<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY fedora_latest_version "31">
-<!ENTITY fedora_cloud_release "1.9">
+<!ENTITY fedora_latest_version "32">
+<!ENTITY fedora_cloud_release "1.6">
]>
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
hash partitions are set up if the root hash for them is specified using the <option>--root-hash=</option>
option.</para>
+ <para>Single file system images (i.e. file systems without a surrounding partition table) can be opened using
+ dm-verity if the integrity data is passed using the <option>--root-hash=</option> and
+ <option>--verity-data=</option> (and optionally <option>--root-hash-sig=</option>) options.</para>
+
<para>Any other partitions, such as foreign partitions or swap partitions are not mounted. May not be specified
together with <option>--directory=</option>, <option>--template=</option>.</para></listitem>
</varlistentry>
project='man-pages'><refentrytitle>xattr</refentrytitle><manvolnum>7</manvolnum></citerefentry>), then the root
hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or
is not supported by the underlying file system), but a file with the <filename>.roothash</filename> suffix is
- found next to the image file, bearing otherwise the same name, the root hash is read from it and automatically
- used, also as formatted hexadecimal characters.</para></listitem>
+ found next to the image file, bearing otherwise the same name (except if the image has the
+ <filename>.raw</filename> suffix, in which case the root hash file must not have it in its name), the root hash
+ is read from it and automatically used, also as formatted hexadecimal characters.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--root-hash-sig=</option></term>
+
+ <listitem><para>Takes a PKCS7 formatted binary signature of the <option>--root-hash=</option> option as a path
+ to a DER encoded signature file or as an ASCII base64 string encoding of the DER encoded signature, prefixed
+ by <literal>base64:</literal>. The dm-verity volume will only be opened if the signature of the root hash hex
+ string is valid and done by a public key present in the kernel keyring. If this option is not specified, but a
+ file with the <filename>.roothash.p7s</filename> suffix is found next to the image file, bearing otherwise the
+ same name (except if the image has the <filename>.raw</filename> suffix, in which case the signature file must
+ not have it in its name), the signature is read from it and automatically used.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--verity-data=</option></term>
+
+ <listitem><para>Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks
+ using dm-verity, if a root-hash is passed and if the used image itself does not contains the integrity data.
+ The integrity data must be matched by the root hash. If this option is not specified, but a file with the
+ <filename>.verity</filename> suffix is found next to the image file, bearing otherwise the same name (except if
+ the image has the <filename>.raw</filename> suffix, in which case the verity data file must not have it in its name),
+ the verity data is read from it and automatically used.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-u</option></term>
<term><option>--user=</option></term>
- <listitem><para>After transitioning into the container, change
- to the specified user-defined in the container's user
- database. Like all other systemd-nspawn features, this is not
- a security feature and provides protection against accidental
- destructive operations only.</para></listitem>
+ <listitem><para>After transitioning into the container, change to the specified user defined in the
+ container's user database. Like all other systemd-nspawn features, this is not a security feature and
+ provides protection against accidental destructive operations only.</para></listitem>
</varlistentry>
<varlistentry>
With option <option>yes</option> systemd-nspawn waits for the
<literal>READY=1</literal> message from the init process in the container
before sending its own to systemd. For more details about notifications
- see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).</para></listitem>
+ see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para></listitem>
</varlistentry>
</variablelist>
<varlistentry>
<term><option>--no-new-privileges=</option></term>
- <listitem><para>Takes a boolean argument. Specifies the value of the <constant>PR_SET_NO_NEW_PRIVS</constant>
- flag for the container payload. Defaults to off. When turned on the payload code of the container cannot
- acquire new privileges, i.e. the "setuid" file bit as well as file system capabilities will not have an effect
- anymore. See <citerefentry
- project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details
- about this flag. </para></listitem>
+ <listitem><para>Takes a boolean argument. Specifies the value of the
+ <constant>PR_SET_NO_NEW_PRIVS</constant> flag for the container payload. Defaults to off. When turned
+ on the payload code of the container cannot acquire new privileges, i.e. the "setuid" file bit as
+ well as file system capabilities will not have an effect anymore. See <citerefentry
+ project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
+ details about this flag. </para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--system-call-filter=</option></term>
-
- <listitem><para>Alter the system call filter applied to containers. Takes a space-separated list of system call
- names or group names (the latter prefixed with <literal>@</literal>, as listed by the
- <command>syscall-filter</command> command of
+ <term><option>--system-call-filter=</option></term> <listitem><para>Alter the system call filter
+ applied to containers. Takes a space-separated list of system call names or group names (the latter
+ prefixed with <literal>@</literal>, as listed by the <command>syscall-filter</command> command of
<citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Passed
- system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which case all
- listed system calls are prohibited. If this command line option is used multiple times the configured lists are
- combined. If both a positive and a negative list (that is one system call list without and one with the
- <literal>~</literal> prefix) are configured, the negative list takes precedence over the positive list. Note
- that <command>systemd-nspawn</command> always implements a system call whitelist (as opposed to a blacklist),
- and this command line option hence adds or removes entries from the default whitelist, depending on the
- <literal>~</literal> prefix. Note that the applied system call filter is also altered implicitly if additional
- capabilities are passed using the <command>--capabilities=</command>.</para></listitem>
+ system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which
+ case all listed system calls are prohibited. If this command line option is used multiple times the
+ configured lists are combined. If both a positive and a negative list (that is one system call list
+ without and one with the <literal>~</literal> prefix) are configured, the negative list takes
+ precedence over the positive list. Note that <command>systemd-nspawn</command> always implements a
+ system call allow list (as opposed to a deny list!), and this command line option hence adds or
+ removes entries from the default allow list, depending on the <literal>~</literal> prefix. Note that
+ the applied system call filter is also altered implicitly if additional capabilities are passed using
+ the <command>--capabilities=</command>.</para></listitem>
</varlistentry>
<varlistentry>
<para>Finally, if set to <literal>auto</literal> the file is left as it is if private networking is
turned on (see <option>--private-network</option>). Otherwise, if
- <filename>systemd-resolved.service</filename> is connectible its stub
- <filename>resolv.conf</filename> file is used, and if not the host's
- <filename>/etc/resolv.conf</filename> file is used. In the latter cases the file is copied if the
- image is writable, and bind mounted otherwise.</para>
+ <filename>systemd-resolved.service</filename> is running its stub <filename>resolv.conf</filename>
+ file is used, and if not the host's <filename>/etc/resolv.conf</filename> file. In the latter cases
+ the file is copied if the image is writable, and bind mounted otherwise.</para>
<para>It's recommended to use <literal>copy-…</literal> or <literal>replace-…</literal> if the
container shall be able to make changes to the DNS configuration on its own, deviating from the
<varlistentry>
<term><option>--timezone=</option></term>
- <listitem><para>Configures how <filename>/etc/localtime</filename> inside of the container (i.e. local timezone
- synchronization from host to container) shall be handled. Takes one of <literal>off</literal>,
- <literal>copy</literal>, <literal>bind</literal>, <literal>symlink</literal>, <literal>delete</literal> or
- <literal>auto</literal>. If set to <literal>off</literal> the <filename>/etc/localtime</filename> file in the
- container is left as it is included in the image, and neither modified nor bind mounted over. If set to
- <literal>copy</literal> the <filename>/etc/localtime</filename> file of the host is copied into the
- container. Similar, if <literal>bind</literal> is used, it is bind mounted from the host into the container. If
- set to <literal>symlink</literal> a symlink from <filename>/etc/localtime</filename> in the container is
- created pointing to the matching the timezone file of the container that matches the timezone setting on the
- host. If set to <literal>delete</literal> the file in the container is deleted, should it exist. If set to
- <literal>auto</literal> and the <filename>/etc/localtime</filename> file of the host is a symlink, then
- <literal>symlink</literal> mode is used, and <literal>copy</literal> otherwise, except if the image is
- read-only in which case <literal>bind</literal> is used instead. Defaults to
+ <listitem><para>Configures how <filename>/etc/localtime</filename> inside of the container
+ (i.e. local timezone synchronization from host to container) shall be handled. Takes one of
+ <literal>off</literal>, <literal>copy</literal>, <literal>bind</literal>, <literal>symlink</literal>,
+ <literal>delete</literal> or <literal>auto</literal>. If set to <literal>off</literal> the
+ <filename>/etc/localtime</filename> file in the container is left as it is included in the image, and
+ neither modified nor bind mounted over. If set to <literal>copy</literal> the
+ <filename>/etc/localtime</filename> file of the host is copied into the container. Similarly, if
+ <literal>bind</literal> is used, the file is bind mounted from the host into the container. If set to
+ <literal>symlink</literal>, a symlink is created pointing from <filename>/etc/localtime</filename> in
+ the container to the timezone file in the container that matches the timezone setting on the host. If
+ set to <literal>delete</literal>, the file in the container is deleted, should it exist. If set to
+ <literal>auto</literal> and the <filename>/etc/localtime</filename> file of the host is a symlink,
+ then <literal>symlink</literal> mode is used, and <literal>copy</literal> otherwise, except if the
+ image is read-only in which case <literal>bind</literal> is used instead. Defaults to
<literal>auto</literal>.</para></listitem>
</varlistentry>
<para>This installs a minimal Fedora distribution into the
directory <filename index="false">/var/lib/machines/f&fedora_latest_version;</filename>
- and then boots an OS in a namespace container in it. Because the installation
+ and then boots that OS in a namespace container. Because the installation
is located underneath the standard <filename>/var/lib/machines/</filename>
directory, it is also possible to start the machine using
<command>systemd-nspawn -M f&fedora_latest_version;</command>.</para>
<para>This installs a minimal Debian unstable distribution into
the directory <filename>~/debian-tree/</filename> and then
- spawns a shell in a namespace container in it.</para>
+ spawns a shell from this image in a namespace container.</para>
<para><command>debootstrap</command> supports
<ulink url="https://www.debian.org">Debian</ulink>,
projects / thirdparty / systemd.git / blobdiff