git.ipfire.org Git - thirdparty/systemd.git/blobdiff - man/systemd-nspawn.xml
tree-wide: use "hostname" spelling everywhere
index c0427aa42f32145b9dbe103b2c15d8a3d9574dd6..577ae097c91c6a6efbd23d6301a689fb451ec994 100644 (file)
@@ -1,8 +1,8 @@
 <?xml version='1.0'?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY fedora_latest_version "30">
-<!ENTITY fedora_cloud_release "1.2">
+<!ENTITY fedora_latest_version "31">
+<!ENTITY fedora_cloud_release "1.9">
 ]>
 <!-- SPDX-License-Identifier: LGPL-2.1+ -->
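Review bot: The entity bumps at the top of the file (fedora_latest_version 30 to 31, fedora_cloud_release 1.2 to 1.9) have nothing to do with the commit subject "tree-wide: use "hostname" spelling everywhere"; if this blobdiff spans more than one commit that is expected, otherwise the version bump should be its own commit so the example download URL can be bisected and reverted independently of the spelling fix.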
 
     container.</para>
 
     <para><command>systemd-nspawn</command> implements the <ulink
-    url="https://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container Interface</ulink>
-    specification.</para>
+    url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> specification.</para>
 
     <para>While running, containers invoked with <command>systemd-nspawn</command> are registered with the
     <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry> service that
         all subdirectories and subvolumes below it, but excluding any sub-mounts. May not be specified
         together with <option>--image=</option> or <option>--ephemeral</option>.</para>
 
-        <para>Note that this switch leaves host name, machine ID and
+        <para>Note that this switch leaves hostname, machine ID and
         all other settings that could identify the instance
         unmodified.</para></listitem>
       </varlistentry>
         <listitem><para>If specified, the container is run with a temporary snapshot of its file system that is removed
         immediately when the container terminates. May not be specified together with
         <option>--template=</option>.</para>
-        <para>Note that this switch leaves host name, machine ID and all other settings that could identify
+        <para>Note that this switch leaves hostname, machine ID and all other settings that could identify
         the instance unmodified. Please note that — as with <option>--template=</option> — taking the
         temporary snapshot is more efficient on file systems that support subvolume snapshots or 'reflinks'
         natively (<literal>btrfs</literal> or new <literal>xfs</literal>) than on more traditional file
           a server data partition which are mounted to the appropriate
           places in the container. All these partitions must be
           identified by the partition types defined by the <ulink
-          url="https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
+          url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable
           Partitions Specification</ulink>.</para></listitem>
 
           <listitem><para>No partition table, and a single file system spanning the whole image.</para></listitem>
         container, with the exception of the loopback device and those
         specified with <option>--network-interface=</option> and
         configured with <option>--network-veth</option>. If this
-        option is specified, the CAP_NET_ADMIN capability will be
+        option is specified, the <constant>CAP_NET_ADMIN</constant> capability will be
         added to the set of capabilities the container retains. The
         latter may be disabled by using <option>--drop-capability=</option>.
         If this option is not specified (or implied by one of the options
         container names may have a length up to 64 characters. As this option derives the host-side interface
         name from the container name the name is possibly truncated. Thus, care needs to be taken to ensure
         that interface names remain unique in this case, or even better container names are generally not
-        chosen longer than 12 characters, to avoid the truncation. Alternatively, the
+        chosen longer than 12 characters, to avoid the truncation. If the name is truncated,
+        <command>systemd-nspawn</command> will automatically append a 4-digit hash value to the name to
+        reduce the chance of collisions. However, the hash algorithm is not collision-free. (See
+        <citerefentry><refentrytitle>systemd.net-naming-scheme</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+        for details on older naming algorithms for this interface). Alternatively, the
         <option>--network-veth-extra=</option> option may be used, which allows free configuration of the
         host-side interface name independently of the container name — but might require a bit more
         additional configuration in case bridging in a fashion similar to <option>--network-bridge=</option>
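Review bot: The new sentence on truncated names says a "4-digit hash value" is appended but not whether the digits are decimal or hexadecimal, and, although the text admits the algorithm is not collision-free, it does not say what happens when two truncated names still collide (does systemd-nspawn refuse to start, or does the second container fail when the veth is created?). A sentence naming the failure mode would help administrators who key firewall or bridge rules on the host-side interface name. Minor: the parenthetical "(See ... for details on older naming algorithms for this interface)." would read better as "(see ... for details on older naming algorithms for this interface)." with the period inside.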
       <varlistentry>
         <term><option>--capability=</option></term>
 
-        <listitem><para>List one or more additional capabilities to grant the container.
-        Takes a comma-separated list of capability names, see
-        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+        <listitem><para>List one or more additional capabilities to grant the container.  Takes a
+        comma-separated list of capability names, see <citerefentry
+        project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
         for more information. Note that the following capabilities will be granted in any way:
-        CAP_AUDIT_CONTROL, CAP_AUDIT_WRITE, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
-        CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER, CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE,
-        CAP_MKNOD, CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_RAW, CAP_SETFCAP,
-        CAP_SETGID, CAP_SETPCAP, CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_SYS_CHROOT,
-        CAP_SYS_NICE, CAP_SYS_PTRACE, CAP_SYS_RESOURCE, CAP_SYS_TTY_CONFIG. Also CAP_NET_ADMIN
-        is retained if <option>--private-network</option> is specified.  If the special value
-        <literal>all</literal> is passed, all capabilities are retained.</para></listitem>
+        <constant>CAP_AUDIT_CONTROL</constant>, <constant>CAP_AUDIT_WRITE</constant>,
+        <constant>CAP_CHOWN</constant>, <constant>CAP_DAC_OVERRIDE</constant>,
+        <constant>CAP_DAC_READ_SEARCH</constant>, <constant>CAP_FOWNER</constant>,
+        <constant>CAP_FSETID</constant>, <constant>CAP_IPC_OWNER</constant>, <constant>CAP_KILL</constant>,
+        <constant>CAP_LEASE</constant>, <constant>CAP_LINUX_IMMUTABLE</constant>,
+        <constant>CAP_MKNOD</constant>, <constant>CAP_NET_BIND_SERVICE</constant>,
+        <constant>CAP_NET_BROADCAST</constant>, <constant>CAP_NET_RAW</constant>,
+        <constant>CAP_SETFCAP</constant>, <constant>CAP_SETGID</constant>, <constant>CAP_SETPCAP</constant>,
+        <constant>CAP_SETUID</constant>, <constant>CAP_SYS_ADMIN</constant>,
+        <constant>CAP_SYS_BOOT</constant>, <constant>CAP_SYS_CHROOT</constant>,
+        <constant>CAP_SYS_NICE</constant>, <constant>CAP_SYS_PTRACE</constant>,
+        <constant>CAP_SYS_RESOURCE</constant>, <constant>CAP_SYS_TTY_CONFIG</constant>. Also
+        <constant>CAP_NET_ADMIN</constant> is retained if <option>--private-network</option> is specified.
+        If the special value <literal>all</literal> is passed, all capabilities are retained.</para>
+
+        <para>If the special value of <literal>help</literal> is passed, the program will print known
+        capability names and exit.</para></listitem>
       </varlistentry>
 
       <varlistentry>
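Review bot: "Note that the following capabilities will be granted in any way:" in the unchanged context should read "in any case" (or "are granted by default"), and the new paragraph's "If the special value of <literal>help</literal> is passed" drops the "of" more naturally: "If the special value <literal>help</literal> is passed". Since the default set listed here includes <constant>CAP_SYS_ADMIN</constant> and <constant>CAP_SYS_PTRACE</constant>, a cross-reference to <option>--drop-capability=</option> in this paragraph would tell readers the default set can be narrowed without having to find the next entry. The <constant> markup itself is consistent with the <constant>CAP_NET_ADMIN</constant> change earlier in this file.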
         <listitem><para>Specify one or more additional capabilities to
         drop for the container. This allows running the container with
         fewer capabilities than the default (see
-        above).</para></listitem>
+        above).</para>
+
+        <para>If the special value of <literal>help</literal> is passed, the program will print known
+        capability names and exit.</para></listitem>
       </varlistentry>
 
       <varlistentry>
       <ulink url="https://getfedora.org">Fedora</ulink> image and start a shell in it</title>
 
       <programlisting># machinectl pull-raw --verify=no \
-      https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz
-# systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64</programlisting>
+      https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz \
+      Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64
+# systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64</programlisting>
 
       <para>This downloads an image using
       <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
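Review bot: The added third argument renames the local image from the download's <literal>x86_64</literal> suffix to <literal>x86-64</literal>, but neither the hunk nor the paragraph below says why; if the underscore is not acceptable in a machine name, say so in the prose, otherwise readers will take it for a typo. Separately, the unchanged first line still passes <option>--verify=no</option>, so the downloaded image is not checked against a signature; either keep the default verification in the documented command or add one sentence explaining why it is disabled in this example.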
 
       <programlisting># dnf -y --releasever=&fedora_latest_version; --installroot=/var/lib/machines/f&fedora_latest_version; \
       --disablerepo='*' --enablerepo=fedora --enablerepo=updates install \
-      systemd passwd dnf fedora-release vim-minimal
+      systemd passwd dnf fedora-release vim-minimal glibc-minimal-langpack
 # systemd-nspawn -bD /var/lib/machines/f&fedora_latest_version;</programlisting>
 
       <para>This installs a minimal Fedora distribution into the
-      directory <filename noindex='true'>/var/lib/machines/f&fedora_latest_version;</filename>
+      directory <filename index="false">/var/lib/machines/f&fedora_latest_version;</filename>
       and then boots an OS in a namespace container in it. Because the installation
       is located underneath the standard <filename>/var/lib/machines/</filename>
       directory, it is also possible to start the machine using
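Review bot: <literal>glibc-minimal-langpack</literal> is added to the <command>dnf</command> package list without a word in the following paragraph about why it is needed; a brief reason would help readers who trim the list for a smaller container. The <filename> attribute change from <literal>noindex='true'</literal> to <literal>index="false"</literal> is a markup fix unrelated to both the package list and the commit subject.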