projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 8f7a3c14 LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
| 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" | |
| 12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
| 8f7a3c14 LP |
4 | |
| 5 | <!-- | |
| 6 | This file is part of systemd. | |
| 7 | ||
| 8 | Copyright 2010 Lennart Poettering | |
| 9 | ||
| 10 | systemd is free software; you can redistribute it and/or modify it | |
| 5430f7f2 LP |
11 | under the terms of the GNU Lesser General Public License as published by |
| 12 | the Free Software Foundation; either version 2.1 of the License, or | |
| 8f7a3c14 LP |
13 | (at your option) any later version. |
| 14 | ||
| 15 | systemd is distributed in the hope that it will be useful, but | |
| 16 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 5430f7f2 | 18 | Lesser General Public License for more details. |
| 8f7a3c14 | 19 | |
| 5430f7f2 | 20 | You should have received a copy of the GNU Lesser General Public License |
| 8f7a3c14 LP |
21 | along with systemd; If not, see <http://www.gnu.org/licenses/>. |
| 22 | --> | |
| 23 | ||
| dfdebb1b | 24 | <refentry id="systemd-nspawn" |
| 798d3a52 ZJS |
25 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
| 26 | ||
| 27 | <refentryinfo> | |
| 28 | <title>systemd-nspawn</title> | |
| 29 | <productname>systemd</productname> | |
| 30 | ||
| 31 | <authorgroup> | |
| 32 | <author> | |
| 33 | <contrib>Developer</contrib> | |
| 34 | <firstname>Lennart</firstname> | |
| 35 | <surname>Poettering</surname> | |
| 36 | <email>lennart@poettering.net</email> | |
| 37 | </author> | |
| 38 | </authorgroup> | |
| 39 | </refentryinfo> | |
| 40 | ||
| 41 | <refmeta> | |
| 42 | <refentrytitle>systemd-nspawn</refentrytitle> | |
| 43 | <manvolnum>1</manvolnum> | |
| 44 | </refmeta> | |
| 45 | ||
| 46 | <refnamediv> | |
| 47 | <refname>systemd-nspawn</refname> | |
| 48 | <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose> | |
| 49 | </refnamediv> | |
| 50 | ||
| 51 | <refsynopsisdiv> | |
| 52 | <cmdsynopsis> | |
| 53 | <command>systemd-nspawn</command> | |
| 54 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
| 55 | <arg choice="opt"><replaceable>COMMAND</replaceable> | |
| 56 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 57 | </arg> | |
| 58 | </cmdsynopsis> | |
| 59 | <cmdsynopsis> | |
| 60 | <command>systemd-nspawn</command> | |
| 61 | <arg choice="plain">-b</arg> | |
| 62 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
| 63 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 64 | </cmdsynopsis> | |
| 65 | </refsynopsisdiv> | |
| 66 | ||
| 67 | <refsect1> | |
| 68 | <title>Description</title> | |
| 69 | ||
| 70 | <para><command>systemd-nspawn</command> may be used to run a | |
| 71 | command or OS in a light-weight namespace container. In many ways | |
| 72 | it is similar to | |
| 73 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 74 | but more powerful since it fully virtualizes the file system | |
| 75 | hierarchy, as well as the process tree, the various IPC subsystems | |
| 76 | and the host and domain name.</para> | |
| 77 | ||
| 78 | <para><command>systemd-nspawn</command> limits access to various | |
| 79 | kernel interfaces in the container to read-only, such as | |
| 80 | <filename>/sys</filename>, <filename>/proc/sys</filename> or | |
| 81 | <filename>/sys/fs/selinux</filename>. Network interfaces and the | |
| 82 | system clock may not be changed from within the container. Device | |
| 83 | nodes may not be created. The host system cannot be rebooted and | |
| 84 | kernel modules may not be loaded from within the container.</para> | |
| 85 | ||
| 86 | <para>Note that even though these security precautions are taken | |
| 7de7ee62 | 87 | <command>systemd-nspawn</command> is not suitable for fully secure |
| 798d3a52 ZJS |
88 | container setups. Many of the security features may be |
| 89 | circumvented and are hence primarily useful to avoid accidental | |
| 7de7ee62 | 90 | changes to the host system from the container.</para> |
| 798d3a52 ZJS |
91 | |
| 92 | <para>In contrast to | |
| 93 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command> | |
| 94 | may be used to boot full Linux-based operating systems in a | |
| 95 | container.</para> | |
| 96 | ||
| 97 | <para>Use a tool like | |
| 98 | <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 99 | <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 100 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 101 | or | |
| 102 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 103 | to set up an OS directory tree suitable as file system hierarchy | |
| 104 | for <command>systemd-nspawn</command> containers.</para> | |
| 105 | ||
| 106 | <para>Note that <command>systemd-nspawn</command> will mount file | |
| 107 | systems private to the container to <filename>/dev</filename>, | |
| 108 | <filename>/run</filename> and similar. These will not be visible | |
| 109 | outside of the container, and their contents will be lost when the | |
| 110 | container exits.</para> | |
| 111 | ||
| 112 | <para>Note that running two <command>systemd-nspawn</command> | |
| 113 | containers from the same directory tree will not make processes in | |
| 114 | them see each other. The PID namespace separation of the two | |
| 115 | containers is complete and the containers will share very few | |
| 116 | runtime objects except for the underlying file system. Use | |
| 117 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
| 118 | <command>login</command> command to request an additional login | |
| 119 | prompt in a running container.</para> | |
| 120 | ||
| 121 | <para><command>systemd-nspawn</command> implements the | |
| 122 | <ulink | |
| 123 | url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container | |
| 124 | Interface</ulink> specification.</para> | |
| 125 | ||
| 126 | <para>As a safety check <command>systemd-nspawn</command> will | |
| 127 | verify the existence of <filename>/usr/lib/os-release</filename> | |
| 128 | or <filename>/etc/os-release</filename> in the container tree | |
| 129 | before starting the container (see | |
| 130 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). | |
| 131 | It might be necessary to add this file to the container tree | |
| 132 | manually if the OS of the container is too old to contain this | |
| 133 | file out-of-the-box.</para> | |
| 134 | </refsect1> | |
| 135 | ||
| 136 | <refsect1> | |
| 137 | <title>Options</title> | |
| 138 | ||
| 139 | <para>If option <option>-b</option> is specified, the arguments | |
| 140 | are used as arguments for the init binary. Otherwise, | |
| 141 | <replaceable>COMMAND</replaceable> specifies the program to launch | |
| 142 | in the container, and the remaining arguments are used as | |
| 143 | arguments for this program. If <option>-b</option> is not used and | |
| ff9b60f3 | 144 | no arguments are specified, a shell is launched in the |
| 798d3a52 ZJS |
145 | container.</para> |
| 146 | ||
| 147 | <para>The following options are understood:</para> | |
| 148 | ||
| 149 | <variablelist> | |
| 150 | <varlistentry> | |
| 151 | <term><option>-D</option></term> | |
| 152 | <term><option>--directory=</option></term> | |
| 153 | ||
| 154 | <listitem><para>Directory to use as file system root for the | |
| 155 | container.</para> | |
| 156 | ||
| 157 | <para>If neither <option>--directory=</option>, nor | |
| 158 | <option>--image=</option> is specified the directory is | |
| 159 | determined as <filename>/var/lib/machines/</filename> suffixed | |
| 160 | by the machine name as specified with | |
| 161 | <option>--machine=</option>. If neither | |
| 162 | <option>--directory=</option>, <option>--image=</option>, nor | |
| 163 | <option>--machine=</option> are specified, the current | |
| 164 | directory will be used. May not be specified together with | |
| 165 | <option>--image=</option>.</para></listitem> | |
| 166 | </varlistentry> | |
| 167 | ||
| 168 | <varlistentry> | |
| 169 | <term><option>--template=</option></term> | |
| 170 | ||
| 171 | <listitem><para>Directory or <literal>btrfs</literal> | |
| 172 | subvolume to use as template for the container's root | |
| 173 | directory. If this is specified and the container's root | |
| 174 | directory (as configured by <option>--directory=</option>) | |
| 175 | does not yet exist it is created as <literal>btrfs</literal> | |
| 176 | subvolume and populated from this template tree. Ideally, the | |
| 177 | specified template path refers to the root of a | |
| 178 | <literal>btrfs</literal> subvolume, in which case a simple | |
| 179 | copy-on-write snapshot is taken, and populating the root | |
| 180 | directory is instant. If the specified template path does not | |
| 181 | refer to the root of a <literal>btrfs</literal> subvolume (or | |
| 182 | not even to a <literal>btrfs</literal> file system at all), | |
| 183 | the tree is copied, which can be substantially more | |
| 184 | time-consuming. Note that if this option is used the | |
| 185 | container's root directory (in contrast to the template | |
| 186 | directory!) must be located on a <literal>btrfs</literal> file | |
| 187 | system, so that the <literal>btrfs</literal> subvolume may be | |
| 188 | created. May not be specified together with | |
| 189 | <option>--image=</option> or | |
| 3fe22bb4 LP |
190 | <option>--ephemeral</option>.</para> |
| 191 | ||
| 192 | <para>Note that this switch leaves host name, machine ID and | |
| 193 | all other settings that could identify the instance | |
| 194 | unmodified.</para></listitem> | |
| 798d3a52 ZJS |
195 | </varlistentry> |
| 196 | ||
| 197 | <varlistentry> | |
| 198 | <term><option>-x</option></term> | |
| 199 | <term><option>--ephemeral</option></term> | |
| 200 | ||
| 201 | <listitem><para>If specified, the container is run with a | |
| 202 | temporary <literal>btrfs</literal> snapshot of its root | |
| 203 | directory (as configured with <option>--directory=</option>), | |
| 204 | that is removed immediately when the container terminates. | |
| 205 | This option is only supported if the root file system is | |
| 206 | <literal>btrfs</literal>. May not be specified together with | |
| 207 | <option>--image=</option> or | |
| 3fe22bb4 LP |
208 | <option>--template=</option>.</para> |
| 209 | <para>Note that this switch leaves host name, machine ID and | |
| 210 | all other settings that could identify the instance | |
| 211 | unmodified.</para></listitem> | |
| 798d3a52 ZJS |
212 | </varlistentry> |
| 213 | ||
| 214 | <varlistentry> | |
| 215 | <term><option>-i</option></term> | |
| 216 | <term><option>--image=</option></term> | |
| 217 | ||
| 218 | <listitem><para>Disk image to mount the root directory for the | |
| 219 | container from. Takes a path to a regular file or to a block | |
| 220 | device node. The file or block device must contain | |
| 221 | either:</para> | |
| 222 | ||
| 223 | <itemizedlist> | |
| 224 | <listitem><para>An MBR partition table with a single | |
| 225 | partition of type 0x83 that is marked | |
| 226 | bootable.</para></listitem> | |
| 227 | ||
| 228 | <listitem><para>A GUID partition table (GPT) with a single | |
| 229 | partition of type | |
| 230 | 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem> | |
| 231 | ||
| 232 | <listitem><para>A GUID partition table (GPT) with a marked | |
| 233 | root partition which is mounted as the root directory of the | |
| 234 | container. Optionally, GPT images may contain a home and/or | |
| 235 | a server data partition which are mounted to the appropriate | |
| 236 | places in the container. All these partitions must be | |
| 237 | identified by the partition types defined by the <ulink | |
| 238 | url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable | |
| 239 | Partitions Specification</ulink>.</para></listitem> | |
| 240 | </itemizedlist> | |
| 241 | ||
| 242 | <para>Any other partitions, such as foreign partitions, swap | |
| 243 | partitions or EFI system partitions are not mounted. May not | |
| 244 | be specified together with <option>--directory=</option>, | |
| 245 | <option>--template=</option> or | |
| 246 | <option>--ephemeral</option>.</para></listitem> | |
| 247 | </varlistentry> | |
| 248 | ||
| 249 | <varlistentry> | |
| 250 | <term><option>-b</option></term> | |
| 251 | <term><option>--boot</option></term> | |
| 252 | ||
| 253 | <listitem><para>Automatically search for an init binary and | |
| 254 | invoke it instead of a shell or a user supplied program. If | |
| 255 | this option is used, arguments specified on the command line | |
| 256 | are used as arguments for the init binary. This option may not | |
| 257 | be combined with <option>--share-system</option>. | |
| 258 | </para></listitem> | |
| 259 | </varlistentry> | |
| 260 | ||
| 261 | <varlistentry> | |
| 262 | <term><option>-u</option></term> | |
| 263 | <term><option>--user=</option></term> | |
| 264 | ||
| 265 | <listitem><para>After transitioning into the container, change | |
| 266 | to the specified user-defined in the container's user | |
| 267 | database. Like all other systemd-nspawn features, this is not | |
| 268 | a security feature and provides protection against accidental | |
| 269 | destructive operations only.</para></listitem> | |
| 270 | </varlistentry> | |
| 271 | ||
| 272 | <varlistentry> | |
| 273 | <term><option>-M</option></term> | |
| 274 | <term><option>--machine=</option></term> | |
| 275 | ||
| 276 | <listitem><para>Sets the machine name for this container. This | |
| 277 | name may be used to identify this container during its runtime | |
| 278 | (for example in tools like | |
| 279 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 280 | and similar), and is used to initialize the container's | |
| 281 | hostname (which the container can choose to override, | |
| 282 | however). If not specified, the last component of the root | |
| 283 | directory path of the container is used, possibly suffixed | |
| 284 | with a random identifier in case <option>--ephemeral</option> | |
| 285 | mode is selected. If the root directory selected is the host's | |
| 286 | root directory the host's hostname is used as default | |
| 287 | instead.</para></listitem> | |
| 288 | </varlistentry> | |
| 289 | ||
| 290 | <varlistentry> | |
| 291 | <term><option>--uuid=</option></term> | |
| 292 | ||
| 293 | <listitem><para>Set the specified UUID for the container. The | |
| 294 | init system will initialize | |
| 295 | <filename>/etc/machine-id</filename> from this if this file is | |
| 296 | not set yet. </para></listitem> | |
| 297 | </varlistentry> | |
| 298 | ||
| 299 | <varlistentry> | |
| 300 | <term><option>--slice=</option></term> | |
| 301 | ||
| 302 | <listitem><para>Make the container part of the specified | |
| 303 | slice, instead of the default | |
| f36933fe LP |
304 | <filename>machine.slice</filename>. This is only applies if |
| 305 | the machine is run in its own scope unit, i.e. if | |
| 306 | <option>--keep-unit</option> is not used.</para> | |
| 307 | </listitem> | |
| 308 | </varlistentry> | |
| 309 | ||
| 310 | <varlistentry> | |
| 311 | <term><option>--property=</option></term> | |
| 312 | ||
| 313 | <listitem><para>Set a unit property on the scope unit to | |
| 314 | register for the machine. This only applies if the machine is | |
| 315 | run in its own scope unit, i.e. if | |
| 316 | <option>--keep-unit</option> is not used. Takes unit property | |
| 317 | assignments in the same format as <command>systemctl | |
| 318 | set-property</command>. This is useful to set memory limits | |
| 319 | and similar for machines.</para> | |
| 798d3a52 ZJS |
320 | </listitem> |
| 321 | </varlistentry> | |
| 322 | ||
| 03cfe0d5 LP |
323 | <varlistentry> |
| 324 | <term><option>--private-users=</option></term> | |
| 325 | ||
| 326 | <listitem><para>Enables user namespacing. If enabled the | |
| 327 | container will run with its own private set of Unix user and | |
| 328 | group ids (UIDs and GIDs). Takes none, one or two | |
| 329 | colon-separated parameters: the first parameter specifies the | |
| 330 | first host UID to assign to the container, the second | |
| 331 | parameter specifies the number of host UIDs to assign to the | |
| 332 | container. If the second parameter is omitted, 65536 UIDs are | |
| 7c918141 | 333 | assigned. If the first parameter is also omitted (and hence |
| 03cfe0d5 LP |
334 | no parameter passed at all), the first UID assigned to the |
| 335 | container is read from the owner of the root directory of the | |
| 336 | container's directory tree. By default no user namespacing is | |
| 337 | applied.</para> | |
| 338 | ||
| 339 | <para>Note that user namespacing currently requires OS trees | |
| 340 | that are prepared for the UID shift that is being applied: | |
| 341 | UIDs and GIDs used for file ownership or in file ACL entries | |
| 342 | must be shifted to the container UID base that is | |
| 343 | used during container runtime.</para> | |
| 344 | ||
| 345 | <para>It is recommended to assign as least 65536 UIDs to each | |
| 346 | container, so that the usable UID range in the container | |
| 347 | covers 16bit. For best security do not assign overlapping UID | |
| 348 | ranges to multiple containers. It is hence a good idea to use | |
| 349 | the upper 16bit of the host 32bit UIDs as container | |
| 350 | identifier, while the lower 16bit encode the container UID | |
| 351 | used.</para> | |
| 352 | ||
| 353 | <para>When user namespaces are used the GID range assigned to | |
| 354 | each container is always chosen identical to the UID | |
| 355 | range.</para></listitem> | |
| 356 | </varlistentry> | |
| 357 | ||
| 358 | ||
| 798d3a52 ZJS |
359 | <varlistentry> |
| 360 | <term><option>--private-network</option></term> | |
| 361 | ||
| 362 | <listitem><para>Disconnect networking of the container from | |
| 363 | the host. This makes all network interfaces unavailable in the | |
| 364 | container, with the exception of the loopback device and those | |
| 365 | specified with <option>--network-interface=</option> and | |
| 366 | configured with <option>--network-veth</option>. If this | |
| 367 | option is specified, the CAP_NET_ADMIN capability will be | |
| 368 | added to the set of capabilities the container retains. The | |
| 369 | latter may be disabled by using | |
| 370 | <option>--drop-capability=</option>.</para></listitem> | |
| 371 | </varlistentry> | |
| 372 | ||
| 373 | <varlistentry> | |
| 374 | <term><option>--network-interface=</option></term> | |
| 375 | ||
| 376 | <listitem><para>Assign the specified network interface to the | |
| 377 | container. This will remove the specified interface from the | |
| 378 | calling namespace and place it in the container. When the | |
| 379 | container terminates, it is moved back to the host namespace. | |
| 380 | Note that <option>--network-interface=</option> implies | |
| 381 | <option>--private-network</option>. This option may be used | |
| 382 | more than once to add multiple network interfaces to the | |
| 383 | container.</para></listitem> | |
| 384 | </varlistentry> | |
| 385 | ||
| 386 | <varlistentry> | |
| 387 | <term><option>--network-macvlan=</option></term> | |
| 388 | ||
| 389 | <listitem><para>Create a <literal>macvlan</literal> interface | |
| 390 | of the specified Ethernet network interface and add it to the | |
| 391 | container. A <literal>macvlan</literal> interface is a virtual | |
| 392 | interface that adds a second MAC address to an existing | |
| 393 | physical Ethernet link. The interface in the container will be | |
| 394 | named after the interface on the host, prefixed with | |
| 395 | <literal>mv-</literal>. Note that | |
| 396 | <option>--network-macvlan=</option> implies | |
| 397 | <option>--private-network</option>. This option may be used | |
| 398 | more than once to add multiple network interfaces to the | |
| 399 | container.</para></listitem> | |
| 400 | </varlistentry> | |
| 401 | ||
| 402 | <varlistentry> | |
| 403 | <term><option>--network-ipvlan=</option></term> | |
| 404 | ||
| 405 | <listitem><para>Create an <literal>ipvlan</literal> interface | |
| 406 | of the specified Ethernet network interface and add it to the | |
| 407 | container. An <literal>ipvlan</literal> interface is a virtual | |
| 408 | interface, similar to a <literal>macvlan</literal> interface, | |
| 409 | which uses the same MAC address as the underlying interface. | |
| 410 | The interface in the container will be named after the | |
| 411 | interface on the host, prefixed with <literal>iv-</literal>. | |
| 412 | Note that <option>--network-ipvlan=</option> implies | |
| 413 | <option>--private-network</option>. This option may be used | |
| 414 | more than once to add multiple network interfaces to the | |
| 415 | container.</para></listitem> | |
| 416 | </varlistentry> | |
| 417 | ||
| 418 | <varlistentry> | |
| 419 | <term><option>-n</option></term> | |
| 420 | <term><option>--network-veth</option></term> | |
| 421 | ||
| 422 | <listitem><para>Create a virtual Ethernet link | |
| 423 | (<literal>veth</literal>) between host and container. The host | |
| 424 | side of the Ethernet link will be available as a network | |
| 425 | interface named after the container's name (as specified with | |
| 426 | <option>--machine=</option>), prefixed with | |
| 427 | <literal>ve-</literal>. The container side of the Ethernet | |
| 428 | link will be named <literal>host0</literal>. Note that | |
| 429 | <option>--network-veth</option> implies | |
| 430 | <option>--private-network</option>.</para></listitem> | |
| 431 | </varlistentry> | |
| 432 | ||
| 433 | <varlistentry> | |
| 434 | <term><option>--network-bridge=</option></term> | |
| 435 | ||
| 436 | <listitem><para>Adds the host side of the Ethernet link | |
| 437 | created with <option>--network-veth</option> to the specified | |
| 438 | bridge. Note that <option>--network-bridge=</option> implies | |
| 439 | <option>--network-veth</option>. If this option is used, the | |
| 440 | host side of the Ethernet link will use the | |
| 441 | <literal>vb-</literal> prefix instead of | |
| 442 | <literal>ve-</literal>.</para></listitem> | |
| 443 | </varlistentry> | |
| 444 | ||
| 445 | <varlistentry> | |
| 446 | <term><option>-p</option></term> | |
| 447 | <term><option>--port=</option></term> | |
| 448 | ||
| 449 | <listitem><para>If private networking is enabled, maps an IP | |
| 450 | port on the host onto an IP port on the container. Takes a | |
| 451 | protocol specifier (either <literal>tcp</literal> or | |
| 452 | <literal>udp</literal>), separated by a colon from a host port | |
| 453 | number in the range 1 to 65535, separated by a colon from a | |
| 454 | container port number in the range from 1 to 65535. The | |
| 455 | protocol specifier and its separating colon may be omitted, in | |
| 456 | which case <literal>tcp</literal> is assumed. The container | |
| 7c918141 | 457 | port number and its colon may be omitted, in which case the |
| 798d3a52 ZJS |
458 | same port as the host port is implied. This option is only |
| 459 | supported if private networking is used, such as | |
| 460 | <option>--network-veth</option> or | |
| 461 | <option>--network-bridge=</option>.</para></listitem> | |
| 462 | </varlistentry> | |
| 463 | ||
| 464 | <varlistentry> | |
| 465 | <term><option>-Z</option></term> | |
| 466 | <term><option>--selinux-context=</option></term> | |
| 467 | ||
| 468 | <listitem><para>Sets the SELinux security context to be used | |
| 469 | to label processes in the container.</para> | |
| 470 | </listitem> | |
| 471 | </varlistentry> | |
| 472 | ||
| 473 | <varlistentry> | |
| 474 | <term><option>-L</option></term> | |
| 475 | <term><option>--selinux-apifs-context=</option></term> | |
| 476 | ||
| 477 | <listitem><para>Sets the SELinux security context to be used | |
| 478 | to label files in the virtual API file systems in the | |
| 479 | container.</para> | |
| 480 | </listitem> | |
| 481 | </varlistentry> | |
| 482 | ||
| 483 | <varlistentry> | |
| 484 | <term><option>--capability=</option></term> | |
| 485 | ||
| 486 | <listitem><para>List one or more additional capabilities to | |
| 487 | grant the container. Takes a comma-separated list of | |
| 488 | capability names, see | |
| 489 | <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| 490 | for more information. Note that the following capabilities | |
| 491 | will be granted in any way: CAP_CHOWN, CAP_DAC_OVERRIDE, | |
| 492 | CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER, | |
| 493 | CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, | |
| 494 | CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_RAW, | |
| 495 | CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP, CAP_SETUID, | |
| 496 | CAP_SYS_ADMIN, CAP_SYS_CHROOT, CAP_SYS_NICE, CAP_SYS_PTRACE, | |
| 497 | CAP_SYS_TTY_CONFIG, CAP_SYS_RESOURCE, CAP_SYS_BOOT, | |
| 498 | CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN is | |
| 499 | retained if <option>--private-network</option> is specified. | |
| 500 | If the special value <literal>all</literal> is passed, all | |
| 501 | capabilities are retained.</para></listitem> | |
| 502 | </varlistentry> | |
| 503 | ||
| 504 | <varlistentry> | |
| 505 | <term><option>--drop-capability=</option></term> | |
| 506 | ||
| 507 | <listitem><para>Specify one or more additional capabilities to | |
| 508 | drop for the container. This allows running the container with | |
| 509 | fewer capabilities than the default (see | |
| 510 | above).</para></listitem> | |
| 511 | </varlistentry> | |
| 512 | ||
| c6c8f6e2 LP |
513 | <varlistentry> |
| 514 | <term><option>--kill-signal=</option></term> | |
| 515 | ||
| 516 | <listitem><para>Specify the process signal to send to the | |
| 517 | container's PID 1 when nspawn itself receives SIGTERM, in | |
| 518 | order to trigger an orderly shutdown of the | |
| 519 | container. Defaults to SIGRTMIN+3 if <option>--boot</option> | |
| 520 | is used (on systemd-compatible init systems SIGRTMIN+3 | |
| 521 | triggers an orderly shutdown). Takes a signal name like | |
| 522 | <literal>SIGHUP</literal>, <literal>SIGTERM</literal> or | |
| 523 | similar as argument.</para></listitem> | |
| 524 | </varlistentry> | |
| 525 | ||
| 798d3a52 ZJS |
526 | <varlistentry> |
| 527 | <term><option>--link-journal=</option></term> | |
| 528 | ||
| 529 | <listitem><para>Control whether the container's journal shall | |
| 530 | be made visible to the host system. If enabled, allows viewing | |
| 531 | the container's journal files from the host (but not vice | |
| 532 | versa). Takes one of <literal>no</literal>, | |
| 533 | <literal>host</literal>, <literal>try-host</literal>, | |
| 534 | <literal>guest</literal>, <literal>try-guest</literal>, | |
| 535 | <literal>auto</literal>. If <literal>no</literal>, the journal | |
| 536 | is not linked. If <literal>host</literal>, the journal files | |
| 537 | are stored on the host file system (beneath | |
| 538 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 539 | and the subdirectory is bind-mounted into the container at the | |
| 540 | same location. If <literal>guest</literal>, the journal files | |
| 541 | are stored on the guest file system (beneath | |
| 542 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 543 | and the subdirectory is symlinked into the host at the same | |
| 544 | location. <literal>try-host</literal> and | |
| 545 | <literal>try-guest</literal> do the same but do not fail if | |
| 546 | the host does not have persistent journalling enabled. If | |
| 547 | <literal>auto</literal> (the default), and the right | |
| 548 | subdirectory of <filename>/var/log/journal</filename> exists, | |
| 549 | it will be bind mounted into the container. If the | |
| 550 | subdirectory does not exist, no linking is performed. | |
| 551 | Effectively, booting a container once with | |
| 552 | <literal>guest</literal> or <literal>host</literal> will link | |
| 553 | the journal persistently if further on the default of | |
| 554 | <literal>auto</literal> is used.</para></listitem> | |
| 555 | </varlistentry> | |
| 556 | ||
| 557 | <varlistentry> | |
| 558 | <term><option>-j</option></term> | |
| 559 | ||
| 560 | <listitem><para>Equivalent to | |
| 561 | <option>--link-journal=try-guest</option>.</para></listitem> | |
| 562 | </varlistentry> | |
| 563 | ||
| 564 | <varlistentry> | |
| 565 | <term><option>--read-only</option></term> | |
| 566 | ||
| 567 | <listitem><para>Mount the root file system read-only for the | |
| 568 | container.</para></listitem> | |
| 569 | </varlistentry> | |
| 570 | ||
| 571 | <varlistentry> | |
| 572 | <term><option>--bind=</option></term> | |
| 573 | <term><option>--bind-ro=</option></term> | |
| 574 | ||
| 575 | <listitem><para>Bind mount a file or directory from the host | |
| 576 | into the container. Either takes a path argument -- in which | |
| 577 | case the specified path will be mounted from the host to the | |
| 578 | same path in the container --, or a colon-separated pair of | |
| 579 | paths -- in which case the first specified path is the source | |
| 580 | in the host, and the second path is the destination in the | |
| 64b282ef LP |
581 | container. This option may be specified multiple times for |
| 582 | creating multiple independent bind mount points. The | |
| 583 | <option>--bind-ro=</option> option creates read-only bind | |
| 584 | mounts.</para></listitem> | |
| 798d3a52 ZJS |
585 | </varlistentry> |
| 586 | ||
| 587 | <varlistentry> | |
| 588 | <term><option>--tmpfs=</option></term> | |
| 589 | ||
| 590 | <listitem><para>Mount a tmpfs file system into the container. | |
| 591 | Takes a single absolute path argument that specifies where to | |
| 592 | mount the tmpfs instance to (in which case the directory | |
| 593 | access mode will be chosen as 0755, owned by root/root), or | |
| 594 | optionally a colon-separated pair of path and mount option | |
| 595 | string, that is used for mounting (in which case the kernel | |
| 596 | default for access mode and owner will be chosen, unless | |
| 597 | otherwise specified). This option is particularly useful for | |
| 598 | mounting directories such as <filename>/var</filename> as | |
| 599 | tmpfs, to allow state-less systems, in particular when | |
| 600 | combined with <option>--read-only</option>.</para></listitem> | |
| 601 | </varlistentry> | |
| 602 | ||
| 5a8af538 LP |
603 | <varlistentry> |
| 604 | <term><option>--overlay=</option></term> | |
| 605 | <term><option>--overlay-ro=</option></term> | |
| 606 | ||
| 607 | <listitem><para>Combine multiple directory trees into one | |
| 608 | overlay file system and mount it into the container. Takes a | |
| 609 | list of colon-separated paths to the directory trees to | |
| 610 | combine and the destination mount point.</para> | |
| 611 | ||
| 612 | <para>If three or more paths are specified, then the last | |
| 613 | specified path is the destination mount point in the | |
| 614 | container, all paths specified before refer to directory trees | |
| 615 | on the host and are combined in the specified order into one | |
| 616 | overlay file system. The left-most path is hence the lowest | |
| 617 | directory tree, the second-to-last path the highest directory | |
| 618 | tree in the stacking order. If <option>--overlay-ro=</option> | |
| 619 | is used instead of <option>--overlay=</option> a read-only | |
| 620 | overlay file system is created. If a writable overlay file | |
| 621 | system is created all changes made to it are written to the | |
| 622 | highest directory tree in the stacking order, i.e. the | |
| 623 | second-to-last specified.</para> | |
| 624 | ||
| 625 | <para>If only two paths are specified, then the second | |
| 626 | specified path is used both as the top-level directory tree in | |
| 627 | the stacking order as seen from the host, as well as the mount | |
| 628 | point for the overlay file system in the container. At least | |
| 629 | two paths have to be specified.</para> | |
| 630 | ||
| 631 | <para>For details about overlay file systems, see <ulink | |
| 632 | url="https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt">overlayfs.txt</ulink>. Note | |
| 633 | that the semantics of overlay file systems are substantially | |
| 634 | different from normal file systems, in particular regarding | |
| 635 | reported device and inode information. Device and inode | |
| 636 | information may change for a file while it is being written | |
| 637 | to, and processes might see out-of-date versions of files at | |
| 638 | times. Note that this switch automatically derives the | |
| 639 | <literal>workdir=</literal> mount option for the overlay file | |
| 640 | system from the top-level directory tree, making it a sibling | |
| 641 | of it. It is hence essential that the top-level directory tree | |
| 642 | is not a mount point itself (since the working directory must | |
| 643 | be on the same file system as the top-most directory | |
| 644 | tree). Also note that the <literal>lowerdir=</literal> mount | |
| 645 | option receives the paths to stack in the opposite order of | |
| 646 | this switch.</para></listitem> | |
| 647 | </varlistentry> | |
| 648 | ||
| 798d3a52 ZJS |
649 | <varlistentry> |
| 650 | <term><option>--setenv=</option></term> | |
| 651 | ||
| 652 | <listitem><para>Specifies an environment variable assignment | |
| 653 | to pass to the init process in the container, in the format | |
| 654 | <literal>NAME=VALUE</literal>. This may be used to override | |
| 655 | the default variables or to set additional variables. This | |
| 656 | parameter may be used more than once.</para></listitem> | |
| 657 | </varlistentry> | |
| 658 | ||
| 659 | <varlistentry> | |
| 660 | <term><option>--share-system</option></term> | |
| 661 | ||
| 662 | <listitem><para>Allows the container to share certain system | |
| 663 | facilities with the host. More specifically, this turns off | |
| 664 | PID namespacing, UTS namespacing and IPC namespacing, and thus | |
| 665 | allows the guest to see and interact more easily with | |
| 666 | processes outside of the container. Note that using this | |
| 667 | option makes it impossible to start up a full Operating System | |
| 668 | in the container, as an init system cannot operate in this | |
| 669 | mode. It is only useful to run specific programs or | |
| 670 | applications this way, without involving an init system in the | |
| 671 | container. This option implies <option>--register=no</option>. | |
| 672 | This option may not be combined with | |
| 673 | <option>--boot</option>.</para></listitem> | |
| 674 | </varlistentry> | |
| 675 | ||
| 676 | <varlistentry> | |
| 677 | <term><option>--register=</option></term> | |
| 678 | ||
| 679 | <listitem><para>Controls whether the container is registered | |
| 680 | with | |
| 681 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
| 682 | Takes a boolean argument, defaults to <literal>yes</literal>. | |
| 683 | This option should be enabled when the container runs a full | |
| 684 | Operating System (more specifically: an init system), and is | |
| 685 | useful to ensure that the container is accessible via | |
| 686 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 687 | and shown by tools such as | |
| 688 | <citerefentry project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. | |
| 689 | If the container does not run an init system, it is | |
| 690 | recommended to set this option to <literal>no</literal>. Note | |
| 691 | that <option>--share-system</option> implies | |
| 692 | <option>--register=no</option>. </para></listitem> | |
| 693 | </varlistentry> | |
| 694 | ||
| 695 | <varlistentry> | |
| 696 | <term><option>--keep-unit</option></term> | |
| 697 | ||
| 698 | <listitem><para>Instead of creating a transient scope unit to | |
| 699 | run the container in, simply register the service or scope | |
| 700 | unit <command>systemd-nspawn</command> has been invoked in | |
| 701 | with | |
| 702 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
| 703 | This has no effect if <option>--register=no</option> is used. | |
| 704 | This switch should be used if | |
| 705 | <command>systemd-nspawn</command> is invoked from within a | |
| 706 | service unit, and the service unit's sole purpose is to run a | |
| 707 | single <command>systemd-nspawn</command> container. This | |
| 708 | option is not available if run from a user | |
| 709 | session.</para></listitem> | |
| 710 | </varlistentry> | |
| 711 | ||
| 712 | <varlistentry> | |
| 713 | <term><option>--personality=</option></term> | |
| 714 | ||
| 715 | <listitem><para>Control the architecture ("personality") | |
| 716 | reported by | |
| 3ba3a79d | 717 | <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> |
| 798d3a52 ZJS |
718 | in the container. Currently, only <literal>x86</literal> and |
| 719 | <literal>x86-64</literal> are supported. This is useful when | |
| 720 | running a 32-bit container on a 64-bit host. If this setting | |
| 721 | is not used, the personality reported in the container is the | |
| 722 | same as the one reported on the host.</para></listitem> | |
| 723 | </varlistentry> | |
| 724 | ||
| 725 | <varlistentry> | |
| 726 | <term><option>-q</option></term> | |
| 727 | <term><option>--quiet</option></term> | |
| 728 | ||
| 729 | <listitem><para>Turns off any status output by the tool | |
| 730 | itself. When this switch is used, the only output from nspawn | |
| 731 | will be the console output of the container OS | |
| 732 | itself.</para></listitem> | |
| 733 | </varlistentry> | |
| 734 | ||
| 735 | <varlistentry> | |
| 736 | <term><option>--volatile</option><replaceable>=MODE</replaceable></term> | |
| 737 | ||
| 738 | <listitem><para>Boots the container in volatile mode. When no | |
| 739 | mode parameter is passed or when mode is specified as | |
| 740 | <literal>yes</literal> full volatile mode is enabled. This | |
| 741 | means the root directory is mounted as mostly unpopulated | |
| 742 | <literal>tmpfs</literal> instance, and | |
| 743 | <filename>/usr</filename> from the OS tree is mounted into it, | |
| 744 | read-only (the system thus starts up with read-only OS | |
| 745 | resources, but pristine state and configuration, any changes | |
| 746 | to the either are lost on shutdown). When the mode parameter | |
| 747 | is specified as <literal>state</literal> the OS tree is | |
| 748 | mounted read-only, but <filename>/var</filename> is mounted as | |
| 749 | <literal>tmpfs</literal> instance into it (the system thus | |
| 750 | starts up with read-only OS resources and configuration, but | |
| 751 | pristine state, any changes to the latter are lost on | |
| 752 | shutdown). When the mode parameter is specified as | |
| 753 | <literal>no</literal> (the default) the whole OS tree is made | |
| 754 | available writable.</para> | |
| 755 | ||
| 756 | <para>Note that setting this to <literal>yes</literal> or | |
| 757 | <literal>state</literal> will only work correctly with | |
| 758 | operating systems in the container that can boot up with only | |
| 759 | <filename>/usr</filename> mounted, and are able to populate | |
| 760 | <filename>/var</filename> automatically, as | |
| 761 | needed.</para></listitem> | |
| 762 | </varlistentry> | |
| 763 | ||
| 764 | <xi:include href="standard-options.xml" xpointer="help" /> | |
| 765 | <xi:include href="standard-options.xml" xpointer="version" /> | |
| 766 | </variablelist> | |
| 767 | ||
| 768 | </refsect1> | |
| 769 | ||
| 770 | <refsect1> | |
| 771 | <title>Examples</title> | |
| 772 | ||
| 773 | <example> | |
| 774 | <title>Download a Fedora image and start a shell in it</title> | |
| 775 | ||
| 776 | <programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz | |
| e0ea94c1 LP |
777 | # systemd-nspawn -M Fedora-Cloud-Base-20141203-21</programlisting> |
| 778 | ||
| 798d3a52 ZJS |
779 | <para>This downloads an image using |
| 780 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 781 | and opens a shell in it.</para> | |
| 782 | </example> | |
| e0ea94c1 | 783 | |
| 798d3a52 ZJS |
784 | <example> |
| 785 | <title>Build and boot a minimal Fedora distribution in a container</title> | |
| 8f7a3c14 | 786 | |
| 798d3a52 | 787 | <programlisting># dnf -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd dnf fedora-release vim-minimal |
| 2b3987a8 | 788 | # systemd-nspawn -bD /srv/mycontainer</programlisting> |
| 8f7a3c14 | 789 | |
| 798d3a52 ZJS |
790 | <para>This installs a minimal Fedora distribution into the |
| 791 | directory <filename noindex='true'>/srv/mycontainer/</filename> | |
| 792 | and then boots an OS in a namespace container in it.</para> | |
| 793 | </example> | |
| 8f7a3c14 | 794 | |
| 798d3a52 ZJS |
795 | <example> |
| 796 | <title>Spawn a shell in a container of a minimal Debian unstable distribution</title> | |
| 8f7a3c14 | 797 | |
| 798d3a52 | 798 | <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/ |
| 25f5971b | 799 | # systemd-nspawn -D ~/debian-tree/</programlisting> |
| 8f7a3c14 | 800 | |
| 798d3a52 ZJS |
801 | <para>This installs a minimal Debian unstable distribution into |
| 802 | the directory <filename>~/debian-tree/</filename> and then | |
| 803 | spawns a shell in a namespace container in it.</para> | |
| 804 | </example> | |
| 8f7a3c14 | 805 | |
| 798d3a52 ZJS |
806 | <example> |
| 807 | <title>Boot a minimal Arch Linux distribution in a container</title> | |
| 68562936 | 808 | |
| 798d3a52 | 809 | <programlisting># pacstrap -c -d ~/arch-tree/ base |
| 68562936 WG |
810 | # systemd-nspawn -bD ~/arch-tree/</programlisting> |
| 811 | ||
| ff9b60f3 | 812 | <para>This installs a minimal Arch Linux distribution into the |
| 798d3a52 ZJS |
813 | directory <filename>~/arch-tree/</filename> and then boots an OS |
| 814 | in a namespace container in it.</para> | |
| 815 | </example> | |
| 68562936 | 816 | |
| 798d3a52 ZJS |
817 | <example> |
| 818 | <title>Boot into an ephemeral <literal>btrfs</literal> snapshot of the host system</title> | |
| f9f4dd51 | 819 | |
| 798d3a52 | 820 | <programlisting># systemd-nspawn -D / -xb</programlisting> |
| f9f4dd51 | 821 | |
| 798d3a52 ZJS |
822 | <para>This runs a copy of the host system in a |
| 823 | <literal>btrfs</literal> snapshot which is removed immediately | |
| 824 | when the container exits. All file system changes made during | |
| 825 | runtime will be lost on shutdown, hence.</para> | |
| 826 | </example> | |
| f9f4dd51 | 827 | |
| 798d3a52 ZJS |
828 | <example> |
| 829 | <title>Run a container with SELinux sandbox security contexts</title> | |
| a8828ed9 | 830 | |
| 798d3a52 | 831 | <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container |
| a8828ed9 | 832 | # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting> |
| 798d3a52 ZJS |
833 | </example> |
| 834 | </refsect1> | |
| 835 | ||
| 836 | <refsect1> | |
| 837 | <title>Exit status</title> | |
| 838 | ||
| 839 | <para>The exit code of the program executed in the container is | |
| 840 | returned.</para> | |
| 841 | </refsect1> | |
| 842 | ||
| 843 | <refsect1> | |
| 844 | <title>See Also</title> | |
| 845 | <para> | |
| 846 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 847 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 848 | <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 849 | <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 850 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 851 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 852 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
| 853 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 3ba3a79d | 854 | <citerefentry project='man-pages'><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| 798d3a52 ZJS |
855 | </para> |
| 856 | </refsect1> | |
| 8f7a3c14 LP |
857 | |
| 858 | </refentry> |