-<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-
-<!--
- SPDX-License-Identifier: LGPL-2.1+
-
- This file is part of systemd.
-
- Copyright 2010 Lennart Poettering
--->
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY fedora_latest_version "30">
+<!ENTITY fedora_cloud_release "1.2">
+]>
+<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="systemd-nspawn"
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>systemd-nspawn</title>
<productname>systemd</productname>
-
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>Lennart</firstname>
- <surname>Poettering</surname>
- <email>lennart@poettering.net</email>
- </author>
- </authorgroup>
</refentryinfo>
<refmeta>
<refnamediv>
<refname>systemd-nspawn</refname>
- <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
+ <refpurpose>Spawn a command or OS in a light-weight container</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><command>systemd-nspawn</command> may be invoked on any directory tree containing an operating system tree,
using the <option>--directory=</option> command line option. By using the <option>--machine=</option> option an OS
tree is automatically searched for in a couple of locations, most importantly in
- <filename>/var/lib/machines</filename>, the suggested directory to place container images installed on the
+ <filename>/var/lib/machines</filename>, the suggested directory to place OS container images installed on the
system.</para>
<para>In contrast to <citerefentry
<para>The following options are understood:</para>
<variablelist>
+
+ <varlistentry>
+ <term><option>-q</option></term>
+ <term><option>--quiet</option></term>
+
+ <listitem><para>Turns off any status output by the tool
+ itself. When this switch is used, the only output from nspawn
+ will be the console output of the container OS
+ itself.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--settings=</option><replaceable>MODE</replaceable></term>
+
+ <listitem><para>Controls whether
+ <command>systemd-nspawn</command> shall search for and use
+ additional per-container settings from
+ <filename>.nspawn</filename> files. Takes a boolean or the
+ special values <option>override</option> or
+ <option>trusted</option>.</para>
+
+ <para>If enabled (the default), a settings file named after the
+ machine (as specified with the <option>--machine=</option>
+ setting, or derived from the directory or image file name)
+ with the suffix <filename>.nspawn</filename> is searched in
+ <filename>/etc/systemd/nspawn/</filename> and
+ <filename>/run/systemd/nspawn/</filename>. If it is found
+ there, its settings are read and used. If it is not found
+ there, it is subsequently searched in the same directory as the
+ image file or in the immediate parent of the root directory of
+ the container. In this case, if the file is found, its settings
+ will be also read and used, but potentially unsafe settings
+ are ignored. Note that in both these cases, settings on the
+ command line take precedence over the corresponding settings
+ from loaded <filename>.nspawn</filename> files, if both are
+ specified. Unsafe settings are considered all settings that
+ elevate the container's privileges or grant access to
+ additional resources such as files or directories of the
+ host. For details about the format and contents of
+ <filename>.nspawn</filename> files, consult
+ <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+
+ <para>If this option is set to <option>override</option>, the
+ file is searched, read and used the same way, however, the order of
+ precedence is reversed: settings read from the
+ <filename>.nspawn</filename> file will take precedence over
+ the corresponding command line options, if both are
+ specified.</para>
+
+ <para>If this option is set to <option>trusted</option>, the
+ file is searched, read and used the same way, but regardless
+ of being found in <filename>/etc/systemd/nspawn/</filename>,
+ <filename>/run/systemd/nspawn/</filename> or next to the image
+ file or container root directory, all settings will take
+ effect, however, command line arguments still take precedence
+ over corresponding settings.</para>
+
+ <para>If disabled, no <filename>.nspawn</filename> file is read
+ and no settings except the ones on the command line are in
+ effect.</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ <refsect2>
+ <title>Image Options</title>
+
+ <variablelist>
+
<varlistentry>
<term><option>-D</option></term>
<term><option>--directory=</option></term>
<varlistentry>
<term><option>--template=</option></term>
- <listitem><para>Directory or <literal>btrfs</literal> subvolume to use as template for the container's root
- directory. If this is specified and the container's root directory (as configured by
- <option>--directory=</option>) does not yet exist it is created as <literal>btrfs</literal> snapshot (if
- supported) or plain directory (otherwise) and populated from this template tree. Ideally, the specified
- template path refers to the root of a <literal>btrfs</literal> subvolume, in which case a simple copy-on-write
- snapshot is taken, and populating the root directory is instant. If the specified template path does not refer
- to the root of a <literal>btrfs</literal> subvolume (or not even to a <literal>btrfs</literal> file system at
- all), the tree is copied (though possibly in a copy-on-write scheme — if the file system supports that), which
- can be substantially more time-consuming. May not be specified together with <option>--image=</option> or
- <option>--ephemeral</option>.</para>
+ <listitem><para>Directory or <literal>btrfs</literal> subvolume to use as template for the
+ container's root directory. If this is specified and the container's root directory (as configured by
+ <option>--directory=</option>) does not yet exist it is created as <literal>btrfs</literal> snapshot
+ (if supported) or plain directory (otherwise) and populated from this template tree. Ideally, the
+ specified template path refers to the root of a <literal>btrfs</literal> subvolume, in which case a
+ simple copy-on-write snapshot is taken, and populating the root directory is instant. If the
+ specified template path does not refer to the root of a <literal>btrfs</literal> subvolume (or not
+ even to a <literal>btrfs</literal> file system at all), the tree is copied (though possibly in a
+ 'reflink' copy-on-write scheme — if the file system supports that), which can be substantially more
+ time-consuming. Note that the snapshot taken is of the specified directory or subvolume, including
+ all subdirectories and subvolumes below it, but excluding any sub-mounts. May not be specified
+ together with <option>--image=</option> or <option>--ephemeral</option>.</para>
<para>Note that this switch leaves host name, machine ID and
all other settings that could identify the instance
<listitem><para>If specified, the container is run with a temporary snapshot of its file system that is removed
immediately when the container terminates. May not be specified together with
<option>--template=</option>.</para>
- <para>Note that this switch leaves host name, machine ID and
- all other settings that could identify the instance
- unmodified.</para></listitem>
+ <para>Note that this switch leaves host name, machine ID and all other settings that could identify
+ the instance unmodified. Please note that — as with <option>--template=</option> — taking the
+ temporary snapshot is more efficient on file systems that support subvolume snapshots or 'reflinks'
+ natively (<literal>btrfs</literal> or new <literal>xfs</literal>) than on more traditional file
+ systems that do not (<literal>ext4</literal>). Note that the snapshot taken is of the specified
+ directory or subvolume, including all subdirectories and subvolumes below it, but excluding any
+ sub-mounts.</para>
+
+ <para>With this option no modifications of the container image are retained. Use
+ <option>--volatile=</option> (described below) for other mechanisms to restrict persistency of
+ container images during runtime.</para>
+ </listitem>
</varlistentry>
<varlistentry>
together with <option>--directory=</option>, <option>--template=</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--oci-bundle=</option></term>
+
+ <listitem><para>Takes the path to an OCI runtime bundle to invoke, as specified in the <ulink
+ url="https://github.com/opencontainers/runtime-spec/blob/master/spec.md">OCI Runtime Specification</ulink>. In
+ this case no <filename>.nspawn</filename> file is loaded, and the root directory and various settings are read
+ from the OCI runtime JSON data (but data passed on the command line takes precedence).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--read-only</option></term>
+
+ <listitem><para>Mount the container's root file system (and any other file systems container in the container
+ image) read-only. This has no effect on additional mounts made with <option>--bind=</option>,
+ <option>--tmpfs=</option> and similar options. This mode is implied if the container image file or directory is
+ marked read-only itself. It is also implied if <option>--volatile=</option> is used. In this case the container
+ image on disk is strictly read-only, while changes are permitted but kept non-persistently in memory only. For
+ further details, see below.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--volatile</option></term>
+ <term><option>--volatile=</option><replaceable>MODE</replaceable></term>
+
+ <listitem><para>Boots the container in volatile mode. When no mode parameter is passed or when mode is
+ specified as <option>yes</option>, full volatile mode is enabled. This means the root directory is mounted as a
+ mostly unpopulated <literal>tmpfs</literal> instance, and <filename>/usr/</filename> from the OS tree is
+ mounted into it in read-only mode (the system thus starts up with read-only OS image, but pristine state and
+ configuration, any changes are lost on shutdown). When the mode parameter is specified as
+ <option>state</option>, the OS tree is mounted read-only, but <filename>/var/</filename> is mounted as a
+ writable <literal>tmpfs</literal> instance into it (the system thus starts up with read-only OS resources and
+ configuration, but pristine state, and any changes to the latter are lost on shutdown). When the mode parameter
+ is specified as <option>overlay</option> the read-only root file system is combined with a writable
+ <filename>tmpfs</filename> instance through <literal>overlayfs</literal>, so that it appears at it normally
+ would, but any changes are applied to the temporary file system only and lost when the container is
+ terminated. When the mode parameter is specified as <option>no</option> (the default), the whole OS tree is
+ made available writable (unless <option>--read-only</option> is specified, see above).</para>
+
+ <para>Note that if one of the volatile modes is chosen, its effect is limited to the root file system (or
+ <filename>/var/</filename> in case of <option>state</option>), and any other mounts placed in the hierarchy are
+ unaffected — regardless if they are established automatically (e.g. the EFI system partition that might be
+ mounted to <filename>/efi/</filename> or <filename>/boot/</filename>) or explicitly (e.g. through an additional
+ command line option such as <option>--bind=</option>, see below). This means, even if
+ <option>--volatile=overlay</option> is used changes to <filename>/efi/</filename> or
+ <filename>/boot/</filename> are prohibited in case such a partition exists in the container image operated on,
+ and even if <option>--volatile=state</option> is used the hypothetical file <filename>/etc/foobar</filename> is
+ potentially writable if <option>--bind=/etc/foobar</option> if used to mount it from outside the read-only
+ container <filename>/etc</filename> directory.</para>
+
+ <para>The <option>--ephemeral</option> option is closely related to this setting, and provides similar
+ behaviour by making a temporary, ephemeral copy of the whole OS image and executing that. For further details,
+ see above.</para>
+
+ <para>The <option>--tmpfs=</option> and <option>--overlay=</option> options provide similar functionality, but
+ for specific sub-directories of the OS image only. For details, see below.</para>
+
+ <para>This option provides similar functionality for containers as the <literal>systemd.volatile=</literal>
+ kernel command line switch provides for host systems. See
+ <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
+ details.</para>
+
+ <para>Note that setting this option to <option>yes</option> or <option>state</option> will only work correctly
+ with operating systems in the container that can boot up with only <filename>/usr</filename> mounted, and are
+ able to automatically populate <filename>/var</filename>, and also <filename>/etc</filename> in case of
+ <literal>--volatile=yes</literal>. The <option>overlay</option> option does not require any particular
+ preparations in the OS, but do note that <literal>overlayfs</literal> behaviour differs from regular file
+ systems in a number of ways, and hence compatibility is limited.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--root-hash=</option></term>
used, also as formatted hexadecimal characters.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--pivot-root=</option></term>
+
+ <listitem><para>Pivot the specified directory to <filename>/</filename> inside the container, and either unmount the
+ container's old root, or pivot it to another specified directory. Takes one of: a path argument — in which case the
+ specified path will be pivoted to <filename>/</filename> and the old root will be unmounted; or a colon-separated pair
+ of new root path and pivot destination for the old root. The new root path will be pivoted to <filename>/</filename>,
+ and the old <filename>/</filename> will be pivoted to the other directory. Both paths must be absolute, and are resolved
+ in the container's file system namespace.</para>
+
+ <para>This is for containers which have several bootable directories in them; for example, several
+ <ulink url="https://ostree.readthedocs.io/en/latest/">OSTree</ulink> deployments. It emulates the behavior of
+ the boot loader and initial RAM disk which normally select which directory to mount as the root and start the
+ container's PID 1 in.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Execution Options</title>
+
+ <variablelist>
<varlistentry>
<term><option>-a</option></term>
<term><option>--as-pid2</option></term>
</varlistentry>
<varlistentry>
- <term><option>--pivot-root=</option></term>
-
- <listitem><para>Pivot the specified directory to <filename>/</filename> inside the container, and either unmount the
- container's old root, or pivot it to another specified directory. Takes one of: a path argument — in which case the
- specified path will be pivoted to <filename>/</filename> and the old root will be unmounted; or a colon-separated pair
- of new root path and pivot destination for the old root. The new root path will be pivoted to <filename>/</filename>,
- and the old <filename>/</filename> will be pivoted to the other directory. Both paths must be absolute, and are resolved
- in the container's file system namespace.</para>
+ <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term>
+ <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term>
- <para>This is for containers which have several bootable directories in them; for example, several
- <ulink url="https://ostree.readthedocs.io/en/latest/">OSTree</ulink> deployments. It emulates the behavior of
- the boot loader and initial RAM disk which normally select which directory to mount as the root and start the
- container's PID 1 in.</para></listitem>
+ <listitem><para>Specifies an environment variable assignment
+ to pass to the init process in the container, in the format
+ <literal>NAME=VALUE</literal>. This may be used to override
+ the default variables or to set additional variables. This
+ parameter may be used more than once.</para></listitem>
</varlistentry>
<varlistentry>
destructive operations only.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--kill-signal=</option></term>
+
+ <listitem><para>Specify the process signal to send to the container's PID 1 when nspawn itself receives
+ <constant>SIGTERM</constant>, in order to trigger an orderly shutdown of the container. Defaults to
+ <constant>SIGRTMIN+3</constant> if <option>--boot</option> is used (on systemd-compatible init systems
+ <constant>SIGRTMIN+3</constant> triggers an orderly shutdown). If <option>--boot</option> is not used and this
+ option is not specified the container's processes are terminated abruptly via <constant>SIGKILL</constant>. For
+ a list of valid signals, see <citerefentry
+ project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--notify-ready=</option></term>
+
+ <listitem><para>Configures support for notifications from the container's init process.
+ <option>--notify-ready=</option> takes a boolean (<option>no</option> and <option>yes</option>).
+ With option <option>no</option> systemd-nspawn notifies systemd
+ with a <literal>READY=1</literal> message when the init process is created.
+ With option <option>yes</option> systemd-nspawn waits for the
+ <literal>READY=1</literal> message from the init process in the container
+ before sending its own to systemd. For more details about notifications
+ see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>System Identity Options</title>
+
+ <variablelist>
<varlistentry>
<term><option>-M</option></term>
<term><option>--machine=</option></term>
instead.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--hostname=</option></term>
+
+ <listitem><para>Controls the hostname to set within the container, if different from the machine name. Expects
+ a valid hostname as argument. If this option is used, the kernel hostname of the container will be set to this
+ value, otherwise it will be initialized to the machine name as controlled by the <option>--machine=</option>
+ option described above. The machine name is used for various aspect of identification of the container from the
+ outside, the kernel hostname configurable with this option is useful for the container to identify itself from
+ the inside. It is usually a good idea to keep both forms of identification synchronized, in order to avoid
+ confusion. It is hence recommended to avoid usage of this option, and use <option>--machine=</option>
+ exclusively. Note that regardless whether the container's hostname is initialized from the name set with
+ <option>--hostname=</option> or the one set with <option>--machine=</option>, the container can later override
+ its kernel hostname freely on its own as well.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--uuid=</option></term>
<filename>/etc/machine-id</filename> in the container is
unpopulated.</para></listitem>
</varlistentry>
+ </variablelist>
+ </refsect2><refsect2>
+ <title>Property Options</title>
+
+ <variablelist>
<varlistentry>
<term><option>-S</option></term>
<term><option>--slice=</option></term>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--register=</option></term>
+
+ <listitem><para>Controls whether the container is registered with
+ <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes a
+ boolean argument, which defaults to <literal>yes</literal>. This option should be enabled when the container
+ runs a full Operating System (more specifically: a system and service manager as PID 1), and is useful to
+ ensure that the container is accessible via
+ <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and shown by
+ tools such as <citerefentry
+ project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If the container
+ does not run a service manager, it is recommended to set this option to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--keep-unit</option></term>
+
+ <listitem><para>Instead of creating a transient scope unit to run the container in, simply use the service or
+ scope unit <command>systemd-nspawn</command> has been invoked in. If <option>--register=yes</option> is set
+ this unit is registered with
+ <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
+ switch should be used if <command>systemd-nspawn</command> is invoked from within a service unit, and the
+ service unit's sole purpose is to run a single <command>systemd-nspawn</command> container. This option is not
+ available if run from a user session.</para>
+ <para>Note that passing <option>--keep-unit</option> disables the effect of <option>--slice=</option> and
+ <option>--property=</option>. Use <option>--keep-unit</option> and <option>--register=no</option> in
+ combination to disable any kind of unit allocation or registration with
+ <command>systemd-machined</command>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>User Namespacing Options</title>
+
+ <variablelist>
<varlistentry>
<term><option>--private-users=</option></term>
</listitem>
</varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Networking Options</title>
+
+ <variablelist>
+
<varlistentry>
<term><option>--private-network</option></term>
</para></listitem>
</varlistentry>
- <varlistentry>
- <term><option>--network-namespace-path=</option></term>
-
- <listitem><para>Takes the path to a file representing a kernel
- network namespace that the container shall run in. The specified path
- should refer to a (possibly bind-mounted) network namespace file, as
- exposed by the kernel below <filename>/proc/$PID/ns/net</filename>.
- This makes the container enter the given network namespace. One of the
- typical use cases is to give a network namespace under
- <filename>/run/netns</filename> created by <citerefentry
- project='man-pages'><refentrytitle>ip-netns</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- for example, <option>--network-namespace-path=/run/netns/foo</option>.
- Note that this option cannot be used together with other
- network-related options, such as <option>--private-network</option>
- or <option>--network-interface=</option>.</para></listitem>
- </varlistentry>
-
<varlistentry>
<term><option>--network-interface=</option></term>
<para>Note that <option>--network-veth</option> is the default if the
<filename>systemd-nspawn@.service</filename> template unit file is used.</para>
+
+ <para>Note that on Linux network interface names may have a length of 15 characters at maximum, while
+ container names may have a length up to 64 characters. As this option derives the host-side interface
+ name from the container name the name is possibly truncated. Thus, care needs to be taken to ensure
+ that interface names remain unique in this case, or even better container names are generally not
+ chosen longer than 12 characters, to avoid the truncation. Alternatively, the
+ <option>--network-veth-extra=</option> option may be used, which allows free configuration of the
+ host-side interface name independently of the container name — but might require a bit more
+ additional configuration in case bridging in a fashion similar to <option>--network-bridge=</option>
+ is desired.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--network-bridge=</option></term>
- <listitem><para>Adds the host side of the Ethernet link created with <option>--network-veth</option> to the
- specified Ethernet bridge interface. Expects a valid network interface name of a bridge device as
- argument. Note that <option>--network-bridge=</option> implies <option>--network-veth</option>. If this option
- is used, the host side of the Ethernet link will use the <literal>vb-</literal> prefix instead of
- <literal>ve-</literal>.</para></listitem>
+ <listitem><para>Adds the host side of the Ethernet link created with <option>--network-veth</option>
+ to the specified Ethernet bridge interface. Expects a valid network interface name of a bridge device
+ as argument. Note that <option>--network-bridge=</option> implies <option>--network-veth</option>. If
+ this option is used, the host side of the Ethernet link will use the <literal>vb-</literal> prefix
+ instead of <literal>ve-</literal>. Regardless of the used naming prefix the same network interface
+ name length limits imposed by Linux apply, along with the complications this creates (for details see
+ above).</para></listitem>
</varlistentry>
<varlistentry>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--network-namespace-path=</option></term>
+
+ <listitem><para>Takes the path to a file representing a kernel
+ network namespace that the container shall run in. The specified path
+ should refer to a (possibly bind-mounted) network namespace file, as
+ exposed by the kernel below <filename>/proc/$PID/ns/net</filename>.
+ This makes the container enter the given network namespace. One of the
+ typical use cases is to give a network namespace under
+ <filename>/run/netns</filename> created by <citerefentry
+ project='man-pages'><refentrytitle>ip-netns</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ for example, <option>--network-namespace-path=/run/netns/foo</option>.
+ Note that this option cannot be used together with other
+ network-related options, such as <option>--private-network</option>
+ or <option>--network-interface=</option>.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>-p</option></term>
<term><option>--port=</option></term>
<option>--network-veth</option>, <option>--network-zone=</option>
<option>--network-bridge=</option>.</para></listitem>
</varlistentry>
+ </variablelist>
- <varlistentry>
- <term><option>-Z</option></term>
- <term><option>--selinux-context=</option></term>
-
- <listitem><para>Sets the SELinux security context to be used
- to label processes in the container.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-L</option></term>
- <term><option>--selinux-apifs-context=</option></term>
-
- <listitem><para>Sets the SELinux security context to be used
- to label files in the virtual API file systems in the
- container.</para>
- </listitem>
- </varlistentry>
+ </refsect2><refsect2>
+ <title>Security Options</title>
+ <variablelist>
<varlistentry>
<term><option>--capability=</option></term>
above).</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--no-new-privileges=</option></term>
+
+ <listitem><para>Takes a boolean argument. Specifies the value of the <constant>PR_SET_NO_NEW_PRIVS</constant>
+ flag for the container payload. Defaults to off. When turned on the payload code of the container cannot
+ acquire new privileges, i.e. the "setuid" file bit as well as file system capabilities will not have an effect
+ anymore. See <citerefentry
+ project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details
+ about this flag. </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--system-call-filter=</option></term>
</varlistentry>
<varlistentry>
- <term><option>--kill-signal=</option></term>
+ <term><option>-Z</option></term>
+ <term><option>--selinux-context=</option></term>
+
+ <listitem><para>Sets the SELinux security context to be used
+ to label processes in the container.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-L</option></term>
+ <term><option>--selinux-apifs-context=</option></term>
+
+ <listitem><para>Sets the SELinux security context to be used
+ to label files in the virtual API file systems in the
+ container.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Resource Options</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><option>--rlimit=</option></term>
+
+ <listitem><para>Sets the specified POSIX resource limit for the container payload. Expects an assignment of the
+ form
+ <literal><replaceable>LIMIT</replaceable>=<replaceable>SOFT</replaceable>:<replaceable>HARD</replaceable></literal>
+ or <literal><replaceable>LIMIT</replaceable>=<replaceable>VALUE</replaceable></literal>, where
+ <replaceable>LIMIT</replaceable> should refer to a resource limit type, such as
+ <constant>RLIMIT_NOFILE</constant> or <constant>RLIMIT_NICE</constant>. The <replaceable>SOFT</replaceable> and
+ <replaceable>HARD</replaceable> fields should refer to the numeric soft and hard resource limit values. If the
+ second form is used, <replaceable>VALUE</replaceable> may specify a value that is used both as soft and hard
+ limit. In place of a numeric value the special string <literal>infinity</literal> may be used to turn off
+ resource limiting for the specific type of resource. This command line option may be used multiple times to
+ control limits on multiple limit types. If used multiple times for the same limit type, the last use
+ wins. For details about resource limits see <citerefentry
+ project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>. By default
+ resource limits for the container's init process (PID 1) are set to the same values the Linux kernel originally
+ passed to the host init system. Note that some resource limits are enforced on resources counted per user, in
+ particular <constant>RLIMIT_NPROC</constant>. This means that unless user namespacing is deployed
+ (i.e. <option>--private-users=</option> is used, see above), any limits set will be applied to the resource
+ usage of the same user on all local containers as well as the host. This means particular care needs to be
+ taken with these limits as they might be triggered by possibly less trusted code. Example:
+ <literal>--rlimit=RLIMIT_NOFILE=8192:16384</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--oom-score-adjust=</option></term>
+
+ <listitem><para>Changes the OOM ("Out Of Memory") score adjustment value for the container payload. This controls
+ <filename>/proc/self/oom_score_adj</filename> which influences the preference with which this container is
+ terminated when memory becomes scarce. For details see <citerefentry
+ project='man-pages'><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>. Takes an
+ integer in the range -1000…1000.</para></listitem>
+ </varlistentry>
- <listitem><para>Specify the process signal to send to the
- container's PID 1 when nspawn itself receives SIGTERM, in
- order to trigger an orderly shutdown of the
- container. Defaults to SIGRTMIN+3 if <option>--boot</option>
- is used (on systemd-compatible init systems SIGRTMIN+3
- triggers an orderly shutdown). For a list of valid signals, see
- <citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
+ <varlistentry>
+ <term><option>--cpu-affinity=</option></term>
+
+ <listitem><para>Controls the CPU affinity of the container payload. Takes a comma separated list of CPU numbers
+ or number ranges (the latter's start and end value separated by dashes). See <citerefentry
+ project='man-pages'><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
+ details.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--personality=</option></term>
+
+ <listitem><para>Control the architecture ("personality")
+ reported by
+ <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ in the container. Currently, only <literal>x86</literal> and
+ <literal>x86-64</literal> are supported. This is useful when
+ running a 32-bit container on a 64-bit host. If this setting
+ is not used, the personality reported in the container is the
+ same as the one reported on the host.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Integration Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--resolv-conf=</option></term>
+
+ <listitem><para>Configures how <filename>/etc/resolv.conf</filename> inside of the container (i.e. DNS
+ configuration synchronization from host to container) shall be handled. Takes one of <literal>off</literal>,
+ <literal>copy-host</literal>, <literal>copy-static</literal>, <literal>bind-host</literal>,
+ <literal>bind-static</literal>, <literal>delete</literal> or <literal>auto</literal>. If set to
+ <literal>off</literal> the <filename>/etc/resolv.conf</filename> file in the container is left as it is
+ included in the image, and neither modified nor bind mounted over. If set to <literal>copy-host</literal>, the
+ <filename>/etc/resolv.conf</filename> file from the host is copied into the container. Similar, if
+ <literal>bind-host</literal> is used, the file is bind mounted from the host into the container. If set to
+ <literal>copy-static</literal> the static <filename>resolv.conf</filename> file supplied with
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> is
+ copied into the container, and correspondingly <literal>bind-static</literal> bind mounts it there. If set to
+ <literal>delete</literal> the <filename>/etc/resolv.conf</filename> file in the container is deleted if it
+ exists. Finally, if set to <literal>auto</literal> the file is left as it is if private networking is turned on
+ (see <option>--private-network</option>). Otherwise, if <filename>systemd-resolved.service</filename> is
+ connectible its static <filename>resolv.conf</filename> file is used, and if not the host's
+ <filename>/etc/resolv.conf</filename> file is used. In the latter cases the file is copied if the image is
+ writable, and bind mounted otherwise. It's recommended to use <literal>copy</literal> if the container shall be
+ able to make changes to the DNS configuration on its own, deviating from the host's settings. Otherwise
+ <literal>bind</literal> is preferable, as it means direct changes to <filename>/etc/resolv.conf</filename> in
+ the container are not allowed, as it is a read-only bind mount (but note that if the container has enough
+ privileges, it might simply go ahead and unmount the bind mount anyway). Note that both if the file is bind
+ mounted and if it is copied no further propagation of configuration is generally done after the one-time early
+ initialization (this is because the file is usually updated through copying and renaming). Defaults to
+ <literal>auto</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--timezone=</option></term>
+
+ <listitem><para>Configures how <filename>/etc/localtime</filename> inside of the container (i.e. local timezone
+ synchronization from host to container) shall be handled. Takes one of <literal>off</literal>,
+ <literal>copy</literal>, <literal>bind</literal>, <literal>symlink</literal>, <literal>delete</literal> or
+ <literal>auto</literal>. If set to <literal>off</literal> the <filename>/etc/localtime</filename> file in the
+ container is left as it is included in the image, and neither modified nor bind mounted over. If set to
+ <literal>copy</literal> the <filename>/etc/localtime</filename> file of the host is copied into the
+ container. Similar, if <literal>bind</literal> is used, it is bind mounted from the host into the container. If
+ set to <literal>symlink</literal> a symlink from <filename>/etc/localtime</filename> in the container is
+ created pointing to the matching the timezone file of the container that matches the timezone setting on the
+ host. If set to <literal>delete</literal> the file in the container is deleted, should it exist. If set to
+ <literal>auto</literal> and the <filename>/etc/localtime</filename> file of the host is a symlink, then
+ <literal>symlink</literal> mode is used, and <literal>copy</literal> otherwise, except if the image is
+ read-only in which case <literal>bind</literal> is used instead. Defaults to
+ <literal>auto</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<option>--link-journal=try-guest</option>.</para></listitem>
</varlistentry>
- <varlistentry>
- <term><option>--read-only</option></term>
+ </variablelist>
- <listitem><para>Mount the root file system read-only for the
- container.</para></listitem>
- </varlistentry>
+ </refsect2><refsect2>
+ <title>Mount Options</title>
+
+ <variablelist>
<varlistentry>
<term><option>--bind=</option></term>
make them read-only, using <option>--bind-ro=</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--inaccessible=</option></term>
+
+ <listitem><para>Make the specified path inaccessible in the container. This over-mounts the specified path
+ (which must exist in the container) with a file node of the same type that is empty and has the most
+ restrictive access mode supported. This is an effective way to mask files, directories and other file system
+ objects from the container payload. This option may be used more than once in case all specified paths are
+ masked.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--tmpfs=</option></term>
- <listitem><para>Mount a tmpfs file system into the container.
- Takes a single absolute path argument that specifies where to
- mount the tmpfs instance to (in which case the directory
- access mode will be chosen as 0755, owned by root/root), or
- optionally a colon-separated pair of path and mount option
- string that is used for mounting (in which case the kernel
- default for access mode and owner will be chosen, unless
- otherwise specified). This option is particularly useful for
- mounting directories such as <filename>/var</filename> as
- tmpfs, to allow state-less systems, in particular when
- combined with <option>--read-only</option>.
- Backslash escapes are interpreted in the path, so
- <literal>\:</literal> may be used to embed colons in the path.
- </para></listitem>
+ <listitem><para>Mount a tmpfs file system into the container. Takes a single absolute path argument that
+ specifies where to mount the tmpfs instance to (in which case the directory access mode will be chosen as 0755,
+ owned by root/root), or optionally a colon-separated pair of path and mount option string that is used for
+ mounting (in which case the kernel default for access mode and owner will be chosen, unless otherwise
+ specified). Backslash escapes are interpreted in the path, so <literal>\:</literal> may be used to embed colons
+ in the path.</para>
+
+ <para>Note that this option cannot be used to replace the root file system of the container with a temporary
+ file system. However, the <option>--volatile=</option> option described below provides similar
+ functionality, with a focus on implementing stateless operating system images.</para></listitem>
</varlistentry>
<varlistentry>
be on the same file system as the top-most directory
tree). Also note that the <literal>lowerdir=</literal> mount
option receives the paths to stack in the opposite order of
- this switch.</para></listitem>
- </varlistentry>
+ this switch.</para>
- <varlistentry>
- <term><option>-E <replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term>
- <term><option>--setenv=<replaceable>NAME</replaceable>=<replaceable>VALUE</replaceable></option></term>
-
- <listitem><para>Specifies an environment variable assignment
- to pass to the init process in the container, in the format
- <literal>NAME=VALUE</literal>. This may be used to override
- the default variables or to set additional variables. This
- parameter may be used more than once.</para></listitem>
+ <para>Note that this option cannot be used to replace the root file system of the container with an overlay
+ file system. However, the <option>--volatile=</option> option described above provides similar functionality,
+ with a focus on implementing stateless operating system images.</para></listitem>
</varlistentry>
+ </variablelist>
- <varlistentry>
- <term><option>--register=</option></term>
-
- <listitem><para>Controls whether the container is registered with
- <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes a
- boolean argument, which defaults to <literal>yes</literal>. This option should be enabled when the container
- runs a full Operating System (more specifically: a system and service manager as PID 1), and is useful to
- ensure that the container is accessible via
- <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and shown by
- tools such as <citerefentry
- project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If the container
- does not run a service manager, it is recommended to set this option to
- <literal>no</literal>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>--keep-unit</option></term>
-
- <listitem><para>Instead of creating a transient scope unit to run the container in, simply use the service or
- scope unit <command>systemd-nspawn</command> has been invoked in. If <option>--register=yes</option> is set
- this unit is registered with
- <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
- switch should be used if <command>systemd-nspawn</command> is invoked from within a service unit, and the
- service unit's sole purpose is to run a single <command>systemd-nspawn</command> container. This option is not
- available if run from a user session.</para>
- <para>Note that passing <option>--keep-unit</option> disables the effect of <option>--slice=</option> and
- <option>--property=</option>. Use <option>--keep-unit</option> and <option>--register=no</option> in
- combination to disable any kind of unit allocation or registration with
- <command>systemd-machined</command>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>--personality=</option></term>
-
- <listitem><para>Control the architecture ("personality")
- reported by
- <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- in the container. Currently, only <literal>x86</literal> and
- <literal>x86-64</literal> are supported. This is useful when
- running a 32-bit container on a 64-bit host. If this setting
- is not used, the personality reported in the container is the
- same as the one reported on the host.</para></listitem>
- </varlistentry>
+ </refsect2><refsect2>
+ <title>Input/Output Options</title>
+ <variablelist>
<varlistentry>
- <term><option>-q</option></term>
- <term><option>--quiet</option></term>
-
- <listitem><para>Turns off any status output by the tool
- itself. When this switch is used, the only output from nspawn
- will be the console output of the container OS
- itself.</para></listitem>
+ <term><option>--console=</option><replaceable>MODE</replaceable></term>
+
+ <listitem><para>Configures how to set up standard input, output and error output for the container payload, as
+ well as the <filename>/dev/console</filename> device for the container. Takes one of
+ <option>interactive</option>, <option>read-only</option>, <option>passive</option> or <option>pipe</option>. If
+ <option>interactive</option> a pseudo-TTY is allocated and made available as <filename>/dev/console</filename>
+ in the container. It is then bi-directionally connected to the standard input and output passed to
+ <command>systemd-nspawn</command>. <option>read-only</option> is similar but only the output of the container
+ is propagated and no input from the caller is read. In <option>passive</option> mode a pseudo TTY is allocated,
+ but it is not connected anywhere. Finally, in <option>pipe</option> mode no pseudo TTY is allocated, but the
+ passed standard input, output and error output file descriptors are passed on — as they are — to the container
+ payload. In this mode <filename>/dev/console</filename> will not exist in the container. Note that in this mode
+ the container payload generally cannot be a full init system as init systems tend to require
+ <filename>/dev/console</filename> to be available. On the other hand, in this mode container invocations can be
+ used within shell pipelines. This is because intermediary pseudo TTYs do not permit independent bidirectional
+ propagation of the end-of-file (EOF) condition, which is necessary for shell pipelines to work
+ correctly.</para>
+
+ <para>Note that the <option>pipe</option> mode should be used carefully, as passing arbitrary file descriptors
+ to less trusted container payloads might open up unwanted interfaces for access by the container payload. For
+ example, if a passed file descriptor refers to a TTY of some form, APIs such as <constant>TIOCSTI</constant>
+ may be used to synthesize input that might be used for escaping the container. Hence <option>pipe</option> mode
+ should only be used if the payload is sufficiently trusted or when the standard input/output/error output file
+ descriptors are known safe, for example pipes. Defaults to <option>interactive</option> if
+ <command>systemd-nspawn</command> is invoked from a terminal, and <option>read-only</option>
+ otherwise.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--volatile</option></term>
- <term><option>--volatile=</option><replaceable>MODE</replaceable></term>
-
- <listitem><para>Boots the container in volatile mode. When no
- mode parameter is passed or when mode is specified as
- <option>yes</option>, full volatile mode is enabled. This
- means the root directory is mounted as a mostly unpopulated
- <literal>tmpfs</literal> instance, and
- <filename>/usr</filename> from the OS tree is mounted into it
- in read-only mode (the system thus starts up with read-only OS
- image, but pristine state and configuration, any changes
- are lost on shutdown). When the mode parameter
- is specified as <option>state</option>, the OS tree is
- mounted read-only, but <filename>/var</filename> is mounted as
- a <literal>tmpfs</literal> instance into it (the system thus
- starts up with read-only OS resources and configuration, but
- pristine state, and any changes to the latter are lost on
- shutdown). When the mode parameter is specified as
- <option>no</option> (the default), the whole OS tree is made
- available writable.</para>
+ <term><option>--pipe</option></term>
+ <term><option>-P</option></term>
- <para>This option provides similar functionality for containers as the <literal>systemd.volatile=</literal>
- kernel command line switch provides for host systems. See
- <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
- details.</para>
-
- <para>Note that enabling this setting will only work correctly with operating systems in the container that can
- boot up with only <filename>/usr</filename> mounted, and are able to automatically populate
- <filename>/var</filename>, and also <filename>/etc</filename> in case of
- <literal>--volatile=yes</literal>.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>--settings=</option><replaceable>MODE</replaceable></term>
-
- <listitem><para>Controls whether
- <command>systemd-nspawn</command> shall search for and use
- additional per-container settings from
- <filename>.nspawn</filename> files. Takes a boolean or the
- special values <option>override</option> or
- <option>trusted</option>.</para>
-
- <para>If enabled (the default), a settings file named after the
- machine (as specified with the <option>--machine=</option>
- setting, or derived from the directory or image file name)
- with the suffix <filename>.nspawn</filename> is searched in
- <filename>/etc/systemd/nspawn/</filename> and
- <filename>/run/systemd/nspawn/</filename>. If it is found
- there, its settings are read and used. If it is not found
- there, it is subsequently searched in the same directory as the
- image file or in the immediate parent of the root directory of
- the container. In this case, if the file is found, its settings
- will be also read and used, but potentially unsafe settings
- are ignored. Note that in both these cases, settings on the
- command line take precedence over the corresponding settings
- from loaded <filename>.nspawn</filename> files, if both are
- specified. Unsafe settings are considered all settings that
- elevate the container's privileges or grant access to
- additional resources such as files or directories of the
- host. For details about the format and contents of
- <filename>.nspawn</filename> files, consult
- <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
-
- <para>If this option is set to <option>override</option>, the
- file is searched, read and used the same way, however, the order of
- precedence is reversed: settings read from the
- <filename>.nspawn</filename> file will take precedence over
- the corresponding command line options, if both are
- specified.</para>
-
- <para>If this option is set to <option>trusted</option>, the
- file is searched, read and used the same way, but regardless
- of being found in <filename>/etc/systemd/nspawn/</filename>,
- <filename>/run/systemd/nspawn/</filename> or next to the image
- file or container root directory, all settings will take
- effect, however, command line arguments still take precedence
- over corresponding settings.</para>
-
- <para>If disabled, no <filename>.nspawn</filename> file is read
- and no settings except the ones on the command line are in
- effect.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>--notify-ready=</option></term>
-
- <listitem><para>Configures support for notifications from the container's init process.
- <option>--notify-ready=</option> takes a boolean (<option>no</option> and <option>yes</option>).
- With option <option>no</option> systemd-nspawn notifies systemd
- with a <literal>READY=1</literal> message when the init process is created.
- With option <option>yes</option> systemd-nspawn waits for the
- <literal>READY=1</literal> message from the init process in the container
- before sending its own to systemd. For more details about notifications
- see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>).</para></listitem>
+ <listitem><para>Equivalent to <option>--console=pipe</option>.</para></listitem>
</varlistentry>
+ <xi:include href="standard-options.xml" xpointer="no-pager" />
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>
-
+ </refsect2>
</refsect1>
+ <xi:include href="less-variables.xml" />
+
<refsect1>
<title>Examples</title>
<ulink url="https://getfedora.org">Fedora</ulink> image and start a shell in it</title>
<programlisting># machinectl pull-raw --verify=no \
- https://download.fedoraproject.org/pub/fedora/linux/releases/25/CloudImages/x86_64/images/Fedora-Cloud-Base-25-1.3.x86_64.raw.xz
-# systemd-nspawn -M Fedora-Cloud-Base-25-1.3.x86_64.raw</programlisting>
+ https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz
+# systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64</programlisting>
<para>This downloads an image using
<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
<example>
<title>Build and boot a minimal Fedora distribution in a container</title>
- <programlisting># dnf -y --releasever=27 --installroot=/var/lib/machines/f27container \
+ <programlisting># dnf -y --releasever=&fedora_latest_version; --installroot=/var/lib/machines/f&fedora_latest_version; \
--disablerepo='*' --enablerepo=fedora --enablerepo=updates install \
systemd passwd dnf fedora-release vim-minimal
-# systemd-nspawn -bD /var/lib/machines/f27container</programlisting>
+# systemd-nspawn -bD /var/lib/machines/f&fedora_latest_version;</programlisting>
<para>This installs a minimal Fedora distribution into the
- directory <filename noindex='true'>/var/lib/machines/f27container</filename>
+ directory <filename noindex='true'>/var/lib/machines/f&fedora_latest_version;</filename>
and then boots an OS in a namespace container in it. Because the installation
is located underneath the standard <filename>/var/lib/machines/</filename>
directory, it is also possible to start the machine using
- <command>systemd-nspawn -M f27container</command>.</para>
+ <command>systemd-nspawn -M f&fedora_latest_version;</command>.</para>
</example>
<example>
projects / thirdparty / systemd.git / blobdiff