X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd-nspawn.xml;h=a4f222c3495a6a14d17a6df538bc9074bf17e65b;hb=0f62019c34e546f7c069a3b9f46deaa4b1608276;hp=75d2e6d72e2a0a9c91cf18cf782eef8039f196ba;hpb=420c7379fb96a188459690a634d0fede55721183;p=elogind.git
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 75d2e6d72..a4f222c34 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -21,7 +21,8 @@
along with systemd; If not, see .
-->
-
+systemd-nspawn
@@ -143,19 +144,6 @@
contain this file out-of-the-box.
-
- Incompatibility with Auditing
-
- Note that the kernel auditing subsystem is
- currently broken when used together with
- containers. We hence recommend turning it off entirely
- by booting with audit=0 on the
- kernel command line, or by turning it off at kernel
- build time. If auditing is enabled in the kernel,
- operating systems booted in an nspawn container might
- refuse log-in attempts.
-
-
Options
@@ -171,21 +159,6 @@
The following options are understood:
-
-
-
-
- Prints a short help
- text and exits.
-
-
-
-
-
- Prints a version string
- and exits.
-
-
@@ -204,9 +177,12 @@
Automatically search
for an init binary and invoke it
instead of a shell or a user supplied
- program. If this option is used, arguments
- specified on the command line are used
- as arguments for the init binary.
+ program. If this option is used,
+ arguments specified on the command
+ line are used as arguments for the
+ init binary. This option may not be
+ combined with
+ .
@@ -238,16 +214,6 @@
container is used.
-
-
-
- Make the container
- part of the specified slice, instead
- of the
- machine.slice.
-
-
-
@@ -259,24 +225,135 @@
+
+
+
+ Make the container
+ part of the specified slice, instead
+ of the default
+ machine.slice.
+
+
+
- Turn off networking in
- the container. This makes all network
- interfaces unavailable in the
- container, with the exception of the
- loopback device.
+ Disconnect networking
+ of the container from the host. This
+ makes all network interfaces
+ unavailable in the container, with the
+ exception of the loopback device and
+ those specified with
+
+ and configured with
+ . If
+ this option is specified, the
+ CAP_NET_ADMIN capability will be added
+ to the set of capabilities the
+ container retains. The latter may be
+ disabled by using
+ .
-
+
+
+ Assign the specified
+ network interface to the
+ container. This will remove the
+ specified interface from the calling
+ namespace and place it in the
+ container. When the container
+ terminates, it is moved back to the
+ host namespace. Note that
+
+ implies
+ . This
+ option may be used more than once to
+ add multiple network interfaces to the
+ container.
+
- Mount the root file
- system read-only for the
+
+
+
+ Create a
+ macvlan interface
+ of the specified Ethernet network
+ interface and add it to the
+ container. A
+ macvlan interface
+ is a virtual interface that adds a
+ second MAC address to an existing
+ physical Ethernet link. The interface
+ in the container will be named after
+ the interface on the host, prefixed
+ with mv-. Note that
+
+ implies
+ . This
+ option may be used more than once to
+ add multiple network interfaces to the
container.
+
+
+
+ Create a virtual
+ Ethernet link
+ (veth) between host
+ and container. The host side of the
+ Ethernet link will be available as a
+ network interface named after the
+ container's name (as specified with
+ ), prefixed
+ with ve-. The
+ container side of the the Ethernet
+ link will be named
+ host0. Note that
+
+ implies
+ .
+
+
+
+
+
+ Adds the host side of
+ the Ethernet link created with
+ to the
+ specified bridge. Note that
+
+ implies
+ . If
+ this option is used the host side of
+ the Ethernet link will use the
+ vb- prefix instead
+ of ve-.
+
+
+
+
+
+
+ Sets the SELinux
+ security context to be used to label
+ processes in the container.
+
+
+
+
+
+
+
+ Sets the SELinux security
+ context to be used to label files in
+ the virtual API file systems in the
+ container.
+
+
+
@@ -300,7 +377,13 @@
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
CAP_SYS_RESOURCE, CAP_SYS_BOOT,
CAP_AUDIT_WRITE,
- CAP_AUDIT_CONTROL.
+ CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+ is retained if
+ is
+ specified. If the special value
+ all is passed, all
+ capabilities are
+ retained.
@@ -361,6 +444,14 @@
.
+
+
+
+ Mount the root file
+ system read-only for the
+ container.
+
+
@@ -378,8 +469,127 @@
destination in the container. The
option
creates read-only bind
- mount.
+ mounts.
+
+
+
+
+
+ Specifies an
+ environment variable assignment to
+ pass to the init process in the
+ container, in the format
+ NAME=VALUE. This
+ may be used to override the default
+ variables or to set additional
+ variables. This parameter may be used
+ more than once.
+
+
+
+
+
+ Allows the container
+ to share certain system facilities
+ with the host. More specifically, this
+ turns off PID namespacing, UTS
+ namespacing and IPC namespacing, and
+ thus allows the guest to see and
+ interact more easily with processes
+ outside of the container. Note that
+ using this option makes it impossible
+ to start up a full Operating System in
+ the container, as an init system
+ cannot operate in this mode. It is
+ only useful to run specific programs
+ or applications this way, without
+ involving an init system in the
+ container. This option implies
+ . This
+ option may not be combined with
+ .
+
+
+
+
+
+ Controls whether the
+ container is registered with
+ systemd-machined8. Takes
+ a boolean argument, defaults to
+ yes. This option
+ should be enabled when the container
+ runs a full Operating System (more
+ specifically: an init system), and is
+ useful to ensure that the container is
+ accessible via
+ machinectl1
+ and shown by tools such as
+ ps1. If
+ the container does not run an init
+ system, it is recommended to set this
+ option to no. Note
+ that
+ implies
+ .
+
+
+
+
+
+
+ Instead of creating a
+ transient scope unit to run the
+ container in, simply register the
+ service or scope unit
+ systemd-nspawn has
+ been invoked in with
+ systemd-machined8. This
+ has no effect if
+ is
+ used. This switch should be used if
+ systemd-nspawn is
+ invoked from within a service unit,
+ and the service unit's sole purpose
+ is to run a single
+ systemd-nspawn
+ container. This option is not
+ available if run from a user
+ session.
+
+
+
+
+
+ Control the
+ architecture ("personality") reported
+ by
+ uname2
+ in the container. Currently, only
+ x86 and
+ x86-64 are
+ supported. This is useful when running
+ a 32bit container on a 64bit
+ host. If this setting is not used
+ the personality reported in the
+ container is the same as the one
+ reported on the
+ host.
+
+
+
+
+
+
+ Turns off any status
+ output by the tool itself. When this
+ switch is used, the only output
+ from nspawn will be the console output
+ of the container OS itself.
+
+
+
@@ -431,6 +641,25 @@
+
+ Example 5
+
+ # btrfs subvolume snapshot / /.tmp
+# systemd-nspawn --private-network -D /.tmp -b
+
+ This runs a copy of the host system in a
+ btrfs snapshot.
+
+
+
+ Example 6
+
+ # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
+# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
+
+ This runs a container with SELinux sandbox security contexts.
+
+
Exit status