doc: reword "shared per-thread" wording
[elogind.git] / man / systemd-nspawn.xml
index ca99da4909cac88b654779a86d0508945ec53f64..b34d38c9b53638926654675739c714bf0ecff1de 100644 (file)
                 contain this file out-of-the-box.</para>
         </refsect1>
 
                 contain this file out-of-the-box.</para>
         </refsect1>
 
-        <refsect1>
-                <title>Incompatibility with Auditing</title>
-
-                <para>Note that the kernel auditing subsystem is
-                currently broken when used together with
-                containers. We hence recommend turning it off entirely
-                by booting with <literal>audit=0</literal> on the
-                kernel command line, or by turning it off at kernel
-                build time. If auditing is enabled in the kernel,
-                operating systems booted in an nspawn container might
-                refuse log-in attempts.</para>
-        </refsect1>
-
         <refsect1>
                 <title>Options</title>
 
         <refsect1>
                 <title>Options</title>
 
                                 and exits.</para></listitem>
                         </varlistentry>
 
                                 and exits.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>-q</option></term>
+                                <term><option>--quiet</option></term>
+
+                                <listitem><para>Turns off any status
+                                output by the tool itself. When this
+                                switch is used, the only output
+                                from nspawn will be the console output
+                                of the container OS itself.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>-D</option></term>
                                 <term><option>--directory=</option></term>
                         <varlistentry>
                                 <term><option>-D</option></term>
                                 <term><option>--directory=</option></term>
                                 <listitem><para>Automatically search
                                 for an init binary and invoke it
                                 instead of a shell or a user supplied
                                 <listitem><para>Automatically search
                                 for an init binary and invoke it
                                 instead of a shell or a user supplied
-                                program. If this option is used, arguments
-                                specified on the command line are used
-                                as arguments for the init binary.
+                                program. If this option is used,
+                                arguments specified on the command
+                                line are used as arguments for the
+                                init binary. This option may not be
+                                combined with
+                                <option>--share-system</option>.
                                 </para></listitem>
                         </varlistentry>
 
                                 </para></listitem>
                         </varlistentry>
 
                                 container is used.</para></listitem>
                         </varlistentry>
 
                                 container is used.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>--uuid=</option></term>
+
+                                <listitem><para>Set the specified UUID
+                                for the container. The init system
+                                will initialize
+                                <filename>/etc/machine-id</filename>
+                                from this if this file is not set yet.
+                                </para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>--slice=</option></term>
 
                                 <listitem><para>Make the container
                                 part of the specified slice, instead
                         <varlistentry>
                                 <term><option>--slice=</option></term>
 
                                 <listitem><para>Make the container
                                 part of the specified slice, instead
-                                of the
+                                of the default
                                 <filename>machine.slice</filename>.</para>
                                 </listitem>
                         </varlistentry>
 
                                 <filename>machine.slice</filename>.</para>
                                 </listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>--private-network</option></term>
+
+                                <listitem><para>Disconnect networking
+                                of the container from the host. This
+                                makes all network interfaces
+                                unavailable in the container, with the
+                                exception of the loopback device and
+                                those specified with
+                                <option>--network-interface=</option>
+                                and configured with
+                                <option>--network-veth</option>. If
+                                this option is specified, the
+                                CAP_NET_ADMIN capability will be added
+                                to the set of capabilities the
+                                container retains. The latter may be
+                                disabled by using
+                                <option>--drop-capability=</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--network-interface=</option></term>
+
+                                <listitem><para>Assign the specified
+                                network interface to the
+                                container. This will move the
+                                specified interface from the calling
+                                namespace and place it in the
+                                container. When the container
+                                terminates, it is moved back to the
+                                host namespace. Note that
+                                <option>--network-interface=</option>
+                                implies
+                                <option>--private-network</option>. This
+                                option may be used more than once to
+                                add multiple network interfaces to the
+                                container.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--network-veth</option></term>
+
+                                <listitem><para>Create a virtual
+                                Ethernet link between host and
+                                container. The host side of the
+                                Ethernet link will be available as a
+                                network interface named after the
+                                container's name (as specified with
+                                <option>--machine=</option>), prefixed
+                                with <literal>ve-</literal>. The
+                                container side of the the Ethernet
+                                link will be named
+                                <literal>host0</literal>. Note that
+                                <option>--network-veth</option>
+                                implies
+                                <option>--private-network</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--network-bridge=</option></term>
+
+                                <listitem><para>Adds the host side of the
+                                Ethernet link created with
+                                <option>--network-veth</option>
+                                to the specified bridge. Note that
+                                <option>--network-bridge</option>
+                                implies
+                                <option>--network-veth</option>.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>-Z</option></term>
                                 <term><option>--selinux-context=</option></term>
                         <varlistentry>
                                 <term><option>-Z</option></term>
                                 <term><option>--selinux-context=</option></term>
                                 </listitem>
                         </varlistentry>
 
                                 </listitem>
                         </varlistentry>
 
-                        <varlistentry>
-                                <term><option>--uuid=</option></term>
-
-                                <listitem><para>Set the specified UUID
-                                for the container. The init system
-                                will initialize
-                                <filename>/etc/machine-id</filename>
-                                from this if this file is not set yet.
-                                </para></listitem>
-                        </varlistentry>
-
-                        <varlistentry>
-                                <term><option>--private-network</option></term>
-
-                                <listitem><para>Turn off networking in
-                                the container. This makes all network
-                                interfaces unavailable in the
-                                container, with the exception of the
-                                loopback device.</para></listitem>
-                        </varlistentry>
-
-                        <varlistentry>
-                                <term><option>--read-only</option></term>
-
-                                <listitem><para>Mount the root file
-                                system read-only for the
-                                container.</para></listitem>
-                        </varlistentry>
-
                         <varlistentry>
                                 <term><option>--capability=</option></term>
 
                         <varlistentry>
                                 <term><option>--capability=</option></term>
 
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
                                 CAP_AUDIT_WRITE,
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
                                 CAP_AUDIT_WRITE,
-                                CAP_AUDIT_CONTROL.</para></listitem>
+                                CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+                                is retained if
+                                <option>--private-network</option> is
+                                specified. If the special value
+                                <literal>all</literal> is passed, all
+                                capabilities are
+                                retained.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
                                 <option>--link-journal=guest</option>.</para></listitem>
                         </varlistentry>
 
                                 <option>--link-journal=guest</option>.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>--read-only</option></term>
+
+                                <listitem><para>Mount the root file
+                                system read-only for the
+                                container.</para></listitem>
+                        </varlistentry>
+
                         <varlistentry>
                                 <term><option>--bind=</option></term>
                                 <term><option>--bind-ro=</option></term>
                         <varlistentry>
                                 <term><option>--bind=</option></term>
                                 <term><option>--bind-ro=</option></term>
                                 more than once.</para></listitem>
                         </varlistentry>
 
                                 more than once.</para></listitem>
                         </varlistentry>
 
-                        <varlistentry>
-                                <term><option>-q</option></term>
-                                <term><option>--quiet</option></term>
-
-                                <listitem><para>Turns off any status
-                                output by the tool itself. When this
-                                switch is used, then the only output
-                                by nspawn will be the console output
-                                of the container OS
-                                itself.</para></listitem>
-                        </varlistentry>
-
                         <varlistentry>
                                 <term><option>--share-system</option></term>
 
                         <varlistentry>
                                 <term><option>--share-system</option></term>
 
                                 interact more easily with processes
                                 outside of the container. Note that
                                 using this option makes it impossible
                                 interact more easily with processes
                                 outside of the container. Note that
                                 using this option makes it impossible
-                                to start up a full Operating System in the
-                                container, as an init system cannot
-                                operate in this mode. It is only
-                                useful to run specific programs or
-                                applications this way, without
-                                involving an init
-                                system in the container.</para></listitem>
+                                to start up a full Operating System in
+                                the container, as an init system
+                                cannot operate in this mode. It is
+                                only useful to run specific programs
+                                or applications this way, without
+                                involving an init system in the
+                                container. This option implies
+                                <option>--register=no</option>. This
+                                option may not be combined with
+                                <option>--boot</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--register=</option></term>
+
+                                <listitem><para>Controls whether the
+                                container is registered with
+                                <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
+                                a boolean argument, defaults to
+                                <literal>yes</literal>. This option
+                                should be enabled when the container
+                                runs a full Operating System (more
+                                specifically: an init system), and is
+                                useful to ensure that the container is
+                                accessible via
+                                <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+                                and shown by tools such as
+                                <citerefentry><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
+                                the container does not run an init
+                                system, it is recommended to set this
+                                option to <literal>no</literal>. Note
+                                that <option>--share-system</option>
+                                implies
+                                <option>--register=no</option>.
+                                </para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--keep-unit</option></term>
+
+                                <listitem><para>Instead of creating a
+                                transient scope unit to run the
+                                container in, simply register the
+                                service or scope unit
+                                <command>systemd-nspawn</command> has
+                                been invoked in with
+                                <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
+                                has no effect if
+                                <option>--register=no</option> is
+                                used. This switch should be used if
+                                <command>systemd-nspawn</command> is
+                                invoked from within a service unit,
+                                and the service unit's sole purpose
+                                is to run a single
+                                <command>systemd-nspawn</command>
+                                container. This option is not
+                                available if run from a user
+                                session.</para></listitem>
                         </varlistentry>
 
                 </variablelist>
                         </varlistentry>
 
                 </variablelist>
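Review bot: The new `--network-veth` paragraph contains a doubled word, `container side of the the Ethernet`, which should read `container side of the Ethernet`; this is in the hunk that adds the `--uuid=` through `--network-bridge=` entries. In the same hunk the `--network-bridge=` entry refers to itself as `<option>--network-bridge</option>` without the trailing `=`, while its own `<term>` and the neighbouring cross-references to `--network-interface=` and `--drop-capability=` keep it, so `<option>--network-bridge=</option>` would be consistent. A smaller wording mismatch worth aligning: the `--private-network` text says CAP_NET_ADMIN "will be added to the set of capabilities the container retains", whereas the `--capability=` paragraph later in the file says it "is retained"; picking one phrasing avoids readers wondering whether these are two different mechanisms.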