X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=man%2Fsystemd-nspawn.xml;h=ca99da4909cac88b654779a86d0508945ec53f64;hb=8a96d94e4c33173d1426b7e0a6325405804ba224;hp=7d450f912c1c617c17d6bd41a32eb0d87374963a;hpb=79640424059328268b9fb6c5fa8eb777b27a177e;p=elogind.git
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 7d450f912..ca99da490 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -123,10 +123,10 @@
see each other. The PID namespace separation of the
two containers is complete and the containers will
share very few runtime objects except for the
- underlying file system. It is however possible to
- enter an existing container, see
- Example 4 below.
-
+ underlying file system. Use
+ machinectl1's
+ login command to request an
+ additional login prompt in a running container.
systemd-nspawn implements the
+
+
+
+
+ Sets the SELinux
+ security context to be used to label
+ processes in the container.
+
+
+
+
+
+
+
+ Sets the SELinux security
+ context to be used to label files in
+ the virtual API file systems in the
+ container.
+
+
+
@@ -303,6 +324,16 @@
CAP_AUDIT_CONTROL.
+
+
+
+ Specify one or more
+ additional capabilities to drop for
+ the container. This allows running the
+ container with fewer capabilities than
+ the default (see above).
+
+
@@ -370,6 +401,54 @@
creates read-only bind
mount.
+
+
+
+
+ Specifies an
+ environment variable assignment to
+ pass to the init process in the
+ container, in the format
+ NAME=VALUE. This
+ may be used to override the default
+ variables or to set additional
+ variables. This parameter may be used
+ more than once.
+
+
+
+
+
+
+ Turns off any status
+ output by the tool itself. When this
+ switch is used, then the only output
+ by nspawn will be the console output
+ of the container OS
+ itself.
+
+
+
+
+
+ Allows the container
+ to share certain system facilities
+ with the host. More specifically, this
+ turns off PID namespacing, UTS
+ namespacing and IPC namespacing, and
+ thus allows the guest to see and
+ interact more easily with processes
+ outside of the container. Note that
+ using this option makes it impossible
+ to start up a full Operating System in the
+ container, as an init system cannot
+ operate in this mode. It is only
+ useful to run specific programs or
+ applications this way, without
+ involving an init
+ system in the container.
+
+
@@ -409,22 +488,35 @@
boots an OS in a namespace container in it.
-
+ Example 4
- To enter the container, PID of one of the
- processes sharing the new namespaces must be used.
- systemd-nspawn prints the PID
- (as viewed from the outside) of the launched process,
- and it can be used to enter the container.
+ # mv ~/arch-tree /var/lib/container/arch
+# systemctl enable systemd-nspawn@arch.service
+# systemctl start systemd-nspawn@arch.service
+
+ This makes the Arch Linux container part of the
+ multi-user.target on the host.
+
+
+
+
+ Example 5
+
+ # btrfs subvolume snapshot / /.tmp
+# systemd-nspawn --private-network -D /.tmp -b
+
+ This runs a copy of the host system in a
+ btrfs snapshot.
+
+
+
+ Example 6
- # nsenter -m -u -i -n -p -t $PID
+ # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
+# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
- nsenter1
- is part of
- util-linux.
- Kernel support for entering namespaces was added in
- Linux 3.8.
+ This runs a container with SELinux sandbox security contexts.
@@ -439,11 +531,11 @@
systemd1,
chroot1,
- unshare1,
yum8,
debootstrap8,
pacman8,
- systemd.slice5
+ systemd.slice5,
+ machinectl1