man: fix formatting of uuids
[elogind.git] / man / systemd-nspawn.xml
index ca99da4909cac88b654779a86d0508945ec53f64..a4f222c3495a6a14d17a6df538bc9074bf17e65b 100644 (file)
@@ -21,7 +21,8 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 -->
 
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 -->
 
-<refentry id="systemd-nspawn">
+<refentry id="systemd-nspawn"
+          xmlns:xi="http://www.w3.org/2001/XInclude">
 
         <refentryinfo>
                 <title>systemd-nspawn</title>
 
         <refentryinfo>
                 <title>systemd-nspawn</title>
                 contain this file out-of-the-box.</para>
         </refsect1>
 
                 contain this file out-of-the-box.</para>
         </refsect1>
 
-        <refsect1>
-                <title>Incompatibility with Auditing</title>
-
-                <para>Note that the kernel auditing subsystem is
-                currently broken when used together with
-                containers. We hence recommend turning it off entirely
-                by booting with <literal>audit=0</literal> on the
-                kernel command line, or by turning it off at kernel
-                build time. If auditing is enabled in the kernel,
-                operating systems booted in an nspawn container might
-                refuse log-in attempts.</para>
-        </refsect1>
-
         <refsect1>
                 <title>Options</title>
 
         <refsect1>
                 <title>Options</title>
 
                 <para>The following options are understood:</para>
 
                 <variablelist>
                 <para>The following options are understood:</para>
 
                 <variablelist>
-                        <varlistentry>
-                                <term><option>-h</option></term>
-                                <term><option>--help</option></term>
-
-                                <listitem><para>Prints a short help
-                                text and exits.</para></listitem>
-                        </varlistentry>
-
-                        <varlistentry>
-                                <term><option>--version</option></term>
-
-                                <listitem><para>Prints a version string
-                                and exits.</para></listitem>
-                        </varlistentry>
-
                         <varlistentry>
                                 <term><option>-D</option></term>
                                 <term><option>--directory=</option></term>
                         <varlistentry>
                                 <term><option>-D</option></term>
                                 <term><option>--directory=</option></term>
                                 <listitem><para>Automatically search
                                 for an init binary and invoke it
                                 instead of a shell or a user supplied
                                 <listitem><para>Automatically search
                                 for an init binary and invoke it
                                 instead of a shell or a user supplied
-                                program. If this option is used, arguments
-                                specified on the command line are used
-                                as arguments for the init binary.
+                                program. If this option is used,
+                                arguments specified on the command
+                                line are used as arguments for the
+                                init binary. This option may not be
+                                combined with
+                                <option>--share-system</option>.
                                 </para></listitem>
                         </varlistentry>
 
                                 </para></listitem>
                         </varlistentry>
 
                                 container is used.</para></listitem>
                         </varlistentry>
 
                                 container is used.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>--uuid=</option></term>
+
+                                <listitem><para>Set the specified UUID
+                                for the container. The init system
+                                will initialize
+                                <filename>/etc/machine-id</filename>
+                                from this if this file is not set yet.
+                                </para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>--slice=</option></term>
 
                                 <listitem><para>Make the container
                                 part of the specified slice, instead
                         <varlistentry>
                                 <term><option>--slice=</option></term>
 
                                 <listitem><para>Make the container
                                 part of the specified slice, instead
-                                of the
+                                of the default
                                 <filename>machine.slice</filename>.</para>
                                 </listitem>
                         </varlistentry>
 
                                 <filename>machine.slice</filename>.</para>
                                 </listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>--private-network</option></term>
+
+                                <listitem><para>Disconnect networking
+                                of the container from the host. This
+                                makes all network interfaces
+                                unavailable in the container, with the
+                                exception of the loopback device and
+                                those specified with
+                                <option>--network-interface=</option>
+                                and configured with
+                                <option>--network-veth</option>. If
+                                this option is specified, the
+                                CAP_NET_ADMIN capability will be added
+                                to the set of capabilities the
+                                container retains. The latter may be
+                                disabled by using
+                                <option>--drop-capability=</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--network-interface=</option></term>
+
+                                <listitem><para>Assign the specified
+                                network interface to the
+                                container. This will remove the
+                                specified interface from the calling
+                                namespace and place it in the
+                                container. When the container
+                                terminates, it is moved back to the
+                                host namespace. Note that
+                                <option>--network-interface=</option>
+                                implies
+                                <option>--private-network</option>. This
+                                option may be used more than once to
+                                add multiple network interfaces to the
+                                container.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--network-macvlan=</option></term>
+
+                                <listitem><para>Create a
+                                <literal>macvlan</literal> interface
+                                of the specified Ethernet network
+                                interface and add it to the
+                                container. A
+                                <literal>macvlan</literal> interface
+                                is a virtual interface that adds a
+                                second MAC address to an existing
+                                physical Ethernet link. The interface
+                                in the container will be named after
+                                the interface on the host, prefixed
+                                with <literal>mv-</literal>. Note that
+                                <option>--network-macvlan=</option>
+                                implies
+                                <option>--private-network</option>. This
+                                option may be used more than once to
+                                add multiple network interfaces to the
+                                container.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--network-veth</option></term>
+
+                                <listitem><para>Create a virtual
+                                Ethernet link
+                                (<literal>veth</literal>) between host
+                                and container. The host side of the
+                                Ethernet link will be available as a
+                                network interface named after the
+                                container's name (as specified with
+                                <option>--machine=</option>), prefixed
+                                with <literal>ve-</literal>. The
+                                container side of the the Ethernet
+                                link will be named
+                                <literal>host0</literal>. Note that
+                                <option>--network-veth</option>
+                                implies
+                                <option>--private-network</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--network-bridge=</option></term>
+
+                                <listitem><para>Adds the host side of
+                                the Ethernet link created with
+                                <option>--network-veth</option> to the
+                                specified bridge. Note that
+                                <option>--network-bridge=</option>
+                                implies
+                                <option>--network-veth</option>. If
+                                this option is used the host side of
+                                the Ethernet link will use the
+                                <literal>vb-</literal> prefix instead
+                                of <literal>ve-</literal>.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>-Z</option></term>
                                 <term><option>--selinux-context=</option></term>
                         <varlistentry>
                                 <term><option>-Z</option></term>
                                 <term><option>--selinux-context=</option></term>
                                 </listitem>
                         </varlistentry>
 
                                 </listitem>
                         </varlistentry>
 
-                        <varlistentry>
-                                <term><option>--uuid=</option></term>
-
-                                <listitem><para>Set the specified UUID
-                                for the container. The init system
-                                will initialize
-                                <filename>/etc/machine-id</filename>
-                                from this if this file is not set yet.
-                                </para></listitem>
-                        </varlistentry>
-
-                        <varlistentry>
-                                <term><option>--private-network</option></term>
-
-                                <listitem><para>Turn off networking in
-                                the container. This makes all network
-                                interfaces unavailable in the
-                                container, with the exception of the
-                                loopback device.</para></listitem>
-                        </varlistentry>
-
-                        <varlistentry>
-                                <term><option>--read-only</option></term>
-
-                                <listitem><para>Mount the root file
-                                system read-only for the
-                                container.</para></listitem>
-                        </varlistentry>
-
                         <varlistentry>
                                 <term><option>--capability=</option></term>
 
                         <varlistentry>
                                 <term><option>--capability=</option></term>
 
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
                                 CAP_AUDIT_WRITE,
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
                                 CAP_AUDIT_WRITE,
-                                CAP_AUDIT_CONTROL.</para></listitem>
+                                CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+                                is retained if
+                                <option>--private-network</option> is
+                                specified. If the special value
+                                <literal>all</literal> is passed, all
+                                capabilities are
+                                retained.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
                                 <option>--link-journal=guest</option>.</para></listitem>
                         </varlistentry>
 
                                 <option>--link-journal=guest</option>.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>--read-only</option></term>
+
+                                <listitem><para>Mount the root file
+                                system read-only for the
+                                container.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>--bind=</option></term>
                                 <term><option>--bind-ro=</option></term>
                         <varlistentry>
                                 <term><option>--bind=</option></term>
                                 <term><option>--bind-ro=</option></term>
                                 destination in the container. The
                                 <option>--bind-ro=</option> option
                                 creates read-only bind
                                 destination in the container. The
                                 <option>--bind-ro=</option> option
                                 creates read-only bind
-                                mount.</para></listitem>
+                                mounts.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
                                 more than once.</para></listitem>
                         </varlistentry>
 
                                 more than once.</para></listitem>
                         </varlistentry>
 
-                        <varlistentry>
-                                <term><option>-q</option></term>
-                                <term><option>--quiet</option></term>
-
-                                <listitem><para>Turns off any status
-                                output by the tool itself. When this
-                                switch is used, then the only output
-                                by nspawn will be the console output
-                                of the container OS
-                                itself.</para></listitem>
-                        </varlistentry>
-
                         <varlistentry>
                                 <term><option>--share-system</option></term>
 
                         <varlistentry>
                                 <term><option>--share-system</option></term>
 
                                 interact more easily with processes
                                 outside of the container. Note that
                                 using this option makes it impossible
                                 interact more easily with processes
                                 outside of the container. Note that
                                 using this option makes it impossible
-                                to start up a full Operating System in the
-                                container, as an init system cannot
-                                operate in this mode. It is only
-                                useful to run specific programs or
-                                applications this way, without
-                                involving an init
-                                system in the container.</para></listitem>
+                                to start up a full Operating System in
+                                the container, as an init system
+                                cannot operate in this mode. It is
+                                only useful to run specific programs
+                                or applications this way, without
+                                involving an init system in the
+                                container. This option implies
+                                <option>--register=no</option>. This
+                                option may not be combined with
+                                <option>--boot</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--register=</option></term>
+
+                                <listitem><para>Controls whether the
+                                container is registered with
+                                <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
+                                a boolean argument, defaults to
+                                <literal>yes</literal>. This option
+                                should be enabled when the container
+                                runs a full Operating System (more
+                                specifically: an init system), and is
+                                useful to ensure that the container is
+                                accessible via
+                                <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+                                and shown by tools such as
+                                <citerefentry><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
+                                the container does not run an init
+                                system, it is recommended to set this
+                                option to <literal>no</literal>. Note
+                                that <option>--share-system</option>
+                                implies
+                                <option>--register=no</option>.
+                                </para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--keep-unit</option></term>
+
+                                <listitem><para>Instead of creating a
+                                transient scope unit to run the
+                                container in, simply register the
+                                service or scope unit
+                                <command>systemd-nspawn</command> has
+                                been invoked in with
+                                <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
+                                has no effect if
+                                <option>--register=no</option> is
+                                used. This switch should be used if
+                                <command>systemd-nspawn</command> is
+                                invoked from within a service unit,
+                                and the service unit's sole purpose
+                                is to run a single
+                                <command>systemd-nspawn</command>
+                                container. This option is not
+                                available if run from a user
+                                session.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--personality=</option></term>
+
+                                <listitem><para>Control the
+                                architecture ("personality") reported
+                                by
+                                <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+                                in the container. Currently, only
+                                <literal>x86</literal> and
+                                <literal>x86-64</literal> are
+                                supported. This is useful when running
+                                a 32bit container on a 64bit
+                                host. If this setting is not used
+                                the personality reported in the
+                                container is the same as the one
+                                reported on the
+                                host.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>-q</option></term>
+                                <term><option>--quiet</option></term>
+
+                                <listitem><para>Turns off any status
+                                output by the tool itself. When this
+                                switch is used, the only output
+                                from nspawn will be the console output
+                                of the container OS itself.</para></listitem>
                         </varlistentry>
 
                         </varlistentry>
 
+                        <xi:include href="standard-options.xml" xpointer="help" />
+                        <xi:include href="standard-options.xml" xpointer="version" />
                 </variablelist>
 
         </refsect1>
                 </variablelist>
 
         </refsect1>