two containers is complete and the containers will
share very few runtime objects except for the
underlying file system.</para>
+
+ <para><command>systemd-nspawn</command> implements the
+ <ulink
+ url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
+ Interface</ulink> specification.</para>
</refsect1>
<refsect1>
loopback device.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--read-only</option></term>
+
+ <listitem><para>Mount the root file
+ system read only for the
+ container.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--capability=</option></term>
+
+ <listitem><para>List one or more
+ additional capabilities to grant the
+ container. Takes a comma separated
+ list of capability names, see
+ <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for more information. Note that the
+ the following capabilities will be
+ granted in any way: CAP_CHOWN,
+ CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
+ CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
+ CAP_KILL, CAP_LEASE,
+ CAP_LINUX_IMMUTABLE,
+ CAP_NET_BIND_SERVICE,
+ CAP_NET_BROADCAST, CAP_NET_RAW,
+ CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
+ CAP_SETUID, CAP_SYS_ADMIN,
+ CAP_SYS_CHROOT, CAP_SYS_NICE,
+ CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
+ CAP_SYS_RESOURCE.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
~ianmdlvl / elogind.git / blobdiff