1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
6 This file is part of systemd.
8 Copyright 2010 Lennart Poettering
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 <refentry id="systemd-nspawn">
27 <title>systemd-nspawn</title>
28 <productname>systemd</productname>
32 <contrib>Developer</contrib>
33 <firstname>Lennart</firstname>
34 <surname>Poettering</surname>
35 <email>lennart@poettering.net</email>
41 <refentrytitle>systemd-nspawn</refentrytitle>
42 <manvolnum>1</manvolnum>
46 <refname>systemd-nspawn</refname>
47 <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
52 <command>systemd-nspawn</command>
53 <arg choice="opt" rep="repeat">OPTIONS</arg>
54 <arg choice="opt"><replaceable>COMMAND</replaceable>
55 <arg choice="opt" rep="repeat">ARGS</arg>
59 <command>systemd-nspawn</command>
60 <arg choice="plain">-b</arg>
61 <arg choice="opt" rep="repeat">OPTIONS</arg>
62 <arg choice="opt" rep="repeat">ARGS</arg>
67 <title>Description</title>
69 <para><command>systemd-nspawn</command> may be used to
70 run a command or OS in a light-weight namespace
71 container. In many ways it is similar to
72 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
73 but more powerful since it fully virtualizes the file
74 system hierarchy, as well as the process tree, the
75 various IPC subsystems and the host and domain
78 <para><command>systemd-nspawn</command> limits access
79 to various kernel interfaces in the container to
80 read-only, such as <filename>/sys</filename>,
81 <filename>/proc/sys</filename> or
82 <filename>/sys/fs/selinux</filename>. Network
83 interfaces and the system clock may not be changed
84 from within the container. Device nodes may not be
85 created. The host system cannot be rebooted and kernel
86 modules may not be loaded from within the
89 <para>Note that even though these security precautions
90 are taken <command>systemd-nspawn</command> is not
91 suitable for secure container setups. Many of the
92 security features may be circumvented and are hence
93 primarily useful to avoid accidental changes to the
94 host system from the container. The intended use of
95 this program is debugging and testing as well as
96 building of packages, distributions and software
97 involved with boot and systems management.</para>
100 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
101 may be used to boot full Linux-based operating systems
102 in a container.</para>
104 <para>Use a tool like
105 <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
106 <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
108 <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
109 to set up an OS directory tree suitable as file system
110 hierarchy for <command>systemd-nspawn</command>
113 <para>Note that <command>systemd-nspawn</command> will
114 mount file systems private to the container to
115 <filename>/dev</filename>,
116 <filename>/run</filename> and similar. These will
117 not be visible outside of the container, and their
118 contents will be lost when the container exits.</para>
120 <para>Note that running two
121 <command>systemd-nspawn</command> containers from the
122 same directory tree will not make processes in them
123 see each other. The PID namespace separation of the
124 two containers is complete and the containers will
125 share very few runtime objects except for the
126 underlying file system. Use
127 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
128 <command>login</command> command to request an
129 additional login prompt in a running container.</para>
131 <para><command>systemd-nspawn</command> implements the
133 url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
134 Interface</ulink> specification.</para>
136 <para>As a safety check
137 <command>systemd-nspawn</command> will verify the
138 existence of <filename>/etc/os-release</filename> in
139 the container tree before starting the container (see
140 <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It
141 might be necessary to add this file to the container
142 tree manually if the OS of the container is too old to
143 contain this file out-of-the-box.</para>
147 <title>Incompatibility with Auditing</title>
149 <para>Note that the kernel auditing subsystem is
150 currently broken when used together with
151 containers. We hence recommend turning it off entirely
152 by booting with <literal>audit=0</literal> on the
153 kernel command line, or by turning it off at kernel
154 build time. If auditing is enabled in the kernel,
155 operating systems booted in an nspawn container might
156 refuse log-in attempts.</para>
160 <title>Options</title>
162 <para>If option <option>-b</option> is specified, the
163 arguments are used as arguments for the init
164 binary. Otherwise, <replaceable>COMMAND</replaceable>
165 specifies the program to launch in the container, and
166 the remaining arguments are used as arguments for this
167 program. If <option>-b</option> is not used and no
168 arguments are specifed, a shell is launched in the
171 <para>The following options are understood:</para>
175 <term><option>-h</option></term>
176 <term><option>--help</option></term>
178 <listitem><para>Prints a short help
179 text and exits.</para></listitem>
183 <term><option>--version</option></term>
185 <listitem><para>Prints a version string
186 and exits.</para></listitem>
190 <term><option>-D</option></term>
191 <term><option>--directory=</option></term>
193 <listitem><para>Directory to use as
194 file system root for the namespace
195 container. If omitted, the current
197 used.</para></listitem>
201 <term><option>-b</option></term>
202 <term><option>--boot</option></term>
204 <listitem><para>Automatically search
205 for an init binary and invoke it
206 instead of a shell or a user supplied
207 program. If this option is used,
208 arguments specified on the command
209 line are used as arguments for the
210 init binary. This option may not be
212 <option>--share-system</option>.
217 <term><option>-u</option></term>
218 <term><option>--user=</option></term>
220 <listitem><para>Run the command
221 under specified user, create home
222 directory and cd into it. As rest
223 of systemd-nspawn, this is not
224 the security feature and limits
225 against accidental changes only.
230 <term><option>-M</option></term>
231 <term><option>--machine=</option></term>
233 <listitem><para>Sets the machine name
234 for this container. This name may be
235 used to identify this container on the
236 host, and is used to initialize the
237 container's hostname (which the
238 container can choose to override,
239 however). If not specified, the last
240 component of the root directory of the
241 container is used.</para></listitem>
245 <term><option>--slice=</option></term>
247 <listitem><para>Make the container
248 part of the specified slice, instead
250 <filename>machine.slice</filename>.</para>
255 <term><option>-Z</option></term>
256 <term><option>--selinux-context=</option></term>
258 <listitem><para>Sets the SELinux
259 security context to be used to label
260 processes in the container.</para>
265 <term><option>-L</option></term>
266 <term><option>--selinux-apifs-context=</option></term>
268 <listitem><para>Sets the SELinux security
269 context to be used to label files in
270 the virtual API file systems in the
276 <term><option>--uuid=</option></term>
278 <listitem><para>Set the specified UUID
279 for the container. The init system
281 <filename>/etc/machine-id</filename>
282 from this if this file is not set yet.
287 <term><option>--private-network</option></term>
289 <listitem><para>Turn off networking in
290 the container. This makes all network
291 interfaces unavailable in the
292 container, with the exception of the
293 loopback device.</para></listitem>
297 <term><option>--read-only</option></term>
299 <listitem><para>Mount the root file
300 system read-only for the
301 container.</para></listitem>
305 <term><option>--capability=</option></term>
307 <listitem><para>List one or more
308 additional capabilities to grant the
309 container. Takes a comma-separated
310 list of capability names, see
311 <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
312 for more information. Note that the
313 following capabilities will be granted
314 in any way: CAP_CHOWN,
315 CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
316 CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
319 CAP_NET_BIND_SERVICE,
320 CAP_NET_BROADCAST, CAP_NET_RAW,
321 CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
322 CAP_SETUID, CAP_SYS_ADMIN,
323 CAP_SYS_CHROOT, CAP_SYS_NICE,
324 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
325 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
327 CAP_AUDIT_CONTROL.</para></listitem>
331 <term><option>--drop-capability=</option></term>
333 <listitem><para>Specify one or more
334 additional capabilities to drop for
335 the container. This allows running the
336 container with fewer capabilities than
337 the default (see above).</para></listitem>
341 <term><option>--link-journal=</option></term>
343 <listitem><para>Control whether the
344 container's journal shall be made
345 visible to the host system. If enabled,
346 allows viewing the container's journal
347 files from the host (but not vice
349 <literal>no</literal>,
350 <literal>host</literal>,
351 <literal>guest</literal>,
352 <literal>auto</literal>. If
353 <literal>no</literal>, the journal is
354 not linked. If <literal>host</literal>,
355 the journal files are stored on the
356 host file system (beneath
357 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
358 and the subdirectory is bind-mounted
359 into the container at the same
360 location. If <literal>guest</literal>,
361 the journal files are stored on the
362 guest file system (beneath
363 <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
364 and the subdirectory is symlinked into the host
365 at the same location. If
366 <literal>auto</literal> (the default),
367 and the right subdirectory of
368 <filename>/var/log/journal</filename>
369 exists, it will be bind mounted
370 into the container. If the
371 subdirectory does not exist, no
372 linking is performed. Effectively,
373 booting a container once with
374 <literal>guest</literal> or
375 <literal>host</literal> will link the
376 journal persistently if further on
377 the default of <literal>auto</literal>
378 is used.</para></listitem>
382 <term><option>-j</option></term>
384 <listitem><para>Equivalent to
385 <option>--link-journal=guest</option>.</para></listitem>
389 <term><option>--bind=</option></term>
390 <term><option>--bind-ro=</option></term>
392 <listitem><para>Bind mount a file or
393 directory from the host into the
394 container. Either takes a path
395 argument -- in which case the
396 specified path will be mounted from
397 the host to the same path in the
398 container --, or a colon-separated
399 pair of paths -- in which case the
400 first specified path is the source in
401 the host, and the second path is the
402 destination in the container. The
403 <option>--bind-ro=</option> option
404 creates read-only bind
405 mount.</para></listitem>
409 <term><option>--setenv=</option></term>
411 <listitem><para>Specifies an
412 environment variable assignment to
413 pass to the init process in the
414 container, in the format
415 <literal>NAME=VALUE</literal>. This
416 may be used to override the default
417 variables or to set additional
418 variables. This parameter may be used
419 more than once.</para></listitem>
423 <term><option>-q</option></term>
424 <term><option>--quiet</option></term>
426 <listitem><para>Turns off any status
427 output by the tool itself. When this
428 switch is used, then the only output
429 by nspawn will be the console output
430 of the container OS itself.</para></listitem>
434 <term><option>--share-system</option></term>
436 <listitem><para>Allows the container
437 to share certain system facilities
438 with the host. More specifically, this
439 turns off PID namespacing, UTS
440 namespacing and IPC namespacing, and
441 thus allows the guest to see and
442 interact more easily with processes
443 outside of the container. Note that
444 using this option makes it impossible
445 to start up a full Operating System in
446 the container, as an init system
447 cannot operate in this mode. It is
448 only useful to run specific programs
449 or applications this way, without
450 involving an init system in the
451 container. This option implies
452 <option>--register=no</option>. This
453 option may not be combined with
454 <option>--boot</option>.</para></listitem>
458 <term><option>--register=</option></term>
460 <listitem><para>Controls whether the
461 container is registered with
462 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
463 a boolean argument, defaults to
464 <literal>yes</literal>. This option
465 should be enabled when the container
466 runs a full Operating System (more
467 specifically: an init system), and is
468 useful to ensure that the container is
470 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
471 and shown by tools such as
472 <citerefentry><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
473 the container does not run an init
474 system it is recommended to set this
475 option to <literal>no</literal>. Note
476 that <option>--share-system</option>
478 <option>--register=no</option>.
483 <term><option>--keep-unit</option></term>
485 <listitem><para>Instead of creating a
486 transient scope unit to run the
487 container in, simply register the
488 service or scope unit
489 <command>systemd-nspawn</command> has
491 <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
493 <option>--register=no</option> is
494 used. This switch should be used if
495 <command>systemd-nspawn</command> is
496 invoked from within an a service unit,
497 and the service unit's sole purpose
499 <command>systemd-nspawn</command>
500 container. This option is not
501 available if run from a user
502 session.</para></listitem>
510 <title>Example 1</title>
512 <programlisting># yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
513 # systemd-nspawn -bD /srv/mycontainer</programlisting>
515 <para>This installs a minimal Fedora distribution into
516 the directory <filename noindex='true'>/srv/mycontainer/</filename> and
517 then boots an OS in a namespace container in
522 <title>Example 2</title>
524 <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
525 # systemd-nspawn -D ~/debian-tree/</programlisting>
527 <para>This installs a minimal Debian unstable
528 distribution into the directory
529 <filename>~/debian-tree/</filename> and then spawns a
530 shell in a namespace container in it.</para>
534 <title>Example 3</title>
536 <programlisting># pacstrap -c -d ~/arch-tree/ base
537 # systemd-nspawn -bD ~/arch-tree/</programlisting>
539 <para>This installs a mimimal Arch Linux distribution into
540 the directory <filename>~/arch-tree/</filename> and then
541 boots an OS in a namespace container in it.</para>
545 <title>Example 4</title>
547 <programlisting># mv ~/arch-tree /var/lib/container/arch
548 # systemctl enable systemd-nspawn@arch.service
549 # systemctl start systemd-nspawn@arch.service</programlisting>
551 <para>This makes the Arch Linux container part of the
552 <filename>multi-user.target</filename> on the host.
557 <title>Example 5</title>
559 <programlisting># btrfs subvolume snapshot / /.tmp
560 # systemd-nspawn --private-network -D /.tmp -b</programlisting>
562 <para>This runs a copy of the host system in a
563 btrfs snapshot.</para>
567 <title>Example 6</title>
569 <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
570 # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
572 <para>This runs a container with SELinux sandbox security contexts.</para>
576 <title>Exit status</title>
578 <para>The exit code of the program executed in the
579 container is returned.</para>
583 <title>See Also</title>
585 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
586 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
587 <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
588 <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
589 <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
590 <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
591 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>