]> git.ipfire.org Git - thirdparty/systemd.git/blob - man/systemd-nspawn.xml
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nspawn: --private-network should imply CAP_NET_ADMIN
[thirdparty/systemd.git] / man / systemd-nspawn.xml
1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4
5 <!--
6 This file is part of systemd.
7
8 Copyright 2010 Lennart Poettering
9
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
14
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
19
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 -->
23
24 <refentry id="systemd-nspawn">
25
26 <refentryinfo>
27 <title>systemd-nspawn</title>
28 <productname>systemd</productname>
29
30 <authorgroup>
31 <author>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
36 </author>
37 </authorgroup>
38 </refentryinfo>
39
40 <refmeta>
41 <refentrytitle>systemd-nspawn</refentrytitle>
42 <manvolnum>1</manvolnum>
43 </refmeta>
44
45 <refnamediv>
46 <refname>systemd-nspawn</refname>
47 <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
48 </refnamediv>
49
50 <refsynopsisdiv>
51 <cmdsynopsis>
52 <command>systemd-nspawn</command>
53 <arg choice="opt" rep="repeat">OPTIONS</arg>
54 <arg choice="opt"><replaceable>COMMAND</replaceable>
55 <arg choice="opt" rep="repeat">ARGS</arg>
56 </arg>
57 </cmdsynopsis>
58 <cmdsynopsis>
59 <command>systemd-nspawn</command>
60 <arg choice="plain">-b</arg>
61 <arg choice="opt" rep="repeat">OPTIONS</arg>
62 <arg choice="opt" rep="repeat">ARGS</arg>
63 </cmdsynopsis>
64 </refsynopsisdiv>
65
66 <refsect1>
67 <title>Description</title>
68
69 <para><command>systemd-nspawn</command> may be used to
70 run a command or OS in a light-weight namespace
71 container. In many ways it is similar to
72 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
73 but more powerful since it fully virtualizes the file
74 system hierarchy, as well as the process tree, the
75 various IPC subsystems and the host and domain
76 name.</para>
77
78 <para><command>systemd-nspawn</command> limits access
79 to various kernel interfaces in the container to
80 read-only, such as <filename>/sys</filename>,
81 <filename>/proc/sys</filename> or
82 <filename>/sys/fs/selinux</filename>. Network
83 interfaces and the system clock may not be changed
84 from within the container. Device nodes may not be
85 created. The host system cannot be rebooted and kernel
86 modules may not be loaded from within the
87 container.</para>
88
89 <para>Note that even though these security precautions
90 are taken <command>systemd-nspawn</command> is not
91 suitable for secure container setups. Many of the
92 security features may be circumvented and are hence
93 primarily useful to avoid accidental changes to the
94 host system from the container. The intended use of
95 this program is debugging and testing as well as
96 building of packages, distributions and software
97 involved with boot and systems management.</para>
98
99 <para>In contrast to
100 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
101 may be used to boot full Linux-based operating systems
102 in a container.</para>
103
104 <para>Use a tool like
105 <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
106 <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
107 or
108 <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
109 to set up an OS directory tree suitable as file system
110 hierarchy for <command>systemd-nspawn</command>
111 containers.</para>
112
113 <para>Note that <command>systemd-nspawn</command> will
114 mount file systems private to the container to
115 <filename>/dev</filename>,
116 <filename>/run</filename> and similar. These will
117 not be visible outside of the container, and their
118 contents will be lost when the container exits.</para>
119
120 <para>Note that running two
121 <command>systemd-nspawn</command> containers from the
122 same directory tree will not make processes in them
123 see each other. The PID namespace separation of the
124 two containers is complete and the containers will
125 share very few runtime objects except for the
126 underlying file system. Use
127 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
128 <command>login</command> command to request an
129 additional login prompt in a running container.</para>
130
131 <para><command>systemd-nspawn</command> implements the
132 <ulink
133 url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
134 Interface</ulink> specification.</para>
135
136 <para>As a safety check
137 <command>systemd-nspawn</command> will verify the
138 existence of <filename>/etc/os-release</filename> in
139 the container tree before starting the container (see
140 <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It
141 might be necessary to add this file to the container
142 tree manually if the OS of the container is too old to
143 contain this file out-of-the-box.</para>
144 </refsect1>
145
146 <refsect1>
147 <title>Options</title>
148
149 <para>If option <option>-b</option> is specified, the
150 arguments are used as arguments for the init
151 binary. Otherwise, <replaceable>COMMAND</replaceable>
152 specifies the program to launch in the container, and
153 the remaining arguments are used as arguments for this
154 program. If <option>-b</option> is not used and no
155 arguments are specifed, a shell is launched in the
156 container.</para>
157
158 <para>The following options are understood:</para>
159
160 <variablelist>
161 <varlistentry>
162 <term><option>-h</option></term>
163 <term><option>--help</option></term>
164
165 <listitem><para>Prints a short help
166 text and exits.</para></listitem>
167 </varlistentry>
168
169 <varlistentry>
170 <term><option>--version</option></term>
171
172 <listitem><para>Prints a version string
173 and exits.</para></listitem>
174 </varlistentry>
175
176 <varlistentry>
177 <term><option>-D</option></term>
178 <term><option>--directory=</option></term>
179
180 <listitem><para>Directory to use as
181 file system root for the namespace
182 container. If omitted, the current
183 directory will be
184 used.</para></listitem>
185 </varlistentry>
186
187 <varlistentry>
188 <term><option>-b</option></term>
189 <term><option>--boot</option></term>
190
191 <listitem><para>Automatically search
192 for an init binary and invoke it
193 instead of a shell or a user supplied
194 program. If this option is used,
195 arguments specified on the command
196 line are used as arguments for the
197 init binary. This option may not be
198 combined with
199 <option>--share-system</option>.
200 </para></listitem>
201 </varlistentry>
202
203 <varlistentry>
204 <term><option>-u</option></term>
205 <term><option>--user=</option></term>
206
207 <listitem><para>Run the command
208 under specified user, create home
209 directory and cd into it. As rest
210 of systemd-nspawn, this is not
211 the security feature and limits
212 against accidental changes only.
213 </para></listitem>
214 </varlistentry>
215
216 <varlistentry>
217 <term><option>-M</option></term>
218 <term><option>--machine=</option></term>
219
220 <listitem><para>Sets the machine name
221 for this container. This name may be
222 used to identify this container on the
223 host, and is used to initialize the
224 container's hostname (which the
225 container can choose to override,
226 however). If not specified, the last
227 component of the root directory of the
228 container is used.</para></listitem>
229 </varlistentry>
230
231 <varlistentry>
232 <term><option>--slice=</option></term>
233
234 <listitem><para>Make the container
235 part of the specified slice, instead
236 of the
237 <filename>machine.slice</filename>.</para>
238 </listitem>
239 </varlistentry>
240
241 <varlistentry>
242 <term><option>-Z</option></term>
243 <term><option>--selinux-context=</option></term>
244
245 <listitem><para>Sets the SELinux
246 security context to be used to label
247 processes in the container.</para>
248 </listitem>
249 </varlistentry>
250
251 <varlistentry>
252 <term><option>-L</option></term>
253 <term><option>--selinux-apifs-context=</option></term>
254
255 <listitem><para>Sets the SELinux security
256 context to be used to label files in
257 the virtual API file systems in the
258 container.</para>
259 </listitem>
260 </varlistentry>
261
262 <varlistentry>
263 <term><option>--uuid=</option></term>
264
265 <listitem><para>Set the specified UUID
266 for the container. The init system
267 will initialize
268 <filename>/etc/machine-id</filename>
269 from this if this file is not set yet.
270 </para></listitem>
271 </varlistentry>
272
273 <varlistentry>
274 <term><option>--private-network</option></term>
275
276 <listitem><para>Turn off networking in
277 the container. This makes all network
278 interfaces unavailable in the
279 container, with the exception of the
280 loopback device and those specified
281 with
282 <option>--network-interface=</option>. If
283 this option is specified the
284 CAP_NET_ADMIN capability will be added
285 to the set of capabilities the
286 container retains. The latter may be
287 disabled by using
288 <option>--drop-capability=</option>.</para></listitem>
289 </varlistentry>
290
291 <varlistentry>
292 <term><option>--network-interface=</option></term>
293
294 <listitem><para>Assign the specified
295 network interface to the
296 container. This will move the
297 specified interface from the calling
298 namespace and place it in the
299 container. When the container
300 terminates it is moved back to the
301 host namespace. Note that
302 <option>--network-interface=</option>
303 implies
304 <option>--private-network</option>. This
305 option may be used more than once to
306 add multiple network interfaces to the
307 container.</para></listitem>
308 </varlistentry>
309
310 <varlistentry>
311 <term><option>--read-only</option></term>
312
313 <listitem><para>Mount the root file
314 system read-only for the
315 container.</para></listitem>
316 </varlistentry>
317
318 <varlistentry>
319 <term><option>--capability=</option></term>
320
321 <listitem><para>List one or more
322 additional capabilities to grant the
323 container. Takes a comma-separated
324 list of capability names, see
325 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
326 for more information. Note that the
327 following capabilities will be granted
328 in any way: CAP_CHOWN,
329 CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
330 CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
331 CAP_KILL, CAP_LEASE,
332 CAP_LINUX_IMMUTABLE,
333 CAP_NET_BIND_SERVICE,
334 CAP_NET_BROADCAST, CAP_NET_RAW,
335 CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
336 CAP_SETUID, CAP_SYS_ADMIN,
337 CAP_SYS_CHROOT, CAP_SYS_NICE,
338 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
339 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
340 CAP_AUDIT_WRITE,
341 CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
342 is retained if
343 <option>--private-network</option> is
344 specified. If the special value
345 <literal>all</literal> is passed all
346 capabilities are
347 retained.</para></listitem>
348 </varlistentry>
349
350 <varlistentry>
351 <term><option>--drop-capability=</option></term>
352
353 <listitem><para>Specify one or more
354 additional capabilities to drop for
355 the container. This allows running the
356 container with fewer capabilities than
357 the default (see above).</para></listitem>
358 </varlistentry>
359
360 <varlistentry>
361 <term><option>--link-journal=</option></term>
362
363 <listitem><para>Control whether the
364 container's journal shall be made
365 visible to the host system. If enabled,
366 allows viewing the container's journal
367 files from the host (but not vice
368 versa). Takes one of
369 <literal>no</literal>,
370 <literal>host</literal>,
371 <literal>guest</literal>,
372 <literal>auto</literal>. If
373 <literal>no</literal>, the journal is
374 not linked. If <literal>host</literal>,
375 the journal files are stored on the
376 host file system (beneath
377 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
378 and the subdirectory is bind-mounted
379 into the container at the same
380 location. If <literal>guest</literal>,
381 the journal files are stored on the
382 guest file system (beneath
383 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
384 and the subdirectory is symlinked into the host
385 at the same location. If
386 <literal>auto</literal> (the default),
387 and the right subdirectory of
388 <filename>/var/log/journal</filename>
389 exists, it will be bind mounted
390 into the container. If the
391 subdirectory does not exist, no
392 linking is performed. Effectively,
393 booting a container once with
394 <literal>guest</literal> or
395 <literal>host</literal> will link the
396 journal persistently if further on
397 the default of <literal>auto</literal>
398 is used.</para></listitem>
399 </varlistentry>
400
401 <varlistentry>
402 <term><option>-j</option></term>
403
404 <listitem><para>Equivalent to
405 <option>--link-journal=guest</option>.</para></listitem>
406 </varlistentry>
407
408 <varlistentry>
409 <term><option>--bind=</option></term>
410 <term><option>--bind-ro=</option></term>
411
412 <listitem><para>Bind mount a file or
413 directory from the host into the
414 container. Either takes a path
415 argument -- in which case the
416 specified path will be mounted from
417 the host to the same path in the
418 container --, or a colon-separated
419 pair of paths -- in which case the
420 first specified path is the source in
421 the host, and the second path is the
422 destination in the container. The
423 <option>--bind-ro=</option> option
424 creates read-only bind
425 mount.</para></listitem>
426 </varlistentry>
427
428 <varlistentry>
429 <term><option>--setenv=</option></term>
430
431 <listitem><para>Specifies an
432 environment variable assignment to
433 pass to the init process in the
434 container, in the format
435 <literal>NAME=VALUE</literal>. This
436 may be used to override the default
437 variables or to set additional
438 variables. This parameter may be used
439 more than once.</para></listitem>
440 </varlistentry>
441
442 <varlistentry>
443 <term><option>-q</option></term>
444 <term><option>--quiet</option></term>
445
446 <listitem><para>Turns off any status
447 output by the tool itself. When this
448 switch is used, then the only output
449 by nspawn will be the console output
450 of the container OS itself.</para></listitem>
451 </varlistentry>
452
453 <varlistentry>
454 <term><option>--share-system</option></term>
455
456 <listitem><para>Allows the container
457 to share certain system facilities
458 with the host. More specifically, this
459 turns off PID namespacing, UTS
460 namespacing and IPC namespacing, and
461 thus allows the guest to see and
462 interact more easily with processes
463 outside of the container. Note that
464 using this option makes it impossible
465 to start up a full Operating System in
466 the container, as an init system
467 cannot operate in this mode. It is
468 only useful to run specific programs
469 or applications this way, without
470 involving an init system in the
471 container. This option implies
472 <option>--register=no</option>. This
473 option may not be combined with
474 <option>--boot</option>.</para></listitem>
475 </varlistentry>
476
477 <varlistentry>
478 <term><option>--register=</option></term>
479
480 <listitem><para>Controls whether the
481 container is registered with
482 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
483 a boolean argument, defaults to
484 <literal>yes</literal>. This option
485 should be enabled when the container
486 runs a full Operating System (more
487 specifically: an init system), and is
488 useful to ensure that the container is
489 accessible via
490 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
491 and shown by tools such as
492 <citerefentry><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
493 the container does not run an init
494 system it is recommended to set this
495 option to <literal>no</literal>. Note
496 that <option>--share-system</option>
497 implies
498 <option>--register=no</option>.
499 </para></listitem>
500 </varlistentry>
501
502 <varlistentry>
503 <term><option>--keep-unit</option></term>
504
505 <listitem><para>Instead of creating a
506 transient scope unit to run the
507 container in, simply register the
508 service or scope unit
509 <command>systemd-nspawn</command> has
510 been invoked in in
511 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
512 has no effect if
513 <option>--register=no</option> is
514 used. This switch should be used if
515 <command>systemd-nspawn</command> is
516 invoked from within an a service unit,
517 and the service unit's sole purpose
518 is to run a single
519 <command>systemd-nspawn</command>
520 container. This option is not
521 available if run from a user
522 session.</para></listitem>
523 </varlistentry>
524
525 </variablelist>
526
527 </refsect1>
528
529 <refsect1>
530 <title>Example 1</title>
531
532 <programlisting># yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
533 # systemd-nspawn -bD /srv/mycontainer</programlisting>
534
535 <para>This installs a minimal Fedora distribution into
536 the directory <filename noindex='true'>/srv/mycontainer/</filename> and
537 then boots an OS in a namespace container in
538 it.</para>
539 </refsect1>
540
541 <refsect1>
542 <title>Example 2</title>
543
544 <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
545 # systemd-nspawn -D ~/debian-tree/</programlisting>
546
547 <para>This installs a minimal Debian unstable
548 distribution into the directory
549 <filename>~/debian-tree/</filename> and then spawns a
550 shell in a namespace container in it.</para>
551 </refsect1>
552
553 <refsect1>
554 <title>Example 3</title>
555
556 <programlisting># pacstrap -c -d ~/arch-tree/ base
557 # systemd-nspawn -bD ~/arch-tree/</programlisting>
558
559 <para>This installs a mimimal Arch Linux distribution into
560 the directory <filename>~/arch-tree/</filename> and then
561 boots an OS in a namespace container in it.</para>
562 </refsect1>
563
564 <refsect1>
565 <title>Example 4</title>
566
567 <programlisting># mv ~/arch-tree /var/lib/container/arch
568 # systemctl enable systemd-nspawn@arch.service
569 # systemctl start systemd-nspawn@arch.service</programlisting>
570
571 <para>This makes the Arch Linux container part of the
572 <filename>multi-user.target</filename> on the host.
573 </para>
574 </refsect1>
575
576 <refsect1>
577 <title>Example 5</title>
578
579 <programlisting># btrfs subvolume snapshot / /.tmp
580 # systemd-nspawn --private-network -D /.tmp -b</programlisting>
581
582 <para>This runs a copy of the host system in a
583 btrfs snapshot.</para>
584 </refsect1>
585
586 <refsect1>
587 <title>Example 6</title>
588
589 <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
590 # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
591
592 <para>This runs a container with SELinux sandbox security contexts.</para>
593 </refsect1>
594
595 <refsect1>
596 <title>Exit status</title>
597
598 <para>The exit code of the program executed in the
599 container is returned.</para>
600 </refsect1>
601
602 <refsect1>
603 <title>See Also</title>
604 <para>
605 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
606 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
607 <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
608 <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
609 <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
610 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
611 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
612 </para>
613 </refsect1>
614
615 </refentry>
Unnamed repository; edit this file 'description' to name the repository.