</cmdsynopsis>
<cmdsynopsis>
<command>systemd-nspawn</command>
- <arg choice="plain">-b</arg>
+ <arg choice="plain">--boot</arg>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="opt" rep="repeat">ARGS</arg>
</cmdsynopsis>
<para>Use a tool like
<citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
or
<citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
<option>--ephemeral</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-a</option></term>
+ <term><option>--as-pid2</option></term>
+
+ <listitem><para>Invoke the shell or specified program as process ID (PID) 2 instead of PID 1 (init). By
+ default, if neither this option nor <option>--boot</option> is used, the selected binary is run as process with
+ PID 1, a mode only suitable for programs that are aware of the special semantics that the process with PID 1
+ has on UNIX. For example, it needs to reap all processes reparented to it, and should implement
+ <command>sysvinit</command> compatible signal handling (specifically: it needs to reboot on SIGINT, reexecute
+ on SIGTERM, reload configuration on SIGHUP, and so on). With <option>--as-pid2</option> a minimal stub init
+ process is run as PID 1 and the selected binary is executed as PID 2 (and hence does not need to implement any
+ special semantics). The stub init process will reap processes as necessary and react appropriately to
+ signals. It is recommended to use this mode to invoke arbitrary commands in containers, unless they have been
+ modified to run correctly as PID 1. Or in other words: this switch should be used for pretty much all commands,
+ except when the command refers to an init or shell implementation, as these are generally capable of running
+ correctly as PID 1. This option may not be combined with <option>--boot</option> or
+ <option>--share-system</option>.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>-b</option></term>
<term><option>--boot</option></term>
- <listitem><para>Automatically search for an init binary and
- invoke it instead of a shell or a user supplied program. If
- this option is used, arguments specified on the command line
- are used as arguments for the init binary. This option may not
- be combined with <option>--share-system</option>.
- </para></listitem>
+ <listitem><para>Automatically search for an init binary and invoke it as PID 1, instead of a shell or a user
+ supplied program. If this option is used, arguments specified on the command line are used as arguments for the
+ init binary. This option may not be combined with <option>--as-pid2</option> or
+ <option>--share-system</option>.</para>
+
+ <para>The following table explains the different modes of invocation and relationship to
+ <option>--as-pid2</option> (see above):</para>
+
+ <table>
+ <title>Invocation Mode</title>
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname="switch" />
+ <colspec colname="explanation" />
+ <thead>
+ <row>
+ <entry>Switch</entry>
+ <entry>Explanation</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Neither <option>--as-pid2</option> nor <option>--boot</option> specified</entry>
+ <entry>The passed parameters are interpreted as the command line, which is executed as PID 1 in the container.</entry>
+ </row>
+
+ <row>
+ <entry><option>--as-pid2</option> specified</entry>
+ <entry>The passed parameters are interpreted as the command line, which is executed as PID 2 in the container. A stub init process is run as PID 1.</entry>
+ </row>
+
+ <row>
+ <entry><option>--boot</option> specified</entry>
+ <entry>An init binary as automatically searched and run as PID 1 in the container. The passed parameters are used as invocation parameters for this process.</entry>
+ </row>
+
+ </tbody>
+ </tgroup>
+ </table>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--chdir=</option></term>
+
+ <listitem><para>Change to the specified working directory before invoking the process in the container. Expects
+ an absolute path in the container's file system namespace.</para></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Set the specified UUID for the container. The
init system will initialize
<filename>/etc/machine-id</filename> from this if this file is
- not set yet. </para></listitem>
+ not set yet. Note that this option takes effect only if
+ <filename>/etc/machine-id</filename> in the container is
+ unpopulated.</para></listitem>
</varlistentry>
<varlistentry>
<varlistentry>
<term><option>--private-users=</option></term>
- <listitem><para>Enables user namespacing. If enabled the
+ <listitem><para>Enables user namespacing. If enabled, the
container will run with its own private set of Unix user and
group ids (UIDs and GIDs). Takes none, one or two
colon-separated parameters: the first parameter specifies the
assigned. If the first parameter is also omitted (and hence
no parameter passed at all), the first UID assigned to the
container is read from the owner of the root directory of the
- container's directory tree. By default no user namespacing is
+ container's directory tree. By default, no user namespacing is
applied.</para>
<para>Note that user namespacing currently requires OS trees
must be shifted to the container UID base that is
used during container runtime.</para>
- <para>It is recommended to assign as least 65536 UIDs to each
+ <para>It is recommended to assign at least 65536 UIDs to each
container, so that the usable UID range in the container
- covers 16bit. For best security do not assign overlapping UID
+ covers 16 bit. For best security, do not assign overlapping UID
ranges to multiple containers. It is hence a good idea to use
- the upper 16bit of the host 32bit UIDs as container
- identifier, while the lower 16bit encode the container UID
+ the upper 16 bit of the host 32-bit UIDs as container
+ identifier, while the lower 16 bit encode the container UID
used.</para>
- <para>When user namespaces are used the GID range assigned to
+ <para>When user namespaces are used, the GID range assigned to
each container is always chosen identical to the UID
range.</para></listitem>
</varlistentry>
<option>--private-network</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--network-veth-extra=</option></term>
+
+ <listitem><para>Adds an additional virtual Ethernet link
+ between host and container. Takes a colon-separated pair of
+ host interface name and container interface name. The latter
+ may be omitted in which case the container and host sides will
+ be assigned the same name. This switch is independent of
+ <option>--network-veth</option>, and — in contrast — may be
+ used multiple times, and allows configuration of the network
+ interface names. Note that <option>--network-bridge=</option>
+ has no effect on interfaces created with
+ <option>--network-veth-extra=</option>.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--network-bridge=</option></term>
which case <literal>tcp</literal> is assumed. The container
port number and its colon may be omitted, in which case the
same port as the host port is implied. This option is only
- supported if private networking is used, such as
+ supported if private networking is used, such as with
<option>--network-veth</option> or
<option>--network-bridge=</option>.</para></listitem>
</varlistentry>
order to trigger an orderly shutdown of the
container. Defaults to SIGRTMIN+3 if <option>--boot</option>
is used (on systemd-compatible init systems SIGRTMIN+3
- triggers an orderly shutdown). Takes a signal name like
- <literal>SIGHUP</literal>, <literal>SIGTERM</literal> or
- similar as argument.</para></listitem>
+ triggers an orderly shutdown). For a list of valid signals, see
+ <citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--bind-ro=</option></term>
<listitem><para>Bind mount a file or directory from the host
- into the container. Takes one of: a path argument -- in which
+ into the container. Takes one of: a path argument — in which
case the specified path will be mounted from the host to the
- same path in the container --, or a colon-separated pair of
- paths -- in which case the first specified path is the source
+ same path in the container —, or a colon-separated pair of
+ paths — in which case the first specified path is the source
in the host, and the second path is the destination in the
- container --, or a colon-separated triple of source path,
- destination path and mount options. Mount options are comma
- separated and currently only "rbind" and "norbind"
- are allowed. Defaults to "rbind". Backslash escapes are interpreted so
+ container —, or a colon-separated triple of source path,
+ destination path and mount options. Mount options are
+ comma-separated and currently, only "rbind" and "norbind"
+ are allowed. Defaults to "rbind". Backslash escapes are interpreted, so
<literal>\:</literal> may be used to embed colons in either path.
This option may be specified multiple times for
creating multiple independent bind mount points. The
mount the tmpfs instance to (in which case the directory
access mode will be chosen as 0755, owned by root/root), or
optionally a colon-separated pair of path and mount option
- string, that is used for mounting (in which case the kernel
+ string that is used for mounting (in which case the kernel
default for access mode and owner will be chosen, unless
otherwise specified). This option is particularly useful for
mounting directories such as <filename>/var</filename> as
tmpfs, to allow state-less systems, in particular when
combined with <option>--read-only</option>.
- Backslash escapes are interpreted in the path so
+ Backslash escapes are interpreted in the path, so
<literal>\:</literal> may be used to embed colons in the path.
</para></listitem>
</varlistentry>
overlay file system. The left-most path is hence the lowest
directory tree, the second-to-last path the highest directory
tree in the stacking order. If <option>--overlay-ro=</option>
- is used instead of <option>--overlay=</option> a read-only
+ is used instead of <option>--overlay=</option>, a read-only
overlay file system is created. If a writable overlay file
- system is created all changes made to it are written to the
+ system is created, all changes made to it are written to the
highest directory tree in the stacking order, i.e. the
second-to-last specified.</para>
</varlistentry>
<varlistentry>
- <term><option>--setenv=</option></term>
+ <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term>
+ <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term>
<listitem><para>Specifies an environment variable assignment
to pass to the init process in the container, in the format
<listitem><para>Controls whether the container is registered
with
<citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
- Takes a boolean argument, defaults to <literal>yes</literal>.
+ Takes a boolean argument, which defaults to <literal>yes</literal>.
This option should be enabled when the container runs a full
Operating System (more specifically: an init system), and is
useful to ensure that the container is accessible via
<listitem><para>Boots the container in volatile mode. When no
mode parameter is passed or when mode is specified as
- <option>yes</option> full volatile mode is enabled. This
- means the root directory is mounted as mostly unpopulated
+ <option>yes</option>, full volatile mode is enabled. This
+ means the root directory is mounted as a mostly unpopulated
<literal>tmpfs</literal> instance, and
- <filename>/usr</filename> from the OS tree is mounted into it,
- read-only (the system thus starts up with read-only OS
+ <filename>/usr</filename> from the OS tree is mounted into it
+ in read-only mode (the system thus starts up with read-only OS
resources, but pristine state and configuration, any changes
to the either are lost on shutdown). When the mode parameter
- is specified as <option>state</option> the OS tree is
+ is specified as <option>state</option>, the OS tree is
mounted read-only, but <filename>/var</filename> is mounted as
- <literal>tmpfs</literal> instance into it (the system thus
+ a <literal>tmpfs</literal> instance into it (the system thus
starts up with read-only OS resources and configuration, but
- pristine state, any changes to the latter are lost on
+ pristine state, and any changes to the latter are lost on
shutdown). When the mode parameter is specified as
- <option>no</option> (the default) the whole OS tree is made
+ <option>no</option> (the default), the whole OS tree is made
available writable.</para>
<para>Note that setting this to <option>yes</option> or
special values <option>override</option> or
<option>trusted</option>.</para>
- <para>If enabled (the default) a settings file named after the
+ <para>If enabled (the default), a settings file named after the
machine (as specified with the <option>--machine=</option>
setting, or derived from the directory or image file name)
with the suffix <filename>.nspawn</filename> is searched in
<filename>/etc/systemd/nspawn/</filename> and
<filename>/run/systemd/nspawn/</filename>. If it is found
there, its settings are read and used. If it is not found
- there it is subsequently searched in the same directory as the
+ there, it is subsequently searched in the same directory as the
image file or in the immediate parent of the root directory of
- the container. In this case, if the file is found its settings
+ the container. In this case, if the file is found, its settings
will be also read and used, but potentially unsafe settings
- are ignored. Note that in both these cases settings on the
+ are ignored. Note that in both these cases, settings on the
command line take precedence over the corresponding settings
from loaded <filename>.nspawn</filename> files, if both are
specified. Unsafe settings are considered all settings that
elevate the container's privileges or grant access to
additional resources such as files or directories of the
host. For details about the format and contents of
- <filename>.nspawn</filename> files consult
+ <filename>.nspawn</filename> files, consult
<citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
- <para>If this option is set to <option>override</option> the
- file is searched, read and used the same way, however the order of
+ <para>If this option is set to <option>override</option>, the
+ file is searched, read and used the same way, however, the order of
precedence is reversed: settings read from the
<filename>.nspawn</filename> file will take precedence over
the corresponding command line options, if both are
specified.</para>
- <para>If this option is set to <option>trusted</option> the
+ <para>If this option is set to <option>trusted</option>, the
file is searched, read and used the same way, but regardless
- if found in <filename>/etc/systemd/nspawn/</filename>,
+ of being found in <filename>/etc/systemd/nspawn/</filename>,
<filename>/run/systemd/nspawn/</filename> or next to the image
file or container root directory, all settings will take
- effect, however command line arguments still take precedence
+ effect, however, command line arguments still take precedence
over corresponding settings.</para>
- <para>If disabled no <filename>.nspawn</filename> file is read
+ <para>If disabled, no <filename>.nspawn</filename> file is read
and no settings except the ones on the command line are in
effect.</para></listitem>
</varlistentry>
<example>
<title>Build and boot a minimal Fedora distribution in a container</title>
- <programlisting># dnf -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd dnf fedora-release vim-minimal
+ <programlisting># dnf -y --releasever=23 --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora --enablerepo=updates install systemd passwd dnf fedora-release vim-minimal
# systemd-nspawn -bD /srv/mycontainer</programlisting>
<para>This installs a minimal Fedora distribution into the
<citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,