1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
|
<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="importctl" conditional='ENABLE_MACHINED'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>importctl</title>
<productname>systemd</productname>
</refentryinfo>
<refmeta>
<refentrytitle>importctl</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>importctl</refname>
<refpurpose>Download, import or export disk images</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>importctl</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="req">COMMAND</arg>
<arg choice="opt" rep="repeat">NAME</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para><command>importctl</command> may be used to download, import, and export disk images via
<citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para><command>importctl</command> operates both on block-level disk images (such as DDIs) as well as
file-system-level images (tarballs). It supports disk images are one of the four following
classes:</para>
<itemizedlist>
<listitem><para>VM images or full OS container images, that may be run via
<citerefentry><refentrytitle>systemd-vmspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> or
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, and
managed via
<citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
<listitem><para>Portable service images, that may be attached an managed via
<citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para></listitem>
<listitem><para>System extension (sysext) images, that may be activated via
<citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem>
<listitem><para>Configuration extension (confext) images, that may be activated via
<citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para></listitem>
</itemizedlist>
<para>When images are downloaded or imported they are placed in the following directories, depending on
the <option>--class=</option> parameter:</para>
<table>
<title>Classes and Directories</title>
<tgroup cols='2'>
<colspec colname='class' />
<colspec colname='directory' />
<thead>
<row>
<entry>Class</entry>
<entry>Directory</entry>
</row>
</thead>
<tbody>
<row>
<entry><literal>machine</literal></entry>
<entry><filename>/var/lib/machines/</filename></entry>
</row>
<row>
<entry><literal>portable</literal></entry>
<entry><filename>/var/lib/portables/</filename></entry>
</row>
<row>
<entry><literal>sysext</literal></entry>
<entry><filename>/var/lib/extensions/</filename></entry>
</row>
<row>
<entry><literal>confext</literal></entry>
<entry><filename>/var/lib/confexts/</filename></entry>
</row>
</tbody>
</tgroup>
</table>
</refsect1>
<refsect1>
<title>Commands</title>
<para>The following commands are understood:</para>
<variablelist>
<varlistentry>
<term><command>pull-tar</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Downloads a <filename>.tar</filename> image from the specified URL, and makes it
available under the specified local name in the image directory for the selected
<option>--class=</option>. The URL must be of type <literal>http://</literal> or
<literal>https://</literal>, and must refer to a <filename>.tar</filename>,
<filename>.tar.gz</filename>, <filename>.tar.xz</filename> or <filename>.tar.bz2</filename> archive
file. If the local image name is omitted, it is automatically derived from the last component of the
URL, with its suffix removed.</para>
<para>The image is verified before it is made available, unless <option>--verify=no</option> is
specified. Verification is done either via an inline signed file with the name of the image and the
suffix <filename>.sha256</filename> or via separate <filename>SHA256SUMS</filename> and
<filename>SHA256SUMS.gpg</filename> files. The signature files need to be made available on the same
web server, under the same URL as the <filename>.tar</filename> file. With
<option>--verify=checksum</option>, only the SHA256 checksum for the file is verified, based on the
<filename>.sha256</filename> suffixed file or the <filename>SHA256SUMS</filename> file. With
<option>--verify=signature</option>, the sha checksum file is first verified with the inline
signature in the <filename>.sha256</filename> file or the detached GPG signature file
<filename>SHA256SUMS.gpg</filename>. The public key for this verification step needs to be available
in <filename>/usr/lib/systemd/import-pubring.gpg</filename> or
<filename>/etc/systemd/import-pubring.gpg</filename>.</para>
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
a read-only subvolume/directory in the image directory that is named after the specified URL and its
HTTP etag. A writable snapshot is then taken from this subvolume, and named after the specified local
name. This behavior ensures that creating multiple instances of the same URL is efficient, as
multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
its writable snapshot, specify <literal>-</literal> as local name.</para>
<para>Note that pressing C-c during execution of this command will not abort the download. Use
<command>cancel-transfer</command>, described below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><command>pull-raw</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Downloads a <filename>.raw</filename> disk image from the specified URL, and makes it
available under the specified local name in the image directory for the selected
<option>--class=</option>. The URL must be of type <literal>http://</literal> or
<literal>https://</literal>. The image must either be a <filename>.qcow2</filename> or raw disk
image, optionally compressed as <filename>.gz</filename>, <filename>.xz</filename>, or
<filename>.bz2</filename>. If the local name is omitted, it is automatically derived from the last
component of the URL, with its suffix removed.</para>
<para>Image verification is identical for raw and tar images (see above).</para>
<para>If the downloaded image is in <filename>.qcow2</filename> format it is converted into a raw
image file before it is made available.</para>
<para>If <option>-keep-download=yes</option> is specified the image will be downloaded and stored in
a read-only file in the image directory that is named after the specified URL and its HTTP etag. A
writable copy is then made from this file, and named after the specified local name. This behavior
ensures that creating multiple instances of the same URL is efficient, as multiple downloads are not
necessary. In order to create only the read-only image, and avoid creating its writable copy,
specify <literal>-</literal> as local name.</para>
<para>Note that pressing C-c during execution of this command will not abort the download. Use
<command>cancel-transfer</command>, described below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><command>import-tar</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term>
<term><command>import-raw</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Imports a TAR or RAW image, and places it under the specified name in the image
directory for the image class selected via <option>--class=</option>. When
<command>import-tar</command> is used, the file specified as the first argument should be a tar
archive, possibly compressed with xz, gzip or bzip2. It will then be unpacked into its own
subvolume/directory. When <command>import-raw</command> is used, the file should be a qcow2 or raw
disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image
name) is not specified, it is automatically derived from the file name. If the filename is passed as
<literal>-</literal>, the image is read from standard input, in which case the second argument is
mandatory.</para>
<para>No cryptographic validation is done when importing the images.</para>
<para>Much like image downloads, ongoing imports may be listed with <command>list</command>
and aborted with <command>cancel-transfer</command>.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><command>import-fs</command> <replaceable>DIRECTORY</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Imports an image stored in a local directory into the image directory for the image
class selected via <option>--class=</option> and operates similarly to <command>import-tar</command>
or <command>import-raw</command>, but the first argument is the source directory. If supported, this
command will create a btrfs snapshot or subvolume for the new image.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><command>export-tar</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term>
<term><command>export-raw</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term>
<listitem><para>Exports a TAR or RAW image and stores it in the specified file. The first parameter
should be an image name. The second parameter should be a file path the TAR or RAW
image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with gzip, if
it ends in <literal>.xz</literal>, with xz, and if it ends in <literal>.bz2</literal>, with bzip2. If
the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
is written to standard output. The compression may also be explicitly selected with the
<option>--format=</option> switch. This is in particular useful if the second parameter is left
unspecified.</para>
<para>Much like image downloads and imports, ongoing exports may be listed with
<command>list</command> and aborted with <command>cancel-transfer</command>.</para>
<para>Note that, currently, only directory and subvolume images may be exported as TAR images, and
only raw disk images as RAW images.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><command>list-transfer</command></term>
<listitem><para>Shows a list of image downloads, imports and exports that are currently in
progress.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><command>cancel-transfer</command> <replaceable>ID</replaceable>…</term>
<listitem><para>Aborts a download, import or export of the image with the specified ID. To list
ongoing transfers and their IDs, use <command>list</command>. </para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><command>list-images</command></term>
<listitem><para>Shows a list of already downloaded/imported images.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Options</title>
<para>The following options are understood:</para>
<variablelist>
<varlistentry>
<term><option>--read-only</option></term>
<listitem>
<para>When used with <command>pull-raw</command>, <command>pull-tar</command>,
<command>import-raw</command>, <command>import-tar</command> or <command>import-fs</command> a
read-only image is created.</para>
<xi:include href="version-info.xml" xpointer="v256"/>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--verify=</option></term>
<listitem><para>When downloading an image, specify whether the image shall be verified before it is
made available. Takes one of <literal>no</literal>, <literal>checksum</literal> and
<literal>signature</literal>. If <literal>no</literal>, no verification is done. If
<literal>checksum</literal> is specified, the download is checked for integrity after the transfer is
complete, but no signatures are verified. If <literal>signature</literal> is specified, the checksum
is verified and the image's signature is checked against a local keyring of trustable vendors. It is
strongly recommended to set this option to <literal>signature</literal> if the server and protocol
support this. Defaults to <literal>signature</literal>.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--force</option></term>
<listitem><para>When downloading an image, and a local copy by the specified local name already
exists, delete it first and replace it by the newly downloaded image.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--format=</option></term>
<listitem><para>When used with the <option>export-tar</option> or <option>export-raw</option>
commands, specifies the compression format to use for the resulting file. Takes one of
<literal>uncompressed</literal>, <literal>xz</literal>, <literal>gzip</literal>,
<literal>bzip2</literal>. By default, the format is determined automatically from the output image
file name passed.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><option>-q</option></term>
<term><option>--quiet</option></term>
<listitem><para>Suppresses additional informational output while running.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<xi:include href="user-system-options.xml" xpointer="host" />
<varlistentry>
<term><option>-M</option></term>
<term><option>--machine=</option></term>
<listitem><para>Connect to
<citerefentry><refentrytitle>systemd-import.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
running in a local container, to perform the specified operation within the container.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--class=</option></term>
<term><option>-m</option></term>
<term><option>-P</option></term>
<term><option>-S</option></term>
<term><option>-C</option></term>
<listitem><para>Selects the image class for the downloaded images. This primarily selects the
directory to download into. The <option>--class=</option> switch takes <literal>machine</literal>,
<literal>portable</literal>, <literal>sysext</literal> or <literal>confext</literal> as argument. The
short options <option>-m</option>, <option>-P</option>, <option>-S</option>, <option>-C</option> are
shortcuts for <option>--class=machine</option>, <option>--class=portable</option>,
<option>--class=sysext</option>, <option>--class=confext</option>.</para>
<para>Note that <option>--keep-download=</option> defaults to true for
<option>--class=machine</option> and false otherwise, see below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--keep-download=</option></term>
<term><option>-N</option></term>
<listitem><para>Takes a boolean argument. When specified with <command>pull-raw</command> or
<command>pull-tar</command>, selects whether to download directly into the specified local image
name, or whether to download into a read-only copy first of which to make a writable copy after the
download is completed. Defaults to true for <option>--class=machine</option>, false otherwise.</para>
<para>The <option>-N</option> switch is a shortcut for <option>--keep-download=no</option>.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="json" />
<xi:include href="standard-options.xml" xpointer="j" />
<xi:include href="standard-options.xml" xpointer="no-pager" />
<xi:include href="standard-options.xml" xpointer="no-legend" />
<xi:include href="standard-options.xml" xpointer="no-ask-password" />
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<example id="example-import-tar">
<title>Download an Ubuntu TAR image and open a shell in it</title>
<programlisting># importctl pull-tar -mN https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64-root.tar.xz
# systemd-nspawn -M jammy-server-cloudimg-amd64-root</programlisting>
<para>This downloads and verifies the specified <filename>.tar</filename> image, and then uses
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> to
open a shell in it.</para>
</example>
<example id="example-import-raw">
<title>Download an Ubuntu RAW image, set a root password in it, start
it as a service</title>
<programlisting># importctl pull-raw -mN \
https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64-disk-kvm.img \
jammy
# systemd-firstboot --image=/var/lib/machines/jammy.raw --prompt-root-password --force
# machinectl start jammy
# machinectl login jammy</programlisting>
<para>This downloads the specified <filename>.raw</filename> image and makes it available under the
local name <literal>jammy</literal>. Then, a root password is set with
<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>. Afterwards
the machine is started as system service. With the last command a login prompt into the container is
requested.</para>
</example>
<example id="example-export-tar">
<title>Exports a container image as tar file</title>
<programlisting># importctl export-tar -m fedora myfedora.tar.xz</programlisting>
<para>Exports the container <literal>fedora</literal> as an xz-compressed tar file
<filename>myfedora.tar.xz</filename> into the current directory.</para>
</example>
</refsect1>
<refsect1>
<title>Exit status</title>
<para>On success, 0 is returned, a non-zero failure code
otherwise.</para>
</refsect1>
<xi:include href="common-variables.xml" />
<refsect1>
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-importd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-vmspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>portablectl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd-confext</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
</simplelist></para>
</refsect1>
</refentry>
|
