projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 514094f9 | 1 | <?xml version='1.0'?> |
| 3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
| 7a8aa0ec | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
| 95d311fa ZJS |
4 | <!ENTITY fedora_latest_version "31"> |
| 5 | <!ENTITY fedora_cloud_release "1.9"> | |
| 7a8aa0ec | 6 | ]> |
| 0307f791 | 7 | <!-- SPDX-License-Identifier: LGPL-2.1+ --> |
| 8f7a3c14 | 8 | |
| dfdebb1b | 9 | <refentry id="systemd-nspawn" |
| 798d3a52 ZJS |
10 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
| 11 | ||
| 12 | <refentryinfo> | |
| 13 | <title>systemd-nspawn</title> | |
| 14 | <productname>systemd</productname> | |
| 798d3a52 ZJS |
15 | </refentryinfo> |
| 16 | ||
| 17 | <refmeta> | |
| 18 | <refentrytitle>systemd-nspawn</refentrytitle> | |
| 19 | <manvolnum>1</manvolnum> | |
| 20 | </refmeta> | |
| 21 | ||
| 22 | <refnamediv> | |
| 23 | <refname>systemd-nspawn</refname> | |
| a7e2e50d | 24 | <refpurpose>Spawn a command or OS in a light-weight container</refpurpose> |
| 798d3a52 ZJS |
25 | </refnamediv> |
| 26 | ||
| 27 | <refsynopsisdiv> | |
| 28 | <cmdsynopsis> | |
| 29 | <command>systemd-nspawn</command> | |
| 30 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
| 31 | <arg choice="opt"><replaceable>COMMAND</replaceable> | |
| 32 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 33 | </arg> | |
| 34 | </cmdsynopsis> | |
| 35 | <cmdsynopsis> | |
| 36 | <command>systemd-nspawn</command> | |
| 4447e799 | 37 | <arg choice="plain">--boot</arg> |
| 798d3a52 ZJS |
38 | <arg choice="opt" rep="repeat">OPTIONS</arg> |
| 39 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 40 | </cmdsynopsis> | |
| 41 | </refsynopsisdiv> | |
| 42 | ||
| 43 | <refsect1> | |
| 44 | <title>Description</title> | |
| 45 | ||
| b09c0bba LP |
46 | <para><command>systemd-nspawn</command> may be used to run a command or OS in a light-weight namespace |
| 47 | container. In many ways it is similar to <citerefentry | |
| 48 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but more powerful | |
| 49 | since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and | |
| 50 | the host and domain name.</para> | |
| 51 | ||
| 5164c3b4 | 52 | <para><command>systemd-nspawn</command> may be invoked on any directory tree containing an operating system tree, |
| b09c0bba | 53 | using the <option>--directory=</option> command line option. By using the <option>--machine=</option> option an OS |
| 5164c3b4 | 54 | tree is automatically searched for in a couple of locations, most importantly in |
| a7e2e50d | 55 | <filename>/var/lib/machines</filename>, the suggested directory to place OS container images installed on the |
| b09c0bba LP |
56 | system.</para> |
| 57 | ||
| 58 | <para>In contrast to <citerefentry | |
| 59 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command> | |
| 60 | may be used to boot full Linux-based operating systems in a container.</para> | |
| 61 | ||
| 62 | <para><command>systemd-nspawn</command> limits access to various kernel interfaces in the container to read-only, | |
| 63 | such as <filename>/sys</filename>, <filename>/proc/sys</filename> or <filename>/sys/fs/selinux</filename>. The | |
| 64 | host's network interfaces and the system clock may not be changed from within the container. Device nodes may not | |
| 65 | be created. The host system cannot be rebooted and kernel modules may not be loaded from within the | |
| 798d3a52 ZJS |
66 | container.</para> |
| 67 | ||
| b09c0bba LP |
68 | <para>Use a tool like <citerefentry |
| 69 | project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry | |
| 70 | project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or | |
| 71 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry> to | |
| 72 | set up an OS directory tree suitable as file system hierarchy for <command>systemd-nspawn</command> containers. See | |
| 73 | the Examples section below for details on suitable invocation of these commands.</para> | |
| 74 | ||
| 75 | <para>As a safety check <command>systemd-nspawn</command> will verify the existence of | |
| 76 | <filename>/usr/lib/os-release</filename> or <filename>/etc/os-release</filename> in the container tree before | |
| 77 | starting the container (see | |
| 78 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It might be | |
| 79 | necessary to add this file to the container tree manually if the OS of the container is too old to contain this | |
| 798d3a52 | 80 | file out-of-the-box.</para> |
| b09c0bba LP |
81 | |
| 82 | <para><command>systemd-nspawn</command> may be invoked directly from the interactive command line or run as system | |
| 83 | service in the background. In this mode each container instance runs as its own service instance; a default | |
| 84 | template unit file <filename>systemd-nspawn@.service</filename> is provided to make this easy, taking the container | |
| 85 | name as instance identifier. Note that different default options apply when <command>systemd-nspawn</command> is | |
| 6dd6a9c4 | 86 | invoked by the template unit file than interactively on the command line. Most importantly the template unit file |
| b09c0bba | 87 | makes use of the <option>--boot</option> which is not the default in case <command>systemd-nspawn</command> is |
| 6dd6a9c4 | 88 | invoked from the interactive command line. Further differences with the defaults are documented along with the |
| b09c0bba LP |
89 | various supported options below.</para> |
| 90 | ||
| 91 | <para>The <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool may | |
| 92 | be used to execute a number of operations on containers. In particular it provides easy-to-use commands to run | |
| 93 | containers as system services using the <filename>systemd-nspawn@.service</filename> template unit | |
| 94 | file.</para> | |
| 95 | ||
| 96 | <para>Along with each container a settings file with the <filename>.nspawn</filename> suffix may exist, containing | |
| 97 | additional settings to apply when running the container. See | |
| 98 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
| 99 | details. Settings files override the default options used by the <filename>systemd-nspawn@.service</filename> | |
| 100 | template unit file, making it usually unnecessary to alter this template file directly.</para> | |
| 101 | ||
| 102 | <para>Note that <command>systemd-nspawn</command> will mount file systems private to the container to | |
| 103 | <filename>/dev</filename>, <filename>/run</filename> and similar. These will not be visible outside of the | |
| 104 | container, and their contents will be lost when the container exits.</para> | |
| 105 | ||
| 106 | <para>Note that running two <command>systemd-nspawn</command> containers from the same directory tree will not make | |
| 107 | processes in them see each other. The PID namespace separation of the two containers is complete and the containers | |
| 108 | will share very few runtime objects except for the underlying file system. Use | |
| 109 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
| 110 | <command>login</command> or <command>shell</command> commands to request an additional login session in a running | |
| 111 | container.</para> | |
| 112 | ||
| 113 | <para><command>systemd-nspawn</command> implements the <ulink | |
| 53dc5fbc | 114 | url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> specification.</para> |
| b09c0bba LP |
115 | |
| 116 | <para>While running, containers invoked with <command>systemd-nspawn</command> are registered with the | |
| 117 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry> service that | |
| 118 | keeps track of running containers, and provides programming interfaces to interact with them.</para> | |
| 798d3a52 ZJS |
119 | </refsect1> |
| 120 | ||
| 121 | <refsect1> | |
| 122 | <title>Options</title> | |
| 123 | ||
| 124 | <para>If option <option>-b</option> is specified, the arguments | |
| 3f2d1365 | 125 | are used as arguments for the init program. Otherwise, |
| 798d3a52 ZJS |
126 | <replaceable>COMMAND</replaceable> specifies the program to launch |
| 127 | in the container, and the remaining arguments are used as | |
| b09c0bba | 128 | arguments for this program. If <option>--boot</option> is not used and |
| ff9b60f3 | 129 | no arguments are specified, a shell is launched in the |
| 798d3a52 ZJS |
130 | container.</para> |
| 131 | ||
| 132 | <para>The following options are understood:</para> | |
| 133 | ||
| 134 | <variablelist> | |
| d99058c9 LP |
135 | |
| 136 | <varlistentry> | |
| 137 | <term><option>-q</option></term> | |
| 138 | <term><option>--quiet</option></term> | |
| 139 | ||
| 140 | <listitem><para>Turns off any status output by the tool | |
| 141 | itself. When this switch is used, the only output from nspawn | |
| 142 | will be the console output of the container OS | |
| 143 | itself.</para></listitem> | |
| 144 | </varlistentry> | |
| 145 | ||
| 146 | <varlistentry> | |
| 147 | <term><option>--settings=</option><replaceable>MODE</replaceable></term> | |
| 148 | ||
| 149 | <listitem><para>Controls whether | |
| 150 | <command>systemd-nspawn</command> shall search for and use | |
| 151 | additional per-container settings from | |
| 152 | <filename>.nspawn</filename> files. Takes a boolean or the | |
| 153 | special values <option>override</option> or | |
| 154 | <option>trusted</option>.</para> | |
| 155 | ||
| 156 | <para>If enabled (the default), a settings file named after the | |
| 157 | machine (as specified with the <option>--machine=</option> | |
| 158 | setting, or derived from the directory or image file name) | |
| 159 | with the suffix <filename>.nspawn</filename> is searched in | |
| 160 | <filename>/etc/systemd/nspawn/</filename> and | |
| 161 | <filename>/run/systemd/nspawn/</filename>. If it is found | |
| 162 | there, its settings are read and used. If it is not found | |
| 163 | there, it is subsequently searched in the same directory as the | |
| 164 | image file or in the immediate parent of the root directory of | |
| 165 | the container. In this case, if the file is found, its settings | |
| 166 | will be also read and used, but potentially unsafe settings | |
| 167 | are ignored. Note that in both these cases, settings on the | |
| 168 | command line take precedence over the corresponding settings | |
| 169 | from loaded <filename>.nspawn</filename> files, if both are | |
| 170 | specified. Unsafe settings are considered all settings that | |
| 171 | elevate the container's privileges or grant access to | |
| 172 | additional resources such as files or directories of the | |
| 173 | host. For details about the format and contents of | |
| 174 | <filename>.nspawn</filename> files, consult | |
| 175 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
| 176 | ||
| 177 | <para>If this option is set to <option>override</option>, the | |
| 178 | file is searched, read and used the same way, however, the order of | |
| 179 | precedence is reversed: settings read from the | |
| 180 | <filename>.nspawn</filename> file will take precedence over | |
| 181 | the corresponding command line options, if both are | |
| 182 | specified.</para> | |
| 183 | ||
| 184 | <para>If this option is set to <option>trusted</option>, the | |
| 185 | file is searched, read and used the same way, but regardless | |
| 186 | of being found in <filename>/etc/systemd/nspawn/</filename>, | |
| 187 | <filename>/run/systemd/nspawn/</filename> or next to the image | |
| 188 | file or container root directory, all settings will take | |
| 189 | effect, however, command line arguments still take precedence | |
| 190 | over corresponding settings.</para> | |
| 191 | ||
| 192 | <para>If disabled, no <filename>.nspawn</filename> file is read | |
| 193 | and no settings except the ones on the command line are in | |
| 194 | effect.</para></listitem> | |
| 195 | </varlistentry> | |
| 196 | ||
| 197 | </variablelist> | |
| 198 | ||
| 199 | <refsect2> | |
| 200 | <title>Image Options</title> | |
| 201 | ||
| 202 | <variablelist> | |
| 203 | ||
| 798d3a52 ZJS |
204 | <varlistentry> |
| 205 | <term><option>-D</option></term> | |
| 206 | <term><option>--directory=</option></term> | |
| 207 | ||
| 208 | <listitem><para>Directory to use as file system root for the | |
| 209 | container.</para> | |
| 210 | ||
| 211 | <para>If neither <option>--directory=</option>, nor | |
| 212 | <option>--image=</option> is specified the directory is | |
| 32b64cce RM |
213 | determined by searching for a directory named the same as the |
| 214 | machine name specified with <option>--machine=</option>. See | |
| 215 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 216 | section "Files and Directories" for the precise search path.</para> | |
| 217 | ||
| 218 | <para>If neither <option>--directory=</option>, | |
| 219 | <option>--image=</option>, nor <option>--machine=</option> | |
| 220 | are specified, the current directory will | |
| 221 | be used. May not be specified together with | |
| 798d3a52 ZJS |
222 | <option>--image=</option>.</para></listitem> |
| 223 | </varlistentry> | |
| 224 | ||
| 225 | <varlistentry> | |
| 226 | <term><option>--template=</option></term> | |
| 227 | ||
| 3f2fa834 LP |
228 | <listitem><para>Directory or <literal>btrfs</literal> subvolume to use as template for the |
| 229 | container's root directory. If this is specified and the container's root directory (as configured by | |
| 230 | <option>--directory=</option>) does not yet exist it is created as <literal>btrfs</literal> snapshot | |
| 231 | (if supported) or plain directory (otherwise) and populated from this template tree. Ideally, the | |
| 232 | specified template path refers to the root of a <literal>btrfs</literal> subvolume, in which case a | |
| 233 | simple copy-on-write snapshot is taken, and populating the root directory is instant. If the | |
| 234 | specified template path does not refer to the root of a <literal>btrfs</literal> subvolume (or not | |
| 235 | even to a <literal>btrfs</literal> file system at all), the tree is copied (though possibly in a | |
| 236 | 'reflink' copy-on-write scheme — if the file system supports that), which can be substantially more | |
| 237 | time-consuming. Note that the snapshot taken is of the specified directory or subvolume, including | |
| 238 | all subdirectories and subvolumes below it, but excluding any sub-mounts. May not be specified | |
| 239 | together with <option>--image=</option> or <option>--ephemeral</option>.</para> | |
| 3fe22bb4 | 240 | |
| 38b38500 | 241 | <para>Note that this switch leaves hostname, machine ID and |
| 3fe22bb4 LP |
242 | all other settings that could identify the instance |
| 243 | unmodified.</para></listitem> | |
| 798d3a52 ZJS |
244 | </varlistentry> |
| 245 | ||
| 246 | <varlistentry> | |
| 247 | <term><option>-x</option></term> | |
| 248 | <term><option>--ephemeral</option></term> | |
| 249 | ||
| 0f3be6ca LP |
250 | <listitem><para>If specified, the container is run with a temporary snapshot of its file system that is removed |
| 251 | immediately when the container terminates. May not be specified together with | |
| 3fe22bb4 | 252 | <option>--template=</option>.</para> |
| 38b38500 | 253 | <para>Note that this switch leaves hostname, machine ID and all other settings that could identify |
| 3f2fa834 LP |
254 | the instance unmodified. Please note that — as with <option>--template=</option> — taking the |
| 255 | temporary snapshot is more efficient on file systems that support subvolume snapshots or 'reflinks' | |
| 256 | natively (<literal>btrfs</literal> or new <literal>xfs</literal>) than on more traditional file | |
| 257 | systems that do not (<literal>ext4</literal>). Note that the snapshot taken is of the specified | |
| 258 | directory or subvolume, including all subdirectories and subvolumes below it, but excluding any | |
| 259 | sub-mounts.</para> | |
| b23f1628 LP |
260 | |
| 261 | <para>With this option no modifications of the container image are retained. Use | |
| 262 | <option>--volatile=</option> (described below) for other mechanisms to restrict persistency of | |
| 263 | container images during runtime.</para> | |
| 264 | </listitem> | |
| 798d3a52 ZJS |
265 | </varlistentry> |
| 266 | ||
| 267 | <varlistentry> | |
| 268 | <term><option>-i</option></term> | |
| 269 | <term><option>--image=</option></term> | |
| 270 | ||
| 271 | <listitem><para>Disk image to mount the root directory for the | |
| 272 | container from. Takes a path to a regular file or to a block | |
| 273 | device node. The file or block device must contain | |
| 274 | either:</para> | |
| 275 | ||
| 276 | <itemizedlist> | |
| 277 | <listitem><para>An MBR partition table with a single | |
| 278 | partition of type 0x83 that is marked | |
| 279 | bootable.</para></listitem> | |
| 280 | ||
| 281 | <listitem><para>A GUID partition table (GPT) with a single | |
| 282 | partition of type | |
| 283 | 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem> | |
| 284 | ||
| 285 | <listitem><para>A GUID partition table (GPT) with a marked | |
| 286 | root partition which is mounted as the root directory of the | |
| 287 | container. Optionally, GPT images may contain a home and/or | |
| 288 | a server data partition which are mounted to the appropriate | |
| 289 | places in the container. All these partitions must be | |
| 290 | identified by the partition types defined by the <ulink | |
| 19ac32cd | 291 | url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable |
| 798d3a52 | 292 | Partitions Specification</ulink>.</para></listitem> |
| 58abb66f LP |
293 | |
| 294 | <listitem><para>No partition table, and a single file system spanning the whole image.</para></listitem> | |
| 798d3a52 ZJS |
295 | </itemizedlist> |
| 296 | ||
| 0f3be6ca LP |
297 | <para>On GPT images, if an EFI System Partition (ESP) is discovered, it is automatically mounted to |
| 298 | <filename>/efi</filename> (or <filename>/boot</filename> as fallback) in case a directory by this name exists | |
| 299 | and is empty.</para> | |
| 300 | ||
| 58abb66f LP |
301 | <para>Partitions encrypted with LUKS are automatically decrypted. Also, on GPT images dm-verity data integrity |
| 302 | hash partitions are set up if the root hash for them is specified using the <option>--root-hash=</option> | |
| 303 | option.</para> | |
| 304 | ||
| 0f3be6ca LP |
305 | <para>Any other partitions, such as foreign partitions or swap partitions are not mounted. May not be specified |
| 306 | together with <option>--directory=</option>, <option>--template=</option>.</para></listitem> | |
| 798d3a52 | 307 | </varlistentry> |
| 58abb66f | 308 | |
| 3d6c3675 LP |
309 | <varlistentry> |
| 310 | <term><option>--oci-bundle=</option></term> | |
| 311 | ||
| 312 | <listitem><para>Takes the path to an OCI runtime bundle to invoke, as specified in the <ulink | |
| 313 | url="https://github.com/opencontainers/runtime-spec/blob/master/spec.md">OCI Runtime Specification</ulink>. In | |
| 314 | this case no <filename>.nspawn</filename> file is loaded, and the root directory and various settings are read | |
| 315 | from the OCI runtime JSON data (but data passed on the command line takes precedence).</para></listitem> | |
| 316 | </varlistentry> | |
| 317 | ||
| d99058c9 LP |
318 | <varlistentry> |
| 319 | <term><option>--read-only</option></term> | |
| 320 | ||
| 321 | <listitem><para>Mount the container's root file system (and any other file systems container in the container | |
| 322 | image) read-only. This has no effect on additional mounts made with <option>--bind=</option>, | |
| 323 | <option>--tmpfs=</option> and similar options. This mode is implied if the container image file or directory is | |
| 324 | marked read-only itself. It is also implied if <option>--volatile=</option> is used. In this case the container | |
| 325 | image on disk is strictly read-only, while changes are permitted but kept non-persistently in memory only. For | |
| 326 | further details, see below.</para></listitem> | |
| 327 | </varlistentry> | |
| 328 | ||
| 329 | <varlistentry> | |
| 330 | <term><option>--volatile</option></term> | |
| 331 | <term><option>--volatile=</option><replaceable>MODE</replaceable></term> | |
| 332 | ||
| 333 | <listitem><para>Boots the container in volatile mode. When no mode parameter is passed or when mode is | |
| 334 | specified as <option>yes</option>, full volatile mode is enabled. This means the root directory is mounted as a | |
| 335 | mostly unpopulated <literal>tmpfs</literal> instance, and <filename>/usr/</filename> from the OS tree is | |
| 336 | mounted into it in read-only mode (the system thus starts up with read-only OS image, but pristine state and | |
| 337 | configuration, any changes are lost on shutdown). When the mode parameter is specified as | |
| 338 | <option>state</option>, the OS tree is mounted read-only, but <filename>/var/</filename> is mounted as a | |
| 339 | writable <literal>tmpfs</literal> instance into it (the system thus starts up with read-only OS resources and | |
| 340 | configuration, but pristine state, and any changes to the latter are lost on shutdown). When the mode parameter | |
| 341 | is specified as <option>overlay</option> the read-only root file system is combined with a writable | |
| 342 | <filename>tmpfs</filename> instance through <literal>overlayfs</literal>, so that it appears at it normally | |
| 343 | would, but any changes are applied to the temporary file system only and lost when the container is | |
| 344 | terminated. When the mode parameter is specified as <option>no</option> (the default), the whole OS tree is | |
| 345 | made available writable (unless <option>--read-only</option> is specified, see above).</para> | |
| 346 | ||
| 347 | <para>Note that if one of the volatile modes is chosen, its effect is limited to the root file system (or | |
| 348 | <filename>/var/</filename> in case of <option>state</option>), and any other mounts placed in the hierarchy are | |
| 349 | unaffected — regardless if they are established automatically (e.g. the EFI system partition that might be | |
| 350 | mounted to <filename>/efi/</filename> or <filename>/boot/</filename>) or explicitly (e.g. through an additional | |
| 351 | command line option such as <option>--bind=</option>, see below). This means, even if | |
| 352 | <option>--volatile=overlay</option> is used changes to <filename>/efi/</filename> or | |
| 353 | <filename>/boot/</filename> are prohibited in case such a partition exists in the container image operated on, | |
| 354 | and even if <option>--volatile=state</option> is used the hypothetical file <filename>/etc/foobar</filename> is | |
| 355 | potentially writable if <option>--bind=/etc/foobar</option> if used to mount it from outside the read-only | |
| 356 | container <filename>/etc</filename> directory.</para> | |
| 357 | ||
| 358 | <para>The <option>--ephemeral</option> option is closely related to this setting, and provides similar | |
| 359 | behaviour by making a temporary, ephemeral copy of the whole OS image and executing that. For further details, | |
| 360 | see above.</para> | |
| 361 | ||
| 362 | <para>The <option>--tmpfs=</option> and <option>--overlay=</option> options provide similar functionality, but | |
| 363 | for specific sub-directories of the OS image only. For details, see below.</para> | |
| 364 | ||
| 365 | <para>This option provides similar functionality for containers as the <literal>systemd.volatile=</literal> | |
| 366 | kernel command line switch provides for host systems. See | |
| 367 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
| 368 | details.</para> | |
| 369 | ||
| 2e542f4e LP |
370 | <para>Note that setting this option to <option>yes</option> or <option>state</option> will only work |
| 371 | correctly with operating systems in the container that can boot up with only | |
| 372 | <filename>/usr/</filename> mounted, and are able to automatically populate <filename>/var/</filename> | |
| 373 | (and <filename>/etc/</filename> in case of <literal>--volatile=yes</literal>). Specifically, this | |
| 374 | means that operating systems that follow the historic split of <filename>/bin/</filename> and | |
| 375 | <filename>/lib/</filename> (and related directories) from <filename>/usr/</filename> (i.e. where the | |
| 376 | former are not symlinks into the latter) are not supported by <literal>--volatile=yes</literal> as | |
| 377 | container payload. The <option>overlay</option> option does not require any particular preparations | |
| 378 | in the OS, but do note that <literal>overlayfs</literal> behaviour differs from regular file systems | |
| 379 | in a number of ways, and hence compatibility is limited.</para></listitem> | |
| d99058c9 LP |
380 | </varlistentry> |
| 381 | ||
| 58abb66f LP |
382 | <varlistentry> |
| 383 | <term><option>--root-hash=</option></term> | |
| 384 | ||
| 385 | <listitem><para>Takes a data integrity (dm-verity) root hash specified in hexadecimal. This option enables data | |
| 386 | integrity checks using dm-verity, if the used image contains the appropriate integrity data (see above). The | |
| ef3116b5 | 387 | specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64 |
| 41488e1f LP |
388 | formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but |
| 389 | the image file carries the <literal>user.verity.roothash</literal> extended file attribute (see <citerefentry | |
| 390 | project='man-pages'><refentrytitle>xattr</refentrytitle><manvolnum>7</manvolnum></citerefentry>), then the root | |
| 391 | hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or | |
| ef3116b5 ZJS |
392 | is not supported by the underlying file system), but a file with the <filename>.roothash</filename> suffix is |
| 393 | found next to the image file, bearing otherwise the same name, the root hash is read from it and automatically | |
| 394 | used, also as formatted hexadecimal characters.</para></listitem> | |
| 58abb66f | 395 | </varlistentry> |
| 798d3a52 | 396 | |
| d99058c9 LP |
397 | <varlistentry> |
| 398 | <term><option>--pivot-root=</option></term> | |
| 399 | ||
| 400 | <listitem><para>Pivot the specified directory to <filename>/</filename> inside the container, and either unmount the | |
| 401 | container's old root, or pivot it to another specified directory. Takes one of: a path argument — in which case the | |
| 402 | specified path will be pivoted to <filename>/</filename> and the old root will be unmounted; or a colon-separated pair | |
| 403 | of new root path and pivot destination for the old root. The new root path will be pivoted to <filename>/</filename>, | |
| 404 | and the old <filename>/</filename> will be pivoted to the other directory. Both paths must be absolute, and are resolved | |
| 405 | in the container's file system namespace.</para> | |
| 406 | ||
| 407 | <para>This is for containers which have several bootable directories in them; for example, several | |
| 408 | <ulink url="https://ostree.readthedocs.io/en/latest/">OSTree</ulink> deployments. It emulates the behavior of | |
| 409 | the boot loader and initial RAM disk which normally select which directory to mount as the root and start the | |
| 410 | container's PID 1 in.</para></listitem> | |
| 411 | </varlistentry> | |
| 412 | </variablelist> | |
| 413 | ||
| 414 | </refsect2><refsect2> | |
| 415 | <title>Execution Options</title> | |
| 416 | ||
| 417 | <variablelist> | |
| 7732f92b LP |
418 | <varlistentry> |
| 419 | <term><option>-a</option></term> | |
| 420 | <term><option>--as-pid2</option></term> | |
| 421 | ||
| 422 | <listitem><para>Invoke the shell or specified program as process ID (PID) 2 instead of PID 1 (init). By | |
| 3f2d1365 AJ |
423 | default, if neither this option nor <option>--boot</option> is used, the selected program is run as the process |
| 424 | with PID 1, a mode only suitable for programs that are aware of the special semantics that the process with | |
| 425 | PID 1 has on UNIX. For example, it needs to reap all processes reparented to it, and should implement | |
| 7732f92b LP |
426 | <command>sysvinit</command> compatible signal handling (specifically: it needs to reboot on SIGINT, reexecute |
| 427 | on SIGTERM, reload configuration on SIGHUP, and so on). With <option>--as-pid2</option> a minimal stub init | |
| 3f2d1365 | 428 | process is run as PID 1 and the selected program is executed as PID 2 (and hence does not need to implement any |
| 7732f92b LP |
429 | special semantics). The stub init process will reap processes as necessary and react appropriately to |
| 430 | signals. It is recommended to use this mode to invoke arbitrary commands in containers, unless they have been | |
| 431 | modified to run correctly as PID 1. Or in other words: this switch should be used for pretty much all commands, | |
| 432 | except when the command refers to an init or shell implementation, as these are generally capable of running | |
| a6b5216c | 433 | correctly as PID 1. This option may not be combined with <option>--boot</option>.</para> |
| 7732f92b LP |
434 | </listitem> |
| 435 | </varlistentry> | |
| 436 | ||
| 798d3a52 ZJS |
437 | <varlistentry> |
| 438 | <term><option>-b</option></term> | |
| 439 | <term><option>--boot</option></term> | |
| 440 | ||
| 3f2d1365 | 441 | <listitem><para>Automatically search for an init program and invoke it as PID 1, instead of a shell or a user |
| 7732f92b | 442 | supplied program. If this option is used, arguments specified on the command line are used as arguments for the |
| 3f2d1365 | 443 | init program. This option may not be combined with <option>--as-pid2</option>.</para> |
| 7732f92b LP |
444 | |
| 445 | <para>The following table explains the different modes of invocation and relationship to | |
| 446 | <option>--as-pid2</option> (see above):</para> | |
| 447 | ||
| 448 | <table> | |
| 449 | <title>Invocation Mode</title> | |
| 450 | <tgroup cols='2' align='left' colsep='1' rowsep='1'> | |
| 451 | <colspec colname="switch" /> | |
| 452 | <colspec colname="explanation" /> | |
| 453 | <thead> | |
| 454 | <row> | |
| 455 | <entry>Switch</entry> | |
| 456 | <entry>Explanation</entry> | |
| 457 | </row> | |
| 458 | </thead> | |
| 459 | <tbody> | |
| 460 | <row> | |
| 461 | <entry>Neither <option>--as-pid2</option> nor <option>--boot</option> specified</entry> | |
| 4447e799 | 462 | <entry>The passed parameters are interpreted as the command line, which is executed as PID 1 in the container.</entry> |
| 7732f92b LP |
463 | </row> |
| 464 | ||
| 465 | <row> | |
| 466 | <entry><option>--as-pid2</option> specified</entry> | |
| 4447e799 | 467 | <entry>The passed parameters are interpreted as the command line, which is executed as PID 2 in the container. A stub init process is run as PID 1.</entry> |
| 7732f92b LP |
468 | </row> |
| 469 | ||
| 470 | <row> | |
| 471 | <entry><option>--boot</option> specified</entry> | |
| 3f2d1365 | 472 | <entry>An init program is automatically searched for and run as PID 1 in the container. The passed parameters are used as invocation parameters for this process.</entry> |
| 7732f92b LP |
473 | </row> |
| 474 | ||
| 475 | </tbody> | |
| 476 | </tgroup> | |
| 477 | </table> | |
| b09c0bba LP |
478 | |
| 479 | <para>Note that <option>--boot</option> is the default mode of operation if the | |
| 480 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 7732f92b | 481 | </listitem> |
| 798d3a52 ZJS |
482 | </varlistentry> |
| 483 | ||
| 5f932eb9 LP |
484 | <varlistentry> |
| 485 | <term><option>--chdir=</option></term> | |
| 486 | ||
| 487 | <listitem><para>Change to the specified working directory before invoking the process in the container. Expects | |
| 488 | an absolute path in the container's file system namespace.</para></listitem> | |
| 489 | </varlistentry> | |
| 490 | ||
| b53ede69 | 491 | <varlistentry> |
| d99058c9 LP |
492 | <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> |
| 493 | <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> | |
| b53ede69 | 494 | |
| d99058c9 LP |
495 | <listitem><para>Specifies an environment variable assignment |
| 496 | to pass to the init process in the container, in the format | |
| 497 | <literal>NAME=VALUE</literal>. This may be used to override | |
| 498 | the default variables or to set additional variables. This | |
| 499 | parameter may be used more than once.</para></listitem> | |
| b53ede69 PW |
500 | </varlistentry> |
| 501 | ||
| 798d3a52 ZJS |
502 | <varlistentry> |
| 503 | <term><option>-u</option></term> | |
| 504 | <term><option>--user=</option></term> | |
| 505 | ||
| 506 | <listitem><para>After transitioning into the container, change | |
| 507 | to the specified user-defined in the container's user | |
| 508 | database. Like all other systemd-nspawn features, this is not | |
| 509 | a security feature and provides protection against accidental | |
| 510 | destructive operations only.</para></listitem> | |
| 511 | </varlistentry> | |
| 512 | ||
| d99058c9 LP |
513 | <varlistentry> |
| 514 | <term><option>--kill-signal=</option></term> | |
| 515 | ||
| 516 | <listitem><para>Specify the process signal to send to the container's PID 1 when nspawn itself receives | |
| 517 | <constant>SIGTERM</constant>, in order to trigger an orderly shutdown of the container. Defaults to | |
| 518 | <constant>SIGRTMIN+3</constant> if <option>--boot</option> is used (on systemd-compatible init systems | |
| 519 | <constant>SIGRTMIN+3</constant> triggers an orderly shutdown). If <option>--boot</option> is not used and this | |
| 520 | option is not specified the container's processes are terminated abruptly via <constant>SIGKILL</constant>. For | |
| 521 | a list of valid signals, see <citerefentry | |
| 522 | project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem> | |
| 523 | </varlistentry> | |
| 524 | ||
| 525 | <varlistentry> | |
| 526 | <term><option>--notify-ready=</option></term> | |
| 527 | ||
| 528 | <listitem><para>Configures support for notifications from the container's init process. | |
| 529 | <option>--notify-ready=</option> takes a boolean (<option>no</option> and <option>yes</option>). | |
| 530 | With option <option>no</option> systemd-nspawn notifies systemd | |
| 531 | with a <literal>READY=1</literal> message when the init process is created. | |
| 532 | With option <option>yes</option> systemd-nspawn waits for the | |
| 533 | <literal>READY=1</literal> message from the init process in the container | |
| 534 | before sending its own to systemd. For more details about notifications | |
| 535 | see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).</para></listitem> | |
| 536 | </varlistentry> | |
| 537 | </variablelist> | |
| 538 | ||
| 539 | </refsect2><refsect2> | |
| 540 | <title>System Identity Options</title> | |
| 541 | ||
| 542 | <variablelist> | |
| 798d3a52 ZJS |
543 | <varlistentry> |
| 544 | <term><option>-M</option></term> | |
| 545 | <term><option>--machine=</option></term> | |
| 546 | ||
| 547 | <listitem><para>Sets the machine name for this container. This | |
| 548 | name may be used to identify this container during its runtime | |
| 549 | (for example in tools like | |
| 550 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 551 | and similar), and is used to initialize the container's | |
| 552 | hostname (which the container can choose to override, | |
| 553 | however). If not specified, the last component of the root | |
| 554 | directory path of the container is used, possibly suffixed | |
| 555 | with a random identifier in case <option>--ephemeral</option> | |
| 556 | mode is selected. If the root directory selected is the host's | |
| 557 | root directory the host's hostname is used as default | |
| 558 | instead.</para></listitem> | |
| 559 | </varlistentry> | |
| 560 | ||
| 3a9530e5 LP |
561 | <varlistentry> |
| 562 | <term><option>--hostname=</option></term> | |
| 563 | ||
| 564 | <listitem><para>Controls the hostname to set within the container, if different from the machine name. Expects | |
| 565 | a valid hostname as argument. If this option is used, the kernel hostname of the container will be set to this | |
| 566 | value, otherwise it will be initialized to the machine name as controlled by the <option>--machine=</option> | |
| 567 | option described above. The machine name is used for various aspect of identification of the container from the | |
| 568 | outside, the kernel hostname configurable with this option is useful for the container to identify itself from | |
| 569 | the inside. It is usually a good idea to keep both forms of identification synchronized, in order to avoid | |
| 570 | confusion. It is hence recommended to avoid usage of this option, and use <option>--machine=</option> | |
| 571 | exclusively. Note that regardless whether the container's hostname is initialized from the name set with | |
| 572 | <option>--hostname=</option> or the one set with <option>--machine=</option>, the container can later override | |
| 573 | its kernel hostname freely on its own as well.</para> | |
| 574 | </listitem> | |
| 575 | </varlistentry> | |
| 576 | ||
| 798d3a52 ZJS |
577 | <varlistentry> |
| 578 | <term><option>--uuid=</option></term> | |
| 579 | ||
| 580 | <listitem><para>Set the specified UUID for the container. The | |
| 581 | init system will initialize | |
| 582 | <filename>/etc/machine-id</filename> from this if this file is | |
| e01ff70a MS |
583 | not set yet. Note that this option takes effect only if |
| 584 | <filename>/etc/machine-id</filename> in the container is | |
| 585 | unpopulated.</para></listitem> | |
| 798d3a52 | 586 | </varlistentry> |
| d99058c9 | 587 | </variablelist> |
| 798d3a52 | 588 | |
| d99058c9 LP |
589 | </refsect2><refsect2> |
| 590 | <title>Property Options</title> | |
| 591 | ||
| 592 | <variablelist> | |
| 798d3a52 | 593 | <varlistentry> |
| 4deb5503 | 594 | <term><option>-S</option></term> |
| 798d3a52 ZJS |
595 | <term><option>--slice=</option></term> |
| 596 | ||
| cd2dfc6f LP |
597 | <listitem><para>Make the container part of the specified slice, instead of the default |
| 598 | <filename>machine.slice</filename>. This applies only if the machine is run in its own scope unit, i.e. if | |
| 599 | <option>--keep-unit</option> isn't used.</para> | |
| f36933fe LP |
600 | </listitem> |
| 601 | </varlistentry> | |
| 602 | ||
| 603 | <varlistentry> | |
| 604 | <term><option>--property=</option></term> | |
| 605 | ||
| cd2dfc6f LP |
606 | <listitem><para>Set a unit property on the scope unit to register for the machine. This applies only if the |
| 607 | machine is run in its own scope unit, i.e. if <option>--keep-unit</option> isn't used. Takes unit property | |
| 608 | assignments in the same format as <command>systemctl set-property</command>. This is useful to set memory | |
| 609 | limits and similar for container.</para> | |
| 798d3a52 ZJS |
610 | </listitem> |
| 611 | </varlistentry> | |
| 612 | ||
| d99058c9 LP |
613 | <varlistentry> |
| 614 | <term><option>--register=</option></term> | |
| 615 | ||
| 616 | <listitem><para>Controls whether the container is registered with | |
| 617 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes a | |
| 618 | boolean argument, which defaults to <literal>yes</literal>. This option should be enabled when the container | |
| 619 | runs a full Operating System (more specifically: a system and service manager as PID 1), and is useful to | |
| 620 | ensure that the container is accessible via | |
| 621 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and shown by | |
| 622 | tools such as <citerefentry | |
| 623 | project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If the container | |
| 624 | does not run a service manager, it is recommended to set this option to | |
| 625 | <literal>no</literal>.</para></listitem> | |
| 626 | </varlistentry> | |
| 627 | ||
| 628 | <varlistentry> | |
| 629 | <term><option>--keep-unit</option></term> | |
| 630 | ||
| 631 | <listitem><para>Instead of creating a transient scope unit to run the container in, simply use the service or | |
| 632 | scope unit <command>systemd-nspawn</command> has been invoked in. If <option>--register=yes</option> is set | |
| 633 | this unit is registered with | |
| 634 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This | |
| 635 | switch should be used if <command>systemd-nspawn</command> is invoked from within a service unit, and the | |
| 636 | service unit's sole purpose is to run a single <command>systemd-nspawn</command> container. This option is not | |
| 637 | available if run from a user session.</para> | |
| 638 | <para>Note that passing <option>--keep-unit</option> disables the effect of <option>--slice=</option> and | |
| 639 | <option>--property=</option>. Use <option>--keep-unit</option> and <option>--register=no</option> in | |
| 640 | combination to disable any kind of unit allocation or registration with | |
| 641 | <command>systemd-machined</command>.</para></listitem> | |
| 642 | </varlistentry> | |
| 643 | </variablelist> | |
| 644 | ||
| 645 | </refsect2><refsect2> | |
| 646 | <title>User Namespacing Options</title> | |
| 647 | ||
| 648 | <variablelist> | |
| 03cfe0d5 LP |
649 | <varlistentry> |
| 650 | <term><option>--private-users=</option></term> | |
| 651 | ||
| d2e5535f LP |
652 | <listitem><para>Controls user namespacing. If enabled, the container will run with its own private set of UNIX |
| 653 | user and group ids (UIDs and GIDs). This involves mapping the private UIDs/GIDs used in the container (starting | |
| 654 | with the container's root user 0 and up) to a range of UIDs/GIDs on the host that are not used for other | |
| 655 | purposes (usually in the range beyond the host's UID/GID 65536). The parameter may be specified as follows:</para> | |
| 656 | ||
| 657 | <orderedlist> | |
| 2dd67817 | 658 | <listitem><para>If one or two colon-separated numbers are specified, user namespacing is turned on. The first |
| ae209204 ZJS |
659 | parameter specifies the first host UID/GID to assign to the container, the second parameter specifies the |
| 660 | number of host UIDs/GIDs to assign to the container. If the second parameter is omitted, 65536 UIDs/GIDs are | |
| 661 | assigned.</para></listitem> | |
| 662 | ||
| 663 | <listitem><para>If the parameter is omitted, or true, user namespacing is turned on. The UID/GID range to | |
| 664 | use is determined automatically from the file ownership of the root directory of the container's directory | |
| 665 | tree. To use this option, make sure to prepare the directory tree in advance, and ensure that all files and | |
| 666 | directories in it are owned by UIDs/GIDs in the range you'd like to use. Also, make sure that used file ACLs | |
| 667 | exclusively reference UIDs/GIDs in the appropriate range. If this mode is used the number of UIDs/GIDs | |
| 668 | assigned to the container for use is 65536, and the UID/GID of the root directory must be a multiple of | |
| 669 | 65536.</para></listitem> | |
| 670 | ||
| 671 | <listitem><para>If the parameter is false, user namespacing is turned off. This is the default.</para> | |
| 672 | </listitem> | |
| 673 | ||
| 674 | <listitem><para>The special value <literal>pick</literal> turns on user namespacing. In this case the UID/GID | |
| 675 | range is automatically chosen. As first step, the file owner of the root directory of the container's | |
| 676 | directory tree is read, and it is checked that it is currently not used by the system otherwise (in | |
| 677 | particular, that no other container is using it). If this check is successful, the UID/GID range determined | |
| 2dd67817 | 678 | this way is used, similar to the behavior if "yes" is specified. If the check is not successful (and thus |
| ae209204 ZJS |
679 | the UID/GID range indicated in the root directory's file owner is already used elsewhere) a new – currently |
| 680 | unused – UID/GID range of 65536 UIDs/GIDs is randomly chosen between the host UID/GIDs of 524288 and | |
| 681 | 1878982656, always starting at a multiple of 65536. This setting implies | |
| 682 | <option>--private-users-chown</option> (see below), which has the effect that the files and directories in | |
| 683 | the container's directory tree will be owned by the appropriate users of the range picked. Using this option | |
| 2dd67817 | 684 | makes user namespace behavior fully automatic. Note that the first invocation of a previously unused |
| ae209204 ZJS |
685 | container image might result in picking a new UID/GID range for it, and thus in the (possibly expensive) file |
| 686 | ownership adjustment operation. However, subsequent invocations of the container will be cheap (unless of | |
| 687 | course the picked UID/GID range is assigned to a different use by then).</para></listitem> | |
| d2e5535f LP |
688 | </orderedlist> |
| 689 | ||
| 690 | <para>It is recommended to assign at least 65536 UIDs/GIDs to each container, so that the usable UID/GID range in the | |
| 691 | container covers 16 bit. For best security, do not assign overlapping UID/GID ranges to multiple containers. It is | |
| 692 | hence a good idea to use the upper 16 bit of the host 32-bit UIDs/GIDs as container identifier, while the lower 16 | |
| 2dd67817 | 693 | bit encode the container UID/GID used. This is in fact the behavior enforced by the |
| d2e5535f LP |
694 | <option>--private-users=pick</option> option.</para> |
| 695 | ||
| 696 | <para>When user namespaces are used, the GID range assigned to each container is always chosen identical to the | |
| 697 | UID range.</para> | |
| 698 | ||
| 699 | <para>In most cases, using <option>--private-users=pick</option> is the recommended option as it enhances | |
| 700 | container security massively and operates fully automatically in most cases.</para> | |
| 701 | ||
| 702 | <para>Note that the picked UID/GID range is not written to <filename>/etc/passwd</filename> or | |
| 703 | <filename>/etc/group</filename>. In fact, the allocation of the range is not stored persistently anywhere, | |
| aa10469e LP |
704 | except in the file ownership of the files and directories of the container.</para> |
| 705 | ||
| 706 | <para>Note that when user namespacing is used file ownership on disk reflects this, and all of the container's | |
| 707 | files and directories are owned by the container's effective user and group IDs. This means that copying files | |
| 708 | from and to the container image requires correction of the numeric UID/GID values, according to the UID/GID | |
| 709 | shift applied.</para></listitem> | |
| 03cfe0d5 LP |
710 | </varlistentry> |
| 711 | ||
| d2e5535f LP |
712 | <varlistentry> |
| 713 | <term><option>--private-users-chown</option></term> | |
| 714 | ||
| bcf09321 ZJS |
715 | <listitem><para>If specified, all files and directories in the container's directory tree will be |
| 716 | adjusted so that they are owned by the appropriate UIDs/GIDs selected for the container (see above). | |
| 717 | This operation is potentially expensive, as it involves iterating through the full directory tree of | |
| 718 | the container. Besides actual file ownership, file ACLs are adjusted as well.</para> | |
| d2e5535f LP |
719 | |
| 720 | <para>This option is implied if <option>--private-users=pick</option> is used. This option has no effect if | |
| 721 | user namespacing is not used.</para></listitem> | |
| 722 | </varlistentry> | |
| 03cfe0d5 | 723 | |
| 6265bde2 ZJS |
724 | <varlistentry> |
| 725 | <term><option>-U</option></term> | |
| 726 | ||
| 727 | <listitem><para>If the kernel supports the user namespaces feature, equivalent to | |
| 728 | <option>--private-users=pick --private-users-chown</option>, otherwise equivalent to | |
| 729 | <option>--private-users=no</option>.</para> | |
| 730 | ||
| 731 | <para>Note that <option>-U</option> is the default if the | |
| 732 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 733 | ||
| 734 | <para>Note: it is possible to undo the effect of <option>--private-users-chown</option> (or | |
| 735 | <option>-U</option>) on the file system by redoing the operation with the first UID of 0:</para> | |
| 736 | ||
| 737 | <programlisting>systemd-nspawn … --private-users=0 --private-users-chown</programlisting> | |
| 738 | </listitem> | |
| 739 | </varlistentry> | |
| 740 | ||
| d99058c9 LP |
741 | </variablelist> |
| 742 | ||
| 743 | </refsect2><refsect2> | |
| 744 | <title>Networking Options</title> | |
| 745 | ||
| 746 | <variablelist> | |
| 747 | ||
| 798d3a52 ZJS |
748 | <varlistentry> |
| 749 | <term><option>--private-network</option></term> | |
| 750 | ||
| 751 | <listitem><para>Disconnect networking of the container from | |
| 752 | the host. This makes all network interfaces unavailable in the | |
| 753 | container, with the exception of the loopback device and those | |
| 754 | specified with <option>--network-interface=</option> and | |
| 755 | configured with <option>--network-veth</option>. If this | |
| ec562515 | 756 | option is specified, the <constant>CAP_NET_ADMIN</constant> capability will be |
| 798d3a52 | 757 | added to the set of capabilities the container retains. The |
| bc96c63c ZJS |
758 | latter may be disabled by using <option>--drop-capability=</option>. |
| 759 | If this option is not specified (or implied by one of the options | |
| 760 | listed below), the container will have full access to the host network. | |
| 761 | </para></listitem> | |
| 798d3a52 ZJS |
762 | </varlistentry> |
| 763 | ||
| 764 | <varlistentry> | |
| 765 | <term><option>--network-interface=</option></term> | |
| 766 | ||
| 767 | <listitem><para>Assign the specified network interface to the | |
| 768 | container. This will remove the specified interface from the | |
| 769 | calling namespace and place it in the container. When the | |
| 770 | container terminates, it is moved back to the host namespace. | |
| 771 | Note that <option>--network-interface=</option> implies | |
| 772 | <option>--private-network</option>. This option may be used | |
| 773 | more than once to add multiple network interfaces to the | |
| 774 | container.</para></listitem> | |
| 775 | </varlistentry> | |
| 776 | ||
| 777 | <varlistentry> | |
| 778 | <term><option>--network-macvlan=</option></term> | |
| 779 | ||
| 780 | <listitem><para>Create a <literal>macvlan</literal> interface | |
| 781 | of the specified Ethernet network interface and add it to the | |
| 782 | container. A <literal>macvlan</literal> interface is a virtual | |
| 783 | interface that adds a second MAC address to an existing | |
| 784 | physical Ethernet link. The interface in the container will be | |
| 785 | named after the interface on the host, prefixed with | |
| 786 | <literal>mv-</literal>. Note that | |
| 787 | <option>--network-macvlan=</option> implies | |
| 788 | <option>--private-network</option>. This option may be used | |
| 789 | more than once to add multiple network interfaces to the | |
| 790 | container.</para></listitem> | |
| 791 | </varlistentry> | |
| 792 | ||
| 793 | <varlistentry> | |
| 794 | <term><option>--network-ipvlan=</option></term> | |
| 795 | ||
| 796 | <listitem><para>Create an <literal>ipvlan</literal> interface | |
| 797 | of the specified Ethernet network interface and add it to the | |
| 798 | container. An <literal>ipvlan</literal> interface is a virtual | |
| 799 | interface, similar to a <literal>macvlan</literal> interface, | |
| 800 | which uses the same MAC address as the underlying interface. | |
| 801 | The interface in the container will be named after the | |
| 802 | interface on the host, prefixed with <literal>iv-</literal>. | |
| 803 | Note that <option>--network-ipvlan=</option> implies | |
| 804 | <option>--private-network</option>. This option may be used | |
| 805 | more than once to add multiple network interfaces to the | |
| 806 | container.</para></listitem> | |
| 807 | </varlistentry> | |
| 808 | ||
| 809 | <varlistentry> | |
| 810 | <term><option>-n</option></term> | |
| 811 | <term><option>--network-veth</option></term> | |
| 812 | ||
| 5e7423ff LP |
813 | <listitem><para>Create a virtual Ethernet link (<literal>veth</literal>) between host and container. The host |
| 814 | side of the Ethernet link will be available as a network interface named after the container's name (as | |
| 815 | specified with <option>--machine=</option>), prefixed with <literal>ve-</literal>. The container side of the | |
| 816 | Ethernet link will be named <literal>host0</literal>. The <option>--network-veth</option> option implies | |
| 817 | <option>--private-network</option>.</para> | |
| 818 | ||
| 819 | <para>Note that | |
| 820 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 821 | includes by default a network file <filename>/usr/lib/systemd/network/80-container-ve.network</filename> | |
| 822 | matching the host-side interfaces created this way, which contains settings to enable automatic address | |
| 823 | provisioning on the created virtual link via DHCP, as well as automatic IP routing onto the host's external | |
| 824 | network interfaces. It also contains <filename>/usr/lib/systemd/network/80-container-host0.network</filename> | |
| 825 | matching the container-side interface created this way, containing settings to enable client side address | |
| 826 | assignment via DHCP. In case <filename>systemd-networkd</filename> is running on both the host and inside the | |
| 827 | container, automatic IP communication from the container to the host is thus available, with further | |
| 828 | connectivity to the external network.</para> | |
| b09c0bba LP |
829 | |
| 830 | <para>Note that <option>--network-veth</option> is the default if the | |
| 831 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 6cc68362 LP |
832 | |
| 833 | <para>Note that on Linux network interface names may have a length of 15 characters at maximum, while | |
| 834 | container names may have a length up to 64 characters. As this option derives the host-side interface | |
| 835 | name from the container name the name is possibly truncated. Thus, care needs to be taken to ensure | |
| 836 | that interface names remain unique in this case, or even better container names are generally not | |
| bc5ea049 KK |
837 | chosen longer than 12 characters, to avoid the truncation. If the name is truncated, |
| 838 | <command>systemd-nspawn</command> will automatically append a 4-digit hash value to the name to | |
| 839 | reduce the chance of collisions. However, the hash algorithm is not collision-free. (See | |
| 840 | <citerefentry><refentrytitle>systemd.net-naming-scheme</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| 841 | for details on older naming algorithms for this interface). Alternatively, the | |
| 6cc68362 LP |
842 | <option>--network-veth-extra=</option> option may be used, which allows free configuration of the |
| 843 | host-side interface name independently of the container name — but might require a bit more | |
| 844 | additional configuration in case bridging in a fashion similar to <option>--network-bridge=</option> | |
| 845 | is desired.</para> | |
| 5e7423ff | 846 | </listitem> |
| 798d3a52 ZJS |
847 | </varlistentry> |
| 848 | ||
| f6d6bad1 LP |
849 | <varlistentry> |
| 850 | <term><option>--network-veth-extra=</option></term> | |
| 851 | ||
| 852 | <listitem><para>Adds an additional virtual Ethernet link | |
| 853 | between host and container. Takes a colon-separated pair of | |
| 854 | host interface name and container interface name. The latter | |
| 855 | may be omitted in which case the container and host sides will | |
| 856 | be assigned the same name. This switch is independent of | |
| ccddd104 | 857 | <option>--network-veth</option>, and — in contrast — may be |
| f6d6bad1 LP |
858 | used multiple times, and allows configuration of the network |
| 859 | interface names. Note that <option>--network-bridge=</option> | |
| 860 | has no effect on interfaces created with | |
| 861 | <option>--network-veth-extra=</option>.</para></listitem> | |
| 862 | </varlistentry> | |
| 863 | ||
| 798d3a52 ZJS |
864 | <varlistentry> |
| 865 | <term><option>--network-bridge=</option></term> | |
| 866 | ||
| 6cc68362 LP |
867 | <listitem><para>Adds the host side of the Ethernet link created with <option>--network-veth</option> |
| 868 | to the specified Ethernet bridge interface. Expects a valid network interface name of a bridge device | |
| 869 | as argument. Note that <option>--network-bridge=</option> implies <option>--network-veth</option>. If | |
| 870 | this option is used, the host side of the Ethernet link will use the <literal>vb-</literal> prefix | |
| 871 | instead of <literal>ve-</literal>. Regardless of the used naming prefix the same network interface | |
| 872 | name length limits imposed by Linux apply, along with the complications this creates (for details see | |
| 873 | above).</para></listitem> | |
| 798d3a52 ZJS |
874 | </varlistentry> |
| 875 | ||
| 938d2579 LP |
876 | <varlistentry> |
| 877 | <term><option>--network-zone=</option></term> | |
| 878 | ||
| 879 | <listitem><para>Creates a virtual Ethernet link (<literal>veth</literal>) to the container and adds it to an | |
| 880 | automatically managed Ethernet bridge interface. The bridge interface is named after the passed argument, | |
| 881 | prefixed with <literal>vz-</literal>. The bridge interface is automatically created when the first container | |
| 882 | configured for its name is started, and is automatically removed when the last container configured for its | |
| 883 | name exits. Hence, each bridge interface configured this way exists only as long as there's at least one | |
| 884 | container referencing it running. This option is very similar to <option>--network-bridge=</option>, besides | |
| 885 | this automatic creation/removal of the bridge device.</para> | |
| 886 | ||
| 887 | <para>This setting makes it easy to place multiple related containers on a common, virtual Ethernet-based | |
| 888 | broadcast domain, here called a "zone". Each container may only be part of one zone, but each zone may contain | |
| 889 | any number of containers. Each zone is referenced by its name. Names may be chosen freely (as long as they form | |
| 890 | valid network interface names when prefixed with <literal>vz-</literal>), and it is sufficient to pass the same | |
| cf917c27 | 891 | name to the <option>--network-zone=</option> switch of the various concurrently running containers to join |
| 938d2579 LP |
892 | them in one zone.</para> |
| 893 | ||
| 894 | <para>Note that | |
| 895 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 896 | includes by default a network file <filename>/usr/lib/systemd/network/80-container-vz.network</filename> | |
| 897 | matching the bridge interfaces created this way, which contains settings to enable automatic address | |
| 898 | provisioning on the created virtual network via DHCP, as well as automatic IP routing onto the host's external | |
| 899 | network interfaces. Using <option>--network-zone=</option> is hence in most cases fully automatic and | |
| 900 | sufficient to connect multiple local containers in a joined broadcast domain to the host, with further | |
| 901 | connectivity to the external network.</para> | |
| 902 | </listitem> | |
| 903 | </varlistentry> | |
| 904 | ||
| 798d3a52 | 905 | <varlistentry> |
| d99058c9 | 906 | <term><option>--network-namespace-path=</option></term> |
| 798d3a52 | 907 | |
| d99058c9 LP |
908 | <listitem><para>Takes the path to a file representing a kernel |
| 909 | network namespace that the container shall run in. The specified path | |
| 910 | should refer to a (possibly bind-mounted) network namespace file, as | |
| 911 | exposed by the kernel below <filename>/proc/$PID/ns/net</filename>. | |
| 912 | This makes the container enter the given network namespace. One of the | |
| 913 | typical use cases is to give a network namespace under | |
| 914 | <filename>/run/netns</filename> created by <citerefentry | |
| 915 | project='man-pages'><refentrytitle>ip-netns</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 916 | for example, <option>--network-namespace-path=/run/netns/foo</option>. | |
| 917 | Note that this option cannot be used together with other | |
| 918 | network-related options, such as <option>--private-network</option> | |
| 919 | or <option>--network-interface=</option>.</para></listitem> | |
| 920 | </varlistentry> | |
| 921 | ||
| 922 | <varlistentry> | |
| 923 | <term><option>-p</option></term> | |
| 924 | <term><option>--port=</option></term> | |
| 925 | ||
| 926 | <listitem><para>If private networking is enabled, maps an IP | |
| 927 | port on the host onto an IP port on the container. Takes a | |
| 928 | protocol specifier (either <literal>tcp</literal> or | |
| 798d3a52 ZJS |
929 | <literal>udp</literal>), separated by a colon from a host port |
| 930 | number in the range 1 to 65535, separated by a colon from a | |
| 931 | container port number in the range from 1 to 65535. The | |
| 932 | protocol specifier and its separating colon may be omitted, in | |
| 933 | which case <literal>tcp</literal> is assumed. The container | |
| 7c918141 | 934 | port number and its colon may be omitted, in which case the |
| 798d3a52 | 935 | same port as the host port is implied. This option is only |
| a8eaaee7 | 936 | supported if private networking is used, such as with |
| 938d2579 | 937 | <option>--network-veth</option>, <option>--network-zone=</option> |
| 798d3a52 ZJS |
938 | <option>--network-bridge=</option>.</para></listitem> |
| 939 | </varlistentry> | |
| d99058c9 | 940 | </variablelist> |
| 798d3a52 | 941 | |
| d99058c9 LP |
942 | </refsect2><refsect2> |
| 943 | <title>Security Options</title> | |
| 798d3a52 | 944 | |
| d99058c9 | 945 | <variablelist> |
| 798d3a52 ZJS |
946 | <varlistentry> |
| 947 | <term><option>--capability=</option></term> | |
| 948 | ||
| ec562515 ZJS |
949 | <listitem><para>List one or more additional capabilities to grant the container. Takes a |
| 950 | comma-separated list of capability names, see <citerefentry | |
| 951 | project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| a30504ed | 952 | for more information. Note that the following capabilities will be granted in any way: |
| ec562515 ZJS |
953 | <constant>CAP_AUDIT_CONTROL</constant>, <constant>CAP_AUDIT_WRITE</constant>, |
| 954 | <constant>CAP_CHOWN</constant>, <constant>CAP_DAC_OVERRIDE</constant>, | |
| 955 | <constant>CAP_DAC_READ_SEARCH</constant>, <constant>CAP_FOWNER</constant>, | |
| 956 | <constant>CAP_FSETID</constant>, <constant>CAP_IPC_OWNER</constant>, <constant>CAP_KILL</constant>, | |
| 957 | <constant>CAP_LEASE</constant>, <constant>CAP_LINUX_IMMUTABLE</constant>, | |
| 958 | <constant>CAP_MKNOD</constant>, <constant>CAP_NET_BIND_SERVICE</constant>, | |
| 959 | <constant>CAP_NET_BROADCAST</constant>, <constant>CAP_NET_RAW</constant>, | |
| 960 | <constant>CAP_SETFCAP</constant>, <constant>CAP_SETGID</constant>, <constant>CAP_SETPCAP</constant>, | |
| 961 | <constant>CAP_SETUID</constant>, <constant>CAP_SYS_ADMIN</constant>, | |
| 962 | <constant>CAP_SYS_BOOT</constant>, <constant>CAP_SYS_CHROOT</constant>, | |
| 963 | <constant>CAP_SYS_NICE</constant>, <constant>CAP_SYS_PTRACE</constant>, | |
| 964 | <constant>CAP_SYS_RESOURCE</constant>, <constant>CAP_SYS_TTY_CONFIG</constant>. Also | |
| 965 | <constant>CAP_NET_ADMIN</constant> is retained if <option>--private-network</option> is specified. | |
| 966 | If the special value <literal>all</literal> is passed, all capabilities are retained.</para> | |
| 8a99bd0c ZJS |
967 | |
| 968 | <para>If the special value of <literal>help</literal> is passed, the program will print known | |
| 969 | capability names and exit.</para></listitem> | |
| 798d3a52 ZJS |
970 | </varlistentry> |
| 971 | ||
| 972 | <varlistentry> | |
| 973 | <term><option>--drop-capability=</option></term> | |
| 974 | ||
| 975 | <listitem><para>Specify one or more additional capabilities to | |
| 976 | drop for the container. This allows running the container with | |
| 977 | fewer capabilities than the default (see | |
| 8a99bd0c ZJS |
978 | above).</para> |
| 979 | ||
| 980 | <para>If the special value of <literal>help</literal> is passed, the program will print known | |
| 981 | capability names and exit.</para></listitem> | |
| 798d3a52 ZJS |
982 | </varlistentry> |
| 983 | ||
| 66edd963 LP |
984 | <varlistentry> |
| 985 | <term><option>--no-new-privileges=</option></term> | |
| 986 | ||
| 987 | <listitem><para>Takes a boolean argument. Specifies the value of the <constant>PR_SET_NO_NEW_PRIVS</constant> | |
| 988 | flag for the container payload. Defaults to off. When turned on the payload code of the container cannot | |
| 989 | acquire new privileges, i.e. the "setuid" file bit as well as file system capabilities will not have an effect | |
| 990 | anymore. See <citerefentry | |
| 991 | project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details | |
| 992 | about this flag. </para></listitem> | |
| 993 | </varlistentry> | |
| 994 | ||
| 960e4569 LP |
995 | <varlistentry> |
| 996 | <term><option>--system-call-filter=</option></term> | |
| 997 | ||
| 998 | <listitem><para>Alter the system call filter applied to containers. Takes a space-separated list of system call | |
| 999 | names or group names (the latter prefixed with <literal>@</literal>, as listed by the | |
| c7fc3c4c LP |
1000 | <command>syscall-filter</command> command of |
| 1001 | <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Passed | |
| 960e4569 LP |
1002 | system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which case all |
| 1003 | listed system calls are prohibited. If this command line option is used multiple times the configured lists are | |
| 1004 | combined. If both a positive and a negative list (that is one system call list without and one with the | |
| 96bedbe2 LP |
1005 | <literal>~</literal> prefix) are configured, the negative list takes precedence over the positive list. Note |
| 1006 | that <command>systemd-nspawn</command> always implements a system call whitelist (as opposed to a blacklist), | |
| 1007 | and this command line option hence adds or removes entries from the default whitelist, depending on the | |
| 960e4569 LP |
1008 | <literal>~</literal> prefix. Note that the applied system call filter is also altered implicitly if additional |
| 1009 | capabilities are passed using the <command>--capabilities=</command>.</para></listitem> | |
| 1010 | </varlistentry> | |
| 1011 | ||
| d99058c9 LP |
1012 | <varlistentry> |
| 1013 | <term><option>-Z</option></term> | |
| 1014 | <term><option>--selinux-context=</option></term> | |
| 1015 | ||
| 1016 | <listitem><para>Sets the SELinux security context to be used | |
| 1017 | to label processes in the container.</para> | |
| 1018 | </listitem> | |
| 1019 | </varlistentry> | |
| 1020 | ||
| 1021 | <varlistentry> | |
| 1022 | <term><option>-L</option></term> | |
| 1023 | <term><option>--selinux-apifs-context=</option></term> | |
| 1024 | ||
| 1025 | <listitem><para>Sets the SELinux security context to be used | |
| 1026 | to label files in the virtual API file systems in the | |
| 1027 | container.</para> | |
| 1028 | </listitem> | |
| 1029 | </varlistentry> | |
| 1030 | </variablelist> | |
| 1031 | ||
| 1032 | </refsect2><refsect2> | |
| 1033 | <title>Resource Options</title> | |
| 1034 | ||
| 1035 | <variablelist> | |
| 1036 | ||
| bf428efb LP |
1037 | <varlistentry> |
| 1038 | <term><option>--rlimit=</option></term> | |
| 1039 | ||
| 1040 | <listitem><para>Sets the specified POSIX resource limit for the container payload. Expects an assignment of the | |
| 1041 | form | |
| 1042 | <literal><replaceable>LIMIT</replaceable>=<replaceable>SOFT</replaceable>:<replaceable>HARD</replaceable></literal> | |
| 1043 | or <literal><replaceable>LIMIT</replaceable>=<replaceable>VALUE</replaceable></literal>, where | |
| 1044 | <replaceable>LIMIT</replaceable> should refer to a resource limit type, such as | |
| 1045 | <constant>RLIMIT_NOFILE</constant> or <constant>RLIMIT_NICE</constant>. The <replaceable>SOFT</replaceable> and | |
| 1046 | <replaceable>HARD</replaceable> fields should refer to the numeric soft and hard resource limit values. If the | |
| 1b2ad5d9 | 1047 | second form is used, <replaceable>VALUE</replaceable> may specify a value that is used both as soft and hard |
| bf428efb LP |
1048 | limit. In place of a numeric value the special string <literal>infinity</literal> may be used to turn off |
| 1049 | resource limiting for the specific type of resource. This command line option may be used multiple times to | |
| 1b2ad5d9 | 1050 | control limits on multiple limit types. If used multiple times for the same limit type, the last use |
| bf428efb LP |
1051 | wins. For details about resource limits see <citerefentry |
| 1052 | project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>. By default | |
| 1053 | resource limits for the container's init process (PID 1) are set to the same values the Linux kernel originally | |
| 1054 | passed to the host init system. Note that some resource limits are enforced on resources counted per user, in | |
| 1055 | particular <constant>RLIMIT_NPROC</constant>. This means that unless user namespacing is deployed | |
| 1056 | (i.e. <option>--private-users=</option> is used, see above), any limits set will be applied to the resource | |
| 1057 | usage of the same user on all local containers as well as the host. This means particular care needs to be | |
| 1058 | taken with these limits as they might be triggered by possibly less trusted code. Example: | |
| 1059 | <literal>--rlimit=RLIMIT_NOFILE=8192:16384</literal>.</para></listitem> | |
| 1060 | </varlistentry> | |
| 1061 | ||
| 81f345df LP |
1062 | <varlistentry> |
| 1063 | <term><option>--oom-score-adjust=</option></term> | |
| 1064 | ||
| 1065 | <listitem><para>Changes the OOM ("Out Of Memory") score adjustment value for the container payload. This controls | |
| 1066 | <filename>/proc/self/oom_score_adj</filename> which influences the preference with which this container is | |
| 1067 | terminated when memory becomes scarce. For details see <citerefentry | |
| 1068 | project='man-pages'><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>. Takes an | |
| 1069 | integer in the range -1000…1000.</para></listitem> | |
| 1070 | </varlistentry> | |
| 1071 | ||
| d107bb7d LP |
1072 | <varlistentry> |
| 1073 | <term><option>--cpu-affinity=</option></term> | |
| 1074 | ||
| 1075 | <listitem><para>Controls the CPU affinity of the container payload. Takes a comma separated list of CPU numbers | |
| 1076 | or number ranges (the latter's start and end value separated by dashes). See <citerefentry | |
| 1077 | project='man-pages'><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
| 1078 | details.</para></listitem> | |
| 1079 | </varlistentry> | |
| 1080 | ||
| c6c8f6e2 | 1081 | <varlistentry> |
| d99058c9 | 1082 | <term><option>--personality=</option></term> |
| b09c0bba | 1083 | |
| d99058c9 LP |
1084 | <listitem><para>Control the architecture ("personality") |
| 1085 | reported by | |
| 1086 | <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
| 1087 | in the container. Currently, only <literal>x86</literal> and | |
| 1088 | <literal>x86-64</literal> are supported. This is useful when | |
| 1089 | running a 32-bit container on a 64-bit host. If this setting | |
| 1090 | is not used, the personality reported in the container is the | |
| 1091 | same as the one reported on the host.</para></listitem> | |
| 798d3a52 | 1092 | </varlistentry> |
| d99058c9 | 1093 | </variablelist> |
| 798d3a52 | 1094 | |
| d99058c9 LP |
1095 | </refsect2><refsect2> |
| 1096 | <title>Integration Options</title> | |
| 798d3a52 | 1097 | |
| d99058c9 | 1098 | <variablelist> |
| 09d423e9 LP |
1099 | <varlistentry> |
| 1100 | <term><option>--resolv-conf=</option></term> | |
| 1101 | ||
| 1102 | <listitem><para>Configures how <filename>/etc/resolv.conf</filename> inside of the container (i.e. DNS | |
| 1103 | configuration synchronization from host to container) shall be handled. Takes one of <literal>off</literal>, | |
| 1104 | <literal>copy-host</literal>, <literal>copy-static</literal>, <literal>bind-host</literal>, | |
| 1105 | <literal>bind-static</literal>, <literal>delete</literal> or <literal>auto</literal>. If set to | |
| 1106 | <literal>off</literal> the <filename>/etc/resolv.conf</filename> file in the container is left as it is | |
| 1107 | included in the image, and neither modified nor bind mounted over. If set to <literal>copy-host</literal>, the | |
| 1108 | <filename>/etc/resolv.conf</filename> file from the host is copied into the container. Similar, if | |
| 1109 | <literal>bind-host</literal> is used, the file is bind mounted from the host into the container. If set to | |
| 1110 | <literal>copy-static</literal> the static <filename>resolv.conf</filename> file supplied with | |
| 1111 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> is | |
| 1112 | copied into the container, and correspondingly <literal>bind-static</literal> bind mounts it there. If set to | |
| 1113 | <literal>delete</literal> the <filename>/etc/resolv.conf</filename> file in the container is deleted if it | |
| 1114 | exists. Finally, if set to <literal>auto</literal> the file is left as it is if private networking is turned on | |
| 1115 | (see <option>--private-network</option>). Otherwise, if <filename>systemd-resolved.service</filename> is | |
| 1116 | connectible its static <filename>resolv.conf</filename> file is used, and if not the host's | |
| 1117 | <filename>/etc/resolv.conf</filename> file is used. In the latter cases the file is copied if the image is | |
| 1118 | writable, and bind mounted otherwise. It's recommended to use <literal>copy</literal> if the container shall be | |
| 1119 | able to make changes to the DNS configuration on its own, deviating from the host's settings. Otherwise | |
| 1120 | <literal>bind</literal> is preferable, as it means direct changes to <filename>/etc/resolv.conf</filename> in | |
| 1121 | the container are not allowed, as it is a read-only bind mount (but note that if the container has enough | |
| 1122 | privileges, it might simply go ahead and unmount the bind mount anyway). Note that both if the file is bind | |
| 1123 | mounted and if it is copied no further propagation of configuration is generally done after the one-time early | |
| 1124 | initialization (this is because the file is usually updated through copying and renaming). Defaults to | |
| 1125 | <literal>auto</literal>.</para></listitem> | |
| 1126 | </varlistentry> | |
| 1127 | ||
| 1688841f LP |
1128 | <varlistentry> |
| 1129 | <term><option>--timezone=</option></term> | |
| 1130 | ||
| 1131 | <listitem><para>Configures how <filename>/etc/localtime</filename> inside of the container (i.e. local timezone | |
| 1132 | synchronization from host to container) shall be handled. Takes one of <literal>off</literal>, | |
| 1133 | <literal>copy</literal>, <literal>bind</literal>, <literal>symlink</literal>, <literal>delete</literal> or | |
| 1134 | <literal>auto</literal>. If set to <literal>off</literal> the <filename>/etc/localtime</filename> file in the | |
| 1135 | container is left as it is included in the image, and neither modified nor bind mounted over. If set to | |
| 1136 | <literal>copy</literal> the <filename>/etc/localtime</filename> file of the host is copied into the | |
| 1137 | container. Similar, if <literal>bind</literal> is used, it is bind mounted from the host into the container. If | |
| 1138 | set to <literal>symlink</literal> a symlink from <filename>/etc/localtime</filename> in the container is | |
| 1139 | created pointing to the matching the timezone file of the container that matches the timezone setting on the | |
| 1140 | host. If set to <literal>delete</literal> the file in the container is deleted, should it exist. If set to | |
| 1141 | <literal>auto</literal> and the <filename>/etc/localtime</filename> file of the host is a symlink, then | |
| 1142 | <literal>symlink</literal> mode is used, and <literal>copy</literal> otherwise, except if the image is | |
| 1143 | read-only in which case <literal>bind</literal> is used instead. Defaults to | |
| 1144 | <literal>auto</literal>.</para></listitem> | |
| 1145 | </varlistentry> | |
| 1146 | ||
| 798d3a52 | 1147 | <varlistentry> |
| d99058c9 | 1148 | <term><option>--link-journal=</option></term> |
| 798d3a52 | 1149 | |
| d99058c9 LP |
1150 | <listitem><para>Control whether the container's journal shall |
| 1151 | be made visible to the host system. If enabled, allows viewing | |
| 1152 | the container's journal files from the host (but not vice | |
| 1153 | versa). Takes one of <literal>no</literal>, | |
| 1154 | <literal>host</literal>, <literal>try-host</literal>, | |
| 1155 | <literal>guest</literal>, <literal>try-guest</literal>, | |
| 1156 | <literal>auto</literal>. If <literal>no</literal>, the journal | |
| 1157 | is not linked. If <literal>host</literal>, the journal files | |
| 1158 | are stored on the host file system (beneath | |
| 1159 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 1160 | and the subdirectory is bind-mounted into the container at the | |
| 1161 | same location. If <literal>guest</literal>, the journal files | |
| 1162 | are stored on the guest file system (beneath | |
| 1163 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 1164 | and the subdirectory is symlinked into the host at the same | |
| 1165 | location. <literal>try-host</literal> and | |
| 1166 | <literal>try-guest</literal> do the same but do not fail if | |
| 1167 | the host does not have persistent journaling enabled. If | |
| 1168 | <literal>auto</literal> (the default), and the right | |
| 1169 | subdirectory of <filename>/var/log/journal</filename> exists, | |
| 1170 | it will be bind mounted into the container. If the | |
| 1171 | subdirectory does not exist, no linking is performed. | |
| 1172 | Effectively, booting a container once with | |
| 1173 | <literal>guest</literal> or <literal>host</literal> will link | |
| 1174 | the journal persistently if further on the default of | |
| 1175 | <literal>auto</literal> is used.</para> | |
| 1176 | ||
| 1177 | <para>Note that <option>--link-journal=try-guest</option> is the default if the | |
| 1178 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem> | |
| 798d3a52 ZJS |
1179 | </varlistentry> |
| 1180 | ||
| d99058c9 LP |
1181 | <varlistentry> |
| 1182 | <term><option>-j</option></term> | |
| 1183 | ||
| 1184 | <listitem><para>Equivalent to | |
| 1185 | <option>--link-journal=try-guest</option>.</para></listitem> | |
| 1186 | </varlistentry> | |
| 1187 | ||
| 1188 | </variablelist> | |
| 1189 | ||
| 1190 | </refsect2><refsect2> | |
| 1191 | <title>Mount Options</title> | |
| 1192 | ||
| 1193 | <variablelist> | |
| 1194 | ||
| 798d3a52 ZJS |
1195 | <varlistentry> |
| 1196 | <term><option>--bind=</option></term> | |
| 1197 | <term><option>--bind-ro=</option></term> | |
| 1198 | ||
| 86c0dd4a | 1199 | <listitem><para>Bind mount a file or directory from the host into the container. Takes one of: a path |
| c7a4890c LP |
1200 | argument — in which case the specified path will be mounted from the host to the same path in the container, or |
| 1201 | a colon-separated pair of paths — in which case the first specified path is the source in the host, and the | |
| 1202 | second path is the destination in the container, or a colon-separated triple of source path, destination path | |
| 86c0dd4a | 1203 | and mount options. The source path may optionally be prefixed with a <literal>+</literal> character. If so, the |
| c7a4890c LP |
1204 | source path is taken relative to the image's root directory. This permits setting up bind mounts within the |
| 1205 | container image. The source path may be specified as empty string, in which case a temporary directory below | |
| 1206 | the host's <filename>/var/tmp</filename> directory is used. It is automatically removed when the container is | |
| 1207 | shut down. Mount options are comma-separated and currently, only <option>rbind</option> and | |
| 1208 | <option>norbind</option> are allowed, controlling whether to create a recursive or a regular bind | |
| 1209 | mount. Defaults to "rbind". Backslash escapes are interpreted, so <literal>\:</literal> may be used to embed | |
| 1210 | colons in either path. This option may be specified multiple times for creating multiple independent bind | |
| 994a6364 LP |
1211 | mount points. The <option>--bind-ro=</option> option creates read-only bind mounts.</para> |
| 1212 | ||
| 1213 | <para>Note that when this option is used in combination with <option>--private-users</option>, the resulting | |
| 1214 | mount points will be owned by the <constant>nobody</constant> user. That's because the mount and its files and | |
| 1215 | directories continue to be owned by the relevant host users and groups, which do not exist in the container, | |
| 1216 | and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to | |
| 1217 | make them read-only, using <option>--bind-ro=</option>.</para></listitem> | |
| 798d3a52 ZJS |
1218 | </varlistentry> |
| 1219 | ||
| 3d6c3675 LP |
1220 | <varlistentry> |
| 1221 | <term><option>--inaccessible=</option></term> | |
| 1222 | ||
| 1223 | <listitem><para>Make the specified path inaccessible in the container. This over-mounts the specified path | |
| 1224 | (which must exist in the container) with a file node of the same type that is empty and has the most | |
| 1225 | restrictive access mode supported. This is an effective way to mask files, directories and other file system | |
| 1226 | objects from the container payload. This option may be used more than once in case all specified paths are | |
| 1227 | masked.</para></listitem> | |
| 1228 | </varlistentry> | |
| 1229 | ||
| 798d3a52 ZJS |
1230 | <varlistentry> |
| 1231 | <term><option>--tmpfs=</option></term> | |
| 1232 | ||
| b23f1628 LP |
1233 | <listitem><para>Mount a tmpfs file system into the container. Takes a single absolute path argument that |
| 1234 | specifies where to mount the tmpfs instance to (in which case the directory access mode will be chosen as 0755, | |
| 1235 | owned by root/root), or optionally a colon-separated pair of path and mount option string that is used for | |
| 1236 | mounting (in which case the kernel default for access mode and owner will be chosen, unless otherwise | |
| 1237 | specified). Backslash escapes are interpreted in the path, so <literal>\:</literal> may be used to embed colons | |
| 1238 | in the path.</para> | |
| 1239 | ||
| 1240 | <para>Note that this option cannot be used to replace the root file system of the container with a temporary | |
| 1241 | file system. However, the <option>--volatile=</option> option described below provides similar | |
| 1242 | functionality, with a focus on implementing stateless operating system images.</para></listitem> | |
| 798d3a52 ZJS |
1243 | </varlistentry> |
| 1244 | ||
| 5a8af538 LP |
1245 | <varlistentry> |
| 1246 | <term><option>--overlay=</option></term> | |
| 1247 | <term><option>--overlay-ro=</option></term> | |
| 1248 | ||
| 1249 | <listitem><para>Combine multiple directory trees into one | |
| 1250 | overlay file system and mount it into the container. Takes a | |
| 1251 | list of colon-separated paths to the directory trees to | |
| 1252 | combine and the destination mount point.</para> | |
| 1253 | ||
| 2eadf91c RM |
1254 | <para>Backslash escapes are interpreted in the paths, so |
| 1255 | <literal>\:</literal> may be used to embed colons in the paths. | |
| 1256 | </para> | |
| 1257 | ||
| 5a8af538 LP |
1258 | <para>If three or more paths are specified, then the last |
| 1259 | specified path is the destination mount point in the | |
| 1260 | container, all paths specified before refer to directory trees | |
| 1261 | on the host and are combined in the specified order into one | |
| 1262 | overlay file system. The left-most path is hence the lowest | |
| 1263 | directory tree, the second-to-last path the highest directory | |
| 1264 | tree in the stacking order. If <option>--overlay-ro=</option> | |
| b938cb90 | 1265 | is used instead of <option>--overlay=</option>, a read-only |
| 5a8af538 | 1266 | overlay file system is created. If a writable overlay file |
| b938cb90 | 1267 | system is created, all changes made to it are written to the |
| 5a8af538 LP |
1268 | highest directory tree in the stacking order, i.e. the |
| 1269 | second-to-last specified.</para> | |
| 1270 | ||
| 1271 | <para>If only two paths are specified, then the second | |
| 1272 | specified path is used both as the top-level directory tree in | |
| 1273 | the stacking order as seen from the host, as well as the mount | |
| 1274 | point for the overlay file system in the container. At least | |
| 1275 | two paths have to be specified.</para> | |
| 1276 | ||
| 86c0dd4a | 1277 | <para>The source paths may optionally be prefixed with <literal>+</literal> character. If so they are taken |
| c7a4890c LP |
1278 | relative to the image's root directory. The uppermost source path may also be specified as empty string, in |
| 1279 | which case a temporary directory below the host's <filename>/var/tmp</filename> is used. The directory is | |
| 1280 | removed automatically when the container is shut down. This behaviour is useful in order to make read-only | |
| 1281 | container directories writable while the container is running. For example, use the | |
| 1282 | <literal>--overlay=+/var::/var</literal> option in order to automatically overlay a writable temporary | |
| 1283 | directory on a read-only <filename>/var</filename> directory.</para> | |
| 86c0dd4a | 1284 | |
| 5a8af538 LP |
1285 | <para>For details about overlay file systems, see <ulink |
| 1286 | url="https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt">overlayfs.txt</ulink>. Note | |
| 1287 | that the semantics of overlay file systems are substantially | |
| 1288 | different from normal file systems, in particular regarding | |
| 1289 | reported device and inode information. Device and inode | |
| 1290 | information may change for a file while it is being written | |
| 1291 | to, and processes might see out-of-date versions of files at | |
| 1292 | times. Note that this switch automatically derives the | |
| 1293 | <literal>workdir=</literal> mount option for the overlay file | |
| 1294 | system from the top-level directory tree, making it a sibling | |
| 1295 | of it. It is hence essential that the top-level directory tree | |
| 1296 | is not a mount point itself (since the working directory must | |
| 1297 | be on the same file system as the top-most directory | |
| 1298 | tree). Also note that the <literal>lowerdir=</literal> mount | |
| 1299 | option receives the paths to stack in the opposite order of | |
| b23f1628 LP |
1300 | this switch.</para> |
| 1301 | ||
| 1302 | <para>Note that this option cannot be used to replace the root file system of the container with an overlay | |
| d99058c9 | 1303 | file system. However, the <option>--volatile=</option> option described above provides similar functionality, |
| b23f1628 | 1304 | with a focus on implementing stateless operating system images.</para></listitem> |
| 5a8af538 | 1305 | </varlistentry> |
| d99058c9 | 1306 | </variablelist> |
| 5a8af538 | 1307 | |
| d99058c9 LP |
1308 | </refsect2><refsect2> |
| 1309 | <title>Input/Output Options</title> | |
| 798d3a52 | 1310 | |
| d99058c9 | 1311 | <variablelist> |
| 3d6c3675 LP |
1312 | <varlistentry> |
| 1313 | <term><option>--console=</option><replaceable>MODE</replaceable></term> | |
| 1314 | ||
| 7a25ba55 ZJS |
1315 | <listitem><para>Configures how to set up standard input, output and error output for the container |
| 1316 | payload, as well as the <filename>/dev/console</filename> device for the container. Takes one of | |
| 1317 | <option>interactive</option>, <option>read-only</option>, <option>passive</option>, or | |
| 1318 | <option>pipe</option>. If <option>interactive</option>, a pseudo-TTY is allocated and made available | |
| 1319 | as <filename>/dev/console</filename> in the container. It is then bi-directionally connected to the | |
| 1320 | standard input and output passed to <command>systemd-nspawn</command>. <option>read-only</option> is | |
| 1321 | similar but only the output of the container is propagated and no input from the caller is read. If | |
| 1322 | <option>passive</option>, a pseudo TTY is allocated, but it is not connected anywhere. Finally, in | |
| 1323 | <option>pipe</option> mode no pseudo TTY is allocated, but the standard input, output and error | |
| 1324 | output file descriptors passed to <command>systemd-nspawn</command> are passed on — as they are — to | |
| 1325 | the container payload, see the following paragraph. Defaults to <option>interactive</option> if | |
| 3d6c3675 | 1326 | <command>systemd-nspawn</command> is invoked from a terminal, and <option>read-only</option> |
| 7a25ba55 ZJS |
1327 | otherwise.</para> |
| 1328 | ||
| 1329 | <para>In <option>pipe</option> mode, <filename>/dev/console</filename> will not exist in the | |
| 1330 | container. This means that the container payload generally cannot be a full init system as init | |
| 1331 | systems tend to require <filename>/dev/console</filename> to be available. On the other hand, in this | |
| 1332 | mode container invocations can be used within shell pipelines. This is because intermediary pseudo | |
| 1333 | TTYs do not permit independent bidirectional propagation of the end-of-file (EOF) condition, which is | |
| 1334 | necessary for shell pipelines to work correctly. <emphasis>Note that the <option>pipe</option> mode | |
| 1335 | should be used carefully</emphasis>, as passing arbitrary file descriptors to less trusted container | |
| 1336 | payloads might open up unwanted interfaces for access by the container payload. For example, if a | |
| 1337 | passed file descriptor refers to a TTY of some form, APIs such as <constant>TIOCSTI</constant> may be | |
| 1338 | used to synthesize input that might be used for escaping the container. Hence <option>pipe</option> | |
| 1339 | mode should only be used if the payload is sufficiently trusted or when the standard | |
| 1340 | input/output/error output file descriptors are known safe, for example pipes.</para></listitem> | |
| 3d6c3675 LP |
1341 | </varlistentry> |
| 1342 | ||
| 1343 | <varlistentry> | |
| 1344 | <term><option>--pipe</option></term> | |
| 1345 | <term><option>-P</option></term> | |
| 1346 | ||
| 1347 | <listitem><para>Equivalent to <option>--console=pipe</option>.</para></listitem> | |
| 1348 | </varlistentry> | |
| 1349 | ||
| bb068de0 | 1350 | <xi:include href="standard-options.xml" xpointer="no-pager" /> |
| 798d3a52 ZJS |
1351 | <xi:include href="standard-options.xml" xpointer="help" /> |
| 1352 | <xi:include href="standard-options.xml" xpointer="version" /> | |
| 1353 | </variablelist> | |
| d99058c9 | 1354 | </refsect2> |
| 798d3a52 ZJS |
1355 | </refsect1> |
| 1356 | ||
| bb068de0 ZJS |
1357 | <xi:include href="less-variables.xml" /> |
| 1358 | ||
| 798d3a52 ZJS |
1359 | <refsect1> |
| 1360 | <title>Examples</title> | |
| 1361 | ||
| 1362 | <example> | |
| 12c4ee0a ZJS |
1363 | <title>Download a |
| 1364 | <ulink url="https://getfedora.org">Fedora</ulink> image and start a shell in it</title> | |
| 798d3a52 | 1365 | |
| 3797fd0a | 1366 | <programlisting># machinectl pull-raw --verify=no \ |
| b12a67ae AZ |
1367 | https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz \ |
| 1368 | Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64 | |
| 1369 | # systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64</programlisting> | |
| e0ea94c1 | 1370 | |
| 798d3a52 ZJS |
1371 | <para>This downloads an image using |
| 1372 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 1373 | and opens a shell in it.</para> | |
| 1374 | </example> | |
| e0ea94c1 | 1375 | |
| 798d3a52 ZJS |
1376 | <example> |
| 1377 | <title>Build and boot a minimal Fedora distribution in a container</title> | |
| 8f7a3c14 | 1378 | |
| 7a8aa0ec | 1379 | <programlisting># dnf -y --releasever=&fedora_latest_version; --installroot=/var/lib/machines/f&fedora_latest_version; \ |
| 3797fd0a | 1380 | --disablerepo='*' --enablerepo=fedora --enablerepo=updates install \ |
| a345d5c1 | 1381 | systemd passwd dnf fedora-release vim-minimal glibc-minimal-langpack |
| 7a8aa0ec | 1382 | # systemd-nspawn -bD /var/lib/machines/f&fedora_latest_version;</programlisting> |
| 8f7a3c14 | 1383 | |
| 798d3a52 | 1384 | <para>This installs a minimal Fedora distribution into the |
| b0343f8c | 1385 | directory <filename index="false">/var/lib/machines/f&fedora_latest_version;</filename> |
| 55107232 ZJS |
1386 | and then boots an OS in a namespace container in it. Because the installation |
| 1387 | is located underneath the standard <filename>/var/lib/machines/</filename> | |
| 1388 | directory, it is also possible to start the machine using | |
| 7a8aa0ec | 1389 | <command>systemd-nspawn -M f&fedora_latest_version;</command>.</para> |
| 798d3a52 | 1390 | </example> |
| 8f7a3c14 | 1391 | |
| 798d3a52 ZJS |
1392 | <example> |
| 1393 | <title>Spawn a shell in a container of a minimal Debian unstable distribution</title> | |
| 8f7a3c14 | 1394 | |
| 7f8b3d1d | 1395 | <programlisting># debootstrap unstable ~/debian-tree/ |
| 25f5971b | 1396 | # systemd-nspawn -D ~/debian-tree/</programlisting> |
| 8f7a3c14 | 1397 | |
| 798d3a52 ZJS |
1398 | <para>This installs a minimal Debian unstable distribution into |
| 1399 | the directory <filename>~/debian-tree/</filename> and then | |
| 1400 | spawns a shell in a namespace container in it.</para> | |
| 12c4ee0a ZJS |
1401 | |
| 1402 | <para><command>debootstrap</command> supports | |
| 1403 | <ulink url="https://www.debian.org">Debian</ulink>, | |
| 1404 | <ulink url="https://www.ubuntu.com">Ubuntu</ulink>, | |
| 1405 | and <ulink url="https://www.tanglu.org">Tanglu</ulink> | |
| 1406 | out of the box, so the same command can be used to install any of those. For other | |
| 1407 | distributions from the Debian family, a mirror has to be specified, see | |
| 1408 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
| 1409 | </para> | |
| 798d3a52 | 1410 | </example> |
| 8f7a3c14 | 1411 | |
| 798d3a52 | 1412 | <example> |
| 12c4ee0a ZJS |
1413 | <title>Boot a minimal |
| 1414 | <ulink url="https://www.archlinux.org">Arch Linux</ulink> distribution in a container</title> | |
| 68562936 | 1415 | |
| 9a027075 | 1416 | <programlisting># pacstrap -c ~/arch-tree/ base |
| 68562936 WG |
1417 | # systemd-nspawn -bD ~/arch-tree/</programlisting> |
| 1418 | ||
| ff9b60f3 | 1419 | <para>This installs a minimal Arch Linux distribution into the |
| 798d3a52 ZJS |
1420 | directory <filename>~/arch-tree/</filename> and then boots an OS |
| 1421 | in a namespace container in it.</para> | |
| 1422 | </example> | |
| 68562936 | 1423 | |
| f518ee04 | 1424 | <example> |
| 12c4ee0a ZJS |
1425 | <title>Install the |
| 1426 | <ulink url="https://software.opensuse.org/distributions/tumbleweed">OpenSUSE Tumbleweed</ulink> | |
| 1427 | rolling distribution</title> | |
| f518ee04 ZJS |
1428 | |
| 1429 | <programlisting># zypper --root=/var/lib/machines/tumbleweed ar -c \ | |
| 1430 | https://download.opensuse.org/tumbleweed/repo/oss tumbleweed | |
| 1431 | # zypper --root=/var/lib/machines/tumbleweed refresh | |
| 1432 | # zypper --root=/var/lib/machines/tumbleweed install --no-recommends \ | |
| 1433 | systemd shadow zypper openSUSE-release vim | |
| 1434 | # systemd-nspawn -M tumbleweed passwd root | |
| 1435 | # systemd-nspawn -M tumbleweed -b</programlisting> | |
| 1436 | </example> | |
| 1437 | ||
| 798d3a52 | 1438 | <example> |
| 17cbb288 | 1439 | <title>Boot into an ephemeral snapshot of the host system</title> |
| f9f4dd51 | 1440 | |
| 798d3a52 | 1441 | <programlisting># systemd-nspawn -D / -xb</programlisting> |
| f9f4dd51 | 1442 | |
| 17cbb288 LP |
1443 | <para>This runs a copy of the host system in a snapshot which is removed immediately when the container |
| 1444 | exits. All file system changes made during runtime will be lost on shutdown, hence.</para> | |
| 798d3a52 | 1445 | </example> |
| f9f4dd51 | 1446 | |
| 798d3a52 ZJS |
1447 | <example> |
| 1448 | <title>Run a container with SELinux sandbox security contexts</title> | |
| a8828ed9 | 1449 | |
| 798d3a52 | 1450 | <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container |
| 3797fd0a ZJS |
1451 | # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 \ |
| 1452 | -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting> | |
| 798d3a52 | 1453 | </example> |
| b53ede69 PW |
1454 | |
| 1455 | <example> | |
| 1456 | <title>Run a container with an OSTree deployment</title> | |
| 1457 | ||
| 3797fd0a ZJS |
1458 | <programlisting># systemd-nspawn -b -i ~/image.raw \ |
| 1459 | --pivot-root=/ostree/deploy/$OS/deploy/$CHECKSUM:/sysroot \ | |
| 1460 | --bind=+/sysroot/ostree/deploy/$OS/var:/var</programlisting> | |
| b53ede69 | 1461 | </example> |
| 798d3a52 ZJS |
1462 | </refsect1> |
| 1463 | ||
| 1464 | <refsect1> | |
| 1465 | <title>Exit status</title> | |
| 1466 | ||
| 1467 | <para>The exit code of the program executed in the container is | |
| 1468 | returned.</para> | |
| 1469 | </refsect1> | |
| 1470 | ||
| 1471 | <refsect1> | |
| 1472 | <title>See Also</title> | |
| 1473 | <para> | |
| 1474 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| f757855e | 1475 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| 798d3a52 ZJS |
1476 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| 1477 | <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 798d3a52 ZJS |
1478 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| 1479 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| f518ee04 | 1480 | <citerefentry project='mankier'><refentrytitle>zypper</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| 798d3a52 ZJS |
1481 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| 1482 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 3ba3a79d | 1483 | <citerefentry project='man-pages'><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| 798d3a52 ZJS |
1484 | </para> |
| 1485 | </refsect1> | |
| 8f7a3c14 LP |
1486 | |
| 1487 | </refentry> |