and exits.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-q</option></term>
+ <term><option>--quiet</option></term>
+
+ <listitem><para>Turns off any status
+ output by the tool itself. When this
+ switch is used, the only output
+ from nspawn will be the console output
+ of the container OS itself.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>-D</option></term>
<term><option>--directory=</option></term>
container is used.</para></listitem>
</varlistentry>
- <varlistentry>
- <term><option>--slice=</option></term>
-
- <listitem><para>Make the container
- part of the specified slice, instead
- of the
- <filename>machine.slice</filename>.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-Z</option></term>
- <term><option>--selinux-context=</option></term>
-
- <listitem><para>Sets the SELinux
- security context to be used to label
- processes in the container.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-L</option></term>
- <term><option>--selinux-apifs-context=</option></term>
-
- <listitem><para>Sets the SELinux security
- context to be used to label files in
- the virtual API file systems in the
- container.</para>
- </listitem>
- </varlistentry>
-
<varlistentry>
<term><option>--uuid=</option></term>
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--slice=</option></term>
+
+ <listitem><para>Make the container
+ part of the specified slice, instead
+ of the default
+ <filename>machine.slice</filename>.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--private-network</option></term>
- <listitem><para>Turn off networking in
- the container. This makes all network
- interfaces unavailable in the
- container, with the exception of the
- loopback device and those specified
- with
- <option>--network-interface=</option>. If
- this option is specified the
+ <listitem><para>Disconnect networking
+ of the container from the host. This
+ makes all network interfaces
+ unavailable in the container, with the
+ exception of the loopback device and
+ those specified with
+ <option>--network-interface=</option>
+ and configured with
+ <option>--network-veth</option>. If
+ this option is specified, the
CAP_NET_ADMIN capability will be added
to the set of capabilities the
container retains. The latter may be
specified interface from the calling
namespace and place it in the
container. When the container
- terminates it is moved back to the
+ terminates, it is moved back to the
host namespace. Note that
<option>--network-interface=</option>
implies
</varlistentry>
<varlistentry>
- <term><option>--read-only</option></term>
+ <term><option>--network-veth</option></term>
+
+ <listitem><para>Create a virtual
+ Ethernet link between host and
+ container. The host side of the
+ Ethernet link will be available as a
+ network interface named after the
+ container's name (as specified with
+ <option>--machine=</option>), prefixed
+ with <literal>ve-</literal>. The
+ container side of the the Ethernet
+ link will be named
+ <literal>host0</literal>. Note that
+ <option>--network-veth</option>
+ implies
+ <option>--private-network</option>.</para></listitem>
+ </varlistentry>
- <listitem><para>Mount the root file
- system read-only for the
- container.</para></listitem>
+ <varlistentry>
+ <term><option>--network-bridge=</option></term>
+
+ <listitem><para>Adds the host side of the
+ Ethernet link created with
+ <option>--network-veth</option>
+ to the specified bridge. Note that
+ <option>--network-bridge</option>
+ implies
+ <option>--network-veth</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-Z</option></term>
+ <term><option>--selinux-context=</option></term>
+
+ <listitem><para>Sets the SELinux
+ security context to be used to label
+ processes in the container.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-L</option></term>
+ <term><option>--selinux-apifs-context=</option></term>
+
+ <listitem><para>Sets the SELinux security
+ context to be used to label files in
+ the virtual API file systems in the
+ container.</para>
+ </listitem>
</varlistentry>
<varlistentry>
is retained if
<option>--private-network</option> is
specified. If the special value
- <literal>all</literal> is passed all
+ <literal>all</literal> is passed, all
capabilities are
retained.</para></listitem>
</varlistentry>
<option>--link-journal=guest</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--read-only</option></term>
+
+ <listitem><para>Mount the root file
+ system read-only for the
+ container.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--bind=</option></term>
<term><option>--bind-ro=</option></term>
more than once.</para></listitem>
</varlistentry>
- <varlistentry>
- <term><option>-q</option></term>
- <term><option>--quiet</option></term>
-
- <listitem><para>Turns off any status
- output by the tool itself. When this
- switch is used, then the only output
- by nspawn will be the console output
- of the container OS itself.</para></listitem>
- </varlistentry>
-
<varlistentry>
<term><option>--share-system</option></term>
and shown by tools such as
<citerefentry><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
the container does not run an init
- system it is recommended to set this
+ system, it is recommended to set this
option to <literal>no</literal>. Note
that <option>--share-system</option>
implies
container in, simply register the
service or scope unit
<command>systemd-nspawn</command> has
- been invoked in in
+ been invoked in with
<citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
has no effect if
<option>--register=no</option> is
used. This switch should be used if
<command>systemd-nspawn</command> is
- invoked from within an a service unit,
+ invoked from within a service unit,
and the service unit's sole purpose
is to run a single
<command>systemd-nspawn</command>
session.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--personality=</option></term>
+
+ <listitem><para>Control the
+ architecture ("personality") reported
+ by
+ <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ in the container. Currently, only
+ <literal>x86</literal> and
+ <literal>x86-64</literal> are
+ supported. This is useful when running
+ a 32bit container on a 64bit
+ host. If this setting is not used
+ the personality reported in the
+ container is the same as the one
+ reported on the
+ host.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>