everywhere: always use O_CLOEXEC where it makes sense
[elogind.git] / man / systemd-nspawn.xml
index 47c3183eee1e3000fe2232026b720f572c44b108..ffd707092c013d87553066f9ac46ff26a4cd2275 100644 (file)
                 contain this file out-of-the-box.</para>
         </refsect1>
 
-        <refsect1>
-                <title>Incompatibility with Auditing</title>
-
-                <para>Note that the kernel auditing subsystem is
-                currently broken when used together with
-                containers. We hence recommend turning it off entirely
-                by booting with <literal>audit=0</literal> on the
-                kernel command line, or by turning it off at kernel
-                build time. If auditing is enabled in the kernel,
-                operating systems booted in an nspawn container might
-                refuse log-in attempts.</para>
-        </refsect1>
-
         <refsect1>
                 <title>Options</title>
 
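Review bot: the removal of the "Incompatibility with Auditing" section drops the only guidance the page gave (boot with audit=0, or disable auditing at kernel build time) without saying what replaced it, and the commit subject (O_CLOEXEC) does not mention auditing at all; a reader on a kernel where the problem still exists will no longer learn why log-in attempts in the container are refused. If the incompatibility has been fixed, say so in the commit message or leave a one-line note that older kernels may still refuse log-ins when auditing is enabled; if it has not, the section should stay. Note also that CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL remain in the retained capability list further down this file, so the audit interaction is still part of what the container can reach.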
                                 the container. This makes all network
                                 interfaces unavailable in the
                                 container, with the exception of the
-                                loopback device.</para></listitem>
+                                loopback device and those specified
+                                with
+                                <option>--network-interface=</option>. If
+                                this option is specified the
+                                CAP_NET_ADMIN capability will be added
+                                to the set of capabilities the
+                                container retains. The latter may be
+                                disabled by using
+                                <option>--drop-capability=</option>.</para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--network-interface=</option></term>
+
+                                <listitem><para>Assign the specified
+                                network interface to the
+                                container. This will move the
+                                specified interface from the calling
+                                namespace and place it in the
+                                container. When the container
+                                terminates it is moved back to the
+                                host namespace. Note that
+                                <option>--network-interface=</option>
+                                implies
+                                <option>--private-network</option>. This
+                                option may be used more than once to
+                                add multiple network interfaces to the
+                                container.</para></listitem>
                         </varlistentry>
 
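Review bot: the sentence "If this option is specified the CAP_NET_ADMIN capability will be added to the set of capabilities the container retains" in the --private-network entry is ambiguous about which option it means and quietly widens the default retained capability set; state explicitly that --private-network (and therefore --network-interface=, which the next entry says implies it) causes CAP_NET_ADMIN to be retained, and repeat the pointer to --drop-capability= in the --network-interface= entry so an operator who reads only that entry knows how to take the capability back. The --network-interface= text also says the interface "is moved back to the host namespace" when the container terminates; document whether that still happens when systemd-nspawn is killed rather than exiting normally, so the operator knows whether the interface may need to be recovered by hand.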
                         <varlistentry>
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
                                 CAP_AUDIT_WRITE,
-                                CAP_AUDIT_CONTROL.</para></listitem>
+                                CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+                                is retained if
+                                <option>--private-network</option> is
+                                specified. If the special value
+                                <literal>all</literal> is passed all
+                                capabilities are
+                                retained.</para></listitem>
                         </varlistentry>
 
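Review bot: the new sentence about the special value all should make clear that it retains every capability, not just the listed defaults, and so removes the containment the default list provides; suggested wording: "If the special value <literal>all</literal> is passed, all capabilities are retained; this is not recommended for containers running untrusted code." Minor style: "Also CAP_NET_ADMIN is retained if ..." reads better as "CAP_NET_ADMIN is also retained if ...".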
                         <varlistentry>
                                 should be enabled when the container
                                 runs a full Operating System (more
                                 specifically: an init system), and is
-                                useful to ensure the container is
-                                accesible via
+                                useful to ensure that the container is
+                                accessible via
                                 <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
                                 and shown by tools such as
                                 <citerefentry><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
                                 <option>--register=no</option>.
                                 </para></listitem>
                         </varlistentry>
+
+                        <varlistentry>
+                                <term><option>--keep-unit</option></term>
+
+                                <listitem><para>Instead of creating a
+                                transient scope unit to run the
+                                container in, simply register the
+                                service or scope unit
+                                <command>systemd-nspawn</command> has
+                                been invoked in in
+                                <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
+                                has no effect if
+                                <option>--register=no</option> is
+                                used. This switch should be used if
+                                <command>systemd-nspawn</command> is
+                                invoked from within an a service unit,
+                                and the service unit's sole purpose
+                                is to run a single
+                                <command>systemd-nspawn</command>
+                                container. This option is not
+                                available if run from a user
+                                session.</para></listitem>
+                        </varlistentry>
+
                 </variablelist>
 
         </refsect1>
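Review bot: typos in the new --keep-unit paragraph: "invoked from within an a service unit" has a doubled article, and "has been invoked in in systemd-machined" needs a comma ("has been invoked in, in systemd-machined(8)") or a rephrasing such as "register, with systemd-machined(8), the service or scope unit systemd-nspawn has been invoked in". The entry also says the option is not available from a user session but not what happens if it is passed anyway (an error, or silently ignored as with --register=no); say which, since an operator relying on the unit being registered should notice when it is not. The accessible/accesible fix in the --register= entry is fine.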