1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
6 This file is part of systemd.
8 Copyright 2010 Lennart Poettering
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 <refentry id="systemd-nspawn"
25 xmlns:xi="http://www.w3.org/2001/XInclude">
28 <title>systemd-nspawn</title>
29 <productname>systemd</productname>
33 <contrib>Developer</contrib>
34 <firstname>Lennart</firstname>
35 <surname>Poettering</surname>
36 <email>lennart@poettering.net</email>
42 <refentrytitle>systemd-nspawn</refentrytitle>
43 <manvolnum>1</manvolnum>
47 <refname>systemd-nspawn</refname>
48 <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
53 <command>systemd-nspawn</command>
54 <arg choice="opt" rep="repeat">OPTIONS</arg>
55 <arg choice="opt"><replaceable>COMMAND</replaceable>
56 <arg choice="opt" rep="repeat">ARGS</arg>
60 <command>systemd-nspawn</command>
61 <arg choice="plain">-b</arg>
62 <arg choice="opt" rep="repeat">OPTIONS</arg>
63 <arg choice="opt" rep="repeat">ARGS</arg>
68 <title>Description</title>
70 <para><command>systemd-nspawn</command> may be used to
71 run a command or OS in a light-weight namespace
72 container. In many ways it is similar to
73 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
74 but more powerful since it fully virtualizes the file
75 system hierarchy, as well as the process tree, the
76 various IPC subsystems and the host and domain
79 <para><command>systemd-nspawn</command> limits access
80 to various kernel interfaces in the container to
81 read-only, such as <filename>/sys</filename>,
82 <filename>/proc/sys</filename> or
83 <filename>/sys/fs/selinux</filename>. Network
84 interfaces and the system clock may not be changed
85 from within the container. Device nodes may not be
86 created. The host system cannot be rebooted and kernel
87 modules may not be loaded from within the
90 <para>Note that even though these security precautions
91 are taken <command>systemd-nspawn</command> is not
92 suitable for secure container setups. Many of the
93 security features may be circumvented and are hence
94 primarily useful to avoid accidental changes to the
95 host system from the container. The intended use of
96 this program is debugging and testing as well as
97 building of packages, distributions and software
98 involved with boot and systems management.</para>
101 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
102 may be used to boot full Linux-based operating systems
103 in a container.</para>
105 <para>Use a tool like
106 <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
107 <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
109 <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
110 to set up an OS directory tree suitable as file system
111 hierarchy for <command>systemd-nspawn</command>
114 <para>Note that <command>systemd-nspawn</command> will
115 mount file systems private to the container to
116 <filename>/dev</filename>,
117 <filename>/run</filename> and similar. These will
118 not be visible outside of the container, and their
119 contents will be lost when the container exits.</para>
121 <para>Note that running two
122 <command>systemd-nspawn</command> containers from the
123 same directory tree will not make processes in them
124 see each other. The PID namespace separation of the
125 two containers is complete and the containers will
126 share very few runtime objects except for the
127 underlying file system. Use
128 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
129 <command>login</command> command to request an
130 additional login prompt in a running container.</para>
132 <para><command>systemd-nspawn</command> implements the
134 url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
135 Interface</ulink> specification.</para>
137 <para>As a safety check
138 <command>systemd-nspawn</command> will verify the
139 existence of <filename>/usr/lib/os-release</filename>
140 or <filename>/etc/os-release</filename> in the
141 container tree before starting the container (see
142 <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It
143 might be necessary to add this file to the container
144 tree manually if the OS of the container is too old to
145 contain this file out-of-the-box.</para>
149 <title>Options</title>
151 <para>If option <option>-b</option> is specified, the
152 arguments are used as arguments for the init
153 binary. Otherwise, <replaceable>COMMAND</replaceable>
154 specifies the program to launch in the container, and
155 the remaining arguments are used as arguments for this
156 program. If <option>-b</option> is not used and no
157 arguments are specifed, a shell is launched in the
160 <para>The following options are understood:</para>
164 <term><option>-D</option></term>
165 <term><option>--directory=</option></term>
167 <listitem><para>Directory to use as
168 file system root for the container.</para>
171 <option>--directory=</option>, nor
172 <option>--image=</option> is specified
173 the directory is determined as
174 <filename>/var/lib/machines/</filename>
175 suffixed by the machine name as
177 <option>--machine=</option>. If
178 neither <option>--directory=</option>,
179 <option>--image=</option>, nor
180 <option>--machine=</option> are
181 specified, the current directory will
182 be used. May not be specified together
184 <option>--image=</option>.</para></listitem>
188 <term><option>--template=</option></term>
190 <listitem><para>Directory or
191 <literal>btrfs</literal> subvolume to
192 use as template for the container's
193 root directory. If this is specified
194 and the container's root directory (as
196 <option>--directory=</option>) does
197 not yet exist it is created as
198 <literal>btrfs</literal> subvolume and
199 populated from this template
200 tree. Ideally, the specified template
201 path refers to the root of a
202 <literal>btrfs</literal> subvolume, in
203 which case a simple copy-on-write
204 snapshot is taken, and populating the
205 root directory is instant. If the
206 specified template path does not refer
208 <literal>btrfs</literal> subvolume (or
209 not even to a <literal>btrfs</literal>
210 file system at all), the tree is
211 copied, which can be substantially
212 more time-consuming. Note that if this
213 option is used the container's root
214 directory (in contrast to the template
215 directory!) must be located on a
216 <literal>btrfs</literal> file system,
217 so that the <literal>btrfs</literal>
218 subvolume may be created. May not be
219 specified together with
220 <option>--image=</option> or
221 <option>--ephemeral</option>.</para></listitem>
225 <term><option>-x</option></term>
226 <term><option>--ephemeral</option></term>
228 <listitem><para>If specified, the
229 container is run with a temporary
230 <literal>btrfs</literal> snapshot of
231 its root directory (as configured with
232 <option>--directory=</option>), that
233 is removed immediately when the
234 container terminates. This option is
235 only supported if the root file system
236 is <literal>btrfs</literal>. May not
237 be specified together with
238 <option>--image=</option> or
239 <option>--template=</option>.</para></listitem>
243 <term><option>-i</option></term>
244 <term><option>--image=</option></term>
246 <listitem><para>Disk image to mount
247 the root directory for the container
248 from. Takes a path to a regular file
249 or to a block device node. The file or
250 block device must contain either an
251 MBR partition table with a single
252 partition of type 0x83 that is marked
253 bootable, or a GUID partition table
254 with a root partition which is mounted
255 as the root directory of the
256 container. Optionally, GPT images may
257 contain a home and/or a server data
258 partition which are mounted to the
259 appropriate places in the
260 container. All these partitions must
261 be identified by the partition types
262 defined by the <ulink
263 url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
264 Partitions Specification</ulink>. Any
265 other partitions, such as foreign
266 partitions, swap partitions or EFI
267 system partitions are not mounted. May
268 not be specified together with
269 <option>--directory=</option>,
270 <option>--template=</option> or
271 <option>--ephemeral</option>.</para></listitem>
275 <term><option>-b</option></term>
276 <term><option>--boot</option></term>
278 <listitem><para>Automatically search
279 for an init binary and invoke it
280 instead of a shell or a user supplied
281 program. If this option is used,
282 arguments specified on the command
283 line are used as arguments for the
284 init binary. This option may not be
286 <option>--share-system</option>.
291 <term><option>-u</option></term>
292 <term><option>--user=</option></term>
294 <listitem><para>After transitioning
295 into the container, change to the
296 specified user-defined in the
297 container's user database. Like all
298 other systemd-nspawn features, this is
299 not a security feature and provides
300 protection against accidental
301 destructive operations
302 only.</para></listitem>
306 <term><option>-M</option></term>
307 <term><option>--machine=</option></term>
309 <listitem><para>Sets the machine name
310 for this container. This name may be
311 used to identify this container during
312 its runtime (for example in tools like
313 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
314 and similar), and is used to
315 initialize the container's hostname
316 (which the container can choose to
317 override, however). If not specified,
318 the last component of the root
319 directory path of the container is
320 used, possibly suffixed with a random
322 <option>--ephemeral</option> mode is
323 selected. If the root directory
324 selected is the host's root directory
325 the host's hostname is used as default
326 instead.</para></listitem>
330 <term><option>--uuid=</option></term>
332 <listitem><para>Set the specified UUID
333 for the container. The init system
335 <filename>/etc/machine-id</filename>
336 from this if this file is not set yet.
341 <term><option>--slice=</option></term>
343 <listitem><para>Make the container
344 part of the specified slice, instead
346 <filename>machine.slice</filename>.</para>
351 <term><option>--private-network</option></term>
353 <listitem><para>Disconnect networking
354 of the container from the host. This
355 makes all network interfaces
356 unavailable in the container, with the
357 exception of the loopback device and
359 <option>--network-interface=</option>
361 <option>--network-veth</option>. If
362 this option is specified, the
363 CAP_NET_ADMIN capability will be added
364 to the set of capabilities the
365 container retains. The latter may be
367 <option>--drop-capability=</option>.</para></listitem>
371 <term><option>--network-interface=</option></term>
373 <listitem><para>Assign the specified
374 network interface to the
375 container. This will remove the
376 specified interface from the calling
377 namespace and place it in the
378 container. When the container
379 terminates, it is moved back to the
380 host namespace. Note that
381 <option>--network-interface=</option>
383 <option>--private-network</option>. This
384 option may be used more than once to
385 add multiple network interfaces to the
386 container.</para></listitem>
390 <term><option>--network-macvlan=</option></term>
392 <listitem><para>Create a
393 <literal>macvlan</literal> interface
394 of the specified Ethernet network
395 interface and add it to the
397 <literal>macvlan</literal> interface
398 is a virtual interface that adds a
399 second MAC address to an existing
400 physical Ethernet link. The interface
401 in the container will be named after
402 the interface on the host, prefixed
403 with <literal>mv-</literal>. Note that
404 <option>--network-macvlan=</option>
406 <option>--private-network</option>. This
407 option may be used more than once to
408 add multiple network interfaces to the
409 container.</para></listitem>
413 <term><option>--network-ipvlan=</option></term>
415 <listitem><para>Create a
416 <literal>ipvlan</literal> interface
417 of the specified Ethernet network
418 interface and add it to the
420 <literal>ipvlan</literal> interface
421 is a virtual interface, similar to a
422 <literal>macvlan</literal> interface, which
423 uses the same MAC address as the underlying
424 interface. The interface
425 in the container will be named after
426 the interface on the host, prefixed
427 with <literal>iv-</literal>. Note that
428 <option>--network-ipvlan=</option>
430 <option>--private-network</option>. This
431 option may be used more than once to
432 add multiple network interfaces to the
433 container.</para></listitem>
437 <term><option>-n</option></term>
438 <term><option>--network-veth</option></term>
440 <listitem><para>Create a virtual
442 (<literal>veth</literal>) between host
443 and container. The host side of the
444 Ethernet link will be available as a
445 network interface named after the
446 container's name (as specified with
447 <option>--machine=</option>), prefixed
448 with <literal>ve-</literal>. The
449 container side of the Ethernet
451 <literal>host0</literal>. Note that
452 <option>--network-veth</option>
454 <option>--private-network</option>.</para></listitem>
458 <term><option>--network-bridge=</option></term>
460 <listitem><para>Adds the host side of
461 the Ethernet link created with
462 <option>--network-veth</option> to the
463 specified bridge. Note that
464 <option>--network-bridge=</option>
466 <option>--network-veth</option>. If
467 this option is used, the host side of
468 the Ethernet link will use the
469 <literal>vb-</literal> prefix instead
470 of <literal>ve-</literal>.</para></listitem>
474 <term><option>-p</option></term>
475 <term><option>--port=</option></term>
477 <listitem><para>If private networking
478 is enabled, maps an IP port on the
479 host onto an IP port on the
480 container. Takes a protocol specifier
481 (either <literal>tcp</literal> or
482 <literal>udp</literal>), separated by
483 a colon from a host port number in the
484 range 1 to 65535, separated by a colon
485 from a container port number in the
486 range from 1 to 65535. The protocol
487 specifier and its separating colon may
488 be omitted, in which case
489 <literal>tcp</literal> is assumed.
490 The container port number and its
491 colon may be ommitted, in which case
492 the same port as the host port is
493 implied. This option is only supported
494 if private networking is used, such as
495 <option>--network-veth</option> or
496 <option>--network-bridge=</option>.</para></listitem>
500 <term><option>-Z</option></term>
501 <term><option>--selinux-context=</option></term>
503 <listitem><para>Sets the SELinux
504 security context to be used to label
505 processes in the container.</para>
510 <term><option>-L</option></term>
511 <term><option>--selinux-apifs-context=</option></term>
513 <listitem><para>Sets the SELinux security
514 context to be used to label files in
515 the virtual API file systems in the
521 <term><option>--capability=</option></term>
523 <listitem><para>List one or more
524 additional capabilities to grant the
525 container. Takes a comma-separated
526 list of capability names, see
527 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
528 for more information. Note that the
529 following capabilities will be granted
530 in any way: CAP_CHOWN,
531 CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
532 CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
535 CAP_NET_BIND_SERVICE,
536 CAP_NET_BROADCAST, CAP_NET_RAW,
537 CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
538 CAP_SETUID, CAP_SYS_ADMIN,
539 CAP_SYS_CHROOT, CAP_SYS_NICE,
540 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
541 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
543 CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
545 <option>--private-network</option> is
546 specified. If the special value
547 <literal>all</literal> is passed, all
549 retained.</para></listitem>
553 <term><option>--drop-capability=</option></term>
555 <listitem><para>Specify one or more
556 additional capabilities to drop for
557 the container. This allows running the
558 container with fewer capabilities than
559 the default (see above).</para></listitem>
563 <term><option>--link-journal=</option></term>
565 <listitem><para>Control whether the
566 container's journal shall be made
567 visible to the host system. If enabled,
568 allows viewing the container's journal
569 files from the host (but not vice
571 <literal>no</literal>,
572 <literal>host</literal>,
573 <literal>try-host</literal>,
574 <literal>guest</literal>,
575 <literal>try-guest</literal>,
576 <literal>auto</literal>. If
577 <literal>no</literal>, the journal is
578 not linked. If <literal>host</literal>,
579 the journal files are stored on the
580 host file system (beneath
581 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
582 and the subdirectory is bind-mounted
583 into the container at the same
584 location. If <literal>guest</literal>,
585 the journal files are stored on the
586 guest file system (beneath
587 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
588 and the subdirectory is symlinked into the host
589 at the same location. <literal>try-host</literal>
590 and <literal>try-guest</literal> do the same
591 but do not fail if the host does not have
592 persistent journalling enabled.
593 If <literal>auto</literal> (the default),
594 and the right subdirectory of
595 <filename>/var/log/journal</filename>
596 exists, it will be bind mounted
597 into the container. If the
598 subdirectory does not exist, no
599 linking is performed. Effectively,
600 booting a container once with
601 <literal>guest</literal> or
602 <literal>host</literal> will link the
603 journal persistently if further on
604 the default of <literal>auto</literal>
605 is used.</para></listitem>
609 <term><option>-j</option></term>
611 <listitem><para>Equivalent to
612 <option>--link-journal=try-guest</option>.</para></listitem>
616 <term><option>--read-only</option></term>
618 <listitem><para>Mount the root file
619 system read-only for the
620 container.</para></listitem>
624 <term><option>--bind=</option></term>
625 <term><option>--bind-ro=</option></term>
627 <listitem><para>Bind mount a file or
628 directory from the host into the
629 container. Either takes a path
630 argument -- in which case the
631 specified path will be mounted from
632 the host to the same path in the
633 container --, or a colon-separated
634 pair of paths -- in which case the
635 first specified path is the source in
636 the host, and the second path is the
637 destination in the container. The
638 <option>--bind-ro=</option> option
639 creates read-only bind
640 mounts.</para></listitem>
644 <term><option>--tmpfs=</option></term>
646 <listitem><para>Mount a tmpfs file
647 system into the container. Takes a
648 single absolute path argument that
649 specifies where to mount the tmpfs
650 instance to (in which case the
651 directory access mode will be chosen
652 as 0755, owned by root/root), or
653 optionally a colon-separated pair of
654 path and mount option string, that is
655 used for mounting (in which case the
656 kernel default for access mode and
657 owner will be chosen, unless otherwise
658 specified). This option is
659 particularly useful for mounting
661 <filename>/var</filename> as tmpfs, to
662 allow state-less systems, in
663 particular when combined with
664 <option>--read-only</option>.</para></listitem>
668 <term><option>--setenv=</option></term>
670 <listitem><para>Specifies an
671 environment variable assignment to
672 pass to the init process in the
673 container, in the format
674 <literal>NAME=VALUE</literal>. This
675 may be used to override the default
676 variables or to set additional
677 variables. This parameter may be used
678 more than once.</para></listitem>
682 <term><option>--share-system</option></term>
684 <listitem><para>Allows the container
685 to share certain system facilities
686 with the host. More specifically, this
687 turns off PID namespacing, UTS
688 namespacing and IPC namespacing, and
689 thus allows the guest to see and
690 interact more easily with processes
691 outside of the container. Note that
692 using this option makes it impossible
693 to start up a full Operating System in
694 the container, as an init system
695 cannot operate in this mode. It is
696 only useful to run specific programs
697 or applications this way, without
698 involving an init system in the
699 container. This option implies
700 <option>--register=no</option>. This
701 option may not be combined with
702 <option>--boot</option>.</para></listitem>
706 <term><option>--register=</option></term>
708 <listitem><para>Controls whether the
709 container is registered with
710 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
711 a boolean argument, defaults to
712 <literal>yes</literal>. This option
713 should be enabled when the container
714 runs a full Operating System (more
715 specifically: an init system), and is
716 useful to ensure that the container is
718 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
719 and shown by tools such as
720 <citerefentry project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
721 the container does not run an init
722 system, it is recommended to set this
723 option to <literal>no</literal>. Note
724 that <option>--share-system</option>
726 <option>--register=no</option>.
731 <term><option>--keep-unit</option></term>
733 <listitem><para>Instead of creating a
734 transient scope unit to run the
735 container in, simply register the
736 service or scope unit
737 <command>systemd-nspawn</command> has
739 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
741 <option>--register=no</option> is
742 used. This switch should be used if
743 <command>systemd-nspawn</command> is
744 invoked from within a service unit,
745 and the service unit's sole purpose
747 <command>systemd-nspawn</command>
748 container. This option is not
749 available if run from a user
750 session.</para></listitem>
754 <term><option>--personality=</option></term>
756 <listitem><para>Control the
757 architecture ("personality") reported
759 <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
760 in the container. Currently, only
761 <literal>x86</literal> and
762 <literal>x86-64</literal> are
763 supported. This is useful when running
764 a 32-bit container on a 64-bit
765 host. If this setting is not used,
766 the personality reported in the
767 container is the same as the one
769 host.</para></listitem>
773 <term><option>-q</option></term>
774 <term><option>--quiet</option></term>
776 <listitem><para>Turns off any status
777 output by the tool itself. When this
778 switch is used, the only output
779 from nspawn will be the console output
780 of the container OS itself.</para></listitem>
784 <term><option>--volatile</option><replaceable>=MODE</replaceable></term>
786 <listitem><para>Boots the container in
787 volatile mode. When no mode parameter
788 is passed or when mode is specified as
789 <literal>yes</literal> full volatile
790 mode is enabled. This means the root
791 directory is mounted as mostly
792 unpopulated <literal>tmpfs</literal>
794 <filename>/usr</filename> from the OS
795 tree is mounted into it, read-only
796 (the system thus starts up with
797 read-only OS resources, but pristine
798 state and configuration, any changes
799 to the either are lost on
800 shutdown). When the mode parameter is
801 specified as <literal>state</literal>
802 the OS tree is mounted read-only, but
803 <filename>/var</filename> is mounted
804 as <literal>tmpfs</literal> instance
805 into it (the system thus starts up
806 with read-only OS resources and
807 configuration, but pristine state, any
808 changes to the latter are lost on
809 shutdown). When the mode parameter is
810 specified as <literal>no</literal>
811 (the default) the whole OS tree is
812 made available writable.</para>
814 <para>Note that setting this to
815 <literal>yes</literal> or
816 <literal>state</literal> will only
817 work correctly with operating systems
818 in the container that can boot up with
819 only <filename>/usr</filename>
820 mounted, and are able to populate
821 <filename>/var</filename>
823 needed.</para></listitem>
826 <xi:include href="standard-options.xml" xpointer="help" />
827 <xi:include href="standard-options.xml" xpointer="version" />
833 <title>Examples</title>
835 <title>Boot a minimal Fedora distribution in a container</title>
837 <programlisting># yum -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
838 # systemd-nspawn -bD /srv/mycontainer</programlisting>
840 <para>This installs a minimal Fedora distribution into
841 the directory <filename noindex='true'>/srv/mycontainer/</filename> and
842 then boots an OS in a namespace container in
847 <title>Spawn a shell in a container of a minimal Debian unstable distribution</title>
849 <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
850 # systemd-nspawn -D ~/debian-tree/</programlisting>
852 <para>This installs a minimal Debian unstable
853 distribution into the directory
854 <filename>~/debian-tree/</filename> and then spawns a
855 shell in a namespace container in it.</para>
859 <title>Boot a minimal Arch Linux distribution in a container</title>
861 <programlisting># pacstrap -c -d ~/arch-tree/ base
862 # systemd-nspawn -bD ~/arch-tree/</programlisting>
864 <para>This installs a mimimal Arch Linux distribution into
865 the directory <filename>~/arch-tree/</filename> and then
866 boots an OS in a namespace container in it.</para>
870 <title>Enable Arch Linux container on boot</title>
872 <programlisting># mv ~/arch-tree /var/lib/machines/arch
873 # systemctl enable systemd-nspawn@arch.service
874 # systemctl start systemd-nspawn@arch.service</programlisting>
876 <para>This makes the Arch Linux container part of the
877 <filename>multi-user.target</filename> on the host.
882 <title>Boot into an ephemeral <literal>btrfs</literal> snapshot of the host system</title>
884 <programlisting># systemd-nspawn -D / -xb</programlisting>
886 <para>This runs a copy of the host system in a
887 <literal>btrfs</literal> snapshot which is
888 removed immediately when the container
889 exits. All file system changes made during
890 runtime will be lost on shutdown,
895 <title>Run a container with SELinux sandbox security contexts</title>
897 <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
898 # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
903 <title>Exit status</title>
905 <para>The exit code of the program executed in the
906 container is returned.</para>
910 <title>See Also</title>
912 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
913 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
914 <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
915 <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
916 <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
917 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
918 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
919 <citerefentry><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>