udev: fix test-udev binary
[elogind.git] / man / systemd-nspawn.xml
index 70ebf94e0ff4ff5fc65c45921a57a9d2d63f579b..dbd2ff5a8add5448ea0a2c0dc1e40473cb593d25 100644 (file)
@@ -61,7 +61,7 @@
                 container. In many ways it is similar to
                 <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                 but more powerful since it fully virtualizes the file
-                system hierachy, as well as the process tree, the
+                system hierarchy, as well as the process tree, the
                 various IPC subsystems and the host and domain
                 name.</para>
 
                 to various kernel interfaces in the container to
                 read-only, such as <filename>/sys</filename>,
                 <filename>/proc/sys</filename> or
-                <filename>/selinux</filename>. Network interfaces and
-                the system clock may not be changed from within the
-                container. Device nodes may not be created. The host
-                system cannot be rebooted and kernel modules may not
-                be loaded from within the container.</para>
+                <filename>/sys/fs/selinux</filename>. Network
+                interfaces and the system clock may not be changed
+                from within the container. Device nodes may not be
+                created. The host system cannot be rebooted and kernel
+                modules may not be loaded from within the
+                container.</para>
 
                 <para>Note that even though these security precautions
                 are taken <command>systemd-nspawn</command> is not
                 <para>Note that <command>systemd-nspawn</command> will
                 mount file systems private to the container to
                 <filename>/dev</filename>,
-                <filename>/dev/.run</filename> and similar. These will
+                <filename>/run</filename> and similar. These will
                 not be visible outside of the container, and their
                 contents will be lost when the container exits.</para>
 
                 <para>Note that running two
                 <command>systemd-nspawn</command> containers from the
                 same directory tree will not make processes in them
-                see each other. The PID namespace seperation of the
+                see each other. The PID namespace separation of the
                 two containers is complete and the containers will
                 share very few runtime objects except for the
                 underlying file system.</para>
                 <variablelist>
                         <varlistentry>
                                 <term><option>--help</option></term>
+                                <term><option>-h</option></term>
 
                                 <listitem><para>Prints a short help
                                 text and exits.</para></listitem>
 
                         <varlistentry>
                                 <term><option>--directory=</option></term>
-                                <term><option>--D</option></term>
+                                <term><option>-D</option></term>
 
                                 <listitem><para>Directory to use as
                                 file system root for the namespace
                                 used.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>--user=</option></term>
+                                <term><option>-u</option></term>
+
+                                <listitem><para>Run the command
+                                under specified user, create home
+                                directory and cd into it. As rest
+                                of systemd-nspawn, this is not
+                                the security feature and limits
+                                against accidental changes only.
+                                </para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--private-network</option></term>
+
+                                <listitem><para>Turn off networking in
+                                the container. This makes all network
+                                interfaces unavailable in the
+                                container, with the exception of the
+                                loopback device.</para></listitem>
+                        </varlistentry>
+
                 </variablelist>
 
         </refsect1>
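Review bot: the new <option>--user=</option> description in this hunk needs a wording pass before it lands, since "Run the command under specified user, create home directory and cd into it. As rest of systemd-nspawn, this is not the security feature and limits against accidental changes only." reads as a draft. Suggest "Run the command as the specified user, creating the user's home directory and changing into it. Like the rest of systemd-nspawn, this is not a security feature and only protects against accidental changes." The last sentence is the important one and should stay: it matches the "not a security feature" caveat already present in the DESCRIPTION section, and keeping the two statements consistent tells readers not to treat <option>--user=</option> as a privilege boundary. The <option>--private-network</option> entry is fine as written; it would read more consistently with the surrounding entries if it used the same "Turns off ..." third-person form, but that is cosmetic.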
                 <title>Example 2</title>
 
                 <programlisting># mock --init
-# systemd-nspawn -D /var/lib/mock/fedora-rawhide-x86_64/root/ /bin/systemd systemd.log_level=debug</programlisting>
+# systemd-nspawn -D /var/lib/mock/fedora-rawhide-x86_64/root/ /sbin/init systemd.log_level=debug</programlisting>
 
                 <para>This installs a minimal Fedora distribution into
                 a subdirectory of <filename>/var/lib/mock/</filename>
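Review bot: the corrected listing now boots the container via <filename>/sbin/init</filename> and passes <literal>systemd.log_level=debug</literal> as its argument, but the paragraph that follows ("This installs a minimal Fedora distribution into a subdirectory of /var/lib/mock/ ...") does not say that the trailing argument goes to the container's init and is not an option of <command>systemd-nspawn</command> itself. Suggest a short sentence after the listing making that explicit, so readers do not try to pass init options before the <option>-D</option> argument, where nspawn would parse them as its own.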
                 <para>
                         <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                         <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-                        <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+                        <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
                         <citerefentry><refentrytitle>mock</refentrytitle><manvolnum>1</manvolnum></citerefentry>
                 </para>
         </refsect1>