[thirdparty/systemd.git] / man / systemd-nspawn.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">

<!--
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="systemd-nspawn">

        <refentryinfo>
                <title>systemd-nspawn</title>
                <productname>systemd</productname>

                <authorgroup>
                        <author>
                                <contrib>Developer</contrib>
                                <firstname>Lennart</firstname>
                                <surname>Poettering</surname>
                                <email>lennart@poettering.net</email>
                        </author>
                </authorgroup>
        </refentryinfo>

        <refmeta>
                <refentrytitle>systemd-nspawn</refentrytitle>
                <manvolnum>1</manvolnum>
        </refmeta>

        <refnamediv>
                <refname>systemd-nspawn</refname>
                <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
        </refnamediv>

        <refsynopsisdiv>
                <cmdsynopsis>
                        <command>systemd-nspawn</command>
                        <arg choice="opt" rep="repeat">OPTIONS</arg>
                        <arg choice="opt"><replaceable>COMMAND</replaceable>
                        <arg choice="opt" rep="repeat">ARGS</arg>
                        </arg>
                </cmdsynopsis>
                <cmdsynopsis>
                        <command>systemd-nspawn</command>
                        <arg choice="plain">-b</arg>
                        <arg choice="opt" rep="repeat">OPTIONS</arg>
                        <arg choice="opt" rep="repeat">ARGS</arg>
                </cmdsynopsis>
        </refsynopsisdiv>

        <refsect1>
                <title>Description</title>

                <para><command>systemd-nspawn</command> may be used to
                run a command or OS in a light-weight namespace
                container. In many ways it is similar to
                <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                but more powerful since it fully virtualizes the file
                system hierarchy, as well as the process tree, the
                various IPC subsystems and the host and domain
                name.</para>

                <para><command>systemd-nspawn</command> limits access
                to various kernel interfaces in the container to
                read-only, such as <filename>/sys</filename>,
                <filename>/proc/sys</filename> or
                <filename>/sys/fs/selinux</filename>. Network
                interfaces and the system clock may not be changed
                from within the container. Device nodes may not be
                created. The host system cannot be rebooted and kernel
                modules may not be loaded from within the
                container.</para>

                <para>Note that even though these security precautions
                are taken <command>systemd-nspawn</command> is not
                suitable for secure container setups. Many of the
                security features may be circumvented and are hence
                primarily useful to avoid accidental changes to the
                host system from the container. The intended use of
                this program is debugging and testing as well as
                building of packages, distributions and software
                involved with boot and systems management.</para>

                <para>In contrast to
                <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
                may be used to boot full Linux-based operating systems
                in a container.</para>

                <para>Use a tool like
                <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                or
                <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
                to set up an OS directory tree suitable as file system
                hierarchy for <command>systemd-nspawn</command>
                containers.</para>

                <para>Note that <command>systemd-nspawn</command> will
                mount file systems private to the container to
                <filename>/dev</filename>,
                <filename>/run</filename> and similar. These will
                not be visible outside of the container, and their
                contents will be lost when the container exits.</para>

                <para>Note that running two
                <command>systemd-nspawn</command> containers from the
                same directory tree will not make processes in them
                see each other. The PID namespace separation of the
                two containers is complete and the containers will
                share very few runtime objects except for the
                underlying file system. Use
                <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
                <command>login</command> command to request an
                additional login prompt in a running container.</para>

                <para><command>systemd-nspawn</command> implements the
                <ulink
                url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
                Interface</ulink> specification.</para>

                <para>As a safety check
                <command>systemd-nspawn</command> will verify the
                existence of <filename>/etc/os-release</filename> in
                the container tree before starting the container (see
                <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It
                might be necessary to add this file to the container
                tree manually if the OS of the container is too old to
                contain this file out-of-the-box.</para>
        </refsect1>

        <refsect1>
                <title>Incompatibility with Auditing</title>

                <para>Note that the kernel auditing subsystem is
                currently broken when used together with
                containers. We hence recommend turning it off entirely
                by booting with <literal>audit=0</literal> on the
                kernel command line, or by turning it off at kernel
                build time. If auditing is enabled in the kernel,
                operating systems booted in an nspawn container might
                refuse log-in attempts.</para>
        </refsect1>

        <refsect1>
                <title>Options</title>

                <para>If option <option>-b</option> is specified, the
                arguments are used as arguments for the init
                binary. Otherwise, <replaceable>COMMAND</replaceable>
                specifies the program to launch in the container, and
                the remaining arguments are used as arguments for this
                program. If <option>-b</option> is not used and no
                arguments are specifed, a shell is launched in the
                container.</para>

                <para>The following options are understood:</para>

                <variablelist>
                        <varlistentry>
                                <term><option>-h</option></term>
                                <term><option>--help</option></term>

                                <listitem><para>Prints a short help
                                text and exits.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>--version</option></term>

                                <listitem><para>Prints a version string
                                and exits.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>-D</option></term>
                                <term><option>--directory=</option></term>

                                <listitem><para>Directory to use as
                                file system root for the namespace
                                container. If omitted, the current
                                directory will be
                                used.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>-b</option></term>
                                <term><option>--boot</option></term>

                                <listitem><para>Automatically search
                                for an init binary and invoke it
                                instead of a shell or a user supplied
                                program. If this option is used, arguments
                                specified on the command line are used
                                as arguments for the init binary.
                                </para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>-u</option></term>
                                <term><option>--user=</option></term>

                                <listitem><para>Run the command
                                under specified user, create home
                                directory and cd into it. As rest
                                of systemd-nspawn, this is not
                                the security feature and limits
                                against accidental changes only.
                                </para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>-M</option></term>
                                <term><option>--machine=</option></term>

                                <listitem><para>Sets the machine name
                                for this container. This name may be
                                used to identify this container on the
                                host, and is used to initialize the
                                container's hostname (which the
                                container can choose to override,
                                however). If not specified, the last
                                component of the root directory of the
                                container is used.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>--slice=</option></term>

                                <listitem><para>Make the container
                                part of the specified slice, instead
                                of the
                                <filename>machine.slice</filename>.</para>
                                </listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>--uuid=</option></term>

                                <listitem><para>Set the specified UUID
                                for the container. The init system
                                will initialize
                                <filename>/etc/machine-id</filename>
                                from this if this file is not set yet.
                                </para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>--private-network</option></term>

                                <listitem><para>Turn off networking in
                                the container. This makes all network
                                interfaces unavailable in the
                                container, with the exception of the
                                loopback device.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>--read-only</option></term>

                                <listitem><para>Mount the root file
                                system read-only for the
                                container.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>--capability=</option></term>

                                <listitem><para>List one or more
                                additional capabilities to grant the
                                container. Takes a comma-separated
                                list of capability names, see
                                <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
                                for more information. Note that the
                                following capabilities will be granted
                                in any way: CAP_CHOWN,
                                CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
                                CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
                                CAP_KILL, CAP_LEASE,
                                CAP_LINUX_IMMUTABLE,
                                CAP_NET_BIND_SERVICE,
                                CAP_NET_BROADCAST, CAP_NET_RAW,
                                CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
                                CAP_SETUID, CAP_SYS_ADMIN,
                                CAP_SYS_CHROOT, CAP_SYS_NICE,
                                CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                CAP_SYS_RESOURCE, CAP_SYS_BOOT,
                                CAP_AUDIT_WRITE,
                                CAP_AUDIT_CONTROL.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>--drop-capability=</option></term>

                                <listitem><para>Specify one or more
                                additional capabilities to drop for
                                the container. This allows running the
                                container with fewer capabilities than
                                the default (see above).</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>--link-journal=</option></term>

                                <listitem><para>Control whether the
                                container's journal shall be made
                                visible to the host system. If enabled,
                                allows viewing the container's journal
                                files from the host (but not vice
                                versa). Takes one of
                                <literal>no</literal>,
                                <literal>host</literal>,
                                <literal>guest</literal>,
                                <literal>auto</literal>. If
                                <literal>no</literal>, the journal is
                                not linked. If <literal>host</literal>,
                                the journal files are stored on the
                                host file system (beneath
                                <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
                                and the subdirectory is bind-mounted
                                into the container at the same
                                location. If <literal>guest</literal>,
                                the journal files are stored on the
                                guest file system (beneath
                                <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
                                and the subdirectory is symlinked into the host
                                at the same location. If
                                <literal>auto</literal> (the default),
                                and the right subdirectory of
                                <filename>/var/log/journal</filename>
                                exists, it will be bind mounted
                                into the container. If the
                                subdirectory does not exist, no
                                linking is performed. Effectively,
                                booting a container once with
                                <literal>guest</literal> or
                                <literal>host</literal> will link the
                                journal persistently if further on
                                the default of <literal>auto</literal>
                                is used.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>-j</option></term>

                                <listitem><para>Equivalent to
                                <option>--link-journal=guest</option>.</para></listitem>
                        </varlistentry>

                        <varlistentry>
                                <term><option>--bind=</option></term>
                                <term><option>--bind-ro=</option></term>

                                <listitem><para>Bind mount a file or
                                directory from the host into the
                                container. Either takes a path
                                argument -- in which case the
                                specified path will be mounted from
                                the host to the same path in the
                                container --, or a colon-separated
                                pair of paths -- in which case the
                                first specified path is the source in
                                the host, and the second path is the
                                destination in the container. The
                                <option>--bind-ro=</option> option
                                creates read-only bind
                                mount.</para></listitem>
                        </varlistentry>
                </variablelist>

        </refsect1>

        <refsect1>
                <title>Example 1</title>

                <programlisting># yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
# systemd-nspawn -bD /srv/mycontainer</programlisting>

                <para>This installs a minimal Fedora distribution into
                the directory <filename noindex='true'>/srv/mycontainer/</filename> and
                then boots an OS in a namespace container in
                it.</para>
        </refsect1>

        <refsect1>
                <title>Example 2</title>

                <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
# systemd-nspawn -D ~/debian-tree/</programlisting>

                <para>This installs a minimal Debian unstable
                distribution into the directory
                <filename>~/debian-tree/</filename> and then spawns a
                shell in a namespace container in it.</para>
        </refsect1>

        <refsect1>
                <title>Example 3</title>

                <programlisting># pacstrap -c -d ~/arch-tree/ base
# systemd-nspawn -bD ~/arch-tree/</programlisting>

                <para>This installs a mimimal Arch Linux distribution into
                the directory <filename>~/arch-tree/</filename> and then
                boots an OS in a namespace container in it.</para>
        </refsect1>

        <refsect1>
                <title>Example 4</title>

                <programlisting># mv ~/arch-tree /var/lib/container/arch
# systemctl enable systemd-nspawn@arch.service
# systemctl start systemd-nspawn@arch.service</programlisting>

                <para>This makes the Arch Linux container part of the
                <filename>multi-user.target</filename> on the host.
                </para>
        </refsect1>

        <refsect1>
                <title>Exit status</title>

                <para>The exit code of the program executed in the
                container is returned.</para>
        </refsect1>

        <refsect1>
                <title>See Also</title>
                <para>
                        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
                        <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
                </para>
        </refsect1>

</refentry>
Commit	Line	Data
8f7a3c14 LP	1	<?xml version='1.0'?> <!---nxml--->
	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
	4
	5	<!--
	6	This file is part of systemd.
	7
	8	Copyright 2010 Lennart Poettering
	9
	10	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	11	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	12	the Free Software Foundation; either version 2.1 of the License, or
8f7a3c14 LP	13	(at your option) any later version.
	14
	15	systemd is distributed in the hope that it will be useful, but
	16	WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	18	Lesser General Public License for more details.
8f7a3c14	19
5430f7f2	20	You should have received a copy of the GNU Lesser General Public License
8f7a3c14 LP	21	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	22	-->
	23
	24	<refentry id="systemd-nspawn">
	25
	26	<refentryinfo>
	27	<title>systemd-nspawn</title>
	28	<productname>systemd</productname>
	29
	30	<authorgroup>
	31	<author>
	32	<contrib>Developer</contrib>
	33	<firstname>Lennart</firstname>
	34	<surname>Poettering</surname>
	35	<email>lennart@poettering.net</email>
	36	</author>
	37	</authorgroup>
	38	</refentryinfo>
	39
	40	<refmeta>
	41	<refentrytitle>systemd-nspawn</refentrytitle>
	42	<manvolnum>1</manvolnum>
	43	</refmeta>
	44
	45	<refnamediv>
	46	<refname>systemd-nspawn</refname>
	47	<refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
	48	</refnamediv>
	49
	50	<refsynopsisdiv>
	51	<cmdsynopsis>
1fd96121 ZJS	52	<command>systemd-nspawn</command>
1fd96121 ZJS	53	<arg choice="opt" rep="repeat">OPTIONS</arg>
870c4365 ZJS	54	<arg choice="opt"><replaceable>COMMAND</replaceable>
	55	<arg choice="opt" rep="repeat">ARGS</arg>
	56	</arg>
	57	</cmdsynopsis>
	58	<cmdsynopsis>
	59	<command>systemd-nspawn</command>
	60	<arg choice="plain">-b</arg>
	61	<arg choice="opt" rep="repeat">OPTIONS</arg>
1fd96121	62	<arg choice="opt" rep="repeat">ARGS</arg>
8f7a3c14 LP	63	</cmdsynopsis>
	64	</refsynopsisdiv>
	65
	66	<refsect1>
	67	<title>Description</title>
	68
	69	<para><command>systemd-nspawn</command> may be used to
	70	run a command or OS in a light-weight namespace
	71	container. In many ways it is similar to
	72	<citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	73	but more powerful since it fully virtualizes the file
9f7dad77	74	system hierarchy, as well as the process tree, the
8f7a3c14 LP	75	various IPC subsystems and the host and domain
	76	name.</para>
	77
	78	<para><command>systemd-nspawn</command> limits access
	79	to various kernel interfaces in the container to
	80	read-only, such as <filename>/sys</filename>,
	81	<filename>/proc/sys</filename> or
4f755fc6 LP	82	<filename>/sys/fs/selinux</filename>. Network
	83	interfaces and the system clock may not be changed
	84	from within the container. Device nodes may not be
	85	created. The host system cannot be rebooted and kernel
	86	modules may not be loaded from within the
	87	container.</para>
8f7a3c14 LP	88
	89	<para>Note that even though these security precautions
	90	are taken <command>systemd-nspawn</command> is not
	91	suitable for secure container setups. Many of the
	92	security features may be circumvented and are hence
	93	primarily useful to avoid accidental changes to the
	94	host system from the container. The intended use of
	95	this program is debugging and testing as well as
	96	building of packages, distributions and software
	97	involved with boot and systems management.</para>
	98
	99	<para>In contrast to
04ac7992 ZJS	100	<citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
	101	may be used to boot full Linux-based operating systems
	102	in a container.</para>
8f7a3c14 LP	103
8f7a3c14 LP	104	<para>Use a tool like
4d62fb42	105	<citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
04ac7992	106	<citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
4d62fb42 LP	107	or
4d62fb42 LP	108	<citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
8f7a3c14	109	to set up an OS directory tree suitable as file system
25f5971b LP	110	hierarchy for <command>systemd-nspawn</command>
25f5971b LP	111	containers.</para>
8f7a3c14 LP	112
	113	<para>Note that <command>systemd-nspawn</command> will
	114	mount file systems private to the container to
	115	<filename>/dev</filename>,
2b583ce6	116	<filename>/run</filename> and similar. These will
8f7a3c14 LP	117	not be visible outside of the container, and their
	118	contents will be lost when the container exits.</para>
	119
	120	<para>Note that running two
	121	<command>systemd-nspawn</command> containers from the
	122	same directory tree will not make processes in them
9f7dad77	123	see each other. The PID namespace separation of the
8f7a3c14 LP	124	two containers is complete and the containers will
8f7a3c14 LP	125	share very few runtime objects except for the
04d39279 LP	126	underlying file system. Use
	127	<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
	128	<command>login</command> command to request an
	129	additional login prompt in a running container.</para>
99800333 LP	130
	131	<para><command>systemd-nspawn</command> implements the
	132	<ulink
	133	url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
	134	Interface</ulink> specification.</para>
f8964235 LP	135
	136	<para>As a safety check
	137	<command>systemd-nspawn</command> will verify the
fb69ed55	138	existence of <filename>/etc/os-release</filename> in
f8964235 LP	139	the container tree before starting the container (see
	140	<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It
	141	might be necessary to add this file to the container
	142	tree manually if the OS of the container is too old to
	143	contain this file out-of-the-box.</para>
77b6e194 LP	144	</refsect1>
	145
	146	<refsect1>
	147	<title>Incompatibility with Auditing</title>
2aba426f LP	148
	149	<para>Note that the kernel auditing subsystem is
	150	currently broken when used together with
	151	containers. We hence recommend turning it off entirely
77b6e194 LP	152	by booting with <literal>audit=0</literal> on the
77b6e194 LP	153	kernel command line, or by turning it off at kernel
79640424	154	build time. If auditing is enabled in the kernel,
77b6e194 LP	155	operating systems booted in an nspawn container might
77b6e194 LP	156	refuse log-in attempts.</para>
8f7a3c14 LP	157	</refsect1>
	158
	159	<refsect1>
	160	<title>Options</title>
	161
870c4365 ZJS	162	<para>If option <option>-b</option> is specified, the
	163	arguments are used as arguments for the init
	164	binary. Otherwise, <replaceable>COMMAND</replaceable>
	165	specifies the program to launch in the container, and
	166	the remaining arguments are used as arguments for this
	167	program. If <option>-b</option> is not used and no
	168	arguments are specifed, a shell is launched in the
	169	container.</para>
	170
	171	<para>The following options are understood:</para>
8f7a3c14 LP	172
	173	<variablelist>
	174	<varlistentry>
a41fe3a2	175	<term><option>-h</option></term>
a7f5bb1e	176	<term><option>--help</option></term>
8f7a3c14 LP	177
	178	<listitem><para>Prints a short help
	179	text and exits.</para></listitem>
	180	</varlistentry>
	181
acbeb427 ZJS	182	<varlistentry>
	183	<term><option>--version</option></term>
	184
	185	<listitem><para>Prints a version string
	186	and exits.</para></listitem>
	187	</varlistentry>
	188
8f7a3c14	189	<varlistentry>
ab1f0633	190	<term><option>-D</option></term>
a7f5bb1e	191	<term><option>--directory=</option></term>
8f7a3c14 LP	192
	193	<listitem><para>Directory to use as
	194	file system root for the namespace
79640424	195	container. If omitted, the current
8f7a3c14 LP	196	directory will be
	197	used.</para></listitem>
	198	</varlistentry>
	199
0f0dbc46	200	<varlistentry>
0f0dbc46	201	<term><option>-b</option></term>
a7f5bb1e	202	<term><option>--boot</option></term>
0f0dbc46 LP	203
	204	<listitem><para>Automatically search
	205	for an init binary and invoke it
	206	instead of a shell or a user supplied
870c4365 ZJS	207	program. If this option is used, arguments
	208	specified on the command line are used
	209	as arguments for the init binary.
	210	</para></listitem>
0f0dbc46 LP	211	</varlistentry>
0f0dbc46 LP	212
687d0825	213	<varlistentry>
4f755fc6	214	<term><option>-u</option></term>
a7f5bb1e	215	<term><option>--user=</option></term>
687d0825 MV	216
	217	<listitem><para>Run the command
	218	under specified user, create home
	219	directory and cd into it. As rest
	220	of systemd-nspawn, this is not
	221	the security feature and limits
	222	against accidental changes only.
	223	</para></listitem>
	224	</varlistentry>
	225
7027ff61 LP	226	<varlistentry>
	227	<term><option>-M</option></term>
	228	<term><option>--machine=</option></term>
	229
	230	<listitem><para>Sets the machine name
	231	for this container. This name may be
	232	used to identify this container on the
	233	host, and is used to initialize the
	234	container's hostname (which the
	235	container can choose to override,
79640424	236	however). If not specified, the last
7027ff61 LP	237	component of the root directory of the
	238	container is used.</para></listitem>
	239	</varlistentry>
	240
431c72dc LP	241	<varlistentry>
	242	<term><option>--slice=</option></term>
	243
	244	<listitem><para>Make the container
	245	part of the specified slice, instead
	246	of the
	247	<filename>machine.slice</filename>.</para>
	248	</listitem>
	249	</varlistentry>
	250
144f0fc0 LP	251	<varlistentry>
	252	<term><option>--uuid=</option></term>
	253
e9dd9f95	254	<listitem><para>Set the specified UUID
144f0fc0 LP	255	for the container. The init system
	256	will initialize
	257	<filename>/etc/machine-id</filename>
	258	from this if this file is not set yet.
	259	</para></listitem>
	260	</varlistentry>
	261
a41fe3a2	262	<varlistentry>
ff01d048	263	<term><option>--private-network</option></term>
a41fe3a2 LP	264
	265	<listitem><para>Turn off networking in
	266	the container. This makes all network
	267	interfaces unavailable in the
	268	container, with the exception of the
	269	loopback device.</para></listitem>
	270	</varlistentry>
	271
bc2f673e LP	272	<varlistentry>
	273	<term><option>--read-only</option></term>
	274
	275	<listitem><para>Mount the root file
e9dd9f95	276	system read-only for the
bc2f673e LP	277	container.</para></listitem>
	278	</varlistentry>
	279
5076f0cc LP	280	<varlistentry>
	281	<term><option>--capability=</option></term>
	282
	283	<listitem><para>List one or more
	284	additional capabilities to grant the
e9dd9f95	285	container. Takes a comma-separated
5076f0cc LP	286	list of capability names, see
	287	<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
	288	for more information. Note that the
88d04e31 LP	289	following capabilities will be granted
88d04e31 LP	290	in any way: CAP_CHOWN,
5076f0cc LP	291	CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
	292	CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
	293	CAP_KILL, CAP_LEASE,
	294	CAP_LINUX_IMMUTABLE,
	295	CAP_NET_BIND_SERVICE,
	296	CAP_NET_BROADCAST, CAP_NET_RAW,
	297	CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
	298	CAP_SETUID, CAP_SYS_ADMIN,
	299	CAP_SYS_CHROOT, CAP_SYS_NICE,
	300	CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
88d04e31 LP	301	CAP_SYS_RESOURCE, CAP_SYS_BOOT,
	302	CAP_AUDIT_WRITE,
	303	CAP_AUDIT_CONTROL.</para></listitem>
5076f0cc LP	304	</varlistentry>
5076f0cc LP	305
420c7379 LP	306	<varlistentry>
	307	<term><option>--drop-capability=</option></term>
	308
	309	<listitem><para>Specify one or more
	310	additional capabilities to drop for
	311	the container. This allows running the
	312	container with fewer capabilities than
	313	the default (see above).</para></listitem>
	314	</varlistentry>
	315
57fb9fb5 LP	316	<varlistentry>
	317	<term><option>--link-journal=</option></term>
	318
	319	<listitem><para>Control whether the
	320	container's journal shall be made
79640424	321	visible to the host system. If enabled,
57fb9fb5 LP	322	allows viewing the container's journal
	323	files from the host (but not vice
	324	versa). Takes one of
	325	<literal>no</literal>,
	326	<literal>host</literal>,
	327	<literal>guest</literal>,
	328	<literal>auto</literal>. If
27407a01 ZJS	329	<literal>no</literal>, the journal is
27407a01 ZJS	330	not linked. If <literal>host</literal>,
57fb9fb5	331	the journal files are stored on the
27407a01	332	host file system (beneath
e670b166	333	<filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
27407a01	334	and the subdirectory is bind-mounted
57fb9fb5	335	into the container at the same
27407a01	336	location. If <literal>guest</literal>,
57fb9fb5	337	the journal files are stored on the
27407a01	338	guest file system (beneath
e670b166	339	<filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
27407a01	340	and the subdirectory is symlinked into the host
57fb9fb5	341	at the same location. If
27407a01 ZJS	342	<literal>auto</literal> (the default),
27407a01 ZJS	343	and the right subdirectory of
57fb9fb5	344	<filename>/var/log/journal</filename>
27407a01 ZJS	345	exists, it will be bind mounted
27407a01 ZJS	346	into the container. If the
6b4991cf	347	subdirectory does not exist, no
27407a01 ZJS	348	linking is performed. Effectively,
27407a01 ZJS	349	booting a container once with
57fb9fb5 LP	350	<literal>guest</literal> or
57fb9fb5 LP	351	<literal>host</literal> will link the
27407a01	352	journal persistently if further on
57fb9fb5 LP	353	the default of <literal>auto</literal>
	354	is used.</para></listitem>
	355	</varlistentry>
	356
	357	<varlistentry>
	358	<term><option>-j</option></term>
	359
	360	<listitem><para>Equivalent to
	361	<option>--link-journal=guest</option>.</para></listitem>
	362	</varlistentry>
17fe0523 LP	363
	364	<varlistentry>
	365	<term><option>--bind=</option></term>
	366	<term><option>--bind-ro=</option></term>
	367
	368	<listitem><para>Bind mount a file or
	369	directory from the host into the
	370	container. Either takes a path
	371	argument -- in which case the
	372	specified path will be mounted from
	373	the host to the same path in the
	374	container --, or a colon-separated
	375	pair of paths -- in which case the
	376	first specified path is the source in
	377	the host, and the second path is the
	378	destination in the container. The
	379	<option>--bind-ro=</option> option
	380	creates read-only bind
	381	mount.</para></listitem>
	382	</varlistentry>
8f7a3c14 LP	383	</variablelist>
	384
	385	</refsect1>
	386
	387	<refsect1>
	388	<title>Example 1</title>
	389
2b3987a8 LP	390	<programlisting># yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
2b3987a8 LP	391	# systemd-nspawn -bD /srv/mycontainer</programlisting>
8f7a3c14	392
25f5971b	393	<para>This installs a minimal Fedora distribution into
845c5324	394	the directory <filename noindex='true'>/srv/mycontainer/</filename> and
2b3987a8 LP	395	then boots an OS in a namespace container in
2b3987a8 LP	396	it.</para>
8f7a3c14 LP	397	</refsect1>
	398
	399	<refsect1>
	400	<title>Example 2</title>
	401
25f5971b LP	402	<programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
25f5971b LP	403	# systemd-nspawn -D ~/debian-tree/</programlisting>
8f7a3c14	404
25f5971b LP	405	<para>This installs a minimal Debian unstable
	406	distribution into the directory
	407	<filename>~/debian-tree/</filename> and then spawns a
	408	shell in a namespace container in it.</para>
8f7a3c14 LP	409	</refsect1>
8f7a3c14 LP	410
68562936 WG	411	<refsect1>
	412	<title>Example 3</title>
	413
	414	<programlisting># pacstrap -c -d ~/arch-tree/ base
	415	# systemd-nspawn -bD ~/arch-tree/</programlisting>
	416
	417	<para>This installs a mimimal Arch Linux distribution into
	418	the directory <filename>~/arch-tree/</filename> and then
	419	boots an OS in a namespace container in it.</para>
	420	</refsect1>
	421
9cb74bcb ZJS	422	<refsect1>
	423	<title>Example 4</title>
	424
	425	<programlisting># mv ~/arch-tree /var/lib/container/arch
	426	# systemctl enable systemd-nspawn@arch.service
	427	# systemctl start systemd-nspawn@arch.service</programlisting>
	428
	429	<para>This makes the Arch Linux container part of the
	430	<filename>multi-user.target</filename> on the host.
	431	</para>
	432	</refsect1>
	433
8f7a3c14 LP	434	<refsect1>
	435	<title>Exit status</title>
	436
	437	<para>The exit code of the program executed in the
	438	container is returned.</para>
	439	</refsect1>
	440
	441	<refsect1>
	442	<title>See Also</title>
	443	<para>
	444	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	445	<citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
25f5971b	446	<citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
4d62fb42	447	<citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
431c72dc	448	<citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
04d39279 LP	449	<citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
04d39279 LP	450	<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
8f7a3c14 LP	451	</para>
	452	</refsect1>
	453
	454	</refentry>