X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd-nspawn.xml;h=7a88436bcfd17ae61b5f619994e785b72b702884;hp=df318d7a43c02c6ac33bc181728b9aae00603dbe;hb=aa28aefe61c5406c5cb631f3e82457b6d1bcc967;hpb=284c0b917697fb0271381f331ffee28403278e72
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index df318d7a4..7a88436bc 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -143,19 +143,6 @@
contain this file out-of-the-box.
-
- Incompatibility with Auditing
-
- Note that the kernel auditing subsystem is
- currently broken when used together with
- containers. We hence recommend turning it off entirely
- by booting with audit=0 on the
- kernel command line, or by turning it off at kernel
- build time. If auditing is enabled in the kernel,
- operating systems booted in an nspawn container might
- refuse log-in attempts.
-
-
Options
@@ -204,9 +191,12 @@
Automatically search
for an init binary and invoke it
instead of a shell or a user supplied
- program. If this option is used, arguments
- specified on the command line are used
- as arguments for the init binary.
+ program. If this option is used,
+ arguments specified on the command
+ line are used as arguments for the
+ init binary. This option may not be
+ combined with
+ .
@@ -249,23 +239,23 @@
-
-
+
+
- Sets the mandatory
- access control (MAC/SELinux) file
- label to be used by virtual API file
- systems in the container.
+ Sets the SELinux
+ security context to be used to label
+ processes in the container.
-
-
+
+
- Sets the mandatory
- access control (MAC/SELinux) label to be used by
- processes in the container.
+ Sets the SELinux security
+ context to be used to label files in
+ the virtual API file systems in the
+ container.
@@ -290,6 +280,19 @@
loopback device.
+
+
+
+ Assign the specified
+ network interface to the
+ container. This will move the
+ specified interface from the calling
+ namespace and place it in the
+ container. When the container
+ terminates it is moved back to the
+ host namespace.
+
+
@@ -320,8 +323,11 @@
CAP_SYS_CHROOT, CAP_SYS_NICE,
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
CAP_SYS_RESOURCE, CAP_SYS_BOOT,
- CAP_AUDIT_WRITE,
- CAP_AUDIT_CONTROL.
+ CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
+ the special value
+ all is passed all
+ capabilities are
+ retained.
@@ -424,8 +430,79 @@
output by the tool itself. When this
switch is used, then the only output
by nspawn will be the console output
- of the container OS
- itself.
+ of the container OS itself.
+
+
+
+
+
+ Allows the container
+ to share certain system facilities
+ with the host. More specifically, this
+ turns off PID namespacing, UTS
+ namespacing and IPC namespacing, and
+ thus allows the guest to see and
+ interact more easily with processes
+ outside of the container. Note that
+ using this option makes it impossible
+ to start up a full Operating System in
+ the container, as an init system
+ cannot operate in this mode. It is
+ only useful to run specific programs
+ or applications this way, without
+ involving an init system in the
+ container. This option implies
+ . This
+ option may not be combined with
+ .
+
+
+
+
+
+ Controls whether the
+ container is registered with
+ systemd-machined8. Takes
+ a boolean argument, defaults to
+ yes. This option
+ should be enabled when the container
+ runs a full Operating System (more
+ specifically: an init system), and is
+ useful to ensure that the container is
+ accessible via
+ machinectl1
+ and shown by tools such as
+ ps1. If
+ the container does not run an init
+ system it is recommended to set this
+ option to no. Note
+ that
+ implies
+ .
+
+
+
+
+
+
+ Instead of creating a
+ transient scope unit to run the
+ container in, simply register the
+ service or scope unit
+ systemd-nspawn has
+ been invoked in in
+ systemd-machined8. This
+ has no effect if
+ is
+ used. This switch should be used if
+ systemd-nspawn is
+ invoked from within an a service unit,
+ and the service unit's sole purpose
+ is to run a single
+ systemd-nspawn
+ container. This option is not
+ available if run from a user
+ session.
@@ -495,7 +572,7 @@
# chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
- This runs a container with SELinux sandbox labels.
+ This runs a container with SELinux sandbox security contexts.