[thirdparty/systemd.git] / man / systemd.nspawn.xml

<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>

<!--
  This file is part of systemd.

  Copyright 2015 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="systemd.nspawn">

  <refentryinfo>
    <title>systemd.nspawn</title>
    <productname>systemd</productname>

    <authorgroup>
      <author>
        <contrib>Developer</contrib>
        <firstname>Lennart</firstname>
        <surname>Poettering</surname>
        <email>lennart@poettering.net</email>
      </author>
    </authorgroup>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.nspawn</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.nspawn</refname>
    <refpurpose>Container settings</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
    <para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
    <para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>An nspawn container settings file (suffix
    <filename>.nspawn</filename>) encodes additional runtime
    information about a local container, and is searched, read and
    used by
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    when starting a container. Files of this type are named after the
    containers they define settings for. They are optional, and only
    required for containers whose execution environment shall differ
    from the defaults. Files of this type mostly contain settings that
    may also be set on the <command>systemd-nspawn</command> command
    line, and make it easier to persistently attach specific settings
    to specific containers. The syntax of these files is inspired by
    <filename>.desktop</filename> files following the <ulink
    url="http://standards.freedesktop.org/desktop-entry-spec/latest/">XDG
    Desktop Entry Specification</ulink>, which in turn are inspired by
    Microsoft Windows <filename>.ini</filename> files.</para>

    <para>Boolean arguments used in these settings files can be
    written in various formats. For positive settings, the strings
    <option>1</option>, <option>yes</option>, <option>true</option>
    and <option>on</option> are equivalent. For negative settings, the
    strings <option>0</option>, <option>no</option>,
    <option>false</option> and <option>off</option> are
    equivalent.</para>

    <para>Empty lines and lines starting with # or ; are
    ignored. This may be used for commenting. Lines ending
    in a backslash are concatenated with the following
    line while reading and the backslash is replaced by a
    space character. This may be used to wrap long lines.</para>

  </refsect1>

  <refsect1>
    <title><filename>.nspawn</filename> File Discovery</title>

    <para>Files are searched by appending the
    <filename>.nspawn</filename> suffix to the machine name of the
    container, as specified with the <option>--machine=</option>
    switch of <command>systemd-nspawn</command>, or derived from the
    directory or image file name. This file is first searched in
    <filename>/etc/systemd/nspawn/</filename> and
    <filename>/run/systemd/nspawn/</filename>. If found in these
    directories, its settings are read and all of them take full effect
    (but are possibly overridden by corresponding command line
    arguments). If not found, the file will then be searched next to
    the image file or in the immediate parent of the root directory of
    the container. If the file is found there, only a subset of the
    settings will take effect however. All settings that possibly
    elevate privileges or grant additional access to resources of the
    host (such as files or directories) are ignored. To which options
    this applies is documented below.</para>

    <para>Persistent settings files created and maintained by the
    administrator (and thus trusted) should be placed in
    <filename>/etc/systemd/nspawn/</filename>, while automatically
    downloaded (and thus potentially untrusted) settings files are
    placed in <filename>/var/lib/machines/</filename> instead (next to
    the container images), where their security impact is limited. In
    order to add privileged settings to <filename>.nspawn</filename>
    files acquired from the image vendor, it is recommended to copy the
    settings files into <filename>/etc/systemd/nspawn/</filename> and
    edit them there, so that the privileged options become
    available. The precise algorithm for how the files are searched and
    interpreted may be configured with
    <command>systemd-nspawn</command>'s <option>--settings=</option>
    switch, see
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    for details.</para>
  </refsect1>

  <refsect1>
    <title>[Exec] Section Options</title>

    <para>Settings files may include an <literal>[Exec]</literal>
    section, which carries various execution parameters:</para>

    <variablelist>

      <varlistentry>
        <term><varname>Boot=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command>
        will automatically search for an <filename>init</filename> executable and invoke it. In this case, the
        specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the
        <filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the
        <command>systemd-nspawn</command> command line. This option may not be combined with
        <varname>ProcessTwo=yes</varname>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ProcessTwo=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as
        PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch
        on the <command>systemd-nspawn</command> command line. This option may not be combined with
        <varname>Boot=yes</varname>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Parameters=</varname></term>

        <listitem><para>Takes a space-separated list of
        arguments. This is either a command line, beginning with the
        binary name to execute, or – if <varname>Boot=</varname> is
        enabled – the list of arguments to pass to the init
        process. This setting corresponds to the command line
        parameters passed on the <command>systemd-nspawn</command>
        command line.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Environment=</varname></term>

        <listitem><para>Takes an environment variable assignment
        consisting of key and value, separated by
        <literal>=</literal>. Sets an environment variable for the
        main process invoked in the container. This setting may be
        used multiple times to set multiple environment variables. It
        corresponds to the <option>--setenv=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>User=</varname></term>

        <listitem><para>Takes a UNIX user name. Specifies the user
        name to invoke the main process of the container as. This user
        must be known in the container's user database. This
        corresponds to the <option>--user=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>WorkingDirectory=</varname></term>

        <listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute
        path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Capability=</varname></term>
        <term><varname>DropCapability=</varname></term>

        <listitem><para>Takes a space-separated list of Linux process
        capabilities (see
        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
        for details). The <varname>Capability=</varname> setting
        specifies additional capabilities to pass on top of the
        default set of capabilities. The
        <varname>DropCapability=</varname> setting specifies
        capabilities to drop from the default set. These settings
        correspond to the <option>--capability=</option> and
        <option>--drop-capability=</option> command line
        switches. Note that <varname>Capability=</varname> is a
        privileged setting, and only takes effect in
        <filename>.nspawn</filename> files in
        <filename>/etc/systemd/nspawn/</filename> and
        <filename>/run/system/nspawn/</filename> (see above). On the
        other hand, <varname>DropCapability=</varname> takes effect in
        all cases.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>KillSignal=</varname></term>

        <listitem><para>Specify the process signal to send to the
        container's PID 1 when nspawn itself receives SIGTERM, in
        order to trigger an orderly shutdown of the container.
        Defaults to SIGRTMIN+3 if <option>Boot=</option> is used
        (on systemd-compatible init systems SIGRTMIN+3 triggers an
        orderly shutdown). For a list of valid signals, see
        <citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Personality=</varname></term>

        <listitem><para>Configures the kernel personality for the
        container. This is equivalent to the
        <option>--personality=</option> switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MachineID=</varname></term>

        <listitem><para>Configures the 128-bit machine ID (UUID) to pass to
        the container. This is equivalent to the
        <option>--uuid=</option> command line switch. This option is
        privileged (see above). </para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Files] Section Options</title>

    <para>Settings files may include a <literal>[Files]</literal>
    section, which carries various parameters configuring the file
    system of the container:</para>

    <variablelist>

      <varlistentry>
        <term><varname>ReadOnly=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If
        specified, the container will be run with a read-only file
        system. This setting corresponds to the
        <option>--read-only</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Volatile=</varname></term>

        <listitem><para>Takes a boolean argument, or the special value
        <literal>state</literal>. This configures whether to run the
        container with volatile state and/or configuration. This
        option is equivalent to <option>--volatile=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options
        supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Bind=</varname></term>
        <term><varname>BindReadOnly=</varname></term>

        <listitem><para>Adds a bind mount from the host into the
        container. Takes a single path, a pair of two paths separated
        by a colon, or a triplet of two paths plus an option string
        separated by colons. This option may be used multiple times to
        configure multiple bind mounts. This option is equivalent to
        the command line switches <option>--bind=</option> and
        <option>--bind-ro=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting
        is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>TemporaryFileSystem=</varname></term>

        <listitem><para>Adds a <literal>tmpfs</literal> mount to the
        container. Takes a path or a pair of path and option string,
        separated by a colon. This option may be used multiple times to
        configure multiple <literal>tmpfs</literal> mounts. This
        option is equivalent to the command line switch
        <option>--tmpfs=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting
        is privileged (see above).</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Network] Section Options</title>

    <para>Settings files may include a <literal>[Network]</literal>
    section, which carries various parameters configuring the network
    connectivity of the container:</para>

    <variablelist>

      <varlistentry>
        <term><varname>Private=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If
        enabled, the container will run in its own network namespace
        and not share network interfaces and configuration with the
        host. This setting corresponds to the
        <option>--private-network</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>VirtualEthernet=</varname></term>

        <listitem><para>Takes a boolean argument. Configures whether
        to create a virtual Ethernet connection
        (<literal>veth</literal>) between host and the container. This
        setting implies <varname>Private=yes</varname>. This setting
        corresponds to the <option>--network-veth</option> command
        line switch. This option is privileged (see
        above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>VirtualEthernetExtra=</varname></term>

        <listitem><para>Takes a colon-separated pair of interface
        names. Configures an additional virtual Ethernet connection
        (<literal>veth</literal>) between host and the container. The
        first specified name is the interface name on the host, the
        second the interface name in the container. The latter may be
        omitted in which case it is set to the same name as the host
        side interface. This setting implies
        <varname>Private=yes</varname>. This setting corresponds to
        the <option>--network-veth-extra=</option> command line
        switch, and maybe be used multiple times. It is independent of
        <varname>VirtualEthernet=</varname>. This option is privileged
        (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Interface=</varname></term>

        <listitem><para>Takes a space-separated list of interfaces to
        add to the container. This option corresponds to the
        <option>--network-interface=</option> command line switch and
        implies <varname>Private=yes</varname>. This option is
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MACVLAN=</varname></term>
        <term><varname>IPVLAN=</varname></term>

        <listitem><para>Takes a space-separated list of interfaces to
        add MACLVAN or IPVLAN interfaces to, which are then added to
        the container. These options correspond to the
        <option>--network-macvlan=</option> and
        <option>--network-ipvlan=</option> command line switches and
        imply <varname>Private=yes</varname>. These options are
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Bridge=</varname></term>

        <listitem><para>Takes an interface name. This setting implies
        <varname>VirtualEthernet=yes</varname> and
        <varname>Private=yes</varname> and has the effect that the
        host side of the created virtual Ethernet link is connected to
        the specified bridge interface. This option corresponds to the
        <option>--network-bridge=</option> command line switch. This
        option is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Port=</varname></term>

        <listitem><para>Exposes a TCP or UDP port of the container on
        the host. This option corresponds to the
        <option>--port=</option> command line switch, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for the precise syntax of the argument this option takes. This
        option is privileged (see above).</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
f757855e LP	1	<?xml version='1.0'?> <!--- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil --->
	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
	4	<!ENTITY % entities SYSTEM "custom-entities.ent" >
	5	%entities;
	6	]>
	7
	8	<!--
	9	This file is part of systemd.
	10
	11	Copyright 2015 Lennart Poettering
	12
	13	systemd is free software; you can redistribute it and/or modify it
	14	under the terms of the GNU Lesser General Public License as published by
	15	the Free Software Foundation; either version 2.1 of the License, or
	16	(at your option) any later version.
	17
	18	systemd is distributed in the hope that it will be useful, but
	19	WITHOUT ANY WARRANTY; without even the implied warranty of
	20	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	21	Lesser General Public License for more details.
	22
	23	You should have received a copy of the GNU Lesser General Public License
	24	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	25	-->
	26
	27	<refentry id="systemd.nspawn">
	28
	29	<refentryinfo>
	30	<title>systemd.nspawn</title>
	31	<productname>systemd</productname>
	32
	33	<authorgroup>
	34	<author>
	35	<contrib>Developer</contrib>
	36	<firstname>Lennart</firstname>
	37	<surname>Poettering</surname>
	38	<email>lennart@poettering.net</email>
	39	</author>
	40	</authorgroup>
	41	</refentryinfo>
	42
	43	<refmeta>
	44	<refentrytitle>systemd.nspawn</refentrytitle>
	45	<manvolnum>5</manvolnum>
	46	</refmeta>
	47
	48	<refnamediv>
	49	<refname>systemd.nspawn</refname>
	50	<refpurpose>Container settings</refpurpose>
	51	</refnamediv>
	52
	53	<refsynopsisdiv>
	54	<para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
	55	<para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
	56	<para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
	57	</refsynopsisdiv>
	58
	59	<refsect1>
	60	<title>Description</title>
	61
	62	<para>An nspawn container settings file (suffix
	63	<filename>.nspawn</filename>) encodes additional runtime
	64	information about a local container, and is searched, read and
65	used by
66	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
67	when starting a container. Files of this type are named after the
68	containers they define settings for. They are optional, and only
69	required for containers whose execution environment shall differ
70	from the defaults. Files of this type mostly contain settings that
71	may also be set on the <command>systemd-nspawn</command> command
72	line, and make it easier to persistently attach specific settings
73	to specific containers. The syntax of these files is inspired by
74	<filename>.desktop</filename> files following the <ulink
75	url="http://standards.freedesktop.org/desktop-entry-spec/latest/">XDG
a8eaaee7	76	Desktop Entry Specification</ulink>, which in turn are inspired by
f757855e LP	77	Microsoft Windows <filename>.ini</filename> files.</para>
	78
	79	<para>Boolean arguments used in these settings files can be
b938cb90	80	written in various formats. For positive settings, the strings
f757855e LP	81	<option>1</option>, <option>yes</option>, <option>true</option>
	82	and <option>on</option> are equivalent. For negative settings, the
	83	strings <option>0</option>, <option>no</option>,
	84	<option>false</option> and <option>off</option> are
	85	equivalent.</para>
	86
	87	<para>Empty lines and lines starting with # or ; are
	88	ignored. This may be used for commenting. Lines ending
	89	in a backslash are concatenated with the following
	90	line while reading and the backslash is replaced by a
	91	space character. This may be used to wrap long lines.</para>
	92
	93	</refsect1>
	94
	95	<refsect1>
	96	<title><filename>.nspawn</filename> File Discovery</title>
	97
	98	<para>Files are searched by appending the
	99	<filename>.nspawn</filename> suffix to the machine name of the
	100	container, as specified with the <option>--machine=</option>
	101	switch of <command>systemd-nspawn</command>, or derived from the
	102	directory or image file name. This file is first searched in
	103	<filename>/etc/systemd/nspawn/</filename> and
	104	<filename>/run/systemd/nspawn/</filename>. If found in these
b938cb90	105	directories, its settings are read and all of them take full effect
4f76ef04	106	(but are possibly overridden by corresponding command line
b938cb90	107	arguments). If not found, the file will then be searched next to
f757855e	108	the image file or in the immediate parent of the root directory of
b938cb90	109	the container. If the file is found there, only a subset of the
f757855e LP	110	settings will take effect however. All settings that possibly
	111	elevate privileges or grant additional access to resources of the
	112	host (such as files or directories) are ignored. To which options
	113	this applies is documented below.</para>
	114
a8eaaee7	115	<para>Persistent settings files created and maintained by the
f757855e LP	116	administrator (and thus trusted) should be placed in
	117	<filename>/etc/systemd/nspawn/</filename>, while automatically
	118	downloaded (and thus potentially untrusted) settings files are
	119	placed in <filename>/var/lib/machines/</filename> instead (next to
	120	the container images), where their security impact is limited. In
	121	order to add privileged settings to <filename>.nspawn</filename>
b938cb90	122	files acquired from the image vendor, it is recommended to copy the
f757855e LP	123	settings files into <filename>/etc/systemd/nspawn/</filename> and
f757855e LP	124	edit them there, so that the privileged options become
a8eaaee7	125	available. The precise algorithm for how the files are searched and
f757855e LP	126	interpreted may be configured with
	127	<command>systemd-nspawn</command>'s <option>--settings=</option>
	128	switch, see
	129	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	130	for details.</para>
	131	</refsect1>
	132
	133	<refsect1>
	134	<title>[Exec] Section Options</title>
	135
	136	<para>Settings files may include an <literal>[Exec]</literal>
	137	section, which carries various execution parameters:</para>
	138
	139	<variablelist>
	140
	141	<varlistentry>
	142	<term><varname>Boot=</varname></term>
	143
7732f92b LP	144	<listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command>
	145	will automatically search for an <filename>init</filename> executable and invoke it. In this case, the
	146	specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the
	147	<filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the
	148	<command>systemd-nspawn</command> command line. This option may not be combined with
	149	<varname>ProcessTwo=yes</varname>.</para></listitem>
	150	</varlistentry>
	151
	152	<varlistentry>
	153	<term><varname>ProcessTwo=</varname></term>
	154
	155	<listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as
	156	PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch
	157	on the <command>systemd-nspawn</command> command line. This option may not be combined with
	158	<varname>Boot=yes</varname>.</para></listitem>
f757855e LP	159	</varlistentry>
	160
	161	<varlistentry>
	162	<term><varname>Parameters=</varname></term>
	163
b938cb90	164	<listitem><para>Takes a space-separated list of
f757855e LP	165	arguments. This is either a command line, beginning with the
	166	binary name to execute, or – if <varname>Boot=</varname> is
	167	enabled – the list of arguments to pass to the init
	168	process. This setting corresponds to the command line
	169	parameters passed on the <command>systemd-nspawn</command>
	170	command line.</para></listitem>
	171	</varlistentry>
	172
	173	<varlistentry>
	174	<term><varname>Environment=</varname></term>
	175
	176	<listitem><para>Takes an environment variable assignment
	177	consisting of key and value, separated by
	178	<literal>=</literal>. Sets an environment variable for the
	179	main process invoked in the container. This setting may be
	180	used multiple times to set multiple environment variables. It
	181	corresponds to the <option>--setenv=</option> command line
	182	switch.</para></listitem>
	183	</varlistentry>
	184
	185	<varlistentry>
	186	<term><varname>User=</varname></term>
	187
	188	<listitem><para>Takes a UNIX user name. Specifies the user
	189	name to invoke the main process of the container as. This user
	190	must be known in the container's user database. This
	191	corresponds to the <option>--user=</option> command line
5f932eb9 LP	192	switch.</para></listitem>
	193	</varlistentry>
	194
	195	<varlistentry>
	196	<term><varname>WorkingDirectory=</varname></term>
	197
	198	<listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute
	199	path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line
f757855e LP	200	switch.</para></listitem>
	201	</varlistentry>
	202
	203	<varlistentry>
	204	<term><varname>Capability=</varname></term>
	205	<term><varname>DropCapability=</varname></term>
	206
b938cb90	207	<listitem><para>Takes a space-separated list of Linux process
f757855e	208	capabilities (see
524f3e5c	209	<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
f757855e LP	210	for details). The <varname>Capability=</varname> setting
f757855e LP	211	specifies additional capabilities to pass on top of the
4f76ef04	212	default set of capabilities. The
f757855e LP	213	<varname>DropCapability=</varname> setting specifies
	214	capabilities to drop from the default set. These settings
	215	correspond to the <option>--capability=</option> and
	216	<option>--drop-capability=</option> command line
	217	switches. Note that <varname>Capability=</varname> is a
	218	privileged setting, and only takes effect in
	219	<filename>.nspawn</filename> files in
	220	<filename>/etc/systemd/nspawn/</filename> and
	221	<filename>/run/system/nspawn/</filename> (see above). On the
b938cb90	222	other hand, <varname>DropCapability=</varname> takes effect in
f757855e LP	223	all cases.</para></listitem>
	224	</varlistentry>
	225
b3969f73	226	<varlistentry>
c9648aa6	227	<term><varname>KillSignal=</varname></term>
b3969f73 PA	228
	229	<listitem><para>Specify the process signal to send to the
	230	container's PID 1 when nspawn itself receives SIGTERM, in
	231	order to trigger an orderly shutdown of the container.
	232	Defaults to SIGRTMIN+3 if <option>Boot=</option> is used
	233	(on systemd-compatible init systems SIGRTMIN+3 triggers an
	234	orderly shutdown). For a list of valid signals, see
	235	<citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
	236	</varlistentry>
	237
f757855e LP	238	<varlistentry>
	239	<term><varname>Personality=</varname></term>
	240
	241	<listitem><para>Configures the kernel personality for the
	242	container. This is equivalent to the
	243	<option>--personality=</option> switch.</para></listitem>
	244	</varlistentry>
	245
	246	<varlistentry>
	247	<term><varname>MachineID=</varname></term>
	248
b938cb90	249	<listitem><para>Configures the 128-bit machine ID (UUID) to pass to
f757855e LP	250	the container. This is equivalent to the
	251	<option>--uuid=</option> command line switch. This option is
	252	privileged (see above). </para></listitem>
	253	</varlistentry>
	254	</variablelist>
	255	</refsect1>
	256
	257	<refsect1>
	258	<title>[Files] Section Options</title>
	259
	260	<para>Settings files may include a <literal>[Files]</literal>
	261	section, which carries various parameters configuring the file
	262	system of the container:</para>
	263
	264	<variablelist>
	265
	266	<varlistentry>
	267	<term><varname>ReadOnly=</varname></term>
	268
a8eaaee7	269	<listitem><para>Takes a boolean argument, which defaults to off. If
b938cb90	270	specified, the container will be run with a read-only file
f757855e LP	271	system. This setting corresponds to the
	272	<option>--read-only</option> command line
	273	switch.</para></listitem>
	274	</varlistentry>
	275
	276	<varlistentry>
	277	<term><varname>Volatile=</varname></term>
	278
	279	<listitem><para>Takes a boolean argument, or the special value
	280	<literal>state</literal>. This configures whether to run the
	281	container with volatile state and/or configuration. This
	282	option is equivalent to <option>--volatile=</option>, see
	283	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	284	for details about the specific options
	285	supported.</para></listitem>
	286	</varlistentry>
	287
	288	<varlistentry>
	289	<term><varname>Bind=</varname></term>
	290	<term><varname>BindReadOnly=</varname></term>
	291
	292	<listitem><para>Adds a bind mount from the host into the
	293	container. Takes a single path, a pair of two paths separated
	294	by a colon, or a triplet of two paths plus an option string
	295	separated by colons. This option may be used multiple times to
	296	configure multiple bind mounts. This option is equivalent to
	297	the command line switches <option>--bind=</option> and
	298	<option>--bind-ro=</option>, see
	299	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	300	for details about the specific options supported. This setting
	301	is privileged (see above).</para></listitem>
	302	</varlistentry>
	303
	304	<varlistentry>
	305	<term><varname>TemporaryFileSystem=</varname></term>
	306
	307	<listitem><para>Adds a <literal>tmpfs</literal> mount to the
	308	container. Takes a path or a pair of path and option string,
4f76ef04	309	separated by a colon. This option may be used multiple times to
f757855e LP	310	configure multiple <literal>tmpfs</literal> mounts. This
	311	option is equivalent to the command line switch
	312	<option>--tmpfs=</option>, see
	313	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	314	for details about the specific options supported. This setting
	315	is privileged (see above).</para></listitem>
	316	</varlistentry>
	317	</variablelist>
	318	</refsect1>
	319
	320	<refsect1>
	321	<title>[Network] Section Options</title>
	322
	323	<para>Settings files may include a <literal>[Network]</literal>
	324	section, which carries various parameters configuring the network
	325	connectivity of the container:</para>
	326
	327	<variablelist>
	328
	329	<varlistentry>
	330	<term><varname>Private=</varname></term>
	331
a8eaaee7	332	<listitem><para>Takes a boolean argument, which defaults to off. If
b938cb90	333	enabled, the container will run in its own network namespace
f757855e LP	334	and not share network interfaces and configuration with the
	335	host. This setting corresponds to the
	336	<option>--private-network</option> command line
	337	switch.</para></listitem>
	338	</varlistentry>
	339
	340	<varlistentry>
	341	<term><varname>VirtualEthernet=</varname></term>
	342
	343	<listitem><para>Takes a boolean argument. Configures whether
a8eaaee7	344	to create a virtual Ethernet connection
f757855e LP	345	(<literal>veth</literal>) between host and the container. This
	346	setting implies <varname>Private=yes</varname>. This setting
	347	corresponds to the <option>--network-veth</option> command
	348	line switch. This option is privileged (see
	349	above).</para></listitem>
	350	</varlistentry>
	351
f6d6bad1 LP	352	<varlistentry>
	353	<term><varname>VirtualEthernetExtra=</varname></term>
	354
	355	<listitem><para>Takes a colon-separated pair of interface
	356	names. Configures an additional virtual Ethernet connection
	357	(<literal>veth</literal>) between host and the container. The
	358	first specified name is the interface name on the host, the
	359	second the interface name in the container. The latter may be
	360	omitted in which case it is set to the same name as the host
	361	side interface. This setting implies
	362	<varname>Private=yes</varname>. This setting corresponds to
	363	the <option>--network-veth-extra=</option> command line
	364	switch, and maybe be used multiple times. It is independent of
	365	<varname>VirtualEthernet=</varname>. This option is privileged
	366	(see above).</para></listitem>
	367	</varlistentry>
	368
f757855e LP	369	<varlistentry>
	370	<term><varname>Interface=</varname></term>
	371
b938cb90	372	<listitem><para>Takes a space-separated list of interfaces to
f757855e LP	373	add to the container. This option corresponds to the
	374	<option>--network-interface=</option> command line switch and
	375	implies <varname>Private=yes</varname>. This option is
	376	privileged (see above).</para></listitem>
	377	</varlistentry>
	378
	379	<varlistentry>
	380	<term><varname>MACVLAN=</varname></term>
	381	<term><varname>IPVLAN=</varname></term>
	382
b938cb90	383	<listitem><para>Takes a space-separated list of interfaces to
f757855e LP	384	add MACLVAN or IPVLAN interfaces to, which are then added to
	385	the container. These options correspond to the
	386	<option>--network-macvlan=</option> and
	387	<option>--network-ipvlan=</option> command line switches and
	388	imply <varname>Private=yes</varname>. These options are
	389	privileged (see above).</para></listitem>
	390	</varlistentry>
	391
	392	<varlistentry>
	393	<term><varname>Bridge=</varname></term>
	394
	395	<listitem><para>Takes an interface name. This setting implies
	396	<varname>VirtualEthernet=yes</varname> and
	397	<varname>Private=yes</varname> and has the effect that the
	398	host side of the created virtual Ethernet link is connected to
	399	the specified bridge interface. This option corresponds to the
	400	<option>--network-bridge=</option> command line switch. This
	401	option is privileged (see above).</para></listitem>
	402	</varlistentry>
	403
	404	<varlistentry>
	405	<term><varname>Port=</varname></term>
	406
	407	<listitem><para>Exposes a TCP or UDP port of the container on
	408	the host. This option corresponds to the
	409	<option>--port=</option> command line switch, see
	410	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	411	for the precise syntax of the argument this option takes. This
	412	option is privileged (see above).</para></listitem>
	413	</varlistentry>
	414	</variablelist>
	415	</refsect1>
	416
	417	<refsect1>
	418	<title>See Also</title>
	419	<para>
	420	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	421	<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	422	<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
	423	</para>
	424	</refsect1>
	425
	426	</refentry>