to various kernel interfaces in the container to
read-only, such as <filename>/sys</filename>,
<filename>/proc/sys</filename> or
- <filename>/selinux</filename>. Network interfaces and
- the system clock may not be changed from within the
- container. Device nodes may not be created. The host
- system cannot be rebooted and kernel modules may not
- be loaded from within the container.</para>
+ <filename>/sys/fs/selinux</filename>. Network
+ interfaces and the system clock may not be changed
+ from within the container. Device nodes may not be
+ created. The host system cannot be rebooted and kernel
+ modules may not be loaded from within the
+ container.</para>
<para>Note that even though these security precautions
are taken <command>systemd-nspawn</command> is not
<varlistentry>
<term><option>--directory=</option></term>
- <term><option>--D</option></term>
+ <term><option>-D</option></term>
<listitem><para>Directory to use as
file system root for the namespace
<varlistentry>
<term><option>--user=</option></term>
- <term><option>--u</option></term>
+ <term><option>-u</option></term>
<listitem><para>Run the command
under specified user, create home
</varlistentry>
<varlistentry>
- <term><option>--no-net</option></term>
+ <term><option>--private-network</option></term>
<listitem><para>Turn off networking in
the container. This makes all network
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>mock</refentrytitle><manvolnum>1</manvolnum></citerefentry>
</para>
</refsect1>
~ianmdlvl / elogind.git / blobdiff