X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd-nspawn.xml;h=b3a2d328559273a6feccc01114ca7e562e419e98;hp=8f92b8430461ce2efd6216df824255a048cd9956;hb=9700d6980f7c212b10a69399e6430b82a6f45587;hpb=db999e0f923ca6c2c1b919d0f1c916472f209e62
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 8f92b8430..b3a2d3285 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -21,7 +21,8 @@
along with systemd; If not, see .
-->
-
+systemd-nspawn
@@ -69,7 +70,7 @@
systemd-nspawn may be used to
run a command or OS in a light-weight namespace
container. In many ways it is similar to
- chroot1,
+ chroot1,
but more powerful since it fully virtualizes the file
system hierarchy, as well as the process tree, the
various IPC subsystems and the host and domain
@@ -97,15 +98,15 @@
involved with boot and systems management.In contrast to
- chroot1Â systemd-nspawn
+ chroot1Â systemd-nspawn
may be used to boot full Linux-based operating systems
in a container.Use a tool like
- yum8,
- debootstrap8,
+ yum8,
+ debootstrap8,
or
- pacman8
+ pacman8
to set up an OS directory tree suitable as file system
hierarchy for systemd-nspawn
containers.
@@ -135,8 +136,9 @@
As a safety check
systemd-nspawn will verify the
- existence of /etc/os-release in
- the container tree before starting the container (see
+ existence of /usr/lib/os-release
+ or /etc/os-release in the
+ container tree before starting the container (see
os-release5). It
might be necessary to add this file to the container
tree manually if the OS of the container is too old to
@@ -158,30 +160,44 @@
The following options are understood:
-
-
-
-
- Prints a short help
- text and exits.
-
-
-
-
-
- Prints a version string
- and exits.
-
-
Directory to use as
- file system root for the namespace
- container. If omitted, the current
- directory will be
- used.
+ file system root for the container. If
+ neither
+ nor are
+ specified, the current directory will
+ be used. May not be specified together with
+ .
+
+
+
+
+
+
+ Disk image to mount
+ the root directory for the container
+ from. Takes a path to a regular file
+ or to a block device node. The file or
+ block device must contain a GUID
+ Partition Table with a root partition
+ which is mounted as the root directory
+ of the container. Optionally, it may
+ contain a home and/or a server data
+ partition which are mounted to the
+ appropriate places in the
+ container. All these partitions must
+ be identified by the partition types
+ defined by the Discoverable
+ Partitions Specification. Any
+ other partitions, such as foreign
+ partitions, swap partitions or EFI
+ system partitions are not mounted. May
+ not be specified together with
+ .
@@ -204,13 +220,15 @@
- Run the command
- under specified user, create home
- directory and cd into it. As rest
- of systemd-nspawn, this is not
- the security feature and limits
- against accidental changes only.
-
+ After transitioning
+ into the container, change to the
+ specified user-defined in the
+ container's user database. Like all
+ other systemd-nspawn features, this is
+ not a security feature and provides
+ protection against accidental
+ destructive operations
+ only.
@@ -228,16 +246,125 @@
container is used.
+
+
+
+ Set the specified UUID
+ for the container. The init system
+ will initialize
+ /etc/machine-id
+ from this if this file is not set yet.
+
+
+
Make the container
part of the specified slice, instead
- of the
+ of the default
machine.slice.
+
+
+
+ Disconnect networking
+ of the container from the host. This
+ makes all network interfaces
+ unavailable in the container, with the
+ exception of the loopback device and
+ those specified with
+
+ and configured with
+ . If
+ this option is specified, the
+ CAP_NET_ADMIN capability will be added
+ to the set of capabilities the
+ container retains. The latter may be
+ disabled by using
+ .
+
+
+
+
+
+ Assign the specified
+ network interface to the
+ container. This will remove the
+ specified interface from the calling
+ namespace and place it in the
+ container. When the container
+ terminates, it is moved back to the
+ host namespace. Note that
+
+ implies
+ . This
+ option may be used more than once to
+ add multiple network interfaces to the
+ container.
+
+
+
+
+
+ Create a
+ macvlan interface
+ of the specified Ethernet network
+ interface and add it to the
+ container. A
+ macvlan interface
+ is a virtual interface that adds a
+ second MAC address to an existing
+ physical Ethernet link. The interface
+ in the container will be named after
+ the interface on the host, prefixed
+ with mv-. Note that
+
+ implies
+ . This
+ option may be used more than once to
+ add multiple network interfaces to the
+ container.
+
+
+
+
+
+ Create a virtual
+ Ethernet link
+ (veth) between host
+ and container. The host side of the
+ Ethernet link will be available as a
+ network interface named after the
+ container's name (as specified with
+ ), prefixed
+ with ve-. The
+ container side of the Ethernet
+ link will be named
+ host0. Note that
+
+ implies
+ .
+
+
+
+
+
+ Adds the host side of
+ the Ethernet link created with
+ to the
+ specified bridge. Note that
+
+ implies
+ . If
+ this option is used, the host side of
+ the Ethernet link will use the
+ vb- prefix instead
+ of ve-.
+
+
@@ -259,35 +386,6 @@
-
-
-
- Set the specified UUID
- for the container. The init system
- will initialize
- /etc/machine-id
- from this if this file is not set yet.
-
-
-
-
-
-
- Turn off networking in
- the container. This makes all network
- interfaces unavailable in the
- container, with the exception of the
- loopback device.
-
-
-
-
-
- Mount the root file
- system read-only for the
- container.
-
-
@@ -295,7 +393,7 @@
additional capabilities to grant the
container. Takes a comma-separated
list of capability names, see
- capabilities7
+ capabilities7
for more information. Note that the
following capabilities will be granted
in any way: CAP_CHOWN,
@@ -311,7 +409,13 @@
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
CAP_SYS_RESOURCE, CAP_SYS_BOOT,
CAP_AUDIT_WRITE,
- CAP_AUDIT_CONTROL.
+ CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+ is retained if
+ is
+ specified. If the special value
+ all is passed, all
+ capabilities are
+ retained.
@@ -372,6 +476,14 @@
.
+
+
+
+ Mount the root file
+ system read-only for the
+ container.
+
+
@@ -389,7 +501,31 @@
destination in the container. The
option
creates read-only bind
- mount.
+ mounts.
+
+
+
+
+
+ Mount a tmpfs file
+ system into the container. Takes a
+ single absolute path argument that
+ specifies where to mount the tmpfs
+ instance to (in which case the
+ directory access mode will be chosen
+ as 0755, owned by root/root), or
+ optionally a colon-separated pair of
+ path and mount option string, that is
+ used for mounting (in which case the
+ kernel default for access mode and
+ owner will be chosen, unless otherwise
+ specified). This option is
+ particularly useful for mounting
+ directories such as
+ /var as tmpfs, to
+ allow state-less systems, in
+ particular when combined with
+ .
@@ -406,17 +542,6 @@
more than once.
-
-
-
-
- Turns off any status
- output by the tool itself. When this
- switch is used, then the only output
- by nspawn will be the console output
- of the container OS itself.
-
-
@@ -456,9 +581,9 @@
accessible via
machinectl1
and shown by tools such as
- ps1. If
+ ps1. If
the container does not run an init
- system it is recommended to set this
+ system, it is recommended to set this
option to no. Note
that
implies
@@ -474,13 +599,13 @@
container in, simply register the
service or scope unit
systemd-nspawn has
- been invoked in in
+ been invoked in with
systemd-machined8. This
has no effect if
is
used. This switch should be used if
systemd-nspawn is
- invoked from within an a service unit,
+ invoked from within a service unit,
and the service unit's sole purpose
is to run a single
systemd-nspawn
@@ -489,74 +614,150 @@
session.
+
+
+
+ Control the
+ architecture ("personality") reported
+ by
+ uname2
+ in the container. Currently, only
+ x86 and
+ x86-64 are
+ supported. This is useful when running
+ a 32-bit container on a 64-bit
+ host. If this setting is not used,
+ the personality reported in the
+ container is the same as the one
+ reported on the
+ host.
+
+
+
+
+
+
+ Turns off any status
+ output by the tool itself. When this
+ switch is used, the only output
+ from nspawn will be the console output
+ of the container OS itself.
+
+
+
+ =MODE
+
+ Boots the container in
+ volatile (ephemeral) mode. When no
+ mode parameter is passed or when mode
+ is specified as yes
+ full volatile mode is enabled. This
+ means the root directory is mounted as
+ mostly unpopulated
+ tmpfs instance, and
+ /usr from the OS
+ tree is mounted into it, read-only
+ (the system thus starts up with
+ read-only OS resources, but pristine
+ state and configuration, any changes
+ to the either are lost on
+ shutdown). When the mode parameter is
+ specified as state
+ the OS tree is mounted read-only, but
+ /var is mounted
+ as tmpfs instance
+ into it (the system thus starts up
+ with read-only OS resources and
+ configuration, but pristine state, any
+ changes to the latter are lost on
+ shutdown). When the mode parameter is
+ specified as no
+ (the default) the whole OS tree is made
+ available writable.
+
+ Note that setting this to
+ yes or
+ state will only
+ work correctly with operating systems
+ in the container that can boot up with
+ only /usr
+ mounted, and are able to populate
+ /var
+ automatically, as
+ needed.
+
+
+
+
- Example 1
+ Examples
+
+ Boot a minimal Fedora distribution in a container
- # yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
+ # yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
# systemd-nspawn -bD /srv/mycontainer
- This installs a minimal Fedora distribution into
- the directory /srv/mycontainer/ and
- then boots an OS in a namespace container in
- it.
-
+ This installs a minimal Fedora distribution into
+ the directory /srv/mycontainer/ and
+ then boots an OS in a namespace container in
+ it.
+
-
- Example 2
+
+ Spawn a shell in a container of a minimal Debian unstable distribution
- # debootstrap --arch=amd64 unstable ~/debian-tree/
+ # debootstrap --arch=amd64 unstable ~/debian-tree/
# systemd-nspawn -D ~/debian-tree/
- This installs a minimal Debian unstable
- distribution into the directory
- ~/debian-tree/ and then spawns a
- shell in a namespace container in it.
-
+ This installs a minimal Debian unstable
+ distribution into the directory
+ ~/debian-tree/ and then spawns a
+ shell in a namespace container in it.
+
-
- Example 3
+
+ Boot a minimal Arch Linux distribution in a container
- # pacstrap -c -d ~/arch-tree/ base
+ # pacstrap -c -d ~/arch-tree/ base
# systemd-nspawn -bD ~/arch-tree/
- This installs a mimimal Arch Linux distribution into
- the directory ~/arch-tree/ and then
- boots an OS in a namespace container in it.
-
+ This installs a mimimal Arch Linux distribution into
+ the directory ~/arch-tree/ and then
+ boots an OS in a namespace container in it.
+
-
- Example 4
+
+ Enable Arch Linux container on boot
- # mv ~/arch-tree /var/lib/container/arch
+ # mv ~/arch-tree /var/lib/container/arch
# systemctl enable systemd-nspawn@arch.service
# systemctl start systemd-nspawn@arch.service
- This makes the Arch Linux container part of the
- multi-user.target on the host.
-
-
+ This makes the Arch Linux container part of the
+ multi-user.target on the host.
+
+
-
- Example 5
+
+ Boot into a btrfs snapshot of the host system
- # btrfs subvolume snapshot / /.tmp
+ # btrfs subvolume snapshot / /.tmp
# systemd-nspawn --private-network -D /.tmp -b
- This runs a copy of the host system in a
- btrfs snapshot.
-
+ This runs a copy of the host system in a
+ btrfs snapshot.
+
-
- Example 6
+
+ Run a container with SELinux sandbox security contexts
- # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
+ # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
-
- This runs a container with SELinux sandbox security contexts.
+
@@ -570,10 +771,10 @@
See Alsosystemd1,
- chroot1,
- yum8,
- debootstrap8,
- pacman8,
+ chroot1,
+ yum8,
+ debootstrap8,
+ pacman8,
systemd.slice5,
machinectl1