X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd-nspawn.xml;h=7d450f912c1c617c17d6bd41a32eb0d87374963a;hb=fb1316462952d17d6ebf19c3f093b730c13016a7;hp=28e50359f3fdaf35b097d9e38717e499e8892577;hpb=0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295;p=elogind.git
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 28e50359f..7d450f912 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -49,7 +49,17 @@
- systemd-nspawn OPTIONSCOMMANDARGS
+ systemd-nspawn
+ OPTIONS
+ COMMAND
+ ARGS
+
+
+
+ systemd-nspawn
+ -b
+ OPTIONS
+ ARGS
@@ -87,15 +97,18 @@
involved with boot and systems management.
In contrast to
- chroot1
- systemd-nspawn may be used to boot
- full Linux-based operating systems in a
- container.
+ chroot1Â systemd-nspawn
+ may be used to boot full Linux-based operating systems
+ in a container.
Use a tool like
- debootstrap8 or mock1
+ yum8,
+ debootstrap8,
+ or
+ pacman8
to set up an OS directory tree suitable as file system
- hierarchy for systemd-nspawn containers.
+ hierarchy for systemd-nspawn
+ containers.
Note that systemd-nspawn will
mount file systems private to the container to
@@ -110,50 +123,96 @@
see each other. The PID namespace separation of the
two containers is complete and the containers will
share very few runtime objects except for the
- underlying file system.
+ underlying file system. It is however possible to
+ enter an existing container, see
+ Example 4 below.
+
+
+ systemd-nspawn implements the
+ Container
+ Interface specification.
+
+ As a safety check
+ systemd-nspawn will verify the
+ existence of /etc/os-release in
+ the container tree before starting the container (see
+ os-release5). It
+ might be necessary to add this file to the container
+ tree manually if the OS of the container is too old to
+ contain this file out-of-the-box.
+
+
+
+ Incompatibility with Auditing
+
+ Note that the kernel auditing subsystem is
+ currently broken when used together with
+ containers. We hence recommend turning it off entirely
+ by booting with audit=0 on the
+ kernel command line, or by turning it off at kernel
+ build time. If auditing is enabled in the kernel,
+ operating systems booted in an nspawn container might
+ refuse log-in attempts.Options
- If no arguments are passed the container is set
- up and a shell started in it, otherwise the passed
- command and arguments are executed in it. The
- following options are understood:
+ If option is specified, the
+ arguments are used as arguments for the init
+ binary. Otherwise, COMMAND
+ specifies the program to launch in the container, and
+ the remaining arguments are used as arguments for this
+ program. If is not used and no
+ arguments are specifed, a shell is launched in the
+ container.
+
+ The following options are understood:
-
+ Prints a short help
text and exits.
-
+
+
+ Prints a version string
+ and exits.
+
+
+
+ Directory to use as
file system root for the namespace
- container. If omitted the current
+ container. If omitted, the current
directory will be
used.
-
+ Automatically search
for an init binary and invoke it
instead of a shell or a user supplied
- program.
+ program. If this option is used, arguments
+ specified on the command line are used
+ as arguments for the init binary.
+
-
+ Run the command
under specified user, create home
@@ -165,12 +224,38 @@
-
-
+
+
+
+ Sets the machine name
+ for this container. This name may be
+ used to identify this container on the
+ host, and is used to initialize the
+ container's hostname (which the
+ container can choose to override,
+ however). If not specified, the last
+ component of the root directory of the
+ container is used.
+
+
+
+
+
+ Make the container
+ part of the specified slice, instead
+ of the
+ machine.slice.
+
+
+
+
+
- Makes the container appear in
- other hierarchies that the name=systemd:/ one.
- Takes a comma-separated list of controllers.
+ Set the specified UUID
+ for the container. The init system
+ will initialize
+ /etc/machine-id
+ from this if this file is not set yet.
@@ -184,6 +269,107 @@
loopback device.
+
+
+
+ Mount the root file
+ system read-only for the
+ container.
+
+
+
+
+
+ List one or more
+ additional capabilities to grant the
+ container. Takes a comma-separated
+ list of capability names, see
+ capabilities7
+ for more information. Note that the
+ following capabilities will be granted
+ in any way: CAP_CHOWN,
+ CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
+ CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
+ CAP_KILL, CAP_LEASE,
+ CAP_LINUX_IMMUTABLE,
+ CAP_NET_BIND_SERVICE,
+ CAP_NET_BROADCAST, CAP_NET_RAW,
+ CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
+ CAP_SETUID, CAP_SYS_ADMIN,
+ CAP_SYS_CHROOT, CAP_SYS_NICE,
+ CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
+ CAP_SYS_RESOURCE, CAP_SYS_BOOT,
+ CAP_AUDIT_WRITE,
+ CAP_AUDIT_CONTROL.
+
+
+
+
+
+ Control whether the
+ container's journal shall be made
+ visible to the host system. If enabled,
+ allows viewing the container's journal
+ files from the host (but not vice
+ versa). Takes one of
+ no,
+ host,
+ guest,
+ auto. If
+ no, the journal is
+ not linked. If host,
+ the journal files are stored on the
+ host file system (beneath
+ /var/log/journal/machine-id)
+ and the subdirectory is bind-mounted
+ into the container at the same
+ location. If guest,
+ the journal files are stored on the
+ guest file system (beneath
+ /var/log/journal/machine-id)
+ and the subdirectory is symlinked into the host
+ at the same location. If
+ auto (the default),
+ and the right subdirectory of
+ /var/log/journal
+ exists, it will be bind mounted
+ into the container. If the
+ subdirectory does not exist, no
+ linking is performed. Effectively,
+ booting a container once with
+ guest or
+ host will link the
+ journal persistently if further on
+ the default of auto
+ is used.
+
+
+
+
+
+ Equivalent to
+ .
+
+
+
+
+
+
+ Bind mount a file or
+ directory from the host into the
+ container. Either takes a path
+ argument -- in which case the
+ specified path will be mounted from
+ the host to the same path in the
+ container --, or a colon-separated
+ pair of paths -- in which case the
+ first specified path is the source in
+ the host, and the second path is the
+ destination in the container. The
+ option
+ creates read-only bind
+ mount.
+
@@ -191,28 +377,54 @@
Example 1
- # debootstrap --arch=amd64 unstable debian-tree/
-# systemd-nspawn -D debian-tree/
+ # yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
+# systemd-nspawn -bD /srv/mycontainer
+
+ This installs a minimal Fedora distribution into
+ the directory /srv/mycontainer/ and
+ then boots an OS in a namespace container in
+ it.
+
+
+
+ Example 2
+
+ # debootstrap --arch=amd64 unstable ~/debian-tree/
+# systemd-nspawn -D ~/debian-tree/This installs a minimal Debian unstable
distribution into the directory
- debian-tree/ and then spawns a
+ ~/debian-tree/ and then spawns a
shell in a namespace container in it.
-
- Example 2
+ Example 3
- # mock --init
-# systemd-nspawn -D /var/lib/mock/fedora-rawhide-x86_64/root/ /sbin/init systemd.log_level=debug
+ # pacstrap -c -d ~/arch-tree/ base
+# systemd-nspawn -bD ~/arch-tree/
- This installs a minimal Fedora distribution into
- a subdirectory of /var/lib/mock/
- and then boots an OS in a namespace container in it,
- with systemd as init system, configured for debug
- logging.
+ This installs a mimimal Arch Linux distribution into
+ the directory ~/arch-tree/ and then
+ boots an OS in a namespace container in it.
+
+
+
+ Example 4
+
+ To enter the container, PID of one of the
+ processes sharing the new namespaces must be used.
+ systemd-nspawn prints the PID
+ (as viewed from the outside) of the launched process,
+ and it can be used to enter the container.
+
+ # nsenter -m -u -i -n -p -t $PID
+ nsenter1
+ is part of
+ util-linux.
+ Kernel support for entering namespaces was added in
+ Linux 3.8.
@@ -227,8 +439,11 @@
systemd1,
chroot1,
+ unshare1,
+ yum8,
debootstrap8,
- mock1
+ pacman8,
+ systemd.slice5