<refsynopsisdiv>
<cmdsynopsis>
- <command>systemd-nspawn <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">COMMAND</arg> <arg choice="opt" rep="repeat">ARGS</arg></command>
+ <command>systemd-nspawn</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="opt">COMMAND</arg>
+ <arg choice="opt" rep="repeat">ARGS</arg>
</cmdsynopsis>
</refsynopsisdiv>
container.</para>
<para>Use a tool like
- <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry> or <citerefentry><refentrytitle>mock</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ or
+ <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
to set up an OS directory tree suitable as file system
- hierarchy for <command>systemd-nspawn</command> containers.</para>
+ hierarchy for <command>systemd-nspawn</command>
+ containers.</para>
<para>Note that <command>systemd-nspawn</command> will
mount file systems private to the container to
see each other. The PID namespace separation of the
two containers is complete and the containers will
share very few runtime objects except for the
- underlying file system.</para>
+ underlying file system. It is however possible to
+ enter an existing container, see
+ <link linkend='example-nsenter'>Example 4</link> below.
+ </para>
+
+ <para><command>systemd-nspawn</command> implements the
+ <ulink
+ url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
+ Interface</ulink> specification.</para>
</refsect1>
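Review bot: the new `<link linkend='example-nsenter'>` uses single-quoted attribute values while every other attribute in this file (the `<arg choice="opt">` and `<ulink url="...">` elements in this same patch) is double-quoted; use `linkend="example-nsenter"` for consistency. The hard-coded link text "Example 4" will also go stale as soon as an example is added or removed above it; `<xref linkend="example-nsenter"/>` would render the target's title automatically. Finally, the sentence "It is however possible to enter an existing container" sits right after a paragraph about PID namespace separation being complete, so it should say what entering actually means here, namely joining the container's namespaces from the host with nsenter, so readers do not take it as a weakening of the separation just described.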
<refsect1>
<variablelist>
<varlistentry>
- <term><option>--help</option></term>
<term><option>-h</option></term>
+ <term><option>--help</option></term>
<listitem><para>Prints a short help
text and exits.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--directory=</option></term>
+ <term><option>--version</option></term>
+
+ <listitem><para>Prints a version string
+ and exits.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>-D</option></term>
+ <term><option>--directory=</option></term>
<listitem><para>Directory to use as
file system root for the namespace
</varlistentry>
<varlistentry>
- <term><option>--boot</option></term>
<term><option>-b</option></term>
+ <term><option>--boot</option></term>
<listitem><para>Automatically search
for an init binary and invoke it
</varlistentry>
<varlistentry>
- <term><option>--user=</option></term>
<term><option>-u</option></term>
+ <term><option>--user=</option></term>
<listitem><para>Run the command
under specified user, create home
</varlistentry>
<varlistentry>
- <term><option>--controllers=</option></term>
<term><option>-C</option></term>
+ <term><option>--controllers=</option></term>
<listitem><para>Makes the container appear in
- other hierarchies that the name=systemd:/ one.
+ other hierarchies than the name=systemd:/ one.
Takes a comma-separated list of controllers.
</para></listitem>
</varlistentry>
loopback device.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--read-only</option></term>
+
+ <listitem><para>Mount the root file
+ system read only for the
+ container.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--capability=</option></term>
+
+ <listitem><para>List one or more
+ additional capabilities to grant the
+ container. Takes a comma separated
+ list of capability names, see
+ <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for more information. Note that the
+ following capabilities will be granted
+ in any way: CAP_CHOWN,
+ CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
+ CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
+ CAP_KILL, CAP_LEASE,
+ CAP_LINUX_IMMUTABLE,
+ CAP_NET_BIND_SERVICE,
+ CAP_NET_BROADCAST, CAP_NET_RAW,
+ CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
+ CAP_SETUID, CAP_SYS_ADMIN,
+ CAP_SYS_CHROOT, CAP_SYS_NICE,
+ CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
+ CAP_SYS_RESOURCE, CAP_SYS_BOOT,
+ CAP_AUDIT_WRITE,
+ CAP_AUDIT_CONTROL.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--link-journal=</option></term>
+
+ <listitem><para>Control whether the
+ container's journal shall be made
+ visible to the host system. If enabled
+ allows viewing the container's journal
+ files from the host (but not vice
+ versa). Takes one of
+ <literal>no</literal>,
+ <literal>host</literal>,
+ <literal>guest</literal>,
+ <literal>auto</literal>. If
+ <literal>no</literal>, the journal is
+ not linked. If <literal>host</literal>,
+ the journal files are stored on the
+ host file system (beneath
+ <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
+ and the subdirectory is bind-mounted
+ into the container at the same
+ location. If <literal>guest</literal>,
+ the journal files are stored on the
+ guest file system (beneath
+ <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
+ and the subdirectory is symlinked into the host
+ at the same location. If
+ <literal>auto</literal> (the default),
+ and the right subdirectory of
+ <filename>/var/log/journal</filename>
+ exists, it will be bind mounted
+ into the container. If the
+ subdirectory doesn't exist, no
+ linking is performed. Effectively,
+ booting a container once with
+ <literal>guest</literal> or
+ <literal>host</literal> will link the
+ journal persistently if further on
+ the default of <literal>auto</literal>
+ is used.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-j</option></term>
+
+ <listitem><para>Equivalent to
+ <option>--link-journal=guest</option>.</para></listitem>
+ </varlistentry>
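Review bot: in the `--capability=` listitem, "will be granted in any way" should read "will be granted in any case", and the sentence should say explicitly that this list is retained regardless of `--capability=`, so a reader does not assume the option is the only source of privileged capabilities; the always-granted list already includes CAP_SYS_ADMIN and CAP_SYS_PTRACE, which is worth stating plainly next to the option that widens it. Two smaller points: `-j` is documented as its own `<varlistentry>` with "Equivalent to --link-journal=guest", whereas every other short option in this patch (`-h`, `-D`, `-b`, `-u`, `-C`) is a second `<term>` inside the long option's entry; `-j` should be folded into the `--link-journal=` entry the same way, with the equivalence stated there. And "Takes a comma separated list" should be "comma-separated", matching the `--controllers=` entry a few lines above.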
</variablelist>
</refsect1>
<refsect1>
<title>Example 1</title>
- <programlisting># debootstrap --arch=amd64 unstable debian-tree/
-# systemd-nspawn -D debian-tree/</programlisting>
+ <programlisting># yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
+# systemd-nspawn -bD /srv/mycontainer</programlisting>
+
+ <para>This installs a minimal Fedora distribution into
+ the directory <filename>/srv/mycontainer/</filename> and
+ then boots an OS in a namespace container in
+ it.</para>
+ </refsect1>
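Review bot: the yum command in Example 1 passes `--nogpg`, which disables signature verification for every package installed into the tree that the next line then boots as a full OS with `-b`; either drop the flag, or add a sentence explaining why it is needed when installing a different `--releasever` than the host (the release's signing key is not imported) and what the reader should do instead. Since this is the first example in the man page it will be copied verbatim, so the unverified-install default should not be the one it teaches.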
+
+ <refsect1>
+ <title>Example 2</title>
+
+ <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
+# systemd-nspawn -D ~/debian-tree/</programlisting>
<para>This installs a minimal Debian unstable
distribution into the directory
- <filename>debian-tree/</filename> and then spawns a
+ <filename>~/debian-tree/</filename> and then spawns a
shell in a namespace container in it.</para>
-
</refsect1>
<refsect1>
- <title>Example 2</title>
+ <title>Example 3</title>
- <programlisting># mock --init
-# systemd-nspawn -D /var/lib/mock/fedora-rawhide-x86_64/root/ /sbin/init systemd.log_level=debug</programlisting>
+ <programlisting># pacstrap -c -d ~/arch-tree/ base
+# systemd-nspawn -bD ~/arch-tree/</programlisting>
- <para>This installs a minimal Fedora distribution into
- a subdirectory of <filename>/var/lib/mock/</filename>
- and then boots an OS in a namespace container in it,
- with systemd as init system, configured for debug
- logging.</para>
+ <para>This installs a mimimal Arch Linux distribution into
+ the directory <filename>~/arch-tree/</filename> and then
+ boots an OS in a namespace container in it.</para>
+ </refsect1>
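Review bot: typo in the Example 3 paragraph, "mimimal" should be "minimal", matching the wording of Examples 1 and 2.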
+
+ <refsect1 id='example-nsenter'>
+ <title>Example 4</title>
+
+ <para>To enter the container, PID of one of the
+ processes sharing the new namespaces must be used.
+ <command>systemd-nspawn</command> prints the PID
+ (as viewed from the outside) of the launched process,
+ and it can be used to enter the container.</para>
+
+ <programlisting># nsenter -muinpt $PID</programlisting>
+ <para><citerefentry><refentrytitle>nsenter</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ is part of
+ <ulink url="https://github.com/karelzak/util-linux">util-linux</ulink>.
+ Kernel support for entering namespaces was added in
+ Linux 3.8.</para>
</refsect1>
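Review bot: the Example 4 paragraph should state what `nsenter -muinpt $PID` does and does not give you: it joins the mount, UTS, IPC, network and PID namespaces of the target, but the shell it starts keeps the caller's capabilities and stays in the caller's control-group hierarchies, so it is not subject to the capability list documented under `--capability=` or to the hierarchies selected with `--controllers=`; that matters for anyone reading this as a way to administer a container from the host. Grammar: "PID of one of the processes sharing the new namespaces must be used" needs an article, "the PID of one of the processes ... must be used".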
<refsect1>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>mock</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
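Review bot: Example 4 now cites nsenter(1), but the See Also list in this hunk adds unshare(1), yum(8) and pacman(8) without adding nsenter(1); add a `<citerefentry>` for it here so the cross-reference is reachable from the usual place.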
</refsect1>