and exits.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>-q</option></term>
+ <term><option>--quiet</option></term>
+
+ <listitem><para>Turns off any status
+ output by the tool itself. When this
+ switch is used, then the only output
+ by nspawn will be the console output
+ of the container OS itself.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>-D</option></term>
<term><option>--directory=</option></term>
container is used.</para></listitem>
</varlistentry>
- <varlistentry>
- <term><option>--slice=</option></term>
-
- <listitem><para>Make the container
- part of the specified slice, instead
- of the
- <filename>machine.slice</filename>.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-Z</option></term>
- <term><option>--selinux-context=</option></term>
-
- <listitem><para>Sets the SELinux
- security context to be used to label
- processes in the container.</para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><option>-L</option></term>
- <term><option>--selinux-apifs-context=</option></term>
-
- <listitem><para>Sets the SELinux security
- context to be used to label files in
- the virtual API file systems in the
- container.</para>
- </listitem>
- </varlistentry>
-
<varlistentry>
<term><option>--uuid=</option></term>
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--slice=</option></term>
+
+ <listitem><para>Make the container
+ part of the specified slice, instead
+ of the default
+ <filename>machine.slice</filename>.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--private-network</option></term>
- <listitem><para>Turn off networking in
- the container. This makes all network
- interfaces unavailable in the
- container, with the exception of the
- loopback device.</para></listitem>
+ <listitem><para>Disconnect networking
+ of the container from the host. This
+ makes all network interfaces
+ unavailable in the container, with the
+ exception of the loopback device and
+ those specified with
+ <option>--network-interface=</option>
+ and configured with
+ <option>--network-veth</option>. If
+ this option is specified the
+ CAP_NET_ADMIN capability will be added
+ to the set of capabilities the
+ container retains. The latter may be
+ disabled by using
+ <option>--drop-capability=</option>.</para></listitem>
</varlistentry>
<varlistentry>
namespace and place it in the
container. When the container
terminates it is moved back to the
- host namespace.</para></listitem>
+ host namespace. Note that
+ <option>--network-interface=</option>
+ implies
+ <option>--private-network</option>. This
+ option may be used more than once to
+ add multiple network interfaces to the
+ container.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--read-only</option></term>
+ <term><option>--network-veth</option></term>
+
+ <listitem><para>Create a virtual
+ ethernet link between host and
+ container. The host side of the
+ ethernet link will be available as
+ network interface named after the
+ container's name (as specified with
+ <option>--machine=</option>), prefixed
+ with <literal>ve-</literal>. The
+ container side of the the ethernet
+ link will be named
+ <literal>host0</literal>. Note that
+ <option>--network-veth</option>
+ implies
+ <option>--private-network</option>.</para></listitem>
+ </varlistentry>
- <listitem><para>Mount the root file
- system read-only for the
- container.</para></listitem>
+ <varlistentry>
+ <term><option>--network-bridge=</option></term>
+
+ <listitem><para>Adds the host side of the
+ ethernet link created with
+ <option>--network-veth</option>
+ to the specified bridge. Note that
+ <option>--network-bridge</option>
+ implies
+ <option>--network-veth</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-Z</option></term>
+ <term><option>--selinux-context=</option></term>
+
+ <listitem><para>Sets the SELinux
+ security context to be used to label
+ processes in the container.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-L</option></term>
+ <term><option>--selinux-apifs-context=</option></term>
+
+ <listitem><para>Sets the SELinux security
+ context to be used to label files in
+ the virtual API file systems in the
+ container.</para>
+ </listitem>
</varlistentry>
<varlistentry>
CAP_SYS_CHROOT, CAP_SYS_NICE,
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
CAP_SYS_RESOURCE, CAP_SYS_BOOT,
- CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
- the special value
+ CAP_AUDIT_WRITE,
+ CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+ is retained if
+ <option>--private-network</option> is
+ specified. If the special value
<literal>all</literal> is passed all
capabilities are
retained.</para></listitem>
<option>--link-journal=guest</option>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--read-only</option></term>
+
+ <listitem><para>Mount the root file
+ system read-only for the
+ container.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--bind=</option></term>
<term><option>--bind-ro=</option></term>
more than once.</para></listitem>
</varlistentry>
- <varlistentry>
- <term><option>-q</option></term>
- <term><option>--quiet</option></term>
-
- <listitem><para>Turns off any status
- output by the tool itself. When this
- switch is used, then the only output
- by nspawn will be the console output
- of the container OS itself.</para></listitem>
- </varlistentry>
-
<varlistentry>
<term><option>--share-system</option></term>
~ianmdlvl / elogind.git / blobdiff