chiark / gitweb /
~ianmdlvl / elogind.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
nspawn: add new --network-bridge= switch
[elogind.git] / man / systemd-nspawn.xml
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 7a88436bcfd17ae61b5f619994e785b72b702884..665518dd15ed4adf76b603086bc675bfb072972d 100644 (file)
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -173,6 +173,17 @@
                                 and exits.</para></listitem>
                         </varlistentry>
 
                                 and exits.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>-q</option></term>
+                                <term><option>--quiet</option></term>
+
+                                <listitem><para>Turns off any status
+                                output by the tool itself. When this
+                                switch is used, then the only output
+                                by nspawn will be the console output
+                                of the container OS itself.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>-D</option></term>
                                 <term><option>--directory=</option></term>
                         <varlistentry>
                                 <term><option>-D</option></term>
                                 <term><option>--directory=</option></term>
@@ -228,37 +239,6 @@
                                 container is used.</para></listitem>
                         </varlistentry>
 
                                 container is used.</para></listitem>
                         </varlistentry>
 
-                        <varlistentry>
-                                <term><option>--slice=</option></term>
-
-                                <listitem><para>Make the container
-                                part of the specified slice, instead
-                                of the
-                                <filename>machine.slice</filename>.</para>
-                                </listitem>
-                        </varlistentry>
-
-                        <varlistentry>
-                                <term><option>-Z</option></term>
-                                <term><option>--selinux-context=</option></term>
-
-                                <listitem><para>Sets the SELinux
-                                security context to be used to label
-                                processes in the container.</para>
-                                </listitem>
-                        </varlistentry>
-
-                        <varlistentry>
-                                <term><option>-L</option></term>
-                                <term><option>--selinux-apifs-context=</option></term>
-
-                                <listitem><para>Sets the SELinux security
-                                context to be used to label files in
-                                the virtual API file systems in the
-                                container.</para>
-                                </listitem>
-                        </varlistentry>
-
                         <varlistentry>
                                 <term><option>--uuid=</option></term>
 
                         <varlistentry>
                                 <term><option>--uuid=</option></term>
 
@@ -270,14 +250,34 @@
                                 </para></listitem>
                         </varlistentry>
 
                                 </para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>--slice=</option></term>
+
+                                <listitem><para>Make the container
+                                part of the specified slice, instead
+                                of the default
+                                <filename>machine.slice</filename>.</para>
+                                </listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>--private-network</option></term>
 
                         <varlistentry>
                                 <term><option>--private-network</option></term>
 
-                                <listitem><para>Turn off networking in
-                                the container. This makes all network
-                                interfaces unavailable in the
-                                container, with the exception of the
-                                loopback device.</para></listitem>
+                                <listitem><para>Disconnect networking
+                                of the container from the host. This
+                                makes all network interfaces
+                                unavailable in the container, with the
+                                exception of the loopback device and
+                                those specified with
+                                <option>--network-interface=</option>
+                                and configured with
+                                <option>--network-veth</option>. If
+                                this option is specified the
+                                CAP_NET_ADMIN capability will be added
+                                to the set of capabilities the
+                                container retains. The latter may be
+                                disabled by using
+                                <option>--drop-capability=</option>.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
@@ -290,15 +290,65 @@
                                 namespace and place it in the
                                 container. When the container
                                 terminates it is moved back to the
                                 namespace and place it in the
                                 container. When the container
                                 terminates it is moved back to the
-                                host namespace.</para></listitem>
+                                host namespace. Note that
+                                <option>--network-interface=</option>
+                                implies
+                                <option>--private-network</option>. This
+                                option may be used more than once to
+                                add multiple network interfaces to the
+                                container.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
-                                <term><option>--read-only</option></term>
+                                <term><option>--network-veth</option></term>
+
+                                <listitem><para>Create a virtual
+                                ethernet link between host and
+                                container. The host side of the
+                                ethernet link will be available as
+                                network interface named after the
+                                container's name (as specified with
+                                <option>--machine=</option>), prefixed
+                                with <literal>ve-</literal>. The
+                                container side of the the ethernet
+                                link will be named
+                                <literal>host0</literal>. Note that
+                                <option>--network-veth</option>
+                                implies
+                                <option>--private-network</option>.</para></listitem>
+                        </varlistentry>
 
 
-                                <listitem><para>Mount the root file
-                                system read-only for the
-                                container.</para></listitem>
+                        <varlistentry>
+                                <term><option>--network-bridge=</option></term>
+
+                                <listitem><para>Adds the host side of the
+                                ethernet link created with
+                                <option>--network-veth</option>
+                                to the specified bridge. Note that
+                                <option>--network-bridge</option>
+                                implies
+                                <option>--network-veth</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>-Z</option></term>
+                                <term><option>--selinux-context=</option></term>
+
+                                <listitem><para>Sets the SELinux
+                                security context to be used to label
+                                processes in the container.</para>
+                                </listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>-L</option></term>
+                                <term><option>--selinux-apifs-context=</option></term>
+
+                                <listitem><para>Sets the SELinux security
+                                context to be used to label files in
+                                the virtual API file systems in the
+                                container.</para>
+                                </listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
@@ -323,8 +373,11 @@
                                 CAP_SYS_CHROOT, CAP_SYS_NICE,
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
                                 CAP_SYS_CHROOT, CAP_SYS_NICE,
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
-                                CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
-                                the special value
+                                CAP_AUDIT_WRITE,
+                                CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+                                is retained if
+                                <option>--private-network</option> is
+                                specified. If the special value
                                 <literal>all</literal> is passed all
                                 capabilities are
                                 retained.</para></listitem>
                                 <literal>all</literal> is passed all
                                 capabilities are
                                 retained.</para></listitem>
@@ -388,6 +441,14 @@
                                 <option>--link-journal=guest</option>.</para></listitem>
                         </varlistentry>
 
                                 <option>--link-journal=guest</option>.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>--read-only</option></term>
+
+                                <listitem><para>Mount the root file
+                                system read-only for the
+                                container.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>--bind=</option></term>
                                 <term><option>--bind-ro=</option></term>
                         <varlistentry>
                                 <term><option>--bind=</option></term>
                                 <term><option>--bind-ro=</option></term>
@@ -422,17 +483,6 @@
                                 more than once.</para></listitem>
                         </varlistentry>
 
                                 more than once.</para></listitem>
                         </varlistentry>
 
-                        <varlistentry>
-                                <term><option>-q</option></term>
-                                <term><option>--quiet</option></term>
-
-                                <listitem><para>Turns off any status
-                                output by the tool itself. When this
-                                switch is used, then the only output
-                                by nspawn will be the console output
-                                of the container OS itself.</para></listitem>
-                        </varlistentry>
-
                         <varlistentry>
                                 <term><option>--share-system</option></term>
 
                         <varlistentry>
                                 <term><option>--share-system</option></term>
 
Unnamed repository; edit this file 'description' to name the repository.