path: root/upstream/fedora-rawhide/man1/systemd-nspawn.1
Diffstat (limited to 'upstream/fedora-rawhide/man1/systemd-nspawn.1')
-rw-r--r--  upstream/fedora-rawhide/man1/systemd-nspawn.1  199
1 files changed, 162 insertions, 37 deletions
diff --git a/upstream/fedora-rawhide/man1/systemd-nspawn.1 b/upstream/fedora-rawhide/man1/systemd-nspawn.1
index 9aafd6eb..77ab1706 100644
--- a/upstream/fedora-rawhide/man1/systemd-nspawn.1
+++ b/upstream/fedora-rawhide/man1/systemd-nspawn.1
@@ -1,5 +1,5 @@
'\" t
-.TH "SYSTEMD\-NSPAWN" "1" "" "systemd 255" "systemd-nspawn"
+.TH "SYSTEMD\-NSPAWN" "1" "" "systemd 256~rc3" "systemd-nspawn"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -119,6 +119,56 @@ While running, containers invoked with
are registered with the
\fBsystemd-machined\fR(8)
service that keeps track of running containers, and provides programming interfaces to interact with them\&.
+.SH "UNPRIVILEGED OPERATION"
+.PP
+\fBsystemd\-nspawn\fR
+may be invoked with or without privileges\&. The full functionality is currently only available when invoked with privileges\&. When invoked without privileges, various limitations apply, including, but not limited to:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Only disk image based containers are supported (i\&.e\&.
+\fB\-\-image=\fR)\&. Directory based ones (i\&.e\&.
+\fB\-\-directory=\fR) are not supported\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Machine registration via
+\fB\-\-machine=\fR
+is not supported\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+Only
+\fB\-\-private\-network\fR
+and
+\fB\-\-network\-veth\fR
+networking modes are supported\&.
+.RE
+.PP
+When running in unprivileged mode, some needed functionality is provided via
+\fBsystemd-mountfsd.service\fR(8)
+and
+\fBsystemd-nsresourced.service\fR(8)
.SH "OPTIONS"
.PP
If option
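Review bot: the closing sentence of the new UNPRIVILEGED OPERATION section ("When running in unprivileged mode, some needed functionality is provided via ... \fBsystemd-nsresourced.service\fR(8)") has no terminating `\&.` before `.SH "OPTIONS"`, so it renders without a period; suggest appending `\&.`. Since the list is introduced as "not limited to", it would also help to say where the complete set of unprivileged-mode restrictions is documented, so the three listed limitations (no `\-\-directory=`, no `\-\-machine=` registration, only `\-\-private\-network`/`\-\-network\-veth`) are not read as exhaustive.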
@@ -138,7 +188,7 @@ Turns off any status output by the tool itself\&. When this switch is used, the
Added in version 209\&.
.RE
.PP
-\fB\-\-settings=\fR\fIMODE\fR
+\fB\-\-settings=\fR\fB\fIMODE\fR\fR
.RS 4
Controls whether
\fBsystemd\-nspawn\fR
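Review bot: style only: `\fB\-\-settings=\fR\fB\fIMODE\fR\fR` wraps the italic argument in a redundant bold/roman pair; the inner `\fR` already returns to roman, so the trailing `\fR` is a no-op and the previous `\fB\-\-settings=\fR\fIMODE\fR` rendered identically. The same pattern appears in the `\-\-volatile=`, `\-\-console=`, `\-\-background=` and credential option headers further down, so this looks like a change in the generator rather than a hand edit; worth confirming the source XML is unchanged before reviewing each occurrence.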
@@ -194,6 +244,12 @@ is specified the directory is determined by searching for a directory named the
\fBmachinectl\fR(1)
section "Files and Directories" for the precise search path\&.
.sp
+In place of the directory path a
+"\&.v/"
+versioned directory may be specified, see
+\fBsystemd.v\fR(7)
+for details\&.
+.sp
If neither
\fB\-\-directory=\fR,
\fB\-\-image=\fR, nor
@@ -313,6 +369,12 @@ Any other partitions, such as foreign partitions or swap partitions are not moun
\fB\-\-directory=\fR,
\fB\-\-template=\fR\&.
.sp
+In place of the image path a
+"\&.v/"
+versioned directory may be specified, see
+\fBsystemd.v\fR(7)
+for details\&.
+.sp
Added in version 211\&.
.RE
.PP
@@ -346,7 +408,7 @@ and similar options\&. This mode is implied if the container image file or direc
is used\&. In this case the container image on disk is strictly read\-only, while changes are permitted but kept non\-persistently in memory only\&. For further details, see below\&.
.RE
.PP
-\fB\-\-volatile\fR, \fB\-\-volatile=\fR\fIMODE\fR
+\fB\-\-volatile\fR, \fB\-\-volatile=\fR\fB\fIMODE\fR\fR
.RS 4
Boots the container in volatile mode\&. When no mode parameter is passed or when mode is specified as
\fByes\fR, full volatile mode is enabled\&. This means the root directory is mounted as a mostly unpopulated
@@ -592,6 +654,20 @@ Added in version 209\&.
\fB\-u\fR, \fB\-\-user=\fR
.RS 4
After transitioning into the container, change to the specified user defined in the container\*(Aqs user database\&. Like all other systemd\-nspawn features, this is not a security feature and provides protection against accidental destructive operations only\&.
+.sp
+Note that if credentials are used in combination with a non\-root
+\fB\-\-user=\fR
+(e\&.g\&.:
+\fB\-\-set\-credential=\fR,
+\fB\-\-load\-credential=\fR
+or
+\fB\-\-import\-credential=\fR), then
+\fB\-\-no\-new\-privileges=yes\fR
+must be used, and
+\fB\-\-boot\fR
+or
+\fB\-\-as\-pid2\fR
+must not be used, as the credentials would otherwise be unreadable by the container due to missing privileges after switching to the specified user\&.
.RE
.PP
\fB\-\-kill\-signal=\fR
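Review bot: the requirement that credentials combined with a non-root `\-\-user=` need `\-\-no\-new\-privileges=yes` and exclude `\-\-boot` and `\-\-as\-pid2` is documented only under `\-\-user=`; a reader starting from the "Credentials" section (`\-\-load\-credential=`, `\-\-set\-credential=`) will not see it. Suggest adding a cross-reference there. Also, `(e\&.g\&.:` pairs "e.g." with a colon; drop the colon.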
@@ -1453,7 +1529,9 @@ Control whether the container\*(Aqs journal shall be made visible to the host sy
"try\-host"
and
"try\-guest"
-do the same but do not fail if the host does not have persistent journaling enabled\&. If
+do the same but do not fail if the host does not have persistent journaling enabled, or if the container is in the
+\fB\-\-ephemeral\fR
+mode\&. If
"auto"
(the default), and the right subdirectory of
/var/log/journal
@@ -1502,14 +1580,17 @@ and
control whether to create a recursive or a regular bind mount\&. Defaults to
\fBrbind\fR\&.
\fBnoidmap\fR,
-\fBidmap\fR, and
+\fBidmap\fR,
\fBrootidmap\fR
+and
+\fBowneridmap\fR
control ID mapping\&.
.sp
Using
-\fBidmap\fR
-or
+\fBidmap\fR,
\fBrootidmap\fR
+or
+\fBowneridmap\fR
requires support by the source filesystem for user/group ID mapped mounts\&. Defaults to
\fBnoidmap\fR\&. With
\fBx\fR
@@ -1584,9 +1665,28 @@ on the host\&. Other host users are mapped to
inside the container\&.
.RE
.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+If
+\fBowneridmap\fR
+is used, the owner of the target directory inside of the container is mapped to
+\fBp\fR
+on the host\&. Other host users are mapped to
+\fBnobody\fR
+inside the container\&.
+.RE
+.sp
Whichever ID mapping option is used, the same mapping will be used for users and groups IDs\&. If
\fBrootidmap\fR
-is used, the group owning the bind mounted directory will have no effect\&.
+or
+\fBowneridmap\fR
+are used, the group owning the bind mounted directory will have no effect\&.
.sp
Note that when this option is used in combination with
\fB\-\-private\-users\fR, the resulting mount points will be owned by the
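Review bot: the new `owneridmap` bullet states that the owner of the target directory inside the container "is mapped to \fBp\fR on the host", but `p` is defined nowhere in the visible text, whereas the neighbouring `rootidmap` bullet names the host-side user in words. Suggest replacing `\fBp\fR` with the intended description of the host-side owner, since this mapping decides which host UID a container user effectively writes as on the bind mount and should not be left ambiguous.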
@@ -1725,7 +1825,7 @@ Added in version 220\&.
.RE
.SS "Input/Output Options"
.PP
-\fB\-\-console=\fR\fIMODE\fR
+\fB\-\-console=\fR\fB\fIMODE\fR\fR
.RS 4
Configures how to set up standard input, output and error output for the container payload, as well as the
/dev/console
@@ -1785,9 +1885,23 @@ Equivalent to
.sp
Added in version 242\&.
.RE
+.PP
+\fB\-\-background=\fR\fB\fICOLOR\fR\fR
+.RS 4
+Change the terminal background color to the specified ANSI color as long as the container runs\&. The color specified should be an ANSI X3\&.64 SGR background color, i\&.e\&. strings such as
+"40",
+"41", \&...,
+"47",
+"48;2;\&...",
+"48;5;\&..."\&. See
+\m[blue]\fBANSI Escape Code (Wikipedia)\fR\m[]\&\s-2\u[6]\d\s+2
+for details\&. Assign an empty string to disable any coloring\&.
+.sp
+Added in version 256\&.
+.RE
.SS "Credentials"
.PP
-\fB\-\-load\-credential=\fR\fIID\fR:\fIPATH\fR, \fB\-\-set\-credential=\fR\fIID\fR:\fIVALUE\fR
+\fB\-\-load\-credential=\fR\fB\fIID\fR\fR\fB:\fR\fB\fIPATH\fR\fR, \fB\-\-set\-credential=\fR\fB\fIID\fR\fR\fB:\fR\fB\fIVALUE\fR\fR
.RS 4
Pass a credential to the container\&. These two options correspond to the
\fILoadCredential=\fR
@@ -1810,7 +1924,7 @@ to embed a newline, or
"\ex00"
to embed a
\fBNUL\fR
-byte)\&. Note that the invoking shell might already apply unescaping once, hence this might require double escaping!\&.
+byte)\&. Note that the invoking shell might already apply unescaping once, hence this might require double escaping!
.sp
The
\fBsystemd-sysusers.service\fR(8)
@@ -1866,7 +1980,7 @@ Print a short version string and exit\&.
.PP
\fI$SYSTEMD_LOG_LEVEL\fR
.RS 4
-The maximum log level of emitted messages (messages with a higher log level, i\&.e\&. less important ones, will be suppressed)\&. Either one of (in order of decreasing importance)
+The maximum log level of emitted messages (messages with a higher log level, i\&.e\&. less important ones, will be suppressed)\&. Takes a comma\-separated list of values\&. A value may be either one of (in order of decreasing importance)
\fBemerg\fR,
\fBalert\fR,
\fBcrit\fR,
@@ -1876,7 +1990,15 @@ The maximum log level of emitted messages (messages with a higher log level, i\&
\fBinfo\fR,
\fBdebug\fR, or an integer in the range 0\&...7\&. See
\fBsyslog\fR(3)
-for more information\&.
+for more information\&. Each value may optionally be prefixed with one of
+\fBconsole\fR,
+\fBsyslog\fR,
+\fBkmsg\fR
+or
+\fBjournal\fR
+followed by a colon to set the maximum log level for that specific log target (e\&.g\&.
+\fBSYSTEMD_LOG_LEVEL=debug,console:info\fR
+specifies to log at debug level except when logging to the console which should be at info level)\&. Note that the global maximum log level takes priority over any per target maximum log levels\&.
.RE
.PP
\fI$SYSTEMD_LOG_COLOR\fR
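Review bot: "the global maximum log level takes priority over any per target maximum log levels" is ambiguous next to the example `SYSTEMD_LOG_LEVEL=debug,console:info`: a reader could conclude the console logs at debug because the global value wins, which contradicts the sentence just before. Suggest stating explicitly whether a per-target level can only lower the limit below the global one or can also raise it, and adding a second example that shows the rule in effect.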
@@ -1995,6 +2117,12 @@ will be ignored by the executable, and needs to be handled by the pager\&.
This option instructs the pager to not send termcap initialization and deinitialization strings to the terminal\&. It is set by default to allow command output to remain visible in the terminal even after the pager exits\&. Nevertheless, this prevents some pager functionality from working, in particular paged output cannot be scrolled with the mouse\&.
.RE
.sp
+Note that setting the regular
+\fI$LESS\fR
+environment variable has no effect for
+\fBless\fR
+invocations by systemd tools\&.
+.sp
See
\fBless\fR(1)
for more discussion\&.
@@ -2006,6 +2134,12 @@ Override the charset passed to
\fBless\fR
(by default
"utf\-8", if the invoking terminal is determined to be UTF\-8 compatible)\&.
+.sp
+Note that setting the regular
+\fI$LESSCHARSET\fR
+environment variable has no effect for
+\fBless\fR
+invocations by systemd tools\&.
.RE
.PP
\fI$SYSTEMD_PAGERSECURE\fR
@@ -2061,24 +2195,24 @@ and other conditions\&.
.RE
.SH "EXAMPLES"
.PP
-\fBExample\ \&1.\ \&Download a Fedora image and start a shell in it\fR
+\fBExample\ \&1.\ \&Download an Ubuntu TAR image and open a shell in it\fR
.sp
.if n \{\
.RS 4
.\}
.nf
-# machinectl pull\-raw \-\-verify=no \e
- https://download\&.fedoraproject\&.org/pub/fedora/linux/releases/38/Cloud/x86_64/images/Fedora\-Cloud\-Base\-38\-1\&.6\&.x86_64\&.raw\&.xz \e
- Fedora\-Cloud\-Base\-38\-1\&.6\&.x86\-64
-# systemd\-nspawn \-M Fedora\-Cloud\-Base\-38\-1\&.6\&.x86\-64
+# importctl pull\-tar \-mN https://cloud\-images\&.ubuntu\&.com/jammy/current/jammy\-server\-cloudimg\-amd64\-root\&.tar\&.xz
+# systemd\-nspawn \-M jammy\-server\-cloudimg\-amd64\-root
.fi
.if n \{\
.RE
.\}
.PP
-This downloads an image using
-\fBmachinectl\fR(1)
-and opens a shell in it\&.
+This downloads and verifies the specified
+\&.tar
+image, and then uses
+\fBsystemd-nspawn\fR(1)
+to open a shell in it\&.
.PP
\fBExample\ \&2.\ \&Build and boot a minimal Fedora distribution in a container\fR
.sp
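Review bot: the explanation for Example 1 says the `\&.tar` image is downloaded and verified "and then uses \fBsystemd-nspawn\fR(1)", but the download is performed by `importctl`, which the prose no longer names (the previous text credited `\fBmachinectl\fR(1)`); suggest naming `\fBimportctl\fR(1)` here, consistent with its addition to SEE ALSO. The `\-mN` switches are also unexplained and should be spelled out, and since the old example passed `\-\-verify=no` while the new prose claims the image is verified, it is worth confirming that the default verification mode of `importctl pull\-tar` matches that claim.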
@@ -2086,21 +2220,21 @@ and opens a shell in it\&.
.RS 4
.\}
.nf
-# dnf \-y \-\-releasever=38 \-\-installroot=/var/lib/machines/f38 \e
+# dnf \-y \-\-releasever=40 \-\-installroot=/var/lib/machines/f40 \e
\-\-repo=fedora \-\-repo=updates \-\-setopt=install_weak_deps=False install \e
passwd dnf fedora\-release vim\-minimal util\-linux systemd systemd\-networkd
-# systemd\-nspawn \-bD /var/lib/machines/f38
+# systemd\-nspawn \-bD /var/lib/machines/f40
.fi
.if n \{\
.RE
.\}
.PP
This installs a minimal Fedora distribution into the directory
-/var/lib/machines/f38
+/var/lib/machines/f40
and then boots that OS in a namespace container\&. Because the installation is located underneath the standard
/var/lib/machines/
directory, it is also possible to start the machine using
-\fBsystemd\-nspawn \-M f38\fR\&.
+\fBsystemd\-nspawn \-M f40\fR\&.
.PP
\fBExample\ \&3.\ \&Spawn a shell in a container of a minimal Debian unstable distribution\fR
.sp
@@ -2208,16 +2342,7 @@ This runs a copy of the host system in a snapshot which is removed immediately w
The exit code of the program executed in the container is returned\&.
.SH "SEE ALSO"
.PP
-\fBsystemd\fR(1),
-\fBsystemd.nspawn\fR(5),
-\fBchroot\fR(1),
-\fBdnf\fR(8),
-\fBdebootstrap\fR(8),
-\fBpacman\fR(8),
-\fBzypper\fR(8),
-\fBsystemd.slice\fR(5),
-\fBmachinectl\fR(1),
-\fBbtrfs\fR(8)
+\fBsystemd\fR(1), \fBsystemd.nspawn\fR(5), \fBchroot\fR(1), \fBdnf\fR(8), \fBdebootstrap\fR(8), \fBpacman\fR(8), \fBzypper\fR(8), \fBsystemd.slice\fR(5), \fBmachinectl\fR(1), \fBimportctl\fR(1), \fBsystemd-mountfsd.service\fR(8), \fBsystemd-nsresourced.service\fR(8), \fBbtrfs\fR(8)
.SH "NOTES"
.IP " 1." 4
Container Interface
@@ -2245,9 +2370,9 @@ Overlay Filesystem
\%https://docs.kernel.org/filesystems/overlayfs.html
.RE
.IP " 6." 4
-Fedora
+ANSI Escape Code (Wikipedia)
.RS 4
-\%https://getfedora.org
+\%https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_(Select_Graphic_Rendition)_parameters
.RE
.IP " 7." 4
Debian