machined: optionally, allow registration of pre-existing units (scopes

[elogind.git] / man / systemd-nspawn.xml
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml

index c95a7c0e9a5148600a1adf3e0a2340190b142a42..9d8db83e81ba9e845c0fe41f919e58c869b365de 100644 (file)
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -204,9 +204,12 @@
                                  <listitem><para>Automatically search
                                  for an init binary and invoke it
                                  instead of a shell or a user supplied
                                  <listitem><para>Automatically search
                                  for an init binary and invoke it
                                  instead of a shell or a user supplied
-                                program. If this option is used, arguments
-                                specified on the command line are used
-                                as arguments for the init binary.
+                                program. If this option is used,
+                                arguments specified on the command
+                                line are used as arguments for the
+                                init binary. This option may not be
+                                combined with
+                                <option>--share-system</option>.
                                  </para></listitem>
                          </varlistentry>
  
                                  </para></listitem>
                          </varlistentry>
  
@@ -249,23 +252,23 @@
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>
-                                <term><option>-L</option></term>
-                                <term><option>--apifs-label=</option></term>
+                                <term><option>-Z</option></term>
+                                <term><option>--selinux-context=</option></term>
  
  
-                                <listitem><para>Sets the mandatory
-                                access control (MAC/SELinux) file
-                                label to be used by virtual API file
-                                systems in the container.</para>
+                                <listitem><para>Sets the SELinux
+                                security context to be used to label
+                                processes in the container.</para>
                                  </listitem>
                          </varlistentry>
  
                          <varlistentry>
                                  </listitem>
                          </varlistentry>
  
                          <varlistentry>
-                                <term><option>-Z</option></term>
-                                <term><option>--process-label=</option></term>
+                                <term><option>-L</option></term>
+                                <term><option>--selinux-apifs-context=</option></term>
  
  
-                                <listitem><para>Sets the mandatory
-                                access control (MAC/SELinux) label to be used by
-                                processes in the container.</para>
+                                <listitem><para>Sets the SELinux security
+                                context to be used to label files in
+                                the virtual API file systems in the
+                                container.</para>
                                  </listitem>
                          </varlistentry>
  
                                  </listitem>
                          </varlistentry>
  
@@ -424,8 +427,79 @@
                                  output by the tool itself. When this
                                  switch is used, then the only output
                                  by nspawn will be the console output
                                  output by the tool itself. When this
                                  switch is used, then the only output
                                  by nspawn will be the console output
-                                of the container OS
-                                itself.</para></listitem>
+                                of the container OS itself.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--share-system</option></term>
+
+                                <listitem><para>Allows the container
+                                to share certain system facilities
+                                with the host. More specifically, this
+                                turns off PID namespacing, UTS
+                                namespacing and IPC namespacing, and
+                                thus allows the guest to see and
+                                interact more easily with processes
+                                outside of the container. Note that
+                                using this option makes it impossible
+                                to start up a full Operating System in
+                                the container, as an init system
+                                cannot operate in this mode. It is
+                                only useful to run specific programs
+                                or applications this way, without
+                                involving an init system in the
+                                container. This option implies
+                                <option>--register=no</option>. This
+                                option may not be combined with
+                                <option>--boot</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--register=</option></term>
+
+                                <listitem><para>Controls whether the
+                                container is registered with
+                                <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
+                                a boolean argument, defaults to
+                                <literal>yes</literal>. This option
+                                should be enabled when the container
+                                runs a full Operating System (more
+                                specifically: an init system), and is
+                                useful to ensure that the container is
+                                accessible via
+                                <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+                                and shown by tools such as
+                                <citerefentry><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
+                                the container does not run an init
+                                system it is recommended to set this
+                                option to <literal>no</literal>. Note
+                                that <option>--share-system</option>
+                                implies
+                                <option>--register=no</option>.
+                                </para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--keep-unit</option></term>
+
+                                <listitem><para>Instead of creating a
+                                transient scope unit to run the
+                                container in, simply register the
+                                service or scope unit
+                                <command>systemd-nspawn</command> has
+                                been invoked in in
+                                <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
+                                has no effect if
+                                <option>--register=no</option> is
+                                used. This switch should be used if
+                                <command>systemd-nspawn</command> is
+                                invoked from within an a service unit,
+                                and the service unit's sole purpose
+                                is to run a single
+                                <command>systemd-nspawn</command>
+                                container. This option is not
+                                available if run from a user
+                                session.</para></listitem>
                          </varlistentry>
  
                  </variablelist>
                          </varlistentry>
  
                  </variablelist>
@@ -495,7 +569,7 @@
                  <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
  # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
  
                  <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
  # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
  
-                <para>This runs a container with SELinux sandbox labels.</para>
+                <para>This runs a container with SELinux sandbox security contexts.</para>
          </refsect1>
  
          <refsect1>
          </refsect1>
  
          <refsect1>