1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
6 This file is part of systemd.
8 Copyright 2010 Lennart Poettering
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 <refentry id="systemd-nspawn"
25 xmlns:xi="http://www.w3.org/2001/XInclude">
28 <title>systemd-nspawn</title>
29 <productname>systemd</productname>
33 <contrib>Developer</contrib>
34 <firstname>Lennart</firstname>
35 <surname>Poettering</surname>
36 <email>lennart@poettering.net</email>
42 <refentrytitle>systemd-nspawn</refentrytitle>
43 <manvolnum>1</manvolnum>
47 <refname>systemd-nspawn</refname>
48 <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
53 <command>systemd-nspawn</command>
54 <arg choice="opt" rep="repeat">OPTIONS</arg>
55 <arg choice="opt"><replaceable>COMMAND</replaceable>
56 <arg choice="opt" rep="repeat">ARGS</arg>
60 <command>systemd-nspawn</command>
61 <arg choice="plain">-b</arg>
62 <arg choice="opt" rep="repeat">OPTIONS</arg>
63 <arg choice="opt" rep="repeat">ARGS</arg>
68 <title>Description</title>
70 <para><command>systemd-nspawn</command> may be used to
71 run a command or OS in a light-weight namespace
72 container. In many ways it is similar to
73 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
74 but more powerful since it fully virtualizes the file
75 system hierarchy, as well as the process tree, the
76 various IPC subsystems and the host and domain
79 <para><command>systemd-nspawn</command> limits access
80 to various kernel interfaces in the container to
81 read-only, such as <filename>/sys</filename>,
82 <filename>/proc/sys</filename> or
83 <filename>/sys/fs/selinux</filename>. Network
84 interfaces and the system clock may not be changed
85 from within the container. Device nodes may not be
86 created. The host system cannot be rebooted and kernel
87 modules may not be loaded from within the
90 <para>Note that even though these security precautions
91 are taken <command>systemd-nspawn</command> is not
92 suitable for secure container setups. Many of the
93 security features may be circumvented and are hence
94 primarily useful to avoid accidental changes to the
95 host system from the container. The intended use of
96 this program is debugging and testing as well as
97 building of packages, distributions and software
98 involved with boot and systems management.</para>
101 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
102 may be used to boot full Linux-based operating systems
103 in a container.</para>
105 <para>Use a tool like
106 <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
107 <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
109 <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
110 to set up an OS directory tree suitable as file system
111 hierarchy for <command>systemd-nspawn</command>
114 <para>Note that <command>systemd-nspawn</command> will
115 mount file systems private to the container to
116 <filename>/dev</filename>,
117 <filename>/run</filename> and similar. These will
118 not be visible outside of the container, and their
119 contents will be lost when the container exits.</para>
121 <para>Note that running two
122 <command>systemd-nspawn</command> containers from the
123 same directory tree will not make processes in them
124 see each other. The PID namespace separation of the
125 two containers is complete and the containers will
126 share very few runtime objects except for the
127 underlying file system. Use
128 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
129 <command>login</command> command to request an
130 additional login prompt in a running container.</para>
132 <para><command>systemd-nspawn</command> implements the
134 url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
135 Interface</ulink> specification.</para>
137 <para>As a safety check,
138 <command>systemd-nspawn</command> will verify the
139 existence of <filename>/usr/lib/os-release</filename>
140 or <filename>/etc/os-release</filename> in the
141 container tree before starting the container (see
142 <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It
143 might be necessary to add this file to the container
144 tree manually if the OS of the container is too old to
145 contain this file out-of-the-box.</para>
149 <title>Options</title>
151 <para>If option <option>-b</option> is specified, the
152 arguments are used as arguments for the init
153 binary. Otherwise, <replaceable>COMMAND</replaceable>
154 specifies the program to launch in the container, and
155 the remaining arguments are used as arguments for this
156 program. If <option>-b</option> is not used and no
157 arguments are specified, a shell is launched in the
160 <para>The following options are understood:</para>
164 <term><option>-D</option></term>
165 <term><option>--directory=</option></term>
167 <listitem><para>Directory to use as
168 file system root for the container.</para>
171 <option>--directory=</option>, nor
172 <option>--image=</option> is specified
173 the directory is determined as
174 <filename>/var/lib/container/</filename>
175 suffixed by the machine name as
177 <option>--machine=</option>. If
178 neither <option>--directory=</option>,
179 <option>--image=</option>, nor
180 <option>--machine=</option> are
181 specified, the current directory will
182 be used. May not be specified together
184 <option>--image=</option>.</para></listitem>
188 <term><option>--template=</option></term>
190 <listitem><para>Directory or
191 <literal>btrfs</literal> subvolume to
192 use as template for the container's
193 root directory. If this is specified
194 and the container's root directory (as
196 <option>--directory=</option>) does
197 not yet exist it is created as
198 <literal>btrfs</literal> subvolume and
199 populated from this template
200 tree. Ideally, the specified template
201 path refers to the root of a
202 <literal>btrfs</literal> subvolume, in
203 which case a simple copy-on-write
204 snapshot is taken, and populating the
205 root directory is instant. If the
206 specified template path does not refer
208 <literal>btrfs</literal> subvolume (or
209 not even to a <literal>btrfs</literal>
210 file system at all), the tree is
211 copied, which can be substantially
212 more time-consuming. Note that if this
213 option is used the container's root
214 directory (in contrast to the template
215 directory!) must be located on a
216 <literal>btrfs</literal> file system,
217 so that the <literal>btrfs</literal>
218 subvolume may be created. May not be
219 specified together with
220 <option>--image=</option> or
221 <option>--ephemeral</option>.</para></listitem>
225 <term><option>-x</option></term>
226 <term><option>--ephemeral</option></term>
228 <listitem><para>If specified, the
229 container is run with a temporary
230 <literal>btrfs</literal> snapshot of
231 its root directory (as configured with
232 <option>--directory=</option>), that
233 is removed immediately when the
234 container terminates. This option is
235 only supported if the root file system
236 is <literal>btrfs</literal>. May not
237 be specified together with
238 <option>--image=</option> or
239 <option>--template=</option>.</para></listitem>
243 <term><option>-i</option></term>
244 <term><option>--image=</option></term>
246 <listitem><para>Disk image to mount
247 the root directory for the container
248 from. Takes a path to a regular file
249 or to a block device node. The file or
250 block device must contain a GUID
251 Partition Table with a root partition
252 which is mounted as the root directory
253 of the container. Optionally, it may
254 contain a home and/or a server data
255 partition which are mounted to the
256 appropriate places in the
257 container. All these partitions must
258 be identified by the partition types
259 defined by the <ulink
260 url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
261 Partitions Specification</ulink>. Any
262 other partitions, such as foreign
263 partitions, swap partitions or EFI
264 system partitions are not mounted. May
265 not be specified together with
266 <option>--directory=</option>,
267 <option>--template=</option> or
268 <option>--ephemeral</option>.</para></listitem>
272 <term><option>-b</option></term>
273 <term><option>--boot</option></term>
275 <listitem><para>Automatically search
276 for an init binary and invoke it
277 instead of a shell or a user supplied
278 program. If this option is used,
279 arguments specified on the command
280 line are used as arguments for the
281 init binary. This option may not be
283 <option>--share-system</option>.
288 <term><option>-u</option></term>
289 <term><option>--user=</option></term>
291 <listitem><para>After transitioning
292 into the container, change to the
293 specified user defined in the
294 container's user database. Like all
295 other systemd-nspawn features, this is
296 not a security feature and provides
297 protection against accidental
298 destructive operations
299 only.</para></listitem>
303 <term><option>-M</option></term>
304 <term><option>--machine=</option></term>
306 <listitem><para>Sets the machine name
307 for this container. This name may be
308 used to identify this container during
309 its runtime (for example in tools like
310 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
311 and similar), and is used to
312 initialize the container's hostname
313 (which the container can choose to
314 override, however). If not specified,
315 the last component of the root
316 directory path of the container is
317 used, possibly suffixed with a random
319 <option>--ephemeral</option> mode is
320 selected. If the root directory
321 selected is the host's root directory
322 the host's hostname is used as default
323 instead.</para></listitem>
327 <term><option>--uuid=</option></term>
329 <listitem><para>Set the specified UUID
330 for the container. The init system
332 <filename>/etc/machine-id</filename>
333 from this if this file is not set yet.
338 <term><option>--slice=</option></term>
340 <listitem><para>Make the container
341 part of the specified slice, instead
343 <filename>machine.slice</filename>.</para>
348 <term><option>--private-network</option></term>
350 <listitem><para>Disconnect networking
351 of the container from the host. This
352 makes all network interfaces
353 unavailable in the container, with the
354 exception of the loopback device and
356 <option>--network-interface=</option>
358 <option>--network-veth</option>. If
359 this option is specified, the
360 CAP_NET_ADMIN capability will be added
361 to the set of capabilities the
362 container retains. The latter may be
364 <option>--drop-capability=</option>.</para></listitem>
368 <term><option>--network-interface=</option></term>
370 <listitem><para>Assign the specified
371 network interface to the
372 container. This will remove the
373 specified interface from the calling
374 namespace and place it in the
375 container. When the container
376 terminates, it is moved back to the
377 host namespace. Note that
378 <option>--network-interface=</option>
380 <option>--private-network</option>. This
381 option may be used more than once to
382 add multiple network interfaces to the
383 container.</para></listitem>
387 <term><option>--network-macvlan=</option></term>
389 <listitem><para>Create a
390 <literal>macvlan</literal> interface
391 of the specified Ethernet network
392 interface and add it to the
394 <literal>macvlan</literal> interface
395 is a virtual interface that adds a
396 second MAC address to an existing
397 physical Ethernet link. The interface
398 in the container will be named after
399 the interface on the host, prefixed
400 with <literal>mv-</literal>. Note that
401 <option>--network-macvlan=</option>
403 <option>--private-network</option>. This
404 option may be used more than once to
405 add multiple network interfaces to the
406 container.</para></listitem>
410 <term><option>-n</option></term>
411 <term><option>--network-veth</option></term>
413 <listitem><para>Create a virtual
415 (<literal>veth</literal>) between host
416 and container. The host side of the
417 Ethernet link will be available as a
418 network interface named after the
419 container's name (as specified with
420 <option>--machine=</option>), prefixed
421 with <literal>ve-</literal>. The
422 container side of the Ethernet
424 <literal>host0</literal>. Note that
425 <option>--network-veth</option>
427 <option>--private-network</option>.</para></listitem>
431 <term><option>--network-bridge=</option></term>
433 <listitem><para>Adds the host side of
434 the Ethernet link created with
435 <option>--network-veth</option> to the
436 specified bridge. Note that
437 <option>--network-bridge=</option>
439 <option>--network-veth</option>. If
440 this option is used, the host side of
441 the Ethernet link will use the
442 <literal>vb-</literal> prefix instead
443 of <literal>ve-</literal>.</para></listitem>
447 <term><option>-p</option></term>
448 <term><option>--port=</option></term>
450 <listitem><para>If private networking
451 is enabled, maps an IP port on the
452 host onto an IP port on the
453 container. Takes a protocol specifier
454 (either <literal>tcp</literal> or
455 <literal>udp</literal>), separated by
456 a colon from a host port number in the
457 range 1 to 65535, separated by a colon
458 from a container port number in the
459 range from 1 to 65535. The protocol
460 specifier and its separating colon may
461 be omitted, in which case
462 <literal>tcp</literal> is assumed.
463 The container port number and its
464 colon may be omitted, in which case
465 the same port as the host port is
466 implied. This option is only supported
467 if private networking is used, such as
468 <option>--network-veth</option> or
469 <option>--network-bridge=</option>.</para></listitem>
473 <term><option>-Z</option></term>
474 <term><option>--selinux-context=</option></term>
476 <listitem><para>Sets the SELinux
477 security context to be used to label
478 processes in the container.</para>
483 <term><option>-L</option></term>
484 <term><option>--selinux-apifs-context=</option></term>
486 <listitem><para>Sets the SELinux security
487 context to be used to label files in
488 the virtual API file systems in the
494 <term><option>--capability=</option></term>
496 <listitem><para>List one or more
497 additional capabilities to grant the
498 container. Takes a comma-separated
499 list of capability names, see
500 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
501 for more information. Note that the
502 following capabilities will be granted
503 in any case: CAP_CHOWN,
504 CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
505 CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
508 CAP_NET_BIND_SERVICE,
509 CAP_NET_BROADCAST, CAP_NET_RAW,
510 CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
511 CAP_SETUID, CAP_SYS_ADMIN,
512 CAP_SYS_CHROOT, CAP_SYS_NICE,
513 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
514 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
516 CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
518 <option>--private-network</option> is
519 specified. If the special value
520 <literal>all</literal> is passed, all
522 retained.</para></listitem>
526 <term><option>--drop-capability=</option></term>
528 <listitem><para>Specify one or more
529 additional capabilities to drop for
530 the container. This allows running the
531 container with fewer capabilities than
532 the default (see above).</para></listitem>
536 <term><option>--link-journal=</option></term>
538 <listitem><para>Control whether the
539 container's journal shall be made
540 visible to the host system. If enabled,
541 allows viewing the container's journal
542 files from the host (but not vice
544 <literal>no</literal>,
545 <literal>host</literal>,
546 <literal>try-host</literal>,
547 <literal>guest</literal>,
548 <literal>try-guest</literal>,
549 <literal>auto</literal>. If
550 <literal>no</literal>, the journal is
551 not linked. If <literal>host</literal>,
552 the journal files are stored on the
553 host file system (beneath
554 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
555 and the subdirectory is bind-mounted
556 into the container at the same
557 location. If <literal>guest</literal>,
558 the journal files are stored on the
559 guest file system (beneath
560 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
561 and the subdirectory is symlinked into the host
562 at the same location. <literal>try-host</literal>
563 and <literal>try-guest</literal> do the same
564 but do not fail if the host does not have
565 persistent journalling enabled.
566 If <literal>auto</literal> (the default),
567 and the right subdirectory of
568 <filename>/var/log/journal</filename>
569 exists, it will be bind mounted
570 into the container. If the
571 subdirectory does not exist, no
572 linking is performed. Effectively,
573 booting a container once with
574 <literal>guest</literal> or
575 <literal>host</literal> will link the
576 journal persistently if further on
577 the default of <literal>auto</literal>
578 is used.</para></listitem>
582 <term><option>-j</option></term>
584 <listitem><para>Equivalent to
585 <option>--link-journal=try-guest</option>.</para></listitem>
589 <term><option>--read-only</option></term>
591 <listitem><para>Mount the root file
592 system read-only for the
593 container.</para></listitem>
597 <term><option>--bind=</option></term>
598 <term><option>--bind-ro=</option></term>
600 <listitem><para>Bind mount a file or
601 directory from the host into the
602 container. Either takes a path
603 argument -- in which case the
604 specified path will be mounted from
605 the host to the same path in the
606 container --, or a colon-separated
607 pair of paths -- in which case the
608 first specified path is the source in
609 the host, and the second path is the
610 destination in the container. The
611 <option>--bind-ro=</option> option
612 creates read-only bind
613 mounts.</para></listitem>
617 <term><option>--tmpfs=</option></term>
619 <listitem><para>Mount a tmpfs file
620 system into the container. Takes a
621 single absolute path argument that
622 specifies where to mount the tmpfs
623 instance to (in which case the
624 directory access mode will be chosen
625 as 0755, owned by root/root), or
626 optionally a colon-separated pair of
627 path and mount option string, that is
628 used for mounting (in which case the
629 kernel default for access mode and
630 owner will be chosen, unless otherwise
631 specified). This option is
632 particularly useful for mounting
634 <filename>/var</filename> as tmpfs, to
635 allow stateless systems, in
636 particular when combined with
637 <option>--read-only</option>.</para></listitem>
641 <term><option>--setenv=</option></term>
643 <listitem><para>Specifies an
644 environment variable assignment to
645 pass to the init process in the
646 container, in the format
647 <literal>NAME=VALUE</literal>. This
648 may be used to override the default
649 variables or to set additional
650 variables. This parameter may be used
651 more than once.</para></listitem>
655 <term><option>--share-system</option></term>
657 <listitem><para>Allows the container
658 to share certain system facilities
659 with the host. More specifically, this
660 turns off PID namespacing, UTS
661 namespacing and IPC namespacing, and
662 thus allows the guest to see and
663 interact more easily with processes
664 outside of the container. Note that
665 using this option makes it impossible
666 to start up a full Operating System in
667 the container, as an init system
668 cannot operate in this mode. It is
669 only useful to run specific programs
670 or applications this way, without
671 involving an init system in the
672 container. This option implies
673 <option>--register=no</option>. This
674 option may not be combined with
675 <option>--boot</option>.</para></listitem>
679 <term><option>--register=</option></term>
681 <listitem><para>Controls whether the
682 container is registered with
683 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
684 a boolean argument, defaults to
685 <literal>yes</literal>. This option
686 should be enabled when the container
687 runs a full Operating System (more
688 specifically: an init system), and is
689 useful to ensure that the container is
691 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
692 and shown by tools such as
693 <citerefentry project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
694 the container does not run an init
695 system, it is recommended to set this
696 option to <literal>no</literal>. Note
697 that <option>--share-system</option>
699 <option>--register=no</option>.
704 <term><option>--keep-unit</option></term>
706 <listitem><para>Instead of creating a
707 transient scope unit to run the
708 container in, simply register the
709 service or scope unit
710 <command>systemd-nspawn</command> has
712 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
714 <option>--register=no</option> is
715 used. This switch should be used if
716 <command>systemd-nspawn</command> is
717 invoked from within a service unit,
718 and the service unit's sole purpose
720 <command>systemd-nspawn</command>
721 container. This option is not
722 available if run from a user
723 session.</para></listitem>
727 <term><option>--personality=</option></term>
729 <listitem><para>Control the
730 architecture ("personality") reported
732 <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
733 in the container. Currently, only
734 <literal>x86</literal> and
735 <literal>x86-64</literal> are
736 supported. This is useful when running
737 a 32-bit container on a 64-bit
738 host. If this setting is not used,
739 the personality reported in the
740 container is the same as the one
742 host.</para></listitem>
746 <term><option>-q</option></term>
747 <term><option>--quiet</option></term>
749 <listitem><para>Turns off any status
750 output by the tool itself. When this
751 switch is used, the only output
752 from nspawn will be the console output
753 of the container OS itself.</para></listitem>
757 <term><option>--volatile</option><replaceable>=MODE</replaceable></term>
759 <listitem><para>Boots the container in
760 volatile mode. When no mode parameter
761 is passed or when mode is specified as
762 <literal>yes</literal> full volatile
763 mode is enabled. This means the root
764 directory is mounted as mostly
765 unpopulated <literal>tmpfs</literal>
767 <filename>/usr</filename> from the OS
768 tree is mounted into it, read-only
769 (the system thus starts up with
770 read-only OS resources, but pristine
771 state and configuration, any changes
772 to either are lost on
773 shutdown). When the mode parameter is
774 specified as <literal>state</literal>
775 the OS tree is mounted read-only, but
776 <filename>/var</filename> is mounted
777 as <literal>tmpfs</literal> instance
778 into it (the system thus starts up
779 with read-only OS resources and
780 configuration, but pristine state, any
781 changes to the latter are lost on
782 shutdown). When the mode parameter is
783 specified as <literal>no</literal>
784 (the default) the whole OS tree is
785 made available writable.</para>
787 <para>Note that setting this to
788 <literal>yes</literal> or
789 <literal>state</literal> will only
790 work correctly with operating systems
791 in the container that can boot up with
792 only <filename>/usr</filename>
793 mounted, and are able to populate
794 <filename>/var</filename>
796 needed.</para></listitem>
799 <xi:include href="standard-options.xml" xpointer="help" />
800 <xi:include href="standard-options.xml" xpointer="version" />
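<para>The <option>--port=</option> grammar described above, as an added example that is not part of this man page or of systemd: a POSIX sh function that validates a mapping against the documented form (<literal>[tcp|udp:]HOSTPORT[:CONTAINERPORT]</literal>, ports 1 to 65535, container port defaulting to the host port) and normalises it before it is placed on a <command>systemd-nspawn</command> command line. The function names and the sample specs are the example's own.</para>

```shell
#!/bin/sh
# Added example (not systemd code): validate and normalise a systemd-nspawn
# --port= argument before it reaches the command line. Grammar from the man
# page: [PROTO:]HOSTPORT[:CONTAINERPORT], PROTO is tcp or udp (default tcp),
# both ports 1..65535, CONTAINERPORT defaults to HOSTPORT.

# is_port VALUE: succeed if VALUE is a decimal integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, signs, or non-digit characters
    esac
    [ ${#1} -le 5 ] || return 1    # keep the numeric test free of overflow
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# normalize_port_spec SPEC: print "PROTO:HOSTPORT:CONTAINERPORT" on success,
# fail (exit status 1, nothing printed) on anything outside the grammar.
normalize_port_spec() {
    rest=$1
    proto=tcp
    case "$rest" in
        tcp:*|udp:*) proto=${rest%%:*}; rest=${rest#*:} ;;
    esac
    case "$rest" in
        *:*) host=${rest%%:*}; cont=${rest#*:} ;;
        *)   host=$rest;       cont=$rest ;;
    esac
    # a remaining colon means a third field or an unknown protocol name
    case "$cont" in *:*) return 1 ;; esac
    is_port "$host" || return 1
    is_port "$cont" || return 1
    printf '%s:%s:%s\n' "$proto" "$host" "$cont"
}

# build_port_args SPEC...: print the --port= options for a whole list of
# mappings, or fail on the first malformed entry instead of passing it on.
build_port_args() {
    args=""
    for spec in "$@"; do
        norm=$(normalize_port_spec "$spec") || { echo "rejected: $spec" >&2; return 1; }
        args="$args --port=$norm"
    done
    printf '%s\n' "${args# }"
}

# Demo with constructed specs: the last two are rejected (unknown protocol,
# port out of range), which is what keeps a typo from silently becoming a
# different exposure on the host.
for s in 8080 udp:53:5353 tcp:443 icmp:80 tcp:70000; do
    normalize_port_spec "$s" || echo "rejected: $s"
done
```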
806 <title>Examples</title>
808 <title>Boot a minimal Fedora distribution in a container</title>
810 <programlisting># yum -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
811 # systemd-nspawn -bD /srv/mycontainer</programlisting>
813 <para>This installs a minimal Fedora distribution into
814 the directory <filename noindex='true'>/srv/mycontainer/</filename> and
815 then boots an OS in a namespace container in
820 <title>Spawn a shell in a container of a minimal Debian unstable distribution</title>
822 <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
823 # systemd-nspawn -D ~/debian-tree/</programlisting>
825 <para>This installs a minimal Debian unstable
826 distribution into the directory
827 <filename>~/debian-tree/</filename> and then spawns a
828 shell in a namespace container in it.</para>
832 <title>Boot a minimal Arch Linux distribution in a container</title>
834 <programlisting># pacstrap -c -d ~/arch-tree/ base
835 # systemd-nspawn -bD ~/arch-tree/</programlisting>
837 <para>This installs a minimal Arch Linux distribution into
838 the directory <filename>~/arch-tree/</filename> and then
839 boots an OS in a namespace container in it.</para>
843 <title>Enable Arch Linux container on boot</title>
845 <programlisting># mv ~/arch-tree /var/lib/container/arch
846 # systemctl enable systemd-nspawn@arch.service
847 # systemctl start systemd-nspawn@arch.service</programlisting>
849 <para>This makes the Arch Linux container part of the
850 <filename>multi-user.target</filename> on the host.
855 <title>Boot into an ephemeral <literal>btrfs</literal> snapshot of the host system</title>
857 <programlisting># systemd-nspawn -D / -xb</programlisting>
859 <para>This runs a copy of the host system in a
860 <literal>btrfs</literal> snapshot which is
861 removed immediately when the container
862 exits. All file system changes made during
863 runtime will be lost on shutdown,
868 <title>Run a container with SELinux sandbox security contexts</title>
870 <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
871 # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
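<para>The capability arithmetic described under <option>--capability=</option>, <option>--drop-capability=</option> and <option>--private-network</option>, as an added example that is not part of this man page or of systemd: a POSIX sh function that computes the set a container retains from the default list as printed on this page, the additions, the drops, and CAP_NET_ADMIN when private networking is used. The default list is copied from this copy of the page, which is truncated, so the installed man page is authoritative; the special value <literal>all</literal> is not modelled, and the function names and the sample drop list are the example's own.</para>

```shell
#!/bin/sh
# Added example (not systemd code): model which capabilities a systemd-nspawn
# container retains, from the defaults documented in the man page plus
# --capability=, --drop-capability= and --private-network.

# Default retained set as printed on this page. NOTE: this copy of the page is
# truncated, so treat the installed man page as authoritative and sync the list.
DEFAULT_CAPS="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
CAP_FSETID CAP_IPC_OWNER CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
CAP_SETGID CAP_SETFCAP CAP_SETPCAP CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT
CAP_SYS_NICE CAP_SYS_PTRACE CAP_SYS_TTY_CONFIG CAP_SYS_RESOURCE CAP_SYS_BOOT
CAP_AUDIT_CONTROL"

# in_list WORD LIST: succeed if WORD is one of the whitespace-separated LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# effective_caps ADD DROP PRIVATE_NET
#   ADD / DROP   comma-separated names as given to --capability= / --drop-capability=
#   PRIVATE_NET  "yes" when --private-network is on the command line
# Prints the retained set, one name per line, sorted and de-duplicated.
# The special value "all" for --capability= is not modelled here.
effective_caps() {
    add=$(printf '%s' "$1" | tr ',' ' ')
    drop=$(printf '%s' "$2" | tr ',' ' ')
    caps="$DEFAULT_CAPS $add"
    # --private-network adds CAP_NET_ADMIN to the retained set
    [ "$3" = "yes" ] && caps="$caps CAP_NET_ADMIN"
    for c in $caps; do
        # --drop-capability= removes from both the defaults and --capability=
        in_list "$c" "$drop" || echo "$c"
    done | sort -u
}

# retains CAP ADD DROP PRIVATE_NET: succeed if CAP ends up in the retained set
retains() {
    effective_caps "$2" "$3" "$4" | grep -qx "$1"
}

# Demo (constructed): a build container with private networking, minus the
# three defaults that matter most for containment, since the man page itself
# says the defaults are not a security boundary.
DROP="CAP_SYS_ADMIN,CAP_SYS_PTRACE,CAP_NET_RAW"
echo "Retained with --private-network --drop-capability=$DROP:"
effective_caps "" "$DROP" yes
```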
876 <title>Exit status</title>
878 <para>The exit code of the program executed in the
879 container is returned.</para>
883 <title>See Also</title>
885 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
886 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
887 <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
888 <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
889 <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
890 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
891 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
892 <citerefentry><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>