projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| 514094f9 | 1 | <?xml version='1.0'?> |
| 3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
| 7a8aa0ec | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
| 336351dc KC |
4 | <!ENTITY fedora_latest_version "30"> |
| 5 | <!ENTITY fedora_cloud_release "1.2"> | |
| 7a8aa0ec | 6 | ]> |
| 0307f791 | 7 | <!-- SPDX-License-Identifier: LGPL-2.1+ --> |
| 8f7a3c14 | 8 | |
| dfdebb1b | 9 | <refentry id="systemd-nspawn" |
| 798d3a52 ZJS |
10 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
| 11 | ||
| 12 | <refentryinfo> | |
| 13 | <title>systemd-nspawn</title> | |
| 14 | <productname>systemd</productname> | |
| 798d3a52 ZJS |
15 | </refentryinfo> |
| 16 | ||
| 17 | <refmeta> | |
| 18 | <refentrytitle>systemd-nspawn</refentrytitle> | |
| 19 | <manvolnum>1</manvolnum> | |
| 20 | </refmeta> | |
| 21 | ||
| 22 | <refnamediv> | |
| 23 | <refname>systemd-nspawn</refname> | |
| a7e2e50d | 24 | <refpurpose>Spawn a command or OS in a light-weight container</refpurpose> |
| 798d3a52 ZJS |
25 | </refnamediv> |
| 26 | ||
| 27 | <refsynopsisdiv> | |
| 28 | <cmdsynopsis> | |
| 29 | <command>systemd-nspawn</command> | |
| 30 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
| 31 | <arg choice="opt"><replaceable>COMMAND</replaceable> | |
| 32 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 33 | </arg> | |
| 34 | </cmdsynopsis> | |
| 35 | <cmdsynopsis> | |
| 36 | <command>systemd-nspawn</command> | |
| 4447e799 | 37 | <arg choice="plain">--boot</arg> |
| 798d3a52 ZJS |
38 | <arg choice="opt" rep="repeat">OPTIONS</arg> |
| 39 | <arg choice="opt" rep="repeat">ARGS</arg> | |
| 40 | </cmdsynopsis> | |
| 41 | </refsynopsisdiv> | |
| 42 | ||
| 43 | <refsect1> | |
| 44 | <title>Description</title> | |
| 45 | ||
| b09c0bba LP |
46 | <para><command>systemd-nspawn</command> may be used to run a command or OS in a light-weight namespace |
| 47 | container. In many ways it is similar to <citerefentry | |
| 48 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but more powerful | |
| 49 | since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and | |
| 50 | the host and domain name.</para> | |
| 51 | ||
| 5164c3b4 | 52 | <para><command>systemd-nspawn</command> may be invoked on any directory tree containing an operating system tree, |
| b09c0bba | 53 | using the <option>--directory=</option> command line option. By using the <option>--machine=</option> option an OS |
| 5164c3b4 | 54 | tree is automatically searched for in a couple of locations, most importantly in |
| a7e2e50d | 55 | <filename>/var/lib/machines</filename>, the suggested directory to place OS container images installed on the |
| b09c0bba LP |
56 | system.</para> |
| 57 | ||
| 58 | <para>In contrast to <citerefentry | |
| 59 | project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command> | |
| 60 | may be used to boot full Linux-based operating systems in a container.</para> | |
| 61 | ||
| 62 | <para><command>systemd-nspawn</command> limits access to various kernel interfaces in the container to read-only, | |
| 63 | such as <filename>/sys</filename>, <filename>/proc/sys</filename> or <filename>/sys/fs/selinux</filename>. The | |
| 64 | host's network interfaces and the system clock may not be changed from within the container. Device nodes may not | |
| 65 | be created. The host system cannot be rebooted and kernel modules may not be loaded from within the | |
| 798d3a52 ZJS |
66 | container.</para> |
| 67 | ||
| b09c0bba LP |
68 | <para>Use a tool like <citerefentry |
| 69 | project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry | |
| 70 | project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or | |
| 71 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry> to | |
| 72 | set up an OS directory tree suitable as file system hierarchy for <command>systemd-nspawn</command> containers. See | |
| 73 | the Examples section below for details on suitable invocation of these commands.</para> | |
| 74 | ||
| 75 | <para>As a safety check <command>systemd-nspawn</command> will verify the existence of | |
| 76 | <filename>/usr/lib/os-release</filename> or <filename>/etc/os-release</filename> in the container tree before | |
| 77 | starting the container (see | |
| 78 | <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It might be | |
| 79 | necessary to add this file to the container tree manually if the OS of the container is too old to contain this | |
| 798d3a52 | 80 | file out-of-the-box.</para> |
| b09c0bba LP |
81 | |
| 82 | <para><command>systemd-nspawn</command> may be invoked directly from the interactive command line or run as system | |
| 83 | service in the background. In this mode each container instance runs as its own service instance; a default | |
| 84 | template unit file <filename>systemd-nspawn@.service</filename> is provided to make this easy, taking the container | |
| 85 | name as instance identifier. Note that different default options apply when <command>systemd-nspawn</command> is | |
| 6dd6a9c4 | 86 | invoked by the template unit file than interactively on the command line. Most importantly the template unit file |
| b09c0bba | 87 | makes use of the <option>--boot</option> which is not the default in case <command>systemd-nspawn</command> is |
| 6dd6a9c4 | 88 | invoked from the interactive command line. Further differences with the defaults are documented along with the |
| b09c0bba LP |
89 | various supported options below.</para> |
| 90 | ||
| 91 | <para>The <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool may | |
| 92 | be used to execute a number of operations on containers. In particular it provides easy-to-use commands to run | |
| 93 | containers as system services using the <filename>systemd-nspawn@.service</filename> template unit | |
| 94 | file.</para> | |
| 95 | ||
| 96 | <para>Along with each container a settings file with the <filename>.nspawn</filename> suffix may exist, containing | |
| 97 | additional settings to apply when running the container. See | |
| 98 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry> for | |
| 99 | details. Settings files override the default options used by the <filename>systemd-nspawn@.service</filename> | |
| 100 | template unit file, making it usually unnecessary to alter this template file directly.</para> | |
| 101 | ||
| 102 | <para>Note that <command>systemd-nspawn</command> will mount file systems private to the container to | |
| 103 | <filename>/dev</filename>, <filename>/run</filename> and similar. These will not be visible outside of the | |
| 104 | container, and their contents will be lost when the container exits.</para> | |
| 105 | ||
| 106 | <para>Note that running two <command>systemd-nspawn</command> containers from the same directory tree will not make | |
| 107 | processes in them see each other. The PID namespace separation of the two containers is complete and the containers | |
| 108 | will share very few runtime objects except for the underlying file system. Use | |
| 109 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
| 110 | <command>login</command> or <command>shell</command> commands to request an additional login session in a running | |
| 111 | container.</para> | |
| 112 | ||
| 113 | <para><command>systemd-nspawn</command> implements the <ulink | |
| 28a0ad81 | 114 | url="https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container Interface</ulink> |
| b09c0bba LP |
115 | specification.</para> |
| 116 | ||
| 117 | <para>While running, containers invoked with <command>systemd-nspawn</command> are registered with the | |
| 118 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry> service that | |
| 119 | keeps track of running containers, and provides programming interfaces to interact with them.</para> | |
| 798d3a52 ZJS |
120 | </refsect1> |
| 121 | ||
| 122 | <refsect1> | |
| 123 | <title>Options</title> | |
| 124 | ||
| 125 | <para>If option <option>-b</option> is specified, the arguments | |
| 3f2d1365 | 126 | are used as arguments for the init program. Otherwise, |
| 798d3a52 ZJS |
127 | <replaceable>COMMAND</replaceable> specifies the program to launch |
| 128 | in the container, and the remaining arguments are used as | |
| b09c0bba | 129 | arguments for this program. If <option>--boot</option> is not used and |
| ff9b60f3 | 130 | no arguments are specified, a shell is launched in the |
| 798d3a52 ZJS |
131 | container.</para> |
| 132 | ||
| 133 | <para>The following options are understood:</para> | |
| 134 | ||
| 135 | <variablelist> | |
| d99058c9 LP |
136 | |
| 137 | <varlistentry> | |
| 138 | <term><option>-q</option></term> | |
| 139 | <term><option>--quiet</option></term> | |
| 140 | ||
| 141 | <listitem><para>Turns off any status output by the tool | |
| 142 | itself. When this switch is used, the only output from nspawn | |
| 143 | will be the console output of the container OS | |
| 144 | itself.</para></listitem> | |
| 145 | </varlistentry> | |
| 146 | ||
| 147 | <varlistentry> | |
| 148 | <term><option>--settings=</option><replaceable>MODE</replaceable></term> | |
| 149 | ||
| 150 | <listitem><para>Controls whether | |
| 151 | <command>systemd-nspawn</command> shall search for and use | |
| 152 | additional per-container settings from | |
| 153 | <filename>.nspawn</filename> files. Takes a boolean or the | |
| 154 | special values <option>override</option> or | |
| 155 | <option>trusted</option>.</para> | |
| 156 | ||
| 157 | <para>If enabled (the default), a settings file named after the | |
| 158 | machine (as specified with the <option>--machine=</option> | |
| 159 | setting, or derived from the directory or image file name) | |
| 160 | with the suffix <filename>.nspawn</filename> is searched in | |
| 161 | <filename>/etc/systemd/nspawn/</filename> and | |
| 162 | <filename>/run/systemd/nspawn/</filename>. If it is found | |
| 163 | there, its settings are read and used. If it is not found | |
| 164 | there, it is subsequently searched in the same directory as the | |
| 165 | image file or in the immediate parent of the root directory of | |
| 166 | the container. In this case, if the file is found, its settings | |
| 167 | will be also read and used, but potentially unsafe settings | |
| 168 | are ignored. Note that in both these cases, settings on the | |
| 169 | command line take precedence over the corresponding settings | |
| 170 | from loaded <filename>.nspawn</filename> files, if both are | |
| 171 | specified. Unsafe settings are considered all settings that | |
| 172 | elevate the container's privileges or grant access to | |
| 173 | additional resources such as files or directories of the | |
| 174 | host. For details about the format and contents of | |
| 175 | <filename>.nspawn</filename> files, consult | |
| 176 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> | |
| 177 | ||
| 178 | <para>If this option is set to <option>override</option>, the | |
| 179 | file is searched, read and used the same way, however, the order of | |
| 180 | precedence is reversed: settings read from the | |
| 181 | <filename>.nspawn</filename> file will take precedence over | |
| 182 | the corresponding command line options, if both are | |
| 183 | specified.</para> | |
| 184 | ||
| 185 | <para>If this option is set to <option>trusted</option>, the | |
| 186 | file is searched, read and used the same way, but regardless | |
| 187 | of being found in <filename>/etc/systemd/nspawn/</filename>, | |
| 188 | <filename>/run/systemd/nspawn/</filename> or next to the image | |
| 189 | file or container root directory, all settings will take | |
| 190 | effect, however, command line arguments still take precedence | |
| 191 | over corresponding settings.</para> | |
| 192 | ||
| 193 | <para>If disabled, no <filename>.nspawn</filename> file is read | |
| 194 | and no settings except the ones on the command line are in | |
| 195 | effect.</para></listitem> | |
| 196 | </varlistentry> | |
| 197 | ||
| 198 | </variablelist> | |
| 199 | ||
| 200 | <refsect2> | |
| 201 | <title>Image Options</title> | |
| 202 | ||
| 203 | <variablelist> | |
| 204 | ||
| 798d3a52 ZJS |
205 | <varlistentry> |
| 206 | <term><option>-D</option></term> | |
| 207 | <term><option>--directory=</option></term> | |
| 208 | ||
| 209 | <listitem><para>Directory to use as file system root for the | |
| 210 | container.</para> | |
| 211 | ||
| 212 | <para>If neither <option>--directory=</option>, nor | |
| 213 | <option>--image=</option> is specified the directory is | |
| 32b64cce RM |
214 | determined by searching for a directory named the same as the |
| 215 | machine name specified with <option>--machine=</option>. See | |
| 216 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 217 | section "Files and Directories" for the precise search path.</para> | |
| 218 | ||
| 219 | <para>If neither <option>--directory=</option>, | |
| 220 | <option>--image=</option>, nor <option>--machine=</option> | |
| 221 | are specified, the current directory will | |
| 222 | be used. May not be specified together with | |
| 798d3a52 ZJS |
223 | <option>--image=</option>.</para></listitem> |
| 224 | </varlistentry> | |
| 225 | ||
| 226 | <varlistentry> | |
| 227 | <term><option>--template=</option></term> | |
| 228 | ||
| 3f2fa834 LP |
229 | <listitem><para>Directory or <literal>btrfs</literal> subvolume to use as template for the |
| 230 | container's root directory. If this is specified and the container's root directory (as configured by | |
| 231 | <option>--directory=</option>) does not yet exist it is created as <literal>btrfs</literal> snapshot | |
| 232 | (if supported) or plain directory (otherwise) and populated from this template tree. Ideally, the | |
| 233 | specified template path refers to the root of a <literal>btrfs</literal> subvolume, in which case a | |
| 234 | simple copy-on-write snapshot is taken, and populating the root directory is instant. If the | |
| 235 | specified template path does not refer to the root of a <literal>btrfs</literal> subvolume (or not | |
| 236 | even to a <literal>btrfs</literal> file system at all), the tree is copied (though possibly in a | |
| 237 | 'reflink' copy-on-write scheme — if the file system supports that), which can be substantially more | |
| 238 | time-consuming. Note that the snapshot taken is of the specified directory or subvolume, including | |
| 239 | all subdirectories and subvolumes below it, but excluding any sub-mounts. May not be specified | |
| 240 | together with <option>--image=</option> or <option>--ephemeral</option>.</para> | |
| 3fe22bb4 LP |
241 | |
| 242 | <para>Note that this switch leaves host name, machine ID and | |
| 243 | all other settings that could identify the instance | |
| 244 | unmodified.</para></listitem> | |
| 798d3a52 ZJS |
245 | </varlistentry> |
| 246 | ||
| 247 | <varlistentry> | |
| 248 | <term><option>-x</option></term> | |
| 249 | <term><option>--ephemeral</option></term> | |
| 250 | ||
| 0f3be6ca LP |
251 | <listitem><para>If specified, the container is run with a temporary snapshot of its file system that is removed |
| 252 | immediately when the container terminates. May not be specified together with | |
| 3fe22bb4 | 253 | <option>--template=</option>.</para> |
| 3f2fa834 LP |
254 | <para>Note that this switch leaves host name, machine ID and all other settings that could identify |
| 255 | the instance unmodified. Please note that — as with <option>--template=</option> — taking the | |
| 256 | temporary snapshot is more efficient on file systems that support subvolume snapshots or 'reflinks' | |
| 257 | natively (<literal>btrfs</literal> or new <literal>xfs</literal>) than on more traditional file | |
| 258 | systems that do not (<literal>ext4</literal>). Note that the snapshot taken is of the specified | |
| 259 | directory or subvolume, including all subdirectories and subvolumes below it, but excluding any | |
| 260 | sub-mounts.</para> | |
| b23f1628 LP |
261 | |
| 262 | <para>With this option no modifications of the container image are retained. Use | |
| 263 | <option>--volatile=</option> (described below) for other mechanisms to restrict persistency of | |
| 264 | container images during runtime.</para> | |
| 265 | </listitem> | |
| 798d3a52 ZJS |
266 | </varlistentry> |
| 267 | ||
| 268 | <varlistentry> | |
| 269 | <term><option>-i</option></term> | |
| 270 | <term><option>--image=</option></term> | |
| 271 | ||
| 272 | <listitem><para>Disk image to mount the root directory for the | |
| 273 | container from. Takes a path to a regular file or to a block | |
| 274 | device node. The file or block device must contain | |
| 275 | either:</para> | |
| 276 | ||
| 277 | <itemizedlist> | |
| 278 | <listitem><para>An MBR partition table with a single | |
| 279 | partition of type 0x83 that is marked | |
| 280 | bootable.</para></listitem> | |
| 281 | ||
| 282 | <listitem><para>A GUID partition table (GPT) with a single | |
| 283 | partition of type | |
| 284 | 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem> | |
| 285 | ||
| 286 | <listitem><para>A GUID partition table (GPT) with a marked | |
| 287 | root partition which is mounted as the root directory of the | |
| 288 | container. Optionally, GPT images may contain a home and/or | |
| 289 | a server data partition which are mounted to the appropriate | |
| 290 | places in the container. All these partitions must be | |
| 291 | identified by the partition types defined by the <ulink | |
| 28a0ad81 | 292 | url="https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable |
| 798d3a52 | 293 | Partitions Specification</ulink>.</para></listitem> |
| 58abb66f LP |
294 | |
| 295 | <listitem><para>No partition table, and a single file system spanning the whole image.</para></listitem> | |
| 798d3a52 ZJS |
296 | </itemizedlist> |
| 297 | ||
| 0f3be6ca LP |
298 | <para>On GPT images, if an EFI System Partition (ESP) is discovered, it is automatically mounted to |
| 299 | <filename>/efi</filename> (or <filename>/boot</filename> as fallback) in case a directory by this name exists | |
| 300 | and is empty.</para> | |
| 301 | ||
| 58abb66f LP |
302 | <para>Partitions encrypted with LUKS are automatically decrypted. Also, on GPT images dm-verity data integrity |
| 303 | hash partitions are set up if the root hash for them is specified using the <option>--root-hash=</option> | |
| 304 | option.</para> | |
| 305 | ||
| 0f3be6ca LP |
306 | <para>Any other partitions, such as foreign partitions or swap partitions are not mounted. May not be specified |
| 307 | together with <option>--directory=</option>, <option>--template=</option>.</para></listitem> | |
| 798d3a52 | 308 | </varlistentry> |
| 58abb66f | 309 | |
| 3d6c3675 LP |
310 | <varlistentry> |
| 311 | <term><option>--oci-bundle=</option></term> | |
| 312 | ||
| 313 | <listitem><para>Takes the path to an OCI runtime bundle to invoke, as specified in the <ulink | |
| 314 | url="https://github.com/opencontainers/runtime-spec/blob/master/spec.md">OCI Runtime Specification</ulink>. In | |
| 315 | this case no <filename>.nspawn</filename> file is loaded, and the root directory and various settings are read | |
| 316 | from the OCI runtime JSON data (but data passed on the command line takes precedence).</para></listitem> | |
| 317 | </varlistentry> | |
| 318 | ||
| d99058c9 LP |
319 | <varlistentry> |
| 320 | <term><option>--read-only</option></term> | |
| 321 | ||
| 322 | <listitem><para>Mount the container's root file system (and any other file systems container in the container | |
| 323 | image) read-only. This has no effect on additional mounts made with <option>--bind=</option>, | |
| 324 | <option>--tmpfs=</option> and similar options. This mode is implied if the container image file or directory is | |
| 325 | marked read-only itself. It is also implied if <option>--volatile=</option> is used. In this case the container | |
| 326 | image on disk is strictly read-only, while changes are permitted but kept non-persistently in memory only. For | |
| 327 | further details, see below.</para></listitem> | |
| 328 | </varlistentry> | |
| 329 | ||
| 330 | <varlistentry> | |
| 331 | <term><option>--volatile</option></term> | |
| 332 | <term><option>--volatile=</option><replaceable>MODE</replaceable></term> | |
| 333 | ||
| 334 | <listitem><para>Boots the container in volatile mode. When no mode parameter is passed or when mode is | |
| 335 | specified as <option>yes</option>, full volatile mode is enabled. This means the root directory is mounted as a | |
| 336 | mostly unpopulated <literal>tmpfs</literal> instance, and <filename>/usr/</filename> from the OS tree is | |
| 337 | mounted into it in read-only mode (the system thus starts up with read-only OS image, but pristine state and | |
| 338 | configuration, any changes are lost on shutdown). When the mode parameter is specified as | |
| 339 | <option>state</option>, the OS tree is mounted read-only, but <filename>/var/</filename> is mounted as a | |
| 340 | writable <literal>tmpfs</literal> instance into it (the system thus starts up with read-only OS resources and | |
| 341 | configuration, but pristine state, and any changes to the latter are lost on shutdown). When the mode parameter | |
| 342 | is specified as <option>overlay</option> the read-only root file system is combined with a writable | |
| 343 | <filename>tmpfs</filename> instance through <literal>overlayfs</literal>, so that it appears at it normally | |
| 344 | would, but any changes are applied to the temporary file system only and lost when the container is | |
| 345 | terminated. When the mode parameter is specified as <option>no</option> (the default), the whole OS tree is | |
| 346 | made available writable (unless <option>--read-only</option> is specified, see above).</para> | |
| 347 | ||
| 348 | <para>Note that if one of the volatile modes is chosen, its effect is limited to the root file system (or | |
| 349 | <filename>/var/</filename> in case of <option>state</option>), and any other mounts placed in the hierarchy are | |
| 350 | unaffected — regardless if they are established automatically (e.g. the EFI system partition that might be | |
| 351 | mounted to <filename>/efi/</filename> or <filename>/boot/</filename>) or explicitly (e.g. through an additional | |
| 352 | command line option such as <option>--bind=</option>, see below). This means, even if | |
| 353 | <option>--volatile=overlay</option> is used changes to <filename>/efi/</filename> or | |
| 354 | <filename>/boot/</filename> are prohibited in case such a partition exists in the container image operated on, | |
| 355 | and even if <option>--volatile=state</option> is used the hypothetical file <filename>/etc/foobar</filename> is | |
| 356 | potentially writable if <option>--bind=/etc/foobar</option> if used to mount it from outside the read-only | |
| 357 | container <filename>/etc</filename> directory.</para> | |
| 358 | ||
| 359 | <para>The <option>--ephemeral</option> option is closely related to this setting, and provides similar | |
| 360 | behaviour by making a temporary, ephemeral copy of the whole OS image and executing that. For further details, | |
| 361 | see above.</para> | |
| 362 | ||
| 363 | <para>The <option>--tmpfs=</option> and <option>--overlay=</option> options provide similar functionality, but | |
| 364 | for specific sub-directories of the OS image only. For details, see below.</para> | |
| 365 | ||
| 366 | <para>This option provides similar functionality for containers as the <literal>systemd.volatile=</literal> | |
| 367 | kernel command line switch provides for host systems. See | |
| 368 | <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for | |
| 369 | details.</para> | |
| 370 | ||
| 2e542f4e LP |
371 | <para>Note that setting this option to <option>yes</option> or <option>state</option> will only work |
| 372 | correctly with operating systems in the container that can boot up with only | |
| 373 | <filename>/usr/</filename> mounted, and are able to automatically populate <filename>/var/</filename> | |
| 374 | (and <filename>/etc/</filename> in case of <literal>--volatile=yes</literal>). Specifically, this | |
| 375 | means that operating systems that follow the historic split of <filename>/bin/</filename> and | |
| 376 | <filename>/lib/</filename> (and related directories) from <filename>/usr/</filename> (i.e. where the | |
| 377 | former are not symlinks into the latter) are not supported by <literal>--volatile=yes</literal> as | |
| 378 | container payload. The <option>overlay</option> option does not require any particular preparations | |
| 379 | in the OS, but do note that <literal>overlayfs</literal> behaviour differs from regular file systems | |
| 380 | in a number of ways, and hence compatibility is limited.</para></listitem> | |
| d99058c9 LP |
381 | </varlistentry> |
| 382 | ||
| 58abb66f LP |
383 | <varlistentry> |
| 384 | <term><option>--root-hash=</option></term> | |
| 385 | ||
| 386 | <listitem><para>Takes a data integrity (dm-verity) root hash specified in hexadecimal. This option enables data | |
| 387 | integrity checks using dm-verity, if the used image contains the appropriate integrity data (see above). The | |
| ef3116b5 | 388 | specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64 |
| 41488e1f LP |
389 | formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but |
| 390 | the image file carries the <literal>user.verity.roothash</literal> extended file attribute (see <citerefentry | |
| 391 | project='man-pages'><refentrytitle>xattr</refentrytitle><manvolnum>7</manvolnum></citerefentry>), then the root | |
| 392 | hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or | |
| ef3116b5 ZJS |
393 | is not supported by the underlying file system), but a file with the <filename>.roothash</filename> suffix is |
| 394 | found next to the image file, bearing otherwise the same name, the root hash is read from it and automatically | |
| 395 | used, also as formatted hexadecimal characters.</para></listitem> | |
| 58abb66f | 396 | </varlistentry> |
| 798d3a52 | 397 | |
| d99058c9 LP |
398 | <varlistentry> |
| 399 | <term><option>--pivot-root=</option></term> | |
| 400 | ||
| 401 | <listitem><para>Pivot the specified directory to <filename>/</filename> inside the container, and either unmount the | |
| 402 | container's old root, or pivot it to another specified directory. Takes one of: a path argument — in which case the | |
| 403 | specified path will be pivoted to <filename>/</filename> and the old root will be unmounted; or a colon-separated pair | |
| 404 | of new root path and pivot destination for the old root. The new root path will be pivoted to <filename>/</filename>, | |
| 405 | and the old <filename>/</filename> will be pivoted to the other directory. Both paths must be absolute, and are resolved | |
| 406 | in the container's file system namespace.</para> | |
| 407 | ||
| 408 | <para>This is for containers which have several bootable directories in them; for example, several | |
| 409 | <ulink url="https://ostree.readthedocs.io/en/latest/">OSTree</ulink> deployments. It emulates the behavior of | |
| 410 | the boot loader and initial RAM disk which normally select which directory to mount as the root and start the | |
| 411 | container's PID 1 in.</para></listitem> | |
| 412 | </varlistentry> | |
| 413 | </variablelist> | |
| 414 | ||
| 415 | </refsect2><refsect2> | |
| 416 | <title>Execution Options</title> | |
| 417 | ||
| 418 | <variablelist> | |
| 7732f92b LP |
419 | <varlistentry> |
| 420 | <term><option>-a</option></term> | |
| 421 | <term><option>--as-pid2</option></term> | |
| 422 | ||
| 423 | <listitem><para>Invoke the shell or specified program as process ID (PID) 2 instead of PID 1 (init). By | |
| 3f2d1365 AJ |
424 | default, if neither this option nor <option>--boot</option> is used, the selected program is run as the process |
| 425 | with PID 1, a mode only suitable for programs that are aware of the special semantics that the process with | |
| 426 | PID 1 has on UNIX. For example, it needs to reap all processes reparented to it, and should implement | |
| 7732f92b LP |
427 | <command>sysvinit</command> compatible signal handling (specifically: it needs to reboot on SIGINT, reexecute |
| 428 | on SIGTERM, reload configuration on SIGHUP, and so on). With <option>--as-pid2</option> a minimal stub init | |
| 3f2d1365 | 429 | process is run as PID 1 and the selected program is executed as PID 2 (and hence does not need to implement any |
| 7732f92b LP |
430 | special semantics). The stub init process will reap processes as necessary and react appropriately to |
| 431 | signals. It is recommended to use this mode to invoke arbitrary commands in containers, unless they have been | |
| 432 | modified to run correctly as PID 1. Or in other words: this switch should be used for pretty much all commands, | |
| 433 | except when the command refers to an init or shell implementation, as these are generally capable of running | |
| a6b5216c | 434 | correctly as PID 1. This option may not be combined with <option>--boot</option>.</para> |
| 7732f92b LP |
435 | </listitem> |
| 436 | </varlistentry> | |
| 437 | ||
| 798d3a52 ZJS |
438 | <varlistentry> |
| 439 | <term><option>-b</option></term> | |
| 440 | <term><option>--boot</option></term> | |
| 441 | ||
| 3f2d1365 | 442 | <listitem><para>Automatically search for an init program and invoke it as PID 1, instead of a shell or a user |
| 7732f92b | 443 | supplied program. If this option is used, arguments specified on the command line are used as arguments for the |
| 3f2d1365 | 444 | init program. This option may not be combined with <option>--as-pid2</option>.</para> |
| 7732f92b LP |
445 | |
| 446 | <para>The following table explains the different modes of invocation and relationship to | |
| 447 | <option>--as-pid2</option> (see above):</para> | |
| 448 | ||
| 449 | <table> | |
| 450 | <title>Invocation Mode</title> | |
| 451 | <tgroup cols='2' align='left' colsep='1' rowsep='1'> | |
| 452 | <colspec colname="switch" /> | |
| 453 | <colspec colname="explanation" /> | |
| 454 | <thead> | |
| 455 | <row> | |
| 456 | <entry>Switch</entry> | |
| 457 | <entry>Explanation</entry> | |
| 458 | </row> | |
| 459 | </thead> | |
| 460 | <tbody> | |
| 461 | <row> | |
| 462 | <entry>Neither <option>--as-pid2</option> nor <option>--boot</option> specified</entry> | |
| 4447e799 | 463 | <entry>The passed parameters are interpreted as the command line, which is executed as PID 1 in the container.</entry> |
| 7732f92b LP |
464 | </row> |
| 465 | ||
| 466 | <row> | |
| 467 | <entry><option>--as-pid2</option> specified</entry> | |
| 4447e799 | 468 | <entry>The passed parameters are interpreted as the command line, which is executed as PID 2 in the container. A stub init process is run as PID 1.</entry> |
| 7732f92b LP |
469 | </row> |
| 470 | ||
| 471 | <row> | |
| 472 | <entry><option>--boot</option> specified</entry> | |
| 3f2d1365 | 473 | <entry>An init program is automatically searched for and run as PID 1 in the container. The passed parameters are used as invocation parameters for this process.</entry> |
| 7732f92b LP |
474 | </row> |
| 475 | ||
| 476 | </tbody> | |
| 477 | </tgroup> | |
| 478 | </table> | |
| b09c0bba LP |
479 | |
| 480 | <para>Note that <option>--boot</option> is the default mode of operation if the | |
| 481 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 7732f92b | 482 | </listitem> |
| 798d3a52 ZJS |
483 | </varlistentry> |
| 484 | ||
| 5f932eb9 LP |
485 | <varlistentry> |
| 486 | <term><option>--chdir=</option></term> | |
| 487 | ||
| 488 | <listitem><para>Change to the specified working directory before invoking the process in the container. Expects | |
| 489 | an absolute path in the container's file system namespace.</para></listitem> | |
| 490 | </varlistentry> | |
| 491 | ||
| b53ede69 | 492 | <varlistentry> |
| d99058c9 LP |
493 | <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> |
| 494 | <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term> | |
| b53ede69 | 495 | |
| d99058c9 LP |
496 | <listitem><para>Specifies an environment variable assignment |
| 497 | to pass to the init process in the container, in the format | |
| 498 | <literal>NAME=VALUE</literal>. This may be used to override | |
| 499 | the default variables or to set additional variables. This | |
| 500 | parameter may be used more than once.</para></listitem> | |
| b53ede69 PW |
501 | </varlistentry> |
| 502 | ||
| 798d3a52 ZJS |
503 | <varlistentry> |
| 504 | <term><option>-u</option></term> | |
| 505 | <term><option>--user=</option></term> | |
| 506 | ||
| 507 | <listitem><para>After transitioning into the container, change | |
| 508 | to the specified user-defined in the container's user | |
| 509 | database. Like all other systemd-nspawn features, this is not | |
| 510 | a security feature and provides protection against accidental | |
| 511 | destructive operations only.</para></listitem> | |
| 512 | </varlistentry> | |
| 513 | ||
| d99058c9 LP |
514 | <varlistentry> |
| 515 | <term><option>--kill-signal=</option></term> | |
| 516 | ||
| 517 | <listitem><para>Specify the process signal to send to the container's PID 1 when nspawn itself receives | |
| 518 | <constant>SIGTERM</constant>, in order to trigger an orderly shutdown of the container. Defaults to | |
| 519 | <constant>SIGRTMIN+3</constant> if <option>--boot</option> is used (on systemd-compatible init systems | |
| 520 | <constant>SIGRTMIN+3</constant> triggers an orderly shutdown). If <option>--boot</option> is not used and this | |
| 521 | option is not specified the container's processes are terminated abruptly via <constant>SIGKILL</constant>. For | |
| 522 | a list of valid signals, see <citerefentry | |
| 523 | project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem> | |
| 524 | </varlistentry> | |
| 525 | ||
| 526 | <varlistentry> | |
| 527 | <term><option>--notify-ready=</option></term> | |
| 528 | ||
| 529 | <listitem><para>Configures support for notifications from the container's init process. | |
| 530 | <option>--notify-ready=</option> takes a boolean (<option>no</option> and <option>yes</option>). | |
| 531 | With option <option>no</option> systemd-nspawn notifies systemd | |
| 532 | with a <literal>READY=1</literal> message when the init process is created. | |
| 533 | With option <option>yes</option> systemd-nspawn waits for the | |
| 534 | <literal>READY=1</literal> message from the init process in the container | |
| 535 | before sending its own to systemd. For more details about notifications | |
| 536 | see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).</para></listitem> | |
| 537 | </varlistentry> | |
| 538 | </variablelist> | |
| 539 | ||
| 540 | </refsect2><refsect2> | |
| 541 | <title>System Identity Options</title> | |
| 542 | ||
| 543 | <variablelist> | |
| 798d3a52 ZJS |
544 | <varlistentry> |
| 545 | <term><option>-M</option></term> | |
| 546 | <term><option>--machine=</option></term> | |
| 547 | ||
| 548 | <listitem><para>Sets the machine name for this container. This | |
| 549 | name may be used to identify this container during its runtime | |
| 550 | (for example in tools like | |
| 551 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 552 | and similar), and is used to initialize the container's | |
| 553 | hostname (which the container can choose to override, | |
| 554 | however). If not specified, the last component of the root | |
| 555 | directory path of the container is used, possibly suffixed | |
| 556 | with a random identifier in case <option>--ephemeral</option> | |
| 557 | mode is selected. If the root directory selected is the host's | |
| 558 | root directory the host's hostname is used as default | |
| 559 | instead.</para></listitem> | |
| 560 | </varlistentry> | |
| 561 | ||
| 3a9530e5 LP |
562 | <varlistentry> |
| 563 | <term><option>--hostname=</option></term> | |
| 564 | ||
| 565 | <listitem><para>Controls the hostname to set within the container, if different from the machine name. Expects | |
| 566 | a valid hostname as argument. If this option is used, the kernel hostname of the container will be set to this | |
| 567 | value, otherwise it will be initialized to the machine name as controlled by the <option>--machine=</option> | |
| 568 | option described above. The machine name is used for various aspect of identification of the container from the | |
| 569 | outside, the kernel hostname configurable with this option is useful for the container to identify itself from | |
| 570 | the inside. It is usually a good idea to keep both forms of identification synchronized, in order to avoid | |
| 571 | confusion. It is hence recommended to avoid usage of this option, and use <option>--machine=</option> | |
| 572 | exclusively. Note that regardless whether the container's hostname is initialized from the name set with | |
| 573 | <option>--hostname=</option> or the one set with <option>--machine=</option>, the container can later override | |
| 574 | its kernel hostname freely on its own as well.</para> | |
| 575 | </listitem> | |
| 576 | </varlistentry> | |
| 577 | ||
| 798d3a52 ZJS |
578 | <varlistentry> |
| 579 | <term><option>--uuid=</option></term> | |
| 580 | ||
| 581 | <listitem><para>Set the specified UUID for the container. The | |
| 582 | init system will initialize | |
| 583 | <filename>/etc/machine-id</filename> from this if this file is | |
| e01ff70a MS |
584 | not set yet. Note that this option takes effect only if |
| 585 | <filename>/etc/machine-id</filename> in the container is | |
| 586 | unpopulated.</para></listitem> | |
| 798d3a52 | 587 | </varlistentry> |
| d99058c9 | 588 | </variablelist> |
| 798d3a52 | 589 | |
| d99058c9 LP |
590 | </refsect2><refsect2> |
| 591 | <title>Property Options</title> | |
| 592 | ||
| 593 | <variablelist> | |
| 798d3a52 | 594 | <varlistentry> |
| 4deb5503 | 595 | <term><option>-S</option></term> |
| 798d3a52 ZJS |
596 | <term><option>--slice=</option></term> |
| 597 | ||
| cd2dfc6f LP |
598 | <listitem><para>Make the container part of the specified slice, instead of the default |
| 599 | <filename>machine.slice</filename>. This applies only if the machine is run in its own scope unit, i.e. if | |
| 600 | <option>--keep-unit</option> isn't used.</para> | |
| f36933fe LP |
601 | </listitem> |
| 602 | </varlistentry> | |
| 603 | ||
| 604 | <varlistentry> | |
| 605 | <term><option>--property=</option></term> | |
| 606 | ||
| cd2dfc6f LP |
607 | <listitem><para>Set a unit property on the scope unit to register for the machine. This applies only if the |
| 608 | machine is run in its own scope unit, i.e. if <option>--keep-unit</option> isn't used. Takes unit property | |
| 609 | assignments in the same format as <command>systemctl set-property</command>. This is useful to set memory | |
| 610 | limits and similar for container.</para> | |
| 798d3a52 ZJS |
611 | </listitem> |
| 612 | </varlistentry> | |
| 613 | ||
| d99058c9 LP |
614 | <varlistentry> |
| 615 | <term><option>--register=</option></term> | |
| 616 | ||
| 617 | <listitem><para>Controls whether the container is registered with | |
| 618 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes a | |
| 619 | boolean argument, which defaults to <literal>yes</literal>. This option should be enabled when the container | |
| 620 | runs a full Operating System (more specifically: a system and service manager as PID 1), and is useful to | |
| 621 | ensure that the container is accessible via | |
| 622 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and shown by | |
| 623 | tools such as <citerefentry | |
| 624 | project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If the container | |
| 625 | does not run a service manager, it is recommended to set this option to | |
| 626 | <literal>no</literal>.</para></listitem> | |
| 627 | </varlistentry> | |
| 628 | ||
| 629 | <varlistentry> | |
| 630 | <term><option>--keep-unit</option></term> | |
| 631 | ||
| 632 | <listitem><para>Instead of creating a transient scope unit to run the container in, simply use the service or | |
| 633 | scope unit <command>systemd-nspawn</command> has been invoked in. If <option>--register=yes</option> is set | |
| 634 | this unit is registered with | |
| 635 | <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This | |
| 636 | switch should be used if <command>systemd-nspawn</command> is invoked from within a service unit, and the | |
| 637 | service unit's sole purpose is to run a single <command>systemd-nspawn</command> container. This option is not | |
| 638 | available if run from a user session.</para> | |
| 639 | <para>Note that passing <option>--keep-unit</option> disables the effect of <option>--slice=</option> and | |
| 640 | <option>--property=</option>. Use <option>--keep-unit</option> and <option>--register=no</option> in | |
| 641 | combination to disable any kind of unit allocation or registration with | |
| 642 | <command>systemd-machined</command>.</para></listitem> | |
| 643 | </varlistentry> | |
| 644 | </variablelist> | |
| 645 | ||
| 646 | </refsect2><refsect2> | |
| 647 | <title>User Namespacing Options</title> | |
| 648 | ||
| 649 | <variablelist> | |
| 03cfe0d5 LP |
650 | <varlistentry> |
| 651 | <term><option>--private-users=</option></term> | |
| 652 | ||
| d2e5535f LP |
653 | <listitem><para>Controls user namespacing. If enabled, the container will run with its own private set of UNIX |
| 654 | user and group ids (UIDs and GIDs). This involves mapping the private UIDs/GIDs used in the container (starting | |
| 655 | with the container's root user 0 and up) to a range of UIDs/GIDs on the host that are not used for other | |
| 656 | purposes (usually in the range beyond the host's UID/GID 65536). The parameter may be specified as follows:</para> | |
| 657 | ||
| 658 | <orderedlist> | |
| 2dd67817 | 659 | <listitem><para>If one or two colon-separated numbers are specified, user namespacing is turned on. The first |
| ae209204 ZJS |
660 | parameter specifies the first host UID/GID to assign to the container, the second parameter specifies the |
| 661 | number of host UIDs/GIDs to assign to the container. If the second parameter is omitted, 65536 UIDs/GIDs are | |
| 662 | assigned.</para></listitem> | |
| 663 | ||
| 664 | <listitem><para>If the parameter is omitted, or true, user namespacing is turned on. The UID/GID range to | |
| 665 | use is determined automatically from the file ownership of the root directory of the container's directory | |
| 666 | tree. To use this option, make sure to prepare the directory tree in advance, and ensure that all files and | |
| 667 | directories in it are owned by UIDs/GIDs in the range you'd like to use. Also, make sure that used file ACLs | |
| 668 | exclusively reference UIDs/GIDs in the appropriate range. If this mode is used the number of UIDs/GIDs | |
| 669 | assigned to the container for use is 65536, and the UID/GID of the root directory must be a multiple of | |
| 670 | 65536.</para></listitem> | |
| 671 | ||
| 672 | <listitem><para>If the parameter is false, user namespacing is turned off. This is the default.</para> | |
| 673 | </listitem> | |
| 674 | ||
| 675 | <listitem><para>The special value <literal>pick</literal> turns on user namespacing. In this case the UID/GID | |
| 676 | range is automatically chosen. As first step, the file owner of the root directory of the container's | |
| 677 | directory tree is read, and it is checked that it is currently not used by the system otherwise (in | |
| 678 | particular, that no other container is using it). If this check is successful, the UID/GID range determined | |
| 2dd67817 | 679 | this way is used, similar to the behavior if "yes" is specified. If the check is not successful (and thus |
| ae209204 ZJS |
680 | the UID/GID range indicated in the root directory's file owner is already used elsewhere) a new – currently |
| 681 | unused – UID/GID range of 65536 UIDs/GIDs is randomly chosen between the host UID/GIDs of 524288 and | |
| 682 | 1878982656, always starting at a multiple of 65536. This setting implies | |
| 683 | <option>--private-users-chown</option> (see below), which has the effect that the files and directories in | |
| 684 | the container's directory tree will be owned by the appropriate users of the range picked. Using this option | |
| 2dd67817 | 685 | makes user namespace behavior fully automatic. Note that the first invocation of a previously unused |
| ae209204 ZJS |
686 | container image might result in picking a new UID/GID range for it, and thus in the (possibly expensive) file |
| 687 | ownership adjustment operation. However, subsequent invocations of the container will be cheap (unless of | |
| 688 | course the picked UID/GID range is assigned to a different use by then).</para></listitem> | |
| d2e5535f LP |
689 | </orderedlist> |
| 690 | ||
| 691 | <para>It is recommended to assign at least 65536 UIDs/GIDs to each container, so that the usable UID/GID range in the | |
| 692 | container covers 16 bit. For best security, do not assign overlapping UID/GID ranges to multiple containers. It is | |
| 693 | hence a good idea to use the upper 16 bit of the host 32-bit UIDs/GIDs as container identifier, while the lower 16 | |
| 2dd67817 | 694 | bit encode the container UID/GID used. This is in fact the behavior enforced by the |
| d2e5535f LP |
695 | <option>--private-users=pick</option> option.</para> |
| 696 | ||
| 697 | <para>When user namespaces are used, the GID range assigned to each container is always chosen identical to the | |
| 698 | UID range.</para> | |
| 699 | ||
| 700 | <para>In most cases, using <option>--private-users=pick</option> is the recommended option as it enhances | |
| 701 | container security massively and operates fully automatically in most cases.</para> | |
| 702 | ||
| 703 | <para>Note that the picked UID/GID range is not written to <filename>/etc/passwd</filename> or | |
| 704 | <filename>/etc/group</filename>. In fact, the allocation of the range is not stored persistently anywhere, | |
| aa10469e LP |
705 | except in the file ownership of the files and directories of the container.</para> |
| 706 | ||
| 707 | <para>Note that when user namespacing is used file ownership on disk reflects this, and all of the container's | |
| 708 | files and directories are owned by the container's effective user and group IDs. This means that copying files | |
| 709 | from and to the container image requires correction of the numeric UID/GID values, according to the UID/GID | |
| 710 | shift applied.</para></listitem> | |
| 03cfe0d5 LP |
711 | </varlistentry> |
| 712 | ||
| d2e5535f LP |
713 | <varlistentry> |
| 714 | <term><option>--private-users-chown</option></term> | |
| 715 | ||
| bcf09321 ZJS |
716 | <listitem><para>If specified, all files and directories in the container's directory tree will be |
| 717 | adjusted so that they are owned by the appropriate UIDs/GIDs selected for the container (see above). | |
| 718 | This operation is potentially expensive, as it involves iterating through the full directory tree of | |
| 719 | the container. Besides actual file ownership, file ACLs are adjusted as well.</para> | |
| d2e5535f LP |
720 | |
| 721 | <para>This option is implied if <option>--private-users=pick</option> is used. This option has no effect if | |
| 722 | user namespacing is not used.</para></listitem> | |
| 723 | </varlistentry> | |
| 03cfe0d5 | 724 | |
| 6265bde2 ZJS |
725 | <varlistentry> |
| 726 | <term><option>-U</option></term> | |
| 727 | ||
| 728 | <listitem><para>If the kernel supports the user namespaces feature, equivalent to | |
| 729 | <option>--private-users=pick --private-users-chown</option>, otherwise equivalent to | |
| 730 | <option>--private-users=no</option>.</para> | |
| 731 | ||
| 732 | <para>Note that <option>-U</option> is the default if the | |
| 733 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 734 | ||
| 735 | <para>Note: it is possible to undo the effect of <option>--private-users-chown</option> (or | |
| 736 | <option>-U</option>) on the file system by redoing the operation with the first UID of 0:</para> | |
| 737 | ||
| 738 | <programlisting>systemd-nspawn … --private-users=0 --private-users-chown</programlisting> | |
| 739 | </listitem> | |
| 740 | </varlistentry> | |
| 741 | ||
| d99058c9 LP |
742 | </variablelist> |
| 743 | ||
| 744 | </refsect2><refsect2> | |
| 745 | <title>Networking Options</title> | |
| 746 | ||
| 747 | <variablelist> | |
| 748 | ||
| 798d3a52 ZJS |
749 | <varlistentry> |
| 750 | <term><option>--private-network</option></term> | |
| 751 | ||
| 752 | <listitem><para>Disconnect networking of the container from | |
| 753 | the host. This makes all network interfaces unavailable in the | |
| 754 | container, with the exception of the loopback device and those | |
| 755 | specified with <option>--network-interface=</option> and | |
| 756 | configured with <option>--network-veth</option>. If this | |
| ec562515 | 757 | option is specified, the <constant>CAP_NET_ADMIN</constant> capability will be |
| 798d3a52 | 758 | added to the set of capabilities the container retains. The |
| bc96c63c ZJS |
759 | latter may be disabled by using <option>--drop-capability=</option>. |
| 760 | If this option is not specified (or implied by one of the options | |
| 761 | listed below), the container will have full access to the host network. | |
| 762 | </para></listitem> | |
| 798d3a52 ZJS |
763 | </varlistentry> |
| 764 | ||
| 765 | <varlistentry> | |
| 766 | <term><option>--network-interface=</option></term> | |
| 767 | ||
| 768 | <listitem><para>Assign the specified network interface to the | |
| 769 | container. This will remove the specified interface from the | |
| 770 | calling namespace and place it in the container. When the | |
| 771 | container terminates, it is moved back to the host namespace. | |
| 772 | Note that <option>--network-interface=</option> implies | |
| 773 | <option>--private-network</option>. This option may be used | |
| 774 | more than once to add multiple network interfaces to the | |
| 775 | container.</para></listitem> | |
| 776 | </varlistentry> | |
| 777 | ||
| 778 | <varlistentry> | |
| 779 | <term><option>--network-macvlan=</option></term> | |
| 780 | ||
| 781 | <listitem><para>Create a <literal>macvlan</literal> interface | |
| 782 | of the specified Ethernet network interface and add it to the | |
| 783 | container. A <literal>macvlan</literal> interface is a virtual | |
| 784 | interface that adds a second MAC address to an existing | |
| 785 | physical Ethernet link. The interface in the container will be | |
| 786 | named after the interface on the host, prefixed with | |
| 787 | <literal>mv-</literal>. Note that | |
| 788 | <option>--network-macvlan=</option> implies | |
| 789 | <option>--private-network</option>. This option may be used | |
| 790 | more than once to add multiple network interfaces to the | |
| 791 | container.</para></listitem> | |
| 792 | </varlistentry> | |
| 793 | ||
| 794 | <varlistentry> | |
| 795 | <term><option>--network-ipvlan=</option></term> | |
| 796 | ||
| 797 | <listitem><para>Create an <literal>ipvlan</literal> interface | |
| 798 | of the specified Ethernet network interface and add it to the | |
| 799 | container. An <literal>ipvlan</literal> interface is a virtual | |
| 800 | interface, similar to a <literal>macvlan</literal> interface, | |
| 801 | which uses the same MAC address as the underlying interface. | |
| 802 | The interface in the container will be named after the | |
| 803 | interface on the host, prefixed with <literal>iv-</literal>. | |
| 804 | Note that <option>--network-ipvlan=</option> implies | |
| 805 | <option>--private-network</option>. This option may be used | |
| 806 | more than once to add multiple network interfaces to the | |
| 807 | container.</para></listitem> | |
| 808 | </varlistentry> | |
| 809 | ||
| 810 | <varlistentry> | |
| 811 | <term><option>-n</option></term> | |
| 812 | <term><option>--network-veth</option></term> | |
| 813 | ||
| 5e7423ff LP |
814 | <listitem><para>Create a virtual Ethernet link (<literal>veth</literal>) between host and container. The host |
| 815 | side of the Ethernet link will be available as a network interface named after the container's name (as | |
| 816 | specified with <option>--machine=</option>), prefixed with <literal>ve-</literal>. The container side of the | |
| 817 | Ethernet link will be named <literal>host0</literal>. The <option>--network-veth</option> option implies | |
| 818 | <option>--private-network</option>.</para> | |
| 819 | ||
| 820 | <para>Note that | |
| 821 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 822 | includes by default a network file <filename>/usr/lib/systemd/network/80-container-ve.network</filename> | |
| 823 | matching the host-side interfaces created this way, which contains settings to enable automatic address | |
| 824 | provisioning on the created virtual link via DHCP, as well as automatic IP routing onto the host's external | |
| 825 | network interfaces. It also contains <filename>/usr/lib/systemd/network/80-container-host0.network</filename> | |
| 826 | matching the container-side interface created this way, containing settings to enable client side address | |
| 827 | assignment via DHCP. In case <filename>systemd-networkd</filename> is running on both the host and inside the | |
| 828 | container, automatic IP communication from the container to the host is thus available, with further | |
| 829 | connectivity to the external network.</para> | |
| b09c0bba LP |
830 | |
| 831 | <para>Note that <option>--network-veth</option> is the default if the | |
| 832 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para> | |
| 6cc68362 LP |
833 | |
| 834 | <para>Note that on Linux network interface names may have a length of 15 characters at maximum, while | |
| 835 | container names may have a length up to 64 characters. As this option derives the host-side interface | |
| 836 | name from the container name the name is possibly truncated. Thus, care needs to be taken to ensure | |
| 837 | that interface names remain unique in this case, or even better container names are generally not | |
| bc5ea049 KK |
838 | chosen longer than 12 characters, to avoid the truncation. If the name is truncated, |
| 839 | <command>systemd-nspawn</command> will automatically append a 4-digit hash value to the name to | |
| 840 | reduce the chance of collisions. However, the hash algorithm is not collision-free. (See | |
| 841 | <citerefentry><refentrytitle>systemd.net-naming-scheme</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| 842 | for details on older naming algorithms for this interface). Alternatively, the | |
| 6cc68362 LP |
843 | <option>--network-veth-extra=</option> option may be used, which allows free configuration of the |
| 844 | host-side interface name independently of the container name — but might require a bit more | |
| 845 | additional configuration in case bridging in a fashion similar to <option>--network-bridge=</option> | |
| 846 | is desired.</para> | |
| 5e7423ff | 847 | </listitem> |
| 798d3a52 ZJS |
848 | </varlistentry> |
| 849 | ||
| f6d6bad1 LP |
850 | <varlistentry> |
| 851 | <term><option>--network-veth-extra=</option></term> | |
| 852 | ||
| 853 | <listitem><para>Adds an additional virtual Ethernet link | |
| 854 | between host and container. Takes a colon-separated pair of | |
| 855 | host interface name and container interface name. The latter | |
| 856 | may be omitted in which case the container and host sides will | |
| 857 | be assigned the same name. This switch is independent of | |
| ccddd104 | 858 | <option>--network-veth</option>, and — in contrast — may be |
| f6d6bad1 LP |
859 | used multiple times, and allows configuration of the network |
| 860 | interface names. Note that <option>--network-bridge=</option> | |
| 861 | has no effect on interfaces created with | |
| 862 | <option>--network-veth-extra=</option>.</para></listitem> | |
| 863 | </varlistentry> | |
| 864 | ||
| 798d3a52 ZJS |
865 | <varlistentry> |
| 866 | <term><option>--network-bridge=</option></term> | |
| 867 | ||
| 6cc68362 LP |
868 | <listitem><para>Adds the host side of the Ethernet link created with <option>--network-veth</option> |
| 869 | to the specified Ethernet bridge interface. Expects a valid network interface name of a bridge device | |
| 870 | as argument. Note that <option>--network-bridge=</option> implies <option>--network-veth</option>. If | |
| 871 | this option is used, the host side of the Ethernet link will use the <literal>vb-</literal> prefix | |
| 872 | instead of <literal>ve-</literal>. Regardless of the used naming prefix the same network interface | |
| 873 | name length limits imposed by Linux apply, along with the complications this creates (for details see | |
| 874 | above).</para></listitem> | |
| 798d3a52 ZJS |
875 | </varlistentry> |
| 876 | ||
| 938d2579 LP |
877 | <varlistentry> |
| 878 | <term><option>--network-zone=</option></term> | |
| 879 | ||
| 880 | <listitem><para>Creates a virtual Ethernet link (<literal>veth</literal>) to the container and adds it to an | |
| 881 | automatically managed Ethernet bridge interface. The bridge interface is named after the passed argument, | |
| 882 | prefixed with <literal>vz-</literal>. The bridge interface is automatically created when the first container | |
| 883 | configured for its name is started, and is automatically removed when the last container configured for its | |
| 884 | name exits. Hence, each bridge interface configured this way exists only as long as there's at least one | |
| 885 | container referencing it running. This option is very similar to <option>--network-bridge=</option>, besides | |
| 886 | this automatic creation/removal of the bridge device.</para> | |
| 887 | ||
| 888 | <para>This setting makes it easy to place multiple related containers on a common, virtual Ethernet-based | |
| 889 | broadcast domain, here called a "zone". Each container may only be part of one zone, but each zone may contain | |
| 890 | any number of containers. Each zone is referenced by its name. Names may be chosen freely (as long as they form | |
| 891 | valid network interface names when prefixed with <literal>vz-</literal>), and it is sufficient to pass the same | |
| cf917c27 | 892 | name to the <option>--network-zone=</option> switch of the various concurrently running containers to join |
| 938d2579 LP |
893 | them in one zone.</para> |
| 894 | ||
| 895 | <para>Note that | |
| 896 | <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
| 897 | includes by default a network file <filename>/usr/lib/systemd/network/80-container-vz.network</filename> | |
| 898 | matching the bridge interfaces created this way, which contains settings to enable automatic address | |
| 899 | provisioning on the created virtual network via DHCP, as well as automatic IP routing onto the host's external | |
| 900 | network interfaces. Using <option>--network-zone=</option> is hence in most cases fully automatic and | |
| 901 | sufficient to connect multiple local containers in a joined broadcast domain to the host, with further | |
| 902 | connectivity to the external network.</para> | |
| 903 | </listitem> | |
| 904 | </varlistentry> | |
| 905 | ||
| 798d3a52 | 906 | <varlistentry> |
| d99058c9 | 907 | <term><option>--network-namespace-path=</option></term> |
| 798d3a52 | 908 | |
| d99058c9 LP |
909 | <listitem><para>Takes the path to a file representing a kernel |
| 910 | network namespace that the container shall run in. The specified path | |
| 911 | should refer to a (possibly bind-mounted) network namespace file, as | |
| 912 | exposed by the kernel below <filename>/proc/$PID/ns/net</filename>. | |
| 913 | This makes the container enter the given network namespace. One of the | |
| 914 | typical use cases is to give a network namespace under | |
| 915 | <filename>/run/netns</filename> created by <citerefentry | |
| 916 | project='man-pages'><refentrytitle>ip-netns</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 917 | for example, <option>--network-namespace-path=/run/netns/foo</option>. | |
| 918 | Note that this option cannot be used together with other | |
| 919 | network-related options, such as <option>--private-network</option> | |
| 920 | or <option>--network-interface=</option>.</para></listitem> | |
| 921 | </varlistentry> | |
| 922 | ||
| 923 | <varlistentry> | |
| 924 | <term><option>-p</option></term> | |
| 925 | <term><option>--port=</option></term> | |
| 926 | ||
| 927 | <listitem><para>If private networking is enabled, maps an IP | |
| 928 | port on the host onto an IP port on the container. Takes a | |
| 929 | protocol specifier (either <literal>tcp</literal> or | |
| 798d3a52 ZJS |
930 | <literal>udp</literal>), separated by a colon from a host port |
| 931 | number in the range 1 to 65535, separated by a colon from a | |
| 932 | container port number in the range from 1 to 65535. The | |
| 933 | protocol specifier and its separating colon may be omitted, in | |
| 934 | which case <literal>tcp</literal> is assumed. The container | |
| 7c918141 | 935 | port number and its colon may be omitted, in which case the |
| 798d3a52 | 936 | same port as the host port is implied. This option is only |
| a8eaaee7 | 937 | supported if private networking is used, such as with |
| 938d2579 | 938 | <option>--network-veth</option>, <option>--network-zone=</option> |
| 798d3a52 ZJS |
939 | <option>--network-bridge=</option>.</para></listitem> |
| 940 | </varlistentry> | |
| d99058c9 | 941 | </variablelist> |
| 798d3a52 | 942 | |
| d99058c9 LP |
943 | </refsect2><refsect2> |
| 944 | <title>Security Options</title> | |
| 798d3a52 | 945 | |
| d99058c9 | 946 | <variablelist> |
| 798d3a52 ZJS |
947 | <varlistentry> |
| 948 | <term><option>--capability=</option></term> | |
| 949 | ||
| ec562515 ZJS |
950 | <listitem><para>List one or more additional capabilities to grant the container. Takes a |
| 951 | comma-separated list of capability names, see <citerefentry | |
| 952 | project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
| a30504ed | 953 | for more information. Note that the following capabilities will be granted in any way: |
| ec562515 ZJS |
954 | <constant>CAP_AUDIT_CONTROL</constant>, <constant>CAP_AUDIT_WRITE</constant>, |
| 955 | <constant>CAP_CHOWN</constant>, <constant>CAP_DAC_OVERRIDE</constant>, | |
| 956 | <constant>CAP_DAC_READ_SEARCH</constant>, <constant>CAP_FOWNER</constant>, | |
| 957 | <constant>CAP_FSETID</constant>, <constant>CAP_IPC_OWNER</constant>, <constant>CAP_KILL</constant>, | |
| 958 | <constant>CAP_LEASE</constant>, <constant>CAP_LINUX_IMMUTABLE</constant>, | |
| 959 | <constant>CAP_MKNOD</constant>, <constant>CAP_NET_BIND_SERVICE</constant>, | |
| 960 | <constant>CAP_NET_BROADCAST</constant>, <constant>CAP_NET_RAW</constant>, | |
| 961 | <constant>CAP_SETFCAP</constant>, <constant>CAP_SETGID</constant>, <constant>CAP_SETPCAP</constant>, | |
| 962 | <constant>CAP_SETUID</constant>, <constant>CAP_SYS_ADMIN</constant>, | |
| 963 | <constant>CAP_SYS_BOOT</constant>, <constant>CAP_SYS_CHROOT</constant>, | |
| 964 | <constant>CAP_SYS_NICE</constant>, <constant>CAP_SYS_PTRACE</constant>, | |
| 965 | <constant>CAP_SYS_RESOURCE</constant>, <constant>CAP_SYS_TTY_CONFIG</constant>. Also | |
| 966 | <constant>CAP_NET_ADMIN</constant> is retained if <option>--private-network</option> is specified. | |
| 967 | If the special value <literal>all</literal> is passed, all capabilities are retained.</para> | |
| 8a99bd0c ZJS |
968 | |
| 969 | <para>If the special value of <literal>help</literal> is passed, the program will print known | |
| 970 | capability names and exit.</para></listitem> | |
| 798d3a52 ZJS |
971 | </varlistentry> |
| 972 | ||
| 973 | <varlistentry> | |
| 974 | <term><option>--drop-capability=</option></term> | |
| 975 | ||
| 976 | <listitem><para>Specify one or more additional capabilities to | |
| 977 | drop for the container. This allows running the container with | |
| 978 | fewer capabilities than the default (see | |
| 8a99bd0c ZJS |
979 | above).</para> |
| 980 | ||
| 981 | <para>If the special value of <literal>help</literal> is passed, the program will print known | |
| 982 | capability names and exit.</para></listitem> | |
| 798d3a52 ZJS |
983 | </varlistentry> |
| 984 | ||
| 66edd963 LP |
985 | <varlistentry> |
| 986 | <term><option>--no-new-privileges=</option></term> | |
| 987 | ||
| 988 | <listitem><para>Takes a boolean argument. Specifies the value of the <constant>PR_SET_NO_NEW_PRIVS</constant> | |
| 989 | flag for the container payload. Defaults to off. When turned on the payload code of the container cannot | |
| 990 | acquire new privileges, i.e. the "setuid" file bit as well as file system capabilities will not have an effect | |
| 991 | anymore. See <citerefentry | |
| 992 | project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details | |
| 993 | about this flag. </para></listitem> | |
| 994 | </varlistentry> | |
| 995 | ||
| 960e4569 LP |
996 | <varlistentry> |
| 997 | <term><option>--system-call-filter=</option></term> | |
| 998 | ||
| 999 | <listitem><para>Alter the system call filter applied to containers. Takes a space-separated list of system call | |
| 1000 | names or group names (the latter prefixed with <literal>@</literal>, as listed by the | |
| c7fc3c4c LP |
1001 | <command>syscall-filter</command> command of |
| 1002 | <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Passed | |
| 960e4569 LP |
1003 | system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which case all |
| 1004 | listed system calls are prohibited. If this command line option is used multiple times the configured lists are | |
| 1005 | combined. If both a positive and a negative list (that is one system call list without and one with the | |
| 96bedbe2 LP |
1006 | <literal>~</literal> prefix) are configured, the negative list takes precedence over the positive list. Note |
| 1007 | that <command>systemd-nspawn</command> always implements a system call whitelist (as opposed to a blacklist), | |
| 1008 | and this command line option hence adds or removes entries from the default whitelist, depending on the | |
| 960e4569 LP |
1009 | <literal>~</literal> prefix. Note that the applied system call filter is also altered implicitly if additional |
| 1010 | capabilities are passed using the <command>--capabilities=</command>.</para></listitem> | |
| 1011 | </varlistentry> | |
| 1012 | ||
| d99058c9 LP |
1013 | <varlistentry> |
| 1014 | <term><option>-Z</option></term> | |
| 1015 | <term><option>--selinux-context=</option></term> | |
| 1016 | ||
| 1017 | <listitem><para>Sets the SELinux security context to be used | |
| 1018 | to label processes in the container.</para> | |
| 1019 | </listitem> | |
| 1020 | </varlistentry> | |
| 1021 | ||
| 1022 | <varlistentry> | |
| 1023 | <term><option>-L</option></term> | |
| 1024 | <term><option>--selinux-apifs-context=</option></term> | |
| 1025 | ||
| 1026 | <listitem><para>Sets the SELinux security context to be used | |
| 1027 | to label files in the virtual API file systems in the | |
| 1028 | container.</para> | |
| 1029 | </listitem> | |
| 1030 | </varlistentry> | |
| 1031 | </variablelist> | |
| 1032 | ||
| 1033 | </refsect2><refsect2> | |
| 1034 | <title>Resource Options</title> | |
| 1035 | ||
| 1036 | <variablelist> | |
| 1037 | ||
| bf428efb LP |
1038 | <varlistentry> |
| 1039 | <term><option>--rlimit=</option></term> | |
| 1040 | ||
| 1041 | <listitem><para>Sets the specified POSIX resource limit for the container payload. Expects an assignment of the | |
| 1042 | form | |
| 1043 | <literal><replaceable>LIMIT</replaceable>=<replaceable>SOFT</replaceable>:<replaceable>HARD</replaceable></literal> | |
| 1044 | or <literal><replaceable>LIMIT</replaceable>=<replaceable>VALUE</replaceable></literal>, where | |
| 1045 | <replaceable>LIMIT</replaceable> should refer to a resource limit type, such as | |
| 1046 | <constant>RLIMIT_NOFILE</constant> or <constant>RLIMIT_NICE</constant>. The <replaceable>SOFT</replaceable> and | |
| 1047 | <replaceable>HARD</replaceable> fields should refer to the numeric soft and hard resource limit values. If the | |
| 1b2ad5d9 | 1048 | second form is used, <replaceable>VALUE</replaceable> may specify a value that is used both as soft and hard |
| bf428efb LP |
1049 | limit. In place of a numeric value the special string <literal>infinity</literal> may be used to turn off |
| 1050 | resource limiting for the specific type of resource. This command line option may be used multiple times to | |
| 1b2ad5d9 | 1051 | control limits on multiple limit types. If used multiple times for the same limit type, the last use |
| bf428efb LP |
1052 | wins. For details about resource limits see <citerefentry |
| 1053 | project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>. By default | |
| 1054 | resource limits for the container's init process (PID 1) are set to the same values the Linux kernel originally | |
| 1055 | passed to the host init system. Note that some resource limits are enforced on resources counted per user, in | |
| 1056 | particular <constant>RLIMIT_NPROC</constant>. This means that unless user namespacing is deployed | |
| 1057 | (i.e. <option>--private-users=</option> is used, see above), any limits set will be applied to the resource | |
| 1058 | usage of the same user on all local containers as well as the host. This means particular care needs to be | |
| 1059 | taken with these limits as they might be triggered by possibly less trusted code. Example: | |
| 1060 | <literal>--rlimit=RLIMIT_NOFILE=8192:16384</literal>.</para></listitem> | |
| 1061 | </varlistentry> | |
| 1062 | ||
| 81f345df LP |
1063 | <varlistentry> |
| 1064 | <term><option>--oom-score-adjust=</option></term> | |
| 1065 | ||
| 1066 | <listitem><para>Changes the OOM ("Out Of Memory") score adjustment value for the container payload. This controls | |
| 1067 | <filename>/proc/self/oom_score_adj</filename> which influences the preference with which this container is | |
| 1068 | terminated when memory becomes scarce. For details see <citerefentry | |
| 1069 | project='man-pages'><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>. Takes an | |
| 1070 | integer in the range -1000…1000.</para></listitem> | |
| 1071 | </varlistentry> | |
| 1072 | ||
| d107bb7d LP |
1073 | <varlistentry> |
| 1074 | <term><option>--cpu-affinity=</option></term> | |
| 1075 | ||
| 1076 | <listitem><para>Controls the CPU affinity of the container payload. Takes a comma separated list of CPU numbers | |
| 1077 | or number ranges (the latter's start and end value separated by dashes). See <citerefentry | |
| 1078 | project='man-pages'><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for | |
| 1079 | details.</para></listitem> | |
| 1080 | </varlistentry> | |
| 1081 | ||
| c6c8f6e2 | 1082 | <varlistentry> |
| d99058c9 | 1083 | <term><option>--personality=</option></term> |
| b09c0bba | 1084 | |
| d99058c9 LP |
1085 | <listitem><para>Control the architecture ("personality") |
| 1086 | reported by | |
| 1087 | <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> | |
| 1088 | in the container. Currently, only <literal>x86</literal> and | |
| 1089 | <literal>x86-64</literal> are supported. This is useful when | |
| 1090 | running a 32-bit container on a 64-bit host. If this setting | |
| 1091 | is not used, the personality reported in the container is the | |
| 1092 | same as the one reported on the host.</para></listitem> | |
| 798d3a52 | 1093 | </varlistentry> |
| d99058c9 | 1094 | </variablelist> |
| 798d3a52 | 1095 | |
| d99058c9 LP |
1096 | </refsect2><refsect2> |
| 1097 | <title>Integration Options</title> | |
| 798d3a52 | 1098 | |
| d99058c9 | 1099 | <variablelist> |
| 09d423e9 LP |
1100 | <varlistentry> |
| 1101 | <term><option>--resolv-conf=</option></term> | |
| 1102 | ||
| 1103 | <listitem><para>Configures how <filename>/etc/resolv.conf</filename> inside of the container (i.e. DNS | |
| 1104 | configuration synchronization from host to container) shall be handled. Takes one of <literal>off</literal>, | |
| 1105 | <literal>copy-host</literal>, <literal>copy-static</literal>, <literal>bind-host</literal>, | |
| 1106 | <literal>bind-static</literal>, <literal>delete</literal> or <literal>auto</literal>. If set to | |
| 1107 | <literal>off</literal> the <filename>/etc/resolv.conf</filename> file in the container is left as it is | |
| 1108 | included in the image, and neither modified nor bind mounted over. If set to <literal>copy-host</literal>, the | |
| 1109 | <filename>/etc/resolv.conf</filename> file from the host is copied into the container. Similar, if | |
| 1110 | <literal>bind-host</literal> is used, the file is bind mounted from the host into the container. If set to | |
| 1111 | <literal>copy-static</literal> the static <filename>resolv.conf</filename> file supplied with | |
| 1112 | <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> is | |
| 1113 | copied into the container, and correspondingly <literal>bind-static</literal> bind mounts it there. If set to | |
| 1114 | <literal>delete</literal> the <filename>/etc/resolv.conf</filename> file in the container is deleted if it | |
| 1115 | exists. Finally, if set to <literal>auto</literal> the file is left as it is if private networking is turned on | |
| 1116 | (see <option>--private-network</option>). Otherwise, if <filename>systemd-resolved.service</filename> is | |
| 1117 | connectible its static <filename>resolv.conf</filename> file is used, and if not the host's | |
| 1118 | <filename>/etc/resolv.conf</filename> file is used. In the latter cases the file is copied if the image is | |
| 1119 | writable, and bind mounted otherwise. It's recommended to use <literal>copy</literal> if the container shall be | |
| 1120 | able to make changes to the DNS configuration on its own, deviating from the host's settings. Otherwise | |
| 1121 | <literal>bind</literal> is preferable, as it means direct changes to <filename>/etc/resolv.conf</filename> in | |
| 1122 | the container are not allowed, as it is a read-only bind mount (but note that if the container has enough | |
| 1123 | privileges, it might simply go ahead and unmount the bind mount anyway). Note that both if the file is bind | |
| 1124 | mounted and if it is copied no further propagation of configuration is generally done after the one-time early | |
| 1125 | initialization (this is because the file is usually updated through copying and renaming). Defaults to | |
| 1126 | <literal>auto</literal>.</para></listitem> | |
| 1127 | </varlistentry> | |
| 1128 | ||
| 1688841f LP |
1129 | <varlistentry> |
| 1130 | <term><option>--timezone=</option></term> | |
| 1131 | ||
| 1132 | <listitem><para>Configures how <filename>/etc/localtime</filename> inside of the container (i.e. local timezone | |
| 1133 | synchronization from host to container) shall be handled. Takes one of <literal>off</literal>, | |
| 1134 | <literal>copy</literal>, <literal>bind</literal>, <literal>symlink</literal>, <literal>delete</literal> or | |
| 1135 | <literal>auto</literal>. If set to <literal>off</literal> the <filename>/etc/localtime</filename> file in the | |
| 1136 | container is left as it is included in the image, and neither modified nor bind mounted over. If set to | |
| 1137 | <literal>copy</literal> the <filename>/etc/localtime</filename> file of the host is copied into the | |
| 1138 | container. Similar, if <literal>bind</literal> is used, it is bind mounted from the host into the container. If | |
| 1139 | set to <literal>symlink</literal> a symlink from <filename>/etc/localtime</filename> in the container is | |
| 1140 | created pointing to the matching the timezone file of the container that matches the timezone setting on the | |
| 1141 | host. If set to <literal>delete</literal> the file in the container is deleted, should it exist. If set to | |
| 1142 | <literal>auto</literal> and the <filename>/etc/localtime</filename> file of the host is a symlink, then | |
| 1143 | <literal>symlink</literal> mode is used, and <literal>copy</literal> otherwise, except if the image is | |
| 1144 | read-only in which case <literal>bind</literal> is used instead. Defaults to | |
| 1145 | <literal>auto</literal>.</para></listitem> | |
| 1146 | </varlistentry> | |
| 1147 | ||
| 798d3a52 | 1148 | <varlistentry> |
| d99058c9 | 1149 | <term><option>--link-journal=</option></term> |
| 798d3a52 | 1150 | |
| d99058c9 LP |
1151 | <listitem><para>Control whether the container's journal shall |
| 1152 | be made visible to the host system. If enabled, allows viewing | |
| 1153 | the container's journal files from the host (but not vice | |
| 1154 | versa). Takes one of <literal>no</literal>, | |
| 1155 | <literal>host</literal>, <literal>try-host</literal>, | |
| 1156 | <literal>guest</literal>, <literal>try-guest</literal>, | |
| 1157 | <literal>auto</literal>. If <literal>no</literal>, the journal | |
| 1158 | is not linked. If <literal>host</literal>, the journal files | |
| 1159 | are stored on the host file system (beneath | |
| 1160 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 1161 | and the subdirectory is bind-mounted into the container at the | |
| 1162 | same location. If <literal>guest</literal>, the journal files | |
| 1163 | are stored on the guest file system (beneath | |
| 1164 | <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) | |
| 1165 | and the subdirectory is symlinked into the host at the same | |
| 1166 | location. <literal>try-host</literal> and | |
| 1167 | <literal>try-guest</literal> do the same but do not fail if | |
| 1168 | the host does not have persistent journaling enabled. If | |
| 1169 | <literal>auto</literal> (the default), and the right | |
| 1170 | subdirectory of <filename>/var/log/journal</filename> exists, | |
| 1171 | it will be bind mounted into the container. If the | |
| 1172 | subdirectory does not exist, no linking is performed. | |
| 1173 | Effectively, booting a container once with | |
| 1174 | <literal>guest</literal> or <literal>host</literal> will link | |
| 1175 | the journal persistently if further on the default of | |
| 1176 | <literal>auto</literal> is used.</para> | |
| 1177 | ||
| 1178 | <para>Note that <option>--link-journal=try-guest</option> is the default if the | |
| 1179 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem> | |
| 798d3a52 ZJS |
1180 | </varlistentry> |
| 1181 | ||
| d99058c9 LP |
1182 | <varlistentry> |
| 1183 | <term><option>-j</option></term> | |
| 1184 | ||
| 1185 | <listitem><para>Equivalent to | |
| 1186 | <option>--link-journal=try-guest</option>.</para></listitem> | |
| 1187 | </varlistentry> | |
| 1188 | ||
| 1189 | </variablelist> | |
| 1190 | ||
| 1191 | </refsect2><refsect2> | |
| 1192 | <title>Mount Options</title> | |
| 1193 | ||
| 1194 | <variablelist> | |
| 1195 | ||
| 798d3a52 ZJS |
1196 | <varlistentry> |
| 1197 | <term><option>--bind=</option></term> | |
| 1198 | <term><option>--bind-ro=</option></term> | |
| 1199 | ||
| 86c0dd4a | 1200 | <listitem><para>Bind mount a file or directory from the host into the container. Takes one of: a path |
| c7a4890c LP |
1201 | argument — in which case the specified path will be mounted from the host to the same path in the container, or |
| 1202 | a colon-separated pair of paths — in which case the first specified path is the source in the host, and the | |
| 1203 | second path is the destination in the container, or a colon-separated triple of source path, destination path | |
| 86c0dd4a | 1204 | and mount options. The source path may optionally be prefixed with a <literal>+</literal> character. If so, the |
| c7a4890c LP |
1205 | source path is taken relative to the image's root directory. This permits setting up bind mounts within the |
| 1206 | container image. The source path may be specified as empty string, in which case a temporary directory below | |
| 1207 | the host's <filename>/var/tmp</filename> directory is used. It is automatically removed when the container is | |
| 1208 | shut down. Mount options are comma-separated and currently, only <option>rbind</option> and | |
| 1209 | <option>norbind</option> are allowed, controlling whether to create a recursive or a regular bind | |
| 1210 | mount. Defaults to "rbind". Backslash escapes are interpreted, so <literal>\:</literal> may be used to embed | |
| 1211 | colons in either path. This option may be specified multiple times for creating multiple independent bind | |
| 994a6364 LP |
1212 | mount points. The <option>--bind-ro=</option> option creates read-only bind mounts.</para> |
| 1213 | ||
| 1214 | <para>Note that when this option is used in combination with <option>--private-users</option>, the resulting | |
| 1215 | mount points will be owned by the <constant>nobody</constant> user. That's because the mount and its files and | |
| 1216 | directories continue to be owned by the relevant host users and groups, which do not exist in the container, | |
| 1217 | and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to | |
| 1218 | make them read-only, using <option>--bind-ro=</option>.</para></listitem> | |
| 798d3a52 ZJS |
1219 | </varlistentry> |
| 1220 | ||
| 3d6c3675 LP |
1221 | <varlistentry> |
| 1222 | <term><option>--inaccessible=</option></term> | |
| 1223 | ||
| 1224 | <listitem><para>Make the specified path inaccessible in the container. This over-mounts the specified path | |
| 1225 | (which must exist in the container) with a file node of the same type that is empty and has the most | |
| 1226 | restrictive access mode supported. This is an effective way to mask files, directories and other file system | |
| 1227 | objects from the container payload. This option may be used more than once in case all specified paths are | |
| 1228 | masked.</para></listitem> | |
| 1229 | </varlistentry> | |
| 1230 | ||
| 798d3a52 ZJS |
1231 | <varlistentry> |
| 1232 | <term><option>--tmpfs=</option></term> | |
| 1233 | ||
| b23f1628 LP |
1234 | <listitem><para>Mount a tmpfs file system into the container. Takes a single absolute path argument that |
| 1235 | specifies where to mount the tmpfs instance to (in which case the directory access mode will be chosen as 0755, | |
| 1236 | owned by root/root), or optionally a colon-separated pair of path and mount option string that is used for | |
| 1237 | mounting (in which case the kernel default for access mode and owner will be chosen, unless otherwise | |
| 1238 | specified). Backslash escapes are interpreted in the path, so <literal>\:</literal> may be used to embed colons | |
| 1239 | in the path.</para> | |
| 1240 | ||
| 1241 | <para>Note that this option cannot be used to replace the root file system of the container with a temporary | |
| 1242 | file system. However, the <option>--volatile=</option> option described below provides similar | |
| 1243 | functionality, with a focus on implementing stateless operating system images.</para></listitem> | |
| 798d3a52 ZJS |
1244 | </varlistentry> |
| 1245 | ||
| 5a8af538 LP |
1246 | <varlistentry> |
| 1247 | <term><option>--overlay=</option></term> | |
| 1248 | <term><option>--overlay-ro=</option></term> | |
| 1249 | ||
| 1250 | <listitem><para>Combine multiple directory trees into one | |
| 1251 | overlay file system and mount it into the container. Takes a | |
| 1252 | list of colon-separated paths to the directory trees to | |
| 1253 | combine and the destination mount point.</para> | |
| 1254 | ||
| 2eadf91c RM |
1255 | <para>Backslash escapes are interpreted in the paths, so |
| 1256 | <literal>\:</literal> may be used to embed colons in the paths. | |
| 1257 | </para> | |
| 1258 | ||
| 5a8af538 LP |
1259 | <para>If three or more paths are specified, then the last |
| 1260 | specified path is the destination mount point in the | |
| 1261 | container, all paths specified before refer to directory trees | |
| 1262 | on the host and are combined in the specified order into one | |
| 1263 | overlay file system. The left-most path is hence the lowest | |
| 1264 | directory tree, the second-to-last path the highest directory | |
| 1265 | tree in the stacking order. If <option>--overlay-ro=</option> | |
| b938cb90 | 1266 | is used instead of <option>--overlay=</option>, a read-only |
| 5a8af538 | 1267 | overlay file system is created. If a writable overlay file |
| b938cb90 | 1268 | system is created, all changes made to it are written to the |
| 5a8af538 LP |
1269 | highest directory tree in the stacking order, i.e. the |
| 1270 | second-to-last specified.</para> | |
| 1271 | ||
| 1272 | <para>If only two paths are specified, then the second | |
| 1273 | specified path is used both as the top-level directory tree in | |
| 1274 | the stacking order as seen from the host, as well as the mount | |
| 1275 | point for the overlay file system in the container. At least | |
| 1276 | two paths have to be specified.</para> | |
| 1277 | ||
| 86c0dd4a | 1278 | <para>The source paths may optionally be prefixed with <literal>+</literal> character. If so they are taken |
| c7a4890c LP |
1279 | relative to the image's root directory. The uppermost source path may also be specified as empty string, in |
| 1280 | which case a temporary directory below the host's <filename>/var/tmp</filename> is used. The directory is | |
| 1281 | removed automatically when the container is shut down. This behaviour is useful in order to make read-only | |
| 1282 | container directories writable while the container is running. For example, use the | |
| 1283 | <literal>--overlay=+/var::/var</literal> option in order to automatically overlay a writable temporary | |
| 1284 | directory on a read-only <filename>/var</filename> directory.</para> | |
| 86c0dd4a | 1285 | |
| 5a8af538 LP |
1286 | <para>For details about overlay file systems, see <ulink |
| 1287 | url="https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt">overlayfs.txt</ulink>. Note | |
| 1288 | that the semantics of overlay file systems are substantially | |
| 1289 | different from normal file systems, in particular regarding | |
| 1290 | reported device and inode information. Device and inode | |
| 1291 | information may change for a file while it is being written | |
| 1292 | to, and processes might see out-of-date versions of files at | |
| 1293 | times. Note that this switch automatically derives the | |
| 1294 | <literal>workdir=</literal> mount option for the overlay file | |
| 1295 | system from the top-level directory tree, making it a sibling | |
| 1296 | of it. It is hence essential that the top-level directory tree | |
| 1297 | is not a mount point itself (since the working directory must | |
| 1298 | be on the same file system as the top-most directory | |
| 1299 | tree). Also note that the <literal>lowerdir=</literal> mount | |
| 1300 | option receives the paths to stack in the opposite order of | |
| b23f1628 LP |
1301 | this switch.</para> |
| 1302 | ||
| 1303 | <para>Note that this option cannot be used to replace the root file system of the container with an overlay | |
| d99058c9 | 1304 | file system. However, the <option>--volatile=</option> option described above provides similar functionality, |
| b23f1628 | 1305 | with a focus on implementing stateless operating system images.</para></listitem> |
| 5a8af538 | 1306 | </varlistentry> |
| d99058c9 | 1307 | </variablelist> |
| 5a8af538 | 1308 | |
| d99058c9 LP |
1309 | </refsect2><refsect2> |
| 1310 | <title>Input/Output Options</title> | |
| 798d3a52 | 1311 | |
| d99058c9 | 1312 | <variablelist> |
| 3d6c3675 LP |
1313 | <varlistentry> |
| 1314 | <term><option>--console=</option><replaceable>MODE</replaceable></term> | |
| 1315 | ||
| 7a25ba55 ZJS |
1316 | <listitem><para>Configures how to set up standard input, output and error output for the container |
| 1317 | payload, as well as the <filename>/dev/console</filename> device for the container. Takes one of | |
| 1318 | <option>interactive</option>, <option>read-only</option>, <option>passive</option>, or | |
| 1319 | <option>pipe</option>. If <option>interactive</option>, a pseudo-TTY is allocated and made available | |
| 1320 | as <filename>/dev/console</filename> in the container. It is then bi-directionally connected to the | |
| 1321 | standard input and output passed to <command>systemd-nspawn</command>. <option>read-only</option> is | |
| 1322 | similar but only the output of the container is propagated and no input from the caller is read. If | |
| 1323 | <option>passive</option>, a pseudo TTY is allocated, but it is not connected anywhere. Finally, in | |
| 1324 | <option>pipe</option> mode no pseudo TTY is allocated, but the standard input, output and error | |
| 1325 | output file descriptors passed to <command>systemd-nspawn</command> are passed on — as they are — to | |
| 1326 | the container payload, see the following paragraph. Defaults to <option>interactive</option> if | |
| 3d6c3675 | 1327 | <command>systemd-nspawn</command> is invoked from a terminal, and <option>read-only</option> |
| 7a25ba55 ZJS |
1328 | otherwise.</para> |
| 1329 | ||
| 1330 | <para>In <option>pipe</option> mode, <filename>/dev/console</filename> will not exist in the | |
| 1331 | container. This means that the container payload generally cannot be a full init system as init | |
| 1332 | systems tend to require <filename>/dev/console</filename> to be available. On the other hand, in this | |
| 1333 | mode container invocations can be used within shell pipelines. This is because intermediary pseudo | |
| 1334 | TTYs do not permit independent bidirectional propagation of the end-of-file (EOF) condition, which is | |
| 1335 | necessary for shell pipelines to work correctly. <emphasis>Note that the <option>pipe</option> mode | |
| 1336 | should be used carefully</emphasis>, as passing arbitrary file descriptors to less trusted container | |
| 1337 | payloads might open up unwanted interfaces for access by the container payload. For example, if a | |
| 1338 | passed file descriptor refers to a TTY of some form, APIs such as <constant>TIOCSTI</constant> may be | |
| 1339 | used to synthesize input that might be used for escaping the container. Hence <option>pipe</option> | |
| 1340 | mode should only be used if the payload is sufficiently trusted or when the standard | |
| 1341 | input/output/error output file descriptors are known safe, for example pipes.</para></listitem> | |
| 3d6c3675 LP |
1342 | </varlistentry> |
| 1343 | ||
| 1344 | <varlistentry> | |
| 1345 | <term><option>--pipe</option></term> | |
| 1346 | <term><option>-P</option></term> | |
| 1347 | ||
| 1348 | <listitem><para>Equivalent to <option>--console=pipe</option>.</para></listitem> | |
| 1349 | </varlistentry> | |
| 1350 | ||
| bb068de0 | 1351 | <xi:include href="standard-options.xml" xpointer="no-pager" /> |
| 798d3a52 ZJS |
1352 | <xi:include href="standard-options.xml" xpointer="help" /> |
| 1353 | <xi:include href="standard-options.xml" xpointer="version" /> | |
| 1354 | </variablelist> | |
| d99058c9 | 1355 | </refsect2> |
| 798d3a52 ZJS |
1356 | </refsect1> |
| 1357 | ||
| bb068de0 ZJS |
1358 | <xi:include href="less-variables.xml" /> |
| 1359 | ||
| 798d3a52 ZJS |
1360 | <refsect1> |
| 1361 | <title>Examples</title> | |
| 1362 | ||
| 1363 | <example> | |
| 12c4ee0a ZJS |
1364 | <title>Download a |
| 1365 | <ulink url="https://getfedora.org">Fedora</ulink> image and start a shell in it</title> | |
| 798d3a52 | 1366 | |
| 3797fd0a | 1367 | <programlisting># machinectl pull-raw --verify=no \ |
| b12a67ae AZ |
1368 | https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz \ |
| 1369 | Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64 | |
| 1370 | # systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64</programlisting> | |
| e0ea94c1 | 1371 | |
| 798d3a52 ZJS |
1372 | <para>This downloads an image using |
| 1373 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
| 1374 | and opens a shell in it.</para> | |
| 1375 | </example> | |
| e0ea94c1 | 1376 | |
| 798d3a52 ZJS |
1377 | <example> |
| 1378 | <title>Build and boot a minimal Fedora distribution in a container</title> | |
| 8f7a3c14 | 1379 | |
| 7a8aa0ec | 1380 | <programlisting># dnf -y --releasever=&fedora_latest_version; --installroot=/var/lib/machines/f&fedora_latest_version; \ |
| 3797fd0a ZJS |
1381 | --disablerepo='*' --enablerepo=fedora --enablerepo=updates install \ |
| 1382 | systemd passwd dnf fedora-release vim-minimal | |
| 7a8aa0ec | 1383 | # systemd-nspawn -bD /var/lib/machines/f&fedora_latest_version;</programlisting> |
| 8f7a3c14 | 1384 | |
| 798d3a52 | 1385 | <para>This installs a minimal Fedora distribution into the |
| b0343f8c | 1386 | directory <filename index="false">/var/lib/machines/f&fedora_latest_version;</filename> |
| 55107232 ZJS |
1387 | and then boots an OS in a namespace container in it. Because the installation |
| 1388 | is located underneath the standard <filename>/var/lib/machines/</filename> | |
| 1389 | directory, it is also possible to start the machine using | |
| 7a8aa0ec | 1390 | <command>systemd-nspawn -M f&fedora_latest_version;</command>.</para> |
| 798d3a52 | 1391 | </example> |
| 8f7a3c14 | 1392 | |
| 798d3a52 ZJS |
1393 | <example> |
| 1394 | <title>Spawn a shell in a container of a minimal Debian unstable distribution</title> | |
| 8f7a3c14 | 1395 | |
| 7f8b3d1d | 1396 | <programlisting># debootstrap unstable ~/debian-tree/ |
| 25f5971b | 1397 | # systemd-nspawn -D ~/debian-tree/</programlisting> |
| 8f7a3c14 | 1398 | |
| 798d3a52 ZJS |
1399 | <para>This installs a minimal Debian unstable distribution into |
| 1400 | the directory <filename>~/debian-tree/</filename> and then | |
| 1401 | spawns a shell in a namespace container in it.</para> | |
| 12c4ee0a ZJS |
1402 | |
| 1403 | <para><command>debootstrap</command> supports | |
| 1404 | <ulink url="https://www.debian.org">Debian</ulink>, | |
| 1405 | <ulink url="https://www.ubuntu.com">Ubuntu</ulink>, | |
| 1406 | and <ulink url="https://www.tanglu.org">Tanglu</ulink> | |
| 1407 | out of the box, so the same command can be used to install any of those. For other | |
| 1408 | distributions from the Debian family, a mirror has to be specified, see | |
| 1409 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>. | |
| 1410 | </para> | |
| 798d3a52 | 1411 | </example> |
| 8f7a3c14 | 1412 | |
| 798d3a52 | 1413 | <example> |
| 12c4ee0a ZJS |
1414 | <title>Boot a minimal |
| 1415 | <ulink url="https://www.archlinux.org">Arch Linux</ulink> distribution in a container</title> | |
| 68562936 | 1416 | |
| 9a027075 | 1417 | <programlisting># pacstrap -c ~/arch-tree/ base |
| 68562936 WG |
1418 | # systemd-nspawn -bD ~/arch-tree/</programlisting> |
| 1419 | ||
| ff9b60f3 | 1420 | <para>This installs a minimal Arch Linux distribution into the |
| 798d3a52 ZJS |
1421 | directory <filename>~/arch-tree/</filename> and then boots an OS |
| 1422 | in a namespace container in it.</para> | |
| 1423 | </example> | |
| 68562936 | 1424 | |
| f518ee04 | 1425 | <example> |
| 12c4ee0a ZJS |
1426 | <title>Install the |
| 1427 | <ulink url="https://software.opensuse.org/distributions/tumbleweed">OpenSUSE Tumbleweed</ulink> | |
| 1428 | rolling distribution</title> | |
| f518ee04 ZJS |
1429 | |
| 1430 | <programlisting># zypper --root=/var/lib/machines/tumbleweed ar -c \ | |
| 1431 | https://download.opensuse.org/tumbleweed/repo/oss tumbleweed | |
| 1432 | # zypper --root=/var/lib/machines/tumbleweed refresh | |
| 1433 | # zypper --root=/var/lib/machines/tumbleweed install --no-recommends \ | |
| 1434 | systemd shadow zypper openSUSE-release vim | |
| 1435 | # systemd-nspawn -M tumbleweed passwd root | |
| 1436 | # systemd-nspawn -M tumbleweed -b</programlisting> | |
| 1437 | </example> | |
| 1438 | ||
| 798d3a52 | 1439 | <example> |
| 17cbb288 | 1440 | <title>Boot into an ephemeral snapshot of the host system</title> |
| f9f4dd51 | 1441 | |
| 798d3a52 | 1442 | <programlisting># systemd-nspawn -D / -xb</programlisting> |
| f9f4dd51 | 1443 | |
| 17cbb288 LP |
1444 | <para>This runs a copy of the host system in a snapshot which is removed immediately when the container |
| 1445 | exits. All file system changes made during runtime will be lost on shutdown, hence.</para> | |
| 798d3a52 | 1446 | </example> |
| f9f4dd51 | 1447 | |
| 798d3a52 ZJS |
1448 | <example> |
| 1449 | <title>Run a container with SELinux sandbox security contexts</title> | |
| a8828ed9 | 1450 | |
| 798d3a52 | 1451 | <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container |
| 3797fd0a ZJS |
1452 | # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 \ |
| 1453 | -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting> | |
| 798d3a52 | 1454 | </example> |
| b53ede69 PW |
1455 | |
| 1456 | <example> | |
| 1457 | <title>Run a container with an OSTree deployment</title> | |
| 1458 | ||
| 3797fd0a ZJS |
1459 | <programlisting># systemd-nspawn -b -i ~/image.raw \ |
| 1460 | --pivot-root=/ostree/deploy/$OS/deploy/$CHECKSUM:/sysroot \ | |
| 1461 | --bind=+/sysroot/ostree/deploy/$OS/var:/var</programlisting> | |
| b53ede69 | 1462 | </example> |
| 798d3a52 ZJS |
1463 | </refsect1> |
| 1464 | ||
| 1465 | <refsect1> | |
| 1466 | <title>Exit status</title> | |
| 1467 | ||
| 1468 | <para>The exit code of the program executed in the container is | |
| 1469 | returned.</para> | |
| 1470 | </refsect1> | |
| 1471 | ||
| 1472 | <refsect1> | |
| 1473 | <title>See Also</title> | |
| 1474 | <para> | |
| 1475 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| f757855e | 1476 | <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| 798d3a52 ZJS |
1477 | <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| 1478 | <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| 798d3a52 ZJS |
1479 | <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| 1480 | <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
| f518ee04 | 1481 | <citerefentry project='mankier'><refentrytitle>zypper</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| 798d3a52 ZJS |
1482 | <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| 1483 | <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
| 3ba3a79d | 1484 | <citerefentry project='man-pages'><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
| 798d3a52 ZJS |
1485 | </para> |
| 1486 | </refsect1> | |
| 8f7a3c14 LP |
1487 | |
| 1488 | </refentry> |