]> git.ipfire.org Git - thirdparty/systemd.git/blob - man/systemd-nspawn.xml
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
man: typo fixes
[thirdparty/systemd.git] / man / systemd-nspawn.xml
1 <?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4
5 <!--
6 This file is part of systemd.
7
8 Copyright 2010 Lennart Poettering
9
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
14
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
19
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 -->
23
24 <refentry id="systemd-nspawn"
25 xmlns:xi="http://www.w3.org/2001/XInclude">
26
27 <refentryinfo>
28 <title>systemd-nspawn</title>
29 <productname>systemd</productname>
30
31 <authorgroup>
32 <author>
33 <contrib>Developer</contrib>
34 <firstname>Lennart</firstname>
35 <surname>Poettering</surname>
36 <email>lennart@poettering.net</email>
37 </author>
38 </authorgroup>
39 </refentryinfo>
40
41 <refmeta>
42 <refentrytitle>systemd-nspawn</refentrytitle>
43 <manvolnum>1</manvolnum>
44 </refmeta>
45
46 <refnamediv>
47 <refname>systemd-nspawn</refname>
48 <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
49 </refnamediv>
50
51 <refsynopsisdiv>
52 <cmdsynopsis>
53 <command>systemd-nspawn</command>
54 <arg choice="opt" rep="repeat">OPTIONS</arg>
55 <arg choice="opt"><replaceable>COMMAND</replaceable>
56 <arg choice="opt" rep="repeat">ARGS</arg>
57 </arg>
58 </cmdsynopsis>
59 <cmdsynopsis>
60 <command>systemd-nspawn</command>
61 <arg choice="plain">-b</arg>
62 <arg choice="opt" rep="repeat">OPTIONS</arg>
63 <arg choice="opt" rep="repeat">ARGS</arg>
64 </cmdsynopsis>
65 </refsynopsisdiv>
66
67 <refsect1>
68 <title>Description</title>
69
70 <para><command>systemd-nspawn</command> may be used to run a
71 command or OS in a light-weight namespace container. In many ways
72 it is similar to
73 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
74 but more powerful since it fully virtualizes the file system
75 hierarchy, as well as the process tree, the various IPC subsystems
76 and the host and domain name.</para>
77
78 <para><command>systemd-nspawn</command> limits access to various
79 kernel interfaces in the container to read-only, such as
80 <filename>/sys</filename>, <filename>/proc/sys</filename> or
81 <filename>/sys/fs/selinux</filename>. Network interfaces and the
82 system clock may not be changed from within the container. Device
83 nodes may not be created. The host system cannot be rebooted and
84 kernel modules may not be loaded from within the container.</para>
85
86 <para>Note that even though these security precautions are taken
87 <command>systemd-nspawn</command> is not suitable for fully secure
88 container setups. Many of the security features may be
89 circumvented and are hence primarily useful to avoid accidental
90 changes to the host system from the container.</para>
91
92 <para>In contrast to
93 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
94 may be used to boot full Linux-based operating systems in a
95 container.</para>
96
97 <para>Use a tool like
98 <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
99 <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
100 <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
101 or
102 <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
103 to set up an OS directory tree suitable as file system hierarchy
104 for <command>systemd-nspawn</command> containers.</para>
105
106 <para>Note that <command>systemd-nspawn</command> will mount file
107 systems private to the container to <filename>/dev</filename>,
108 <filename>/run</filename> and similar. These will not be visible
109 outside of the container, and their contents will be lost when the
110 container exits.</para>
111
112 <para>Note that running two <command>systemd-nspawn</command>
113 containers from the same directory tree will not make processes in
114 them see each other. The PID namespace separation of the two
115 containers is complete and the containers will share very few
116 runtime objects except for the underlying file system. Use
117 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
118 <command>login</command> command to request an additional login
119 prompt in a running container.</para>
120
121 <para><command>systemd-nspawn</command> implements the
122 <ulink
123 url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
124 Interface</ulink> specification.</para>
125
126 <para>As a safety check <command>systemd-nspawn</command> will
127 verify the existence of <filename>/usr/lib/os-release</filename>
128 or <filename>/etc/os-release</filename> in the container tree
129 before starting the container (see
130 <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
131 It might be necessary to add this file to the container tree
132 manually if the OS of the container is too old to contain this
133 file out-of-the-box.</para>
134 </refsect1>
135
136 <refsect1>
137 <title>Options</title>
138
139 <para>If option <option>-b</option> is specified, the arguments
140 are used as arguments for the init binary. Otherwise,
141 <replaceable>COMMAND</replaceable> specifies the program to launch
142 in the container, and the remaining arguments are used as
143 arguments for this program. If <option>-b</option> is not used and
144 no arguments are specified, a shell is launched in the
145 container.</para>
146
147 <para>The following options are understood:</para>
148
149 <variablelist>
150 <varlistentry>
151 <term><option>-D</option></term>
152 <term><option>--directory=</option></term>
153
154 <listitem><para>Directory to use as file system root for the
155 container.</para>
156
157 <para>If neither <option>--directory=</option>, nor
158 <option>--image=</option> is specified the directory is
159 determined by searching for a directory named the same as the
160 machine name specified with <option>--machine=</option>. See
161 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
162 section "Files and Directories" for the precise search path.</para>
163
164 <para>If neither <option>--directory=</option>,
165 <option>--image=</option>, nor <option>--machine=</option>
166 are specified, the current directory will
167 be used. May not be specified together with
168 <option>--image=</option>.</para></listitem>
169 </varlistentry>
170
171 <varlistentry>
172 <term><option>--template=</option></term>
173
174 <listitem><para>Directory or <literal>btrfs</literal>
175 subvolume to use as template for the container's root
176 directory. If this is specified and the container's root
177 directory (as configured by <option>--directory=</option>)
178 does not yet exist it is created as <literal>btrfs</literal>
179 subvolume and populated from this template tree. Ideally, the
180 specified template path refers to the root of a
181 <literal>btrfs</literal> subvolume, in which case a simple
182 copy-on-write snapshot is taken, and populating the root
183 directory is instant. If the specified template path does not
184 refer to the root of a <literal>btrfs</literal> subvolume (or
185 not even to a <literal>btrfs</literal> file system at all),
186 the tree is copied, which can be substantially more
187 time-consuming. Note that if this option is used the
188 container's root directory (in contrast to the template
189 directory!) must be located on a <literal>btrfs</literal> file
190 system, so that the <literal>btrfs</literal> subvolume may be
191 created. May not be specified together with
192 <option>--image=</option> or
193 <option>--ephemeral</option>.</para>
194
195 <para>Note that this switch leaves host name, machine ID and
196 all other settings that could identify the instance
197 unmodified.</para></listitem>
198 </varlistentry>
199
200 <varlistentry>
201 <term><option>-x</option></term>
202 <term><option>--ephemeral</option></term>
203
204 <listitem><para>If specified, the container is run with a
205 temporary <literal>btrfs</literal> snapshot of its root
206 directory (as configured with <option>--directory=</option>),
207 that is removed immediately when the container terminates.
208 This option is only supported if the root file system is
209 <literal>btrfs</literal>. May not be specified together with
210 <option>--image=</option> or
211 <option>--template=</option>.</para>
212 <para>Note that this switch leaves host name, machine ID and
213 all other settings that could identify the instance
214 unmodified.</para></listitem>
215 </varlistentry>
216
217 <varlistentry>
218 <term><option>-i</option></term>
219 <term><option>--image=</option></term>
220
221 <listitem><para>Disk image to mount the root directory for the
222 container from. Takes a path to a regular file or to a block
223 device node. The file or block device must contain
224 either:</para>
225
226 <itemizedlist>
227 <listitem><para>An MBR partition table with a single
228 partition of type 0x83 that is marked
229 bootable.</para></listitem>
230
231 <listitem><para>A GUID partition table (GPT) with a single
232 partition of type
233 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem>
234
235 <listitem><para>A GUID partition table (GPT) with a marked
236 root partition which is mounted as the root directory of the
237 container. Optionally, GPT images may contain a home and/or
238 a server data partition which are mounted to the appropriate
239 places in the container. All these partitions must be
240 identified by the partition types defined by the <ulink
241 url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
242 Partitions Specification</ulink>.</para></listitem>
243 </itemizedlist>
244
245 <para>Any other partitions, such as foreign partitions, swap
246 partitions or EFI system partitions are not mounted. May not
247 be specified together with <option>--directory=</option>,
248 <option>--template=</option> or
249 <option>--ephemeral</option>.</para></listitem>
250 </varlistentry>
251
252 <varlistentry>
253 <term><option>-b</option></term>
254 <term><option>--boot</option></term>
255
256 <listitem><para>Automatically search for an init binary and
257 invoke it instead of a shell or a user supplied program. If
258 this option is used, arguments specified on the command line
259 are used as arguments for the init binary. This option may not
260 be combined with <option>--share-system</option>.
261 </para></listitem>
262 </varlistentry>
263
264 <varlistentry>
265 <term><option>-u</option></term>
266 <term><option>--user=</option></term>
267
268 <listitem><para>After transitioning into the container, change
269 to the specified user-defined in the container's user
270 database. Like all other systemd-nspawn features, this is not
271 a security feature and provides protection against accidental
272 destructive operations only.</para></listitem>
273 </varlistentry>
274
275 <varlistentry>
276 <term><option>-M</option></term>
277 <term><option>--machine=</option></term>
278
279 <listitem><para>Sets the machine name for this container. This
280 name may be used to identify this container during its runtime
281 (for example in tools like
282 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
283 and similar), and is used to initialize the container's
284 hostname (which the container can choose to override,
285 however). If not specified, the last component of the root
286 directory path of the container is used, possibly suffixed
287 with a random identifier in case <option>--ephemeral</option>
288 mode is selected. If the root directory selected is the host's
289 root directory the host's hostname is used as default
290 instead.</para></listitem>
291 </varlistentry>
292
293 <varlistentry>
294 <term><option>--uuid=</option></term>
295
296 <listitem><para>Set the specified UUID for the container. The
297 init system will initialize
298 <filename>/etc/machine-id</filename> from this if this file is
299 not set yet. </para></listitem>
300 </varlistentry>
301
302 <varlistentry>
303 <term><option>--slice=</option></term>
304
305 <listitem><para>Make the container part of the specified
306 slice, instead of the default
307 <filename>machine.slice</filename>. This is only applies if
308 the machine is run in its own scope unit, i.e. if
309 <option>--keep-unit</option> is not used.</para>
310 </listitem>
311 </varlistentry>
312
313 <varlistentry>
314 <term><option>--property=</option></term>
315
316 <listitem><para>Set a unit property on the scope unit to
317 register for the machine. This only applies if the machine is
318 run in its own scope unit, i.e. if
319 <option>--keep-unit</option> is not used. Takes unit property
320 assignments in the same format as <command>systemctl
321 set-property</command>. This is useful to set memory limits
322 and similar for machines.</para>
323 </listitem>
324 </varlistentry>
325
326 <varlistentry>
327 <term><option>--private-users=</option></term>
328
329 <listitem><para>Enables user namespacing. If enabled the
330 container will run with its own private set of Unix user and
331 group ids (UIDs and GIDs). Takes none, one or two
332 colon-separated parameters: the first parameter specifies the
333 first host UID to assign to the container, the second
334 parameter specifies the number of host UIDs to assign to the
335 container. If the second parameter is omitted, 65536 UIDs are
336 assigned. If the first parameter is also omitted (and hence
337 no parameter passed at all), the first UID assigned to the
338 container is read from the owner of the root directory of the
339 container's directory tree. By default no user namespacing is
340 applied.</para>
341
342 <para>Note that user namespacing currently requires OS trees
343 that are prepared for the UID shift that is being applied:
344 UIDs and GIDs used for file ownership or in file ACL entries
345 must be shifted to the container UID base that is
346 used during container runtime.</para>
347
348 <para>It is recommended to assign as least 65536 UIDs to each
349 container, so that the usable UID range in the container
350 covers 16bit. For best security do not assign overlapping UID
351 ranges to multiple containers. It is hence a good idea to use
352 the upper 16bit of the host 32bit UIDs as container
353 identifier, while the lower 16bit encode the container UID
354 used.</para>
355
356 <para>When user namespaces are used the GID range assigned to
357 each container is always chosen identical to the UID
358 range.</para></listitem>
359 </varlistentry>
360
361
362 <varlistentry>
363 <term><option>--private-network</option></term>
364
365 <listitem><para>Disconnect networking of the container from
366 the host. This makes all network interfaces unavailable in the
367 container, with the exception of the loopback device and those
368 specified with <option>--network-interface=</option> and
369 configured with <option>--network-veth</option>. If this
370 option is specified, the CAP_NET_ADMIN capability will be
371 added to the set of capabilities the container retains. The
372 latter may be disabled by using
373 <option>--drop-capability=</option>.</para></listitem>
374 </varlistentry>
375
376 <varlistentry>
377 <term><option>--network-interface=</option></term>
378
379 <listitem><para>Assign the specified network interface to the
380 container. This will remove the specified interface from the
381 calling namespace and place it in the container. When the
382 container terminates, it is moved back to the host namespace.
383 Note that <option>--network-interface=</option> implies
384 <option>--private-network</option>. This option may be used
385 more than once to add multiple network interfaces to the
386 container.</para></listitem>
387 </varlistentry>
388
389 <varlistentry>
390 <term><option>--network-macvlan=</option></term>
391
392 <listitem><para>Create a <literal>macvlan</literal> interface
393 of the specified Ethernet network interface and add it to the
394 container. A <literal>macvlan</literal> interface is a virtual
395 interface that adds a second MAC address to an existing
396 physical Ethernet link. The interface in the container will be
397 named after the interface on the host, prefixed with
398 <literal>mv-</literal>. Note that
399 <option>--network-macvlan=</option> implies
400 <option>--private-network</option>. This option may be used
401 more than once to add multiple network interfaces to the
402 container.</para></listitem>
403 </varlistentry>
404
405 <varlistentry>
406 <term><option>--network-ipvlan=</option></term>
407
408 <listitem><para>Create an <literal>ipvlan</literal> interface
409 of the specified Ethernet network interface and add it to the
410 container. An <literal>ipvlan</literal> interface is a virtual
411 interface, similar to a <literal>macvlan</literal> interface,
412 which uses the same MAC address as the underlying interface.
413 The interface in the container will be named after the
414 interface on the host, prefixed with <literal>iv-</literal>.
415 Note that <option>--network-ipvlan=</option> implies
416 <option>--private-network</option>. This option may be used
417 more than once to add multiple network interfaces to the
418 container.</para></listitem>
419 </varlistentry>
420
421 <varlistentry>
422 <term><option>-n</option></term>
423 <term><option>--network-veth</option></term>
424
425 <listitem><para>Create a virtual Ethernet link
426 (<literal>veth</literal>) between host and container. The host
427 side of the Ethernet link will be available as a network
428 interface named after the container's name (as specified with
429 <option>--machine=</option>), prefixed with
430 <literal>ve-</literal>. The container side of the Ethernet
431 link will be named <literal>host0</literal>. Note that
432 <option>--network-veth</option> implies
433 <option>--private-network</option>.</para></listitem>
434 </varlistentry>
435
436 <varlistentry>
437 <term><option>--network-bridge=</option></term>
438
439 <listitem><para>Adds the host side of the Ethernet link
440 created with <option>--network-veth</option> to the specified
441 bridge. Note that <option>--network-bridge=</option> implies
442 <option>--network-veth</option>. If this option is used, the
443 host side of the Ethernet link will use the
444 <literal>vb-</literal> prefix instead of
445 <literal>ve-</literal>.</para></listitem>
446 </varlistentry>
447
448 <varlistentry>
449 <term><option>-p</option></term>
450 <term><option>--port=</option></term>
451
452 <listitem><para>If private networking is enabled, maps an IP
453 port on the host onto an IP port on the container. Takes a
454 protocol specifier (either <literal>tcp</literal> or
455 <literal>udp</literal>), separated by a colon from a host port
456 number in the range 1 to 65535, separated by a colon from a
457 container port number in the range from 1 to 65535. The
458 protocol specifier and its separating colon may be omitted, in
459 which case <literal>tcp</literal> is assumed. The container
460 port number and its colon may be omitted, in which case the
461 same port as the host port is implied. This option is only
462 supported if private networking is used, such as
463 <option>--network-veth</option> or
464 <option>--network-bridge=</option>.</para></listitem>
465 </varlistentry>
466
467 <varlistentry>
468 <term><option>-Z</option></term>
469 <term><option>--selinux-context=</option></term>
470
471 <listitem><para>Sets the SELinux security context to be used
472 to label processes in the container.</para>
473 </listitem>
474 </varlistentry>
475
476 <varlistentry>
477 <term><option>-L</option></term>
478 <term><option>--selinux-apifs-context=</option></term>
479
480 <listitem><para>Sets the SELinux security context to be used
481 to label files in the virtual API file systems in the
482 container.</para>
483 </listitem>
484 </varlistentry>
485
486 <varlistentry>
487 <term><option>--capability=</option></term>
488
489 <listitem><para>List one or more additional capabilities to
490 grant the container. Takes a comma-separated list of
491 capability names, see
492 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
493 for more information. Note that the following capabilities
494 will be granted in any way: CAP_CHOWN, CAP_DAC_OVERRIDE,
495 CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
496 CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE,
497 CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_RAW,
498 CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP, CAP_SETUID,
499 CAP_SYS_ADMIN, CAP_SYS_CHROOT, CAP_SYS_NICE, CAP_SYS_PTRACE,
500 CAP_SYS_TTY_CONFIG, CAP_SYS_RESOURCE, CAP_SYS_BOOT,
501 CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN is
502 retained if <option>--private-network</option> is specified.
503 If the special value <literal>all</literal> is passed, all
504 capabilities are retained.</para></listitem>
505 </varlistentry>
506
507 <varlistentry>
508 <term><option>--drop-capability=</option></term>
509
510 <listitem><para>Specify one or more additional capabilities to
511 drop for the container. This allows running the container with
512 fewer capabilities than the default (see
513 above).</para></listitem>
514 </varlistentry>
515
516 <varlistentry>
517 <term><option>--kill-signal=</option></term>
518
519 <listitem><para>Specify the process signal to send to the
520 container's PID 1 when nspawn itself receives SIGTERM, in
521 order to trigger an orderly shutdown of the
522 container. Defaults to SIGRTMIN+3 if <option>--boot</option>
523 is used (on systemd-compatible init systems SIGRTMIN+3
524 triggers an orderly shutdown). Takes a signal name like
525 <literal>SIGHUP</literal>, <literal>SIGTERM</literal> or
526 similar as argument.</para></listitem>
527 </varlistentry>
528
529 <varlistentry>
530 <term><option>--link-journal=</option></term>
531
532 <listitem><para>Control whether the container's journal shall
533 be made visible to the host system. If enabled, allows viewing
534 the container's journal files from the host (but not vice
535 versa). Takes one of <literal>no</literal>,
536 <literal>host</literal>, <literal>try-host</literal>,
537 <literal>guest</literal>, <literal>try-guest</literal>,
538 <literal>auto</literal>. If <literal>no</literal>, the journal
539 is not linked. If <literal>host</literal>, the journal files
540 are stored on the host file system (beneath
541 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
542 and the subdirectory is bind-mounted into the container at the
543 same location. If <literal>guest</literal>, the journal files
544 are stored on the guest file system (beneath
545 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
546 and the subdirectory is symlinked into the host at the same
547 location. <literal>try-host</literal> and
548 <literal>try-guest</literal> do the same but do not fail if
549 the host does not have persistent journalling enabled. If
550 <literal>auto</literal> (the default), and the right
551 subdirectory of <filename>/var/log/journal</filename> exists,
552 it will be bind mounted into the container. If the
553 subdirectory does not exist, no linking is performed.
554 Effectively, booting a container once with
555 <literal>guest</literal> or <literal>host</literal> will link
556 the journal persistently if further on the default of
557 <literal>auto</literal> is used.</para></listitem>
558 </varlistentry>
559
560 <varlistentry>
561 <term><option>-j</option></term>
562
563 <listitem><para>Equivalent to
564 <option>--link-journal=try-guest</option>.</para></listitem>
565 </varlistentry>
566
567 <varlistentry>
568 <term><option>--read-only</option></term>
569
570 <listitem><para>Mount the root file system read-only for the
571 container.</para></listitem>
572 </varlistentry>
573
574 <varlistentry>
575 <term><option>--bind=</option></term>
576 <term><option>--bind-ro=</option></term>
577
578 <listitem><para>Bind mount a file or directory from the host
579 into the container. Takes one of: a path argument -- in which
580 case the specified path will be mounted from the host to the
581 same path in the container --, or a colon-separated pair of
582 paths -- in which case the first specified path is the source
583 in the host, and the second path is the destination in the
584 container --, or a colon-separated triple of source path,
585 destination path and mount options. Mount options are comma
586 separated and currently only "rbind" and "norbind"
587 are allowed. Defaults to "rbind". Backslash escapes are interpreted so
588 <literal>\:</literal> may be used to embed colons in either path.
589 This option may be specified multiple times for
590 creating multiple independent bind mount points. The
591 <option>--bind-ro=</option> option creates read-only bind
592 mounts.</para></listitem>
593 </varlistentry>
594
595 <varlistentry>
596 <term><option>--tmpfs=</option></term>
597
598 <listitem><para>Mount a tmpfs file system into the container.
599 Takes a single absolute path argument that specifies where to
600 mount the tmpfs instance to (in which case the directory
601 access mode will be chosen as 0755, owned by root/root), or
602 optionally a colon-separated pair of path and mount option
603 string, that is used for mounting (in which case the kernel
604 default for access mode and owner will be chosen, unless
605 otherwise specified). This option is particularly useful for
606 mounting directories such as <filename>/var</filename> as
607 tmpfs, to allow state-less systems, in particular when
608 combined with <option>--read-only</option>.
609 Backslash escapes are interpreted in the path so
610 <literal>\:</literal> may be used to embed colons in the path.
611 </para></listitem>
612 </varlistentry>
613
614 <varlistentry>
615 <term><option>--overlay=</option></term>
616 <term><option>--overlay-ro=</option></term>
617
618 <listitem><para>Combine multiple directory trees into one
619 overlay file system and mount it into the container. Takes a
620 list of colon-separated paths to the directory trees to
621 combine and the destination mount point.</para>
622
623 <para>Backslash escapes are interpreted in the paths, so
624 <literal>\:</literal> may be used to embed colons in the paths.
625 </para>
626
627 <para>If three or more paths are specified, then the last
628 specified path is the destination mount point in the
629 container, all paths specified before refer to directory trees
630 on the host and are combined in the specified order into one
631 overlay file system. The left-most path is hence the lowest
632 directory tree, the second-to-last path the highest directory
633 tree in the stacking order. If <option>--overlay-ro=</option>
634 is used instead of <option>--overlay=</option> a read-only
635 overlay file system is created. If a writable overlay file
636 system is created all changes made to it are written to the
637 highest directory tree in the stacking order, i.e. the
638 second-to-last specified.</para>
639
640 <para>If only two paths are specified, then the second
641 specified path is used both as the top-level directory tree in
642 the stacking order as seen from the host, as well as the mount
643 point for the overlay file system in the container. At least
644 two paths have to be specified.</para>
645
646 <para>For details about overlay file systems, see <ulink
647 url="https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt">overlayfs.txt</ulink>. Note
648 that the semantics of overlay file systems are substantially
649 different from normal file systems, in particular regarding
650 reported device and inode information. Device and inode
651 information may change for a file while it is being written
652 to, and processes might see out-of-date versions of files at
653 times. Note that this switch automatically derives the
654 <literal>workdir=</literal> mount option for the overlay file
655 system from the top-level directory tree, making it a sibling
656 of it. It is hence essential that the top-level directory tree
657 is not a mount point itself (since the working directory must
658 be on the same file system as the top-most directory
659 tree). Also note that the <literal>lowerdir=</literal> mount
660 option receives the paths to stack in the opposite order of
661 this switch.</para></listitem>
662 </varlistentry>
663
664 <varlistentry>
665 <term><option>--setenv=</option></term>
666
667 <listitem><para>Specifies an environment variable assignment
668 to pass to the init process in the container, in the format
669 <literal>NAME=VALUE</literal>. This may be used to override
670 the default variables or to set additional variables. This
671 parameter may be used more than once.</para></listitem>
672 </varlistentry>
673
674 <varlistentry>
675 <term><option>--share-system</option></term>
676
677 <listitem><para>Allows the container to share certain system
678 facilities with the host. More specifically, this turns off
679 PID namespacing, UTS namespacing and IPC namespacing, and thus
680 allows the guest to see and interact more easily with
681 processes outside of the container. Note that using this
682 option makes it impossible to start up a full Operating System
683 in the container, as an init system cannot operate in this
684 mode. It is only useful to run specific programs or
685 applications this way, without involving an init system in the
686 container. This option implies <option>--register=no</option>.
687 This option may not be combined with
688 <option>--boot</option>.</para></listitem>
689 </varlistentry>
690
691 <varlistentry>
692 <term><option>--register=</option></term>
693
694 <listitem><para>Controls whether the container is registered
695 with
696 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
697 Takes a boolean argument, defaults to <literal>yes</literal>.
698 This option should be enabled when the container runs a full
699 Operating System (more specifically: an init system), and is
700 useful to ensure that the container is accessible via
701 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
702 and shown by tools such as
703 <citerefentry project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
704 If the container does not run an init system, it is
705 recommended to set this option to <literal>no</literal>. Note
706 that <option>--share-system</option> implies
707 <option>--register=no</option>. </para></listitem>
708 </varlistentry>
709
710 <varlistentry>
711 <term><option>--keep-unit</option></term>
712
713 <listitem><para>Instead of creating a transient scope unit to
714 run the container in, simply register the service or scope
715 unit <command>systemd-nspawn</command> has been invoked in
716 with
717 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
718 This has no effect if <option>--register=no</option> is used.
719 This switch should be used if
720 <command>systemd-nspawn</command> is invoked from within a
721 service unit, and the service unit's sole purpose is to run a
722 single <command>systemd-nspawn</command> container. This
723 option is not available if run from a user
724 session.</para></listitem>
725 </varlistentry>
726
727 <varlistentry>
728 <term><option>--personality=</option></term>
729
730 <listitem><para>Control the architecture ("personality")
731 reported by
732 <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
733 in the container. Currently, only <literal>x86</literal> and
734 <literal>x86-64</literal> are supported. This is useful when
735 running a 32-bit container on a 64-bit host. If this setting
736 is not used, the personality reported in the container is the
737 same as the one reported on the host.</para></listitem>
738 </varlistentry>
739
740 <varlistentry>
741 <term><option>-q</option></term>
742 <term><option>--quiet</option></term>
743
744 <listitem><para>Turns off any status output by the tool
745 itself. When this switch is used, the only output from nspawn
746 will be the console output of the container OS
747 itself.</para></listitem>
748 </varlistentry>
749
750 <varlistentry>
751 <term><option>--volatile</option></term>
752 <term><option>--volatile=</option><replaceable>MODE</replaceable></term>
753
754 <listitem><para>Boots the container in volatile mode. When no
755 mode parameter is passed or when mode is specified as
756 <option>yes</option> full volatile mode is enabled. This
757 means the root directory is mounted as mostly unpopulated
758 <literal>tmpfs</literal> instance, and
759 <filename>/usr</filename> from the OS tree is mounted into it,
760 read-only (the system thus starts up with read-only OS
761 resources, but pristine state and configuration, any changes
762 to the either are lost on shutdown). When the mode parameter
763 is specified as <option>state</option> the OS tree is
764 mounted read-only, but <filename>/var</filename> is mounted as
765 <literal>tmpfs</literal> instance into it (the system thus
766 starts up with read-only OS resources and configuration, but
767 pristine state, any changes to the latter are lost on
768 shutdown). When the mode parameter is specified as
769 <option>no</option> (the default) the whole OS tree is made
770 available writable.</para>
771
772 <para>Note that setting this to <option>yes</option> or
773 <option>state</option> will only work correctly with
774 operating systems in the container that can boot up with only
775 <filename>/usr</filename> mounted, and are able to populate
776 <filename>/var</filename> automatically, as
777 needed.</para></listitem>
778 </varlistentry>
779
780 <varlistentry>
781 <term><option>--settings=</option><replaceable>MODE</replaceable></term>
782
783 <listitem><para>Controls whether
784 <command>systemd-nspawn</command> shall search for and use
785 additional per-container settings from
786 <filename>.nspawn</filename> files. Takes a boolean or the
787 special values <option>override</option> or
788 <option>trusted</option>.</para>
789
790 <para>If enabled (the default) a settings file named after the
791 machine (as specified with the <option>--machine=</option>
792 setting, or derived from the directory or image file name)
793 with the suffix <filename>.nspawn</filename> is searched in
794 <filename>/etc/systemd/nspawn/</filename> and
795 <filename>/run/systemd/nspawn/</filename>. If it is found
796 there, its settings are read and used. If it is not found
797 there it is subsequently searched in the same directory as the
798 image file or in the immediate parent of the root directory of
799 the container. In this case, if the file is found its settings
800 will be also read and used, but potentially unsafe settings
801 are ignored. Note that in both these cases settings on the
802 command line take precedence over the corresponding settings
803 from loaded <filename>.nspawn</filename> files, if both are
804 specified. Unsafe settings are considered all settings that
805 elevate the container's privileges or grant access to
806 additional resources such as files or directories of the
807 host. For details about the format and contents of
808 <filename>.nspawn</filename> files consult
809 <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
810
811 <para>If this option is set to <option>override</option> the
812 file is searched, read and used the same way, however the order of
813 precedence is reversed: settings read from the
814 <filename>.nspawn</filename> file will take precedence over
815 the corresponding command line options, if both are
816 specified.</para>
817
818 <para>If this option is set to <option>trusted</option> the
819 file is searched, read and used the same way, but regardless
820 if found in <filename>/etc/systemd/nspawn/</filename>,
821 <filename>/run/systemd/nspawn/</filename> or next to the image
822 file or container root directory, all settings will take
823 effect, however command line arguments still take precedence
824 over corresponding settings.</para>
825
826 <para>If disabled no <filename>.nspawn</filename> file is read
827 and no settings except the ones on the command line are in
828 effect.</para></listitem>
829 </varlistentry>
830
831 <xi:include href="standard-options.xml" xpointer="help" />
832 <xi:include href="standard-options.xml" xpointer="version" />
833 </variablelist>
834
835 </refsect1>
836
837 <refsect1>
838 <title>Examples</title>
839
840 <example>
841 <title>Download a Fedora image and start a shell in it</title>
842
843 <programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
844 # systemd-nspawn -M Fedora-Cloud-Base-20141203-21</programlisting>
845
846 <para>This downloads an image using
847 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
848 and opens a shell in it.</para>
849 </example>
850
851 <example>
852 <title>Build and boot a minimal Fedora distribution in a container</title>
853
854 <programlisting># dnf -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd dnf fedora-release vim-minimal
855 # systemd-nspawn -bD /srv/mycontainer</programlisting>
856
857 <para>This installs a minimal Fedora distribution into the
858 directory <filename noindex='true'>/srv/mycontainer/</filename>
859 and then boots an OS in a namespace container in it.</para>
860 </example>
861
862 <example>
863 <title>Spawn a shell in a container of a minimal Debian unstable distribution</title>
864
865 <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
866 # systemd-nspawn -D ~/debian-tree/</programlisting>
867
868 <para>This installs a minimal Debian unstable distribution into
869 the directory <filename>~/debian-tree/</filename> and then
870 spawns a shell in a namespace container in it.</para>
871 </example>
872
873 <example>
874 <title>Boot a minimal Arch Linux distribution in a container</title>
875
876 <programlisting># pacstrap -c -d ~/arch-tree/ base
877 # systemd-nspawn -bD ~/arch-tree/</programlisting>
878
879 <para>This installs a minimal Arch Linux distribution into the
880 directory <filename>~/arch-tree/</filename> and then boots an OS
881 in a namespace container in it.</para>
882 </example>
883
884 <example>
885 <title>Boot into an ephemeral <literal>btrfs</literal> snapshot of the host system</title>
886
887 <programlisting># systemd-nspawn -D / -xb</programlisting>
888
889 <para>This runs a copy of the host system in a
890 <literal>btrfs</literal> snapshot which is removed immediately
891 when the container exits. All file system changes made during
892 runtime will be lost on shutdown, hence.</para>
893 </example>
894
895 <example>
896 <title>Run a container with SELinux sandbox security contexts</title>
897
898 <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
899 # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
900 </example>
901 </refsect1>
902
903 <refsect1>
904 <title>Exit status</title>
905
906 <para>The exit code of the program executed in the container is
907 returned.</para>
908 </refsect1>
909
910 <refsect1>
911 <title>See Also</title>
912 <para>
913 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
914 <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
915 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
916 <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
917 <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
918 <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
919 <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
920 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
921 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
922 <citerefentry project='man-pages'><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
923 </para>
924 </refsect1>
925
926 </refentry>
Unnamed repository; edit this file 'description' to name the repository.