X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=man%2Fsystemd-nspawn.xml;h=ba2c5a487b693270d03d7d2646c227278b400aca;hp=ca21f2e6dbc0afadd805325a8acd3bc93b1fcba0;hb=39ed67d14694983dabd6641c02216aa440eed767;hpb=fb69ed55e5f8e82145440ba15075e8db807bf7fa
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index ca21f2e6d..ba2c5a487 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -97,14 +97,13 @@
involved with boot and systems management.
In contrast to
- chroot1
- systemd-nspawn may be used to boot
- full Linux-based operating systems in a
- container.
+ chroot1Â systemd-nspawn
+ may be used to boot full Linux-based operating systems
+ in a container.
Use a tool like
yum8,
- debootstrap8
+ debootstrap8,
or
pacman8
to set up an OS directory tree suitable as file system
@@ -124,10 +123,10 @@
see each other. The PID namespace separation of the
two containers is complete and the containers will
share very few runtime objects except for the
- underlying file system. It is however possible to
- enter an existing container, see
- Example 4 below.
-
+ underlying file system. Use
+ machinectl1's
+ login command to request an
+ additional login prompt in a running container.
systemd-nspawn implements the
-
- Incompatibility with Auditing
-
- Note that the kernel auditing subsystem is
- currently broken when used together with
- containers. We hence recommend turning it off entirely
- by booting with audit=0 on the
- kernel command line, or by turning it off at kernel
- build time. If auditing is enabled in the kernel
- operating systems booted in an nspawn container might
- refuse log-in attempts.
-
-
Options
@@ -193,7 +179,7 @@
Directory to use as
file system root for the namespace
- container. If omitted the current
+ container. If omitted, the current
directory will be
used.
@@ -205,9 +191,12 @@
Automatically search
for an init binary and invoke it
instead of a shell or a user supplied
- program. If this option is used, arguments
- specified on the command line are used
- as arguments for the init binary.
+ program. If this option is used,
+ arguments specified on the command
+ line are used as arguments for the
+ init binary. This option may not be
+ combined with
+ .
@@ -234,15 +223,46 @@
host, and is used to initialize the
container's hostname (which the
container can choose to override,
- however). If not specified the last
+ however). If not specified, the last
component of the root directory of the
container is used.
+
+
+
+ Make the container
+ part of the specified slice, instead
+ of the
+ machine.slice.
+
+
+
+
+
+
+
+ Sets the SELinux
+ security context to be used to label
+ processes in the container.
+
+
+
+
+
+
+
+ Sets the SELinux security
+ context to be used to label files in
+ the virtual API file systems in the
+ container.
+
+
+
- Set the specified uuid
+ Set the specified UUID
for the container. The init system
will initialize
/etc/machine-id
@@ -250,16 +270,6 @@
-
-
-
-
- Makes the container appear in
- other hierarchies than the name=systemd:/ one.
- Takes a comma-separated list of controllers.
-
-
-
@@ -274,7 +284,7 @@
Mount the root file
- system read only for the
+ system read-only for the
container.
@@ -283,7 +293,7 @@
List one or more
additional capabilities to grant the
- container. Takes a comma separated
+ container. Takes a comma-separated
list of capability names, see
capabilities7
for more information. Note that the
@@ -300,8 +310,21 @@
CAP_SYS_CHROOT, CAP_SYS_NICE,
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
CAP_SYS_RESOURCE, CAP_SYS_BOOT,
- CAP_AUDIT_WRITE,
- CAP_AUDIT_CONTROL.
+ CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
+ the special value
+ all is passed all
+ capabilities are
+ retained.
+
+
+
+
+
+ Specify one or more
+ additional capabilities to drop for
+ the container. This allows running the
+ container with fewer capabilities than
+ the default (see above).
@@ -309,7 +332,7 @@
Control whether the
container's journal shall be made
- visible to the host system. If enabled
+ visible to the host system. If enabled,
allows viewing the container's journal
files from the host (but not vice
versa). Takes one of
@@ -335,7 +358,7 @@
/var/log/journal
exists, it will be bind mounted
into the container. If the
- subdirectory doesn't exist, no
+ subdirectory does not exist, no
linking is performed. Effectively,
booting a container once with
guest or
@@ -371,6 +394,104 @@
creates read-only bind
mount.
+
+
+
+
+ Specifies an
+ environment variable assignment to
+ pass to the init process in the
+ container, in the format
+ NAME=VALUE. This
+ may be used to override the default
+ variables or to set additional
+ variables. This parameter may be used
+ more than once.
+
+
+
+
+
+
+ Turns off any status
+ output by the tool itself. When this
+ switch is used, then the only output
+ by nspawn will be the console output
+ of the container OS itself.
+
+
+
+
+
+ Allows the container
+ to share certain system facilities
+ with the host. More specifically, this
+ turns off PID namespacing, UTS
+ namespacing and IPC namespacing, and
+ thus allows the guest to see and
+ interact more easily with processes
+ outside of the container. Note that
+ using this option makes it impossible
+ to start up a full Operating System in
+ the container, as an init system
+ cannot operate in this mode. It is
+ only useful to run specific programs
+ or applications this way, without
+ involving an init system in the
+ container. This option implies
+ . This
+ option may not be combined with
+ .
+
+
+
+
+
+ Controls whether the
+ container is registered with
+ systemd-machined8. Takes
+ a boolean argument, defaults to
+ yes. This option
+ should be enabled when the container
+ runs a full Operating System (more
+ specifically: an init system), and is
+ useful to ensure that the container is
+ accessible via
+ machinectl1
+ and shown by tools such as
+ ps1. If
+ the container does not run an init
+ system it is recommended to set this
+ option to no. Note
+ that
+ implies
+ .
+
+
+
+
+
+
+ Instead of creating a
+ transient scope unit to run the
+ container in, simply register the
+ service or scope unit
+ systemd-nspawn has
+ been invoked in in
+ systemd-machined8. This
+ has no effect if
+ is
+ used. This switch should be used if
+ systemd-nspawn is
+ invoked from within an a service unit,
+ and the service unit's sole purpose
+ is to run a single
+ systemd-nspawn
+ container. This option is not
+ available if run from a user
+ session.
+
+
@@ -410,22 +531,35 @@
boots an OS in a namespace container in it.
-
+ Example 4
- To enter the container, PID of one of the
- processes sharing the new namespaces must be used.
- systemd-nspawn prints the PID
- (as viewed from the outside) of the launched process,
- and it can be used to enter the container.
+ # mv ~/arch-tree /var/lib/container/arch
+# systemctl enable systemd-nspawn@arch.service
+# systemctl start systemd-nspawn@arch.service
+
+ This makes the Arch Linux container part of the
+ multi-user.target on the host.
+
+
+
+
+ Example 5
+
+ # btrfs subvolume snapshot / /.tmp
+# systemd-nspawn --private-network -D /.tmp -b
+
+ This runs a copy of the host system in a
+ btrfs snapshot.
+
+
+
+ Example 6
- # nsenter -m -u -i -n -p -t $PID
+ # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
+# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
- nsenter1
- is part of
- util-linux.
- Kernel support for entering namespaces was added in
- Linux 3.8.
+ This runs a container with SELinux sandbox security contexts.
@@ -440,10 +574,11 @@
systemd1,
chroot1,
- unshare1,
yum8,
debootstrap8,
- pacman8
+ pacman8,
+ systemd.slice5,
+ machinectl1