summaryrefslogtreecommitdiffstats
path: root/man/systemd-nspawn.xml
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:35:18 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:35:18 +0000
commitb750101eb236130cf056c675997decbac904cc49 (patch)
treea5df1a06754bdd014cb975c051c83b01c9a97532 /man/systemd-nspawn.xml
parentInitial commit. (diff)
downloadsystemd-b750101eb236130cf056c675997decbac904cc49.tar.xz
systemd-b750101eb236130cf056c675997decbac904cc49.zip
Adding upstream version 252.22.upstream/252.22
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'man/systemd-nspawn.xml')
-rw-r--r--man/systemd-nspawn.xml1767
1 files changed, 1767 insertions, 0 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
new file mode 100644
index 0000000..fc471c3
--- /dev/null
+++ b/man/systemd-nspawn.xml
@@ -0,0 +1,1767 @@
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY % entities SYSTEM "custom-entities.ent" >
+%entities;
+]>
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="systemd-nspawn"
+ xmlns:xi="http://www.w3.org/2001/XInclude">
+
+ <refentryinfo>
+ <title>systemd-nspawn</title>
+ <productname>systemd</productname>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>systemd-nspawn</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>systemd-nspawn</refname>
+ <refpurpose>Spawn a command or OS in a light-weight container</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>systemd-nspawn</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="opt"><replaceable>COMMAND</replaceable>
+ <arg choice="opt" rep="repeat">ARGS</arg>
+ </arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-nspawn</command>
+ <arg choice="plain">--boot</arg>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="opt" rep="repeat">ARGS</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><command>systemd-nspawn</command> may be used to run a command or OS in a light-weight namespace
+ container. In many ways it is similar to <citerefentry
+ project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but more powerful
+ since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and
+ the host and domain name.</para>
+
+ <para><command>systemd-nspawn</command> may be invoked on any directory tree containing an operating system tree,
+ using the <option>--directory=</option> command line option. By using the <option>--machine=</option> option an OS
+ tree is automatically searched for in a couple of locations, most importantly in
+ <filename>/var/lib/machines/</filename>, the suggested directory to place OS container images installed on the
+ system.</para>
+
+ <para>In contrast to <citerefentry
+ project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command>
+ may be used to boot full Linux-based operating systems in a container.</para>
+
+ <para><command>systemd-nspawn</command> limits access to various kernel interfaces in the container to read-only,
+ such as <filename>/sys/</filename>, <filename>/proc/sys/</filename> or <filename>/sys/fs/selinux/</filename>. The
+ host's network interfaces and the system clock may not be changed from within the container. Device nodes may not
+ be created. The host system cannot be rebooted and kernel modules may not be loaded from within the
+ container.</para>
+
+ <para>Use a tool like <citerefentry
+ project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry
+ project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or
+ <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry> to
+ set up an OS directory tree suitable as file system hierarchy for <command>systemd-nspawn</command> containers. See
+ the Examples section below for details on suitable invocation of these commands.</para>
+
+ <para>As a safety check <command>systemd-nspawn</command> will verify the existence of
+ <filename>/usr/lib/os-release</filename> or <filename>/etc/os-release</filename> in the container tree before
+ booting a container (see
+ <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It might be
+ necessary to add this file to the container tree manually if the OS of the container is too old to contain this
+ file out-of-the-box.</para>
+
+ <para><command>systemd-nspawn</command> may be invoked directly from the interactive command line or run as system
+ service in the background. In this mode each container instance runs as its own service instance; a default
+ template unit file <filename>systemd-nspawn@.service</filename> is provided to make this easy, taking the container
+ name as instance identifier. Note that different default options apply when <command>systemd-nspawn</command> is
+ invoked by the template unit file than interactively on the command line. Most importantly the template unit file
+ makes use of the <option>--boot</option> option which is not the default in case <command>systemd-nspawn</command>
+ is invoked from the interactive command line. Further differences with the defaults are documented along with the
+ various supported options below.</para>
+
+ <para>The <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool may
+ be used to execute a number of operations on containers. In particular it provides easy-to-use commands to run
+ containers as system services using the <filename>systemd-nspawn@.service</filename> template unit
+ file.</para>
+
+ <para>Along with each container a settings file with the <filename>.nspawn</filename> suffix may exist, containing
+ additional settings to apply when running the container. See
+ <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+ details. Settings files override the default options used by the <filename>systemd-nspawn@.service</filename>
+ template unit file, making it usually unnecessary to alter this template file directly.</para>
+
+ <para>Note that <command>systemd-nspawn</command> will mount file systems private to the container to
+ <filename>/dev/</filename>, <filename>/run/</filename> and similar. These will not be visible outside of the
+ container, and their contents will be lost when the container exits.</para>
+
+ <para>Note that running two <command>systemd-nspawn</command> containers from the same directory tree will not make
+ processes in them see each other. The PID namespace separation of the two containers is complete and the containers
+ will share very few runtime objects except for the underlying file system. Rather use
+ <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
+ <command>login</command> or <command>shell</command> commands to request an additional login session in a running
+ container.</para>
+
+ <para><command>systemd-nspawn</command> implements the <ulink
+ url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> specification.</para>
+
+ <para>While running, containers invoked with <command>systemd-nspawn</command> are registered with the
+ <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry> service that
+ keeps track of running containers, and provides programming interfaces to interact with them.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+
+ <para>If option <option>--boot</option> is specified, the arguments
+ are used as arguments for the init program. Otherwise,
+ <replaceable>COMMAND</replaceable> specifies the program to launch
+ in the container, and the remaining arguments are used as
+ arguments for this program. If <option>--boot</option> is not used and
+ no arguments are specified, a shell is launched in the
+ container.</para>
+
+ <para>The following options are understood:</para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><option>-q</option></term>
+ <term><option>--quiet</option></term>
+
+ <listitem><para>Turns off any status output by the tool
+ itself. When this switch is used, the only output from nspawn
+ will be the console output of the container OS
+ itself.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--settings=</option><replaceable>MODE</replaceable></term>
+
+ <listitem><para>Controls whether
+ <command>systemd-nspawn</command> shall search for and use
+ additional per-container settings from
+ <filename>.nspawn</filename> files. Takes a boolean or the
+ special values <option>override</option> or
+ <option>trusted</option>.</para>
+
+ <para>If enabled (the default), a settings file named after the
+ machine (as specified with the <option>--machine=</option>
+ setting, or derived from the directory or image file name)
+ with the suffix <filename>.nspawn</filename> is searched in
+ <filename>/etc/systemd/nspawn/</filename> and
+ <filename>/run/systemd/nspawn/</filename>. If it is found
+ there, its settings are read and used. If it is not found
+ there, it is subsequently searched in the same directory as the
+ image file or in the immediate parent of the root directory of
+ the container. In this case, if the file is found, its settings
+ will be also read and used, but potentially unsafe settings
+ are ignored. Note that in both these cases, settings on the
+ command line take precedence over the corresponding settings
+ from loaded <filename>.nspawn</filename> files, if both are
+ specified. Unsafe settings are considered all settings that
+ elevate the container's privileges or grant access to
+ additional resources such as files or directories of the
+ host. For details about the format and contents of
+ <filename>.nspawn</filename> files, consult
+ <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+
+ <para>If this option is set to <option>override</option>, the
+ file is searched, read and used the same way, however, the order of
+ precedence is reversed: settings read from the
+ <filename>.nspawn</filename> file will take precedence over
+ the corresponding command line options, if both are
+ specified.</para>
+
+ <para>If this option is set to <option>trusted</option>, the
+ file is searched, read and used the same way, but regardless
+ of being found in <filename>/etc/systemd/nspawn/</filename>,
+ <filename>/run/systemd/nspawn/</filename> or next to the image
+ file or container root directory, all settings will take
+ effect, however, command line arguments still take precedence
+ over corresponding settings.</para>
+
+ <para>If disabled, no <filename>.nspawn</filename> file is read
+ and no settings except the ones on the command line are in
+ effect.</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ <refsect2>
+ <title>Image Options</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><option>-D</option></term>
+ <term><option>--directory=</option></term>
+
+ <listitem><para>Directory to use as file system root for the
+ container.</para>
+
+ <para>If neither <option>--directory=</option>, nor
+ <option>--image=</option> is specified the directory is
+ determined by searching for a directory named the same as the
+ machine name specified with <option>--machine=</option>. See
+ <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ section "Files and Directories" for the precise search path.</para>
+
+ <para>If neither <option>--directory=</option>,
+ <option>--image=</option>, nor <option>--machine=</option>
+ are specified, the current directory will
+ be used. May not be specified together with
+ <option>--image=</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--template=</option></term>
+
+ <listitem><para>Directory or <literal>btrfs</literal> subvolume to use as template for the
+ container's root directory. If this is specified and the container's root directory (as configured by
+ <option>--directory=</option>) does not yet exist it is created as <literal>btrfs</literal> snapshot
+ (if supported) or plain directory (otherwise) and populated from this template tree. Ideally, the
+ specified template path refers to the root of a <literal>btrfs</literal> subvolume, in which case a
+ simple copy-on-write snapshot is taken, and populating the root directory is instant. If the
+ specified template path does not refer to the root of a <literal>btrfs</literal> subvolume (or not
+ even to a <literal>btrfs</literal> file system at all), the tree is copied (though possibly in a
+ 'reflink' copy-on-write scheme — if the file system supports that), which can be substantially more
+ time-consuming. Note that the snapshot taken is of the specified directory or subvolume, including
+ all subdirectories and subvolumes below it, but excluding any sub-mounts. May not be specified
+ together with <option>--image=</option> or <option>--ephemeral</option>.</para>
+
+ <para>Note that this switch leaves hostname, machine ID and
+ all other settings that could identify the instance
+ unmodified.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-x</option></term>
+ <term><option>--ephemeral</option></term>
+
+ <listitem><para>If specified, the container is run with a temporary snapshot of its file system that is removed
+ immediately when the container terminates. May not be specified together with
+ <option>--template=</option>.</para>
+ <para>Note that this switch leaves hostname, machine ID and all other settings that could identify
+ the instance unmodified. Please note that — as with <option>--template=</option> — taking the
+ temporary snapshot is more efficient on file systems that support subvolume snapshots or 'reflinks'
+ natively (<literal>btrfs</literal> or new <literal>xfs</literal>) than on more traditional file
+ systems that do not (<literal>ext4</literal>). Note that the snapshot taken is of the specified
+ directory or subvolume, including all subdirectories and subvolumes below it, but excluding any
+ sub-mounts.</para>
+
+ <para>With this option no modifications of the container image are retained. Use
+ <option>--volatile=</option> (described below) for other mechanisms to restrict persistency of
+ container images during runtime.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-i</option></term>
+ <term><option>--image=</option></term>
+
+ <listitem><para>Disk image to mount the root directory for the
+ container from. Takes a path to a regular file or to a block
+ device node. The file or block device must contain
+ either:</para>
+
+ <itemizedlist>
+ <listitem><para>An MBR partition table with a single
+ partition of type 0x83 that is marked
+ bootable.</para></listitem>
+
+ <listitem><para>A GUID partition table (GPT) with a single
+ partition of type
+ 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem>
+
+ <listitem><para>A GUID partition table (GPT) with a marked
+ root partition which is mounted as the root directory of the
+ container. Optionally, GPT images may contain a home and/or
+ a server data partition which are mounted to the appropriate
+ places in the container. All these partitions must be
+ identified by the partition types defined by the <ulink
+ url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable
+ Partitions Specification</ulink>.</para></listitem>
+
+ <listitem><para>No partition table, and a single file system spanning the whole image.</para></listitem>
+ </itemizedlist>
+
+ <para>On GPT images, if an EFI System Partition (ESP) is discovered, it is automatically mounted to
+ <filename>/efi</filename> (or <filename>/boot</filename> as fallback) in case a directory by this name exists
+ and is empty.</para>
+
+ <para>Partitions encrypted with LUKS are automatically decrypted. Also, on GPT images dm-verity data integrity
+ hash partitions are set up if the root hash for them is specified using the <option>--root-hash=</option>
+ option.</para>
+
+ <para>Single file system images (i.e. file systems without a surrounding partition table) can be opened using
+ dm-verity if the integrity data is passed using the <option>--root-hash=</option> and
+ <option>--verity-data=</option> (and optionally <option>--root-hash-sig=</option>) options.</para>
+
+ <para>Any other partitions, such as foreign partitions or swap partitions are not mounted. May not be specified
+ together with <option>--directory=</option>, <option>--template=</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--oci-bundle=</option></term>
+
+ <listitem><para>Takes the path to an OCI runtime bundle to invoke, as specified in the <ulink
+ url="https://github.com/opencontainers/runtime-spec/blob/master/spec.md">OCI Runtime Specification</ulink>. In
+ this case no <filename>.nspawn</filename> file is loaded, and the root directory and various settings are read
+ from the OCI runtime JSON data (but data passed on the command line takes precedence).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--read-only</option></term>
+
+ <listitem><para>Mount the container's root file system (and any other file systems container in the container
+ image) read-only. This has no effect on additional mounts made with <option>--bind=</option>,
+ <option>--tmpfs=</option> and similar options. This mode is implied if the container image file or directory is
+ marked read-only itself. It is also implied if <option>--volatile=</option> is used. In this case the container
+ image on disk is strictly read-only, while changes are permitted but kept non-persistently in memory only. For
+ further details, see below.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--volatile</option></term>
+ <term><option>--volatile=</option><replaceable>MODE</replaceable></term>
+
+ <listitem><para>Boots the container in volatile mode. When no mode parameter is passed or when mode is
+ specified as <option>yes</option>, full volatile mode is enabled. This means the root directory is mounted as a
+ mostly unpopulated <literal>tmpfs</literal> instance, and <filename>/usr/</filename> from the OS tree is
+ mounted into it in read-only mode (the system thus starts up with read-only OS image, but pristine state and
+ configuration, any changes are lost on shutdown). When the mode parameter is specified as
+ <option>state</option>, the OS tree is mounted read-only, but <filename>/var/</filename> is mounted as a
+ writable <literal>tmpfs</literal> instance into it (the system thus starts up with read-only OS resources and
+ configuration, but pristine state, and any changes to the latter are lost on shutdown). When the mode parameter
+ is specified as <option>overlay</option> the read-only root file system is combined with a writable
+ <filename>tmpfs</filename> instance through <literal>overlayfs</literal>, so that it appears at it normally
+ would, but any changes are applied to the temporary file system only and lost when the container is
+ terminated. When the mode parameter is specified as <option>no</option> (the default), the whole OS tree is
+ made available writable (unless <option>--read-only</option> is specified, see above).</para>
+
+ <para>Note that if one of the volatile modes is chosen, its effect is limited to the root file system
+ (or <filename>/var/</filename> in case of <option>state</option>), and any other mounts placed in the
+ hierarchy are unaffected — regardless if they are established automatically (e.g. the EFI system
+ partition that might be mounted to <filename>/efi/</filename> or <filename>/boot/</filename>) or
+ explicitly (e.g. through an additional command line option such as <option>--bind=</option>, see
+ below). This means, even if <option>--volatile=overlay</option> is used changes to
+ <filename>/efi/</filename> or <filename>/boot/</filename> are prohibited in case such a partition
+ exists in the container image operated on, and even if <option>--volatile=state</option> is used the
+ hypothetical file <filename index="false">/etc/foobar</filename> is potentially writable if
+ <option>--bind=/etc/foobar</option> if used to mount it from outside the read-only container
+ <filename>/etc/</filename> directory.</para>
+
+ <para>The <option>--ephemeral</option> option is closely related to this setting, and provides similar
+ behaviour by making a temporary, ephemeral copy of the whole OS image and executing that. For further details,
+ see above.</para>
+
+ <para>The <option>--tmpfs=</option> and <option>--overlay=</option> options provide similar functionality, but
+ for specific sub-directories of the OS image only. For details, see below.</para>
+
+ <para>This option provides similar functionality for containers as the <literal>systemd.volatile=</literal>
+ kernel command line switch provides for host systems. See
+ <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
+ details.</para>
+
+ <para>Note that setting this option to <option>yes</option> or <option>state</option> will only work
+ correctly with operating systems in the container that can boot up with only
+ <filename>/usr/</filename> mounted, and are able to automatically populate <filename>/var/</filename>
+ (and <filename>/etc/</filename> in case of <literal>--volatile=yes</literal>). Specifically, this
+ means that operating systems that follow the historic split of <filename>/bin/</filename> and
+ <filename>/lib/</filename> (and related directories) from <filename>/usr/</filename> (i.e. where the
+ former are not symlinks into the latter) are not supported by <literal>--volatile=yes</literal> as
+ container payload. The <option>overlay</option> option does not require any particular preparations
+ in the OS, but do note that <literal>overlayfs</literal> behaviour differs from regular file systems
+ in a number of ways, and hence compatibility is limited.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--root-hash=</option></term>
+
+ <listitem><para>Takes a data integrity (dm-verity) root hash specified in hexadecimal. This option enables data
+ integrity checks using dm-verity, if the used image contains the appropriate integrity data (see above). The
+ specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64
+ formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but
+ the image file carries the <literal>user.verity.roothash</literal> extended file attribute (see <citerefentry
+ project='man-pages'><refentrytitle>xattr</refentrytitle><manvolnum>7</manvolnum></citerefentry>), then the root
+ hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or
+ is not supported by the underlying file system), but a file with the <filename>.roothash</filename> suffix is
+ found next to the image file, bearing otherwise the same name (except if the image has the
+ <filename>.raw</filename> suffix, in which case the root hash file must not have it in its name), the root hash
+ is read from it and automatically used, also as formatted hexadecimal characters.</para>
+
+ <para>Note that this configures the root hash for the root file system. Disk images may also contain
+ separate file systems for the <filename>/usr/</filename> hierarchy, which may be Verity protected as
+ well. The root hash for this protection may be configured via the
+ <literal>user.verity.usrhash</literal> extended file attribute or via a <filename>.usrhash</filename>
+ file adjacent to the disk image, following the same format and logic as for the root hash for the
+ root file system described here. Note that there's currently no switch to configure the root hash for
+ the <filename>/usr/</filename> from the command line.</para>
+
+ <para>Also see the <varname>RootHash=</varname> option in
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--root-hash-sig=</option></term>
+
+ <listitem><para>Takes a PKCS7 signature of the <option>--root-hash=</option> option.
+ The semantics are the same as for the <varname>RootHashSignature=</varname> option, see
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--verity-data=</option></term>
+
+ <listitem><para>Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks
+ using dm-verity, if a root-hash is passed and if the used image itself does not contains the integrity data.
+ The integrity data must be matched by the root hash. If this option is not specified, but a file with the
+ <filename>.verity</filename> suffix is found next to the image file, bearing otherwise the same name (except if
+ the image has the <filename>.raw</filename> suffix, in which case the verity data file must not have it in its name),
+ the verity data is read from it and automatically used.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--pivot-root=</option></term>
+
+ <listitem><para>Pivot the specified directory to <filename>/</filename> inside the container, and either unmount the
+ container's old root, or pivot it to another specified directory. Takes one of: a path argument — in which case the
+ specified path will be pivoted to <filename>/</filename> and the old root will be unmounted; or a colon-separated pair
+ of new root path and pivot destination for the old root. The new root path will be pivoted to <filename>/</filename>,
+ and the old <filename>/</filename> will be pivoted to the other directory. Both paths must be absolute, and are resolved
+ in the container's file system namespace.</para>
+
+ <para>This is for containers which have several bootable directories in them; for example, several
+ <ulink url="https://ostree.readthedocs.io/en/latest/">OSTree</ulink> deployments. It emulates the
+ behavior of the boot loader and the initrd which normally select which directory to mount as the root
+ and start the container's PID 1 in.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Execution Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>-a</option></term>
+ <term><option>--as-pid2</option></term>
+
+ <listitem><para>Invoke the shell or specified program as process ID (PID) 2 instead of PID 1 (init). By
+ default, if neither this option nor <option>--boot</option> is used, the selected program is run as the process
+ with PID 1, a mode only suitable for programs that are aware of the special semantics that the process with
+ PID 1 has on UNIX. For example, it needs to reap all processes reparented to it, and should implement
+ <command>sysvinit</command> compatible signal handling (specifically: it needs to reboot on SIGINT, reexecute
+ on SIGTERM, reload configuration on SIGHUP, and so on). With <option>--as-pid2</option> a minimal stub init
+ process is run as PID 1 and the selected program is executed as PID 2 (and hence does not need to implement any
+ special semantics). The stub init process will reap processes as necessary and react appropriately to
+ signals. It is recommended to use this mode to invoke arbitrary commands in containers, unless they have been
+ modified to run correctly as PID 1. Or in other words: this switch should be used for pretty much all commands,
+ except when the command refers to an init or shell implementation, as these are generally capable of running
+ correctly as PID 1. This option may not be combined with <option>--boot</option>.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-b</option></term>
+ <term><option>--boot</option></term>
+
+ <listitem><para>Automatically search for an init program and invoke it as PID 1, instead of a shell or a user
+ supplied program. If this option is used, arguments specified on the command line are used as arguments for the
+ init program. This option may not be combined with <option>--as-pid2</option>.</para>
+
+ <para>The following table explains the different modes of invocation and relationship to
+ <option>--as-pid2</option> (see above):</para>
+
+ <table>
+ <title>Invocation Mode</title>
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname="switch" />
+ <colspec colname="explanation" />
+ <thead>
+ <row>
+ <entry>Switch</entry>
+ <entry>Explanation</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>Neither <option>--as-pid2</option> nor <option>--boot</option> specified</entry>
+ <entry>The passed parameters are interpreted as the command line, which is executed as PID 1 in the container.</entry>
+ </row>
+
+ <row>
+ <entry><option>--as-pid2</option> specified</entry>
+ <entry>The passed parameters are interpreted as the command line, which is executed as PID 2 in the container. A stub init process is run as PID 1.</entry>
+ </row>
+
+ <row>
+ <entry><option>--boot</option> specified</entry>
+ <entry>An init program is automatically searched for and run as PID 1 in the container. The passed parameters are used as invocation parameters for this process.</entry>
+ </row>
+
+ </tbody>
+ </tgroup>
+ </table>
+
+ <para>Note that <option>--boot</option> is the default mode of operation if the
+ <filename>systemd-nspawn@.service</filename> template unit file is used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--chdir=</option></term>
+
+ <listitem><para>Change to the specified working directory before invoking the process in the container. Expects
+ an absolute path in the container's file system namespace.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-E <replaceable>NAME</replaceable>[=<replaceable>VALUE</replaceable>]</option></term>
+ <term><option>--setenv=<replaceable>NAME</replaceable>[=<replaceable>VALUE</replaceable>]</option></term>
+
+ <listitem><para>Specifies an environment variable to pass to the init process in the container. This
+ may be used to override the default variables or to set additional variables. It may be used more
+ than once to set multiple variables. When <literal>=</literal> and <replaceable>VALUE</replaceable>
+ are omitted, the value of the variable with the same name in the program environment will be used.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-u</option></term>
+ <term><option>--user=</option></term>
+
+ <listitem><para>After transitioning into the container, change to the specified user defined in the
+ container's user database. Like all other systemd-nspawn features, this is not a security feature and
+ provides protection against accidental destructive operations only.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--kill-signal=</option></term>
+
+ <listitem><para>Specify the process signal to send to the container's PID 1 when nspawn itself receives
+ <constant>SIGTERM</constant>, in order to trigger an orderly shutdown of the container. Defaults to
+ <constant>SIGRTMIN+3</constant> if <option>--boot</option> is used (on systemd-compatible init systems
+ <constant>SIGRTMIN+3</constant> triggers an orderly shutdown). If <option>--boot</option> is not used and this
+ option is not specified the container's processes are terminated abruptly via <constant>SIGKILL</constant>. For
+ a list of valid signals, see <citerefentry
+ project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--notify-ready=</option></term>
+
+ <listitem><para>Configures support for notifications from the container's init process.
+ <option>--notify-ready=</option> takes a boolean (<option>no</option> and <option>yes</option>).
+ With option <option>no</option> systemd-nspawn notifies systemd
+ with a <literal>READY=1</literal> message when the init process is created.
+ With option <option>yes</option> systemd-nspawn waits for the
+ <literal>READY=1</literal> message from the init process in the container
+ before sending its own to systemd. For more details about notifications
+ see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--suppress-sync=</option></term>
+
+ <listitem><para>Expects a boolean argument. If true, turns off any form of on-disk file system
+ synchronization for the container payload. This means all system calls such as <citerefentry
+ project='man-pages'><refentrytitle>sync</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
+ <function>fsync()</function>, <function>syncfs()</function>, … will execute no operation, and the
+ <constant>O_SYNC</constant>/<constant>O_DSYNC</constant> flags to <citerefentry
+ project='man-pages'><refentrytitle>open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and
+ related calls will be made unavailable. This is potentially dangerous, as assumed data integrity
+ guarantees to the container payload are not actually enforced (i.e. data assumed to have been written
+ to disk might be lost if the system is shut down abnormally). However, this can dramatically improve
+ container runtime performance – as long as these guarantees are not required or desirable, for
+ example because any data written by the container is of temporary, redundant nature, or just an
+ intermediary artifact that will be further processed and finalized by a later step in a
+ pipeline. Defaults to false.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>System Identity Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>-M</option></term>
+ <term><option>--machine=</option></term>
+
+ <listitem><para>Sets the machine name for this container. This
+ name may be used to identify this container during its runtime
+ (for example in tools like
+ <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ and similar), and is used to initialize the container's
+ hostname (which the container can choose to override,
+ however). If not specified, the last component of the root
+ directory path of the container is used, possibly suffixed
+ with a random identifier in case <option>--ephemeral</option>
+ mode is selected. If the root directory selected is the host's
+ root directory the host's hostname is used as default
+ instead.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--hostname=</option></term>
+
+ <listitem><para>Controls the hostname to set within the container, if different from the machine name. Expects
+ a valid hostname as argument. If this option is used, the kernel hostname of the container will be set to this
+ value, otherwise it will be initialized to the machine name as controlled by the <option>--machine=</option>
+ option described above. The machine name is used for various aspect of identification of the container from the
+ outside, the kernel hostname configurable with this option is useful for the container to identify itself from
+ the inside. It is usually a good idea to keep both forms of identification synchronized, in order to avoid
+ confusion. It is hence recommended to avoid usage of this option, and use <option>--machine=</option>
+ exclusively. Note that regardless whether the container's hostname is initialized from the name set with
+ <option>--hostname=</option> or the one set with <option>--machine=</option>, the container can later override
+ its kernel hostname freely on its own as well.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--uuid=</option></term>
+
+ <listitem><para>Set the specified UUID for the container. The
+ init system will initialize
+ <filename>/etc/machine-id</filename> from this if this file is
+ not set yet. Note that this option takes effect only if
+ <filename>/etc/machine-id</filename> in the container is
+ unpopulated.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Property Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>-S</option></term>
+ <term><option>--slice=</option></term>
+
+ <listitem><para>Make the container part of the specified slice, instead of the default
+ <filename>machine.slice</filename>. This applies only if the machine is run in its own scope unit, i.e. if
+ <option>--keep-unit</option> isn't used.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--property=</option></term>
+
+ <listitem><para>Set a unit property on the scope unit to register for the machine. This applies only if the
+ machine is run in its own scope unit, i.e. if <option>--keep-unit</option> isn't used. Takes unit property
+ assignments in the same format as <command>systemctl set-property</command>. This is useful to set memory
+ limits and similar for the container.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--register=</option></term>
+
+ <listitem><para>Controls whether the container is registered with
+ <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes a
+ boolean argument, which defaults to <literal>yes</literal>. This option should be enabled when the container
+ runs a full Operating System (more specifically: a system and service manager as PID 1), and is useful to
+ ensure that the container is accessible via
+ <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and shown by
+ tools such as <citerefentry
+ project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If the container
+ does not run a service manager, it is recommended to set this option to
+ <literal>no</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--keep-unit</option></term>
+
+ <listitem><para>Instead of creating a transient scope unit to run the container in, simply use the service or
+ scope unit <command>systemd-nspawn</command> has been invoked in. If <option>--register=yes</option> is set
+ this unit is registered with
+ <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
+ switch should be used if <command>systemd-nspawn</command> is invoked from within a service unit, and the
+ service unit's sole purpose is to run a single <command>systemd-nspawn</command> container. This option is not
+ available if run from a user session.</para>
+ <para>Note that passing <option>--keep-unit</option> disables the effect of <option>--slice=</option> and
+ <option>--property=</option>. Use <option>--keep-unit</option> and <option>--register=no</option> in
+ combination to disable any kind of unit allocation or registration with
+ <command>systemd-machined</command>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>User Namespacing Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--private-users=</option></term>
+
+ <listitem><para>Controls user namespacing. If enabled, the container will run with its own private set of UNIX
+ user and group ids (UIDs and GIDs). This involves mapping the private UIDs/GIDs used in the container (starting
+ with the container's root user 0 and up) to a range of UIDs/GIDs on the host that are not used for other
+ purposes (usually in the range beyond the host's UID/GID 65536). The parameter may be specified as follows:</para>
+
+ <orderedlist>
+ <listitem><para>If one or two colon-separated numbers are specified, user namespacing is turned on. The first
+ parameter specifies the first host UID/GID to assign to the container, the second parameter specifies the
+ number of host UIDs/GIDs to assign to the container. If the second parameter is omitted, 65536 UIDs/GIDs are
+ assigned.</para></listitem>
+
+ <listitem><para>If the parameter is <literal>yes</literal>, user namespacing is turned on. The
+ UID/GID range to use is determined automatically from the file ownership of the root directory of
+ the container's directory tree. To use this option, make sure to prepare the directory tree in
+ advance, and ensure that all files and directories in it are owned by UIDs/GIDs in the range you'd
+ like to use. Also, make sure that used file ACLs exclusively reference UIDs/GIDs in the appropriate
+ range. In this mode, the number of UIDs/GIDs assigned to the container is 65536, and the owner
+ UID/GID of the root directory must be a multiple of 65536.</para></listitem>
+
+ <listitem><para>If the parameter is <literal>no</literal>, user namespacing is turned off. This is
+ the default.</para>
+ </listitem>
+
+ <listitem><para>If the parameter is <literal>identity</literal>, user namespacing is employed with
+ an identity mapping for the first 65536 UIDs/GIDs. This is mostly equivalent to
+ <option>--private-users=0:65536</option>. While it does not provide UID/GID isolation, since all
+ host and container UIDs/GIDs are chosen identically it does provide process capability isolation,
+ and hence is often a good choice if proper user namespacing with distinct UID maps is not
+ appropriate.</para></listitem>
+
+ <listitem><para>The special value <literal>pick</literal> turns on user namespacing. In this case
+ the UID/GID range is automatically chosen. As first step, the file owner UID/GID of the root
+ directory of the container's directory tree is read, and it is checked that no other container is
+ currently using it. If this check is successful, the UID/GID range determined this way is used,
+ similarly to the behavior if <literal>yes</literal> is specified. If the check is not successful
+ (and thus the UID/GID range indicated in the root directory's file owner is already used elsewhere)
+ a new – currently unused – UID/GID range of 65536 UIDs/GIDs is randomly chosen between the host
+ UID/GIDs of 524288 and 1878982656, always starting at a multiple of 65536, and, if possible,
+ consistently hashed from the machine name. This setting implies
+ <option>--private-users-ownership=auto</option> (see below), which possibly has the effect that the
+ files and directories in the container's directory tree will be owned by the appropriate users of
+ the range picked. Using this option makes user namespace behavior fully automatic. Note that the
+ first invocation of a previously unused container image might result in picking a new UID/GID range
+ for it, and thus in the (possibly expensive) file ownership adjustment operation. However,
+ subsequent invocations of the container will be cheap (unless of course the picked UID/GID range is
+ assigned to a different use by then).</para></listitem>
+ </orderedlist>
+
+ <para>It is recommended to assign at least 65536 UIDs/GIDs to each container, so that the usable UID/GID range in the
+ container covers 16 bit. For best security, do not assign overlapping UID/GID ranges to multiple containers. It is
+ hence a good idea to use the upper 16 bit of the host 32-bit UIDs/GIDs as container identifier, while the lower 16
+ bit encode the container UID/GID used. This is in fact the behavior enforced by the
+ <option>--private-users=pick</option> option.</para>
+
+ <para>When user namespaces are used, the GID range assigned to each container is always chosen identical to the
+ UID range.</para>
+
+ <para>In most cases, using <option>--private-users=pick</option> is the recommended option as it enhances
+ container security massively and operates fully automatically in most cases.</para>
+
+ <para>Note that the picked UID/GID range is not written to <filename>/etc/passwd</filename> or
+ <filename>/etc/group</filename>. In fact, the allocation of the range is not stored persistently anywhere,
+ except in the file ownership of the files and directories of the container.</para>
+
+ <para>Note that when user namespacing is used file ownership on disk reflects this, and all of the container's
+ files and directories are owned by the container's effective user and group IDs. This means that copying files
+ from and to the container image requires correction of the numeric UID/GID values, according to the UID/GID
+ shift applied.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--private-users-ownership=</option></term>
+
+ <listitem><para>Controls how to adjust the container image's UIDs and GIDs to match the UID/GID range
+ chosen with <option>--private-users=</option>, see above. Takes one of <literal>off</literal> (to
+ leave the image as is), <literal>chown</literal> (to recursively <function>chown()</function> the
+ container's directory tree as needed), <literal>map</literal> (in order to use transparent ID mapping
+ mounts) or <literal>auto</literal> for automatically using <literal>map</literal> where available and
+ <literal>chown</literal> where not.</para>
+
+ <para>If <literal>chown</literal> is selected, all files and directories in the container's directory
+ tree will be adjusted so that they are owned by the appropriate UIDs/GIDs selected for the container
+ (see above). This operation is potentially expensive, as it involves iterating through the full
+ directory tree of the container. Besides actual file ownership, file ACLs are adjusted as
+ well.</para>
+
+ <para>Typically <literal>map</literal> is the best choice, since it transparently maps UIDs/GIDs in
+ memory as needed without modifying the image, and without requiring an expensive recursive adjustment
+ operation. However, it is not available for all file systems, currently.</para>
+
+ <para>The <option>--private-users-ownership=auto</option> option is implied if
+ <option>--private-users=pick</option> is used. This option has no effect if user namespacing is not
+ used.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-U</option></term>
+
+ <listitem><para>If the kernel supports the user namespaces feature, equivalent to
+ <option>--private-users=pick --private-users-ownership=auto</option>, otherwise equivalent to
+ <option>--private-users=no</option>.</para>
+
+ <para>Note that <option>-U</option> is the default if the
+ <filename>systemd-nspawn@.service</filename> template unit file is used.</para>
+
+ <para>Note: it is possible to undo the effect of <option>--private-users-ownership=chown</option> (or
+ <option>-U</option>) on the file system by redoing the operation with the first UID of 0:</para>
+
+ <programlisting>systemd-nspawn … --private-users=0 --private-users-ownership=chown</programlisting>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Networking Options</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><option>--private-network</option></term>
+
+ <listitem><para>Disconnect networking of the container from
+ the host. This makes all network interfaces unavailable in the
+ container, with the exception of the loopback device and those
+ specified with <option>--network-interface=</option> and
+ configured with <option>--network-veth</option>. If this
+ option is specified, the <constant>CAP_NET_ADMIN</constant> capability will be
+ added to the set of capabilities the container retains. The
+ latter may be disabled by using <option>--drop-capability=</option>.
+ If this option is not specified (or implied by one of the options
+ listed below), the container will have full access to the host network.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-interface=</option></term>
+
+ <listitem><para>Assign the specified network interface to the container. This will remove the
+ specified interface from the calling namespace and place it in the container. When the container
+ terminates, it is moved back to the calling namespace. Note that
+ <option>--network-interface=</option> implies <option>--private-network</option>. This option may be
+ used more than once to add multiple network interfaces to the container.</para>
+
+ <para>Note that any network interface specified this way must already exist at the time the container
+ is started. If the container shall be started automatically at boot via a
+ <filename>systemd-nspawn@.service</filename> unit file instance, it might hence make sense to add a
+ unit file drop-in to the service instance
+ (e.g. <filename>/etc/systemd/system/systemd-nspawn@foobar.service.d/50-network.conf</filename>) with
+ contents like the following:</para>
+
+ <programlisting>[Unit]
+Wants=sys-subsystem-net-devices-ens1.device
+After=sys-subsystem-net-devices-ens1.device</programlisting>
+
+ <para>This will make sure that activation of the container service will be delayed until the
+ <literal>ens1</literal> network interface has shown up. This is required since hardware probing is
+ fully asynchronous, and network interfaces might be discovered only later during the boot process,
+ after the container would normally be started without these explicit dependencies.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-macvlan=</option></term>
+
+ <listitem><para>Create a <literal>macvlan</literal> interface of the specified Ethernet network
+ interface and add it to the container. A <literal>macvlan</literal> interface is a virtual interface
+ that adds a second MAC address to an existing physical Ethernet link. The interface in the container
+ will be named after the interface on the host, prefixed with <literal>mv-</literal>. Note that
+ <option>--network-macvlan=</option> implies <option>--private-network</option>. This option may be
+ used more than once to add multiple network interfaces to the container.</para>
+
+ <para>As with <option>--network-interface=</option>, the underlying Ethernet network interface must
+ already exist at the time the container is started, and thus similar unit file drop-ins as described
+ above might be useful.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-ipvlan=</option></term>
+
+ <listitem><para>Create an <literal>ipvlan</literal> interface of the specified Ethernet network
+ interface and add it to the container. An <literal>ipvlan</literal> interface is a virtual interface,
+ similar to a <literal>macvlan</literal> interface, which uses the same MAC address as the underlying
+ interface. The interface in the container will be named after the interface on the host, prefixed
+ with <literal>iv-</literal>. Note that <option>--network-ipvlan=</option> implies
+ <option>--private-network</option>. This option may be used more than once to add multiple network
+ interfaces to the container.</para>
+
+ <para>As with <option>--network-interface=</option>, the underlying Ethernet network interface must
+ already exist at the time the container is started, and thus similar unit file drop-ins as described
+ above might be useful.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-n</option></term>
+ <term><option>--network-veth</option></term>
+
+ <listitem><para>Create a virtual Ethernet link (<literal>veth</literal>) between host and container. The host
+ side of the Ethernet link will be available as a network interface named after the container's name (as
+ specified with <option>--machine=</option>), prefixed with <literal>ve-</literal>. The container side of the
+ Ethernet link will be named <literal>host0</literal>. The <option>--network-veth</option> option implies
+ <option>--private-network</option>.</para>
+
+ <para>Note that
+ <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ includes by default a network file <filename>/usr/lib/systemd/network/80-container-ve.network</filename>
+ matching the host-side interfaces created this way, which contains settings to enable automatic address
+ provisioning on the created virtual link via DHCP, as well as automatic IP routing onto the host's external
+ network interfaces. It also contains <filename>/usr/lib/systemd/network/80-container-host0.network</filename>
+ matching the container-side interface created this way, containing settings to enable client side address
+ assignment via DHCP. In case <filename>systemd-networkd</filename> is running on both the host and inside the
+ container, automatic IP communication from the container to the host is thus available, with further
+ connectivity to the external network.</para>
+
+ <para>Note that <option>--network-veth</option> is the default if the
+ <filename>systemd-nspawn@.service</filename> template unit file is used.</para>
+
+ <para>Note that on Linux network interface names may have a length of 15 characters at maximum, while
+ container names may have a length up to 64 characters. As this option derives the host-side interface
+ name from the container name the name is possibly truncated. Thus, care needs to be taken to ensure
+ that interface names remain unique in this case, or even better container names are generally not
+ chosen longer than 12 characters, to avoid the truncation. If the name is truncated,
+ <command>systemd-nspawn</command> will automatically append a 4-digit hash value to the name to
+ reduce the chance of collisions. However, the hash algorithm is not collision-free. (See
+ <citerefentry><refentrytitle>systemd.net-naming-scheme</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details on older naming algorithms for this interface). Alternatively, the
+ <option>--network-veth-extra=</option> option may be used, which allows free configuration of the
+ host-side interface name independently of the container name — but might require a bit more
+ additional configuration in case bridging in a fashion similar to <option>--network-bridge=</option>
+ is desired.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-veth-extra=</option></term>
+
+ <listitem><para>Adds an additional virtual Ethernet link
+ between host and container. Takes a colon-separated pair of
+ host interface name and container interface name. The latter
+ may be omitted in which case the container and host sides will
+ be assigned the same name. This switch is independent of
+ <option>--network-veth</option>, and — in contrast — may be
+ used multiple times, and allows configuration of the network
+ interface names. Note that <option>--network-bridge=</option>
+ has no effect on interfaces created with
+ <option>--network-veth-extra=</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-bridge=</option></term>
+
+ <listitem><para>Adds the host side of the Ethernet link created with <option>--network-veth</option>
+ to the specified Ethernet bridge interface. Expects a valid network interface name of a bridge device
+ as argument. Note that <option>--network-bridge=</option> implies <option>--network-veth</option>. If
+ this option is used, the host side of the Ethernet link will use the <literal>vb-</literal> prefix
+ instead of <literal>ve-</literal>. Regardless of the used naming prefix the same network interface
+ name length limits imposed by Linux apply, along with the complications this creates (for details see
+ above).</para>
+
+ <para>As with <option>--network-interface=</option>, the underlying bridge network interface must
+ already exist at the time the container is started, and thus similar unit file drop-ins as described
+ above might be useful.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-zone=</option></term>
+
+ <listitem><para>Creates a virtual Ethernet link (<literal>veth</literal>) to the container and adds it to an
+ automatically managed Ethernet bridge interface. The bridge interface is named after the passed argument,
+ prefixed with <literal>vz-</literal>. The bridge interface is automatically created when the first container
+ configured for its name is started, and is automatically removed when the last container configured for its
+ name exits. Hence, each bridge interface configured this way exists only as long as there's at least one
+ container referencing it running. This option is very similar to <option>--network-bridge=</option>, besides
+ this automatic creation/removal of the bridge device.</para>
+
+ <para>This setting makes it easy to place multiple related containers on a common, virtual Ethernet-based
+ broadcast domain, here called a "zone". Each container may only be part of one zone, but each zone may contain
+ any number of containers. Each zone is referenced by its name. Names may be chosen freely (as long as they form
+ valid network interface names when prefixed with <literal>vz-</literal>), and it is sufficient to pass the same
+ name to the <option>--network-zone=</option> switch of the various concurrently running containers to join
+ them in one zone.</para>
+
+ <para>Note that
+ <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ includes by default a network file <filename>/usr/lib/systemd/network/80-container-vz.network</filename>
+ matching the bridge interfaces created this way, which contains settings to enable automatic address
+ provisioning on the created virtual network via DHCP, as well as automatic IP routing onto the host's external
+ network interfaces. Using <option>--network-zone=</option> is hence in most cases fully automatic and
+ sufficient to connect multiple local containers in a joined broadcast domain to the host, with further
+ connectivity to the external network.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--network-namespace-path=</option></term>
+
+ <listitem><para>Takes the path to a file representing a kernel
+ network namespace that the container shall run in. The specified path
+ should refer to a (possibly bind-mounted) network namespace file, as
+ exposed by the kernel below <filename>/proc/$PID/ns/net</filename>.
+ This makes the container enter the given network namespace. One of the
+ typical use cases is to give a network namespace under
+ <filename>/run/netns</filename> created by <citerefentry
+ project='man-pages'><refentrytitle>ip-netns</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ for example, <option>--network-namespace-path=/run/netns/foo</option>.
+ Note that this option cannot be used together with other
+ network-related options, such as <option>--private-network</option>
+ or <option>--network-interface=</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-p</option></term>
+ <term><option>--port=</option></term>
+
+ <listitem><para>If private networking is enabled, maps an IP
+ port on the host onto an IP port on the container. Takes a
+ protocol specifier (either <literal>tcp</literal> or
+ <literal>udp</literal>), separated by a colon from a host port
+ number in the range 1 to 65535, separated by a colon from a
+ container port number in the range from 1 to 65535. The
+ protocol specifier and its separating colon may be omitted, in
+ which case <literal>tcp</literal> is assumed. The container
+ port number and its colon may be omitted, in which case the
+ same port as the host port is implied. This option is only
+ supported if private networking is used, such as with
+ <option>--network-veth</option>, <option>--network-zone=</option>
+ <option>--network-bridge=</option>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Security Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--capability=</option></term>
+
+ <listitem><para>List one or more additional capabilities to grant the container. Takes a
+ comma-separated list of capability names, see <citerefentry
+ project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for more information. Note that the following capabilities will be granted in any way:
+ <constant>CAP_AUDIT_CONTROL</constant>, <constant>CAP_AUDIT_WRITE</constant>,
+ <constant>CAP_CHOWN</constant>, <constant>CAP_DAC_OVERRIDE</constant>,
+ <constant>CAP_DAC_READ_SEARCH</constant>, <constant>CAP_FOWNER</constant>,
+ <constant>CAP_FSETID</constant>, <constant>CAP_IPC_OWNER</constant>, <constant>CAP_KILL</constant>,
+ <constant>CAP_LEASE</constant>, <constant>CAP_LINUX_IMMUTABLE</constant>,
+ <constant>CAP_MKNOD</constant>, <constant>CAP_NET_BIND_SERVICE</constant>,
+ <constant>CAP_NET_BROADCAST</constant>, <constant>CAP_NET_RAW</constant>,
+ <constant>CAP_SETFCAP</constant>, <constant>CAP_SETGID</constant>, <constant>CAP_SETPCAP</constant>,
+ <constant>CAP_SETUID</constant>, <constant>CAP_SYS_ADMIN</constant>,
+ <constant>CAP_SYS_BOOT</constant>, <constant>CAP_SYS_CHROOT</constant>,
+ <constant>CAP_SYS_NICE</constant>, <constant>CAP_SYS_PTRACE</constant>,
+ <constant>CAP_SYS_RESOURCE</constant>, <constant>CAP_SYS_TTY_CONFIG</constant>. Also
+ <constant>CAP_NET_ADMIN</constant> is retained if <option>--private-network</option> is specified.
+ If the special value <literal>all</literal> is passed, all capabilities are retained.</para>
+
+ <para>If the special value of <literal>help</literal> is passed, the program will print known
+ capability names and exit.</para>
+
+ <para>This option sets the bounding set of capabilities which
+ also limits the ambient capabilities as given with the
+ <option>--ambient-capability=</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--drop-capability=</option></term>
+
+ <listitem><para>Specify one or more additional capabilities to
+ drop for the container. This allows running the container with
+ fewer capabilities than the default (see
+ above).</para>
+
+ <para>If the special value of <literal>help</literal> is passed, the program will print known
+ capability names and exit.</para>
+
+ <para>This option sets the bounding set of capabilities which
+ also limits the ambient capabilities as given with the
+ <option>--ambient-capability=</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--ambient-capability=</option></term>
+
+ <listitem><para>Specify one or more additional capabilities to
+ pass in the inheritable and ambient set to the program started
+ within the container. The value <literal>all</literal> is not
+ supported for this setting.</para>
+
+ <para>All capabilities specified here must be in the set
+ allowed with the <option>--capability=</option> and
+ <option>--drop-capability=</option> options. Otherwise, an
+ error message will be shown.</para>
+
+ <para>This option cannot be combined with the boot mode of the
+ container (as requested via <option>--boot</option>).</para>
+
+ <para>If the special value of <literal>help</literal> is
+ passed, the program will print known capability names and
+ exit.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--no-new-privileges=</option></term>
+
+ <listitem><para>Takes a boolean argument. Specifies the value of the
+ <constant>PR_SET_NO_NEW_PRIVS</constant> flag for the container payload. Defaults to off. When turned
+ on the payload code of the container cannot acquire new privileges, i.e. the "setuid" file bit as
+ well as file system capabilities will not have an effect anymore. See <citerefentry
+ project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
+ details about this flag. </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--system-call-filter=</option></term> <listitem><para>Alter the system call filter
+ applied to containers. Takes a space-separated list of system call names or group names (the latter
+ prefixed with <literal>@</literal>, as listed by the <command>syscall-filter</command> command of
+ <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Passed
+ system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which
+ case all listed system calls are prohibited. If this command line option is used multiple times the
+ configured lists are combined. If both a positive and a negative list (that is one system call list
+ without and one with the <literal>~</literal> prefix) are configured, the negative list takes
+ precedence over the positive list. Note that <command>systemd-nspawn</command> always implements a
+ system call allow list (as opposed to a deny list!), and this command line option hence adds or
+ removes entries from the default allow list, depending on the <literal>~</literal> prefix. Note that
+ the applied system call filter is also altered implicitly if additional capabilities are passed using
+ the <command>--capabilities=</command>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-Z</option></term>
+ <term><option>--selinux-context=</option></term>
+
+ <listitem><para>Sets the SELinux security context to be used
+ to label processes in the container.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-L</option></term>
+ <term><option>--selinux-apifs-context=</option></term>
+
+ <listitem><para>Sets the SELinux security context to be used
+ to label files in the virtual API file systems in the
+ container.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Resource Options</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><option>--rlimit=</option></term>
+
+ <listitem><para>Sets the specified POSIX resource limit for the container payload. Expects an assignment of the
+ form
+ <literal><replaceable>LIMIT</replaceable>=<replaceable>SOFT</replaceable>:<replaceable>HARD</replaceable></literal>
+ or <literal><replaceable>LIMIT</replaceable>=<replaceable>VALUE</replaceable></literal>, where
+ <replaceable>LIMIT</replaceable> should refer to a resource limit type, such as
+ <constant>RLIMIT_NOFILE</constant> or <constant>RLIMIT_NICE</constant>. The <replaceable>SOFT</replaceable> and
+ <replaceable>HARD</replaceable> fields should refer to the numeric soft and hard resource limit values. If the
+ second form is used, <replaceable>VALUE</replaceable> may specify a value that is used both as soft and hard
+ limit. In place of a numeric value the special string <literal>infinity</literal> may be used to turn off
+ resource limiting for the specific type of resource. This command line option may be used multiple times to
+ control limits on multiple limit types. If used multiple times for the same limit type, the last use
+ wins. For details about resource limits see <citerefentry
+ project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>. By default
+ resource limits for the container's init process (PID 1) are set to the same values the Linux kernel originally
+ passed to the host init system. Note that some resource limits are enforced on resources counted per user, in
+ particular <constant>RLIMIT_NPROC</constant>. This means that unless user namespacing is deployed
+ (i.e. <option>--private-users=</option> is used, see above), any limits set will be applied to the resource
+ usage of the same user on all local containers as well as the host. This means particular care needs to be
+ taken with these limits as they might be triggered by possibly less trusted code. Example:
+ <literal>--rlimit=RLIMIT_NOFILE=8192:16384</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--oom-score-adjust=</option></term>
+
+ <listitem><para>Changes the OOM ("Out Of Memory") score adjustment value for the container payload. This controls
+ <filename>/proc/self/oom_score_adj</filename> which influences the preference with which this container is
+ terminated when memory becomes scarce. For details see <citerefentry
+ project='man-pages'><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>. Takes an
+ integer in the range -1000…1000.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--cpu-affinity=</option></term>
+
+ <listitem><para>Controls the CPU affinity of the container payload. Takes a comma separated list of CPU numbers
+ or number ranges (the latter's start and end value separated by dashes). See <citerefentry
+ project='man-pages'><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
+ details.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--personality=</option></term>
+
+ <listitem><para>Control the architecture ("personality")
+ reported by
+ <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
+ in the container. Currently, only <literal>x86</literal> and
+ <literal>x86-64</literal> are supported. This is useful when
+ running a 32-bit container on a 64-bit host. If this setting
+ is not used, the personality reported in the container is the
+ same as the one reported on the host.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Integration Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--resolv-conf=</option></term>
+
+ <listitem><para>Configures how <filename>/etc/resolv.conf</filename> inside of the container shall be
+ handled (i.e. DNS configuration synchronization from host to container). Takes one of
+ <literal>off</literal>, <literal>copy-host</literal>, <literal>copy-static</literal>,
+ <literal>copy-uplink</literal>, <literal>copy-stub</literal>, <literal>replace-host</literal>,
+ <literal>replace-static</literal>, <literal>replace-uplink</literal>,
+ <literal>replace-stub</literal>, <literal>bind-host</literal>, <literal>bind-static</literal>,
+ <literal>bind-uplink</literal>, <literal>bind-stub</literal>, <literal>delete</literal> or
+ <literal>auto</literal>.</para>
+
+ <para>If set to <literal>off</literal> the <filename>/etc/resolv.conf</filename> file in the
+ container is left as it is included in the image, and neither modified nor bind mounted over.</para>
+
+ <para>If set to <literal>copy-host</literal>, the <filename>/etc/resolv.conf</filename> file from the
+ host is copied into the container, unless the file exists already and is not a regular file (e.g. a
+ symlink). Similarly, if <literal>replace-host</literal> is used the file is copied, replacing any
+ existing inode, including symlinks. Similarly, if <literal>bind-host</literal> is used, the file is
+ bind mounted from the host into the container.</para>
+
+ <para>If set to <literal>copy-static</literal>, <literal>replace-static</literal> or
+ <literal>bind-static</literal> the static <filename>resolv.conf</filename> file supplied with
+ <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ (specifically: <filename>/usr/lib/systemd/resolv.conf</filename>) is copied or bind mounted into the
+ container.</para>
+
+ <para>If set to <literal>copy-uplink</literal>, <literal>replace-uplink</literal> or
+ <literal>bind-uplink</literal> the uplink <filename>resolv.conf</filename> file managed by
+ <filename>systemd-resolved.service</filename> (specifically:
+ <filename>/run/systemd/resolve/resolv.conf</filename>) is copied or bind mounted into the
+ container.</para>
+
+ <para>If set to <literal>copy-stub</literal>, <literal>replace-stub</literal> or
+ <literal>bind-stub</literal> the stub <filename>resolv.conf</filename> file managed by
+ <filename>systemd-resolved.service</filename> (specifically:
+ <filename>/run/systemd/resolve/stub-resolv.conf</filename>) is copied or bind mounted into the
+ container.</para>
+
+ <para>If set to <literal>delete</literal> the <filename>/etc/resolv.conf</filename> file in the
+ container is deleted if it exists.</para>
+
+ <para>Finally, if set to <literal>auto</literal> the file is left as it is if private networking is
+ turned on (see <option>--private-network</option>). Otherwise, if
+ <filename>systemd-resolved.service</filename> is running its stub <filename>resolv.conf</filename>
+ file is used, and if not the host's <filename>/etc/resolv.conf</filename> file. In the latter cases
+ the file is copied if the image is writable, and bind mounted otherwise.</para>
+
+ <para>It's recommended to use <literal>copy-…</literal> or <literal>replace-…</literal> if the
+ container shall be able to make changes to the DNS configuration on its own, deviating from the
+ host's settings. Otherwise <literal>bind</literal> is preferable, as it means direct changes to
+ <filename>/etc/resolv.conf</filename> in the container are not allowed, as it is a read-only bind
+ mount (but note that if the container has enough privileges, it might simply go ahead and unmount the
+ bind mount anyway). Note that both if the file is bind mounted and if it is copied no further
+ propagation of configuration is generally done after the one-time early initialization (this is
+ because the file is usually updated through copying and renaming). Defaults to
+ <literal>auto</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--timezone=</option></term>
+
+ <listitem><para>Configures how <filename>/etc/localtime</filename> inside of the container
+ (i.e. local timezone synchronization from host to container) shall be handled. Takes one of
+ <literal>off</literal>, <literal>copy</literal>, <literal>bind</literal>, <literal>symlink</literal>,
+ <literal>delete</literal> or <literal>auto</literal>. If set to <literal>off</literal> the
+ <filename>/etc/localtime</filename> file in the container is left as it is included in the image, and
+ neither modified nor bind mounted over. If set to <literal>copy</literal> the
+ <filename>/etc/localtime</filename> file of the host is copied into the container. Similarly, if
+ <literal>bind</literal> is used, the file is bind mounted from the host into the container. If set to
+ <literal>symlink</literal>, a symlink is created pointing from <filename>/etc/localtime</filename> in
+ the container to the timezone file in the container that matches the timezone setting on the host. If
+ set to <literal>delete</literal>, the file in the container is deleted, should it exist. If set to
+ <literal>auto</literal> and the <filename>/etc/localtime</filename> file of the host is a symlink,
+ then <literal>symlink</literal> mode is used, and <literal>copy</literal> otherwise, except if the
+ image is read-only in which case <literal>bind</literal> is used instead. Defaults to
+ <literal>auto</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--link-journal=</option></term>
+
+ <listitem><para>Control whether the container's journal shall
+ be made visible to the host system. If enabled, allows viewing
+ the container's journal files from the host (but not vice
+ versa). Takes one of <literal>no</literal>,
+ <literal>host</literal>, <literal>try-host</literal>,
+ <literal>guest</literal>, <literal>try-guest</literal>,
+ <literal>auto</literal>. If <literal>no</literal>, the journal
+ is not linked. If <literal>host</literal>, the journal files
+ are stored on the host file system (beneath
+ <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
+ and the subdirectory is bind-mounted into the container at the
+ same location. If <literal>guest</literal>, the journal files
+ are stored on the guest file system (beneath
+ <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
+ and the subdirectory is symlinked into the host at the same
+ location. <literal>try-host</literal> and
+ <literal>try-guest</literal> do the same but do not fail if
+ the host does not have persistent journaling enabled. If
+ <literal>auto</literal> (the default), and the right
+ subdirectory of <filename>/var/log/journal</filename> exists,
+ it will be bind mounted into the container. If the
+ subdirectory does not exist, no linking is performed.
+ Effectively, booting a container once with
+ <literal>guest</literal> or <literal>host</literal> will link
+ the journal persistently if further on the default of
+ <literal>auto</literal> is used.</para>
+
+ <para>Note that <option>--link-journal=try-guest</option> is the default if the
+ <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-j</option></term>
+
+ <listitem><para>Equivalent to
+ <option>--link-journal=try-guest</option>.</para></listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Mount Options</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><option>--bind=</option></term>
+ <term><option>--bind-ro=</option></term>
+
+ <listitem><para>Bind mount a file or directory from the host into the container. Takes one of: a path
+ argument — in which case the specified path will be mounted from the host to the same path in the container, or
+ a colon-separated pair of paths — in which case the first specified path is the source in the host, and the
+ second path is the destination in the container, or a colon-separated triple of source path, destination path
+ and mount options. The source path may optionally be prefixed with a <literal>+</literal> character. If so, the
+ source path is taken relative to the image's root directory. This permits setting up bind mounts within the
+ container image. The source path may be specified as empty string, in which case a temporary directory below
+ the host's <filename>/var/tmp/</filename> directory is used. It is automatically removed when the container is
+ shut down. If the source path is not absolute, it is resolved relative to the current working directory.
+ The <option>--bind-ro=</option> option creates read-only bind mounts. Backslash escapes are interpreted,
+ so <literal>\:</literal> may be used to embed colons in either path. This option may be specified
+ multiple times for creating multiple independent bind mount points.</para>
+
+ <para>Mount options are comma-separated. <option>rbind</option> and <option>norbind</option> control whether
+ to create a recursive or a regular bind mount. Defaults to "rbind". <option>noidmap</option>,
+ <option>idmap</option>, and <option>rootidmap</option> control ID mapping.</para>
+
+ <para>Using <option>idmap</option> or <option>rootidmap</option> requires support by the source filesystem
+ for user/group ID mapped mounts. Defaults to "noidmap". With <option>x</option> being the container's UID range
+ offset, <option>y</option> being the length of the container's UID range, and <option>p</option> being the
+ owner UID of the bind mount source inode on the host:
+
+ <itemizedlist>
+ <listitem><para>If <option>noidmap</option> is used, any user <option>z</option> in the range
+ <option>0 … y</option> seen from inside of the container is mapped to <option>x + z</option> in the
+ <option>x … x + y</option> range on the host. All host users outside of that range are mapped to
+ <option>nobody</option> inside the container.</para></listitem>
+ <listitem><para>If <option>idmap</option> is used, any user <option>z</option> in the UID range
+ <option>0 … y</option> as seen from inside the container is mapped to the same <option>z</option>
+ in the same <option>0 … y</option> range on the host. All host users outside of that range are
+ mapped to <option>nobody</option> inside the container.</para></listitem>
+ <listitem><para>If <option>rootidmap</option> is used, the user <option>0</option> seen from inside
+ of the container is mapped to <option>p</option> on the host. All host users outside of that range
+ are mapped to <option>nobody</option> inside the container.</para></listitem>
+ </itemizedlist></para>
+
+ <para>Whichever ID mapping option is used, the same mapping will be used for users and groups IDs. If
+ <option>rootidmap</option> is used, the group owning the bind mounted directory will have no effect</para>
+
+ <para>Note that when this option is used in combination with <option>--private-users</option>, the resulting
+ mount points will be owned by the <constant>nobody</constant> user. That's because the mount and its files and
+ directories continue to be owned by the relevant host users and groups, which do not exist in the container,
+ and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to
+ make them read-only, using <option>--bind-ro=</option>. Alternatively you can use the "idmap" mount option to
+ map the filesystem IDs.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--bind-user=</option></term>
+
+ <listitem><para>Binds the home directory of the specified user on the host into the container. Takes
+ the name of an existing user on the host as argument. May be used multiple times to bind multiple
+ users into the container. This does three things:</para>
+
+ <orderedlist>
+ <listitem><para>The user's home directory is bind mounted from the host into
+ <filename>/run/host/home/</filename>.</para></listitem>
+
+ <listitem><para>An additional UID/GID mapping is added that maps the host user's UID/GID to a
+ container UID/GID, allocated from the 60514…60577 range.</para></listitem>
+
+ <listitem><para>A JSON user and group record is generated in <filename>/run/userdb/</filename> that
+ describes the mapped user. It contains a minimized representation of the host's user record,
+ adjusted to the UID/GID and home directory path assigned to the user in the container. The
+ <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ glibc NSS module will pick up these records from there and make them available in the container's
+ user/group databases.</para></listitem>
+ </orderedlist>
+
+ <para>The combination of the three operations above ensures that it is possible to log into the
+ container using the same account information as on the host. The user is only mapped transiently,
+ while the container is running, and the mapping itself does not result in persistent changes to the
+ container (except maybe for log messages generated at login time, and similar). Note that in
+ particular the UID/GID assignment in the container is not made persistently. If the user is mapped
+ transiently, it is best to not allow the user to make persistent changes to the container. If the
+ user leaves files or directories owned by the user, and those UIDs/GIDs are reused during later
+ container invocations (possibly with a different <option>--bind-user=</option> mapping), those files
+ and directories will be accessible to the "new" user.</para>
+
+ <para>The user/group record mapping only works if the container contains systemd 249 or newer, with
+ <command>nss-systemd</command> properly configured in <filename>nsswitch.conf</filename>. See
+ <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
+ details.</para>
+
+ <para>Note that the user record propagated from the host into the container will contain the UNIX
+ password hash of the user, so that seamless logins in the container are possible. If the container is
+ less trusted than the host it's hence important to use a strong UNIX password hash function
+ (e.g. yescrypt or similar, with the <literal>$y$</literal> hash prefix).</para>
+
+ <para>When binding a user from the host into the container checks are executed to ensure that the
+ username is not yet known in the container. Moreover, it is checked that the UID/GID allocated for it
+ is not currently defined in the user/group databases of the container. Both checks directly access
+ the container's <filename>/etc/passwd</filename> and <filename>/etc/group</filename>, and thus might
+ not detect existing accounts in other databases.</para>
+
+ <para>This operation is only supported in combination with
+ <option>--private-users=</option>/<option>-U</option>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--inaccessible=</option></term>
+
+ <listitem><para>Make the specified path inaccessible in the container. This over-mounts the specified path
+ (which must exist in the container) with a file node of the same type that is empty and has the most
+ restrictive access mode supported. This is an effective way to mask files, directories and other file system
+ objects from the container payload. This option may be used more than once in case all specified paths are
+ masked.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--tmpfs=</option></term>
+
+ <listitem><para>Mount a tmpfs file system into the container. Takes a single absolute path argument that
+ specifies where to mount the tmpfs instance to (in which case the directory access mode will be chosen as 0755,
+ owned by root/root), or optionally a colon-separated pair of path and mount option string that is used for
+ mounting (in which case the kernel default for access mode and owner will be chosen, unless otherwise
+ specified). Backslash escapes are interpreted in the path, so <literal>\:</literal> may be used to embed colons
+ in the path.</para>
+
+ <para>Note that this option cannot be used to replace the root file system of the container with a temporary
+ file system. However, the <option>--volatile=</option> option described below provides similar
+ functionality, with a focus on implementing stateless operating system images.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--overlay=</option></term>
+ <term><option>--overlay-ro=</option></term>
+
+ <listitem><para>Combine multiple directory trees into one overlay file system and mount it into the
+ container. Takes a list of colon-separated paths to the directory trees to combine and the
+ destination mount point.</para>
+
+ <para>Backslash escapes are interpreted in the paths, so <literal>\:</literal> may be used to embed
+ colons in the paths.</para>
+
+ <para>If three or more paths are specified, then the last specified path is the destination mount
+ point in the container, all paths specified before refer to directory trees on the host and are
+ combined in the specified order into one overlay file system. The left-most path is hence the lowest
+ directory tree, the second-to-last path the highest directory tree in the stacking order. If
+ <option>--overlay-ro=</option> is used instead of <option>--overlay=</option>, a read-only overlay
+ file system is created. If a writable overlay file system is created, all changes made to it are
+ written to the highest directory tree in the stacking order, i.e. the second-to-last specified.
+ </para>
+
+ <para>If only two paths are specified, then the second specified path is used both as the top-level
+ directory tree in the stacking order as seen from the host, as well as the mount point for the
+ overlay file system in the container. At least two paths have to be specified.</para>
+
+ <para>The source paths may optionally be prefixed with <literal>+</literal> character. If so they are
+ taken relative to the image's root directory. The uppermost source path may also be specified as an
+ empty string, in which case a temporary directory below the host's <filename>/var/tmp/</filename> is
+ used. The directory is removed automatically when the container is shut down. This behaviour is
+ useful in order to make read-only container directories writable while the container is running. For
+ example, use <literal>--overlay=+/var::/var</literal> in order to automatically overlay a writable
+ temporary directory on a read-only <filename>/var/</filename> directory. If a source path is not
+ absolute, it is resolved relative to the current working directory.</para>
+
+ <para>For details about overlay file systems, see <ulink
+ url="https://docs.kernel.org/filesystems/overlayfs.html">Overlay Filesystem</ulink>.
+ Note that the semantics of overlay file systems are substantially different from normal file systems,
+ in particular regarding reported device and inode information. Device and inode information may
+ change for a file while it is being written to, and processes might see out-of-date versions of files
+ at times. Note that this switch automatically derives the <literal>workdir=</literal> mount option
+ for the overlay file system from the top-level directory tree, making it a sibling of it. It is hence
+ essential that the top-level directory tree is not a mount point itself (since the working directory
+ must be on the same file system as the top-most directory tree). Also note that the
+ <literal>lowerdir=</literal> mount option receives the paths to stack in the opposite order of this
+ switch.</para>
+
+ <para>Note that this option cannot be used to replace the root file system of the container with an overlay
+ file system. However, the <option>--volatile=</option> option described above provides similar functionality,
+ with a focus on implementing stateless operating system images.</para></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
+ <title>Input/Output Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--console=</option><replaceable>MODE</replaceable></term>
+
+ <listitem><para>Configures how to set up standard input, output and error output for the container
+ payload, as well as the <filename>/dev/console</filename> device for the container. Takes one of
+ <option>interactive</option>, <option>read-only</option>, <option>passive</option>,
+ <option>pipe</option> or <option>autopipe</option>. If <option>interactive</option>, a pseudo-TTY is
+ allocated and made available as <filename>/dev/console</filename> in the container. It is then
+ bi-directionally connected to the standard input and output passed to
+ <command>systemd-nspawn</command>. <option>read-only</option> is similar but only the output of the
+ container is propagated and no input from the caller is read. If <option>passive</option>, a pseudo
+ TTY is allocated, but it is not connected anywhere. In <option>pipe</option> mode no pseudo TTY is
+ allocated, but the standard input, output and error output file descriptors passed to
+ <command>systemd-nspawn</command> are passed on — as they are — to the container payload, see the
+ following paragraph. Finally, <option>autopipe</option> mode operates like
+ <option>interactive</option> when <command>systemd-nspawn</command> is invoked on a terminal, and
+ like <option>pipe</option> otherwise. Defaults to <option>interactive</option> if
+ <command>systemd-nspawn</command> is invoked from a terminal, and <option>read-only</option>
+ otherwise.</para>
+
+ <para>In <option>pipe</option> mode, <filename>/dev/console</filename> will not exist in the
+ container. This means that the container payload generally cannot be a full init system as init
+ systems tend to require <filename>/dev/console</filename> to be available. On the other hand, in this
+ mode container invocations can be used within shell pipelines. This is because intermediary pseudo
+ TTYs do not permit independent bidirectional propagation of the end-of-file (EOF) condition, which is
+ necessary for shell pipelines to work correctly. <emphasis>Note that the <option>pipe</option> mode
+ should be used carefully</emphasis>, as passing arbitrary file descriptors to less trusted container
+ payloads might open up unwanted interfaces for access by the container payload. For example, if a
+ passed file descriptor refers to a TTY of some form, APIs such as <constant>TIOCSTI</constant> may be
+ used to synthesize input that might be used for escaping the container. Hence <option>pipe</option>
+ mode should only be used if the payload is sufficiently trusted or when the standard
+ input/output/error output file descriptors are known safe, for example pipes.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--pipe</option></term>
+ <term><option>-P</option></term>
+
+ <listitem><para>Equivalent to <option>--console=pipe</option>.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2>
+ <refsect2>
+ <title>Credentials</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term>
+ <term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term>
+
+ <listitem><para>Pass a credential to the container. These two options correspond to the
+ <varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+ details about these concepts, as well as the syntax of the option's arguments.</para>
+
+ <para>Note: when <command>systemd-nspawn</command> runs as systemd system service it can propagate
+ the credentials it received via <varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
+ to the container payload. A systemd service manager running as PID 1 in the container can further
+ propagate them to the services it itself starts. It is thus possible to easily propagate credentials
+ from a parent service manager to a container manager service and from there into its payload. This
+ can even be done recursively.</para>
+
+ <para>In order to embed binary data into the credential data for <option>--set-credential=</option>,
+ use C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to
+ embed a <constant>NUL</constant> byte). Note that the invoking shell might already apply unescaping
+ once, hence this might require double escaping!.</para>
+
+ <para>The
+ <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ and
+ <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ services read credentials configured this way for the purpose of configuring the container's root
+ user's password and shell, as well as system locale, keymap and timezone during the first boot
+ process of the container. This is particularly useful in combination with
+ <option>--volatile=yes</option> where every single boot appears as first boot, since configuration
+ applied to <filename>/etc/</filename> is lost on container reboot cycles. See the respective man
+ pages for details. Example:</para>
+
+ <programlisting># systemd-nspawn -i image.raw \
+ --volatile=yes \
+ --set-credential=firstboot.locale:de_DE.UTF-8 \
+ --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' \
+ -b</programlisting>
+
+ <para>The above command line will invoke the specified image file <filename>image.raw</filename> in
+ volatile mode, i.e. with empty <filename>/etc/</filename> and <filename>/var/</filename>. The
+ container payload will recognize this as a first boot, and will invoke
+ <filename>systemd-firstboot.service</filename>, which then reads the two passed credentials to
+ configure the system's initial locale and root password.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ </refsect2><refsect2>
+ <title>Other</title>
+
+ <variablelist>
+ <xi:include href="standard-options.xml" xpointer="no-pager" />
+ <xi:include href="standard-options.xml" xpointer="help" />
+ <xi:include href="standard-options.xml" xpointer="version" />
+ </variablelist>
+ </refsect2>
+ </refsect1>
+
+ <xi:include href="common-variables.xml" />
+
+ <refsect1>
+ <title>Examples</title>
+
+ <example>
+ <title>Download a
+ <ulink url="https://getfedora.org">Fedora</ulink> image and start a shell in it</title>
+
+ <programlisting># machinectl pull-raw --verify=no \
+ https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz \
+ Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64
+# systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64</programlisting>
+
+ <para>This downloads an image using
+ <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ and opens a shell in it.</para>
+ </example>
+
+ <example>
+ <title>Build and boot a minimal Fedora distribution in a container</title>
+
+ <programlisting># dnf -y --releasever=&fedora_latest_version; --installroot=/var/lib/machines/f&fedora_latest_version; \
+ --repo=fedora --repo=updates --setopt=install_weak_deps=False install \
+ passwd dnf fedora-release vim-minimal util-linux systemd systemd-networkd
+# systemd-nspawn -bD /var/lib/machines/f&fedora_latest_version;</programlisting>
+
+ <para>This installs a minimal Fedora distribution into the
+ directory <filename index="false">/var/lib/machines/f&fedora_latest_version;</filename>
+ and then boots that OS in a namespace container. Because the installation
+ is located underneath the standard <filename>/var/lib/machines/</filename>
+ directory, it is also possible to start the machine using
+ <command>systemd-nspawn -M f&fedora_latest_version;</command>.</para>
+ </example>
+
+ <example>
+ <title>Spawn a shell in a container of a minimal Debian unstable distribution</title>
+
+ <programlisting># debootstrap unstable ~/debian-tree/
+# systemd-nspawn -D ~/debian-tree/</programlisting>
+
+ <para>This installs a minimal Debian unstable distribution into
+ the directory <filename>~/debian-tree/</filename> and then
+ spawns a shell from this image in a namespace container.</para>
+
+ <para><command>debootstrap</command> supports
+ <ulink url="https://www.debian.org">Debian</ulink>,
+ <ulink url="https://www.ubuntu.com">Ubuntu</ulink>,
+ and <ulink url="https://www.tanglu.org">Tanglu</ulink>
+ out of the box, so the same command can be used to install any of those. For other
+ distributions from the Debian family, a mirror has to be specified, see
+ <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+ </para>
+ </example>
+
+ <example>
+ <title>Boot a minimal
+ <ulink url="https://www.archlinux.org">Arch Linux</ulink> distribution in a container</title>
+
+ <programlisting># pacstrap -c ~/arch-tree/ base
+# systemd-nspawn -bD ~/arch-tree/</programlisting>
+
+ <para>This installs a minimal Arch Linux distribution into the
+ directory <filename>~/arch-tree/</filename> and then boots an OS
+ in a namespace container in it.</para>
+ </example>
+
+ <example>
+ <title>Install the
+ <ulink url="https://software.opensuse.org/distributions/tumbleweed">OpenSUSE Tumbleweed</ulink>
+ rolling distribution</title>
+
+ <programlisting># zypper --root=/var/lib/machines/tumbleweed ar -c \
+ https://download.opensuse.org/tumbleweed/repo/oss tumbleweed
+# zypper --root=/var/lib/machines/tumbleweed refresh
+# zypper --root=/var/lib/machines/tumbleweed install --no-recommends \
+ systemd shadow zypper openSUSE-release vim
+# systemd-nspawn -M tumbleweed passwd root
+# systemd-nspawn -M tumbleweed -b</programlisting>
+ </example>
+
+ <example>
+ <title>Boot into an ephemeral snapshot of the host system</title>
+
+ <programlisting># systemd-nspawn -D / -xb</programlisting>
+
+ <para>This runs a copy of the host system in a snapshot which is removed immediately when the container
+ exits. All file system changes made during runtime will be lost on shutdown, hence.</para>
+ </example>
+
+ <example>
+ <title>Run a container with SELinux sandbox security contexts</title>
+
+ <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
+# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 \
+ -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
+ </example>
+
+ <example>
+ <title>Run a container with an OSTree deployment</title>
+
+ <programlisting># systemd-nspawn -b -i ~/image.raw \
+ --pivot-root=/ostree/deploy/$OS/deploy/$CHECKSUM:/sysroot \
+ --bind=+/sysroot/ostree/deploy/$OS/var:/var</programlisting>
+ </example>
+ </refsect1>
+
+ <refsect1>
+ <title>Exit status</title>
+
+ <para>The exit code of the program executed in the container is
+ returned.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry project='mankier'><refentrytitle>zypper</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>