X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd-nspawn.xml;h=08b0457d16298d3395894391de82e60085e0b135;hp=777e0a3a77ba0ead624e29111ade46477892c9da;hb=a8828ed93878b4b4866d40ebfb660e54995ff72e;hpb=2b3987a863975f5a1fa1754725e3d07a5d4f6478
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 777e0a3a7..08b0457d1 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -49,7 +49,17 @@
- systemd-nspawn OPTIONSCOMMANDARGS
+ systemd-nspawn
+ OPTIONS
+ COMMAND
+ ARGS
+
+
+
+ systemd-nspawn
+ -b
+ OPTIONS
+ ARGS
@@ -87,15 +97,15 @@
involved with boot and systems management.
In contrast to
- chroot1
- systemd-nspawn may be used to boot
- full Linux-based operating systems in a
- container.
+ chroot1Â systemd-nspawn
+ may be used to boot full Linux-based operating systems
+ in a container.
Use a tool like
- yum8
+ yum8,
+ debootstrap8,
or
- debootstrap8
+ pacman8
to set up an OS directory tree suitable as file system
hierarchy for systemd-nspawn
containers.
@@ -113,26 +123,57 @@
see each other. The PID namespace separation of the
two containers is complete and the containers will
share very few runtime objects except for the
- underlying file system.
+ underlying file system. Use
+ machinectl1's
+ login command to request an
+ additional login prompt in a running container.
systemd-nspawn implements the
Container
Interface specification.
+
+ As a safety check
+ systemd-nspawn will verify the
+ existence of /etc/os-release in
+ the container tree before starting the container (see
+ os-release5). It
+ might be necessary to add this file to the container
+ tree manually if the OS of the container is too old to
+ contain this file out-of-the-box.
+
+
+
+ Incompatibility with Auditing
+
+ Note that the kernel auditing subsystem is
+ currently broken when used together with
+ containers. We hence recommend turning it off entirely
+ by booting with audit=0 on the
+ kernel command line, or by turning it off at kernel
+ build time. If auditing is enabled in the kernel,
+ operating systems booted in an nspawn container might
+ refuse log-in attempts.Options
- If no arguments are passed the container is set
- up and a shell started in it, otherwise the passed
- command and arguments are executed in it. The
- following options are understood:
+ If option is specified, the
+ arguments are used as arguments for the init
+ binary. Otherwise, COMMAND
+ specifies the program to launch in the container, and
+ the remaining arguments are used as arguments for this
+ program. If is not used and no
+ arguments are specifed, a shell is launched in the
+ container.
+
+ The following options are understood:
-
+ Prints a short help
text and exits.
@@ -146,29 +187,32 @@
-
+ Directory to use as
file system root for the namespace
- container. If omitted the current
+ container. If omitted, the current
directory will be
used.
-
+ Automatically search
for an init binary and invoke it
instead of a shell or a user supplied
- program.
+ program. If this option is used, arguments
+ specified on the command line are used
+ as arguments for the init binary.
+
-
+ Run the command
under specified user, create home
@@ -179,10 +223,56 @@
+
+
+
+
+ Sets the machine name
+ for this container. This name may be
+ used to identify this container on the
+ host, and is used to initialize the
+ container's hostname (which the
+ container can choose to override,
+ however). If not specified, the last
+ component of the root directory of the
+ container is used.
+
+
+
+
+
+ Make the container
+ part of the specified slice, instead
+ of the
+ machine.slice.
+
+
+
+
+
+
+
+ Sets the mandatory
+ access control (MAC) file label to be
+ used by tmpfs file systems in the
+ container.
+
+
+
+
+
+
+
+ Sets the mandatory
+ access control (MAC) label to be used by
+ processes in the container.
+
+
+
- Set the specified uuid
+ Set the specified UUID
for the container. The init system
will initialize
/etc/machine-id
@@ -190,16 +280,6 @@
-
-
-
-
- Makes the container appear in
- other hierarchies than the name=systemd:/ one.
- Takes a comma-separated list of controllers.
-
-
-
@@ -214,7 +294,7 @@
Mount the root file
- system read only for the
+ system read-only for the
container.
@@ -223,7 +303,7 @@
List one or more
additional capabilities to grant the
- container. Takes a comma separated
+ container. Takes a comma-separated
list of capability names, see
capabilities7
for more information. Note that the
@@ -244,12 +324,22 @@
CAP_AUDIT_CONTROL.
+
+
+
+ Specify one or more
+ additional capabilities to drop for
+ the container. This allows running the
+ container with fewer capabilities than
+ the default (see above).
+
+
Control whether the
container's journal shall be made
- visible to the host system. If enabled
+ visible to the host system. If enabled,
allows viewing the container's journal
files from the host (but not vice
versa). Takes one of
@@ -261,13 +351,13 @@
not linked. If host,
the journal files are stored on the
host file system (beneath
- /var/log/journal/<machine-id>)
+ /var/log/journal/machine-id)
and the subdirectory is bind-mounted
into the container at the same
location. If guest,
the journal files are stored on the
guest file system (beneath
- /var/log/journal/<machine-id>)
+ /var/log/journal/machine-id)
and the subdirectory is symlinked into the host
at the same location. If
auto (the default),
@@ -275,7 +365,7 @@
/var/log/journal
exists, it will be bind mounted
into the container. If the
- subdirectory doesn't exist, no
+ subdirectory does not exist, no
linking is performed. Effectively,
booting a container once with
guest or
@@ -291,6 +381,41 @@
Equivalent to
.
+
+
+
+
+
+ Bind mount a file or
+ directory from the host into the
+ container. Either takes a path
+ argument -- in which case the
+ specified path will be mounted from
+ the host to the same path in the
+ container --, or a colon-separated
+ pair of paths -- in which case the
+ first specified path is the source in
+ the host, and the second path is the
+ destination in the container. The
+ option
+ creates read-only bind
+ mount.
+
+
+
+
+
+ Specifies an
+ environment variable assignment to
+ pass to the init process in the
+ container, in the format
+ NAME=VALUE. This
+ may be used to override the default
+ variables or to set additional
+ variables. This parameter may be used
+ more than once.
+
+
@@ -302,7 +427,7 @@
# systemd-nspawn -bD /srv/mycontainer
This installs a minimal Fedora distribution into
- the directory /srv/mycontainer/ and
+ the directory /srv/mycontainer/ and
then boots an OS in a namespace container in
it.
@@ -317,7 +442,48 @@
distribution into the directory
~/debian-tree/ and then spawns a
shell in a namespace container in it.
+
+
+
+ Example 3
+
+ # pacstrap -c -d ~/arch-tree/ base
+# systemd-nspawn -bD ~/arch-tree/
+
+ This installs a mimimal Arch Linux distribution into
+ the directory ~/arch-tree/ and then
+ boots an OS in a namespace container in it.
+
+
+
+ Example 4
+
+ # mv ~/arch-tree /var/lib/container/arch
+# systemctl enable systemd-nspawn@arch.service
+# systemctl start systemd-nspawn@arch.service
+
+ This makes the Arch Linux container part of the
+ multi-user.target on the host.
+
+
+
+
+ Example 5
+
+ # btrfs subvolume snapshot / /.tmp
+# systemd-nspawn --private-network -D /.tmp -b
+
+ This runs a copy of the host system in a
+ btrfs snapshot.
+
+
+
+ Example 6
+
+ # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
+# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
+ This runs a container with SELinux sandbox labels.
@@ -333,7 +499,10 @@
systemd1,
chroot1,
yum8,
- debootstrap8
+ debootstrap8,
+ pacman8,
+ systemd.slice5,
+ machinectl1