projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 514094f9 | 1 | <?xml version='1.0'?> |
| 3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
| 7a8aa0ec | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
| b68edd30 ZJS |
4 | <!ENTITY fedora_latest_version "32"> |
| 5 | <!ENTITY fedora_cloud_release "1.6"> | |
| 7a8aa0ec | 6 | ]> |
| 0307f791 | 7 | <!-- SPDX-License-Identifier: LGPL-2.1+ --> |
| 8f7a3c14 | 8 | |
| dfdebb1b | 9 | <refentry id="systemd-nspawn" |
| 798d3a52 ZJS |
10 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
| 11 | ||
| 12 | <refentryinfo> | |
| 13 | <title>systemd-nspawn</title> | |
| 14 | <productname>systemd</productname> | |
| 798d3a52 ZJS |
15 | </refentryinfo> |
| 16 | ||
| 17 | <refmeta> | |
| 18 | <refentrytitle>systemd-nspawn</refentrytitle> | |
| 19 | <manvolnum>1</manvolnum> | |
| 20 | </refmeta> | |
| 21 | ||
| 22 | <refnamediv> | |
| 23 | <refname>systemd-nspawn</refname> | |
| a7e2e50d | 24 | <refpurpose>Spawn a command or OS in a light-weight container</refpurpose> |
| 798d3a52 ZJS |
25 | </refnamediv> |
| 26 | ||
| 27 | <refsynopsisdiv> | |
| 28 | <cmdsynopsis> | |
| 29 | <command>systemd-nspawn</command> | |
| 30 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
| 31 | <arg choice="opt"><replaceable>COMMAND</replaceable> | |
| 32 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 33 | </arg> | |
| 34 | </cmdsynopsis> | |
| 35 | <cmdsynopsis> | |
| 36 | <command>systemd-nspawn</command> | |
| 4447e799 | 37 | <arg choice="plain">--boot</arg> |
| 798d3a52 ZJS |
38 | <arg choice="opt" rep="repeat">OPTIONS</arg> |
| 39 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 40 | </cmdsynopsis> | |
| 41 | </refsynopsisdiv> | |
| 42 | ||
| 43 | <refsect1> | |
| 44 | <title>Description</title> | |
| 45 | ||
| b09c0bba LP |
46 | <para><command>systemd-nspawn</command> may be used to run a command or OS in a light-weight namespace |
| 47 | container. In many ways it is similar to <citerefentry | |
| 48 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but more powerful | |
| 49 | since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and | |
| 50 | the host and domain name.</para> | |
| 51 | ||
| 5164c3b4 | 52 | <para><command>systemd-nspawn</command> may be invoked on any directory tree containing an operating system tree, |
| b09c0bba | 53 | using the <option>--directory=</option> command line option. By using the <option>--machine=</option> option an OS |
| 5164c3b4 | 54 | tree is automatically searched for in a couple of locations, most importantly in |
| a7e2e50d | 55 | <filename>/var/lib/machines</filename>, the suggested directory to place OS container images installed on the |
| b09c0bba LP |
56 | system.</para> |
| 57 | ||
| 58 | <para>In contrast to <citerefentry | |
| 59 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command> | |
| 60 | may be used to boot full Linux-based operating systems in a container.</para> | |
| 61 | ||
| 62 | <para><command>systemd-nspawn</command> limits access to various kernel interfaces in the container to read-only, | |
| 63 | such as <filename>/sys</filename>, <filename>/proc/sys</filename> or <filename>/sys/fs/selinux</filename>. The | |
| 64 | host's network interfaces and the system clock may not be changed from within the container. Device nodes may not | |
| 65 | be created. The host system cannot be rebooted and kernel modules may not be loaded from within the | |
| 798d3a52 ZJS |
66 | container.</para> |
| 67 | ||
| b09c0bba LP |
68 | <para>Use a tool like <citerefentry |
| 69 | project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry | |
| 70 | project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or | |
| 71 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry> to | |
| 72 | set up an OS directory tree suitable as file system hierarchy for <command>systemd-nspawn</command> containers. See | |
| 73 | the Examples section below for details on suitable invocation of these commands.</para> | |
| 74 | ||
| 75 | <para>As a safety check <command>systemd-nspawn</command> will verify the existence of | |
| 76 | <filename>/usr/lib/os-release</filename> or <filename>/etc/os-release</filename> in the container tree before | |
| 77 | starting the container (see | |
| 78 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It might be | |
| 79 | necessary to add this file to the container tree manually if the OS of the container is too old to contain this | |
| 798d3a52 | 80 | file out-of-the-box.</para> |
| b09c0bba LP |
81 | |
| 82 | <para><command>systemd-nspawn</command> may be invoked directly from the interactive command line or run as system | |
| 83 | service in the background. In this mode each container instance runs as its own service instance; a default | |
| 84 | template unit file <filename>systemd-nspawn@.service</filename> is provided to make this easy, taking the container | |
| 85 | name as instance identifier. Note that different default options apply when <command>systemd-nspawn</command> is | |
| 6dd6a9c4 | 86 | invoked by the template unit file than interactively on the command line. Most importantly the template unit file |
| b09c0bba | 87 | makes use of the <option>--boot</option> which is not the default in case <command>systemd-nspawn</command> is |
| 6dd6a9c4 | 88 | invoked from the interactive command line. Further differences with the defaults are documented along with the |
| b09c0bba LP |
89 | various supported options below.</para> |
| 90 | ||
| 91 | <para>The <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool may | |
| 92 | be used to execute a number of operations on containers. In particular it provides easy-to-use commands to run | |
| 93 | containers as system services using the <filename>systemd-nspawn@.service</filename> template unit | |
| 94 | file.</para> | |
| 95 | ||
| 96 | <para>Along with each container a settings file with the <filename>.nspawn</filename> suffix may exist, containing | |
| 97 | additional settings to apply when running the container. See | |
| 98 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
| 99 | details. Settings files override the default options used by the <filename>systemd-nspawn@.service</filename> | |
| 100 | template unit file, making it usually unnecessary to alter this template file directly.</para> | |
| 101 | ||
| 102 | <para>Note that <command>systemd-nspawn</command> will mount file systems private to the container to | |
| 103 | <filename>/dev</filename>, <filename>/run</filename> and similar. These will not be visible outside of the | |
| 104 | container, and their contents will be lost when the container exits.</para> | |
| 105 | ||
| 106 | <para>Note that running two <command>systemd-nspawn</command> containers from the same directory tree will not make | |
| 107 | processes in them see each other. The PID namespace separation of the two containers is complete and the containers | |
| 108 | will share very few runtime objects except for the underlying file system. Use | |
| 109 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
| 110 | <command>login</command> or <command>shell</command> commands to request an additional login session in a running | |
| 111 | container.</para> | |
| 112 | ||
| 113 | <para><command>systemd-nspawn</command> implements the <ulink | |
| 53dc5fbc | 114 | url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> specification.</para> |
| b09c0bba LP |
115 | |
| 116 | <para>While running, containers invoked with <command>systemd-nspawn</command> are registered with the | |
| 117 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry> service that | |
| 118 | keeps track of running containers, and provides programming interfaces to interact with them.</para> | |
| 798d3a52 ZJS |
119 | </refsect1> |
| 120 | ||
| 121 | <refsect1> | |
| 122 | <title>Options</title> | |
| 123 | ||
| 124 | <para>If option <option>-b</option> is specified, the arguments | |
| 3f2d1365 | 125 | are used as arguments for the init program. Otherwise, |
| 798d3a52 ZJS |
126 | <replaceable>COMMAND</replaceable> specifies the program to launch |
| 127 | in the container, and the remaining arguments are used as | |
| b09c0bba | 128 | arguments for this program. If <option>--boot</option> is not used and |
| ff9b60f3 | 129 | no arguments are specified, a shell is launched in the |
| 798d3a52 ZJS |
130 | container.</para> |
| 131 | ||
| 132 | <para>The following options are understood:</para> | |
| 133 | ||
| 134 | <variablelist> | |
| d99058c9 LP |
135 | |
| 136 | <varlistentry> | |
| 137 | <term><option>-q</option></term> | |
| 138 | <term><option>--quiet</option></term> | |
| 139 | ||
| 140 | <listitem><para>Turns off any status output by the tool | |
| 141 | itself. When this switch is used, the only output from nspawn | |
| 142 | will be the console output of the container OS | |
| 143 | itself.</para></listitem> | |
| 144 | </varlistentry> | |
| 145 | ||
| 146 | <varlistentry> | |
| 147 | <term><option>--settings=</option><replaceable>MODE</replaceable></term> | |
| 148 | ||
| 149 | <listitem><para>Controls whether | |
| 150 | <command>systemd-nspawn</command> shall search for and use | |
| 151 | additional per-container settings from | |
| 152 | <filename>.nspawn</filename> files. Takes a boolean or the | |
| 153 | special values <option>override</option> or | |
| 154 | <option>trusted</option>.</para> | |
| 155 | ||
| 156 | <para>If enabled (the default), a settings file named after the | |
| 157 | machine (as specified with the <option>--machine=</option> | |
| 158 | setting, or derived from the directory or image file name) | |
| 159 | with the suffix <filename>.nspawn</filename> is searched in | |
| 160 | <filename>/etc/systemd/nspawn/</filename> and | |
| 161 | <filename>/run/systemd/nspawn/</filename>. If it is found | |
| 162 | there, its settings are read and used. If it is not found | |
| 163 | there, it is subsequently searched in the same directory as the | |
| 164 | image file or in the immediate parent of the root directory of | |
| 165 | the container. In this case, if the file is found, its settings | |
| 166 | will be also read and used, but potentially unsafe settings | |
| 167 | are ignored. Note that in both these cases, settings on the | |
| 168 | command line take precedence over the corresponding settings | |
| 169 | from loaded <filename>.nspawn</filename> files, if both are | |
| 170 | specified. Unsafe settings are considered all settings that | |
| 171 | elevate the container's privileges or grant access to | |
| 172 | additional resources such as files or directories of the | |
| 173 | host. For details about the format and contents of | |
| 174 | <filename>.nspawn</filename> files, consult | |
| 175 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
| 176 | ||
| 177 | <para>If this option is set to <option>override</option>, the | |
| 178 | file is searched, read and used the same way, however, the order of | |
| 179 | precedence is reversed: settings read from the | |
| 180 | <filename>.nspawn</filename> file will take precedence over | |
| 181 | the corresponding command line options, if both are | |
| 182 | specified.</para> | |
| 183 | ||
| 184 | <para>If this option is set to <option>trusted</option>, the | |
| 185 | file is searched, read and used the same way, but regardless | |
| 186 | of being found in <filename>/etc/systemd/nspawn/</filename>, | |
| 187 | <filename>/run/systemd/nspawn/</filename> or next to the image | |
| 188 | file or container root directory, all settings will take | |
| 189 | effect, however, command line arguments still take precedence | |
| 190 | over corresponding settings.</para> | |
| 191 | ||
| 192 | <para>If disabled, no <filename>.nspawn</filename> file is read | |
| 193 | and no settings except the ones on the command line are in | |
| 194 | effect.</para></listitem> | |
| 195 | </varlistentry> | |
| 196 | ||
| 197 | </variablelist> | |
| 198 | ||
| 199 | <refsect2> | |
| 200 | <title>Image Options</title> | |
| 201 | ||
| 202 | <variablelist> | |
| 203 | ||
| 798d3a52 ZJS |
204 | <varlistentry> |
| 205 | <term><option>-D</option></term> | |
| 206 | <term><option>--directory=</option></term> | |
| 207 | ||
| 208 | <listitem><para>Directory to use as file system root for the | |
| 209 | container.</para> | |
| 210 | ||
| 211 | <para>If neither <option>--directory=</option>, nor | |
| 212 | <option>--image=</option> is specified the directory is | |
| 32b64cce RM |
213 | determined by searching for a directory named the same as the |
| 214 | machine name specified with <option>--machine=</option>. See | |
| 215 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 216 | section "Files and Directories" for the precise search path.</para> | |
| 217 | ||
| 218 | <para>If neither <option>--directory=</option>, | |
| 219 | <option>--image=</option>, nor <option>--machine=</option> | |
| 220 | are specified, the current directory will | |
| 221 | be used. May not be specified together with | |
| 798d3a52 ZJS |
222 | <option>--image=</option>.</para></listitem> |
| 223 | </varlistentry> | |
| 224 | ||
| 225 | <varlistentry> | |
| 226 | <term><option>--template=</option></term> | |
| 227 | ||
| 3f2fa834 LP |
228 | <listitem><para>Directory or <literal>btrfs</literal> subvolume to use as template for the |
| 229 | container's root directory. If this is specified and the container's root directory (as configured by | |
| 230 | <option>--directory=</option>) does not yet exist it is created as <literal>btrfs</literal> snapshot | |
| 231 | (if supported) or plain directory (otherwise) and populated from this template tree. Ideally, the | |
| 232 | specified template path refers to the root of a <literal>btrfs</literal> subvolume, in which case a | |
| 233 | simple copy-on-write snapshot is taken, and populating the root directory is instant. If the | |
| 234 | specified template path does not refer to the root of a <literal>btrfs</literal> subvolume (or not | |
| 235 | even to a <literal>btrfs</literal> file system at all), the tree is copied (though possibly in a | |
| 236 | 'reflink' copy-on-write scheme — if the file system supports that), which can be substantially more | |
| 237 | time-consuming. Note that the snapshot taken is of the specified directory or subvolume, including | |
| 238 | all subdirectories and subvolumes below it, but excluding any sub-mounts. May not be specified | |
| 239 | together with <option>--image=</option> or <option>--ephemeral</option>.</para> | |
| 3fe22bb4 | 240 | |
| 38b38500 | 241 | <para>Note that this switch leaves hostname, machine ID and |
| 3fe22bb4 LP |
242 | all other settings that could identify the instance |
| 243 | unmodified.</para></listitem> | |
| 798d3a52 ZJS |
244 | </varlistentry> |
| 245 | ||
| 246 | <varlistentry> | |
| 247 | <term><option>-x</option></term> | |
| 248 | <term><option>--ephemeral</option></term> | |
| 249 | ||
| 0f3be6ca LP |
250 | <listitem><para>If specified, the container is run with a temporary snapshot of its file system that is removed |
| 251 | immediately when the container terminates. May not be specified together with | |
| 3fe22bb4 | 252 | <option>--template=</option>.</para> |
| 38b38500 | 253 | <para>Note that this switch leaves hostname, machine ID and all other settings that could identify |
| 3f2fa834 LP |
254 | the instance unmodified. Please note that — as with <option>--template=</option> — taking the |
| 255 | temporary snapshot is more efficient on file systems that support subvolume snapshots or 'reflinks' | |
| 256 | natively (<literal>btrfs</literal> or new <literal>xfs</literal>) than on more traditional file | |
| 257 | systems that do not (<literal>ext4</literal>). Note that the snapshot taken is of the specified | |
| 258 | directory or subvolume, including all subdirectories and subvolumes below it, but excluding any | |
| 259 | sub-mounts.</para> | |
| b23f1628 LP |
260 | |
| 261 | <para>With this option no modifications of the container image are retained. Use | |
| 262 | <option>--volatile=</option> (described below) for other mechanisms to restrict persistency of | |
| 263 | container images during runtime.</para> | |
| 264 | </listitem> | |
| 798d3a52 ZJS |
265 | </varlistentry> |
| 266 | ||
| 267 | <varlistentry> | |
| 268 | <term><option>-i</option></term> | |
| 269 | <term><option>--image=</option></term> | |
| 270 | ||
| 271 | <listitem><para>Disk image to mount the root directory for the | |
| 272 | container from. Takes a path to a regular file or to a block | |
| 273 | device node. The file or block device must contain | |
| 274 | either:</para> | |
| 275 | ||
| 276 | <itemizedlist> | |
| 277 | <listitem><para>An MBR partition table with a single | |
| 278 | partition of type 0x83 that is marked | |
| 279 | bootable.</para></listitem> | |
| 280 | ||
| 281 | <listitem><para>A GUID partition table (GPT) with a single | |
| 282 | partition of type | |
| 283 | 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem> | |
| 284 | ||
| 285 | <listitem><para>A GUID partition table (GPT) with a marked | |
| 286 | root partition which is mounted as the root directory of the | |
| 287 | container. Optionally, GPT images may contain a home and/or | |
| 288 | a server data partition which are mounted to the appropriate | |
| 289 | places in the container. All these partitions must be | |
| 290 | identified by the partition types defined by the <ulink | |
| 19ac32cd | 291 | url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable |
| 798d3a52 | 292 | Partitions Specification</ulink>.</para></listitem> |
| 58abb66f LP |
293 | |
| 294 | <listitem><para>No partition table, and a single file system spanning the whole image.</para></listitem> | |
| 798d3a52 ZJS |
295 | </itemizedlist> |
| 296 | ||
| 0f3be6ca LP |
297 | <para>On GPT images, if an EFI System Partition (ESP) is discovered, it is automatically mounted to |
| 298 | <filename>/efi</filename> (or <filename>/boot</filename> as fallback) in case a directory by this name exists | |
| 299 | and is empty.</para> | |
| 300 | ||
| 58abb66f LP |
301 | <para>Partitions encrypted with LUKS are automatically decrypted. Also, on GPT images dm-verity data integrity |
| 302 | hash partitions are set up if the root hash for them is specified using the <option>--root-hash=</option> | |
| 303 | option.</para> | |
| 304 | ||
| e7cbe5cb LB |
305 | <para>Single file system images (i.e. file systems without a surrounding partition table) can be opened using |
| 306 | dm-verity if the integrity data is passed using the <option>--root-hash=</option> and | |
| 307 | <option>--verity-data=</option> options.</para> | |
| 308 | ||
| 0f3be6ca LP |
309 | <para>Any other partitions, such as foreign partitions or swap partitions are not mounted. May not be specified |
| 310 | together with <option>--directory=</option>, <option>--template=</option>.</para></listitem> | |
| 798d3a52 | 311 | </varlistentry> |
| 58abb66f | 312 | |
| 3d6c3675 LP |
313 | <varlistentry> |
| 314 | <term><option>--oci-bundle=</option></term> | |
| 315 | ||
| 316 | <listitem><para>Takes the path to an OCI runtime bundle to invoke, as specified in the <ulink | |
| 317 | url="https://github.com/opencontainers/runtime-spec/blob/master/spec.md">OCI Runtime Specification</ulink>. In | |
| 318 | this case no <filename>.nspawn</filename> file is loaded, and the root directory and various settings are read | |
| 319 | from the OCI runtime JSON data (but data passed on the command line takes precedence).</para></listitem> | |
| 320 | </varlistentry> | |
| 321 | ||
| d99058c9 LP |
322 | <varlistentry> |
| 323 | <term><option>--read-only</option></term> | |
| 324 | ||
| 325 | <listitem><para>Mount the container's root file system (and any other file systems container in the container | |
| 326 | image) read-only. This has no effect on additional mounts made with <option>--bind=</option>, | |
| 327 | <option>--tmpfs=</option> and similar options. This mode is implied if the container image file or directory is | |
| 328 | marked read-only itself. It is also implied if <option>--volatile=</option> is used. In this case the container | |
| 329 | image on disk is strictly read-only, while changes are permitted but kept non-persistently in memory only. For | |
| 330 | further details, see below.</para></listitem> | |
| 331 | </varlistentry> | |
| 332 | ||
| 333 | <varlistentry> | |
| 334 | <term><option>--volatile</option></term> | |
| 335 | <term><option>--volatile=</option><replaceable>MODE</replaceable></term> | |
| 336 | ||
| 337 | <listitem><para>Boots the container in volatile mode. When no mode parameter is passed or when mode is | |
| 338 | specified as <option>yes</option>, full volatile mode is enabled. This means the root directory is mounted as a | |
| 339 | mostly unpopulated <literal>tmpfs</literal> instance, and <filename>/usr/</filename> from the OS tree is | |
| 340 | mounted into it in read-only mode (the system thus starts up with read-only OS image, but pristine state and | |
| 341 | configuration, any changes are lost on shutdown). When the mode parameter is specified as | |
| 342 | <option>state</option>, the OS tree is mounted read-only, but <filename>/var/</filename> is mounted as a | |
| 343 | writable <literal>tmpfs</literal> instance into it (the system thus starts up with read-only OS resources and | |
| 344 | configuration, but pristine state, and any changes to the latter are lost on shutdown). When the mode parameter | |
| 345 | is specified as <option>overlay</option> the read-only root file system is combined with a writable | |
| 346 | <filename>tmpfs</filename> instance through <literal>overlayfs</literal>, so that it appears at it normally | |
| 347 | would, but any changes are applied to the temporary file system only and lost when the container is | |
| 348 | terminated. When the mode parameter is specified as <option>no</option> (the default), the whole OS tree is | |
| 349 | made available writable (unless <option>--read-only</option> is specified, see above).</para> | |
| 350 | ||
| 351 | <para>Note that if one of the volatile modes is chosen, its effect is limited to the root file system (or | |
| 352 | <filename>/var/</filename> in case of <option>state</option>), and any other mounts placed in the hierarchy are | |
| 353 | unaffected — regardless if they are established automatically (e.g. the EFI system partition that might be | |
| 354 | mounted to <filename>/efi/</filename> or <filename>/boot/</filename>) or explicitly (e.g. through an additional | |
| 355 | command line option such as <option>--bind=</option>, see below). This means, even if | |
| 356 | <option>--volatile=overlay</option> is used changes to <filename>/efi/</filename> or | |
| 357 | <filename>/boot/</filename> are prohibited in case such a partition exists in the container image operated on, | |
| 358 | and even if <option>--volatile=state</option> is used the hypothetical file <filename>/etc/foobar</filename> is | |
| 359 | potentially writable if <option>--bind=/etc/foobar</option> if used to mount it from outside the read-only | |
| 360 | container <filename>/etc</filename> directory.</para> | |
| 361 | ||
| 362 | <para>The <option>--ephemeral</option> option is closely related to this setting, and provides similar | |
| 363 | behaviour by making a temporary, ephemeral copy of the whole OS image and executing that. For further details, | |
| 364 | see above.</para> | |
| 365 | ||
| 366 | <para>The <option>--tmpfs=</option> and <option>--overlay=</option> options provide similar functionality, but | |
| 367 | for specific sub-directories of the OS image only. For details, see below.</para> | |
| 368 | ||
| 369 | <para>This option provides similar functionality for containers as the <literal>systemd.volatile=</literal> | |
| 370 | kernel command line switch provides for host systems. See | |
| 371 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
| 372 | details.</para> | |
| 373 | ||
| 2e542f4e LP |
374 | <para>Note that setting this option to <option>yes</option> or <option>state</option> will only work |
| 375 | correctly with operating systems in the container that can boot up with only | |
| 376 | <filename>/usr/</filename> mounted, and are able to automatically populate <filename>/var/</filename> | |
| 377 | (and <filename>/etc/</filename> in case of <literal>--volatile=yes</literal>). Specifically, this | |
| 378 | means that operating systems that follow the historic split of <filename>/bin/</filename> and | |
| 379 | <filename>/lib/</filename> (and related directories) from <filename>/usr/</filename> (i.e. where the | |
| 380 | former are not symlinks into the latter) are not supported by <literal>--volatile=yes</literal> as | |
| 381 | container payload. The <option>overlay</option> option does not require any particular preparations | |
| 382 | in the OS, but do note that <literal>overlayfs</literal> behaviour differs from regular file systems | |
| 383 | in a number of ways, and hence compatibility is limited.</para></listitem> | |
| d99058c9 LP |
384 | </varlistentry> |
| 385 | ||
| 58abb66f LP |
386 | <varlistentry> |
| 387 | <term><option>--root-hash=</option></term> | |
| 388 | ||
| 389 | <listitem><para>Takes a data integrity (dm-verity) root hash specified in hexadecimal. This option enables data | |
| 390 | integrity checks using dm-verity, if the used image contains the appropriate integrity data (see above). The | |
| ef3116b5 | 391 | specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64 |
| 41488e1f LP |
392 | formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but |
| 393 | the image file carries the <literal>user.verity.roothash</literal> extended file attribute (see <citerefentry | |
| 394 | project='man-pages'><refentrytitle>xattr</refentrytitle><manvolnum>7</manvolnum></citerefentry>), then the root | |
| 395 | hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or | |
| ef3116b5 | 396 | is not supported by the underlying file system), but a file with the <filename>.roothash</filename> suffix is |
| e7cbe5cb LB |
397 | found next to the image file, bearing otherwise the same name (except if the image has the |
| 398 | <filename>.raw</filename> suffix, in which case the root hash file must not have it in its name), the root hash | |
| 399 | is read from it and automatically used, also as formatted hexadecimal characters.</para></listitem> | |
| 400 | </varlistentry> | |
| 401 | ||
| 402 | <varlistentry> | |
| 403 | <term><option>--verity-data=</option></term> | |
| 404 | ||
| 405 | <listitem><para>Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks | |
| 406 | using dm-verity, if a root-hash is passed and if the used image itself does not contains the integrity data. | |
| 407 | The integrity data must be matched by the root hash. If this option is not specified, but a file with the | |
| 408 | <filename>.verity</filename> suffix is found next to the image file, bearing otherwise the same name (except if | |
| 409 | the image has the <filename>.raw</filename> suffix, in which case the verity data file must not have it in its name), | |
| 410 | the verity data is read from it and automatically used.</para></listitem> | |
| 58abb66f | 411 | </varlistentry> |
| 798d3a52 | 412 | |
| d99058c9 LP |
413 | <varlistentry> |
| 414 | <term><option>--pivot-root=</option></term> | |
| 415 | ||
| 416 | <listitem><para>Pivot the specified directory to <filename>/</filename> inside the container, and either unmount the | |
| 417 | container's old root, or pivot it to another specified directory. Takes one of: a path argument — in which case the | |
| 418 | specified path will be pivoted to <filename>/</filename> and the old root will be unmounted; or a colon-separated pair | |
| 419 | of new root path and pivot destination for the old root. The new root path will be pivoted to <filename>/</filename>, | |
| 420 | and the old <filename>/</filename> will be pivoted to the other directory. Both paths must be absolute, and are resolved | |
| 421 | in the container's file system namespace.</para> | |
| 422 | ||
| 423 | <para>This is for containers which have several bootable directories in them; for example, several | |
| 424 | <ulink url="https://ostree.readthedocs.io/en/latest/">OSTree</ulink> deployments. It emulates the behavior of | |
| 425 | the boot loader and initial RAM disk which normally select which directory to mount as the root and start the | |
| 426 | container's PID 1 in.</para></listitem> | |
| 427 | </varlistentry> | |
| 428 | </variablelist> | |
| 429 | ||
| 430 | </refsect2><refsect2> | |
| 431 | <title>Execution Options</title> | |
| 432 | ||
| 433 | <variablelist> | |
| 7732f92b LP |
434 | <varlistentry> |
| 435 | <term><option>-a</option></term> | |
| 436 | <term><option>--as-pid2</option></term> | |
| 437 | ||
| 438 | <listitem><para>Invoke the shell or specified program as process ID (PID) 2 instead of PID 1 (init). By | |
| 3f2d1365 AJ |
439 | default, if neither this option nor <option>--boot</option> is used, the selected program is run as the process |
| 440 | with PID 1, a mode only suitable for programs that are aware of the special semantics that the process with | |
| 441 | PID 1 has on UNIX. For example, it needs to reap all processes reparented to it, and should implement | |
| 7732f92b LP |
442 | <command>sysvinit</command> compatible signal handling (specifically: it needs to reboot on SIGINT, reexecute |
| 443 | on SIGTERM, reload configuration on SIGHUP, and so on). With <option>--as-pid2</option> a minimal stub init | |
| 3f2d1365 | 444 | process is run as PID 1 and the selected program is executed as PID 2 (and hence does not need to implement any |
| 7732f92b LP |
445 | special semantics). The stub init process will reap processes as necessary and react appropriately to |
| 446 | signals. It is recommended to use this mode to invoke arbitrary commands in containers, unless they have been | |
| 447 | modified to run correctly as PID 1. Or in other words: this switch should be used for pretty much all commands, | |
| 448 | except when the command refers to an init or shell implementation, as these are generally capable of running | |
| a6b5216c | 449 | correctly as PID 1. This option may not be combined with <option>--boot</option>.</para> |
| 7732f92b LP |
450 | </listitem> |
| 451 | </varlistentry> | |
| 452 | ||
| 798d3a52 ZJS |
453 | <varlistentry> |
| 454 | <term><option>-b</option></term> | |
| 455 | <term><option>--boot</option></term> | |
| 456 | ||
| 3f2d1365 | 457 | <listitem><para>Automatically search for an init program and invoke it as PID 1, instead of a shell or a user |
| 7732f92b | 458 | supplied program. If this option is used, arguments specified on the command line are used as arguments for the |
| 3f2d1365 | 459 | init program. This option may not be combined with <option>--as-pid2</option>.</para> |
| 7732f92b LP |
460 | |
| 461 | <para>The following table explains the different modes of invocation and relationship to | |
| 462 | <option>--as-pid2</option> (see above):</para> | |
| 463 | ||
| 464 | <table> | |
| 465 | <title>Invocation Mode</title> | |
| 466 | <tgroup cols='2' align='left' colsep='1' rowsep='1'> | |
| 467 | <colspec colname="switch" /> | |
| 468 | <colspec colname="explanation" /> | |
| 469 | <thead> | |
| 470 | <row> | |
| 471 | <entry>Switch</entry> | |
| 472 | <entry>Explanation</entry> | |
| 473 | </row> | |
| 474 | </thead> | |
| 475 | <tbody> | |
| 476 | <row> | |
| 477 | <entry>Neither <option>--as-pid2</option> nor <option>--boot</option> specified</entry> | |
| 4447e799 | 478 | <entry>The passed parameters are interpreted as the command line, which is executed as PID 1 in the container.</entry> |
| 7732f92b LP |
479 | </row> |
| 480 | ||
| 481 | <row> | |
| 482 | <entry><option>--as-pid2</option> specified</entry> | |
| 4447e799 | 483 | <entry>The passed parameters are interpreted as the command line, which is executed as PID 2 in the container. A stub init process is run as PID 1.</entry> |
| 7732f92b LP |
484 | </row> |
| 485 | ||
| 486 | <row> | |
| 487 | <entry><option>--boot</option> specified</entry> | |
| 3f2d1365 | 488 | <entry>An init program is automatically searched for and run as PID 1 in the container. The passed parameters are used as invocation parameters for this process.</entry> |
| 7732f92b LP |
489 | </row> |
| 490 | ||
| 491 | </tbody> | |
| 492 | </tgroup> | |
| 493 | </table> | |
| b09c0bba LP |
494 | |
| 495 | <para>Note that <option>--boot</option> is the default mode of operation if the | |
| 496 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 7732f92b | 497 | </listitem> |
| 798d3a52 ZJS |
498 | </varlistentry> |
| 499 | ||
| 5f932eb9 LP |
500 | <varlistentry> |
| 501 | <term><option>--chdir=</option></term> | |
| 502 | ||
| 503 | <listitem><para>Change to the specified working directory before invoking the process in the container. Expects | |
| 504 | an absolute path in the container's file system namespace.</para></listitem> | |
| 505 | </varlistentry> | |
| 506 | ||
| b53ede69 | 507 | <varlistentry> |
| d99058c9 LP |
508 | <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> |
| 509 | <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> | |
| b53ede69 | 510 | |
| d99058c9 LP |
511 | <listitem><para>Specifies an environment variable assignment |
| 512 | to pass to the init process in the container, in the format | |
| 513 | <literal>NAME=VALUE</literal>. This may be used to override | |
| 514 | the default variables or to set additional variables. This | |
| 515 | parameter may be used more than once.</para></listitem> | |
| b53ede69 PW |
516 | </varlistentry> |
| 517 | ||
| 798d3a52 ZJS |
518 | <varlistentry> |
| 519 | <term><option>-u</option></term> | |
| 520 | <term><option>--user=</option></term> | |
| 521 | ||
| 522 | <listitem><para>After transitioning into the container, change | |
| 523 | to the specified user-defined in the container's user | |
| 524 | database. Like all other systemd-nspawn features, this is not | |
| 525 | a security feature and provides protection against accidental | |
| 526 | destructive operations only.</para></listitem> | |
| 527 | </varlistentry> | |
| 528 | ||
| d99058c9 LP |
529 | <varlistentry> |
| 530 | <term><option>--kill-signal=</option></term> | |
| 531 | ||
| 532 | <listitem><para>Specify the process signal to send to the container's PID 1 when nspawn itself receives | |
| 533 | <constant>SIGTERM</constant>, in order to trigger an orderly shutdown of the container. Defaults to | |
| 534 | <constant>SIGRTMIN+3</constant> if <option>--boot</option> is used (on systemd-compatible init systems | |
| 535 | <constant>SIGRTMIN+3</constant> triggers an orderly shutdown). If <option>--boot</option> is not used and this | |
| 536 | option is not specified the container's processes are terminated abruptly via <constant>SIGKILL</constant>. For | |
| 537 | a list of valid signals, see <citerefentry | |
| 538 | project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem> | |
| 539 | </varlistentry> | |
| 540 | ||
| 541 | <varlistentry> | |
| 542 | <term><option>--notify-ready=</option></term> | |
| 543 | ||
| 544 | <listitem><para>Configures support for notifications from the container's init process. | |
| 545 | <option>--notify-ready=</option> takes a boolean (<option>no</option> and <option>yes</option>). | |
| 546 | With option <option>no</option> systemd-nspawn notifies systemd | |
| 547 | with a <literal>READY=1</literal> message when the init process is created. | |
| 548 | With option <option>yes</option> systemd-nspawn waits for the | |
| 549 | <literal>READY=1</literal> message from the init process in the container | |
| 550 | before sending its own to systemd. For more details about notifications | |
| 551 | see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).</para></listitem> | |
| 552 | </varlistentry> | |
| 553 | </variablelist> | |
| 554 | ||
| 555 | </refsect2><refsect2> | |
| 556 | <title>System Identity Options</title> | |
| 557 | ||
| 558 | <variablelist> | |
| 798d3a52 ZJS |
559 | <varlistentry> |
| 560 | <term><option>-M</option></term> | |
| 561 | <term><option>--machine=</option></term> | |
| 562 | ||
| 563 | <listitem><para>Sets the machine name for this container. This | |
| 564 | name may be used to identify this container during its runtime | |
| 565 | (for example in tools like | |
| 566 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 567 | and similar), and is used to initialize the container's | |
| 568 | hostname (which the container can choose to override, | |
| 569 | however). If not specified, the last component of the root | |
| 570 | directory path of the container is used, possibly suffixed | |
| 571 | with a random identifier in case <option>--ephemeral</option> | |
| 572 | mode is selected. If the root directory selected is the host's | |
| 573 | root directory the host's hostname is used as default | |
| 574 | instead.</para></listitem> | |
| 575 | </varlistentry> | |
| 576 | ||
| 3a9530e5 LP |
577 | <varlistentry> |
| 578 | <term><option>--hostname=</option></term> | |
| 579 | ||
| 580 | <listitem><para>Controls the hostname to set within the container, if different from the machine name. Expects | |
| 581 | a valid hostname as argument. If this option is used, the kernel hostname of the container will be set to this | |
| 582 | value, otherwise it will be initialized to the machine name as controlled by the <option>--machine=</option> | |
| 583 | option described above. The machine name is used for various aspect of identification of the container from the | |
| 584 | outside, the kernel hostname configurable with this option is useful for the container to identify itself from | |
| 585 | the inside. It is usually a good idea to keep both forms of identification synchronized, in order to avoid | |
| 586 | confusion. It is hence recommended to avoid usage of this option, and use <option>--machine=</option> | |
| 587 | exclusively. Note that regardless whether the container's hostname is initialized from the name set with | |
| 588 | <option>--hostname=</option> or the one set with <option>--machine=</option>, the container can later override | |
| 589 | its kernel hostname freely on its own as well.</para> | |
| 590 | </listitem> | |
| 591 | </varlistentry> | |
| 592 | ||
| 798d3a52 ZJS |
593 | <varlistentry> |
| 594 | <term><option>--uuid=</option></term> | |
| 595 | ||
| 596 | <listitem><para>Set the specified UUID for the container. The | |
| 597 | init system will initialize | |
| 598 | <filename>/etc/machine-id</filename> from this if this file is | |
| e01ff70a MS |
599 | not set yet. Note that this option takes effect only if |
| 600 | <filename>/etc/machine-id</filename> in the container is | |
| 601 | unpopulated.</para></listitem> | |
| 798d3a52 | 602 | </varlistentry> |
| d99058c9 | 603 | </variablelist> |
| 798d3a52 | 604 | |
| d99058c9 LP |
605 | </refsect2><refsect2> |
| 606 | <title>Property Options</title> | |
| 607 | ||
| 608 | <variablelist> | |
| 798d3a52 | 609 | <varlistentry> |
| 4deb5503 | 610 | <term><option>-S</option></term> |
| 798d3a52 ZJS |
611 | <term><option>--slice=</option></term> |
| 612 | ||
| cd2dfc6f LP |
613 | <listitem><para>Make the container part of the specified slice, instead of the default |
| 614 | <filename>machine.slice</filename>. This applies only if the machine is run in its own scope unit, i.e. if | |
| 615 | <option>--keep-unit</option> isn't used.</para> | |
| f36933fe LP |
616 | </listitem> |
| 617 | </varlistentry> | |
| 618 | ||
| 619 | <varlistentry> | |
| 620 | <term><option>--property=</option></term> | |
| 621 | ||
| cd2dfc6f LP |
622 | <listitem><para>Set a unit property on the scope unit to register for the machine. This applies only if the |
| 623 | machine is run in its own scope unit, i.e. if <option>--keep-unit</option> isn't used. Takes unit property | |
| 624 | assignments in the same format as <command>systemctl set-property</command>. This is useful to set memory | |
| 625 | limits and similar for container.</para> | |
| 798d3a52 ZJS |
626 | </listitem> |
| 627 | </varlistentry> | |
| 628 | ||
| d99058c9 LP |
629 | <varlistentry> |
| 630 | <term><option>--register=</option></term> | |
| 631 | ||
| 632 | <listitem><para>Controls whether the container is registered with | |
| 633 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes a | |
| 634 | boolean argument, which defaults to <literal>yes</literal>. This option should be enabled when the container | |
| 635 | runs a full Operating System (more specifically: a system and service manager as PID 1), and is useful to | |
| 636 | ensure that the container is accessible via | |
| 637 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and shown by | |
| 638 | tools such as <citerefentry | |
| 639 | project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If the container | |
| 640 | does not run a service manager, it is recommended to set this option to | |
| 641 | <literal>no</literal>.</para></listitem> | |
| 642 | </varlistentry> | |
| 643 | ||
| 644 | <varlistentry> | |
| 645 | <term><option>--keep-unit</option></term> | |
| 646 | ||
| 647 | <listitem><para>Instead of creating a transient scope unit to run the container in, simply use the service or | |
| 648 | scope unit <command>systemd-nspawn</command> has been invoked in. If <option>--register=yes</option> is set | |
| 649 | this unit is registered with | |
| 650 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This | |
| 651 | switch should be used if <command>systemd-nspawn</command> is invoked from within a service unit, and the | |
| 652 | service unit's sole purpose is to run a single <command>systemd-nspawn</command> container. This option is not | |
| 653 | available if run from a user session.</para> | |
| 654 | <para>Note that passing <option>--keep-unit</option> disables the effect of <option>--slice=</option> and | |
| 655 | <option>--property=</option>. Use <option>--keep-unit</option> and <option>--register=no</option> in | |
| 656 | combination to disable any kind of unit allocation or registration with | |
| 657 | <command>systemd-machined</command>.</para></listitem> | |
| 658 | </varlistentry> | |
| 659 | </variablelist> | |
| 660 | ||
| 661 | </refsect2><refsect2> | |
| 662 | <title>User Namespacing Options</title> | |
| 663 | ||
| 664 | <variablelist> | |
| 03cfe0d5 LP |
665 | <varlistentry> |
| 666 | <term><option>--private-users=</option></term> | |
| 667 | ||
| d2e5535f LP |
668 | <listitem><para>Controls user namespacing. If enabled, the container will run with its own private set of UNIX |
| 669 | user and group ids (UIDs and GIDs). This involves mapping the private UIDs/GIDs used in the container (starting | |
| 670 | with the container's root user 0 and up) to a range of UIDs/GIDs on the host that are not used for other | |
| 671 | purposes (usually in the range beyond the host's UID/GID 65536). The parameter may be specified as follows:</para> | |
| 672 | ||
| 673 | <orderedlist> | |
| 2dd67817 | 674 | <listitem><para>If one or two colon-separated numbers are specified, user namespacing is turned on. The first |
| ae209204 ZJS |
675 | parameter specifies the first host UID/GID to assign to the container, the second parameter specifies the |
| 676 | number of host UIDs/GIDs to assign to the container. If the second parameter is omitted, 65536 UIDs/GIDs are | |
| 677 | assigned.</para></listitem> | |
| 678 | ||
| 679 | <listitem><para>If the parameter is omitted, or true, user namespacing is turned on. The UID/GID range to | |
| 680 | use is determined automatically from the file ownership of the root directory of the container's directory | |
| 681 | tree. To use this option, make sure to prepare the directory tree in advance, and ensure that all files and | |
| 682 | directories in it are owned by UIDs/GIDs in the range you'd like to use. Also, make sure that used file ACLs | |
| 683 | exclusively reference UIDs/GIDs in the appropriate range. If this mode is used the number of UIDs/GIDs | |
| 684 | assigned to the container for use is 65536, and the UID/GID of the root directory must be a multiple of | |
| 685 | 65536.</para></listitem> | |
| 686 | ||
| 687 | <listitem><para>If the parameter is false, user namespacing is turned off. This is the default.</para> | |
| 688 | </listitem> | |
| 689 | ||
| 690 | <listitem><para>The special value <literal>pick</literal> turns on user namespacing. In this case the UID/GID | |
| 691 | range is automatically chosen. As first step, the file owner of the root directory of the container's | |
| 692 | directory tree is read, and it is checked that it is currently not used by the system otherwise (in | |
| 693 | particular, that no other container is using it). If this check is successful, the UID/GID range determined | |
| 2dd67817 | 694 | this way is used, similar to the behavior if "yes" is specified. If the check is not successful (and thus |
| ae209204 ZJS |
695 | the UID/GID range indicated in the root directory's file owner is already used elsewhere) a new – currently |
| 696 | unused – UID/GID range of 65536 UIDs/GIDs is randomly chosen between the host UID/GIDs of 524288 and | |
| 697 | 1878982656, always starting at a multiple of 65536. This setting implies | |
| 698 | <option>--private-users-chown</option> (see below), which has the effect that the files and directories in | |
| 699 | the container's directory tree will be owned by the appropriate users of the range picked. Using this option | |
| 2dd67817 | 700 | makes user namespace behavior fully automatic. Note that the first invocation of a previously unused |
| ae209204 ZJS |
701 | container image might result in picking a new UID/GID range for it, and thus in the (possibly expensive) file |
| 702 | ownership adjustment operation. However, subsequent invocations of the container will be cheap (unless of | |
| 703 | course the picked UID/GID range is assigned to a different use by then).</para></listitem> | |
| d2e5535f LP |
704 | </orderedlist> |
| 705 | ||
| 706 | <para>It is recommended to assign at least 65536 UIDs/GIDs to each container, so that the usable UID/GID range in the | |
| 707 | container covers 16 bit. For best security, do not assign overlapping UID/GID ranges to multiple containers. It is | |
| 708 | hence a good idea to use the upper 16 bit of the host 32-bit UIDs/GIDs as container identifier, while the lower 16 | |
| 2dd67817 | 709 | bit encode the container UID/GID used. This is in fact the behavior enforced by the |
| d2e5535f LP |
710 | <option>--private-users=pick</option> option.</para> |
| 711 | ||
| 712 | <para>When user namespaces are used, the GID range assigned to each container is always chosen identical to the | |
| 713 | UID range.</para> | |
| 714 | ||
| 715 | <para>In most cases, using <option>--private-users=pick</option> is the recommended option as it enhances | |
| 716 | container security massively and operates fully automatically in most cases.</para> | |
| 717 | ||
| 718 | <para>Note that the picked UID/GID range is not written to <filename>/etc/passwd</filename> or | |
| 719 | <filename>/etc/group</filename>. In fact, the allocation of the range is not stored persistently anywhere, | |
| aa10469e LP |
720 | except in the file ownership of the files and directories of the container.</para> |
| 721 | ||
| 722 | <para>Note that when user namespacing is used file ownership on disk reflects this, and all of the container's | |
| 723 | files and directories are owned by the container's effective user and group IDs. This means that copying files | |
| 724 | from and to the container image requires correction of the numeric UID/GID values, according to the UID/GID | |
| 725 | shift applied.</para></listitem> | |
| 03cfe0d5 LP |
726 | </varlistentry> |
| 727 | ||
| d2e5535f LP |
728 | <varlistentry> |
| 729 | <term><option>--private-users-chown</option></term> | |
| 730 | ||
| bcf09321 ZJS |
731 | <listitem><para>If specified, all files and directories in the container's directory tree will be |
| 732 | adjusted so that they are owned by the appropriate UIDs/GIDs selected for the container (see above). | |
| 733 | This operation is potentially expensive, as it involves iterating through the full directory tree of | |
| 734 | the container. Besides actual file ownership, file ACLs are adjusted as well.</para> | |
| d2e5535f LP |
735 | |
| 736 | <para>This option is implied if <option>--private-users=pick</option> is used. This option has no effect if | |
| 737 | user namespacing is not used.</para></listitem> | |
| 738 | </varlistentry> | |
| 03cfe0d5 | 739 | |
| 6265bde2 ZJS |
740 | <varlistentry> |
| 741 | <term><option>-U</option></term> | |
| 742 | ||
| 743 | <listitem><para>If the kernel supports the user namespaces feature, equivalent to | |
| 744 | <option>--private-users=pick --private-users-chown</option>, otherwise equivalent to | |
| 745 | <option>--private-users=no</option>.</para> | |
| 746 | ||
| 747 | <para>Note that <option>-U</option> is the default if the | |
| 748 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 749 | ||
| 750 | <para>Note: it is possible to undo the effect of <option>--private-users-chown</option> (or | |
| 751 | <option>-U</option>) on the file system by redoing the operation with the first UID of 0:</para> | |
| 752 | ||
| 753 | <programlisting>systemd-nspawn … --private-users=0 --private-users-chown</programlisting> | |
| 754 | </listitem> | |
| 755 | </varlistentry> | |
| 756 | ||
| d99058c9 LP |
757 | </variablelist> |
| 758 | ||
| 759 | </refsect2><refsect2> | |
| 760 | <title>Networking Options</title> | |
| 761 | ||
| 762 | <variablelist> | |
| 763 | ||
| 798d3a52 ZJS |
764 | <varlistentry> |
| 765 | <term><option>--private-network</option></term> | |
| 766 | ||
| 767 | <listitem><para>Disconnect networking of the container from | |
| 768 | the host. This makes all network interfaces unavailable in the | |
| 769 | container, with the exception of the loopback device and those | |
| 770 | specified with <option>--network-interface=</option> and | |
| 771 | configured with <option>--network-veth</option>. If this | |
| ec562515 | 772 | option is specified, the <constant>CAP_NET_ADMIN</constant> capability will be |
| 798d3a52 | 773 | added to the set of capabilities the container retains. The |
| bc96c63c ZJS |
774 | latter may be disabled by using <option>--drop-capability=</option>. |
| 775 | If this option is not specified (or implied by one of the options | |
| 776 | listed below), the container will have full access to the host network. | |
| 777 | </para></listitem> | |
| 798d3a52 ZJS |
778 | </varlistentry> |
| 779 | ||
| 780 | <varlistentry> | |
| 781 | <term><option>--network-interface=</option></term> | |
| 782 | ||
| 783 | <listitem><para>Assign the specified network interface to the | |
| 784 | container. This will remove the specified interface from the | |
| 785 | calling namespace and place it in the container. When the | |
| 786 | container terminates, it is moved back to the host namespace. | |
| 787 | Note that <option>--network-interface=</option> implies | |
| 788 | <option>--private-network</option>. This option may be used | |
| 789 | more than once to add multiple network interfaces to the | |
| 790 | container.</para></listitem> | |
| 791 | </varlistentry> | |
| 792 | ||
| 793 | <varlistentry> | |
| 794 | <term><option>--network-macvlan=</option></term> | |
| 795 | ||
| 796 | <listitem><para>Create a <literal>macvlan</literal> interface | |
| 797 | of the specified Ethernet network interface and add it to the | |
| 798 | container. A <literal>macvlan</literal> interface is a virtual | |
| 799 | interface that adds a second MAC address to an existing | |
| 800 | physical Ethernet link. The interface in the container will be | |
| 801 | named after the interface on the host, prefixed with | |
| 802 | <literal>mv-</literal>. Note that | |
| 803 | <option>--network-macvlan=</option> implies | |
| 804 | <option>--private-network</option>. This option may be used | |
| 805 | more than once to add multiple network interfaces to the | |
| 806 | container.</para></listitem> | |
| 807 | </varlistentry> | |
| 808 | ||
| 809 | <varlistentry> | |
| 810 | <term><option>--network-ipvlan=</option></term> | |
| 811 | ||
| 812 | <listitem><para>Create an <literal>ipvlan</literal> interface | |
| 813 | of the specified Ethernet network interface and add it to the | |
| 814 | container. An <literal>ipvlan</literal> interface is a virtual | |
| 815 | interface, similar to a <literal>macvlan</literal> interface, | |
| 816 | which uses the same MAC address as the underlying interface. | |
| 817 | The interface in the container will be named after the | |
| 818 | interface on the host, prefixed with <literal>iv-</literal>. | |
| 819 | Note that <option>--network-ipvlan=</option> implies | |
| 820 | <option>--private-network</option>. This option may be used | |
| 821 | more than once to add multiple network interfaces to the | |
| 822 | container.</para></listitem> | |
| 823 | </varlistentry> | |
| 824 | ||
| 825 | <varlistentry> | |
| 826 | <term><option>-n</option></term> | |
| 827 | <term><option>--network-veth</option></term> | |
| 828 | ||
| 5e7423ff LP |
829 | <listitem><para>Create a virtual Ethernet link (<literal>veth</literal>) between host and container. The host |
| 830 | side of the Ethernet link will be available as a network interface named after the container's name (as | |
| 831 | specified with <option>--machine=</option>), prefixed with <literal>ve-</literal>. The container side of the | |
| 832 | Ethernet link will be named <literal>host0</literal>. The <option>--network-veth</option> option implies | |
| 833 | <option>--private-network</option>.</para> | |
| 834 | ||
| 835 | <para>Note that | |
| 836 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 837 | includes by default a network file <filename>/usr/lib/systemd/network/80-container-ve.network</filename> | |
| 838 | matching the host-side interfaces created this way, which contains settings to enable automatic address | |
| 839 | provisioning on the created virtual link via DHCP, as well as automatic IP routing onto the host's external | |
| 840 | network interfaces. It also contains <filename>/usr/lib/systemd/network/80-container-host0.network</filename> | |
| 841 | matching the container-side interface created this way, containing settings to enable client side address | |
| 842 | assignment via DHCP. In case <filename>systemd-networkd</filename> is running on both the host and inside the | |
| 843 | container, automatic IP communication from the container to the host is thus available, with further | |
| 844 | connectivity to the external network.</para> | |
| b09c0bba LP |
845 | |
| 846 | <para>Note that <option>--network-veth</option> is the default if the | |
| 847 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 6cc68362 LP |
848 | |
| 849 | <para>Note that on Linux network interface names may have a length of 15 characters at maximum, while | |
| 850 | container names may have a length up to 64 characters. As this option derives the host-side interface | |
| 851 | name from the container name the name is possibly truncated. Thus, care needs to be taken to ensure | |
| 852 | that interface names remain unique in this case, or even better container names are generally not | |
| bc5ea049 KK |
853 | chosen longer than 12 characters, to avoid the truncation. If the name is truncated, |
| 854 | <command>systemd-nspawn</command> will automatically append a 4-digit hash value to the name to | |
| 855 | reduce the chance of collisions. However, the hash algorithm is not collision-free. (See | |
| 856 | <citerefentry><refentrytitle>systemd.net-naming-scheme</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| 857 | for details on older naming algorithms for this interface). Alternatively, the | |
| 6cc68362 LP |
858 | <option>--network-veth-extra=</option> option may be used, which allows free configuration of the |
| 859 | host-side interface name independently of the container name — but might require a bit more | |
| 860 | additional configuration in case bridging in a fashion similar to <option>--network-bridge=</option> | |
| 861 | is desired.</para> | |
| 5e7423ff | 862 | </listitem> |
| 798d3a52 ZJS |
863 | </varlistentry> |
| 864 | ||
| f6d6bad1 LP |
865 | <varlistentry> |
| 866 | <term><option>--network-veth-extra=</option></term> | |
| 867 | ||
| 868 | <listitem><para>Adds an additional virtual Ethernet link | |
| 869 | between host and container. Takes a colon-separated pair of | |
| 870 | host interface name and container interface name. The latter | |
| 871 | may be omitted in which case the container and host sides will | |
| 872 | be assigned the same name. This switch is independent of | |
| ccddd104 | 873 | <option>--network-veth</option>, and — in contrast — may be |
| f6d6bad1 LP |
874 | used multiple times, and allows configuration of the network |
| 875 | interface names. Note that <option>--network-bridge=</option> | |
| 876 | has no effect on interfaces created with | |
| 877 | <option>--network-veth-extra=</option>.</para></listitem> | |
| 878 | </varlistentry> | |
| 879 | ||
| 798d3a52 ZJS |
880 | <varlistentry> |
| 881 | <term><option>--network-bridge=</option></term> | |
| 882 | ||
| 6cc68362 LP |
883 | <listitem><para>Adds the host side of the Ethernet link created with <option>--network-veth</option> |
| 884 | to the specified Ethernet bridge interface. Expects a valid network interface name of a bridge device | |
| 885 | as argument. Note that <option>--network-bridge=</option> implies <option>--network-veth</option>. If | |
| 886 | this option is used, the host side of the Ethernet link will use the <literal>vb-</literal> prefix | |
| 887 | instead of <literal>ve-</literal>. Regardless of the used naming prefix the same network interface | |
| 888 | name length limits imposed by Linux apply, along with the complications this creates (for details see | |
| 889 | above).</para></listitem> | |
| 798d3a52 ZJS |
890 | </varlistentry> |
| 891 | ||
| 938d2579 LP |
892 | <varlistentry> |
| 893 | <term><option>--network-zone=</option></term> | |
| 894 | ||
| 895 | <listitem><para>Creates a virtual Ethernet link (<literal>veth</literal>) to the container and adds it to an | |
| 896 | automatically managed Ethernet bridge interface. The bridge interface is named after the passed argument, | |
| 897 | prefixed with <literal>vz-</literal>. The bridge interface is automatically created when the first container | |
| 898 | configured for its name is started, and is automatically removed when the last container configured for its | |
| 899 | name exits. Hence, each bridge interface configured this way exists only as long as there's at least one | |
| 900 | container referencing it running. This option is very similar to <option>--network-bridge=</option>, besides | |
| 901 | this automatic creation/removal of the bridge device.</para> | |
| 902 | ||
| 903 | <para>This setting makes it easy to place multiple related containers on a common, virtual Ethernet-based | |
| 904 | broadcast domain, here called a "zone". Each container may only be part of one zone, but each zone may contain | |
| 905 | any number of containers. Each zone is referenced by its name. Names may be chosen freely (as long as they form | |
| 906 | valid network interface names when prefixed with <literal>vz-</literal>), and it is sufficient to pass the same | |
| cf917c27 | 907 | name to the <option>--network-zone=</option> switch of the various concurrently running containers to join |
| 938d2579 LP |
908 | them in one zone.</para> |
| 909 | ||
| 910 | <para>Note that | |
| 911 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 912 | includes by default a network file <filename>/usr/lib/systemd/network/80-container-vz.network</filename> | |
| 913 | matching the bridge interfaces created this way, which contains settings to enable automatic address | |
| 914 | provisioning on the created virtual network via DHCP, as well as automatic IP routing onto the host's external | |
| 915 | network interfaces. Using <option>--network-zone=</option> is hence in most cases fully automatic and | |
| 916 | sufficient to connect multiple local containers in a joined broadcast domain to the host, with further | |
| 917 | connectivity to the external network.</para> | |
| 918 | </listitem> | |
| 919 | </varlistentry> | |
| 920 | ||
| 798d3a52 | 921 | <varlistentry> |
| d99058c9 | 922 | <term><option>--network-namespace-path=</option></term> |
| 798d3a52 | 923 | |
| d99058c9 LP |
924 | <listitem><para>Takes the path to a file representing a kernel |
| 925 | network namespace that the container shall run in. The specified path | |
| 926 | should refer to a (possibly bind-mounted) network namespace file, as | |
| 927 | exposed by the kernel below <filename>/proc/$PID/ns/net</filename>. | |
| 928 | This makes the container enter the given network namespace. One of the | |
| 929 | typical use cases is to give a network namespace under | |
| 930 | <filename>/run/netns</filename> created by <citerefentry | |
| 931 | project='man-pages'><refentrytitle>ip-netns</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 932 | for example, <option>--network-namespace-path=/run/netns/foo</option>. | |
| 933 | Note that this option cannot be used together with other | |
| 934 | network-related options, such as <option>--private-network</option> | |
| 935 | or <option>--network-interface=</option>.</para></listitem> | |
| 936 | </varlistentry> | |
| 937 | ||
| 938 | <varlistentry> | |
| 939 | <term><option>-p</option></term> | |
| 940 | <term><option>--port=</option></term> | |
| 941 | ||
| 942 | <listitem><para>If private networking is enabled, maps an IP | |
| 943 | port on the host onto an IP port on the container. Takes a | |
| 944 | protocol specifier (either <literal>tcp</literal> or | |
| 798d3a52 ZJS |
945 | <literal>udp</literal>), separated by a colon from a host port |
| 946 | number in the range 1 to 65535, separated by a colon from a | |
| 947 | container port number in the range from 1 to 65535. The | |
| 948 | protocol specifier and its separating colon may be omitted, in | |
| 949 | which case <literal>tcp</literal> is assumed. The container | |
| 7c918141 | 950 | port number and its colon may be omitted, in which case the |
| 798d3a52 | 951 | same port as the host port is implied. This option is only |
| a8eaaee7 | 952 | supported if private networking is used, such as with |
| 938d2579 | 953 | <option>--network-veth</option>, <option>--network-zone=</option> |
| 798d3a52 ZJS |
954 | <option>--network-bridge=</option>.</para></listitem> |
| 955 | </varlistentry> | |
| d99058c9 | 956 | </variablelist> |
| 798d3a52 | 957 | |
| d99058c9 LP |
958 | </refsect2><refsect2> |
| 959 | <title>Security Options</title> | |
| 798d3a52 | 960 | |
| d99058c9 | 961 | <variablelist> |
| 798d3a52 ZJS |
962 | <varlistentry> |
| 963 | <term><option>--capability=</option></term> | |
| 964 | ||
| ec562515 ZJS |
965 | <listitem><para>List one or more additional capabilities to grant the container. Takes a |
| 966 | comma-separated list of capability names, see <citerefentry | |
| 967 | project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| a30504ed | 968 | for more information. Note that the following capabilities will be granted in any way: |
| ec562515 ZJS |
969 | <constant>CAP_AUDIT_CONTROL</constant>, <constant>CAP_AUDIT_WRITE</constant>, |
| 970 | <constant>CAP_CHOWN</constant>, <constant>CAP_DAC_OVERRIDE</constant>, | |
| 971 | <constant>CAP_DAC_READ_SEARCH</constant>, <constant>CAP_FOWNER</constant>, | |
| 972 | <constant>CAP_FSETID</constant>, <constant>CAP_IPC_OWNER</constant>, <constant>CAP_KILL</constant>, | |
| 973 | <constant>CAP_LEASE</constant>, <constant>CAP_LINUX_IMMUTABLE</constant>, | |
| 974 | <constant>CAP_MKNOD</constant>, <constant>CAP_NET_BIND_SERVICE</constant>, | |
| 975 | <constant>CAP_NET_BROADCAST</constant>, <constant>CAP_NET_RAW</constant>, | |
| 976 | <constant>CAP_SETFCAP</constant>, <constant>CAP_SETGID</constant>, <constant>CAP_SETPCAP</constant>, | |
| 977 | <constant>CAP_SETUID</constant>, <constant>CAP_SYS_ADMIN</constant>, | |
| 978 | <constant>CAP_SYS_BOOT</constant>, <constant>CAP_SYS_CHROOT</constant>, | |
| 979 | <constant>CAP_SYS_NICE</constant>, <constant>CAP_SYS_PTRACE</constant>, | |
| 980 | <constant>CAP_SYS_RESOURCE</constant>, <constant>CAP_SYS_TTY_CONFIG</constant>. Also | |
| 981 | <constant>CAP_NET_ADMIN</constant> is retained if <option>--private-network</option> is specified. | |
| 982 | If the special value <literal>all</literal> is passed, all capabilities are retained.</para> | |
| 8a99bd0c ZJS |
983 | |
| 984 | <para>If the special value of <literal>help</literal> is passed, the program will print known | |
| 985 | capability names and exit.</para></listitem> | |
| 798d3a52 ZJS |
986 | </varlistentry> |
| 987 | ||
| 988 | <varlistentry> | |
| 989 | <term><option>--drop-capability=</option></term> | |
| 990 | ||
| 991 | <listitem><para>Specify one or more additional capabilities to | |
| 992 | drop for the container. This allows running the container with | |
| 993 | fewer capabilities than the default (see | |
| 8a99bd0c ZJS |
994 | above).</para> |
| 995 | ||
| 996 | <para>If the special value of <literal>help</literal> is passed, the program will print known | |
| 997 | capability names and exit.</para></listitem> | |
| 798d3a52 ZJS |
998 | </varlistentry> |
| 999 | ||
| 66edd963 LP |
1000 | <varlistentry> |
| 1001 | <term><option>--no-new-privileges=</option></term> | |
| 1002 | ||
| 6b000af4 LP |
1003 | <listitem><para>Takes a boolean argument. Specifies the value of the |
| 1004 | <constant>PR_SET_NO_NEW_PRIVS</constant> flag for the container payload. Defaults to off. When turned | |
| 1005 | on the payload code of the container cannot acquire new privileges, i.e. the "setuid" file bit as | |
| 1006 | well as file system capabilities will not have an effect anymore. See <citerefentry | |
| 1007 | project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
| 1008 | details about this flag. </para></listitem> | |
| 66edd963 LP |
1009 | </varlistentry> |
| 1010 | ||
| 960e4569 | 1011 | <varlistentry> |
| 6b000af4 LP |
1012 | <term><option>--system-call-filter=</option></term> <listitem><para>Alter the system call filter |
| 1013 | applied to containers. Takes a space-separated list of system call names or group names (the latter | |
| 1014 | prefixed with <literal>@</literal>, as listed by the <command>syscall-filter</command> command of | |
| c7fc3c4c | 1015 | <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Passed |
| 6b000af4 LP |
1016 | system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which |
| 1017 | case all listed system calls are prohibited. If this command line option is used multiple times the | |
| 1018 | configured lists are combined. If both a positive and a negative list (that is one system call list | |
| 1019 | without and one with the <literal>~</literal> prefix) are configured, the negative list takes | |
| 1020 | precedence over the positive list. Note that <command>systemd-nspawn</command> always implements a | |
| 1021 | system call allow list (as opposed to a deny list!), and this command line option hence adds or | |
| 1022 | removes entries from the default allow list, depending on the <literal>~</literal> prefix. Note that | |
| 1023 | the applied system call filter is also altered implicitly if additional capabilities are passed using | |
| 1024 | the <command>--capabilities=</command>.</para></listitem> | |
| 960e4569 LP |
1025 | </varlistentry> |
| 1026 | ||
| d99058c9 LP |
1027 | <varlistentry> |
| 1028 | <term><option>-Z</option></term> | |
| 1029 | <term><option>--selinux-context=</option></term> | |
| 1030 | ||
| 1031 | <listitem><para>Sets the SELinux security context to be used | |
| 1032 | to label processes in the container.</para> | |
| 1033 | </listitem> | |
| 1034 | </varlistentry> | |
| 1035 | ||
| 1036 | <varlistentry> | |
| 1037 | <term><option>-L</option></term> | |
| 1038 | <term><option>--selinux-apifs-context=</option></term> | |
| 1039 | ||
| 1040 | <listitem><para>Sets the SELinux security context to be used | |
| 1041 | to label files in the virtual API file systems in the | |
| 1042 | container.</para> | |
| 1043 | </listitem> | |
| 1044 | </varlistentry> | |
| 1045 | </variablelist> | |
| 1046 | ||
| 1047 | </refsect2><refsect2> | |
| 1048 | <title>Resource Options</title> | |
| 1049 | ||
| 1050 | <variablelist> | |
| 1051 | ||
| bf428efb LP |
1052 | <varlistentry> |
| 1053 | <term><option>--rlimit=</option></term> | |
| 1054 | ||
| 1055 | <listitem><para>Sets the specified POSIX resource limit for the container payload. Expects an assignment of the | |
| 1056 | form | |
| 1057 | <literal><replaceable>LIMIT</replaceable>=<replaceable>SOFT</replaceable>:<replaceable>HARD</replaceable></literal> | |
| 1058 | or <literal><replaceable>LIMIT</replaceable>=<replaceable>VALUE</replaceable></literal>, where | |
| 1059 | <replaceable>LIMIT</replaceable> should refer to a resource limit type, such as | |
| 1060 | <constant>RLIMIT_NOFILE</constant> or <constant>RLIMIT_NICE</constant>. The <replaceable>SOFT</replaceable> and | |
| 1061 | <replaceable>HARD</replaceable> fields should refer to the numeric soft and hard resource limit values. If the | |
| 1b2ad5d9 | 1062 | second form is used, <replaceable>VALUE</replaceable> may specify a value that is used both as soft and hard |
| bf428efb LP |
1063 | limit. In place of a numeric value the special string <literal>infinity</literal> may be used to turn off |
| 1064 | resource limiting for the specific type of resource. This command line option may be used multiple times to | |
| 1b2ad5d9 | 1065 | control limits on multiple limit types. If used multiple times for the same limit type, the last use |
| bf428efb LP |
1066 | wins. For details about resource limits see <citerefentry |
| 1067 | project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>. By default | |
| 1068 | resource limits for the container's init process (PID 1) are set to the same values the Linux kernel originally | |
| 1069 | passed to the host init system. Note that some resource limits are enforced on resources counted per user, in | |
| 1070 | particular <constant>RLIMIT_NPROC</constant>. This means that unless user namespacing is deployed | |
| 1071 | (i.e. <option>--private-users=</option> is used, see above), any limits set will be applied to the resource | |
| 1072 | usage of the same user on all local containers as well as the host. This means particular care needs to be | |
| 1073 | taken with these limits as they might be triggered by possibly less trusted code. Example: | |
| 1074 | <literal>--rlimit=RLIMIT_NOFILE=8192:16384</literal>.</para></listitem> | |
| 1075 | </varlistentry> | |
| 1076 | ||
| 81f345df LP |
1077 | <varlistentry> |
| 1078 | <term><option>--oom-score-adjust=</option></term> | |
| 1079 | ||
| 1080 | <listitem><para>Changes the OOM ("Out Of Memory") score adjustment value for the container payload. This controls | |
| 1081 | <filename>/proc/self/oom_score_adj</filename> which influences the preference with which this container is | |
| 1082 | terminated when memory becomes scarce. For details see <citerefentry | |
| 1083 | project='man-pages'><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>. Takes an | |
| 1084 | integer in the range -1000…1000.</para></listitem> | |
| 1085 | </varlistentry> | |
| 1086 | ||
| d107bb7d LP |
1087 | <varlistentry> |
| 1088 | <term><option>--cpu-affinity=</option></term> | |
| 1089 | ||
| 1090 | <listitem><para>Controls the CPU affinity of the container payload. Takes a comma separated list of CPU numbers | |
| 1091 | or number ranges (the latter's start and end value separated by dashes). See <citerefentry | |
| 1092 | project='man-pages'><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
| 1093 | details.</para></listitem> | |
| 1094 | </varlistentry> | |
| 1095 | ||
| c6c8f6e2 | 1096 | <varlistentry> |
| d99058c9 | 1097 | <term><option>--personality=</option></term> |
| b09c0bba | 1098 | |
| d99058c9 LP |
1099 | <listitem><para>Control the architecture ("personality") |
| 1100 | reported by | |
| 1101 | <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
| 1102 | in the container. Currently, only <literal>x86</literal> and | |
| 1103 | <literal>x86-64</literal> are supported. This is useful when | |
| 1104 | running a 32-bit container on a 64-bit host. If this setting | |
| 1105 | is not used, the personality reported in the container is the | |
| 1106 | same as the one reported on the host.</para></listitem> | |
| 798d3a52 | 1107 | </varlistentry> |
| d99058c9 | 1108 | </variablelist> |
| 798d3a52 | 1109 | |
| d99058c9 LP |
1110 | </refsect2><refsect2> |
| 1111 | <title>Integration Options</title> | |
| 798d3a52 | 1112 | |
| d99058c9 | 1113 | <variablelist> |
| 09d423e9 LP |
1114 | <varlistentry> |
| 1115 | <term><option>--resolv-conf=</option></term> | |
| 1116 | ||
| e309b929 LP |
1117 | <listitem><para>Configures how <filename>/etc/resolv.conf</filename> inside of the container shall be |
| 1118 | handled (i.e. DNS configuration synchronization from host to container). Takes one of | |
| 1119 | <literal>off</literal>, <literal>copy-host</literal>, <literal>copy-static</literal>, | |
| 1120 | <literal>copy-uplink</literal>, <literal>copy-stub</literal>, <literal>replace-host</literal>, | |
| 1121 | <literal>replace-static</literal>, <literal>replace-uplink</literal>, | |
| 1122 | <literal>replace-stub</literal>, <literal>bind-host</literal>, <literal>bind-static</literal>, | |
| 1123 | <literal>bind-uplink</literal>, <literal>bind-stub</literal>, <literal>delete</literal> or | |
| 1124 | <literal>auto</literal>.</para> | |
| 1125 | ||
| 1126 | <para>If set to <literal>off</literal> the <filename>/etc/resolv.conf</filename> file in the | |
| 1127 | container is left as it is included in the image, and neither modified nor bind mounted over.</para> | |
| 1128 | ||
| 1129 | <para>If set to <literal>copy-host</literal>, the <filename>/etc/resolv.conf</filename> file from the | |
| 1130 | host is copied into the container, unless the file exists already and is not a regular file (e.g. a | |
| 1131 | symlink). Similar, if <literal>replace-host</literal> is used the file is copied, replacing any | |
| 1132 | existing inode, including symlinks. Similar, if <literal>bind-host</literal> is used, the file is | |
| 1133 | bind mounted from the host into the container.</para> | |
| 1134 | ||
| 1135 | <para>If set to <literal>copy-static</literal>, <literal>replace-static</literal> or | |
| 1136 | <literal>bind-static</literal> the static <filename>resolv.conf</filename> file supplied with | |
| 1137 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 1138 | (specifically: <filename>/usr/lib/systemd/resolv.conf</filename>) is copied or bind mounted into the | |
| 1139 | container.</para> | |
| 1140 | ||
| 1141 | <para>If set to <literal>copy-uplink</literal>, <literal>replace-uplink</literal> or | |
| 1142 | <literal>bind-uplink</literal> the uplink <filename>resolv.conf</filename> file managed by | |
| 1143 | <filename>systemd-resolved.service</filename> (specifically: | |
| 1144 | <filename>/run/systemd/resolve/resolv.conf</filename>) is copied or bind mounted into the | |
| 1145 | container.</para> | |
| 1146 | ||
| 1147 | <para>If set to <literal>copy-stub</literal>, <literal>replace-stub</literal> or | |
| 1148 | <literal>bind-stub</literal> the stub <filename>resolv.conf</filename> file managed by | |
| 1149 | <filename>systemd-resolved.service</filename> (specifically: | |
| 1150 | <filename>/run/systemd/resolve/stub-resolv.conf</filename>) is copied or bind mounted into the | |
| 1151 | container.</para> | |
| 1152 | ||
| 1153 | <para>If set to <literal>delete</literal> the <filename>/etc/resolv.conf</filename> file in the | |
| 1154 | container is deleted if it exists.</para> | |
| 1155 | ||
| 1156 | <para>Finally, if set to <literal>auto</literal> the file is left as it is if private networking is | |
| 1157 | turned on (see <option>--private-network</option>). Otherwise, if | |
| 1158 | <filename>systemd-resolved.service</filename> is connectible its stub | |
| 1159 | <filename>resolv.conf</filename> file is used, and if not the host's | |
| 1160 | <filename>/etc/resolv.conf</filename> file is used. In the latter cases the file is copied if the | |
| 1161 | image is writable, and bind mounted otherwise.</para> | |
| 1162 | ||
| 1163 | <para>It's recommended to use <literal>copy-…</literal> or <literal>replace-…</literal> if the | |
| 1164 | container shall be able to make changes to the DNS configuration on its own, deviating from the | |
| 1165 | host's settings. Otherwise <literal>bind</literal> is preferable, as it means direct changes to | |
| 1166 | <filename>/etc/resolv.conf</filename> in the container are not allowed, as it is a read-only bind | |
| 1167 | mount (but note that if the container has enough privileges, it might simply go ahead and unmount the | |
| 1168 | bind mount anyway). Note that both if the file is bind mounted and if it is copied no further | |
| 1169 | propagation of configuration is generally done after the one-time early initialization (this is | |
| 1170 | because the file is usually updated through copying and renaming). Defaults to | |
| 09d423e9 LP |
1171 | <literal>auto</literal>.</para></listitem> |
| 1172 | </varlistentry> | |
| 1173 | ||
| 1688841f LP |
1174 | <varlistentry> |
| 1175 | <term><option>--timezone=</option></term> | |
| 1176 | ||
| 1177 | <listitem><para>Configures how <filename>/etc/localtime</filename> inside of the container (i.e. local timezone | |
| 1178 | synchronization from host to container) shall be handled. Takes one of <literal>off</literal>, | |
| 1179 | <literal>copy</literal>, <literal>bind</literal>, <literal>symlink</literal>, <literal>delete</literal> or | |
| 1180 | <literal>auto</literal>. If set to <literal>off</literal> the <filename>/etc/localtime</filename> file in the | |
| 1181 | container is left as it is included in the image, and neither modified nor bind mounted over. If set to | |
| 1182 | <literal>copy</literal> the <filename>/etc/localtime</filename> file of the host is copied into the | |
| 1183 | container. Similar, if <literal>bind</literal> is used, it is bind mounted from the host into the container. If | |
| 1184 | set to <literal>symlink</literal> a symlink from <filename>/etc/localtime</filename> in the container is | |
| 1185 | created pointing to the matching the timezone file of the container that matches the timezone setting on the | |
| 1186 | host. If set to <literal>delete</literal> the file in the container is deleted, should it exist. If set to | |
| 1187 | <literal>auto</literal> and the <filename>/etc/localtime</filename> file of the host is a symlink, then | |
| 1188 | <literal>symlink</literal> mode is used, and <literal>copy</literal> otherwise, except if the image is | |
| 1189 | read-only in which case <literal>bind</literal> is used instead. Defaults to | |
| 1190 | <literal>auto</literal>.</para></listitem> | |
| 1191 | </varlistentry> | |
| 1192 | ||
| 798d3a52 | 1193 | <varlistentry> |
| d99058c9 | 1194 | <term><option>--link-journal=</option></term> |
| 798d3a52 | 1195 | |
| d99058c9 LP |
1196 | <listitem><para>Control whether the container's journal shall |
| 1197 | be made visible to the host system. If enabled, allows viewing | |
| 1198 | the container's journal files from the host (but not vice | |
| 1199 | versa). Takes one of <literal>no</literal>, | |
| 1200 | <literal>host</literal>, <literal>try-host</literal>, | |
| 1201 | <literal>guest</literal>, <literal>try-guest</literal>, | |
| 1202 | <literal>auto</literal>. If <literal>no</literal>, the journal | |
| 1203 | is not linked. If <literal>host</literal>, the journal files | |
| 1204 | are stored on the host file system (beneath | |
| 1205 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 1206 | and the subdirectory is bind-mounted into the container at the | |
| 1207 | same location. If <literal>guest</literal>, the journal files | |
| 1208 | are stored on the guest file system (beneath | |
| 1209 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 1210 | and the subdirectory is symlinked into the host at the same | |
| 1211 | location. <literal>try-host</literal> and | |
| 1212 | <literal>try-guest</literal> do the same but do not fail if | |
| 1213 | the host does not have persistent journaling enabled. If | |
| 1214 | <literal>auto</literal> (the default), and the right | |
| 1215 | subdirectory of <filename>/var/log/journal</filename> exists, | |
| 1216 | it will be bind mounted into the container. If the | |
| 1217 | subdirectory does not exist, no linking is performed. | |
| 1218 | Effectively, booting a container once with | |
| 1219 | <literal>guest</literal> or <literal>host</literal> will link | |
| 1220 | the journal persistently if further on the default of | |
| 1221 | <literal>auto</literal> is used.</para> | |
| 1222 | ||
| 1223 | <para>Note that <option>--link-journal=try-guest</option> is the default if the | |
| 1224 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem> | |
| 798d3a52 ZJS |
1225 | </varlistentry> |
| 1226 | ||
| d99058c9 LP |
1227 | <varlistentry> |
| 1228 | <term><option>-j</option></term> | |
| 1229 | ||
| 1230 | <listitem><para>Equivalent to | |
| 1231 | <option>--link-journal=try-guest</option>.</para></listitem> | |
| 1232 | </varlistentry> | |
| 1233 | ||
| 1234 | </variablelist> | |
| 1235 | ||
| 1236 | </refsect2><refsect2> | |
| 1237 | <title>Mount Options</title> | |
| 1238 | ||
| 1239 | <variablelist> | |
| 1240 | ||
| 798d3a52 ZJS |
1241 | <varlistentry> |
| 1242 | <term><option>--bind=</option></term> | |
| 1243 | <term><option>--bind-ro=</option></term> | |
| 1244 | ||
| 86c0dd4a | 1245 | <listitem><para>Bind mount a file or directory from the host into the container. Takes one of: a path |
| c7a4890c LP |
1246 | argument — in which case the specified path will be mounted from the host to the same path in the container, or |
| 1247 | a colon-separated pair of paths — in which case the first specified path is the source in the host, and the | |
| 1248 | second path is the destination in the container, or a colon-separated triple of source path, destination path | |
| 86c0dd4a | 1249 | and mount options. The source path may optionally be prefixed with a <literal>+</literal> character. If so, the |
| c7a4890c LP |
1250 | source path is taken relative to the image's root directory. This permits setting up bind mounts within the |
| 1251 | container image. The source path may be specified as empty string, in which case a temporary directory below | |
| 1252 | the host's <filename>/var/tmp</filename> directory is used. It is automatically removed when the container is | |
| 1253 | shut down. Mount options are comma-separated and currently, only <option>rbind</option> and | |
| 1254 | <option>norbind</option> are allowed, controlling whether to create a recursive or a regular bind | |
| 1255 | mount. Defaults to "rbind". Backslash escapes are interpreted, so <literal>\:</literal> may be used to embed | |
| 1256 | colons in either path. This option may be specified multiple times for creating multiple independent bind | |
| 994a6364 LP |
1257 | mount points. The <option>--bind-ro=</option> option creates read-only bind mounts.</para> |
| 1258 | ||
| 1259 | <para>Note that when this option is used in combination with <option>--private-users</option>, the resulting | |
| 1260 | mount points will be owned by the <constant>nobody</constant> user. That's because the mount and its files and | |
| 1261 | directories continue to be owned by the relevant host users and groups, which do not exist in the container, | |
| 1262 | and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to | |
| 1263 | make them read-only, using <option>--bind-ro=</option>.</para></listitem> | |
| 798d3a52 ZJS |
1264 | </varlistentry> |
| 1265 | ||
| 3d6c3675 LP |
1266 | <varlistentry> |
| 1267 | <term><option>--inaccessible=</option></term> | |
| 1268 | ||
| 1269 | <listitem><para>Make the specified path inaccessible in the container. This over-mounts the specified path | |
| 1270 | (which must exist in the container) with a file node of the same type that is empty and has the most | |
| 1271 | restrictive access mode supported. This is an effective way to mask files, directories and other file system | |
| 1272 | objects from the container payload. This option may be used more than once in case all specified paths are | |
| 1273 | masked.</para></listitem> | |
| 1274 | </varlistentry> | |
| 1275 | ||
| 798d3a52 ZJS |
1276 | <varlistentry> |
| 1277 | <term><option>--tmpfs=</option></term> | |
| 1278 | ||
| b23f1628 LP |
1279 | <listitem><para>Mount a tmpfs file system into the container. Takes a single absolute path argument that |
| 1280 | specifies where to mount the tmpfs instance to (in which case the directory access mode will be chosen as 0755, | |
| 1281 | owned by root/root), or optionally a colon-separated pair of path and mount option string that is used for | |
| 1282 | mounting (in which case the kernel default for access mode and owner will be chosen, unless otherwise | |
| 1283 | specified). Backslash escapes are interpreted in the path, so <literal>\:</literal> may be used to embed colons | |
| 1284 | in the path.</para> | |
| 1285 | ||
| 1286 | <para>Note that this option cannot be used to replace the root file system of the container with a temporary | |
| 1287 | file system. However, the <option>--volatile=</option> option described below provides similar | |
| 1288 | functionality, with a focus on implementing stateless operating system images.</para></listitem> | |
| 798d3a52 ZJS |
1289 | </varlistentry> |
| 1290 | ||
| 5a8af538 LP |
1291 | <varlistentry> |
| 1292 | <term><option>--overlay=</option></term> | |
| 1293 | <term><option>--overlay-ro=</option></term> | |
| 1294 | ||
| 1295 | <listitem><para>Combine multiple directory trees into one | |
| 1296 | overlay file system and mount it into the container. Takes a | |
| 1297 | list of colon-separated paths to the directory trees to | |
| 1298 | combine and the destination mount point.</para> | |
| 1299 | ||
| 2eadf91c RM |
1300 | <para>Backslash escapes are interpreted in the paths, so |
| 1301 | <literal>\:</literal> may be used to embed colons in the paths. | |
| 1302 | </para> | |
| 1303 | ||
| 5a8af538 LP |
1304 | <para>If three or more paths are specified, then the last |
| 1305 | specified path is the destination mount point in the | |
| 1306 | container, all paths specified before refer to directory trees | |
| 1307 | on the host and are combined in the specified order into one | |
| 1308 | overlay file system. The left-most path is hence the lowest | |
| 1309 | directory tree, the second-to-last path the highest directory | |
| 1310 | tree in the stacking order. If <option>--overlay-ro=</option> | |
| b938cb90 | 1311 | is used instead of <option>--overlay=</option>, a read-only |
| 5a8af538 | 1312 | overlay file system is created. If a writable overlay file |
| b938cb90 | 1313 | system is created, all changes made to it are written to the |
| 5a8af538 LP |
1314 | highest directory tree in the stacking order, i.e. the |
| 1315 | second-to-last specified.</para> | |
| 1316 | ||
| 1317 | <para>If only two paths are specified, then the second | |
| 1318 | specified path is used both as the top-level directory tree in | |
| 1319 | the stacking order as seen from the host, as well as the mount | |
| 1320 | point for the overlay file system in the container. At least | |
| 1321 | two paths have to be specified.</para> | |
| 1322 | ||
| 86c0dd4a | 1323 | <para>The source paths may optionally be prefixed with <literal>+</literal> character. If so they are taken |
| c7a4890c LP |
1324 | relative to the image's root directory. The uppermost source path may also be specified as empty string, in |
| 1325 | which case a temporary directory below the host's <filename>/var/tmp</filename> is used. The directory is | |
| 1326 | removed automatically when the container is shut down. This behaviour is useful in order to make read-only | |
| 1327 | container directories writable while the container is running. For example, use the | |
| 1328 | <literal>--overlay=+/var::/var</literal> option in order to automatically overlay a writable temporary | |
| 1329 | directory on a read-only <filename>/var</filename> directory.</para> | |
| 86c0dd4a | 1330 | |
| 5a8af538 LP |
1331 | <para>For details about overlay file systems, see <ulink |
| 1332 | url="https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt">overlayfs.txt</ulink>. Note | |
| 1333 | that the semantics of overlay file systems are substantially | |
| 1334 | different from normal file systems, in particular regarding | |
| 1335 | reported device and inode information. Device and inode | |
| 1336 | information may change for a file while it is being written | |
| 1337 | to, and processes might see out-of-date versions of files at | |
| 1338 | times. Note that this switch automatically derives the | |
| 1339 | <literal>workdir=</literal> mount option for the overlay file | |
| 1340 | system from the top-level directory tree, making it a sibling | |
| 1341 | of it. It is hence essential that the top-level directory tree | |
| 1342 | is not a mount point itself (since the working directory must | |
| 1343 | be on the same file system as the top-most directory | |
| 1344 | tree). Also note that the <literal>lowerdir=</literal> mount | |
| 1345 | option receives the paths to stack in the opposite order of | |
| b23f1628 LP |
1346 | this switch.</para> |
| 1347 | ||
| 1348 | <para>Note that this option cannot be used to replace the root file system of the container with an overlay | |
| d99058c9 | 1349 | file system. However, the <option>--volatile=</option> option described above provides similar functionality, |
| b23f1628 | 1350 | with a focus on implementing stateless operating system images.</para></listitem> |
| 5a8af538 | 1351 | </varlistentry> |
| d99058c9 | 1352 | </variablelist> |
| 5a8af538 | 1353 | |
| d99058c9 LP |
1354 | </refsect2><refsect2> |
| 1355 | <title>Input/Output Options</title> | |
| 798d3a52 | 1356 | |
| d99058c9 | 1357 | <variablelist> |
| 3d6c3675 LP |
1358 | <varlistentry> |
| 1359 | <term><option>--console=</option><replaceable>MODE</replaceable></term> | |
| 1360 | ||
| 7a25ba55 ZJS |
1361 | <listitem><para>Configures how to set up standard input, output and error output for the container |
| 1362 | payload, as well as the <filename>/dev/console</filename> device for the container. Takes one of | |
| 1363 | <option>interactive</option>, <option>read-only</option>, <option>passive</option>, or | |
| 1364 | <option>pipe</option>. If <option>interactive</option>, a pseudo-TTY is allocated and made available | |
| 1365 | as <filename>/dev/console</filename> in the container. It is then bi-directionally connected to the | |
| 1366 | standard input and output passed to <command>systemd-nspawn</command>. <option>read-only</option> is | |
| 1367 | similar but only the output of the container is propagated and no input from the caller is read. If | |
| 1368 | <option>passive</option>, a pseudo TTY is allocated, but it is not connected anywhere. Finally, in | |
| 1369 | <option>pipe</option> mode no pseudo TTY is allocated, but the standard input, output and error | |
| 1370 | output file descriptors passed to <command>systemd-nspawn</command> are passed on — as they are — to | |
| 1371 | the container payload, see the following paragraph. Defaults to <option>interactive</option> if | |
| 3d6c3675 | 1372 | <command>systemd-nspawn</command> is invoked from a terminal, and <option>read-only</option> |
| 7a25ba55 ZJS |
1373 | otherwise.</para> |
| 1374 | ||
| 1375 | <para>In <option>pipe</option> mode, <filename>/dev/console</filename> will not exist in the | |
| 1376 | container. This means that the container payload generally cannot be a full init system as init | |
| 1377 | systems tend to require <filename>/dev/console</filename> to be available. On the other hand, in this | |
| 1378 | mode container invocations can be used within shell pipelines. This is because intermediary pseudo | |
| 1379 | TTYs do not permit independent bidirectional propagation of the end-of-file (EOF) condition, which is | |
| 1380 | necessary for shell pipelines to work correctly. <emphasis>Note that the <option>pipe</option> mode | |
| 1381 | should be used carefully</emphasis>, as passing arbitrary file descriptors to less trusted container | |
| 1382 | payloads might open up unwanted interfaces for access by the container payload. For example, if a | |
| 1383 | passed file descriptor refers to a TTY of some form, APIs such as <constant>TIOCSTI</constant> may be | |
| 1384 | used to synthesize input that might be used for escaping the container. Hence <option>pipe</option> | |
| 1385 | mode should only be used if the payload is sufficiently trusted or when the standard | |
| 1386 | input/output/error output file descriptors are known safe, for example pipes.</para></listitem> | |
| 3d6c3675 LP |
1387 | </varlistentry> |
| 1388 | ||
| 1389 | <varlistentry> | |
| 1390 | <term><option>--pipe</option></term> | |
| 1391 | <term><option>-P</option></term> | |
| 1392 | ||
| 1393 | <listitem><para>Equivalent to <option>--console=pipe</option>.</para></listitem> | |
| 1394 | </varlistentry> | |
| 1395 | ||
| bb068de0 | 1396 | <xi:include href="standard-options.xml" xpointer="no-pager" /> |
| 798d3a52 ZJS |
1397 | <xi:include href="standard-options.xml" xpointer="help" /> |
| 1398 | <xi:include href="standard-options.xml" xpointer="version" /> | |
| 1399 | </variablelist> | |
| d99058c9 | 1400 | </refsect2> |
| 798d3a52 ZJS |
1401 | </refsect1> |
| 1402 | ||
| bb068de0 ZJS |
1403 | <xi:include href="less-variables.xml" /> |
| 1404 | ||
| 798d3a52 ZJS |
1405 | <refsect1> |
| 1406 | <title>Examples</title> | |
| 1407 | ||
| 1408 | <example> | |
| 12c4ee0a ZJS |
1409 | <title>Download a |
| 1410 | <ulink url="https://getfedora.org">Fedora</ulink> image and start a shell in it</title> | |
| 798d3a52 | 1411 | |
| 3797fd0a | 1412 | <programlisting># machinectl pull-raw --verify=no \ |
| b12a67ae AZ |
1413 | https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz \ |
| 1414 | Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64 | |
| 1415 | # systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64</programlisting> | |
| e0ea94c1 | 1416 | |
| 798d3a52 ZJS |
1417 | <para>This downloads an image using |
| 1418 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 1419 | and opens a shell in it.</para> | |
| 1420 | </example> | |
| e0ea94c1 | 1421 | |
| 798d3a52 ZJS |
1422 | <example> |
| 1423 | <title>Build and boot a minimal Fedora distribution in a container</title> | |
| 8f7a3c14 | 1424 | |
| 7a8aa0ec | 1425 | <programlisting># dnf -y --releasever=&fedora_latest_version; --installroot=/var/lib/machines/f&fedora_latest_version; \ |
| 3797fd0a | 1426 | --disablerepo='*' --enablerepo=fedora --enablerepo=updates install \ |
| a345d5c1 | 1427 | systemd passwd dnf fedora-release vim-minimal glibc-minimal-langpack |
| 7a8aa0ec | 1428 | # systemd-nspawn -bD /var/lib/machines/f&fedora_latest_version;</programlisting> |
| 8f7a3c14 | 1429 | |
| 798d3a52 | 1430 | <para>This installs a minimal Fedora distribution into the |
| b0343f8c | 1431 | directory <filename index="false">/var/lib/machines/f&fedora_latest_version;</filename> |
| 55107232 ZJS |
1432 | and then boots an OS in a namespace container in it. Because the installation |
| 1433 | is located underneath the standard <filename>/var/lib/machines/</filename> | |
| 1434 | directory, it is also possible to start the machine using | |
| 7a8aa0ec | 1435 | <command>systemd-nspawn -M f&fedora_latest_version;</command>.</para> |
| 798d3a52 | 1436 | </example> |
| 8f7a3c14 | 1437 | |
| 798d3a52 ZJS |
1438 | <example> |
| 1439 | <title>Spawn a shell in a container of a minimal Debian unstable distribution</title> | |
| 8f7a3c14 | 1440 | |
| 7f8b3d1d | 1441 | <programlisting># debootstrap unstable ~/debian-tree/ |
| 25f5971b | 1442 | # systemd-nspawn -D ~/debian-tree/</programlisting> |
| 8f7a3c14 | 1443 | |
| 798d3a52 ZJS |
1444 | <para>This installs a minimal Debian unstable distribution into |
| 1445 | the directory <filename>~/debian-tree/</filename> and then | |
| 1446 | spawns a shell in a namespace container in it.</para> | |
| 12c4ee0a ZJS |
1447 | |
| 1448 | <para><command>debootstrap</command> supports | |
| 1449 | <ulink url="https://www.debian.org">Debian</ulink>, | |
| 1450 | <ulink url="https://www.ubuntu.com">Ubuntu</ulink>, | |
| 1451 | and <ulink url="https://www.tanglu.org">Tanglu</ulink> | |
| 1452 | out of the box, so the same command can be used to install any of those. For other | |
| 1453 | distributions from the Debian family, a mirror has to be specified, see | |
| 1454 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
| 1455 | </para> | |
| 798d3a52 | 1456 | </example> |
| 8f7a3c14 | 1457 | |
| 798d3a52 | 1458 | <example> |
| 12c4ee0a ZJS |
1459 | <title>Boot a minimal |
| 1460 | <ulink url="https://www.archlinux.org">Arch Linux</ulink> distribution in a container</title> | |
| 68562936 | 1461 | |
| 9a027075 | 1462 | <programlisting># pacstrap -c ~/arch-tree/ base |
| 68562936 WG |
1463 | # systemd-nspawn -bD ~/arch-tree/</programlisting> |
| 1464 | ||
| ff9b60f3 | 1465 | <para>This installs a minimal Arch Linux distribution into the |
| 798d3a52 ZJS |
1466 | directory <filename>~/arch-tree/</filename> and then boots an OS |
| 1467 | in a namespace container in it.</para> | |
| 1468 | </example> | |
| 68562936 | 1469 | |
| f518ee04 | 1470 | <example> |
| 12c4ee0a ZJS |
1471 | <title>Install the |
| 1472 | <ulink url="https://software.opensuse.org/distributions/tumbleweed">OpenSUSE Tumbleweed</ulink> | |
| 1473 | rolling distribution</title> | |
| f518ee04 ZJS |
1474 | |
| 1475 | <programlisting># zypper --root=/var/lib/machines/tumbleweed ar -c \ | |
| 1476 | https://download.opensuse.org/tumbleweed/repo/oss tumbleweed | |
| 1477 | # zypper --root=/var/lib/machines/tumbleweed refresh | |
| 1478 | # zypper --root=/var/lib/machines/tumbleweed install --no-recommends \ | |
| 1479 | systemd shadow zypper openSUSE-release vim | |
| 1480 | # systemd-nspawn -M tumbleweed passwd root | |
| 1481 | # systemd-nspawn -M tumbleweed -b</programlisting> | |
| 1482 | </example> | |
| 1483 | ||
| 798d3a52 | 1484 | <example> |
| 17cbb288 | 1485 | <title>Boot into an ephemeral snapshot of the host system</title> |
| f9f4dd51 | 1486 | |
| 798d3a52 | 1487 | <programlisting># systemd-nspawn -D / -xb</programlisting> |
| f9f4dd51 | 1488 | |
| 17cbb288 LP |
1489 | <para>This runs a copy of the host system in a snapshot which is removed immediately when the container |
| 1490 | exits. All file system changes made during runtime will be lost on shutdown, hence.</para> | |
| 798d3a52 | 1491 | </example> |
| f9f4dd51 | 1492 | |
| 798d3a52 ZJS |
1493 | <example> |
| 1494 | <title>Run a container with SELinux sandbox security contexts</title> | |
| a8828ed9 | 1495 | |
| 798d3a52 | 1496 | <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container |
| 3797fd0a ZJS |
1497 | # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 \ |
| 1498 | -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting> | |
| 798d3a52 | 1499 | </example> |
| b53ede69 PW |
1500 | |
| 1501 | <example> | |
| 1502 | <title>Run a container with an OSTree deployment</title> | |
| 1503 | ||
| 3797fd0a ZJS |
1504 | <programlisting># systemd-nspawn -b -i ~/image.raw \ |
| 1505 | --pivot-root=/ostree/deploy/$OS/deploy/$CHECKSUM:/sysroot \ | |
| 1506 | --bind=+/sysroot/ostree/deploy/$OS/var:/var</programlisting> | |
| b53ede69 | 1507 | </example> |
| 798d3a52 ZJS |
1508 | </refsect1> |
| 1509 | ||
| 1510 | <refsect1> | |
| 1511 | <title>Exit status</title> | |
| 1512 | ||
| 1513 | <para>The exit code of the program executed in the container is | |
| 1514 | returned.</para> | |
| 1515 | </refsect1> | |
| 1516 | ||
| 1517 | <refsect1> | |
| 1518 | <title>See Also</title> | |
| 1519 | <para> | |
| 1520 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| f757855e | 1521 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| 798d3a52 ZJS |
1522 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| 1523 | <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 798d3a52 ZJS |
1524 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| 1525 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| f518ee04 | 1526 | <citerefentry project='mankier'><refentrytitle>zypper</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| 798d3a52 ZJS |
1527 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| 1528 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 3ba3a79d | 1529 | <citerefentry project='man-pages'><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| 798d3a52 ZJS |
1530 | </para> |
| 1531 | </refsect1> | |
| 8f7a3c14 LP |
1532 | |
| 1533 | </refentry> |