 | is used.</para> |
551 | ||
552 | <para>If host and container share the same user and group namespace, file ownership by numeric user ID and | |
553 | group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root | |
554 | user and group (UID/GID 0).</para></listitem> | |
798d3a52 ZJS |
555 | </varlistentry> |
556 | </variablelist></refsect2> | |
557 | ||
558 | <refsect2><title>Image Commands</title><variablelist> | |
559 | ||
560 | <varlistentry> | |
561 | <term><command>list-images</command></term> | |
562 | ||
563 | <listitem><para>Show a list of locally installed container and | |
564 | VM images. This enumerates all raw disk images and container | |
565 | directories and subvolumes in | |
566 | <filename>/var/lib/machines/</filename> (and other search | |
567 | paths, see below). Use <command>start</command> (see above) to | |
b938cb90 JE |
568 | run a container off one of the listed images. Note that, by |
569 | default, containers whose name begins with a dot | |
798d3a52 ZJS |
570 | (<literal>.</literal>) are not shown. To show these too, |
571 | specify <option>--all</option>. Note that a special image | |
572 | <literal>.host</literal> always implicitly exists and refers | |
573 | to the image the host itself is booted from.</para></listitem> | |
574 | </varlistentry> | |
575 | ||
576 | <varlistentry> | |
1eecafb8 | 577 | <term><command>image-status</command> [<replaceable>NAME</replaceable>…]</term> |
798d3a52 ZJS |
578 | |
579 | <listitem><para>Show terse status information about one or | |
580 | more container or VM images. This function is intended to | |
581 | generate human-readable output. Use | |
582 | <command>show-image</command> (see below) to generate | |
583 | computer-parsable output instead.</para></listitem> | |
584 | </varlistentry> | |
585 | ||
586 | <varlistentry> | |
1eecafb8 | 587 | <term><command>show-image</command> [<replaceable>NAME</replaceable>…]</term> |
798d3a52 ZJS |
588 | |
589 | <listitem><para>Show properties of one or more registered | |
590 | virtual machine or container images, or the manager itself. If | |
591 | no argument is specified, properties of the manager will be | |
037a3ded | 592 | shown. If a NAME is specified, properties of this virtual |
798d3a52 ZJS |
593 | machine or container image are shown. By default, empty |
594 | properties are suppressed. Use <option>--all</option> to show | |
595 | those too. To select specific properties to show, use | |
596 | <option>--property=</option>. This command is intended to be | |
597 | used whenever computer-parsable output is required. Use | |
598 | <command>image-status</command> if you are looking for | |
599 | formatted human-readable output.</para></listitem> | |
600 | </varlistentry> | |
601 | ||
602 | <varlistentry> | |
603 | <term><command>clone</command> <replaceable>NAME</replaceable> <replaceable>NAME</replaceable></term> | |
604 | ||
d13febb1 LP |
605 | <listitem><para>Clones a container or VM image. The arguments specify the name of the image to clone and the |
606 | name of the newly cloned image. Note that plain directory container images are cloned into btrfs subvolume | |
607 | images with this command, if the underlying file system supports this. Note that cloning a container or VM | |
17cbb288 LP |
608 | image is optimized for file systems that support copy-on-write, and might not be efficient on others, due to |
609 | file system limitations.</para> | |
3fe22bb4 LP |
610 | |
611 | <para>Note that this command leaves host name, machine ID and | |
612 | all other settings that could identify the instance | |
613 | unmodified. The original image and the cloned copy will hence | |
614 | share these credentials, and it might be necessary to manually | |
d94c2b06 LP |
615 | change them in the copy.</para> |
616 | ||
617 | <para>If combined with the <option>--read-only</option> switch a read-only cloned image is | |
618 | created.</para></listitem> | |
798d3a52 ZJS |
619 | </varlistentry> |
620 | ||
621 | <varlistentry> | |
622 | <term><command>rename</command> <replaceable>NAME</replaceable> <replaceable>NAME</replaceable></term> | |
623 | ||
d6ce17c7 | 624 | <listitem><para>Renames a container or VM image. The |
798d3a52 ZJS |
625 | arguments specify the name of the image to rename and the new |
626 | name of the image.</para></listitem> | |
627 | </varlistentry> | |
628 | ||
629 | <varlistentry> | |
630 | <term><command>read-only</command> <replaceable>NAME</replaceable> [<replaceable>BOOL</replaceable>]</term> | |
631 | ||
d6ce17c7 | 632 | <listitem><para>Marks or (unmarks) a container or VM image |
798d3a52 ZJS |
633 | read-only. Takes a VM or container image name, followed by a |
634 | boolean as arguments. If the boolean is omitted, positive is | |
635 | implied, i.e. the image is marked read-only.</para></listitem> | |
636 | </varlistentry> | |
637 | ||
798d3a52 | 638 | <varlistentry> |
1eecafb8 | 639 | <term><command>remove</command> <replaceable>NAME</replaceable>…</term> |
798d3a52 | 640 | |
d6ce17c7 | 641 | <listitem><para>Removes one or more container or VM images. |
798d3a52 | 642 | The special image <literal>.host</literal>, which refers to |
b938cb90 | 643 | the host's own directory tree, may not be |
798d3a52 ZJS |
644 | removed.</para></listitem> |
645 | </varlistentry> | |
646 | ||
d6ce17c7 LP |
647 | <varlistentry> |
648 | <term><command>set-limit</command> [<replaceable>NAME</replaceable>] <replaceable>BYTES</replaceable></term> | |
649 | ||
a8eaaee7 | 650 | <listitem><para>Sets the maximum size in bytes that a specific |
b938cb90 | 651 | container or VM image, or all images, may grow up to on disk |
7de30452 | 652 | (disk quota). Takes either one or two parameters. The first, |
d6ce17c7 | 653 | optional parameter refers to a container or VM image name. If |
b938cb90 JE |
654 | specified, the size limit of the specified image is changed. If |
655 | omitted, the overall size limit of the sum of all images stored | |
7de30452 LP |
656 | locally is changed. The final argument specifies the size |
657 | limit in bytes, possibly suffixed by the usual K, M, G, T | |
658 | units. If the size limit shall be disabled, specify | |
659 | <literal>-</literal> as size.</para> | |
660 | ||
661 | <para>Note that per-container size limits are only supported | |
b938cb90 | 662 | on btrfs file systems. Also note that, if |
a8eaaee7 | 663 | <command>set-limit</command> is invoked without an image |
7de30452 LP |
664 | parameter, and <filename>/var/lib/machines</filename> is |
665 | empty, and the directory is not located on btrfs, a btrfs | |
666 | loopback file is implicitly created as | |
667 | <filename>/var/lib/machines.raw</filename> with the given | |
668 | size, and mounted to | |
669 | <filename>/var/lib/machines</filename>. The size of the | |
670 | loopback may later be readjusted with | |
671 | <command>set-limit</command>, as well. If such a | |
672 | loopback-mounted <filename>/var/lib/machines</filename> | |
a8eaaee7 | 673 | directory is used, <command>set-limit</command> without an image |
7de30452 LP |
674 | name alters both the quota setting within the file system as |
675 | well as the loopback file and file system size | |
676 | itself.</para></listitem> | |
d6ce17c7 LP |
677 | </varlistentry> |
678 | ||
d94c2b06 LP |
679 | <varlistentry> |
680 | <term><command>clean</command></term> | |
681 | ||
682 | <listitem><para>Remove hidden VM or container images (or all). This command removes all hidden machine images | |
683 | from <filename>/var/lib/machines</filename>, i.e. those whose name begins with a dot. Use <command>machinectl | |
684 | list-images --all</command> to see a list of all machine images, including the hidden ones.</para> | |
685 | ||
686 | <para>When combined with the <option>--all</option> switch removes all images, not just hidden ones. This | |
687 | command effectively empties <filename>/var/lib/machines</filename>.</para> | |
688 | ||
689 | <para>Note that commands such as <command>machinectl pull-tar</command> or <command>machinectl | |
690 | pull-raw</command> usually create hidden, read-only, unmodified machine images from the downloaded image first, | |
691 | before cloning a writable working copy of it, in order to avoid duplicate downloads in case of images that are | |
692 | reused multiple times. Use <command>machinectl clean</command> to remove old, hidden images created this | |
693 | way.</para></listitem> | |
694 | </varlistentry> | |
695 | ||
798d3a52 ZJS |
696 | </variablelist></refsect2> |
697 | ||
698 | <refsect2><title>Image Transfer Commands</title><variablelist> | |
699 | ||
700 | <varlistentry> | |
701 | <term><command>pull-tar</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term> | |
702 | ||
703 | <listitem><para>Downloads a <filename>.tar</filename> | |
704 | container image from the specified URL, and makes it available | |
705 | under the specified local machine name. The URL must be of | |
706 | type <literal>http://</literal> or | |
707 | <literal>https://</literal>, and must refer to a | |
708 | <filename>.tar</filename>, <filename>.tar.gz</filename>, | |
709 | <filename>.tar.xz</filename> or <filename>.tar.bz2</filename> | |
b938cb90 | 710 | archive file. If the local machine name is omitted, it |
798d3a52 ZJS |
711 | is automatically derived from the last component of the URL, |
712 | with its suffix removed.</para> | |
713 | ||
697be0be TB |
714 | <para>The image is verified before it is made available, unless |
715 | <option>--verify=no</option> is specified. | |
716 | Verification is done either via an inline signed file with the name | |
717 | of the image and the suffix <filename>.sha256</filename> or via | |
718 | separate <filename>SHA256SUMS</filename> and | |
719 | <filename>SHA256SUMS.gpg</filename> files. | |
720 | The signature files need to be made available on the same web | |
721 | server, under the same URL as the <filename>.tar</filename> file. | |
722 | With <option>--verify=checksum</option>, only the SHA256 checksum | |
723 | for the file is verified, based on the <filename>.sha256</filename> | |
724 | suffixed file or the<filename>SHA256SUMS</filename> file. | |
725 | With <option>--verify=signature</option>, the sha checksum file is | |
726 | first verified with the inline signature in the | |
727 | <filename>.sha256</filename> file or the detached GPG signature file | |
728 | <filename>SHA256SUMS.gpg</filename>. | |
729 | The public key for this verification step needs to be available in | |
12b42c76 TG |
730 | <filename>/usr/lib/systemd/import-pubring.gpg</filename> or |
731 | <filename>/etc/systemd/import-pubring.gpg</filename>.</para> | |
798d3a52 ZJS |
732 | |
733 | <para>The container image will be downloaded and stored in a | |
734 | read-only subvolume in | |
b938cb90 | 735 | <filename>/var/lib/machines/</filename> that is named after |
798d3a52 ZJS |
736 | the specified URL and its HTTP etag. A writable snapshot is |
737 | then taken from this subvolume, and named after the specified | |
dd2b607b | 738 | local name. This behavior ensures that creating multiple |
798d3a52 ZJS |
739 | container instances of the same URL is efficient, as multiple |
740 | downloads are not necessary. In order to create only the | |
741 | read-only image, and avoid creating its writable snapshot, | |
742 | specify <literal>-</literal> as local machine name.</para> | |
743 | ||
744 | <para>Note that the read-only subvolume is prefixed with | |
6b94875f | 745 | <filename>.tar-</filename>, and is thus not shown by |
798d3a52 ZJS |
746 | <command>list-images</command>, unless <option>--all</option> |
747 | is passed.</para> | |
748 | ||
749 | <para>Note that pressing C-c during execution of this command | |
750 | will not abort the download. Use | |
751 | <command>cancel-transfer</command>, described | |
752 | below.</para></listitem> | |
753 | </varlistentry> | |
754 | ||
755 | <varlistentry> | |
756 | <term><command>pull-raw</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term> | |
757 | ||
758 | <listitem><para>Downloads a <filename>.raw</filename> | |
759 | container or VM disk image from the specified URL, and makes | |
760 | it available under the specified local machine name. The URL | |
761 | must be of type <literal>http://</literal> or | |
762 | <literal>https://</literal>. The container image must either | |
763 | be a <filename>.qcow2</filename> or raw disk image, optionally | |
764 | compressed as <filename>.gz</filename>, | |
765 | <filename>.xz</filename>, or <filename>.bz2</filename>. If the | |
b938cb90 | 766 | local machine name is omitted, it is automatically |
798d3a52 ZJS |
767 | derived from the last component of the URL, with its suffix |
768 | removed.</para> | |
769 | ||
770 | <para>Image verification is identical for raw and tar images | |
771 | (see above).</para> | |
772 | ||
1d3eaa93 | 773 | <para>If the downloaded image is in |
6b94875f | 774 | <filename>.qcow2</filename> format it is converted into a raw |
798d3a52 ZJS |
775 | image file before it is made available.</para> |
776 | ||
777 | <para>Downloaded images of this type will be placed as | |
778 | read-only <filename>.raw</filename> file in | |
779 | <filename>/var/lib/machines/</filename>. A local, writable | |
780 | (reflinked) copy is then made under the specified local | |
781 | machine name. To omit creation of the local, writable copy | |
782 | pass <literal>-</literal> as local machine name.</para> | |
783 | ||
dd2b607b | 784 | <para>Similar to the behavior of <command>pull-tar</command>, |
798d3a52 | 785 | the read-only image is prefixed with |
6b94875f | 786 | <filename>.raw-</filename>, and thus not shown by |
798d3a52 ZJS |
787 | <command>list-images</command>, unless <option>--all</option> |
788 | is passed.</para> | |
789 | ||
790 | <para>Note that pressing C-c during execution of this command | |
791 | will not abort the download. Use | |
792 | <command>cancel-transfer</command>, described | |
793 | below.</para></listitem> | |
794 | </varlistentry> | |
795 | ||
af40e5d3 LP |
796 | <varlistentry> |
797 | <term><command>import-tar</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term> | |
798 | <term><command>import-raw</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term> | |
799 | <listitem><para>Imports a TAR or RAW container or VM image, | |
800 | and places it under the specified name in | |
801 | <filename>/var/lib/machines/</filename>. When | |
b938cb90 | 802 | <command>import-tar</command> is used, the file specified as |
a8eaaee7 | 803 | the first argument should be a tar archive, possibly compressed |
af40e5d3 LP |
804 | with xz, gzip or bzip2. It will then be unpacked into its own |
805 | subvolume in <filename>/var/lib/machines</filename>. When | |
b938cb90 | 806 | <command>import-raw</command> is used, the file should be a |
af40e5d3 LP |
807 | qcow2 or raw disk image, possibly compressed with xz, gzip or |
808 | bzip2. If the second argument (the resulting image name) is | |
b938cb90 | 809 | not specified, it is automatically derived from the file |
1245e413 | 810 | name. If the filename is passed as <literal>-</literal>, the |
af40e5d3 LP |
811 | image is read from standard input, in which case the second |
812 | argument is mandatory.</para> | |
813 | ||
ace483c4 JE |
814 | <para>Both <command>pull-tar</command> and <command>pull-raw</command> |
815 | will resize <filename>/var/lib/machines.raw</filename> and the | |
816 | filesystem therein as necessary. Optionally, the | |
af40e5d3 LP |
817 | <option>--read-only</option> switch may be used to create a |
818 | read-only container or VM image. No cryptographic validation | |
819 | is done when importing the images.</para> | |
820 | ||
821 | <para>Much like image downloads, ongoing imports may be listed | |
822 | with <command>list-transfers</command> and aborted with | |
823 | <command>cancel-transfer</command>.</para></listitem> | |
824 | </varlistentry> | |
825 | ||
6e9efa59 LP |
826 | <varlistentry> |
827 | <term><command>export-tar</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term> | |
828 | <term><command>export-raw</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term> | |
829 | <listitem><para>Exports a TAR or RAW container or VM image and | |
830 | stores it in the specified file. The first parameter should be | |
831 | a VM or container image name. The second parameter should be a | |
832 | file path the TAR or RAW image is written to. If the path ends | |
b938cb90 JE |
833 | in <literal>.gz</literal>, the file is compressed with gzip, if |
834 | it ends in <literal>.xz</literal>, with xz, and if it ends in | |
835 | <literal>.bz2</literal>, with bzip2. If the path ends in | |
836 | neither, the file is left uncompressed. If the second argument | |
837 | is missing, the image is written to standard output. The | |
6e9efa59 LP |
838 | compression may also be explicitly selected with the |
839 | <option>--format=</option> switch. This is in particular | |
840 | useful if the second parameter is left unspecified.</para> | |
841 | ||
842 | <para>Much like image downloads and imports, ongoing exports | |
843 | may be listed with <command>list-transfers</command> and | |
844 | aborted with | |
845 | <command>cancel-transfer</command>.</para> | |
846 | ||
b938cb90 | 847 | <para>Note that, currently, only directory and subvolume images |
6e9efa59 LP |
848 | may be exported as TAR images, and only raw disk images as RAW |
849 | images.</para></listitem> | |
850 | </varlistentry> | |
851 | ||
798d3a52 ZJS |
852 | <varlistentry> |
853 | <term><command>list-transfers</command></term> | |
854 | ||
855 | <listitem><para>Shows a list of container or VM image | |
6e9efa59 | 856 | downloads, imports and exports that are currently in |
af40e5d3 | 857 | progress.</para></listitem> |
798d3a52 ZJS |
858 | </varlistentry> |
859 | ||
860 | <varlistentry> | |
ee156e8d | 861 | <term><command>cancel-transfer</command> <replaceable>ID</replaceable>…</term> |
798d3a52 | 862 | |
6e9efa59 LP |
863 | <listitem><para>Aborts a download, import or export of the |
864 | container or VM image with the specified ID. To list ongoing | |
865 | transfers and their IDs, use | |
af40e5d3 | 866 | <command>list-transfers</command>. </para></listitem> |
798d3a52 ZJS |
867 | </varlistentry> |
868 | ||
869 | </variablelist></refsect2> | |
870 | ||
871 | </refsect1> | |
872 | ||
91913f58 LP |
873 | <refsect1> |
874 | <title>Machine and Image Names</title> | |
875 | ||
876 | <para>The <command>machinectl</command> tool operates on machines | |
b938cb90 | 877 | and images whose names must be chosen following strict |
91913f58 LP |
878 | rules. Machine names must be suitable for use as host names |
879 | following a conservative subset of DNS and UNIX/Linux | |
880 | semantics. Specifically, they must consist of one or more | |
881 | non-empty label strings, separated by dots. No leading or trailing | |
882 | dots are allowed. No sequences of multiple dots are allowed. The | |
a8eaaee7 | 883 | label strings may only consist of alphanumeric characters as well |
91913f58 LP |
884 | as the dash and underscore. The maximum length of a machine name |
885 | is 64 characters.</para> | |
886 | ||
887 | <para>A special machine with the name <literal>.host</literal> | |
888 | refers to the running host system itself. This is useful for execution | |
a8eaaee7 | 889 | operations or inspecting the host system as well. Note that |
91913f58 LP |
890 | <command>machinectl list</command> will not show this special |
891 | machine unless the <option>--all</option> switch is specified.</para> | |
892 | ||
a8eaaee7 | 893 | <para>Requirements on image names are less strict, however, they must be |
91913f58 LP |
894 | valid UTF-8, must be suitable as file names (hence not be the |
895 | single or double dot, and not include a slash), and may not | |
896 | contain control characters. Since many operations search for an | |
b938cb90 | 897 | image by the name of a requested machine, it is recommended to name |
91913f58 LP |
898 | images in the same strict fashion as machines.</para> |
899 | ||
900 | <para>A special image with the name <literal>.host</literal> | |
a8eaaee7 | 901 | refers to the image of the running host system. It hence |
91913f58 LP |
902 | conceptually maps to the special <literal>.host</literal> machine |
903 | name described above. Note that <command>machinectl | |
7ca41557 | 904 | list-images</command> will not show this special image either, unless |
91913f58 LP |
905 | <option>--all</option> is specified.</para> |
906 | </refsect1> | |
907 | ||
798d3a52 ZJS |
908 | <refsect1> |
909 | <title>Files and Directories</title> | |
910 | ||
911 | <para>Machine images are preferably stored in | |
912 | <filename>/var/lib/machines/</filename>, but are also searched for | |
913 | in <filename>/usr/local/lib/machines/</filename> and | |
b938cb90 | 914 | <filename>/usr/lib/machines/</filename>. For compatibility reasons, |
798d3a52 ZJS |
915 | the directory <filename>/var/lib/container/</filename> is |
916 | searched, too. Note that images stored below | |
917 | <filename>/usr</filename> are always considered read-only. It is | |
918 | possible to symlink machines images from other directories into | |
919 | <filename>/var/lib/machines/</filename> to make them available for | |
920 | control with <command>machinectl</command>.</para> | |
921 | ||
17cbb288 | 922 | <para>Note that some image operations are only supported, |
7de30452 LP |
923 | efficient or atomic on btrfs file systems. Due to this, if the |
924 | <command>pull-tar</command>, <command>pull-raw</command>, | |
b43d75c3 LP |
925 | <command>import-tar</command>, <command>import-raw</command> and |
926 | <command>set-limit</command> commands notice that | |
927 | <filename>/var/lib/machines</filename> is empty and not located on | |
928 | btrfs, they will implicitly set up a loopback file | |
929 | <filename>/var/lib/machines.raw</filename> containing a btrfs file | |
930 | system that is mounted to | |
7de30452 | 931 | <filename>/var/lib/machines</filename>. The size of this loopback |
af40e5d3 LP |
932 | file may be controlled dynamically with |
933 | <command>set-limit</command>.</para> | |
7de30452 | 934 | |
798d3a52 ZJS |
935 | <para>Disk images are understood by |
936 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
937 | and <command>machinectl</command> in three formats:</para> | |
938 | ||
939 | <itemizedlist> | |
940 | <listitem><para>A simple directory tree, containing the files | |
941 | and directories of the container to boot.</para></listitem> | |
942 | ||
a8eaaee7 | 943 | <listitem><para>Subvolumes (on btrfs file systems), which are |
798d3a52 ZJS |
944 | similar to the simple directories, described above. However, |
945 | they have additional benefits, such as efficient cloning and | |
946 | quota reporting.</para></listitem> | |
947 | ||
948 | <listitem><para>"Raw" disk images, i.e. binary images of disks | |
949 | with a GPT or MBR partition table. Images of this type are | |
950 | regular files with the suffix | |
951 | <literal>.raw</literal>.</para></listitem> | |
952 | </itemizedlist> | |
953 | ||
954 | <para>See | |
955 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
a8eaaee7 | 956 | for more information on image formats, in particular its |
798d3a52 ZJS |
957 | <option>--directory=</option> and <option>--image=</option> |
958 | options.</para> | |
959 | </refsect1> | |
960 | ||
961 | <refsect1> | |
962 | <title>Examples</title> | |
963 | <example> | |
964 | <title>Download an Ubuntu image and open a shell in it</title> | |
965 | ||
966 | <programlisting># machinectl pull-tar https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-root.tar.gz | |
e0ea94c1 LP |
967 | # systemd-nspawn -M trusty-server-cloudimg-amd64-root</programlisting> |
968 | ||
798d3a52 ZJS |
969 | <para>This downloads and verifies the specified |
970 | <filename>.tar</filename> image, and then uses | |
971 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
972 | to open a shell in it.</para> | |
973 | </example> | |
974 | ||
975 | <example> | |
976 | <title>Download a Fedora image, set a root password in it, start | |
977 | it as service</title> | |
978 | ||
fcc7ce4c RS |
979 | <programlisting># machinectl pull-raw --verify=no https://dl.fedoraproject.org/pub/fedora/linux/releases/27/CloudImages/x86_64/images/Fedora-Cloud-Base-27-1.6.x86_64.raw.xz |
980 | # systemd-nspawn -M Fedora-Cloud-Base-27-1.6.x86_64 | |
ac92ced5 BF |
981 | # passwd |
982 | # exit | |
fcc7ce4c RS |
983 | # machinectl start Fedora-Cloud-Base-27-1.6.x86_64 |
984 | # machinectl login Fedora-Cloud-Base-27-1.6.x86_64</programlisting> | |
798d3a52 ZJS |
985 | |
986 | <para>This downloads the specified <filename>.raw</filename> | |
b938cb90 | 987 | image with verification disabled. Then, a shell is opened in it |
798d3a52 ZJS |
988 | and a root password is set. Afterwards the shell is left, and |
989 | the machine started as system service. With the last command a | |
990 | login prompt into the container is requested.</para> | |
991 | </example> | |
992 | ||
6e9efa59 LP |
993 | <example> |
994 | <title>Exports a container image as tar file</title> | |
995 | ||
996 | <programlisting># machinectl export-tar fedora myfedora.tar.xz</programlisting> | |
997 | ||
a8eaaee7 JE |
998 | <para>Exports the container <literal>fedora</literal> as an |
999 | xz-compressed tar file <filename>myfedora.tar.xz</filename> into the | |
6e9efa59 LP |
1000 | current directory.</para> |
1001 | </example> | |
1002 | ||
ef3100e9 LP |
1003 | <example> |
1004 | <title>Create a new shell session</title> | |
1005 | ||
1006 | <programlisting># machinectl shell --uid=lennart</programlisting> | |
1007 | ||
b938cb90 | 1008 | <para>This creates a new shell session on the local host for |
ef3100e9 LP |
1009 | the user ID <literal>lennart</literal>, in a <citerefentry |
1010 | project='die-net'><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>-like | |
1011 | fashion.</para> | |
1012 | </example> | |
1013 | ||
798d3a52 ZJS |
1014 | </refsect1> |
1015 | ||
1016 | <refsect1> | |
1017 | <title>Exit status</title> | |
1018 | ||
1019 | <para>On success, 0 is returned, a non-zero failure code | |
1020 | otherwise.</para> | |
1021 | </refsect1> | |
1022 | ||
1023 | <xi:include href="less-variables.xml" /> | |
1024 | ||
1025 | <refsect1> | |
1026 | <title>See Also</title> | |
1027 | <para> | |
d47410f3 | 1028 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
798d3a52 ZJS |
1029 | <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
1030 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
6e9efa59 | 1031 | <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>, |
16eb4024 ZJS |
1032 | <citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
1033 | <citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
1034 | <citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
1035 | <citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
798d3a52 ZJS |
1036 | </para> |
1037 | </refsect1> | |
19887cd0 ZJS |
1038 | |
1039 | </refentry> |