]>
Commit | Line | Data |
---|---|---|
514094f9 | 1 | <?xml version='1.0'?> |
3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
f757855e LP |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ |
4 | <!ENTITY % entities SYSTEM "custom-entities.ent" > | |
5 | %entities; | |
6 | ]> | |
0307f791 | 7 | <!-- SPDX-License-Identifier: LGPL-2.1+ --> |
f757855e LP |
8 | |
9 | <refentry id="systemd.nspawn"> | |
10 | ||
11 | <refentryinfo> | |
12 | <title>systemd.nspawn</title> | |
13 | <productname>systemd</productname> | |
f757855e LP |
14 | </refentryinfo> |
15 | ||
16 | <refmeta> | |
17 | <refentrytitle>systemd.nspawn</refentrytitle> | |
18 | <manvolnum>5</manvolnum> | |
19 | </refmeta> | |
20 | ||
21 | <refnamediv> | |
22 | <refname>systemd.nspawn</refname> | |
23 | <refpurpose>Container settings</refpurpose> | |
24 | </refnamediv> | |
25 | ||
26 | <refsynopsisdiv> | |
27 | <para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para> | |
28 | <para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para> | |
29 | <para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para> | |
30 | </refsynopsisdiv> | |
31 | ||
32 | <refsect1> | |
33 | <title>Description</title> | |
34 | ||
35 | <para>An nspawn container settings file (suffix | |
36 | <filename>.nspawn</filename>) encodes additional runtime | |
37 | information about a local container, and is searched, read and | |
38 | used by | |
39 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
40 | when starting a container. Files of this type are named after the | |
41 | containers they define settings for. They are optional, and only | |
42 | required for containers whose execution environment shall differ | |
43 | from the defaults. Files of this type mostly contain settings that | |
44 | may also be set on the <command>systemd-nspawn</command> command | |
45 | line, and make it easier to persistently attach specific settings | |
46 | to specific containers. The syntax of these files is inspired by | |
47 | <filename>.desktop</filename> files following the <ulink | |
48 | url="http://standards.freedesktop.org/desktop-entry-spec/latest/">XDG | |
a8eaaee7 | 49 | Desktop Entry Specification</ulink>, which in turn are inspired by |
f757855e LP |
50 | Microsoft Windows <filename>.ini</filename> files.</para> |
51 | ||
52 | <para>Boolean arguments used in these settings files can be | |
b938cb90 | 53 | written in various formats. For positive settings, the strings |
f757855e LP |
54 | <option>1</option>, <option>yes</option>, <option>true</option> |
55 | and <option>on</option> are equivalent. For negative settings, the | |
56 | strings <option>0</option>, <option>no</option>, | |
57 | <option>false</option> and <option>off</option> are | |
58 | equivalent.</para> | |
59 | ||
60 | <para>Empty lines and lines starting with # or ; are | |
61 | ignored. This may be used for commenting. Lines ending | |
62 | in a backslash are concatenated with the following | |
63 | line while reading and the backslash is replaced by a | |
64 | space character. This may be used to wrap long lines.</para> | |
65 | ||
66 | </refsect1> | |
67 | ||
68 | <refsect1> | |
69 | <title><filename>.nspawn</filename> File Discovery</title> | |
70 | ||
71 | <para>Files are searched by appending the | |
72 | <filename>.nspawn</filename> suffix to the machine name of the | |
73 | container, as specified with the <option>--machine=</option> | |
74 | switch of <command>systemd-nspawn</command>, or derived from the | |
75 | directory or image file name. This file is first searched in | |
76 | <filename>/etc/systemd/nspawn/</filename> and | |
77 | <filename>/run/systemd/nspawn/</filename>. If found in these | |
b938cb90 | 78 | directories, its settings are read and all of them take full effect |
4f76ef04 | 79 | (but are possibly overridden by corresponding command line |
b938cb90 | 80 | arguments). If not found, the file will then be searched next to |
f757855e | 81 | the image file or in the immediate parent of the root directory of |
b938cb90 | 82 | the container. If the file is found there, only a subset of the |
f757855e LP |
83 | settings will take effect however. All settings that possibly |
84 | elevate privileges or grant additional access to resources of the | |
85 | host (such as files or directories) are ignored. To which options | |
86 | this applies is documented below.</para> | |
87 | ||
a8eaaee7 | 88 | <para>Persistent settings files created and maintained by the |
f757855e LP |
89 | administrator (and thus trusted) should be placed in |
90 | <filename>/etc/systemd/nspawn/</filename>, while automatically | |
91 | downloaded (and thus potentially untrusted) settings files are | |
92 | placed in <filename>/var/lib/machines/</filename> instead (next to | |
93 | the container images), where their security impact is limited. In | |
94 | order to add privileged settings to <filename>.nspawn</filename> | |
b938cb90 | 95 | files acquired from the image vendor, it is recommended to copy the |
f757855e LP |
96 | settings files into <filename>/etc/systemd/nspawn/</filename> and |
97 | edit them there, so that the privileged options become | |
a8eaaee7 | 98 | available. The precise algorithm for how the files are searched and |
f757855e LP |
99 | interpreted may be configured with |
100 | <command>systemd-nspawn</command>'s <option>--settings=</option> | |
101 | switch, see | |
102 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
103 | for details.</para> | |
104 | </refsect1> | |
105 | ||
106 | <refsect1> | |
107 | <title>[Exec] Section Options</title> | |
108 | ||
109 | <para>Settings files may include an <literal>[Exec]</literal> | |
110 | section, which carries various execution parameters:</para> | |
111 | ||
37dac218 | 112 | <variablelist class='nspawn-directives'> |
f757855e LP |
113 | |
114 | <varlistentry> | |
115 | <term><varname>Boot=</varname></term> | |
116 | ||
7732f92b LP |
117 | <listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command> |
118 | will automatically search for an <filename>init</filename> executable and invoke it. In this case, the | |
119 | specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the | |
120 | <filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the | |
121 | <command>systemd-nspawn</command> command line. This option may not be combined with | |
7e95efb5 ZJS |
122 | <varname>ProcessTwo=yes</varname>. This option is specified by default in the |
123 | <filename>systemd-nspawn@.service</filename> template unit.</para></listitem> | |
7732f92b LP |
124 | </varlistentry> |
125 | ||
a2f577fc JL |
126 | <varlistentry> |
127 | <term><varname>Ephemeral=</varname></term> | |
128 | ||
129 | <listitem><para>Takes a boolean argument, which defaults to off, If enabled, the container is run with | |
130 | a temporary snapshot of its file system that is removed immediately when the container terminates. | |
131 | This is equivalent to the <option>--ephemeral</option> command line switch. See | |
132 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details | |
133 | about the specific options supported.</para></listitem> | |
134 | </varlistentry> | |
135 | ||
7732f92b LP |
136 | <varlistentry> |
137 | <term><varname>ProcessTwo=</varname></term> | |
138 | ||
139 | <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as | |
140 | PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch | |
141 | on the <command>systemd-nspawn</command> command line. This option may not be combined with | |
142 | <varname>Boot=yes</varname>.</para></listitem> | |
f757855e LP |
143 | </varlistentry> |
144 | ||
145 | <varlistentry> | |
146 | <term><varname>Parameters=</varname></term> | |
147 | ||
7e95efb5 ZJS |
148 | <listitem><para>Takes a whitespace-separated list of arguments. Single (<literal>'</literal>) and |
149 | double (<literal>"</literal>) quotes may be used around arguments with whitespace. This is either a | |
150 | command line, beginning with the binary name to execute, or – if <varname>Boot=</varname> is enabled | |
151 | – the list of arguments to pass to the init process. This setting corresponds to the command line | |
152 | parameters passed on the <command>systemd-nspawn</command> command line.</para> | |
153 | ||
154 | <para>Note: <option>Boot=no</option>, <option>Parameters=a b "c c"</option> is the same as | |
155 | <command>systemd-nspawn a b "c c"</command>, and <option>Boot=yes</option>, <option>Parameters=b 'c c'</option> | |
156 | is the same as <command>systemd-nspawn --boot b 'c c'</command>.</para></listitem> | |
f757855e LP |
157 | </varlistentry> |
158 | ||
159 | <varlistentry> | |
160 | <term><varname>Environment=</varname></term> | |
161 | ||
162 | <listitem><para>Takes an environment variable assignment | |
163 | consisting of key and value, separated by | |
164 | <literal>=</literal>. Sets an environment variable for the | |
165 | main process invoked in the container. This setting may be | |
166 | used multiple times to set multiple environment variables. It | |
167 | corresponds to the <option>--setenv=</option> command line | |
168 | switch.</para></listitem> | |
169 | </varlistentry> | |
170 | ||
171 | <varlistentry> | |
172 | <term><varname>User=</varname></term> | |
173 | ||
174 | <listitem><para>Takes a UNIX user name. Specifies the user | |
175 | name to invoke the main process of the container as. This user | |
176 | must be known in the container's user database. This | |
177 | corresponds to the <option>--user=</option> command line | |
5f932eb9 LP |
178 | switch.</para></listitem> |
179 | </varlistentry> | |
180 | ||
181 | <varlistentry> | |
182 | <term><varname>WorkingDirectory=</varname></term> | |
183 | ||
184 | <listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute | |
185 | path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line | |
f757855e LP |
186 | switch.</para></listitem> |
187 | </varlistentry> | |
188 | ||
b53ede69 PW |
189 | <varlistentry> |
190 | <term><varname>PivotRoot=</varname></term> | |
191 | ||
192 | <listitem><para>Selects a directory to pivot to <filename>/</filename> inside the container when starting up. | |
193 | Takes a single path, or a pair of two paths separated by a colon. Both paths must be absolute, and are resolved | |
194 | in the container's file system namespace. This corresponds to the <option>--pivot-root=</option> command line | |
195 | switch.</para></listitem> | |
196 | </varlistentry> | |
197 | ||
f757855e LP |
198 | <varlistentry> |
199 | <term><varname>Capability=</varname></term> | |
200 | <term><varname>DropCapability=</varname></term> | |
201 | ||
b938cb90 | 202 | <listitem><para>Takes a space-separated list of Linux process |
f757855e | 203 | capabilities (see |
524f3e5c | 204 | <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> |
f757855e LP |
205 | for details). The <varname>Capability=</varname> setting |
206 | specifies additional capabilities to pass on top of the | |
4f76ef04 | 207 | default set of capabilities. The |
f757855e LP |
208 | <varname>DropCapability=</varname> setting specifies |
209 | capabilities to drop from the default set. These settings | |
210 | correspond to the <option>--capability=</option> and | |
211 | <option>--drop-capability=</option> command line | |
212 | switches. Note that <varname>Capability=</varname> is a | |
213 | privileged setting, and only takes effect in | |
214 | <filename>.nspawn</filename> files in | |
215 | <filename>/etc/systemd/nspawn/</filename> and | |
216 | <filename>/run/system/nspawn/</filename> (see above). On the | |
b938cb90 | 217 | other hand, <varname>DropCapability=</varname> takes effect in |
f757855e LP |
218 | all cases.</para></listitem> |
219 | </varlistentry> | |
220 | ||
66edd963 LP |
221 | <varlistentry> |
222 | <term><varname>NoNewPrivileges=</varname></term> | |
223 | ||
224 | <listitem><para>Takes a boolean argument that controls the <constant>PR_SET_NO_NEW_PRIVS</constant> flag for | |
225 | the container payload. This is equivalent to the | |
226 | <option>--no-new-privileges=</option> command line switch. See | |
227 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
228 | details.</para> | |
229 | </listitem> | |
230 | </varlistentry> | |
231 | ||
b3969f73 | 232 | <varlistentry> |
c9648aa6 | 233 | <term><varname>KillSignal=</varname></term> |
b3969f73 PA |
234 | |
235 | <listitem><para>Specify the process signal to send to the | |
236 | container's PID 1 when nspawn itself receives SIGTERM, in | |
237 | order to trigger an orderly shutdown of the container. | |
238 | Defaults to SIGRTMIN+3 if <option>Boot=</option> is used | |
239 | (on systemd-compatible init systems SIGRTMIN+3 triggers an | |
240 | orderly shutdown). For a list of valid signals, see | |
241 | <citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem> | |
242 | </varlistentry> | |
243 | ||
f757855e LP |
244 | <varlistentry> |
245 | <term><varname>Personality=</varname></term> | |
246 | ||
247 | <listitem><para>Configures the kernel personality for the | |
248 | container. This is equivalent to the | |
249 | <option>--personality=</option> switch.</para></listitem> | |
250 | </varlistentry> | |
251 | ||
252 | <varlistentry> | |
253 | <term><varname>MachineID=</varname></term> | |
254 | ||
b938cb90 | 255 | <listitem><para>Configures the 128-bit machine ID (UUID) to pass to |
f757855e LP |
256 | the container. This is equivalent to the |
257 | <option>--uuid=</option> command line switch. This option is | |
258 | privileged (see above). </para></listitem> | |
259 | </varlistentry> | |
d2e5535f LP |
260 | |
261 | <varlistentry> | |
262 | <term><varname>PrivateUsers=</varname></term> | |
263 | ||
264 | <listitem><para>Configures support for usernamespacing. This is equivalent to the | |
265 | <option>--private-users=</option> command line switch, and takes the same options. This option is privileged | |
b09c0bba LP |
266 | (see above). This option is the default if the <filename>systemd-nspawn@.service</filename> template unit file |
267 | is used.</para></listitem> | |
d2e5535f | 268 | </varlistentry> |
9c1e04d0 AP |
269 | |
270 | <varlistentry> | |
271 | <term><varname>NotifyReady=</varname></term> | |
272 | ||
960e4569 | 273 | <listitem><para>Configures support for notifications from the container's init process. This is equivalent to |
dcfaecc7 | 274 | the <option>--notify-ready=</option> command line switch, and takes the same parameters. See |
960e4569 LP |
275 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details |
276 | about the specific options supported.</para></listitem> | |
9c1e04d0 | 277 | </varlistentry> |
960e4569 LP |
278 | |
279 | <varlistentry> | |
280 | <term><varname>SystemCallFilter=</varname></term> | |
281 | ||
282 | <listitem><para>Configures the system call filter applied to containers. This is equivalent to the | |
283 | <option>--system-call-filter=</option> command line switch, and takes the same list parameter. See | |
284 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
285 | details.</para></listitem> | |
286 | </varlistentry> | |
bf428efb LP |
287 | |
288 | <varlistentry> | |
289 | <term><varname>LimitCPU=</varname></term> | |
290 | <term><varname>LimitFSIZE=</varname></term> | |
291 | <term><varname>LimitDATA=</varname></term> | |
292 | <term><varname>LimitSTACK=</varname></term> | |
293 | <term><varname>LimitCORE=</varname></term> | |
294 | <term><varname>LimitRSS=</varname></term> | |
295 | <term><varname>LimitNOFILE=</varname></term> | |
296 | <term><varname>LimitAS=</varname></term> | |
297 | <term><varname>LimitNPROC=</varname></term> | |
298 | <term><varname>LimitMEMLOCK=</varname></term> | |
299 | <term><varname>LimitLOCKS=</varname></term> | |
300 | <term><varname>LimitSIGPENDING=</varname></term> | |
301 | <term><varname>LimitMSGQUEUE=</varname></term> | |
302 | <term><varname>LimitNICE=</varname></term> | |
303 | <term><varname>LimitRTPRIO=</varname></term> | |
304 | <term><varname>LimitRTTIME=</varname></term> | |
305 | ||
306 | <listitem><para>Configures various types of resource limits applied to containers. This is equivalent to the | |
307 | <option>--rlimit=</option> command line switch, and takes the same arguments. See | |
308 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
309 | details.</para></listitem> | |
310 | </varlistentry> | |
3a9530e5 | 311 | |
81f345df LP |
312 | <varlistentry> |
313 | <term><varname>OOMScoreAdjust=</varname></term> | |
314 | ||
315 | <listitem><para>Configures the OOM score adjustment value. This is equivalent to the | |
316 | <option>--oom-score-adjust=</option> command line switch, and takes the same argument. See | |
317 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
318 | details.</para></listitem> | |
319 | </varlistentry> | |
320 | ||
d107bb7d LP |
321 | <varlistentry> |
322 | <term><varname>CPUAffinity=</varname></term> | |
323 | ||
324 | <listitem><para>Configures the CPU affinity. This is equivalent to the <option>--cpu-affinity=</option> command | |
325 | line switch, and takes the same argument. See | |
326 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
327 | details.</para></listitem> | |
328 | </varlistentry> | |
329 | ||
3a9530e5 LP |
330 | <varlistentry> |
331 | <term><varname>Hostname=</varname></term> | |
332 | ||
333 | <listitem><para>Configures the kernel hostname set for the container. This is equivalent to the | |
334 | <option>--hostname=</option> command line switch, and takes the same argument. See | |
335 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
336 | details.</para></listitem> | |
337 | </varlistentry> | |
09d423e9 LP |
338 | |
339 | <varlistentry> | |
340 | <term><varname>ResolvConf=</varname></term> | |
341 | ||
342 | <listitem><para>Configures how <filename>/etc/resolv.conf</filename> in the container shall be handled. This is | |
343 | equivalent to the <option>--resolv-conf=</option> command line switch, and takes the same argument. See | |
344 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
345 | details.</para></listitem> | |
346 | </varlistentry> | |
4e1d6aa9 | 347 | |
1688841f LP |
348 | <varlistentry> |
349 | <term><varname>Timezone=</varname></term> | |
350 | ||
351 | <listitem><para>Configures how <filename>/etc/localtime</filename> in the container shall be handled. This is | |
bbe27ae4 | 352 | equivalent to the <option>--timezone=</option> command line switch, and takes the same argument. See |
1688841f LP |
353 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for |
354 | details.</para></listitem> | |
355 | </varlistentry> | |
356 | ||
4e1d6aa9 LP |
357 | <varlistentry> |
358 | <term><varname>LinkJournal=</varname></term> | |
359 | ||
360 | <listitem><para>Configures how to link host and container journal setups. This is equivalent to the | |
361 | <option>--link-journal=</option> command line switch, and takes the same parameter. See | |
362 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
363 | details.</para></listitem> | |
364 | </varlistentry> | |
960e4569 | 365 | |
f757855e LP |
366 | </variablelist> |
367 | </refsect1> | |
368 | ||
369 | <refsect1> | |
370 | <title>[Files] Section Options</title> | |
371 | ||
372 | <para>Settings files may include a <literal>[Files]</literal> | |
373 | section, which carries various parameters configuring the file | |
374 | system of the container:</para> | |
375 | ||
37dac218 | 376 | <variablelist class='nspawn-directives'> |
f757855e LP |
377 | |
378 | <varlistentry> | |
379 | <term><varname>ReadOnly=</varname></term> | |
380 | ||
a8eaaee7 | 381 | <listitem><para>Takes a boolean argument, which defaults to off. If |
b938cb90 | 382 | specified, the container will be run with a read-only file |
f757855e LP |
383 | system. This setting corresponds to the |
384 | <option>--read-only</option> command line | |
385 | switch.</para></listitem> | |
386 | </varlistentry> | |
387 | ||
388 | <varlistentry> | |
389 | <term><varname>Volatile=</varname></term> | |
390 | ||
391 | <listitem><para>Takes a boolean argument, or the special value | |
392 | <literal>state</literal>. This configures whether to run the | |
393 | container with volatile state and/or configuration. This | |
394 | option is equivalent to <option>--volatile=</option>, see | |
395 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
396 | for details about the specific options | |
397 | supported.</para></listitem> | |
398 | </varlistentry> | |
399 | ||
400 | <varlistentry> | |
401 | <term><varname>Bind=</varname></term> | |
402 | <term><varname>BindReadOnly=</varname></term> | |
403 | ||
404 | <listitem><para>Adds a bind mount from the host into the | |
405 | container. Takes a single path, a pair of two paths separated | |
406 | by a colon, or a triplet of two paths plus an option string | |
407 | separated by colons. This option may be used multiple times to | |
408 | configure multiple bind mounts. This option is equivalent to | |
409 | the command line switches <option>--bind=</option> and | |
410 | <option>--bind-ro=</option>, see | |
411 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
412 | for details about the specific options supported. This setting | |
413 | is privileged (see above).</para></listitem> | |
414 | </varlistentry> | |
415 | ||
416 | <varlistentry> | |
417 | <term><varname>TemporaryFileSystem=</varname></term> | |
418 | ||
419 | <listitem><para>Adds a <literal>tmpfs</literal> mount to the | |
420 | container. Takes a path or a pair of path and option string, | |
4f76ef04 | 421 | separated by a colon. This option may be used multiple times to |
f757855e LP |
422 | configure multiple <literal>tmpfs</literal> mounts. This |
423 | option is equivalent to the command line switch | |
424 | <option>--tmpfs=</option>, see | |
425 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
426 | for details about the specific options supported. This setting | |
427 | is privileged (see above).</para></listitem> | |
428 | </varlistentry> | |
d2e5535f | 429 | |
3d6c3675 LP |
430 | <varlistentry> |
431 | <term><varname>Inaccessible=</varname></term> | |
432 | ||
433 | <listitem><para>Masks the specified file or directly in the container, by over-mounting it with an empty file | |
5238e957 | 434 | node of the same type with the most restrictive access mode. Takes a file system path as argument. This option |
3d6c3675 LP |
435 | may be used multiple times to mask multiple files or directories. This option is equivalent to the command line |
436 | switch <option>--inaccessible=</option>, see | |
437 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details | |
438 | about the specific options supported. This setting is privileged (see above).</para></listitem> | |
439 | </varlistentry> | |
440 | ||
7b4318b6 LP |
441 | <varlistentry> |
442 | <term><varname>Overlay=</varname></term> | |
443 | <term><varname>OverlayReadOnly=</varname></term> | |
444 | ||
445 | <listitem><para>Adds an overlay mount point. Takes a colon-separated list of paths. This option may be used | |
446 | multiple times to configure multiple overlay mounts. This option is equivalent to the command line switches | |
447 | <option>--overlay=</option> and <option>--overlay-ro=</option>, see | |
448 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details | |
449 | about the specific options supported. This setting is privileged (see above).</para></listitem> | |
450 | </varlistentry> | |
451 | ||
d2e5535f LP |
452 | <varlistentry> |
453 | <term><varname>PrivateUsersChown=</varname></term> | |
454 | ||
455 | <listitem><para>Configures whether the ownership of the files and directories in the container tree shall be | |
456 | adjusted to the UID/GID range used, if necessary and user namespacing is enabled. This is equivalent to the | |
457 | <option>--private-users-chown</option> command line switch. This option is privileged (see | |
458 | above). </para></listitem> | |
459 | </varlistentry> | |
460 | ||
f757855e LP |
461 | </variablelist> |
462 | </refsect1> | |
463 | ||
464 | <refsect1> | |
465 | <title>[Network] Section Options</title> | |
466 | ||
467 | <para>Settings files may include a <literal>[Network]</literal> | |
468 | section, which carries various parameters configuring the network | |
469 | connectivity of the container:</para> | |
470 | ||
37dac218 | 471 | <variablelist class='nspawn-directives'> |
f757855e LP |
472 | |
473 | <varlistentry> | |
474 | <term><varname>Private=</varname></term> | |
475 | ||
a8eaaee7 | 476 | <listitem><para>Takes a boolean argument, which defaults to off. If |
b938cb90 | 477 | enabled, the container will run in its own network namespace |
f757855e LP |
478 | and not share network interfaces and configuration with the |
479 | host. This setting corresponds to the | |
480 | <option>--private-network</option> command line | |
481 | switch.</para></listitem> | |
482 | </varlistentry> | |
483 | ||
484 | <varlistentry> | |
485 | <term><varname>VirtualEthernet=</varname></term> | |
486 | ||
b09c0bba LP |
487 | <listitem><para>Takes a boolean argument. Configures whether to create a virtual Ethernet connection |
488 | (<literal>veth</literal>) between host and the container. This setting implies | |
489 | <varname>Private=yes</varname>. This setting corresponds to the <option>--network-veth</option> command line | |
490 | switch. This option is privileged (see above). This option is the default if the | |
491 | <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem> | |
f757855e LP |
492 | </varlistentry> |
493 | ||
f6d6bad1 LP |
494 | <varlistentry> |
495 | <term><varname>VirtualEthernetExtra=</varname></term> | |
496 | ||
497 | <listitem><para>Takes a colon-separated pair of interface | |
498 | names. Configures an additional virtual Ethernet connection | |
499 | (<literal>veth</literal>) between host and the container. The | |
500 | first specified name is the interface name on the host, the | |
501 | second the interface name in the container. The latter may be | |
502 | omitted in which case it is set to the same name as the host | |
503 | side interface. This setting implies | |
504 | <varname>Private=yes</varname>. This setting corresponds to | |
505 | the <option>--network-veth-extra=</option> command line | |
506 | switch, and maybe be used multiple times. It is independent of | |
507 | <varname>VirtualEthernet=</varname>. This option is privileged | |
508 | (see above).</para></listitem> | |
509 | </varlistentry> | |
510 | ||
f757855e LP |
511 | <varlistentry> |
512 | <term><varname>Interface=</varname></term> | |
513 | ||
b938cb90 | 514 | <listitem><para>Takes a space-separated list of interfaces to |
f757855e LP |
515 | add to the container. This option corresponds to the |
516 | <option>--network-interface=</option> command line switch and | |
517 | implies <varname>Private=yes</varname>. This option is | |
518 | privileged (see above).</para></listitem> | |
519 | </varlistentry> | |
520 | ||
521 | <varlistentry> | |
522 | <term><varname>MACVLAN=</varname></term> | |
523 | <term><varname>IPVLAN=</varname></term> | |
524 | ||
b938cb90 | 525 | <listitem><para>Takes a space-separated list of interfaces to |
f757855e LP |
526 | add MACLVAN or IPVLAN interfaces to, which are then added to |
527 | the container. These options correspond to the | |
528 | <option>--network-macvlan=</option> and | |
529 | <option>--network-ipvlan=</option> command line switches and | |
530 | imply <varname>Private=yes</varname>. These options are | |
531 | privileged (see above).</para></listitem> | |
532 | </varlistentry> | |
533 | ||
534 | <varlistentry> | |
535 | <term><varname>Bridge=</varname></term> | |
536 | ||
537 | <listitem><para>Takes an interface name. This setting implies | |
538 | <varname>VirtualEthernet=yes</varname> and | |
539 | <varname>Private=yes</varname> and has the effect that the | |
540 | host side of the created virtual Ethernet link is connected to | |
541 | the specified bridge interface. This option corresponds to the | |
542 | <option>--network-bridge=</option> command line switch. This | |
543 | option is privileged (see above).</para></listitem> | |
544 | </varlistentry> | |
545 | ||
938d2579 LP |
546 | <varlistentry> |
547 | <term><varname>Zone=</varname></term> | |
548 | ||
549 | <listitem><para>Takes a network zone name. This setting implies <varname>VirtualEthernet=yes</varname> and | |
550 | <varname>Private=yes</varname> and has the effect that the host side of the created virtual Ethernet link is | |
551 | connected to an automatically managed bridge interface named after the passed argument, prefixed with | |
552 | <literal>vz-</literal>. This option corresponds to the <option>--network-zone=</option> command line | |
553 | switch. This option is privileged (see above).</para></listitem> | |
554 | </varlistentry> | |
555 | ||
f757855e LP |
556 | <varlistentry> |
557 | <term><varname>Port=</varname></term> | |
558 | ||
559 | <listitem><para>Exposes a TCP or UDP port of the container on | |
560 | the host. This option corresponds to the | |
561 | <option>--port=</option> command line switch, see | |
562 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> | |
563 | for the precise syntax of the argument this option takes. This | |
564 | option is privileged (see above).</para></listitem> | |
565 | </varlistentry> | |
566 | </variablelist> | |
567 | </refsect1> | |
568 | ||
569 | <refsect1> | |
570 | <title>See Also</title> | |
571 | <para> | |
572 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
573 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
574 | <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry> | |
575 | </para> | |
576 | </refsect1> | |
577 | ||
578 | </refentry> |