1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
6 This file is part of systemd.
8 Copyright 2010 Lennart Poettering
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 <refentry id="systemd-nspawn"
25 xmlns:xi="http://www.w3.org/2001/XInclude">
28 <title>systemd-nspawn</title>
29 <productname>systemd</productname>
33 <contrib>Developer</contrib>
34 <firstname>Lennart</firstname>
35 <surname>Poettering</surname>
36 <email>lennart@poettering.net</email>
42 <refentrytitle>systemd-nspawn</refentrytitle>
43 <manvolnum>1</manvolnum>
47 <refname>systemd-nspawn</refname>
48 <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
53 <command>systemd-nspawn</command>
54 <arg choice="opt" rep="repeat">OPTIONS</arg>
55 <arg choice="opt"><replaceable>COMMAND</replaceable>
56 <arg choice="opt" rep="repeat">ARGS</arg>
60 <command>systemd-nspawn</command>
61 <arg choice="plain">-b</arg>
62 <arg choice="opt" rep="repeat">OPTIONS</arg>
63 <arg choice="opt" rep="repeat">ARGS</arg>
68 <title>Description</title>
70 <para><command>systemd-nspawn</command> may be used to
71 run a command or OS in a light-weight namespace
72 container. In many ways it is similar to
73 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
74 but more powerful since it fully virtualizes the file
75 system hierarchy, as well as the process tree, the
76 various IPC subsystems and the host and domain
79 <para><command>systemd-nspawn</command> limits access
80 to various kernel interfaces in the container to
81 read-only, such as <filename>/sys</filename>,
82 <filename>/proc/sys</filename> or
83 <filename>/sys/fs/selinux</filename>. Network
84 interfaces and the system clock may not be changed
85 from within the container. Device nodes may not be
86 created. The host system cannot be rebooted and kernel
87 modules may not be loaded from within the
90 <para>Note that even though these security precautions
91 are taken <command>systemd-nspawn</command> is not
92 suitable for secure container setups. Many of the
93 security features may be circumvented and are hence
94 primarily useful to avoid accidental changes to the
95 host system from the container. The intended use of
96 this program is debugging and testing as well as
97 building of packages, distributions and software
98 involved with boot and systems management.</para>
101 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
102 may be used to boot full Linux-based operating systems
103 in a container.</para>
105 <para>Use a tool like
106 <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
107 <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
109 <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
110 to set up an OS directory tree suitable as file system
111 hierarchy for <command>systemd-nspawn</command>
114 <para>Note that <command>systemd-nspawn</command> will
115 mount file systems private to the container to
116 <filename>/dev</filename>,
117 <filename>/run</filename> and similar. These will
118 not be visible outside of the container, and their
119 contents will be lost when the container exits.</para>
121 <para>Note that running two
122 <command>systemd-nspawn</command> containers from the
123 same directory tree will not make processes in them
124 see each other. The PID namespace separation of the
125 two containers is complete and the containers will
126 share very few runtime objects except for the
127 underlying file system. Use
128 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
129 <command>login</command> command to request an
130 additional login prompt in a running container.</para>
132 <para><command>systemd-nspawn</command> implements the
134 url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
135 Interface</ulink> specification.</para>
137 <para>As a safety check
138 <command>systemd-nspawn</command> will verify the
139 existence of <filename>/usr/lib/os-release</filename>
140 or <filename>/etc/os-release</filename> in the
141 container tree before starting the container (see
142 <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It
143 might be necessary to add this file to the container
144 tree manually if the OS of the container is too old to
145 contain this file out-of-the-box.</para>
149 <title>Options</title>
151 <para>If option <option>-b</option> is specified, the
152 arguments are used as arguments for the init
153 binary. Otherwise, <replaceable>COMMAND</replaceable>
154 specifies the program to launch in the container, and
155 the remaining arguments are used as arguments for this
156 program. If <option>-b</option> is not used and no
157 arguments are specifed, a shell is launched in the
160 <para>The following options are understood:</para>
164 <term><option>-D</option></term>
165 <term><option>--directory=</option></term>
167 <listitem><para>Directory to use as
168 file system root for the container.</para>
171 <option>--directory=</option>, nor
172 <option>--image=</option> is specified
173 the directory is determined as
174 <filename>/var/lib/container/</filename>
175 suffixed by the machine name as
177 <option>--machine=</option>. If
178 neither <option>--directory=</option>,
179 <option>--image=</option>, nor
180 <option>--machine=</option> are
181 specified, the current directory will
182 be used. May not be specified together
184 <option>--image=</option>.</para></listitem>
188 <term><option>--template=</option></term>
190 <listitem><para>Directory or
191 <literal>btrfs</literal> subvolume to
192 use as template for the container's
193 root directory. If this is specified
194 and the container's root directory (as
196 <option>--directory=</option>) does
197 not yet exist it is created as
198 <literal>btrfs</literal> subvolume and
199 populated from this template
200 tree. Ideally, the specified template
201 path refers to the root of a
202 <literal>btrfs</literal> subvolume, in
203 which case a simple copy-on-write
204 snapshot is taken, and populating the
205 root directory is instant. If the
206 specified template path does not refer
208 <literal>btrfs</literal> subvolume (or
209 not even to a <literal>btrfs</literal>
210 file system at all), the tree is
211 copied, which can be substantially
212 more time-consuming. Note that if this
213 option is used the container's root
214 directory (in contrast to the template
215 directory!) must be located on a
216 <literal>btrfs</literal> file system,
217 so that the <literal>btrfs</literal>
218 subvolume may be created. May not be
219 specified together with
220 <option>--image=</option> or
221 <option>--ephemeral</option>.</para></listitem>
225 <term><option>-x</option></term>
226 <term><option>--ephemeral</option></term>
228 <listitem><para>If specified, the
229 container is run with a temporary
230 <literal>btrfs</literal> snapshot of
231 its root directory (as configured with
232 <option>--directory=</option>), that
233 is removed immediately when the
234 container terminates. This option is
235 only supported if the root file system
236 is <literal>btrfs</literal>. May not
237 be specified together with
238 <option>--image=</option> or
239 <option>--template=</option>.</para></listitem>
243 <term><option>-i</option></term>
244 <term><option>--image=</option></term>
246 <listitem><para>Disk image to mount
247 the root directory for the container
248 from. Takes a path to a regular file
249 or to a block device node. The file or
250 block device must contain a GUID
251 Partition Table with a root partition
252 which is mounted as the root directory
253 of the container. Optionally, it may
254 contain a home and/or a server data
255 partition which are mounted to the
256 appropriate places in the
257 container. All these partitions must
258 be identified by the partition types
259 defined by the <ulink
260 url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
261 Partitions Specification</ulink>. Any
262 other partitions, such as foreign
263 partitions, swap partitions or EFI
264 system partitions are not mounted. May
265 not be specified together with
266 <option>--directory=</option>,
267 <option>--template=</option> or
268 <option>--ephemeral</option>.</para></listitem>
272 <term><option>-b</option></term>
273 <term><option>--boot</option></term>
275 <listitem><para>Automatically search
276 for an init binary and invoke it
277 instead of a shell or a user supplied
278 program. If this option is used,
279 arguments specified on the command
280 line are used as arguments for the
281 init binary. This option may not be
283 <option>--share-system</option>.
288 <term><option>-u</option></term>
289 <term><option>--user=</option></term>
291 <listitem><para>After transitioning
292 into the container, change to the
293 specified user-defined in the
294 container's user database. Like all
295 other systemd-nspawn features, this is
296 not a security feature and provides
297 protection against accidental
298 destructive operations
299 only.</para></listitem>
303 <term><option>-M</option></term>
304 <term><option>--machine=</option></term>
306 <listitem><para>Sets the machine name
307 for this container. This name may be
308 used to identify this container during
309 its runtime (for example in tools like
310 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
311 and similar), and is used to
312 initialize the container's hostname
313 (which the container can choose to
314 override, however). If not specified,
315 the last component of the root
316 directory path of the container is
317 used, possibly suffixed with a random
319 <option>--ephemeral</option> mode is
320 selected. If the root directory
321 selected is the host's root directory
322 the host's hostname is used as default
323 instead.</para></listitem>
327 <term><option>--uuid=</option></term>
329 <listitem><para>Set the specified UUID
330 for the container. The init system
332 <filename>/etc/machine-id</filename>
333 from this if this file is not set yet.
338 <term><option>--slice=</option></term>
340 <listitem><para>Make the container
341 part of the specified slice, instead
343 <filename>machine.slice</filename>.</para>
348 <term><option>--private-network</option></term>
350 <listitem><para>Disconnect networking
351 of the container from the host. This
352 makes all network interfaces
353 unavailable in the container, with the
354 exception of the loopback device and
356 <option>--network-interface=</option>
358 <option>--network-veth</option>. If
359 this option is specified, the
360 CAP_NET_ADMIN capability will be added
361 to the set of capabilities the
362 container retains. The latter may be
364 <option>--drop-capability=</option>.</para></listitem>
368 <term><option>--network-interface=</option></term>
370 <listitem><para>Assign the specified
371 network interface to the
372 container. This will remove the
373 specified interface from the calling
374 namespace and place it in the
375 container. When the container
376 terminates, it is moved back to the
377 host namespace. Note that
378 <option>--network-interface=</option>
380 <option>--private-network</option>. This
381 option may be used more than once to
382 add multiple network interfaces to the
383 container.</para></listitem>
387 <term><option>--network-macvlan=</option></term>
389 <listitem><para>Create a
390 <literal>macvlan</literal> interface
391 of the specified Ethernet network
392 interface and add it to the
394 <literal>macvlan</literal> interface
395 is a virtual interface that adds a
396 second MAC address to an existing
397 physical Ethernet link. The interface
398 in the container will be named after
399 the interface on the host, prefixed
400 with <literal>mv-</literal>. Note that
401 <option>--network-macvlan=</option>
403 <option>--private-network</option>. This
404 option may be used more than once to
405 add multiple network interfaces to the
406 container.</para></listitem>
410 <term><option>--network-veth</option></term>
412 <listitem><para>Create a virtual
414 (<literal>veth</literal>) between host
415 and container. The host side of the
416 Ethernet link will be available as a
417 network interface named after the
418 container's name (as specified with
419 <option>--machine=</option>), prefixed
420 with <literal>ve-</literal>. The
421 container side of the Ethernet
423 <literal>host0</literal>. Note that
424 <option>--network-veth</option>
426 <option>--private-network</option>.</para></listitem>
430 <term><option>--network-bridge=</option></term>
432 <listitem><para>Adds the host side of
433 the Ethernet link created with
434 <option>--network-veth</option> to the
435 specified bridge. Note that
436 <option>--network-bridge=</option>
438 <option>--network-veth</option>. If
439 this option is used, the host side of
440 the Ethernet link will use the
441 <literal>vb-</literal> prefix instead
442 of <literal>ve-</literal>.</para></listitem>
446 <term><option>-Z</option></term>
447 <term><option>--selinux-context=</option></term>
449 <listitem><para>Sets the SELinux
450 security context to be used to label
451 processes in the container.</para>
456 <term><option>-L</option></term>
457 <term><option>--selinux-apifs-context=</option></term>
459 <listitem><para>Sets the SELinux security
460 context to be used to label files in
461 the virtual API file systems in the
467 <term><option>--capability=</option></term>
469 <listitem><para>List one or more
470 additional capabilities to grant the
471 container. Takes a comma-separated
472 list of capability names, see
473 <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
474 for more information. Note that the
475 following capabilities will be granted
476 in any way: CAP_CHOWN,
477 CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
478 CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
481 CAP_NET_BIND_SERVICE,
482 CAP_NET_BROADCAST, CAP_NET_RAW,
483 CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
484 CAP_SETUID, CAP_SYS_ADMIN,
485 CAP_SYS_CHROOT, CAP_SYS_NICE,
486 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
487 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
489 CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
491 <option>--private-network</option> is
492 specified. If the special value
493 <literal>all</literal> is passed, all
495 retained.</para></listitem>
499 <term><option>--drop-capability=</option></term>
501 <listitem><para>Specify one or more
502 additional capabilities to drop for
503 the container. This allows running the
504 container with fewer capabilities than
505 the default (see above).</para></listitem>
509 <term><option>--link-journal=</option></term>
511 <listitem><para>Control whether the
512 container's journal shall be made
513 visible to the host system. If enabled,
514 allows viewing the container's journal
515 files from the host (but not vice
517 <literal>no</literal>,
518 <literal>host</literal>,
519 <literal>try-host</literal>,
520 <literal>guest</literal>,
521 <literal>try-guest</literal>,
522 <literal>auto</literal>. If
523 <literal>no</literal>, the journal is
524 not linked. If <literal>host</literal>,
525 the journal files are stored on the
526 host file system (beneath
527 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
528 and the subdirectory is bind-mounted
529 into the container at the same
530 location. If <literal>guest</literal>,
531 the journal files are stored on the
532 guest file system (beneath
533 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
534 and the subdirectory is symlinked into the host
535 at the same location. <literal>try-host</literal>
536 and <literal>try-guest</literal> do the same
537 but do not fail if the host does not have
538 persistent journalling enabled.
539 If <literal>auto</literal> (the default),
540 and the right subdirectory of
541 <filename>/var/log/journal</filename>
542 exists, it will be bind mounted
543 into the container. If the
544 subdirectory does not exist, no
545 linking is performed. Effectively,
546 booting a container once with
547 <literal>guest</literal> or
548 <literal>host</literal> will link the
549 journal persistently if further on
550 the default of <literal>auto</literal>
551 is used.</para></listitem>
555 <term><option>-j</option></term>
557 <listitem><para>Equivalent to
558 <option>--link-journal=try-guest</option>.</para></listitem>
562 <term><option>--read-only</option></term>
564 <listitem><para>Mount the root file
565 system read-only for the
566 container.</para></listitem>
570 <term><option>--bind=</option></term>
571 <term><option>--bind-ro=</option></term>
573 <listitem><para>Bind mount a file or
574 directory from the host into the
575 container. Either takes a path
576 argument -- in which case the
577 specified path will be mounted from
578 the host to the same path in the
579 container --, or a colon-separated
580 pair of paths -- in which case the
581 first specified path is the source in
582 the host, and the second path is the
583 destination in the container. The
584 <option>--bind-ro=</option> option
585 creates read-only bind
586 mounts.</para></listitem>
590 <term><option>--tmpfs=</option></term>
592 <listitem><para>Mount a tmpfs file
593 system into the container. Takes a
594 single absolute path argument that
595 specifies where to mount the tmpfs
596 instance to (in which case the
597 directory access mode will be chosen
598 as 0755, owned by root/root), or
599 optionally a colon-separated pair of
600 path and mount option string, that is
601 used for mounting (in which case the
602 kernel default for access mode and
603 owner will be chosen, unless otherwise
604 specified). This option is
605 particularly useful for mounting
607 <filename>/var</filename> as tmpfs, to
608 allow state-less systems, in
609 particular when combined with
610 <option>--read-only</option>.</para></listitem>
614 <term><option>--setenv=</option></term>
616 <listitem><para>Specifies an
617 environment variable assignment to
618 pass to the init process in the
619 container, in the format
620 <literal>NAME=VALUE</literal>. This
621 may be used to override the default
622 variables or to set additional
623 variables. This parameter may be used
624 more than once.</para></listitem>
628 <term><option>--share-system</option></term>
630 <listitem><para>Allows the container
631 to share certain system facilities
632 with the host. More specifically, this
633 turns off PID namespacing, UTS
634 namespacing and IPC namespacing, and
635 thus allows the guest to see and
636 interact more easily with processes
637 outside of the container. Note that
638 using this option makes it impossible
639 to start up a full Operating System in
640 the container, as an init system
641 cannot operate in this mode. It is
642 only useful to run specific programs
643 or applications this way, without
644 involving an init system in the
645 container. This option implies
646 <option>--register=no</option>. This
647 option may not be combined with
648 <option>--boot</option>.</para></listitem>
652 <term><option>--register=</option></term>
654 <listitem><para>Controls whether the
655 container is registered with
656 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
657 a boolean argument, defaults to
658 <literal>yes</literal>. This option
659 should be enabled when the container
660 runs a full Operating System (more
661 specifically: an init system), and is
662 useful to ensure that the container is
664 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
665 and shown by tools such as
666 <citerefentry project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
667 the container does not run an init
668 system, it is recommended to set this
669 option to <literal>no</literal>. Note
670 that <option>--share-system</option>
672 <option>--register=no</option>.
677 <term><option>--keep-unit</option></term>
679 <listitem><para>Instead of creating a
680 transient scope unit to run the
681 container in, simply register the
682 service or scope unit
683 <command>systemd-nspawn</command> has
685 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
687 <option>--register=no</option> is
688 used. This switch should be used if
689 <command>systemd-nspawn</command> is
690 invoked from within a service unit,
691 and the service unit's sole purpose
693 <command>systemd-nspawn</command>
694 container. This option is not
695 available if run from a user
696 session.</para></listitem>
700 <term><option>--personality=</option></term>
702 <listitem><para>Control the
703 architecture ("personality") reported
705 <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
706 in the container. Currently, only
707 <literal>x86</literal> and
708 <literal>x86-64</literal> are
709 supported. This is useful when running
710 a 32-bit container on a 64-bit
711 host. If this setting is not used,
712 the personality reported in the
713 container is the same as the one
715 host.</para></listitem>
719 <term><option>-q</option></term>
720 <term><option>--quiet</option></term>
722 <listitem><para>Turns off any status
723 output by the tool itself. When this
724 switch is used, the only output
725 from nspawn will be the console output
726 of the container OS itself.</para></listitem>
730 <term><option>--volatile</option><replaceable>=MODE</replaceable></term>
732 <listitem><para>Boots the container in
733 volatile mode. When no mode parameter
734 is passed or when mode is specified as
735 <literal>yes</literal> full volatile
736 mode is enabled. This means the root
737 directory is mounted as mostly
738 unpopulated <literal>tmpfs</literal>
740 <filename>/usr</filename> from the OS
741 tree is mounted into it, read-only
742 (the system thus starts up with
743 read-only OS resources, but pristine
744 state and configuration, any changes
745 to the either are lost on
746 shutdown). When the mode parameter is
747 specified as <literal>state</literal>
748 the OS tree is mounted read-only, but
749 <filename>/var</filename> is mounted
750 as <literal>tmpfs</literal> instance
751 into it (the system thus starts up
752 with read-only OS resources and
753 configuration, but pristine state, any
754 changes to the latter are lost on
755 shutdown). When the mode parameter is
756 specified as <literal>no</literal>
757 (the default) the whole OS tree is
758 made available writable.</para>
760 <para>Note that setting this to
761 <literal>yes</literal> or
762 <literal>state</literal> will only
763 work correctly with operating systems
764 in the container that can boot up with
765 only <filename>/usr</filename>
766 mounted, and are able to populate
767 <filename>/var</filename>
769 needed.</para></listitem>
772 <xi:include href="standard-options.xml" xpointer="help" />
773 <xi:include href="standard-options.xml" xpointer="version" />
779 <title>Examples</title>
781 <title>Boot a minimal Fedora distribution in a container</title>
783 <programlisting># yum -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
784 # systemd-nspawn -bD /srv/mycontainer</programlisting>
786 <para>This installs a minimal Fedora distribution into
787 the directory <filename noindex='true'>/srv/mycontainer/</filename> and
788 then boots an OS in a namespace container in
793 <title>Spawn a shell in a container of a minimal Debian unstable distribution</title>
795 <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
796 # systemd-nspawn -D ~/debian-tree/</programlisting>
798 <para>This installs a minimal Debian unstable
799 distribution into the directory
800 <filename>~/debian-tree/</filename> and then spawns a
801 shell in a namespace container in it.</para>
805 <title>Boot a minimal Arch Linux distribution in a container</title>
807 <programlisting># pacstrap -c -d ~/arch-tree/ base
808 # systemd-nspawn -bD ~/arch-tree/</programlisting>
810 <para>This installs a mimimal Arch Linux distribution into
811 the directory <filename>~/arch-tree/</filename> and then
812 boots an OS in a namespace container in it.</para>
816 <title>Enable Arch Linux container on boot</title>
818 <programlisting># mv ~/arch-tree /var/lib/container/arch
819 # systemctl enable systemd-nspawn@arch.service
820 # systemctl start systemd-nspawn@arch.service</programlisting>
822 <para>This makes the Arch Linux container part of the
823 <filename>multi-user.target</filename> on the host.
828 <title>Boot into an ephemeral <literal>btrfs</literal> snapshot of the host system</title>
830 <programlisting># systemd-nspawn -D / -xb</programlisting>
832 <para>This runs a copy of the host system in a
833 <literal>btrfs</literal> snapshot which is
834 removed immediately when the container
835 exits. All file system changes made during
836 runtime will be lost on shutdown,
841 <title>Run a container with SELinux sandbox security contexts</title>
843 <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
844 # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
849 <title>Exit status</title>
851 <para>The exit code of the program executed in the
852 container is returned.</para>
856 <title>See Also</title>
858 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
859 <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
860 <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
861 <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
862 <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
863 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
864 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
865 <citerefentry><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>