summaryrefslogtreecommitdiffstats
path: root/man/systemd-vmspawn.xml
diff options
context:
space:
mode:
Diffstat (limited to 'man/systemd-vmspawn.xml')
-rw-r--r--man/systemd-vmspawn.xml475
1 files changed, 417 insertions, 58 deletions
diff --git a/man/systemd-vmspawn.xml b/man/systemd-vmspawn.xml
index 9bec440..19dce8a 100644
--- a/man/systemd-vmspawn.xml
+++ b/man/systemd-vmspawn.xml
@@ -1,6 +1,9 @@
<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % entities SYSTEM "custom-entities.ent" >
+%entities;
+]>
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="systemd-vmspawn" conditional="ENABLE_VMSPAWN"
@@ -31,11 +34,19 @@
<refsect1>
<title>Description</title>
- <para><command>systemd-vmspawn</command> may be used to start a virtual machine from an OS image. In many ways it is similar to <citerefentry
- project='man-pages'><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but it
+ <para><command>systemd-vmspawn</command> may be used to start a virtual machine from an OS image. In many ways it is similar to <citerefentry>
+ <refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but
launches a full virtual machine instead of using namespaces.</para>
- <para>Note: on Ubuntu/Debian derivatives systemd-vmspawn requires the user to be in the <literal>kvm</literal> group to use the VSock options.</para>
+ <para>File descriptors for <filename>/dev/kvm</filename> and <filename>/dev/vhost-vsock</filename> can be
+ passed to <command>systemd-vmspawn</command> via systemd's native socket passing interface (see
+ <citerefentry><refentrytitle>sd_listen_fds</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
+ details about the precise protocol used and the order in which the file descriptors are passed), these
+ file descriptors must be passed with the names <literal>kvm</literal> and <literal>vhost-vsock</literal>
+ respectively.</para>
+
+ <para>Note: on Ubuntu/Debian derivatives systemd-vmspawn requires the user to be in the
+ <literal>kvm</literal> group to use the VSOCK options.</para>
</refsect1>
<refsect1>
@@ -45,11 +56,43 @@
<para>The following options are understood:</para>
+ <variablelist>
+
+ <varlistentry>
+ <term><option>-q</option></term>
+ <term><option>--quiet</option></term>
+
+ <listitem><para>Turns off any status output by the tool
+ itself. When this switch is used, the only output from vmspawn
+ will be the console output of the Virtual Machine OS itself.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ </variablelist>
+
<refsect2>
<title>Image Options</title>
<variablelist>
<varlistentry>
+ <term><option>-D</option></term>
+ <term><option>--directory=</option></term>
+
+ <listitem><para>Directory to use as file system root for the virtual machine.</para>
+
+ <para>One of either <option>--directory=</option> or <option>--image=</option> must be specified.
+ If neither are specified <option>--directory=.</option> is assumed.</para>
+
+ <para>Note: If mounting a non-root owned directory you may require <option>--private-users=</option>
+ to map into the user's subuid namespace. An example of how to use <constant>/etc/subuid</constant>
+ for this is given later.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>-i</option></term>
<term><option>--image=</option></term>
@@ -66,9 +109,9 @@
<variablelist>
<varlistentry>
- <term><option>--qemu-smp=</option><replaceable>SMP</replaceable></term>
+ <term><option>--cpus=<replaceable>CPUS</replaceable></option></term>
- <listitem><para>Configures the number of CPUs to start the virtual machine with.
+ <listitem><para>The number of CPUs to start the virtual machine with.
Defaults to 1.</para>
<xi:include href="version-info.xml" xpointer="v255"/>
@@ -76,68 +119,156 @@
</varlistentry>
<varlistentry>
- <term><option>--qemu-mem=</option><replaceable>MEM</replaceable></term>
+ <term><option>--ram=<replaceable>BYTES</replaceable></option></term>
- <listitem><para>Configures the amount of memory to start the virtual machine with.
+ <listitem><para>The amount of memory to start the virtual machine with.
Defaults to 2G.</para>
<xi:include href="version-info.xml" xpointer="v255"/>
</listitem>
</varlistentry>
- <varlistentry>
- <term><option>--qemu-kvm=</option><replaceable>BOOL</replaceable></term>
+ <varlistentry>
+ <term><option>--kvm=<replaceable>BOOL</replaceable></option></term>
- <listitem><para>Configures whether to use KVM. If the option is not specified KVM support will be
- detected automatically. If true, KVM is always used, and if false, KVM is never used.</para>
+ <listitem><para>If <option>--kvm=</option> is not specified KVM support will be
+ detected automatically. If true, KVM is always used, and if false, KVM is never used.</para>
- <xi:include href="version-info.xml" xpointer="v255"/></listitem>
- </varlistentry>
+ <xi:include href="version-info.xml" xpointer="v255"/></listitem>
+ </varlistentry>
- <varlistentry>
- <term><option>--qemu-vsock=</option><replaceable>BOOL</replaceable></term>
+ <varlistentry>
+ <term><option>--vsock=<replaceable>BOOL</replaceable></option></term>
- <listitem>
- <para>Configure whether to use VSock networking.</para>
- <para>If the option is not specified VSock support will be detected automatically.
- If yes is specified VSocks are always used, and vice versa if no is set VSocks are never used.</para>
- <xi:include href="version-info.xml" xpointer="v255"/>
- </listitem>
- </varlistentry>
+ <listitem><para>If <option>--vsock=</option> is not specified VSOCK networking support will be
+ detected automatically. If true, VSOCK networking is always used, and if false, VSOCK networking is never used.</para>
- <varlistentry>
- <term><option>--vsock-cid=</option><replaceable>CID</replaceable></term>
+ <xi:include href="version-info.xml" xpointer="v255"/></listitem>
+ </varlistentry>
- <listitem>
- <para>Configure vmspawn to use a specific CID for the guest.</para>
- <para>If the option is not specified or an empty argument is supplied the guest will be assigned a random CID.</para>
- <para>Valid CIDs are in the range <constant>3</constant> to <constant>4294967294</constant> (<constant>0xFFFF_FFFE</constant>).
- CIDs outside of this range are reserved.</para>
- <xi:include href="version-info.xml" xpointer="v255"/>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><option>--vsock-cid=<replaceable>CID</replaceable></option></term>
- <varlistentry>
- <term><option>--qemu-gui</option></term>
+ <listitem>
+ <para>Sets the specific CID to use for the guest.
+ Valid CIDs are in the range <constant>3</constant> to <constant>4294967294</constant> (<constant>0xFFFF_FFFE</constant>).
+ CIDs outside of this range are reserved. By default vmspawn will attempt to derive a CID for the guest derived from the machine name,
+ falling back to a random CID if this CID is taken.</para>
- <listitem><para>Start QEMU in graphical mode.</para>
+ <xi:include href="version-info.xml" xpointer="v255"/>
+ </listitem>
+ </varlistentry>
- <xi:include href="version-info.xml" xpointer="v255"/></listitem>
- </varlistentry>
+ <varlistentry>
+ <term><option>--tpm=<replaceable>BOOL</replaceable></option></term>
- <varlistentry>
- <term><option>--secure-boot=</option><replaceable>BOOL</replaceable></term>
+ <listitem>
+ <para>If <option>--tpm=</option> is not specified vmspawn will detect the presence of <citerefentry project='debian'>
+ <refentrytitle>swtpm</refentrytitle><manvolnum>8</manvolnum></citerefentry> and use it if available.
+ If yes is specified <citerefentry project='debian'><refentrytitle>swtpm</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ is always used, and if no is set <citerefentry project='debian'><refentrytitle>swtpm</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> is never used.</para>
- <listitem><para>Configure whether to search for firmware which supports Secure Boot.</para>
- <para>If the option is not specified the first firmware which is detected will be used.
- If the option is set to yes then the first firmware with Secure Boot support will be selected.
- If no is specified then the first firmware without Secure Boot will be selected.</para>
+ <para>Note: the virtual TPM used may change in future.</para>
- <xi:include href="version-info.xml" xpointer="v255"/></listitem>
- </varlistentry>
- </variablelist>
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
- </refsect2><refsect2>
+ <varlistentry>
+ <term><option>--linux=<replaceable>PATH</replaceable></option></term>
+
+ <listitem>
+ <para>Set the linux kernel image to use for direct kernel boot.
+ If a directory type image is used and <option>--linux=</option> was omitted, vmspawn will search for boot loader entries
+ according to the
+ <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink> assuming
+ XBOOTLDR to be located at /boot and ESP to be /efi respectively.
+ If no kernel was installed into the image then the image will fail to boot.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--initrd=<replaceable>PATH</replaceable></option></term>
+
+ <listitem>
+ <para>Set the initrd to use for direct kernel boot.
+ If the <option>--linux=</option> supplied is a
+ <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink>
+ Type #2 entry, then this argument is not required.
+ If no initrd was installed into the image then the image will fail to boot.</para>
+
+ <para><option>--initrd=</option> can be specified multiple times and vmspawn will merge them together.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-n</option></term>
+ <term><option>--network-tap</option></term>
+
+ <listitem>
+ <para>Create a TAP device to network with the virtual machine.</para>
+
+ <para>Note: root privileges are required to use TAP networking.
+ Additionally,
+ <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ must be running and correctly set up on the host to provision the host interface. The relevant
+ <literal>.network</literal> file can be found at
+ <filename>/usr/lib/systemd/network/80-vm-vt.network</filename>.
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="v255"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-user-mode</option></term>
+
+ <listitem><para>Use user mode networking.</para>
+
+ <xi:include href="version-info.xml" xpointer="v255"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--firmware=<replaceable>PATH</replaceable></option></term>
+
+ <listitem><para>Takes an absolute path, or a relative path beginning with
+ <filename>./</filename>. Specifies a JSON firmware definition file, which allows selecting the
+ firmware to boot in the VM. If not specified a suitable firmware is automatically discovered. If the
+ special string <literal>list</literal> is specified lists all discovered firmwares.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--discard-disk=<replaceable>BOOL</replaceable></option></term>
+
+ <listitem><para>Controls whether qemu processes discard requests from the VM.
+ This prevents long running VMs from using more disk space than required.
+ This is enabled by default.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--secure-boot=<replaceable>BOOL</replaceable></option></term>
+
+ <listitem><para>Configure whether to search for firmware which supports Secure Boot.</para>
+
+ <para>If the option is not specified the first firmware which is detected will be used.
+ If the option is set to yes then the first firmware with Secure Boot support will be selected.
+ If no is specified then the first firmware without Secure Boot will be selected.</para>
+
+ <xi:include href="version-info.xml" xpointer="v255"/></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
<title>System Identity Options</title>
<variablelist>
@@ -145,25 +276,203 @@
<term><option>-M</option></term>
<term><option>--machine=</option></term>
- <listitem><para>Sets the machine name for this container. This
- name may be used to identify this container during its runtime
+ <listitem><para>Sets the machine name for this virtual machine. This
+ name may be used to identify this virtual machine during its runtime
(for example in tools like
<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
and similar).</para>
+
<xi:include href="version-info.xml" xpointer="v255"/>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><option>--uuid=</option></term>
+
+ <listitem><para>Set the specified UUID for the virtual machine. The
+ init system will initialize
+ <filename>/etc/machine-id</filename> from this if this file is
+ not set yet. Note that this option takes effect only if
+ <filename>/etc/machine-id</filename> in the virtual machine is
+ unpopulated.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
</variablelist>
+ </refsect2>
- </refsect2><refsect2>
+ <refsect2>
+ <title>Property Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--register=</option></term>
+
+ <listitem><para>Controls whether the virtual machine is registered with
+ <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes a
+ boolean argument, which defaults to <literal>yes</literal> when running as root, and <literal>no</literal> when
+ running as a regular user. This ensures that the virtual machine is accessible via
+ <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
+
+ <para>Note: root privileges are required to use this option as registering with
+ <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ requires privileged D-Bus method calls.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
+ <title>User Namespacing Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--private-users=<replaceable>UID_SHIFT[:UID_RANGE]</replaceable></option></term>
+
+ <listitem><para>Controls user namespacing under <option>--directory=</option>.
+ If enabled,
+ <citerefentry><refentrytitle>virtiofsd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ is instructed to map user and group ids (UIDs and GIDs).
+ This involves mapping the private UIDs/GIDs used in the virtual machine (starting with the virtual machine's
+ root user 0 and up) to a range of UIDs/GIDs on the host that are not used for other purposes (usually in the
+ range beyond the host's UID/GID 65536).</para>
+
+ <para>If one or two colon-separated numbers are specified, user namespacing is turned on. <replaceable>UID_SHIFT</replaceable>
+ specifies the first host UID/GID to map, <replaceable>UID_RANGE</replaceable> is optional and specifies number of host
+ UIDs/GIDs to assign to the virtual machine. If <replaceable>UID_RANGE</replaceable> is omitted, 65536 UIDs/GIDs are assigned.</para>
+
+ <para>When user namespaces are used, the GID range assigned to each virtual machine is always chosen identical to the
+ UID range.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
+ <title>Mount Options</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><option>--bind=<replaceable>PATH</replaceable></option></term>
+ <term><option>--bind-ro=<replaceable>PATH</replaceable></option></term>
+
+ <listitem><para>Mount a directory from the host into the virtual machine. Takes one of: a path
+ argument — in which case the specified path will be mounted from the host to the same path in the virtual machine, or
+ a colon-separated pair of paths — in which case the first specified path is the source in the host, and the
+ second path is the destination in the virtual machine. If the source path is not absolute, it is resolved
+ relative to the current working directory. The <option>--bind-ro=</option> option creates read-only bind mounts.
+ Backslash escapes are interpreted, so <literal>\:</literal> may be used to embed colons in either path.
+ This option may be specified multiple times for creating multiple independent bind mount points.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--extra-drive=<replaceable>PATH</replaceable></option></term>
+
+ <listitem><para>Takes a disk image or block device on the host and supplies it to the virtual machine as another drive.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
+ <title>Integration Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--forward-journal=<replaceable>FILE|DIR</replaceable></option></term>
+
+ <listitem><para>Forward the virtual machine's journal to the host.
+ <citerefentry><refentrytitle>systemd-journal-remote</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ is currently used to receive the guest VM's forwarded journal entries. This option determines where
+ this journal is saved on the host and has the same semantics as
+ <option>-o</option>/<option>--output</option> described in
+ <citerefentry><refentrytitle>systemd-journal-remote</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--pass-ssh-key=<replaceable>BOOL</replaceable></option></term>
+
+ <listitem><para>By default an SSH key is generated to allow <command>systemd-vmspawn</command> to open
+ a D-Bus connection to the VM's systemd bus. Setting this to "no" will disable SSH key generation.</para>
+
+ <para>The generated keys are ephemeral. That is they are valid only for the current invocation of <command>systemd-vmspawn</command>,
+ and are typically not persisted.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--ssh-key-type=<replaceable>TYPE</replaceable></option></term>
+
+ <listitem><para>Configures the type of SSH key to generate, see
+ <citerefentry project="man-pages"><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ for more information.</para>
+
+ <para>By default <literal>ed25519</literal> keys are generated, however <literal>rsa</literal> keys
+ may also be useful if the VM has a particularly old version of <command>sshd</command>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
+ <title>Input/Output Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--console=<replaceable>MODE</replaceable></option></term>
+
+ <listitem><para>Configures how to set up the console of the VM. Takes one of
+ <literal>interactive</literal>, <literal>read-only</literal>, <literal>native</literal>,
+ <literal>gui</literal>. Defaults to <literal>interactive</literal>. <literal>interactive</literal>
+ provides an interactive terminal interface to the VM. <literal>read-only</literal> is similar, but
+ is strictly read-only, i.e. does not accept any input from the user. <literal>native</literal> also
+ provides a TTY-based interface, but uses qemu native implementation (which means the qemu monitor
+ is available). <literal>gui</literal> shows the qemu graphical UI.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--background=<replaceable>COLOR</replaceable></option></term>
+
+ <listitem><para>Change the terminal background color to the specified ANSI color as long as the VM
+ runs. The color specified should be an ANSI X3.64 SGR background color, i.e. strings such as
+ <literal>40</literal>, <literal>41</literal>, …, <literal>47</literal>, <literal>48;2;…</literal>,
+ <literal>48;5;…</literal>. See <ulink
+ url="https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_(Select_Graphic_Rendition)_parameters">ANSI
+ Escape Code (Wikipedia)</ulink> for details. Assign an empty string to disable any coloring. This
+ only has an effect in <option>--console=interactive</option> and
+ <option>--console=read-only</option> modes.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
<title>Credentials</title>
<variablelist>
<varlistentry>
- <term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term>
- <term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term>
+ <term><option>--load-credential=<replaceable>ID</replaceable>:<replaceable>PATH</replaceable></option></term>
+ <term><option>--set-credential=<replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></option></term>
- <listitem><para>Pass a credential to the container. These two options correspond to the
+ <listitem><para>Pass a credential to the virtual machine. These two options correspond to the
<varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details about these concepts, as well as the syntax of the option's arguments.</para>
@@ -201,6 +510,53 @@ $ mkosi -d arch -p systemd -p linux --autologin -o image.raw -f build
$ systemd-vmspawn --image=image.raw
</programlisting>
</example>
+
+ <example>
+ <title>Import and run a Fedora 39 Cloud image using machinectl</title>
+
+ <programlisting>
+$ curl -L \
+ -O https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz \
+ -O https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-&fedora_latest_version;-&fedora_cloud_release;-x86_64-CHECKSUM \
+ -O https://fedoraproject.org/fedora.gpg
+$ gpgv --keyring ./fedora.gpg Fedora-Cloud-&fedora_latest_version;-&fedora_cloud_release;-x86_64-CHECKSUM
+$ sha256sum -c Fedora-Cloud-&fedora_latest_version;-&fedora_cloud_release;-x86_64-CHECKSUM
+# machinectl import-raw Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz fedora-&fedora_latest_version;-cloud
+# systemd-vmspawn -M fedora-&fedora_latest_version;-cloud
+ </programlisting>
+ </example>
+
+ <example>
+ <title>Build and run systemd's system image and forward the VM's journal to a local file</title>
+
+ <programlisting>
+$ mkosi build
+$ systemd-vmspawn \
+ -D mkosi.output/system \
+ --private-users $(grep $(whoami) /etc/subuid | cut -d: -f2) \
+ --linux mkosi.output/system.efi \
+ --forward-journal=vm.journal \
+ enforcing=0
+ </programlisting>
+
+ <para>Note: this example also uses a kernel command line argument to ensure SELinux isn't started in enforcing mode.</para>
+ </example>
+
+ <example>
+ <title>SSH into a running VM using <command>systemd-ssh-proxy</command></title>
+
+ <programlisting>
+$ mkosi build
+$ my_vsock_cid=3735928559
+$ systemd-vmspawn \
+ -D mkosi.output/system \
+ --private-users $(grep $(whoami) /etc/subuid | cut -d: -f2) \
+ --linux mkosi.output/system.efi \
+ --vsock-cid $my_vsock_cid \
+ enforcing=0
+$ ssh root@vsock/$my_vsock_cid -i /run/user/$UID/systemd/vmspawn/machine-*-system-ed25519
+ </programlisting>
+ </example>
</refsect1>
<refsect1>
@@ -213,9 +569,12 @@ $ systemd-vmspawn --image=image.raw
<refsect1>
<title>See Also</title>
- <para>
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>mkosi</refentrytitle><manvolnum>1</manvolnum></citerefentry>
- </para>
+ <para><simplelist type="inline">
+ <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry project='debian'><refentrytitle>mkosi</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>importctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink></member>
+ </simplelist></para>
</refsect1>
</refentry>