summaryrefslogtreecommitdiffstats
path: root/man/portablectl.xml
diff options
context:
space:
mode:
Diffstat (limited to 'man/portablectl.xml')
-rw-r--r--man/portablectl.xml474
1 files changed, 474 insertions, 0 deletions
diff --git a/man/portablectl.xml b/man/portablectl.xml
new file mode 100644
index 0000000..963361e
--- /dev/null
+++ b/man/portablectl.xml
@@ -0,0 +1,474 @@
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="portablectl" conditional='ENABLE_PORTABLED'
+ xmlns:xi="http://www.w3.org/2001/XInclude">
+
+ <refentryinfo>
+ <title>portablectl</title>
+ <productname>systemd</productname>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>portablectl</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>portablectl</refname>
+ <refpurpose>Attach, detach or inspect portable service images</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>portablectl</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="req">COMMAND</arg>
+ <arg choice="opt" rep="repeat">NAME</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><command>portablectl</command> may be used to attach, detach or inspect portable service images. It's
+ primarily a command interfacing with
+ <citerefentry><refentrytitle>systemd-portabled.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+ <para>Portable service images contain an OS file system tree along with
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> unit file
+ information. A service image may be "attached" to the local system. If attached, a set of unit files are copied
+ from the image to the host, and extended with <varname>RootDirectory=</varname> or <varname>RootImage=</varname>
+ assignments (in case of service units) pointing to the image file or directory, ensuring the services will run
+ within the file system context of the image.</para>
+
+ <para>Portable service images are an efficient way to bundle multiple related services and other units together,
+ and transfer them as a whole between systems. When these images are attached the local system the contained units
+ may run in most ways like regular system-provided units, either with full privileges or inside strict sandboxing,
+ depending on the selected configuration. For more details, see
+ <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.</para>
+
+ <para>Specifically portable service images may be of the following kind:</para>
+
+ <itemizedlist>
+ <listitem><para>Directory trees containing an OS, including the top-level directories <filename>/usr/</filename>,
+ <filename>/etc/</filename>, and so on.</para></listitem>
+
+ <listitem><para>btrfs subvolumes containing OS trees, similar to normal directory trees.</para></listitem>
+
+ <listitem><para>Binary "raw" disk images containing MBR or GPT partition tables and Linux file system
+ partitions. (These must be regular files, with the <filename>.raw</filename> suffix.)</para></listitem>
+ </itemizedlist>
+
+ </refsect1>
+
+ <refsect1>
+ <title>Commands</title>
+
+ <para>The following commands are understood:</para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>list</command></term>
+
+ <listitem><para>List available portable service images. This will list all portable service images discovered
+ in the portable image search paths (see below), along with brief metadata and state information. Note that many
+ of the commands below may both operate on images inside and outside of the search paths. This command is hence
+ mostly a convenience option, the commands are generally not restricted to what this list
+ shows.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>attach</command> <replaceable>IMAGE</replaceable> [<replaceable>PREFIX…</replaceable>]</term>
+
+ <listitem><para>Attach a portable service image to the host system. Expects a file system path to a portable
+ service image file or directory as first argument. If the specified path contains no slash character
+ (<literal>/</literal>) it is understood as image filename that is searched for in the portable service image
+ search paths (see below). To reference a file in the current working directory prefix the filename with
+ <literal>./</literal> to avoid this search path logic.</para>
+
+ <para>When a portable service is attached four operations are executed:</para>
+
+ <orderedlist>
+
+ <listitem><para>All unit files of types <filename>.service</filename>, <filename>.socket</filename>,
+ <filename>.target</filename>, <filename>.timer</filename> and <filename>.path</filename> which match the
+ indicated unit file name prefix are copied from the image to the host's
+ <filename>/etc/systemd/system.attached/</filename> directory (or
+ <filename>/run/systemd/system.attached/</filename> — depending whether <option>--runtime</option> is
+ specified, see below), which is included in the built-in unit search path of the system service
+ manager.</para></listitem>
+
+ <listitem><para>For unit files of type <filename>.service</filename> a drop-in is added to these copies that
+ adds <varname>RootDirectory=</varname> or <varname>RootImage=</varname> settings (see
+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+ details), that ensures these services are run within the file system of the originating portable service
+ image.</para></listitem>
+
+ <listitem><para>A second drop-in is created: the "profile" drop-in, that may contain additional security
+ settings (and other settings). A number of profiles are available by default but administrators may define
+ their own ones. See below.</para></listitem>
+
+ <listitem><para>If the portable service image file is not already in the search path (see below), a symbolic
+ link to it is created in <filename>/etc/portables/</filename> or
+ <filename>/run/portables/</filename>, to make sure it is included in it.</para></listitem>
+ </orderedlist>
+
+ <para>By default all unit files whose names start with a prefix generated from the image's file name are copied
+ out. Specifically, the prefix is determined from the image file name with any suffix such as
+ <filename>.raw</filename> removed, truncated at the first occurrence of an underscore character
+ (<literal>_</literal>), if there is one. The underscore logic is supposed to be used to versioning so that the
+ an image file <filename>foobar_47.11.raw</filename> will result in a unit file matching prefix of
+ <filename>foobar</filename>. This prefix is then compared with all unit files names contained in the image in
+ the usual directories, but only unit file names where the prefix is followed by <literal>-</literal>,
+ <literal>.</literal> or <literal>@</literal> are considered. Example: if a portable service image file is named
+ <filename>foobar_47.11.raw</filename> then by default all its unit files with names such as
+ <filename>foobar-quux-waldi.service</filename>, <filename>foobar.service</filename> or
+ <filename>foobar@.service</filename> will be considered. It's possible to override the matching prefix: all
+ strings listed on the command line after the image file name are considered prefixes, overriding the implicit
+ logic where the prefix is derived from the image file name.</para>
+
+ <para>By default, after the unit files are attached the service manager's configuration is reloaded, except
+ when <option>--no-reload</option> is specified (see below). This ensures that the new units made available to
+ the service manager are seen by it.</para>
+
+ <para>If <option>--now</option> and/or <option>--enable</option> are passed, the portable services are
+ immediately started (blocking operation unless <option>--no-block</option> is passed) and/or enabled after
+ attaching the image.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>detach</command> <replaceable>IMAGE</replaceable> [<replaceable>PREFIX…</replaceable>]</term>
+
+ <listitem><para>Detaches a portable service image from the host. This undoes the operations executed by the
+ <command>attach</command> command above, and removes the unit file copies, drop-ins and image symlink
+ again. This command expects an image name or path as parameter. Note that if a path is specified only the last
+ component of it (i.e. the file or directory name itself, not the path to it) is used for finding matching unit
+ files. This is a convenience feature to allow all arguments passed as <command>attach</command> also to
+ <command>detach</command>.</para></listitem>
+
+ <para>If <option>--now</option> and/or <option>--enable</option> are passed, the portable services are
+ immediately stopped (blocking operation) and/or disabled before detaching the image. Prefix(es) are also accepted,
+ to be used in case the unit names do not match the image name as described in the <command>attach</command>.</para>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>reattach</command> <replaceable>IMAGE</replaceable> [<replaceable>PREFIX…</replaceable>]</term>
+
+ <listitem><para>Detaches an existing portable service image from the host, and immediately attaches it again.
+ This is useful in case the image was replaced. Running units are not stopped during the process. Partial matching,
+ to allow for different versions in the image name, is allowed: only the part before the first <literal>_</literal>
+ character has to match. If the new image doesn't exist, the existing one will not be detached. The parameters
+ follow the same syntax as the <command>attach</command> command.</para></listitem>
+
+ <para>If <option>--now</option> and/or <option>--enable</option> are passed, the portable services are
+ immediately stopped if removed, started and/or enabled if added, or restarted if updated. Prefixes are also
+ accepted, in the same way as described in the <command>attach</command> case.</para>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>inspect</command> <replaceable>IMAGE</replaceable> [<replaceable>PREFIX…</replaceable>]</term>
+
+ <listitem><para>Extracts various metadata from a portable service image and presents it to the
+ caller. Specifically, the
+ <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> file of the
+ image is retrieved as well as all matching unit files. By default a short summary showing the most relevant
+ metadata in combination with a list of matching unit files is shown (that is the unit files
+ <command>attach</command> would install to the host system). If combined with <option>--cat</option> (see
+ above), the <filename>os-release</filename> data and the units files' contents is displayed unprocessed. This
+ command is useful to determine whether an image qualifies as portable service image, and which unit files are
+ included. This command expects the path to the image as parameter, optionally followed by a list of unit file
+ prefixes to consider, similar to the <command>attach</command> command described above.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>is-attached</command> <replaceable>IMAGE</replaceable></term>
+
+ <listitem><para>Determines whether the specified image is currently attached or not. Unless combined with the
+ <option>--quiet</option> switch this will show a short state identifier for the image. Specifically:</para>
+
+ <table>
+ <title>Image attachment states</title>
+ <tgroup cols='2'>
+ <colspec colname='state'/>
+ <colspec colname='description'/>
+ <thead>
+ <row>
+ <entry>State</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><option>detached</option></entry>
+ <entry>The image is currently not attached.</entry>
+ </row>
+ <row>
+ <entry><option>attached</option></entry>
+ <entry>The image is currently attached, i.e. its unit files have been made available to the host system.</entry>
+ </row>
+ <row>
+ <entry><option>attached-runtime</option></entry>
+ <entry>Like <option>attached</option>, but the unit files have been made available transiently only, i.e. the <command>attach</command> command has been invoked with the <option>--runtime</option> option.</entry>
+ </row>
+ <row>
+ <entry><option>enabled</option></entry>
+ <entry>The image is currently attached, and at least one unit file associated with it has been enabled.</entry>
+ </row>
+ <row>
+ <entry><option>enabled-runtime</option></entry>
+ <entry>Like <option>enabled</option>, but the unit files have been made available transiently only, i.e. the <command>attach</command> command has been invoked with the <option>--runtime</option> option.</entry>
+ </row>
+ <row>
+ <entry><option>running</option></entry>
+ <entry>The image is currently attached, and at least one unit file associated with it is running.</entry>
+ </row>
+ <row>
+ <entry><option>running-runtime</option></entry>
+ <entry>The image is currently attached transiently, and at least one unit file associated with it is running.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>read-only</command> <replaceable>IMAGE</replaceable> [<replaceable>BOOL</replaceable>]</term>
+
+ <listitem><para>Marks or (unmarks) a portable service image read-only. Takes an image name, followed by a
+ boolean as arguments. If the boolean is omitted, positive is implied, i.e. the image is marked
+ read-only.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>remove</command> <replaceable>IMAGE</replaceable>…</term>
+
+ <listitem><para>Removes one or more portable service images. Note that this command will only remove the
+ specified image path itself — it refers to a symbolic link then the symbolic link is removed and not the
+ image it points to.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>set-limit</command> [<replaceable>IMAGE</replaceable>] <replaceable>BYTES</replaceable></term>
+
+ <listitem><para>Sets the maximum size in bytes that a specific portable service image, or all images, may grow
+ up to on disk (disk quota). Takes either one or two parameters. The first, optional parameter refers to a
+ portable service image name. If specified, the size limit of the specified image is changed. If omitted, the
+ overall size limit of the sum of all images stored locally is changed. The final argument specifies the size
+ limit in bytes, possibly suffixed by the usual K, M, G, T units. If the size limit shall be disabled, specify
+ <literal>-</literal> as size.</para>
+
+ <para>Note that per-image size limits are only supported on btrfs file systems. Also, depending on
+ <varname>BindPaths=</varname> settings in the portable service's unit files directories from the host might be
+ visible in the image environment during runtime which are not affected by this setting, as only the image
+ itself is counted against this limit.</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+
+ <para>The following options are understood:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>-q</option></term>
+ <term><option>--quiet</option></term>
+
+ <listitem><para>Suppresses additional informational output while running.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-p</option> <replaceable>PROFILE</replaceable></term>
+ <term><option>--profile=</option><replaceable>PROFILE</replaceable></term>
+
+ <listitem><para>When attaching an image, select the profile to use. By default the <literal>default</literal>
+ profile is used. For details about profiles, see below.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--copy=</option></term>
+
+ <listitem><para>When attaching an image, select whether to prefer copying or symlinking of files installed into
+ the host system. Takes one of <literal>copy</literal> (to prefer copying of files), <literal>symlink</literal>
+ (to prefer creation of symbolic links) or <literal>auto</literal> for an intermediary mode where security
+ profile drop-ins are symlinked while unit files are copied. Note that this option expresses a preference only,
+ in cases where symbolic links cannot be created — for example when the image operated on is a raw disk image,
+ and hence not directly referentiable from the host file system — copying of files is used
+ unconditionally.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--runtime</option></term>
+
+ <listitem><para>When specified the unit and drop-in files are placed in
+ <filename>/run/systemd/system.attached/</filename> instead of
+ <filename>/etc/systemd/system.attached/</filename>. Images attached with this option set hence remain attached
+ only until the next reboot, while they are normally attached persistently.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--no-reload</option></term>
+
+ <listitem><para>Don't reload the service manager after attaching or detaching a portable service
+ image. Normally the service manager is reloaded to ensure it is aware of added or removed unit
+ files.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--cat</option></term>
+
+ <listitem><para>When inspecting portable service images, show the (unprocessed) contents of the metadata files
+ pulled from the image, instead of brief summaries. Specifically, this will show the
+ <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> and unit file
+ contents of the image.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--enable</option></term>
+
+ <listitem><para>Immediately enable/disable the portable service after attaching/detaching.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--now</option></term>
+
+ <listitem><para>Immediately start/stop/restart the portable service after attaching/before
+ detaching/after upgrading.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--no-block</option></term>
+
+ <listitem><para>Don't block waiting for attach --now to complete.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--extension=</option><replaceable>PATH</replaceable></term>
+
+ <listitem><para>Add an additional image <replaceable>PATH</replaceable> as an overlay on
+ top of <replaceable>IMAGE</replaceable> when attaching/detaching. This argument can be specified
+ multiple times, in which case the order in which images are laid down follows the rules specified in
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ for the <varname>ExtensionImages=</varname> directive and for the
+ <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> tool.
+ The images must contain an <filename>extension-release</filename> file with metadata that matches
+ what is defined in the <filename>os-release</filename> of <replaceable>IMAGE</replaceable>. See:
+ <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ Images can be block images, btrfs subvolumes or directories. For more information on portable
+ services with extensions, see the <literal>Extension Images</literal> paragraph on
+ <ulink url="https://systemd.io/PORTABLE_SERVICES">Portable Services</ulink>.
+ </para>
+
+ <para>Note that the same extensions have to be specified, in the same order, when attaching
+ and detaching.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--force</option></term>
+
+ <listitem><para>Skip safety checks and attach or detach images (with extensions) without first ensuring
+ that the units are not running, and do not insist that the
+ <filename>extension-release.<replaceable>NAME</replaceable></filename> file in the extension image has
+ to match the image filename.</para></listitem>
+ </varlistentry>
+
+ <xi:include href="user-system-options.xml" xpointer="host" />
+ <xi:include href="user-system-options.xml" xpointer="machine" />
+
+ <xi:include href="standard-options.xml" xpointer="no-pager" />
+ <xi:include href="standard-options.xml" xpointer="no-legend" />
+ <xi:include href="standard-options.xml" xpointer="no-ask-password" />
+ <xi:include href="standard-options.xml" xpointer="help" />
+ <xi:include href="standard-options.xml" xpointer="version" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Files and Directories</title>
+
+ <para>Portable service images are preferably stored in <filename>/var/lib/portables/</filename>, but are also
+ searched for in <filename>/etc/portables/</filename>, <filename>/run/systemd/portables/</filename>,
+ <filename>/usr/local/lib/portables/</filename> and <filename>/usr/lib/portables/</filename>. It's recommended not
+ to place image files directly in <filename>/etc/portables/</filename> or
+ <filename>/run/systemd/portables/</filename> (as these are generally not suitable for storing large or non-textual
+ data), but use these directories only for linking images located elsewhere into the image search path.</para>
+
+ <para>When a portable service image is attached, matching unit files are copied onto the host into the
+ <filename>/etc/systemd/system.attached/</filename> and <filename>/run/systemd/system.attached/</filename>
+ directories. When an image is detached, the unit files are removed again from these directories.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Profiles</title>
+
+ <para>When portable service images are attached a "profile" drop-in is linked in, which may be used to enforce
+ additional security (and other) restrictions locally. Four profile drop-ins are defined by default, and shipped in
+ <filename>/usr/lib/systemd/portable/profile/</filename>. Additional, local profiles may be defined by placing them
+ in <filename>/etc/systemd/portable/profile/</filename>. The default profiles are:</para>
+
+ <table>
+ <title>Profiles</title>
+ <tgroup cols='2'>
+ <colspec colname='state'/>
+ <colspec colname='description'/>
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Description</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><filename>default</filename></entry>
+ <entry>This is the default profile if no other profile name is set via the <option>--profile=</option> (see above). It's fairly restrictive, but should be useful for common, unprivileged system workloads. This includes write access to the logging framework, as well as IPC access to the D-Bus system.</entry>
+ </row>
+ <row>
+ <entry><filename>nonetwork</filename></entry>
+ <entry>Very similar to <filename>default</filename>, but networking is turned off for any services of the portable service image.</entry>
+ </row>
+ <row>
+ <entry><filename>strict</filename></entry>
+ <entry>A profile with very strict settings. This profile excludes IPC (D-Bus) and network access.</entry>
+ </row>
+ <row>
+ <entry><filename>trusted</filename></entry>
+ <entry>A profile with very relaxed settings. In this profile the services run with full privileges.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>For details on these profiles and their effects see their precise definitions,
+ e.g. <filename>/usr/lib/systemd/portable/profile/default/service.conf</filename> and similar.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Exit status</title>
+
+ <para>On success, 0 is returned, a non-zero failure code otherwise.</para>
+ </refsect1>
+
+ <xi:include href="common-variables.xml" />
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>org.freedesktop.portable1</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-portabled.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>