]> git.ipfire.org Git - thirdparty/systemd.git/blob - man/machinectl.xml
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
final v236 update (#7649)
[thirdparty/systemd.git] / man / machinectl.xml
1 <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4
5 <!--
6 SPDX-License-Identifier: LGPL-2.1+
7
8 This file is part of systemd.
9
10 Copyright 2013 Zbigniew Jędrzejewski-Szmek
11
12 systemd is free software; you can redistribute it and/or modify it
13 under the terms of the GNU Lesser General Public License as published by
14 the Free Software Foundation; either version 2.1 of the License, or
15 (at your option) any later version.
16
17 systemd is distributed in the hope that it will be useful, but
18 WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 Lesser General Public License for more details.
21
22 You should have received a copy of the GNU Lesser General Public License
23 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 -->
25
26 <refentry id="machinectl" conditional='ENABLE_MACHINED'
27 xmlns:xi="http://www.w3.org/2001/XInclude">
28
29 <refentryinfo>
30 <title>machinectl</title>
31 <productname>systemd</productname>
32
33 <authorgroup>
34 <author>
35 <contrib>Developer</contrib>
36 <firstname>Lennart</firstname>
37 <surname>Poettering</surname>
38 <email>lennart@poettering.net</email>
39 </author>
40 </authorgroup>
41 </refentryinfo>
42
43 <refmeta>
44 <refentrytitle>machinectl</refentrytitle>
45 <manvolnum>1</manvolnum>
46 </refmeta>
47
48 <refnamediv>
49 <refname>machinectl</refname>
50 <refpurpose>Control the systemd machine manager</refpurpose>
51 </refnamediv>
52
53 <refsynopsisdiv>
54 <cmdsynopsis>
55 <command>machinectl</command>
56 <arg choice="opt" rep="repeat">OPTIONS</arg>
57 <arg choice="req">COMMAND</arg>
58 <arg choice="opt" rep="repeat">NAME</arg>
59 </cmdsynopsis>
60 </refsynopsisdiv>
61
62 <refsect1>
63 <title>Description</title>
64
65 <para><command>machinectl</command> may be used to introspect and
66 control the state of the
67 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
68 virtual machine and container registration manager
69 <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
70
71 <para><command>machinectl</command> may be used to execute
72 operations on machines and images. Machines in this sense are
73 considered running instances of:</para>
74
75 <itemizedlist>
76 <listitem><para>Virtual Machines (VMs) that virtualize hardware
77 to run full operating system (OS) instances (including their kernels)
78 in a virtualized environment on top of the host OS.</para></listitem>
79
80 <listitem><para>Containers that share the hardware and
81 OS kernel with the host OS, in order to run
82 OS userspace instances on top the host OS.</para></listitem>
83
84 <listitem><para>The host system itself.</para></listitem>
85 </itemizedlist>
86
87 <para>Machines are identified by names that follow the same rules
88 as UNIX and DNS host names. For details, see below.</para>
89
90 <para>Machines are instantiated from disk or file system images that
91 frequently — but not necessarily — carry the same name as machines running
92 from them. Images in this sense may be:</para>
93
94 <itemizedlist>
95 <listitem><para>Directory trees containing an OS, including the
96 top-level directories <filename>/usr</filename>,
97 <filename>/etc</filename>, and so on.</para></listitem>
98
99 <listitem><para>btrfs subvolumes containing OS trees, similar to
100 normal directory trees.</para></listitem>
101
102 <listitem><para>Binary "raw" disk images containing MBR or GPT
103 partition tables and Linux file system partitions.</para></listitem>
104
105 <listitem><para>The file system tree of the host OS itself.</para></listitem>
106 </itemizedlist>
107
108 </refsect1>
109
110 <refsect1>
111 <title>Options</title>
112
113 <para>The following options are understood:</para>
114
115 <variablelist>
116 <varlistentry>
117 <term><option>-p</option></term>
118 <term><option>--property=</option></term>
119
120 <listitem><para>When showing machine or image properties,
121 limit the output to certain properties as specified by the
122 argument. If not specified, all set properties are shown. The
123 argument should be a property name, such as
124 <literal>Name</literal>. If specified more than once, all
125 properties with the specified names are
126 shown.</para></listitem>
127 </varlistentry>
128
129 <varlistentry>
130 <term><option>-a</option></term>
131 <term><option>--all</option></term>
132
133 <listitem><para>When showing machine or image properties, show
134 all properties regardless of whether they are set or
135 not.</para>
136
137 <para>When listing VM or container images, do not suppress
138 images beginning in a dot character
139 (<literal>.</literal>).</para>
140
141 <para>When cleaning VM or container images, remove all images, not just hidden ones.</para></listitem>
142 </varlistentry>
143
144 <varlistentry>
145 <term><option>--value</option></term>
146
147 <listitem><para>When printing properties with <command>show</command>, only print the value,
148 and skip the property name and <literal>=</literal>.</para></listitem>
149 </varlistentry>
150
151 <varlistentry>
152 <term><option>-l</option></term>
153 <term><option>--full</option></term>
154
155 <listitem><para>Do not ellipsize process tree entries.</para>
156 </listitem>
157 </varlistentry>
158
159 <varlistentry>
160 <term><option>--no-ask-password</option></term>
161
162 <listitem><para>Do not query the user for authentication for
163 privileged operations.</para></listitem>
164 </varlistentry>
165
166 <varlistentry>
167 <term><option>--kill-who=</option></term>
168
169 <listitem><para>When used with <command>kill</command>, choose
170 which processes to kill. Must be one of
171 <option>leader</option>, or <option>all</option> to select
172 whether to kill only the leader process of the machine or all
173 processes of the machine. If omitted, defaults to
174 <option>all</option>.</para></listitem>
175 </varlistentry>
176
177 <varlistentry>
178 <term><option>-s</option></term>
179 <term><option>--signal=</option></term>
180
181 <listitem><para>When used with <command>kill</command>, choose
182 which signal to send to selected processes. Must be one of the
183 well-known signal specifiers, such as
184 <constant>SIGTERM</constant>, <constant>SIGINT</constant> or
185 <constant>SIGSTOP</constant>. If omitted, defaults to
186 <constant>SIGTERM</constant>.</para></listitem>
187 </varlistentry>
188
189 <varlistentry>
190 <term><option>--uid=</option></term>
191
192 <listitem><para>When used with the <command>shell</command> command, chooses the user ID to
193 open the interactive shell session as. If the argument to the <command>shell</command>
194 command also specifies a user name, this option is ignored. If the name is not specified
195 in either way, <literal>root</literal> will be used by default. Note that this switch is
196 not supported for the <command>login</command> command (see below).</para></listitem>
197 </varlistentry>
198
199 <varlistentry>
200 <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term>
201 <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term>
202
203 <listitem><para>When used with the <command>shell</command> command, sets an environment
204 variable to pass to the executed shell. Takes an environment variable name and value,
205 separated by <literal>=</literal>. This switch may be used multiple times to set multiple
206 environment variables. Note that this switch is not supported for the
207 <command>login</command> command (see below).</para></listitem>
208 </varlistentry>
209
210 <varlistentry>
211 <term><option>--mkdir</option></term>
212
213 <listitem><para>When used with <command>bind</command>, creates the destination file or directory before
214 applying the bind mount. Note that even though the name of this option suggests that it is suitable only for
215 directories, this option also creates the destination file node to mount over if the the object to mount is not
216 a directory, but a regular file, device node, socket or FIFO.</para></listitem>
217 </varlistentry>
218
219 <varlistentry>
220 <term><option>--read-only</option></term>
221
222 <listitem><para>When used with <command>bind</command>, creates a read-only bind mount.</para>
223
224 <para>When used with <command>clone</command>, <command>import-raw</command> or <command>import-tar</command> a
225 read-only container or VM image is created.</para></listitem>
226 </varlistentry>
227
228 <varlistentry>
229 <term><option>-n</option></term>
230 <term><option>--lines=</option></term>
231
232 <listitem><para>When used with <command>status</command>,
233 controls the number of journal lines to show, counting from
234 the most recent ones. Takes a positive integer argument.
235 Defaults to 10.</para>
236 </listitem>
237 </varlistentry>
238
239 <varlistentry>
240 <term><option>-o</option></term>
241 <term><option>--output=</option></term>
242
243 <listitem><para>When used with <command>status</command>,
244 controls the formatting of the journal entries that are shown.
245 For the available choices, see
246 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
247 Defaults to <literal>short</literal>.</para></listitem>
248 </varlistentry>
249
250 <varlistentry>
251 <term><option>--verify=</option></term>
252
253 <listitem><para>When downloading a container or VM image,
254 specify whether the image shall be verified before it is made
255 available. Takes one of <literal>no</literal>,
256 <literal>checksum</literal> and <literal>signature</literal>.
257 If <literal>no</literal>, no verification is done. If
258 <literal>checksum</literal> is specified, the download is
259 checked for integrity after the transfer is complete, but no
260 signatures are verified. If <literal>signature</literal> is
261 specified, the checksum is verified and the image's signature
262 is checked against a local keyring of trustable vendors. It is
263 strongly recommended to set this option to
264 <literal>signature</literal> if the server and protocol
265 support this. Defaults to
266 <literal>signature</literal>.</para></listitem>
267 </varlistentry>
268
269 <varlistentry>
270 <term><option>--force</option></term>
271
272 <listitem><para>When downloading a container or VM image, and
273 a local copy by the specified local machine name already
274 exists, delete it first and replace it by the newly downloaded
275 image.</para></listitem>
276 </varlistentry>
277
278 <varlistentry>
279 <term><option>--format=</option></term>
280
281 <listitem><para>When used with the <option>export-tar</option>
282 or <option>export-raw</option> commands, specifies the
283 compression format to use for the resulting file. Takes one of
284 <literal>uncompressed</literal>, <literal>xz</literal>,
285 <literal>gzip</literal>, <literal>bzip2</literal>. By default,
286 the format is determined automatically from the image file
287 name passed.</para></listitem>
288 </varlistentry>
289
290 <varlistentry>
291 <term><option>--max-addresses=</option></term>
292
293 <listitem><para>When used with the <option>list-machines</option>
294 command, limits the number of ip addresses output for every machine.
295 Defaults to 1. All addresses can be requested with <literal>all</literal>
296 as argument to <option>--max-addresses</option> . If the argument to
297 <option>--max-addresses</option> is less than the actual number
298 of addresses, <literal>...</literal>follows the last address.
299 If multiple addresses are to be written for a given machine, every
300 address except the first one is on a new line and is followed by
301 <literal>,</literal> if another address will be output afterwards. </para></listitem>
302 </varlistentry>
303
304 <varlistentry>
305 <term><option>-q</option></term>
306 <term><option>--quiet</option></term>
307
308 <listitem><para>Suppresses additional informational output while running.</para></listitem>
309 </varlistentry>
310
311 <xi:include href="user-system-options.xml" xpointer="host" />
312
313 <varlistentry>
314 <term><option>-M</option></term>
315 <term><option>--machine=</option></term>
316
317 <listitem><para>Connect to
318 <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
319 running in a local container, to perform the specified operation within
320 the container.</para></listitem>
321 </varlistentry>
322
323 <xi:include href="standard-options.xml" xpointer="no-pager" />
324 <xi:include href="standard-options.xml" xpointer="no-legend" />
325 <xi:include href="standard-options.xml" xpointer="help" />
326 <xi:include href="standard-options.xml" xpointer="version" />
327 </variablelist>
328 </refsect1>
329
330 <refsect1>
331 <title>Commands</title>
332
333 <para>The following commands are understood:</para>
334
335 <refsect2><title>Machine Commands</title><variablelist>
336
337 <varlistentry>
338 <term><command>list</command></term>
339
340 <listitem><para>List currently running (online) virtual
341 machines and containers. To enumerate machine images that can
342 be started, use <command>list-images</command> (see
343 below). Note that this command hides the special
344 <literal>.host</literal> machine by default. Use the
345 <option>--all</option> switch to show it.</para></listitem>
346 </varlistentry>
347
348 <varlistentry>
349 <term><command>status</command> <replaceable>NAME</replaceable></term>
350
351 <listitem><para>Show runtime status information about
352 one or more virtual machines and containers, followed by the
353 most recent log data from the journal. This function is
354 intended to generate human-readable output. If you are looking
355 for computer-parsable output, use <command>show</command>
356 instead. Note that the log data shown is reported by the
357 virtual machine or container manager, and frequently contains
358 console output of the machine, but not necessarily journal
359 contents of the machine itself.</para></listitem>
360 </varlistentry>
361
362 <varlistentry>
363 <term><command>show</command> [<replaceable>NAME</replaceable>…]</term>
364
365 <listitem><para>Show properties of one or more registered virtual machines or containers or the manager
366 itself. If no argument is specified, properties of the manager will be shown. If a NAME is specified,
367 properties of this virtual machine or container are shown. By default, empty properties are suppressed. Use
368 <option>--all</option> to show those too. To select specific properties to show, use
369 <option>--property=</option>. This command is intended to be used whenever computer-parsable output is
370 required, and does not print the control group tree or journal entries. Use <command>status</command> if you
371 are looking for formatted human-readable output.</para></listitem>
372 </varlistentry>
373
374 <varlistentry>
375 <term><command>start</command> <replaceable>NAME</replaceable></term>
376
377 <listitem><para>Start a container as a system service, using
378 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
379 This starts <filename>systemd-nspawn@.service</filename>,
380 instantiated for the specified machine name, similar to the
381 effect of <command>systemctl start</command> on the service
382 name. <command>systemd-nspawn</command> looks for a container
383 image by the specified name in
384 <filename>/var/lib/machines/</filename> (and other search
385 paths, see below) and runs it. Use
386 <command>list-images</command> (see below) for listing
387 available container images to start.</para>
388
389 <para>Note that
390 <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
391 also interfaces with a variety of other container and VM
392 managers, <command>systemd-nspawn</command> is just one
393 implementation of it. Most of the commands available in
394 <command>machinectl</command> may be used on containers or VMs
395 controlled by other managers, not just
396 <command>systemd-nspawn</command>. Starting VMs and container
397 images on those managers requires manager-specific
398 tools.</para>
399
400 <para>To interactively start a container on the command line
401 with full access to the container's console, please invoke
402 <command>systemd-nspawn</command> directly. To stop a running
403 container use <command>machinectl poweroff</command>.</para></listitem>
404 </varlistentry>
405
406 <varlistentry>
407 <term><command>login</command> [<replaceable>NAME</replaceable>]</term>
408
409 <listitem><para>Open an interactive terminal login session in
410 a container or on the local host. If an argument is supplied,
411 it refers to the container machine to connect to. If none is
412 specified, or the container name is specified as the empty
413 string, or the special machine name <literal>.host</literal>
414 (see below) is specified, the connection is made to the local
415 host instead. This will create a TTY connection to a specific
416 container or the local host and asks for the execution of a
417 getty on it. Note that this is only supported for containers
418 running
419 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
420 as init system.</para>
421
422 <para>This command will open a full login prompt on the
423 container or the local host, which then asks for username and
424 password. Use <command>shell</command> (see below) or
425 <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
426 with the <option>--machine=</option> switch to directly invoke
427 a single command, either interactively or in the
428 background.</para></listitem>
429 </varlistentry>
430
431 <varlistentry>
432 <term><command>shell</command> [[<replaceable>NAME</replaceable>@]<replaceable>NAME</replaceable> [<replaceable>PATH</replaceable> [<replaceable>ARGUMENTS</replaceable>…]]] </term>
433
434 <listitem><para>Open an interactive shell session in a
435 container or on the local host. The first argument refers to
436 the container machine to connect to. If none is specified, or
437 the machine name is specified as the empty string, or the
438 special machine name <literal>.host</literal> (see below) is
439 specified, the connection is made to the local host
440 instead. This works similar to <command>login</command> but
441 immediately invokes a user process. This command runs the
442 specified executable with the specified arguments, or
443 <filename>/bin/sh</filename> if none is specified. By default,
444 opens a <literal>root</literal> shell, but by using
445 <option>--uid=</option>, or by prefixing the machine name with
446 a username and an <literal>@</literal> character, a different
447 user may be selected. Use <option>--setenv=</option> to set
448 environment variables for the executed process.</para>
449
450 <para>Note that <command>machinectl shell</command> does not propagate the exit code/status of the invoked
451 shell process. Use <command>systemd-run</command> instead if that information is required (see below).</para>
452
453 <para>When using the <command>shell</command> command without
454 arguments, (thus invoking the executed shell or command on the
455 local host), it is in many ways similar to a <citerefentry
456 project='die-net'><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>
457 session, but, unlike <command>su</command>, completely isolates
458 the new session from the originating session, so that it
459 shares no process or session properties, and is in a clean and
460 well-defined state. It will be tracked in a new utmp, login,
461 audit, security and keyring session, and will not inherit any
462 environment variables or resource limits, among other
463 properties.</para>
464
465 <para>Note that <citerefentry><refentrytitle>systemd-run</refentrytitle><manvolnum>1</manvolnum></citerefentry>
466 with its <option>--machine=</option> switch may be used in place of the <command>machinectl shell</command>
467 command, and allows non-interactive operation, more detailed and low-level configuration of the invoked unit,
468 as well as access to runtime and exit code/status information of the invoked shell process. In particular, use
469 <command>systemd-run</command>'s <option>--wait</option> switch to propagate exit status information of the
470 invoked process. Use <command>systemd-run</command>'s <option>--pty</option> switch for acquiring an
471 interactive shell, similar to <command>machinectl shell</command>. In general, <command>systemd-run</command>
472 is preferable for scripting purposes. However, note that <command>systemd-run</command> might require higher
473 privileges than <command>machinectl shell</command>.</para></listitem>
474 </varlistentry>
475
476 <varlistentry>
477 <term><command>enable</command> <replaceable>NAME</replaceable></term>
478 <term><command>disable</command> <replaceable>NAME</replaceable></term>
479
480 <listitem><para>Enable or disable a container as a system
481 service to start at system boot, using
482 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
483 This enables or disables
484 <filename>systemd-nspawn@.service</filename>, instantiated for
485 the specified machine name, similar to the effect of
486 <command>systemctl enable</command> or <command>systemctl
487 disable</command> on the service name.</para></listitem>
488 </varlistentry>
489
490 <varlistentry>
491 <term><command>poweroff</command> <replaceable>NAME</replaceable></term>
492
493 <listitem><para>Power off one or more containers. This will
494 trigger a reboot by sending SIGRTMIN+4 to the container's init
495 process, which causes systemd-compatible init systems to shut
496 down cleanly. Use <command>stop</command> as alias for <command>poweroff</command>.
497 This operation does not work on containers that do not run a
498 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>-compatible
499 init system, such as sysvinit. Use
500 <command>terminate</command> (see below) to immediately
501 terminate a container or VM, without cleanly shutting it
502 down.</para></listitem>
503 </varlistentry>
504
505 <varlistentry>
506 <term><command>reboot</command> <replaceable>NAME</replaceable></term>
507
508 <listitem><para>Reboot one or more containers. This will
509 trigger a reboot by sending SIGINT to the container's init
510 process, which is roughly equivalent to pressing Ctrl+Alt+Del
511 on a non-containerized system, and is compatible with
512 containers running any system manager.</para></listitem>
513 </varlistentry>
514
515 <varlistentry>
516 <term><command>terminate</command> <replaceable>NAME</replaceable></term>
517
518 <listitem><para>Immediately terminates a virtual machine or
519 container, without cleanly shutting it down. This kills all
520 processes of the virtual machine or container and deallocates
521 all resources attached to that instance. Use
522 <command>poweroff</command> to issue a clean shutdown
523 request.</para></listitem>
524 </varlistentry>
525
526 <varlistentry>
527 <term><command>kill</command> <replaceable>NAME</replaceable></term>
528
529 <listitem><para>Send a signal to one or more processes of the
530 virtual machine or container. This means processes as seen by
531 the host, not the processes inside the virtual machine or
532 container. Use <option>--kill-who=</option> to select which
533 process to kill. Use <option>--signal=</option> to select the
534 signal to send.</para></listitem>
535 </varlistentry>
536
537 <varlistentry>
538 <term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
539
540 <listitem><para>Bind mounts a file or directory from the host into the specified container. The first path
541 argument is the source file or directory on the host, the second path argument is the destination file or
542 directory in the container. When the latter is omitted, the destination path in the container is the same as
543 the source path on the host. When combined with the <option>--read-only</option> switch, a ready-only bind
544 mount is created. When combined with the <option>--mkdir</option> switch, the destination path is first created
545 before the mount is applied. Note that this option is currently only supported for
546 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers,
547 and only if user namespacing (<option>--private-users</option>) is not used. This command supports bind
548 mounting directories, regular files, device nodes, <constant>AF_UNIX</constant> socket nodes, as well as
549 FIFOs.</para></listitem>
550 </varlistentry>
551
552 <varlistentry>
553 <term><command>copy-to</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
554
555 <listitem><para>Copies files or directories from the host
556 system into a running container. Takes a container name,
557 followed by the source path on the host and the destination
558 path in the container. If the destination path is omitted, the
559 same as the source path is used.</para>
560
561 <para>If host and container share the same user and group namespace, file ownership by numeric user ID and
562 group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root
563 user and group (UID/GID 0).</para></listitem>
564 </varlistentry>
565
566 <varlistentry>
567 <term><command>copy-from</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
568
569 <listitem><para>Copies files or directories from a container
570 into the host system. Takes a container name, followed by the
571 source path in the container the destination path on the host.
572 If the destination path is omitted, the same as the source path
573 is used.</para>
574
575 <para>If host and container share the same user and group namespace, file ownership by numeric user ID and
576 group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root
577 user and group (UID/GID 0).</para></listitem>
578 </varlistentry>
579 </variablelist></refsect2>
580
581 <refsect2><title>Image Commands</title><variablelist>
582
583 <varlistentry>
584 <term><command>list-images</command></term>
585
586 <listitem><para>Show a list of locally installed container and
587 VM images. This enumerates all raw disk images and container
588 directories and subvolumes in
589 <filename>/var/lib/machines/</filename> (and other search
590 paths, see below). Use <command>start</command> (see above) to
591 run a container off one of the listed images. Note that, by
592 default, containers whose name begins with a dot
593 (<literal>.</literal>) are not shown. To show these too,
594 specify <option>--all</option>. Note that a special image
595 <literal>.host</literal> always implicitly exists and refers
596 to the image the host itself is booted from.</para></listitem>
597 </varlistentry>
598
599 <varlistentry>
600 <term><command>image-status</command> [<replaceable>NAME</replaceable>…]</term>
601
602 <listitem><para>Show terse status information about one or
603 more container or VM images. This function is intended to
604 generate human-readable output. Use
605 <command>show-image</command> (see below) to generate
606 computer-parsable output instead.</para></listitem>
607 </varlistentry>
608
609 <varlistentry>
610 <term><command>show-image</command> [<replaceable>NAME</replaceable>…]</term>
611
612 <listitem><para>Show properties of one or more registered
613 virtual machine or container images, or the manager itself. If
614 no argument is specified, properties of the manager will be
615 shown. If a NAME is specified, properties of this virtual
616 machine or container image are shown. By default, empty
617 properties are suppressed. Use <option>--all</option> to show
618 those too. To select specific properties to show, use
619 <option>--property=</option>. This command is intended to be
620 used whenever computer-parsable output is required. Use
621 <command>image-status</command> if you are looking for
622 formatted human-readable output.</para></listitem>
623 </varlistentry>
624
625 <varlistentry>
626 <term><command>clone</command> <replaceable>NAME</replaceable> <replaceable>NAME</replaceable></term>
627
628 <listitem><para>Clones a container or VM image. The arguments specify the name of the image to clone and the
629 name of the newly cloned image. Note that plain directory container images are cloned into btrfs subvolume
630 images with this command, if the underlying file system supports this. Note that cloning a container or VM
631 image is optimized for file systems that support copy-on-write, and might not be efficient on others, due to
632 file system limitations.</para>
633
634 <para>Note that this command leaves host name, machine ID and
635 all other settings that could identify the instance
636 unmodified. The original image and the cloned copy will hence
637 share these credentials, and it might be necessary to manually
638 change them in the copy.</para>
639
640 <para>If combined with the <option>--read-only</option> switch a read-only cloned image is
641 created.</para></listitem>
642 </varlistentry>
643
644 <varlistentry>
645 <term><command>rename</command> <replaceable>NAME</replaceable> <replaceable>NAME</replaceable></term>
646
647 <listitem><para>Renames a container or VM image. The
648 arguments specify the name of the image to rename and the new
649 name of the image.</para></listitem>
650 </varlistentry>
651
652 <varlistentry>
653 <term><command>read-only</command> <replaceable>NAME</replaceable> [<replaceable>BOOL</replaceable>]</term>
654
655 <listitem><para>Marks or (unmarks) a container or VM image
656 read-only. Takes a VM or container image name, followed by a
657 boolean as arguments. If the boolean is omitted, positive is
658 implied, i.e. the image is marked read-only.</para></listitem>
659 </varlistentry>
660
661 <varlistentry>
662 <term><command>remove</command> <replaceable>NAME</replaceable></term>
663
664 <listitem><para>Removes one or more container or VM images.
665 The special image <literal>.host</literal>, which refers to
666 the host's own directory tree, may not be
667 removed.</para></listitem>
668 </varlistentry>
669
670 <varlistentry>
671 <term><command>set-limit</command> [<replaceable>NAME</replaceable>] <replaceable>BYTES</replaceable></term>
672
673 <listitem><para>Sets the maximum size in bytes that a specific
674 container or VM image, or all images, may grow up to on disk
675 (disk quota). Takes either one or two parameters. The first,
676 optional parameter refers to a container or VM image name. If
677 specified, the size limit of the specified image is changed. If
678 omitted, the overall size limit of the sum of all images stored
679 locally is changed. The final argument specifies the size
680 limit in bytes, possibly suffixed by the usual K, M, G, T
681 units. If the size limit shall be disabled, specify
682 <literal>-</literal> as size.</para>
683
684 <para>Note that per-container size limits are only supported
685 on btrfs file systems. Also note that, if
686 <command>set-limit</command> is invoked without an image
687 parameter, and <filename>/var/lib/machines</filename> is
688 empty, and the directory is not located on btrfs, a btrfs
689 loopback file is implicitly created as
690 <filename>/var/lib/machines.raw</filename> with the given
691 size, and mounted to
692 <filename>/var/lib/machines</filename>. The size of the
693 loopback may later be readjusted with
694 <command>set-limit</command>, as well. If such a
695 loopback-mounted <filename>/var/lib/machines</filename>
696 directory is used, <command>set-limit</command> without an image
697 name alters both the quota setting within the file system as
698 well as the loopback file and file system size
699 itself.</para></listitem>
700 </varlistentry>
701
702 <varlistentry>
703 <term><command>clean</command></term>
704
705 <listitem><para>Remove hidden VM or container images (or all). This command removes all hidden machine images
706 from <filename>/var/lib/machines</filename>, i.e. those whose name begins with a dot. Use <command>machinectl
707 list-images --all</command> to see a list of all machine images, including the hidden ones.</para>
708
709 <para>When combined with the <option>--all</option> switch removes all images, not just hidden ones. This
710 command effectively empties <filename>/var/lib/machines</filename>.</para>
711
712 <para>Note that commands such as <command>machinectl pull-tar</command> or <command>machinectl
713 pull-raw</command> usually create hidden, read-only, unmodified machine images from the downloaded image first,
714 before cloning a writable working copy of it, in order to avoid duplicate downloads in case of images that are
715 reused multiple times. Use <command>machinectl clean</command> to remove old, hidden images created this
716 way.</para></listitem>
717 </varlistentry>
718
719 </variablelist></refsect2>
720
721 <refsect2><title>Image Transfer Commands</title><variablelist>
722
723 <varlistentry>
724 <term><command>pull-tar</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
725
726 <listitem><para>Downloads a <filename>.tar</filename>
727 container image from the specified URL, and makes it available
728 under the specified local machine name. The URL must be of
729 type <literal>http://</literal> or
730 <literal>https://</literal>, and must refer to a
731 <filename>.tar</filename>, <filename>.tar.gz</filename>,
732 <filename>.tar.xz</filename> or <filename>.tar.bz2</filename>
733 archive file. If the local machine name is omitted, it
734 is automatically derived from the last component of the URL,
735 with its suffix removed.</para>
736
737 <para>The image is verified before it is made available, unless
738 <option>--verify=no</option> is specified.
739 Verification is done either via an inline signed file with the name
740 of the image and the suffix <filename>.sha256</filename> or via
741 separate <filename>SHA256SUMS</filename> and
742 <filename>SHA256SUMS.gpg</filename> files.
743 The signature files need to be made available on the same web
744 server, under the same URL as the <filename>.tar</filename> file.
745 With <option>--verify=checksum</option>, only the SHA256 checksum
746 for the file is verified, based on the <filename>.sha256</filename>
747 suffixed file or the<filename>SHA256SUMS</filename> file.
748 With <option>--verify=signature</option>, the sha checksum file is
749 first verified with the inline signature in the
750 <filename>.sha256</filename> file or the detached GPG signature file
751 <filename>SHA256SUMS.gpg</filename>.
752 The public key for this verification step needs to be available in
753 <filename>/usr/lib/systemd/import-pubring.gpg</filename> or
754 <filename>/etc/systemd/import-pubring.gpg</filename>.</para>
755
756 <para>The container image will be downloaded and stored in a
757 read-only subvolume in
758 <filename>/var/lib/machines/</filename> that is named after
759 the specified URL and its HTTP etag. A writable snapshot is
760 then taken from this subvolume, and named after the specified
761 local name. This behavior ensures that creating multiple
762 container instances of the same URL is efficient, as multiple
763 downloads are not necessary. In order to create only the
764 read-only image, and avoid creating its writable snapshot,
765 specify <literal>-</literal> as local machine name.</para>
766
767 <para>Note that the read-only subvolume is prefixed with
768 <filename>.tar-</filename>, and is thus not shown by
769 <command>list-images</command>, unless <option>--all</option>
770 is passed.</para>
771
772 <para>Note that pressing C-c during execution of this command
773 will not abort the download. Use
774 <command>cancel-transfer</command>, described
775 below.</para></listitem>
776 </varlistentry>
777
778 <varlistentry>
779 <term><command>pull-raw</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
780
781 <listitem><para>Downloads a <filename>.raw</filename>
782 container or VM disk image from the specified URL, and makes
783 it available under the specified local machine name. The URL
784 must be of type <literal>http://</literal> or
785 <literal>https://</literal>. The container image must either
786 be a <filename>.qcow2</filename> or raw disk image, optionally
787 compressed as <filename>.gz</filename>,
788 <filename>.xz</filename>, or <filename>.bz2</filename>. If the
789 local machine name is omitted, it is automatically
790 derived from the last component of the URL, with its suffix
791 removed.</para>
792
793 <para>Image verification is identical for raw and tar images
794 (see above).</para>
795
796 <para>If the downloaded image is in
797 <filename>.qcow2</filename> format it is converted into a raw
798 image file before it is made available.</para>
799
800 <para>Downloaded images of this type will be placed as
801 read-only <filename>.raw</filename> file in
802 <filename>/var/lib/machines/</filename>. A local, writable
803 (reflinked) copy is then made under the specified local
804 machine name. To omit creation of the local, writable copy
805 pass <literal>-</literal> as local machine name.</para>
806
807 <para>Similar to the behavior of <command>pull-tar</command>,
808 the read-only image is prefixed with
809 <filename>.raw-</filename>, and thus not shown by
810 <command>list-images</command>, unless <option>--all</option>
811 is passed.</para>
812
813 <para>Note that pressing C-c during execution of this command
814 will not abort the download. Use
815 <command>cancel-transfer</command>, described
816 below.</para></listitem>
817 </varlistentry>
818
819 <varlistentry>
820 <term><command>import-tar</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term>
821 <term><command>import-raw</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term>
822 <listitem><para>Imports a TAR or RAW container or VM image,
823 and places it under the specified name in
824 <filename>/var/lib/machines/</filename>. When
825 <command>import-tar</command> is used, the file specified as
826 the first argument should be a tar archive, possibly compressed
827 with xz, gzip or bzip2. It will then be unpacked into its own
828 subvolume in <filename>/var/lib/machines</filename>. When
829 <command>import-raw</command> is used, the file should be a
830 qcow2 or raw disk image, possibly compressed with xz, gzip or
831 bzip2. If the second argument (the resulting image name) is
832 not specified, it is automatically derived from the file
833 name. If the filename is passed as <literal>-</literal>, the
834 image is read from standard input, in which case the second
835 argument is mandatory.</para>
836
837 <para>Both <command>pull-tar</command> and <command>pull-raw</command>
838 will resize <filename>/var/lib/machines.raw</filename> and the
839 filesystem therein as necessary. Optionally, the
840 <option>--read-only</option> switch may be used to create a
841 read-only container or VM image. No cryptographic validation
842 is done when importing the images.</para>
843
844 <para>Much like image downloads, ongoing imports may be listed
845 with <command>list-transfers</command> and aborted with
846 <command>cancel-transfer</command>.</para></listitem>
847 </varlistentry>
848
849 <varlistentry>
850 <term><command>export-tar</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term>
851 <term><command>export-raw</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term>
852 <listitem><para>Exports a TAR or RAW container or VM image and
853 stores it in the specified file. The first parameter should be
854 a VM or container image name. The second parameter should be a
855 file path the TAR or RAW image is written to. If the path ends
856 in <literal>.gz</literal>, the file is compressed with gzip, if
857 it ends in <literal>.xz</literal>, with xz, and if it ends in
858 <literal>.bz2</literal>, with bzip2. If the path ends in
859 neither, the file is left uncompressed. If the second argument
860 is missing, the image is written to standard output. The
861 compression may also be explicitly selected with the
862 <option>--format=</option> switch. This is in particular
863 useful if the second parameter is left unspecified.</para>
864
865 <para>Much like image downloads and imports, ongoing exports
866 may be listed with <command>list-transfers</command> and
867 aborted with
868 <command>cancel-transfer</command>.</para>
869
870 <para>Note that, currently, only directory and subvolume images
871 may be exported as TAR images, and only raw disk images as RAW
872 images.</para></listitem>
873 </varlistentry>
874
875 <varlistentry>
876 <term><command>list-transfers</command></term>
877
878 <listitem><para>Shows a list of container or VM image
879 downloads, imports and exports that are currently in
880 progress.</para></listitem>
881 </varlistentry>
882
883 <varlistentry>
884 <term><command>cancel-transfers</command> <replaceable>ID</replaceable></term>
885
886 <listitem><para>Aborts a download, import or export of the
887 container or VM image with the specified ID. To list ongoing
888 transfers and their IDs, use
889 <command>list-transfers</command>. </para></listitem>
890 </varlistentry>
891
892 </variablelist></refsect2>
893
894 </refsect1>
895
896 <refsect1>
897 <title>Machine and Image Names</title>
898
899 <para>The <command>machinectl</command> tool operates on machines
900 and images whose names must be chosen following strict
901 rules. Machine names must be suitable for use as host names
902 following a conservative subset of DNS and UNIX/Linux
903 semantics. Specifically, they must consist of one or more
904 non-empty label strings, separated by dots. No leading or trailing
905 dots are allowed. No sequences of multiple dots are allowed. The
906 label strings may only consist of alphanumeric characters as well
907 as the dash and underscore. The maximum length of a machine name
908 is 64 characters.</para>
909
910 <para>A special machine with the name <literal>.host</literal>
911 refers to the running host system itself. This is useful for execution
912 operations or inspecting the host system as well. Note that
913 <command>machinectl list</command> will not show this special
914 machine unless the <option>--all</option> switch is specified.</para>
915
916 <para>Requirements on image names are less strict, however, they must be
917 valid UTF-8, must be suitable as file names (hence not be the
918 single or double dot, and not include a slash), and may not
919 contain control characters. Since many operations search for an
920 image by the name of a requested machine, it is recommended to name
921 images in the same strict fashion as machines.</para>
922
923 <para>A special image with the name <literal>.host</literal>
924 refers to the image of the running host system. It hence
925 conceptually maps to the special <literal>.host</literal> machine
926 name described above. Note that <command>machinectl
927 list-images</command> will not show this special image either, unless
928 <option>--all</option> is specified.</para>
929 </refsect1>
930
931 <refsect1>
932 <title>Files and Directories</title>
933
934 <para>Machine images are preferably stored in
935 <filename>/var/lib/machines/</filename>, but are also searched for
936 in <filename>/usr/local/lib/machines/</filename> and
937 <filename>/usr/lib/machines/</filename>. For compatibility reasons,
938 the directory <filename>/var/lib/container/</filename> is
939 searched, too. Note that images stored below
940 <filename>/usr</filename> are always considered read-only. It is
941 possible to symlink machines images from other directories into
942 <filename>/var/lib/machines/</filename> to make them available for
943 control with <command>machinectl</command>.</para>
944
945 <para>Note that some image operations are only supported,
946 efficient or atomic on btrfs file systems. Due to this, if the
947 <command>pull-tar</command>, <command>pull-raw</command>,
948 <command>import-tar</command>, <command>import-raw</command> and
949 <command>set-limit</command> commands notice that
950 <filename>/var/lib/machines</filename> is empty and not located on
951 btrfs, they will implicitly set up a loopback file
952 <filename>/var/lib/machines.raw</filename> containing a btrfs file
953 system that is mounted to
954 <filename>/var/lib/machines</filename>. The size of this loopback
955 file may be controlled dynamically with
956 <command>set-limit</command>.</para>
957
958 <para>Disk images are understood by
959 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
960 and <command>machinectl</command> in three formats:</para>
961
962 <itemizedlist>
963 <listitem><para>A simple directory tree, containing the files
964 and directories of the container to boot.</para></listitem>
965
966 <listitem><para>Subvolumes (on btrfs file systems), which are
967 similar to the simple directories, described above. However,
968 they have additional benefits, such as efficient cloning and
969 quota reporting.</para></listitem>
970
971 <listitem><para>"Raw" disk images, i.e. binary images of disks
972 with a GPT or MBR partition table. Images of this type are
973 regular files with the suffix
974 <literal>.raw</literal>.</para></listitem>
975 </itemizedlist>
976
977 <para>See
978 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
979 for more information on image formats, in particular its
980 <option>--directory=</option> and <option>--image=</option>
981 options.</para>
982 </refsect1>
983
984 <refsect1>
985 <title>Examples</title>
986 <example>
987 <title>Download an Ubuntu image and open a shell in it</title>
988
989 <programlisting># machinectl pull-tar https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-root.tar.gz
990 # systemd-nspawn -M trusty-server-cloudimg-amd64-root</programlisting>
991
992 <para>This downloads and verifies the specified
993 <filename>.tar</filename> image, and then uses
994 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
995 to open a shell in it.</para>
996 </example>
997
998 <example>
999 <title>Download a Fedora image, set a root password in it, start
1000 it as service</title>
1001
1002 <programlisting># machinectl pull-raw --verify=no https://dl.fedoraproject.org/pub/fedora/linux/releases/23/Cloud/x86_64/Images/Fedora-Cloud-Base-23-20151030.x86_64.raw.xz
1003 # systemd-nspawn -M Fedora-Cloud-Base-23-20151030
1004 # passwd
1005 # exit
1006 # machinectl start Fedora-Cloud-Base-23-20151030
1007 # machinectl login Fedora-Cloud-Base-23-20151030</programlisting>
1008
1009 <para>This downloads the specified <filename>.raw</filename>
1010 image with verification disabled. Then, a shell is opened in it
1011 and a root password is set. Afterwards the shell is left, and
1012 the machine started as system service. With the last command a
1013 login prompt into the container is requested.</para>
1014 </example>
1015
1016 <example>
1017 <title>Exports a container image as tar file</title>
1018
1019 <programlisting># machinectl export-tar fedora myfedora.tar.xz</programlisting>
1020
1021 <para>Exports the container <literal>fedora</literal> as an
1022 xz-compressed tar file <filename>myfedora.tar.xz</filename> into the
1023 current directory.</para>
1024 </example>
1025
1026 <example>
1027 <title>Create a new shell session</title>
1028
1029 <programlisting># machinectl shell --uid=lennart</programlisting>
1030
1031 <para>This creates a new shell session on the local host for
1032 the user ID <literal>lennart</literal>, in a <citerefentry
1033 project='die-net'><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>-like
1034 fashion.</para>
1035 </example>
1036
1037 </refsect1>
1038
1039 <refsect1>
1040 <title>Exit status</title>
1041
1042 <para>On success, 0 is returned, a non-zero failure code
1043 otherwise.</para>
1044 </refsect1>
1045
1046 <xi:include href="less-variables.xml" />
1047
1048 <refsect1>
1049 <title>See Also</title>
1050 <para>
1051 <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
1052 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1053 <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
1054 <citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1055 <citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1056 <citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
1057 <citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry>
1058 </para>
1059 </refsect1>
1060
1061 </refentry>
Unnamed repository; edit this file 'description' to name the repository.