diff options
Diffstat (limited to 'man/systemd.nspawn.xml')
-rw-r--r-- | man/systemd.nspawn.xml | 685 |
1 files changed, 685 insertions, 0 deletions
diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml new file mode 100644 index 0000000..7980619 --- /dev/null +++ b/man/systemd.nspawn.xml @@ -0,0 +1,685 @@ +<?xml version='1.0'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ +<!ENTITY % entities SYSTEM "custom-entities.ent" > +%entities; +]> +<!-- SPDX-License-Identifier: LGPL-2.1-or-later --> + +<refentry id="systemd.nspawn" xmlns:xi="http://www.w3.org/2001/XInclude"> + + <refentryinfo> + <title>systemd.nspawn</title> + <productname>systemd</productname> + </refentryinfo> + + <refmeta> + <refentrytitle>systemd.nspawn</refentrytitle> + <manvolnum>5</manvolnum> + </refmeta> + + <refnamediv> + <refname>systemd.nspawn</refname> + <refpurpose>Container settings</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para> + <para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para> + <para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para> + </refsynopsisdiv> + + <refsect1> + <title>Description</title> + + <para>An nspawn container settings file (suffix <filename>.nspawn</filename>) contains runtime + configuration for a local container, and is used by + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>. + Files of this type are named after the containers they define settings for. They are optional, and only + required for containers whose execution environment shall differ from the defaults. Files of this type + mostly contain settings that may also be set on the <command>systemd-nspawn</command> command line, and + make it easier to persistently attach specific settings to specific containers. The syntax of these files + is inspired by <filename>.desktop</filename> files, similarly to other configuration files supported by + the systemd project. See + <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry> for an + overview.</para> + </refsect1> + + <refsect1> + <title><filename>.nspawn</filename> File Discovery</title> + + <para>Files are searched for by appending the <filename>.nspawn</filename> suffix to the machine name of + the container, as specified with the <option>--machine=</option> switch of + <command>systemd-nspawn</command>, or derived from the directory or image file name. This file is first + searched for in <filename>/etc/systemd/nspawn/</filename> and + <filename>/run/systemd/nspawn/</filename>. If found there, the settings are read and all of them take + full effect (but may still be overridden by corresponding command line arguments). Otherwise, the file + will then be searched for next to the image file or in the immediate parent of the root directory of the + container. If the file is found there, only a subset of the settings will take effect however. All + settings that possibly elevate privileges or grant additional access to resources of the host (such as + files or directories) are ignored. To which options this applies is documented below.</para> + + <para>Persistent settings files created and maintained by the + administrator (and thus trusted) should be placed in + <filename>/etc/systemd/nspawn/</filename>, while automatically + downloaded (and thus potentially untrusted) settings files are + placed in <filename>/var/lib/machines/</filename> instead (next to + the container images), where their security impact is limited. In + order to add privileged settings to <filename>.nspawn</filename> + files acquired from the image vendor, it is recommended to copy the + settings files into <filename>/etc/systemd/nspawn/</filename> and + edit them there, so that the privileged options become + available. The precise algorithm for how the files are searched and + interpreted may be configured with + <command>systemd-nspawn</command>'s <option>--settings=</option> + switch, see + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> + for details.</para> + </refsect1> + + <refsect1> + <title>[Exec] Section Options</title> + + <para>Settings files may include an [Exec] + section, which carries various execution parameters:</para> + + <variablelist class='nspawn-directives'> + + <varlistentry> + <term><varname>Boot=</varname></term> + + <listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command> + will automatically search for an <filename>init</filename> executable and invoke it. In this case, the + specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the + <filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the + <command>systemd-nspawn</command> command line. This option may not be combined with + <varname>ProcessTwo=yes</varname>. This option is specified by default in the + <filename>systemd-nspawn@.service</filename> template unit.</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Ephemeral=</varname></term> + + <listitem><para>Takes a boolean argument, which defaults to off, If enabled, the container is run with + a temporary snapshot of its file system that is removed immediately when the container terminates. + This is equivalent to the <option>--ephemeral</option> command line switch. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details + about the specific options supported.</para> + + <xi:include href="version-info.xml" xpointer="v240"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ProcessTwo=</varname></term> + + <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as + PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch + on the <command>systemd-nspawn</command> command line. This option may not be combined with + <varname>Boot=yes</varname>.</para> + + <xi:include href="version-info.xml" xpointer="v229"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Parameters=</varname></term> + + <listitem><para>Takes a whitespace-separated list of arguments. Single (<literal>'</literal>) and + double (<literal>"</literal>) quotes may be used around arguments with whitespace. This is either a + command line, beginning with the binary name to execute, or – if <varname>Boot=</varname> is enabled + – the list of arguments to pass to the init process. This setting corresponds to the command line + parameters passed on the <command>systemd-nspawn</command> command line.</para> + + <para>Note: <option>Boot=no</option>, <option>Parameters=a b "c c"</option> is the same as + <command>systemd-nspawn a b "c c"</command>, and <option>Boot=yes</option>, <option>Parameters=b 'c c'</option> + is the same as <command>systemd-nspawn --boot b 'c c'</command>.</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Environment=</varname></term> + + <listitem><para>Takes an environment variable assignment + consisting of key and value, separated by + <literal>=</literal>. Sets an environment variable for the + main process invoked in the container. This setting may be + used multiple times to set multiple environment variables. It + corresponds to the <option>--setenv=</option> command line + switch.</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>User=</varname></term> + + <listitem><para>Takes a UNIX user name. Specifies the user + name to invoke the main process of the container as. This user + must be known in the container's user database. This + corresponds to the <option>--user=</option> command line + switch.</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>WorkingDirectory=</varname></term> + + <listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute + path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line + switch.</para> + + <xi:include href="version-info.xml" xpointer="v229"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PivotRoot=</varname></term> + + <listitem><para>Selects a directory to pivot to <filename>/</filename> inside the container when starting up. + Takes a single path, or a pair of two paths separated by a colon. Both paths must be absolute, and are resolved + in the container's file system namespace. This corresponds to the <option>--pivot-root=</option> command line + switch.</para> + + <xi:include href="version-info.xml" xpointer="v233"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Capability=</varname></term> + <term><varname>DropCapability=</varname></term> + + <listitem><para>Takes a space-separated list of Linux process + capabilities (see + <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details). The <varname>Capability=</varname> setting + specifies additional capabilities to pass on top of the + default set of capabilities. The + <varname>DropCapability=</varname> setting specifies + capabilities to drop from the default set. These settings + correspond to the <option>--capability=</option> and + <option>--drop-capability=</option> command line + switches. Note that <varname>Capability=</varname> is a + privileged setting, and only takes effect in + <filename>.nspawn</filename> files in + <filename>/etc/systemd/nspawn/</filename> and + <filename>/run/system/nspawn/</filename> (see above). On the + other hand, <varname>DropCapability=</varname> takes effect in + all cases. If the special value <literal>all</literal> is passed, all + capabilities are retained (or dropped).</para> + <para>These settings change the bounding set of capabilities which + also limits the ambient capabilities as given with the + <varname>AmbientCapability=</varname>.</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>AmbientCapability=</varname></term> + <listitem><para>Takes a space-separated list of Linux process + capabilities (see + <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details). The <varname>AmbientCapability=</varname> setting + specifies capabilities which will be passed to the started program + in the inheritable and ambient capability sets. This will grant + these capabilities to this process. This setting correspond to + the <option>--ambient-capability=</option> command line switch. + </para> + + <para>The value <literal>all</literal> is not supported for this + setting.</para> + + <para>The setting of <varname>AmbientCapability=</varname> must + be covered by the bounding set settings which were established by + <varname>Capability=</varname> and <varname>DropCapability=</varname>. + </para> + + <para>Note that <varname>AmbientCapability=</varname> is a privileged + setting (see above).</para> + + <xi:include href="version-info.xml" xpointer="v248"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>NoNewPrivileges=</varname></term> + + <listitem><para>Takes a boolean argument that controls the <constant>PR_SET_NO_NEW_PRIVS</constant> flag for + the container payload. This is equivalent to the + <option>--no-new-privileges=</option> command line switch. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details.</para> + + <xi:include href="version-info.xml" xpointer="v239"/> + </listitem> + </varlistentry> + + <varlistentry> + <term><varname>KillSignal=</varname></term> + + <listitem><para>Specify the process signal to send to the + container's PID 1 when nspawn itself receives SIGTERM, in + order to trigger an orderly shutdown of the container. + Defaults to SIGRTMIN+3 if <option>Boot=</option> is used + (on systemd-compatible init systems SIGRTMIN+3 triggers an + orderly shutdown). For a list of valid signals, see + <citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> + + <xi:include href="version-info.xml" xpointer="v230"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Personality=</varname></term> + + <listitem><para>Configures the kernel personality for the + container. This is equivalent to the + <option>--personality=</option> switch.</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>MachineID=</varname></term> + + <listitem><para>Configures the 128-bit machine ID (UUID) to pass to + the container. This is equivalent to the + <option>--uuid=</option> command line switch. This option is + privileged (see above). </para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PrivateUsers=</varname></term> + + <listitem><para>Configures support for usernamespacing. This is equivalent to the + <option>--private-users=</option> command line switch, and takes the same options. This option is privileged + (see above). This option is the default if the <filename>systemd-nspawn@.service</filename> template unit file + is used.</para> + + <xi:include href="version-info.xml" xpointer="v230"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>NotifyReady=</varname></term> + + <listitem><para>Configures support for notifications from the container's init process. This is equivalent to + the <option>--notify-ready=</option> command line switch, and takes the same parameters. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details + about the specific options supported.</para> + + <xi:include href="version-info.xml" xpointer="v231"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SystemCallFilter=</varname></term> + + <listitem><para>Configures the system call filter applied to containers. This is equivalent to the + <option>--system-call-filter=</option> command line switch, and takes the same list parameter. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details.</para> + + <xi:include href="version-info.xml" xpointer="v235"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>LimitCPU=</varname></term> + <term><varname>LimitFSIZE=</varname></term> + <term><varname>LimitDATA=</varname></term> + <term><varname>LimitSTACK=</varname></term> + <term><varname>LimitCORE=</varname></term> + <term><varname>LimitRSS=</varname></term> + <term><varname>LimitNOFILE=</varname></term> + <term><varname>LimitAS=</varname></term> + <term><varname>LimitNPROC=</varname></term> + <term><varname>LimitMEMLOCK=</varname></term> + <term><varname>LimitLOCKS=</varname></term> + <term><varname>LimitSIGPENDING=</varname></term> + <term><varname>LimitMSGQUEUE=</varname></term> + <term><varname>LimitNICE=</varname></term> + <term><varname>LimitRTPRIO=</varname></term> + <term><varname>LimitRTTIME=</varname></term> + + <listitem><para>Configures various types of resource limits applied to containers. This is equivalent to the + <option>--rlimit=</option> command line switch, and takes the same arguments. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details.</para> + + <xi:include href="version-info.xml" xpointer="v239"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>OOMScoreAdjust=</varname></term> + + <listitem><para>Configures the OOM score adjustment value. This is equivalent to the + <option>--oom-score-adjust=</option> command line switch, and takes the same argument. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details.</para> + + <xi:include href="version-info.xml" xpointer="v239"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>CPUAffinity=</varname></term> + + <listitem><para>Configures the CPU affinity. This is equivalent to the <option>--cpu-affinity=</option> command + line switch, and takes the same argument. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details.</para> + + <xi:include href="version-info.xml" xpointer="v239"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Hostname=</varname></term> + + <listitem><para>Configures the kernel hostname set for the container. This is equivalent to the + <option>--hostname=</option> command line switch, and takes the same argument. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details.</para> + + <xi:include href="version-info.xml" xpointer="v239"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>ResolvConf=</varname></term> + + <listitem><para>Configures how <filename>/etc/resolv.conf</filename> in the container shall be handled. This is + equivalent to the <option>--resolv-conf=</option> command line switch, and takes the same argument. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details.</para> + + <xi:include href="version-info.xml" xpointer="v239"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Timezone=</varname></term> + + <listitem><para>Configures how <filename>/etc/localtime</filename> in the container shall be handled. This is + equivalent to the <option>--timezone=</option> command line switch, and takes the same argument. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details.</para> + + <xi:include href="version-info.xml" xpointer="v239"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>LinkJournal=</varname></term> + + <listitem><para>Configures how to link host and container journal setups. This is equivalent to the + <option>--link-journal=</option> command line switch, and takes the same parameter. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details.</para> + + <xi:include href="version-info.xml" xpointer="v239"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>SuppressSync=</varname></term> + + <listitem><para>Configures whether to suppress disk synchronization for the container payload. This + is equivalent to the <option>--suppress-sync=</option> command line switch, and takes the same + parameter. See + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> + for details.</para> + + <xi:include href="version-info.xml" xpointer="v250"/></listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>[Files] Section Options</title> + + <para>Settings files may include a [Files] + section, which carries various parameters configuring the file + system of the container:</para> + + <variablelist class='nspawn-directives'> + + <varlistentry> + <term><varname>ReadOnly=</varname></term> + + <listitem><para>Takes a boolean argument, which defaults to off. If + specified, the container will be run with a read-only file + system. This setting corresponds to the + <option>--read-only</option> command line + switch.</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Volatile=</varname></term> + + <listitem><para>Takes a boolean argument, or the special value + <literal>state</literal>. This configures whether to run the + container with volatile state and/or configuration. This + option is equivalent to <option>--volatile=</option>, see + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> + for details about the specific options + supported.</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Bind=</varname></term> + <term><varname>BindReadOnly=</varname></term> + + <listitem><para>Adds a bind mount from the host into the + container. Takes a single path, a pair of two paths separated + by a colon, or a triplet of two paths plus an option string + separated by colons. This option may be used multiple times to + configure multiple bind mounts. This option is equivalent to + the command line switches <option>--bind=</option> and + <option>--bind-ro=</option>, see + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> + for details about the specific options supported. This setting + is privileged (see above).</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>BindUser=</varname></term> + + <listitem><para>Binds a user from the host into the container. This option is equivalent to the + command line switch <option>--bind-user=</option>, see + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> + for details about the specific options supported. This setting is privileged (see + above).</para> + + <xi:include href="version-info.xml" xpointer="v249"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>TemporaryFileSystem=</varname></term> + + <listitem><para>Adds a <literal>tmpfs</literal> mount to the + container. Takes a path or a pair of path and option string, + separated by a colon. This option may be used multiple times to + configure multiple <literal>tmpfs</literal> mounts. This + option is equivalent to the command line switch + <option>--tmpfs=</option>, see + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> + for details about the specific options supported. This setting + is privileged (see above).</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Inaccessible=</varname></term> + + <listitem><para>Masks the specified file or directory in the container, by over-mounting it with an empty file + node of the same type with the most restrictive access mode. Takes a file system path as argument. This option + may be used multiple times to mask multiple files or directories. This option is equivalent to the command line + switch <option>--inaccessible=</option>, see + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details + about the specific options supported. This setting is privileged (see above).</para> + + <xi:include href="version-info.xml" xpointer="v242"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Overlay=</varname></term> + <term><varname>OverlayReadOnly=</varname></term> + + <listitem><para>Adds an overlay mount point. Takes a colon-separated list of paths. This option may be used + multiple times to configure multiple overlay mounts. This option is equivalent to the command line switches + <option>--overlay=</option> and <option>--overlay-ro=</option>, see + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details + about the specific options supported. This setting is privileged (see above).</para> + + <xi:include href="version-info.xml" xpointer="v233"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>PrivateUsersOwnership=</varname></term> + + <listitem><para>Configures whether the ownership of the files and directories in the container tree + shall be adjusted to the UID/GID range used, if necessary and user namespacing is enabled. This is + equivalent to the <option>--private-users-ownership=</option> command line switch. This option is + privileged (see above).</para> + + <xi:include href="version-info.xml" xpointer="v249"/></listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>[Network] Section Options</title> + + <para>Settings files may include a [Network] + section, which carries various parameters configuring the network + connectivity of the container:</para> + + <variablelist class='nspawn-directives'> + + <varlistentry> + <term><varname>Private=</varname></term> + + <listitem><para>Takes a boolean argument, which defaults to off. If + enabled, the container will run in its own network namespace + and not share network interfaces and configuration with the + host. This setting corresponds to the + <option>--private-network</option> command line + switch.</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>VirtualEthernet=</varname></term> + + <listitem><para>Takes a boolean argument. Configures whether to create a virtual Ethernet connection + (<literal>veth</literal>) between host and the container. This setting implies + <varname>Private=yes</varname>. This setting corresponds to the <option>--network-veth</option> command line + switch. This option is privileged (see above). This option is the default if the + <filename>systemd-nspawn@.service</filename> template unit file is used.</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>VirtualEthernetExtra=</varname></term> + + <listitem><para>Takes a colon-separated pair of interface names. Configures an additional virtual + Ethernet connection (<literal>veth</literal>) between host and the container. The first specified + name is the interface name on the host, the second the interface name in the container. The latter + may be omitted in which case it is set to the same name as the host side interface. This setting + implies <varname>Private=yes</varname>. This setting corresponds to the + <option>--network-veth-extra=</option> command line switch, and may be used multiple times. It is + independent of <varname>VirtualEthernet=</varname>. Note that this option is unrelated to the + <varname>Bridge=</varname> setting below, and thus any connections created this way are not + automatically added to any bridge device on the host side. This option is privileged (see + above).</para> + + <xi:include href="version-info.xml" xpointer="v228"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Interface=</varname></term> + + <listitem><para>Takes a space-separated list of interfaces to add to the container. + The interface object is defined either by a single interface name, referencing the name on the host, + or a colon-separated pair of interfaces, in which case the first one references the name on the host, + and the second one the name in the container. + This option corresponds to the + <option>--network-interface=</option> command line switch and + implies <varname>Private=yes</varname>. This option is + privileged (see above).</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>MACVLAN=</varname></term> + <term><varname>IPVLAN=</varname></term> + + <listitem><para>Takes a space-separated list of interfaces to + add MACLVAN or IPVLAN interfaces to, which are then added to + the container. The interface object is defined either by a single interface name, referencing the name + on the host, or a colon-separated pair of interfaces, in which case the first one references the name + on the host, and the second one the name in the container. These options correspond to the + <option>--network-macvlan=</option> and + <option>--network-ipvlan=</option> command line switches and + imply <varname>Private=yes</varname>. These options are + privileged (see above).</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Bridge=</varname></term> + + <listitem><para>Takes an interface name. This setting implies + <varname>VirtualEthernet=yes</varname> and + <varname>Private=yes</varname> and has the effect that the + host side of the created virtual Ethernet link is connected to + the specified bridge interface. This option corresponds to the + <option>--network-bridge=</option> command line switch. This + option is privileged (see above).</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Zone=</varname></term> + + <listitem><para>Takes a network zone name. This setting implies <varname>VirtualEthernet=yes</varname> and + <varname>Private=yes</varname> and has the effect that the host side of the created virtual Ethernet link is + connected to an automatically managed bridge interface named after the passed argument, prefixed with + <literal>vz-</literal>. This option corresponds to the <option>--network-zone=</option> command line + switch. This option is privileged (see above).</para> + + <xi:include href="version-info.xml" xpointer="v230"/></listitem> + </varlistentry> + + <varlistentry> + <term><varname>Port=</varname></term> + + <listitem><para>Exposes a TCP or UDP port of the container on + the host. This option corresponds to the + <option>--port=</option> command line switch, see + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> + for the precise syntax of the argument this option takes. This + option is privileged (see above).</para> + + <xi:include href="version-info.xml" xpointer="v226"/></listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> + <title>See Also</title> + <para> + <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry> + </para> + </refsect1> + +</refentry> |