man: cryptsetup-1.6.3 now allows partition device file in system mode

[elogind.git] / man / systemd-nspawn.xml
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml

index 7d450f912c1c617c17d6bd41a32eb0d87374963a..df318d7a43c02c6ac33bc181728b9aae00603dbe 100644 (file)
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -123,10 +123,10 @@
                  see each other. The PID namespace separation of the
                  two containers is complete and the containers will
                  share very few runtime objects except for the
                  see each other. The PID namespace separation of the
                  two containers is complete and the containers will
                  share very few runtime objects except for the
-                underlying file system. It is however possible to
-                enter an existing container, see
-                <link linkend='example-nsenter'>Example 4</link> below.
-                </para>
+                underlying file system. Use
+                <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
+                <command>login</command> command to request an
+                additional login prompt in a running container.</para>
  
                  <para><command>systemd-nspawn</command> implements the
                  <ulink
  
                  <para><command>systemd-nspawn</command> implements the
                  <ulink
@@ -248,6 +248,27 @@
                                  </listitem>
                          </varlistentry>
  
                                  </listitem>
                          </varlistentry>
  
+                        <varlistentry>
+                                <term><option>-L</option></term>
+                                <term><option>--file-label=</option></term>
+
+                                <listitem><para>Sets the mandatory
+                                access control (MAC/SELinux) file
+                                label to be used by virtual API file
+                                systems in the container.</para>
+                                </listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>-Z</option></term>
+                                <term><option>--process-label=</option></term>
+
+                                <listitem><para>Sets the mandatory
+                                access control (MAC/SELinux) label to be used by
+                                processes in the container.</para>
+                                </listitem>
+                        </varlistentry>
+
                          <varlistentry>
                                  <term><option>--uuid=</option></term>
  
                          <varlistentry>
                                  <term><option>--uuid=</option></term>
  
@@ -303,6 +324,16 @@
                                  CAP_AUDIT_CONTROL.</para></listitem>
                          </varlistentry>
  
                                  CAP_AUDIT_CONTROL.</para></listitem>
                          </varlistentry>
  
+                        <varlistentry>
+                                <term><option>--drop-capability=</option></term>
+
+                                <listitem><para>Specify one or more
+                                additional capabilities to drop for
+                                the container. This allows running the
+                                container with fewer capabilities than
+                                the default (see above).</para></listitem>
+                        </varlistentry>
+
                          <varlistentry>
                                  <term><option>--link-journal=</option></term>
  
                          <varlistentry>
                                  <term><option>--link-journal=</option></term>
  
@@ -370,6 +401,33 @@
                                  creates read-only bind
                                  mount.</para></listitem>
                          </varlistentry>
                                  creates read-only bind
                                  mount.</para></listitem>
                          </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--setenv=</option></term>
+
+                                <listitem><para>Specifies an
+                                environment variable assignment to
+                                pass to the init process in the
+                                container, in the format
+                                <literal>NAME=VALUE</literal>. This
+                                may be used to override the default
+                                variables or to set additional
+                                variables. This parameter may be used
+                                more than once.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>-q</option></term>
+                                <term><option>--quiet</option></term>
+
+                                <listitem><para>Turns off any status
+                                output by the tool itself. When this
+                                switch is used, then the only output
+                                by nspawn will be the console output
+                                of the container OS
+                                itself.</para></listitem>
+                        </varlistentry>
+
                  </variablelist>
  
          </refsect1>
                  </variablelist>
  
          </refsect1>
@@ -409,22 +467,35 @@
                  boots an OS in a namespace container in it.</para>
          </refsect1>
  
                  boots an OS in a namespace container in it.</para>
          </refsect1>
  
-        <refsect1 id='example-nsenter'>
+        <refsect1>
                  <title>Example 4</title>
  
                  <title>Example 4</title>
  
-                <para>To enter the container, PID of one of the
-                processes sharing the new namespaces must be used.
-                <command>systemd-nspawn</command> prints the PID
-                (as viewed from the outside) of the launched process,
-                and it can be used to enter the container.</para>
+                <programlisting># mv ~/arch-tree /var/lib/container/arch
+# systemctl enable systemd-nspawn@arch.service
+# systemctl start systemd-nspawn@arch.service</programlisting>
+
+                <para>This makes the Arch Linux container part of the
+                <filename>multi-user.target</filename> on the host.
+                </para>
+        </refsect1>
+
+        <refsect1>
+                <title>Example 5</title>
+
+                <programlisting># btrfs subvolume snapshot / /.tmp
+# systemd-nspawn --private-network -D /.tmp -b</programlisting>
+
+                <para>This runs a copy of the host system in a
+                btrfs snapshot.</para>
+        </refsect1>
+
+        <refsect1>
+                <title>Example 6</title>
  
  
-                <programlisting># nsenter -m -u -i -n -p -t $PID</programlisting>
+                <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
+# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
  
  
-                <para><citerefentry><refentrytitle>nsenter</refentrytitle><manvolnum>1</manvolnum></citerefentry>
-                is part of
-                <ulink url="https://github.com/karelzak/util-linux">util-linux</ulink>.
-                Kernel support for entering namespaces was added in
-                Linux 3.8.</para>
+                <para>This runs a container with SELinux sandbox labels.</para>
          </refsect1>
  
          <refsect1>
          </refsect1>
  
          <refsect1>
@@ -439,11 +510,11 @@
                  <para>
                          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                          <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                  <para>
                          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                          <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-                        <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                          <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                          <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                          <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                          <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                          <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                          <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
-                        <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                        <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+                        <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
                  </para>
          </refsect1>
  
                  </para>
          </refsect1>