<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>
<!-- SPDX-License-Identifier: LGPL-2.1+ -->

<refentry id="systemd.nspawn">

  <refentryinfo>
    <title>systemd.nspawn</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.nspawn</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.nspawn</refname>
    <refpurpose>Container settings</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
    <para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
    <para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>An nspawn container settings file (suffix
    <filename>.nspawn</filename>) encodes additional runtime
    information about a local container, and is searched, read and
    used by
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    when starting a container. Files of this type are named after the
    containers they define settings for. They are optional, and only
    required for containers whose execution environment shall differ
    from the defaults. Files of this type mostly contain settings that
    may also be set on the <command>systemd-nspawn</command> command
    line, and make it easier to persistently attach specific settings
    to specific containers. The syntax of these files is inspired by
    <filename>.desktop</filename> files following the <ulink
    url="http://standards.freedesktop.org/desktop-entry-spec/latest/">XDG
    Desktop Entry Specification</ulink>, which in turn are inspired by
    Microsoft Windows <filename>.ini</filename> files.</para>

    <para>Boolean arguments used in these settings files can be
    written in various formats. For positive settings, the strings
    <option>1</option>, <option>yes</option>, <option>true</option>
    and <option>on</option> are equivalent. For negative settings, the
    strings <option>0</option>, <option>no</option>,
    <option>false</option> and <option>off</option> are
    equivalent.</para>

    <para>Empty lines and lines starting with # or ; are
    ignored. This may be used for commenting. Lines ending
    in a backslash are concatenated with the following
    line while reading and the backslash is replaced by a
    space character. This may be used to wrap long lines.</para>

  </refsect1>

  <refsect1>
    <title><filename>.nspawn</filename> File Discovery</title>

    <para>Files are searched by appending the
    <filename>.nspawn</filename> suffix to the machine name of the
    container, as specified with the <option>--machine=</option>
    switch of <command>systemd-nspawn</command>, or derived from the
    directory or image file name. This file is first searched in
    <filename>/etc/systemd/nspawn/</filename> and
    <filename>/run/systemd/nspawn/</filename>. If found in these
    directories, its settings are read and all of them take full effect
    (but are possibly overridden by corresponding command line
    arguments). If not found, the file will then be searched next to
    the image file or in the immediate parent of the root directory of
    the container. If the file is found there, only a subset of the
    settings will take effect however. All settings that possibly
    elevate privileges or grant additional access to resources of the
    host (such as files or directories) are ignored. To which options
    this applies is documented below.</para>

    <para>Persistent settings files created and maintained by the
    administrator (and thus trusted) should be placed in
    <filename>/etc/systemd/nspawn/</filename>, while automatically
    downloaded (and thus potentially untrusted) settings files are
    placed in <filename>/var/lib/machines/</filename> instead (next to
    the container images), where their security impact is limited. In
    order to add privileged settings to <filename>.nspawn</filename>
    files acquired from the image vendor, it is recommended to copy the
    settings files into <filename>/etc/systemd/nspawn/</filename> and
    edit them there, so that the privileged options become
    available. The precise algorithm for how the files are searched and
    interpreted may be configured with
    <command>systemd-nspawn</command>'s <option>--settings=</option>
    switch, see
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    for details.</para>
  </refsect1>

  <refsect1>
    <title>[Exec] Section Options</title>

    <para>Settings files may include an <literal>[Exec]</literal>
    section, which carries various execution parameters:</para>

    <variablelist class='nspawn-directives'>

      <varlistentry>
        <term><varname>Boot=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command>
        will automatically search for an <filename>init</filename> executable and invoke it. In this case, the
        specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the
        <filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the
        <command>systemd-nspawn</command> command line. This option may not be combined with
        <varname>ProcessTwo=yes</varname>. This option is specified by default in the
        <filename>systemd-nspawn@.service</filename> template unit.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Ephemeral=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the container is run with
        a temporary snapshot of its file system that is removed immediately when the container terminates.
        This is equivalent to the <option>--ephemeral</option> command line switch. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ProcessTwo=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as
        PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch
        on the <command>systemd-nspawn</command> command line. This option may not be combined with
        <varname>Boot=yes</varname>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Parameters=</varname></term>

        <listitem><para>Takes a whitespace-separated list of arguments. Single (<literal>'</literal>) and
        double (<literal>"</literal>) quotes may be used around arguments with whitespace. This is either a
        command line, beginning with the binary name to execute, or – if <varname>Boot=</varname> is enabled
        – the list of arguments to pass to the init process. This setting corresponds to the command line
        parameters passed on the <command>systemd-nspawn</command> command line.</para>

        <para>Note: <option>Boot=no</option>, <option>Parameters=a b "c c"</option> is the same as
        <command>systemd-nspawn a b "c c"</command>, and <option>Boot=yes</option>, <option>Parameters=b 'c c'</option>
        is the same as <command>systemd-nspawn --boot b 'c c'</command>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Environment=</varname></term>

        <listitem><para>Takes an environment variable assignment
        consisting of key and value, separated by
        <literal>=</literal>. Sets an environment variable for the
        main process invoked in the container. This setting may be
        used multiple times to set multiple environment variables. It
        corresponds to the <option>--setenv=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>User=</varname></term>

        <listitem><para>Takes a UNIX user name. Specifies the user
        name to invoke the main process of the container as. This user
        must be known in the container's user database. This
        corresponds to the <option>--user=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>WorkingDirectory=</varname></term>

        <listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute
        path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PivotRoot=</varname></term>

        <listitem><para>Selects a directory to pivot to <filename>/</filename> inside the container when starting up.
        Takes a single path, or a pair of two paths separated by a colon. Both paths must be absolute, and are resolved
        in the container's file system namespace. This corresponds to the <option>--pivot-root=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Capability=</varname></term>
        <term><varname>DropCapability=</varname></term>

        <listitem><para>Takes a space-separated list of Linux process
        capabilities (see
        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
        for details). The <varname>Capability=</varname> setting
        specifies additional capabilities to pass on top of the
        default set of capabilities. The
        <varname>DropCapability=</varname> setting specifies
        capabilities to drop from the default set. These settings
        correspond to the <option>--capability=</option> and
        <option>--drop-capability=</option> command line
        switches. Note that <varname>Capability=</varname> is a
        privileged setting, and only takes effect in
        <filename>.nspawn</filename> files in
        <filename>/etc/systemd/nspawn/</filename> and
        <filename>/run/systemd/nspawn/</filename> (see above). On the
        other hand, <varname>DropCapability=</varname> takes effect in
        all cases.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>NoNewPrivileges=</varname></term>

        <listitem><para>Takes a boolean argument that controls the <constant>PR_SET_NO_NEW_PRIVS</constant> flag for
        the container payload. This is equivalent to the
        <option>--no-new-privileges=</option> command line switch. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>KillSignal=</varname></term>

        <listitem><para>Specify the process signal to send to the
        container's PID 1 when nspawn itself receives SIGTERM, in
        order to trigger an orderly shutdown of the container.
        Defaults to SIGRTMIN+3 if <varname>Boot=</varname> is used
        (on systemd-compatible init systems SIGRTMIN+3 triggers an
        orderly shutdown). For a list of valid signals, see
        <citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Personality=</varname></term>

        <listitem><para>Configures the kernel personality for the
        container. This is equivalent to the
        <option>--personality=</option> switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MachineID=</varname></term>

        <listitem><para>Configures the 128-bit machine ID (UUID) to pass to
        the container. This is equivalent to the
        <option>--uuid=</option> command line switch. This option is
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PrivateUsers=</varname></term>

        <listitem><para>Configures support for user namespacing. This is equivalent to the
        <option>--private-users=</option> command line switch, and takes the same options. This option is privileged
        (see above). This option is the default if the <filename>systemd-nspawn@.service</filename> template unit file
        is used.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>NotifyReady=</varname></term>

        <listitem><para>Configures support for notifications from the container's init process. This is equivalent to
        the <option>--notify-ready=</option> command line switch, and takes the same parameters. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>SystemCallFilter=</varname></term>

        <listitem><para>Configures the system call filter applied to containers. This is equivalent to the
        <option>--system-call-filter=</option> command line switch, and takes the same list parameter. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>LimitCPU=</varname></term>
        <term><varname>LimitFSIZE=</varname></term>
        <term><varname>LimitDATA=</varname></term>
        <term><varname>LimitSTACK=</varname></term>
        <term><varname>LimitCORE=</varname></term>
        <term><varname>LimitRSS=</varname></term>
        <term><varname>LimitNOFILE=</varname></term>
        <term><varname>LimitAS=</varname></term>
        <term><varname>LimitNPROC=</varname></term>
        <term><varname>LimitMEMLOCK=</varname></term>
        <term><varname>LimitLOCKS=</varname></term>
        <term><varname>LimitSIGPENDING=</varname></term>
        <term><varname>LimitMSGQUEUE=</varname></term>
        <term><varname>LimitNICE=</varname></term>
        <term><varname>LimitRTPRIO=</varname></term>
        <term><varname>LimitRTTIME=</varname></term>

        <listitem><para>Configures various types of resource limits applied to containers. This is equivalent to the
        <option>--rlimit=</option> command line switch, and takes the same arguments. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>OOMScoreAdjust=</varname></term>

        <listitem><para>Configures the OOM score adjustment value. This is equivalent to the
        <option>--oom-score-adjust=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>CPUAffinity=</varname></term>

        <listitem><para>Configures the CPU affinity. This is equivalent to the <option>--cpu-affinity=</option> command
        line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Hostname=</varname></term>

        <listitem><para>Configures the kernel hostname set for the container. This is equivalent to the
        <option>--hostname=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ResolvConf=</varname></term>

        <listitem><para>Configures how <filename>/etc/resolv.conf</filename> in the container shall be handled. This is
        equivalent to the <option>--resolv-conf=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Timezone=</varname></term>

        <listitem><para>Configures how <filename>/etc/localtime</filename> in the container shall be handled. This is
        equivalent to the <option>--timezone=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>LinkJournal=</varname></term>

        <listitem><para>Configures how to link host and container journal setups. This is equivalent to the
        <option>--link-journal=</option> command line switch, and takes the same parameter. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Files] Section Options</title>

    <para>Settings files may include a <literal>[Files]</literal>
    section, which carries various parameters configuring the file
    system of the container:</para>

    <variablelist class='nspawn-directives'>

      <varlistentry>
        <term><varname>ReadOnly=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If
        specified, the container will be run with a read-only file
        system. This setting corresponds to the
        <option>--read-only</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Volatile=</varname></term>

        <listitem><para>Takes a boolean argument, or the special value
        <literal>state</literal>. This configures whether to run the
        container with volatile state and/or configuration. This
        option is equivalent to <option>--volatile=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options
        supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Bind=</varname></term>
        <term><varname>BindReadOnly=</varname></term>

        <listitem><para>Adds a bind mount from the host into the
        container. Takes a single path, a pair of two paths separated
        by a colon, or a triplet of two paths plus an option string
        separated by colons. This option may be used multiple times to
        configure multiple bind mounts. This option is equivalent to
        the command line switches <option>--bind=</option> and
        <option>--bind-ro=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting
        is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>TemporaryFileSystem=</varname></term>

        <listitem><para>Adds a <literal>tmpfs</literal> mount to the
        container. Takes a path or a pair of path and option string,
        separated by a colon. This option may be used multiple times to
        configure multiple <literal>tmpfs</literal> mounts. This
        option is equivalent to the command line switch
        <option>--tmpfs=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting
        is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Inaccessible=</varname></term>

        <listitem><para>Masks the specified file or directory in the container, by over-mounting it with an empty file
        node of the same type with the most restrictive access mode. Takes a file system path as argument. This option
        may be used multiple times to mask multiple files or directories. This option is equivalent to the command line
        switch <option>--inaccessible=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported. This setting is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Overlay=</varname></term>
        <term><varname>OverlayReadOnly=</varname></term>

        <listitem><para>Adds an overlay mount point. Takes a colon-separated list of paths. This option may be used
        multiple times to configure multiple overlay mounts. This option is equivalent to the command line switches
        <option>--overlay=</option> and <option>--overlay-ro=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported. This setting is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PrivateUsersChown=</varname></term>

        <listitem><para>Configures whether the ownership of the files and directories in the container tree shall be
        adjusted to the UID/GID range used, if necessary and user namespacing is enabled. This is equivalent to the
        <option>--private-users-chown</option> command line switch. This option is privileged (see
        above).</para></listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Network] Section Options</title>

    <para>Settings files may include a <literal>[Network]</literal>
    section, which carries various parameters configuring the network
    connectivity of the container:</para>

    <variablelist class='nspawn-directives'>

      <varlistentry>
        <term><varname>Private=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If
        enabled, the container will run in its own network namespace
        and not share network interfaces and configuration with the
        host. This setting corresponds to the
        <option>--private-network</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>VirtualEthernet=</varname></term>

        <listitem><para>Takes a boolean argument. Configures whether to create a virtual Ethernet connection
        (<literal>veth</literal>) between host and the container. This setting implies
        <varname>Private=yes</varname>. This setting corresponds to the <option>--network-veth</option> command line
        switch. This option is privileged (see above). This option is the default if the
        <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>VirtualEthernetExtra=</varname></term>

        <listitem><para>Takes a colon-separated pair of interface
        names. Configures an additional virtual Ethernet connection
        (<literal>veth</literal>) between host and the container. The
        first specified name is the interface name on the host, the
        second the interface name in the container. The latter may be
        omitted in which case it is set to the same name as the host
        side interface. This setting implies
        <varname>Private=yes</varname>. This setting corresponds to
        the <option>--network-veth-extra=</option> command line
        switch, and may be used multiple times. It is independent of
        <varname>VirtualEthernet=</varname>. This option is privileged
        (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Interface=</varname></term>

        <listitem><para>Takes a space-separated list of interfaces to
        add to the container. This option corresponds to the
        <option>--network-interface=</option> command line switch and
        implies <varname>Private=yes</varname>. This option is
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MACVLAN=</varname></term>
        <term><varname>IPVLAN=</varname></term>

        <listitem><para>Takes a space-separated list of interfaces to
        add MACVLAN or IPVLAN interfaces to, which are then added to
        the container. These options correspond to the
        <option>--network-macvlan=</option> and
        <option>--network-ipvlan=</option> command line switches and
        imply <varname>Private=yes</varname>. These options are
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Bridge=</varname></term>

        <listitem><para>Takes an interface name. This setting implies
        <varname>VirtualEthernet=yes</varname> and
        <varname>Private=yes</varname> and has the effect that the
        host side of the created virtual Ethernet link is connected to
        the specified bridge interface. This option corresponds to the
        <option>--network-bridge=</option> command line switch. This
        option is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Zone=</varname></term>

        <listitem><para>Takes a network zone name. This setting implies <varname>VirtualEthernet=yes</varname> and
        <varname>Private=yes</varname> and has the effect that the host side of the created virtual Ethernet link is
        connected to an automatically managed bridge interface named after the passed argument, prefixed with
        <literal>vz-</literal>. This option corresponds to the <option>--network-zone=</option> command line
        switch. This option is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Port=</varname></term>

        <listitem><para>Exposes a TCP or UDP port of the container on
        the host. This option corresponds to the
        <option>--port=</option> command line switch, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for the precise syntax of the argument this option takes. This
        option is privileged (see above).</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
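As an added example, not part of this manual page or of systemd: the Python script below applies the lexical rules from the Description section (comments, backslash continuation, boolean spellings, quoting in Parameters=) and the File Discovery rule that privileged settings only take effect from /etc/systemd/nspawn/ and /run/systemd/nspawn/. It parses a constructed vendor-style .nspawn file and reports which of the options marked "privileged (see above)" in the [Exec], [Files] and [Network] sections would be ignored when the file sits next to the image in /var/lib/machines/. The PRIVILEGED table is compiled by hand from this page and the sample file is invented; neither comes from systemd.

```python
# Added example (not systemd's code): audit which settings in a .nspawn file
# take effect, applying the lexical rules and the File Discovery rule above.
import shlex

TRUSTED_DIRS = ("/etc/systemd/nspawn/", "/run/systemd/nspawn/")  # all settings apply
# Settings this page marks "privileged (see above)"; assumption: compiled by
# hand from the option descriptions, not exported by systemd itself.
PRIVILEGED = {
    "Exec": {"Capability", "MachineID", "PrivateUsers"},
    "Files": {"Bind", "BindReadOnly", "TemporaryFileSystem", "Inaccessible",
              "Overlay", "OverlayReadOnly", "PrivateUsersChown"},
    "Network": {"VirtualEthernet", "VirtualEthernetExtra", "Interface", "MACVLAN",
                "IPVLAN", "Bridge", "Zone", "Port"},
}

BOOL_WORDS = {"1": True, "yes": True, "true": True, "on": True,
              "0": False, "no": False, "false": False, "off": False}

def parse_bool(value):
    # Raises KeyError on anything but the spellings the page lists.
    return BOOL_WORDS[value.strip().lower()]

def logical_lines(text):
    # Join backslash-continued lines (backslash -> space); drop empty and #/; lines.
    lines, pending = [], ""
    for raw in text.splitlines():
        joined = pending + raw
        if joined.endswith("\\"):
            pending = joined[:-1] + " "
            continue
        pending = ""
        stripped = joined.strip()
        if stripped and stripped[0] not in "#;":
            lines.append(stripped)
    return lines

def parse_nspawn(text):
    # Returns (section, key, value) triples in file order; keys may repeat.
    section, entries = None, []
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or section is None:
            raise ValueError(f"malformed line: {line!r}")
        entries.append((section, key.strip(), value.strip()))
    return entries

def split_parameters(value):
    # Parameters= allows single and double quotes around arguments with spaces.
    return shlex.split(value)

def effective_settings(entries, path):
    # Only files found in TRUSTED_DIRS may apply privileged settings; found
    # elsewhere (e.g. /var/lib/machines/) systemd-nspawn ignores them.
    trusted = path.startswith(TRUSTED_DIRS)
    applied, ignored = [], []
    for section, key, value in entries:
        dropped = not trusted and key in PRIVILEGED.get(section, ())
        (ignored if dropped else applied).append((section, key, value))
    return applied, ignored

# Constructed sample of a vendor-shipped settings file; not from a real image.
SAMPLE = """\
# shipped next to the image by the vendor
[Exec]
Boot=yes
DropCapability=CAP_SYS_ADMIN \\
               CAP_NET_ADMIN
Capability=CAP_SYS_PTRACE
NoNewPrivileges=true
Parameters=a b "c c"
PrivateUsers=yes
[Files]
Bind=/srv/data:/data
[Network]
Private=yes
Port=tcp:8080:80
"""

if __name__ == "__main__":  # show what is dropped when the file stays next to the image
    for entry in effective_settings(parse_nspawn(SAMPLE), "/var/lib/machines/demo.nspawn")[1]:
        print("ignored next to the image:", entry)
```

Copying the same file into /etc/systemd/nspawn/ makes every entry take effect, which is exactly why the page recommends reviewing vendor files before doing so.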

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>