diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:35:18 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:35:18 +0000 |
commit | b750101eb236130cf056c675997decbac904cc49 (patch) | |
tree | a5df1a06754bdd014cb975c051c83b01c9a97532 /man/systemd-nspawn.xml | |
parent | Initial commit. (diff) | |
download | systemd-b750101eb236130cf056c675997decbac904cc49.tar.xz systemd-b750101eb236130cf056c675997decbac904cc49.zip |
Adding upstream version 252.22.upstream/252.22
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'man/systemd-nspawn.xml')
-rw-r--r-- | man/systemd-nspawn.xml | 1767 |
1 files changed, 1767 insertions, 0 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml new file mode 100644 index 0000000..fc471c3 --- /dev/null +++ b/man/systemd-nspawn.xml @@ -0,0 +1,1767 @@ +<?xml version='1.0'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ +<!ENTITY % entities SYSTEM "custom-entities.ent" > +%entities; +]> +<!-- SPDX-License-Identifier: LGPL-2.1-or-later --> + +<refentry id="systemd-nspawn" + xmlns:xi="http://www.w3.org/2001/XInclude"> + + <refentryinfo> + <title>systemd-nspawn</title> + <productname>systemd</productname> + </refentryinfo> + + <refmeta> + <refentrytitle>systemd-nspawn</refentrytitle> + <manvolnum>1</manvolnum> + </refmeta> + + <refnamediv> + <refname>systemd-nspawn</refname> + <refpurpose>Spawn a command or OS in a light-weight container</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis> + <command>systemd-nspawn</command> + <arg choice="opt" rep="repeat">OPTIONS</arg> + <arg choice="opt"><replaceable>COMMAND</replaceable> + <arg choice="opt" rep="repeat">ARGS</arg> + </arg> + </cmdsynopsis> + <cmdsynopsis> + <command>systemd-nspawn</command> + <arg choice="plain">--boot</arg> + <arg choice="opt" rep="repeat">OPTIONS</arg> + <arg choice="opt" rep="repeat">ARGS</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>Description</title> + + <para><command>systemd-nspawn</command> may be used to run a command or OS in a light-weight namespace + container. In many ways it is similar to <citerefentry + project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, but more powerful + since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and + the host and domain name.</para> + + <para><command>systemd-nspawn</command> may be invoked on any directory tree containing an operating system tree, + using the <option>--directory=</option> command line option. By using the <option>--machine=</option> option an OS + tree is automatically searched for in a couple of locations, most importantly in + <filename>/var/lib/machines/</filename>, the suggested directory to place OS container images installed on the + system.</para> + + <para>In contrast to <citerefentry + project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry> <command>systemd-nspawn</command> + may be used to boot full Linux-based operating systems in a container.</para> + + <para><command>systemd-nspawn</command> limits access to various kernel interfaces in the container to read-only, + such as <filename>/sys/</filename>, <filename>/proc/sys/</filename> or <filename>/sys/fs/selinux/</filename>. The + host's network interfaces and the system clock may not be changed from within the container. Device nodes may not + be created. The host system cannot be rebooted and kernel modules may not be loaded from within the + container.</para> + + <para>Use a tool like <citerefentry + project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry + project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or + <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry> to + set up an OS directory tree suitable as file system hierarchy for <command>systemd-nspawn</command> containers. See + the Examples section below for details on suitable invocation of these commands.</para> + + <para>As a safety check <command>systemd-nspawn</command> will verify the existence of + <filename>/usr/lib/os-release</filename> or <filename>/etc/os-release</filename> in the container tree before + booting a container (see + <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It might be + necessary to add this file to the container tree manually if the OS of the container is too old to contain this + file out-of-the-box.</para> + + <para><command>systemd-nspawn</command> may be invoked directly from the interactive command line or run as system + service in the background. In this mode each container instance runs as its own service instance; a default + template unit file <filename>systemd-nspawn@.service</filename> is provided to make this easy, taking the container + name as instance identifier. Note that different default options apply when <command>systemd-nspawn</command> is + invoked by the template unit file than interactively on the command line. Most importantly the template unit file + makes use of the <option>--boot</option> option which is not the default in case <command>systemd-nspawn</command> + is invoked from the interactive command line. Further differences with the defaults are documented along with the + various supported options below.</para> + + <para>The <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool may + be used to execute a number of operations on containers. In particular it provides easy-to-use commands to run + containers as system services using the <filename>systemd-nspawn@.service</filename> template unit + file.</para> + + <para>Along with each container a settings file with the <filename>.nspawn</filename> suffix may exist, containing + additional settings to apply when running the container. See + <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry> for + details. Settings files override the default options used by the <filename>systemd-nspawn@.service</filename> + template unit file, making it usually unnecessary to alter this template file directly.</para> + + <para>Note that <command>systemd-nspawn</command> will mount file systems private to the container to + <filename>/dev/</filename>, <filename>/run/</filename> and similar. These will not be visible outside of the + container, and their contents will be lost when the container exits.</para> + + <para>Note that running two <command>systemd-nspawn</command> containers from the same directory tree will not make + processes in them see each other. The PID namespace separation of the two containers is complete and the containers + will share very few runtime objects except for the underlying file system. Rather use + <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s + <command>login</command> or <command>shell</command> commands to request an additional login session in a running + container.</para> + + <para><command>systemd-nspawn</command> implements the <ulink + url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> specification.</para> + + <para>While running, containers invoked with <command>systemd-nspawn</command> are registered with the + <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry> service that + keeps track of running containers, and provides programming interfaces to interact with them.</para> + </refsect1> + + <refsect1> + <title>Options</title> + + <para>If option <option>--boot</option> is specified, the arguments + are used as arguments for the init program. Otherwise, + <replaceable>COMMAND</replaceable> specifies the program to launch + in the container, and the remaining arguments are used as + arguments for this program. If <option>--boot</option> is not used and + no arguments are specified, a shell is launched in the + container.</para> + + <para>The following options are understood:</para> + + <variablelist> + + <varlistentry> + <term><option>-q</option></term> + <term><option>--quiet</option></term> + + <listitem><para>Turns off any status output by the tool + itself. When this switch is used, the only output from nspawn + will be the console output of the container OS + itself.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--settings=</option><replaceable>MODE</replaceable></term> + + <listitem><para>Controls whether + <command>systemd-nspawn</command> shall search for and use + additional per-container settings from + <filename>.nspawn</filename> files. Takes a boolean or the + special values <option>override</option> or + <option>trusted</option>.</para> + + <para>If enabled (the default), a settings file named after the + machine (as specified with the <option>--machine=</option> + setting, or derived from the directory or image file name) + with the suffix <filename>.nspawn</filename> is searched in + <filename>/etc/systemd/nspawn/</filename> and + <filename>/run/systemd/nspawn/</filename>. If it is found + there, its settings are read and used. If it is not found + there, it is subsequently searched in the same directory as the + image file or in the immediate parent of the root directory of + the container. In this case, if the file is found, its settings + will be also read and used, but potentially unsafe settings + are ignored. Note that in both these cases, settings on the + command line take precedence over the corresponding settings + from loaded <filename>.nspawn</filename> files, if both are + specified. Unsafe settings are considered all settings that + elevate the container's privileges or grant access to + additional resources such as files or directories of the + host. For details about the format and contents of + <filename>.nspawn</filename> files, consult + <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> + + <para>If this option is set to <option>override</option>, the + file is searched, read and used the same way, however, the order of + precedence is reversed: settings read from the + <filename>.nspawn</filename> file will take precedence over + the corresponding command line options, if both are + specified.</para> + + <para>If this option is set to <option>trusted</option>, the + file is searched, read and used the same way, but regardless + of being found in <filename>/etc/systemd/nspawn/</filename>, + <filename>/run/systemd/nspawn/</filename> or next to the image + file or container root directory, all settings will take + effect, however, command line arguments still take precedence + over corresponding settings.</para> + + <para>If disabled, no <filename>.nspawn</filename> file is read + and no settings except the ones on the command line are in + effect.</para></listitem> + </varlistentry> + + </variablelist> + + <refsect2> + <title>Image Options</title> + + <variablelist> + + <varlistentry> + <term><option>-D</option></term> + <term><option>--directory=</option></term> + + <listitem><para>Directory to use as file system root for the + container.</para> + + <para>If neither <option>--directory=</option>, nor + <option>--image=</option> is specified the directory is + determined by searching for a directory named the same as the + machine name specified with <option>--machine=</option>. See + <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> + section "Files and Directories" for the precise search path.</para> + + <para>If neither <option>--directory=</option>, + <option>--image=</option>, nor <option>--machine=</option> + are specified, the current directory will + be used. May not be specified together with + <option>--image=</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--template=</option></term> + + <listitem><para>Directory or <literal>btrfs</literal> subvolume to use as template for the + container's root directory. If this is specified and the container's root directory (as configured by + <option>--directory=</option>) does not yet exist it is created as <literal>btrfs</literal> snapshot + (if supported) or plain directory (otherwise) and populated from this template tree. Ideally, the + specified template path refers to the root of a <literal>btrfs</literal> subvolume, in which case a + simple copy-on-write snapshot is taken, and populating the root directory is instant. If the + specified template path does not refer to the root of a <literal>btrfs</literal> subvolume (or not + even to a <literal>btrfs</literal> file system at all), the tree is copied (though possibly in a + 'reflink' copy-on-write scheme — if the file system supports that), which can be substantially more + time-consuming. Note that the snapshot taken is of the specified directory or subvolume, including + all subdirectories and subvolumes below it, but excluding any sub-mounts. May not be specified + together with <option>--image=</option> or <option>--ephemeral</option>.</para> + + <para>Note that this switch leaves hostname, machine ID and + all other settings that could identify the instance + unmodified.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-x</option></term> + <term><option>--ephemeral</option></term> + + <listitem><para>If specified, the container is run with a temporary snapshot of its file system that is removed + immediately when the container terminates. May not be specified together with + <option>--template=</option>.</para> + <para>Note that this switch leaves hostname, machine ID and all other settings that could identify + the instance unmodified. Please note that — as with <option>--template=</option> — taking the + temporary snapshot is more efficient on file systems that support subvolume snapshots or 'reflinks' + natively (<literal>btrfs</literal> or new <literal>xfs</literal>) than on more traditional file + systems that do not (<literal>ext4</literal>). Note that the snapshot taken is of the specified + directory or subvolume, including all subdirectories and subvolumes below it, but excluding any + sub-mounts.</para> + + <para>With this option no modifications of the container image are retained. Use + <option>--volatile=</option> (described below) for other mechanisms to restrict persistency of + container images during runtime.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>-i</option></term> + <term><option>--image=</option></term> + + <listitem><para>Disk image to mount the root directory for the + container from. Takes a path to a regular file or to a block + device node. The file or block device must contain + either:</para> + + <itemizedlist> + <listitem><para>An MBR partition table with a single + partition of type 0x83 that is marked + bootable.</para></listitem> + + <listitem><para>A GUID partition table (GPT) with a single + partition of type + 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem> + + <listitem><para>A GUID partition table (GPT) with a marked + root partition which is mounted as the root directory of the + container. Optionally, GPT images may contain a home and/or + a server data partition which are mounted to the appropriate + places in the container. All these partitions must be + identified by the partition types defined by the <ulink + url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable + Partitions Specification</ulink>.</para></listitem> + + <listitem><para>No partition table, and a single file system spanning the whole image.</para></listitem> + </itemizedlist> + + <para>On GPT images, if an EFI System Partition (ESP) is discovered, it is automatically mounted to + <filename>/efi</filename> (or <filename>/boot</filename> as fallback) in case a directory by this name exists + and is empty.</para> + + <para>Partitions encrypted with LUKS are automatically decrypted. Also, on GPT images dm-verity data integrity + hash partitions are set up if the root hash for them is specified using the <option>--root-hash=</option> + option.</para> + + <para>Single file system images (i.e. file systems without a surrounding partition table) can be opened using + dm-verity if the integrity data is passed using the <option>--root-hash=</option> and + <option>--verity-data=</option> (and optionally <option>--root-hash-sig=</option>) options.</para> + + <para>Any other partitions, such as foreign partitions or swap partitions are not mounted. May not be specified + together with <option>--directory=</option>, <option>--template=</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--oci-bundle=</option></term> + + <listitem><para>Takes the path to an OCI runtime bundle to invoke, as specified in the <ulink + url="https://github.com/opencontainers/runtime-spec/blob/master/spec.md">OCI Runtime Specification</ulink>. In + this case no <filename>.nspawn</filename> file is loaded, and the root directory and various settings are read + from the OCI runtime JSON data (but data passed on the command line takes precedence).</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--read-only</option></term> + + <listitem><para>Mount the container's root file system (and any other file systems container in the container + image) read-only. This has no effect on additional mounts made with <option>--bind=</option>, + <option>--tmpfs=</option> and similar options. This mode is implied if the container image file or directory is + marked read-only itself. It is also implied if <option>--volatile=</option> is used. In this case the container + image on disk is strictly read-only, while changes are permitted but kept non-persistently in memory only. For + further details, see below.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--volatile</option></term> + <term><option>--volatile=</option><replaceable>MODE</replaceable></term> + + <listitem><para>Boots the container in volatile mode. When no mode parameter is passed or when mode is + specified as <option>yes</option>, full volatile mode is enabled. This means the root directory is mounted as a + mostly unpopulated <literal>tmpfs</literal> instance, and <filename>/usr/</filename> from the OS tree is + mounted into it in read-only mode (the system thus starts up with read-only OS image, but pristine state and + configuration, any changes are lost on shutdown). When the mode parameter is specified as + <option>state</option>, the OS tree is mounted read-only, but <filename>/var/</filename> is mounted as a + writable <literal>tmpfs</literal> instance into it (the system thus starts up with read-only OS resources and + configuration, but pristine state, and any changes to the latter are lost on shutdown). When the mode parameter + is specified as <option>overlay</option> the read-only root file system is combined with a writable + <filename>tmpfs</filename> instance through <literal>overlayfs</literal>, so that it appears at it normally + would, but any changes are applied to the temporary file system only and lost when the container is + terminated. When the mode parameter is specified as <option>no</option> (the default), the whole OS tree is + made available writable (unless <option>--read-only</option> is specified, see above).</para> + + <para>Note that if one of the volatile modes is chosen, its effect is limited to the root file system + (or <filename>/var/</filename> in case of <option>state</option>), and any other mounts placed in the + hierarchy are unaffected — regardless if they are established automatically (e.g. the EFI system + partition that might be mounted to <filename>/efi/</filename> or <filename>/boot/</filename>) or + explicitly (e.g. through an additional command line option such as <option>--bind=</option>, see + below). This means, even if <option>--volatile=overlay</option> is used changes to + <filename>/efi/</filename> or <filename>/boot/</filename> are prohibited in case such a partition + exists in the container image operated on, and even if <option>--volatile=state</option> is used the + hypothetical file <filename index="false">/etc/foobar</filename> is potentially writable if + <option>--bind=/etc/foobar</option> if used to mount it from outside the read-only container + <filename>/etc/</filename> directory.</para> + + <para>The <option>--ephemeral</option> option is closely related to this setting, and provides similar + behaviour by making a temporary, ephemeral copy of the whole OS image and executing that. For further details, + see above.</para> + + <para>The <option>--tmpfs=</option> and <option>--overlay=</option> options provide similar functionality, but + for specific sub-directories of the OS image only. For details, see below.</para> + + <para>This option provides similar functionality for containers as the <literal>systemd.volatile=</literal> + kernel command line switch provides for host systems. See + <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry> for + details.</para> + + <para>Note that setting this option to <option>yes</option> or <option>state</option> will only work + correctly with operating systems in the container that can boot up with only + <filename>/usr/</filename> mounted, and are able to automatically populate <filename>/var/</filename> + (and <filename>/etc/</filename> in case of <literal>--volatile=yes</literal>). Specifically, this + means that operating systems that follow the historic split of <filename>/bin/</filename> and + <filename>/lib/</filename> (and related directories) from <filename>/usr/</filename> (i.e. where the + former are not symlinks into the latter) are not supported by <literal>--volatile=yes</literal> as + container payload. The <option>overlay</option> option does not require any particular preparations + in the OS, but do note that <literal>overlayfs</literal> behaviour differs from regular file systems + in a number of ways, and hence compatibility is limited.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--root-hash=</option></term> + + <listitem><para>Takes a data integrity (dm-verity) root hash specified in hexadecimal. This option enables data + integrity checks using dm-verity, if the used image contains the appropriate integrity data (see above). The + specified hash must match the root hash of integrity data, and is usually at least 256 bits (and hence 64 + formatted hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but + the image file carries the <literal>user.verity.roothash</literal> extended file attribute (see <citerefentry + project='man-pages'><refentrytitle>xattr</refentrytitle><manvolnum>7</manvolnum></citerefentry>), then the root + hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or + is not supported by the underlying file system), but a file with the <filename>.roothash</filename> suffix is + found next to the image file, bearing otherwise the same name (except if the image has the + <filename>.raw</filename> suffix, in which case the root hash file must not have it in its name), the root hash + is read from it and automatically used, also as formatted hexadecimal characters.</para> + + <para>Note that this configures the root hash for the root file system. Disk images may also contain + separate file systems for the <filename>/usr/</filename> hierarchy, which may be Verity protected as + well. The root hash for this protection may be configured via the + <literal>user.verity.usrhash</literal> extended file attribute or via a <filename>.usrhash</filename> + file adjacent to the disk image, following the same format and logic as for the root hash for the + root file system described here. Note that there's currently no switch to configure the root hash for + the <filename>/usr/</filename> from the command line.</para> + + <para>Also see the <varname>RootHash=</varname> option in + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--root-hash-sig=</option></term> + + <listitem><para>Takes a PKCS7 signature of the <option>--root-hash=</option> option. + The semantics are the same as for the <varname>RootHashSignature=</varname> option, see + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--verity-data=</option></term> + + <listitem><para>Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks + using dm-verity, if a root-hash is passed and if the used image itself does not contains the integrity data. + The integrity data must be matched by the root hash. If this option is not specified, but a file with the + <filename>.verity</filename> suffix is found next to the image file, bearing otherwise the same name (except if + the image has the <filename>.raw</filename> suffix, in which case the verity data file must not have it in its name), + the verity data is read from it and automatically used.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--pivot-root=</option></term> + + <listitem><para>Pivot the specified directory to <filename>/</filename> inside the container, and either unmount the + container's old root, or pivot it to another specified directory. Takes one of: a path argument — in which case the + specified path will be pivoted to <filename>/</filename> and the old root will be unmounted; or a colon-separated pair + of new root path and pivot destination for the old root. The new root path will be pivoted to <filename>/</filename>, + and the old <filename>/</filename> will be pivoted to the other directory. Both paths must be absolute, and are resolved + in the container's file system namespace.</para> + + <para>This is for containers which have several bootable directories in them; for example, several + <ulink url="https://ostree.readthedocs.io/en/latest/">OSTree</ulink> deployments. It emulates the + behavior of the boot loader and the initrd which normally select which directory to mount as the root + and start the container's PID 1 in.</para></listitem> + </varlistentry> + </variablelist> + + </refsect2><refsect2> + <title>Execution Options</title> + + <variablelist> + <varlistentry> + <term><option>-a</option></term> + <term><option>--as-pid2</option></term> + + <listitem><para>Invoke the shell or specified program as process ID (PID) 2 instead of PID 1 (init). By + default, if neither this option nor <option>--boot</option> is used, the selected program is run as the process + with PID 1, a mode only suitable for programs that are aware of the special semantics that the process with + PID 1 has on UNIX. For example, it needs to reap all processes reparented to it, and should implement + <command>sysvinit</command> compatible signal handling (specifically: it needs to reboot on SIGINT, reexecute + on SIGTERM, reload configuration on SIGHUP, and so on). With <option>--as-pid2</option> a minimal stub init + process is run as PID 1 and the selected program is executed as PID 2 (and hence does not need to implement any + special semantics). The stub init process will reap processes as necessary and react appropriately to + signals. It is recommended to use this mode to invoke arbitrary commands in containers, unless they have been + modified to run correctly as PID 1. Or in other words: this switch should be used for pretty much all commands, + except when the command refers to an init or shell implementation, as these are generally capable of running + correctly as PID 1. This option may not be combined with <option>--boot</option>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>-b</option></term> + <term><option>--boot</option></term> + + <listitem><para>Automatically search for an init program and invoke it as PID 1, instead of a shell or a user + supplied program. If this option is used, arguments specified on the command line are used as arguments for the + init program. This option may not be combined with <option>--as-pid2</option>.</para> + + <para>The following table explains the different modes of invocation and relationship to + <option>--as-pid2</option> (see above):</para> + + <table> + <title>Invocation Mode</title> + <tgroup cols='2' align='left' colsep='1' rowsep='1'> + <colspec colname="switch" /> + <colspec colname="explanation" /> + <thead> + <row> + <entry>Switch</entry> + <entry>Explanation</entry> + </row> + </thead> + <tbody> + <row> + <entry>Neither <option>--as-pid2</option> nor <option>--boot</option> specified</entry> + <entry>The passed parameters are interpreted as the command line, which is executed as PID 1 in the container.</entry> + </row> + + <row> + <entry><option>--as-pid2</option> specified</entry> + <entry>The passed parameters are interpreted as the command line, which is executed as PID 2 in the container. A stub init process is run as PID 1.</entry> + </row> + + <row> + <entry><option>--boot</option> specified</entry> + <entry>An init program is automatically searched for and run as PID 1 in the container. The passed parameters are used as invocation parameters for this process.</entry> + </row> + + </tbody> + </tgroup> + </table> + + <para>Note that <option>--boot</option> is the default mode of operation if the + <filename>systemd-nspawn@.service</filename> template unit file is used.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--chdir=</option></term> + + <listitem><para>Change to the specified working directory before invoking the process in the container. Expects + an absolute path in the container's file system namespace.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-E <replaceable>NAME</replaceable>[=<replaceable>VALUE</replaceable>]</option></term> + <term><option>--setenv=<replaceable>NAME</replaceable>[=<replaceable>VALUE</replaceable>]</option></term> + + <listitem><para>Specifies an environment variable to pass to the init process in the container. This + may be used to override the default variables or to set additional variables. It may be used more + than once to set multiple variables. When <literal>=</literal> and <replaceable>VALUE</replaceable> + are omitted, the value of the variable with the same name in the program environment will be used. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-u</option></term> + <term><option>--user=</option></term> + + <listitem><para>After transitioning into the container, change to the specified user defined in the + container's user database. Like all other systemd-nspawn features, this is not a security feature and + provides protection against accidental destructive operations only.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--kill-signal=</option></term> + + <listitem><para>Specify the process signal to send to the container's PID 1 when nspawn itself receives + <constant>SIGTERM</constant>, in order to trigger an orderly shutdown of the container. Defaults to + <constant>SIGRTMIN+3</constant> if <option>--boot</option> is used (on systemd-compatible init systems + <constant>SIGRTMIN+3</constant> triggers an orderly shutdown). If <option>--boot</option> is not used and this + option is not specified the container's processes are terminated abruptly via <constant>SIGKILL</constant>. For + a list of valid signals, see <citerefentry + project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--notify-ready=</option></term> + + <listitem><para>Configures support for notifications from the container's init process. + <option>--notify-ready=</option> takes a boolean (<option>no</option> and <option>yes</option>). + With option <option>no</option> systemd-nspawn notifies systemd + with a <literal>READY=1</literal> message when the init process is created. + With option <option>yes</option> systemd-nspawn waits for the + <literal>READY=1</literal> message from the init process in the container + before sending its own to systemd. For more details about notifications + see <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--suppress-sync=</option></term> + + <listitem><para>Expects a boolean argument. If true, turns off any form of on-disk file system + synchronization for the container payload. This means all system calls such as <citerefentry + project='man-pages'><refentrytitle>sync</refentrytitle><manvolnum>2</manvolnum></citerefentry>, + <function>fsync()</function>, <function>syncfs()</function>, … will execute no operation, and the + <constant>O_SYNC</constant>/<constant>O_DSYNC</constant> flags to <citerefentry + project='man-pages'><refentrytitle>open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and + related calls will be made unavailable. This is potentially dangerous, as assumed data integrity + guarantees to the container payload are not actually enforced (i.e. data assumed to have been written + to disk might be lost if the system is shut down abnormally). However, this can dramatically improve + container runtime performance – as long as these guarantees are not required or desirable, for + example because any data written by the container is of temporary, redundant nature, or just an + intermediary artifact that will be further processed and finalized by a later step in a + pipeline. Defaults to false.</para></listitem> + </varlistentry> + </variablelist> + + </refsect2><refsect2> + <title>System Identity Options</title> + + <variablelist> + <varlistentry> + <term><option>-M</option></term> + <term><option>--machine=</option></term> + + <listitem><para>Sets the machine name for this container. This + name may be used to identify this container during its runtime + (for example in tools like + <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> + and similar), and is used to initialize the container's + hostname (which the container can choose to override, + however). If not specified, the last component of the root + directory path of the container is used, possibly suffixed + with a random identifier in case <option>--ephemeral</option> + mode is selected. If the root directory selected is the host's + root directory the host's hostname is used as default + instead.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--hostname=</option></term> + + <listitem><para>Controls the hostname to set within the container, if different from the machine name. Expects + a valid hostname as argument. If this option is used, the kernel hostname of the container will be set to this + value, otherwise it will be initialized to the machine name as controlled by the <option>--machine=</option> + option described above. The machine name is used for various aspect of identification of the container from the + outside, the kernel hostname configurable with this option is useful for the container to identify itself from + the inside. It is usually a good idea to keep both forms of identification synchronized, in order to avoid + confusion. It is hence recommended to avoid usage of this option, and use <option>--machine=</option> + exclusively. Note that regardless whether the container's hostname is initialized from the name set with + <option>--hostname=</option> or the one set with <option>--machine=</option>, the container can later override + its kernel hostname freely on its own as well.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--uuid=</option></term> + + <listitem><para>Set the specified UUID for the container. The + init system will initialize + <filename>/etc/machine-id</filename> from this if this file is + not set yet. Note that this option takes effect only if + <filename>/etc/machine-id</filename> in the container is + unpopulated.</para></listitem> + </varlistentry> + </variablelist> + + </refsect2><refsect2> + <title>Property Options</title> + + <variablelist> + <varlistentry> + <term><option>-S</option></term> + <term><option>--slice=</option></term> + + <listitem><para>Make the container part of the specified slice, instead of the default + <filename>machine.slice</filename>. This applies only if the machine is run in its own scope unit, i.e. if + <option>--keep-unit</option> isn't used.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--property=</option></term> + + <listitem><para>Set a unit property on the scope unit to register for the machine. This applies only if the + machine is run in its own scope unit, i.e. if <option>--keep-unit</option> isn't used. Takes unit property + assignments in the same format as <command>systemctl set-property</command>. This is useful to set memory + limits and similar for the container.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--register=</option></term> + + <listitem><para>Controls whether the container is registered with + <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes a + boolean argument, which defaults to <literal>yes</literal>. This option should be enabled when the container + runs a full Operating System (more specifically: a system and service manager as PID 1), and is useful to + ensure that the container is accessible via + <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and shown by + tools such as <citerefentry + project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If the container + does not run a service manager, it is recommended to set this option to + <literal>no</literal>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--keep-unit</option></term> + + <listitem><para>Instead of creating a transient scope unit to run the container in, simply use the service or + scope unit <command>systemd-nspawn</command> has been invoked in. If <option>--register=yes</option> is set + this unit is registered with + <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This + switch should be used if <command>systemd-nspawn</command> is invoked from within a service unit, and the + service unit's sole purpose is to run a single <command>systemd-nspawn</command> container. This option is not + available if run from a user session.</para> + <para>Note that passing <option>--keep-unit</option> disables the effect of <option>--slice=</option> and + <option>--property=</option>. Use <option>--keep-unit</option> and <option>--register=no</option> in + combination to disable any kind of unit allocation or registration with + <command>systemd-machined</command>.</para></listitem> + </varlistentry> + </variablelist> + + </refsect2><refsect2> + <title>User Namespacing Options</title> + + <variablelist> + <varlistentry> + <term><option>--private-users=</option></term> + + <listitem><para>Controls user namespacing. If enabled, the container will run with its own private set of UNIX + user and group ids (UIDs and GIDs). This involves mapping the private UIDs/GIDs used in the container (starting + with the container's root user 0 and up) to a range of UIDs/GIDs on the host that are not used for other + purposes (usually in the range beyond the host's UID/GID 65536). The parameter may be specified as follows:</para> + + <orderedlist> + <listitem><para>If one or two colon-separated numbers are specified, user namespacing is turned on. The first + parameter specifies the first host UID/GID to assign to the container, the second parameter specifies the + number of host UIDs/GIDs to assign to the container. If the second parameter is omitted, 65536 UIDs/GIDs are + assigned.</para></listitem> + + <listitem><para>If the parameter is <literal>yes</literal>, user namespacing is turned on. The + UID/GID range to use is determined automatically from the file ownership of the root directory of + the container's directory tree. To use this option, make sure to prepare the directory tree in + advance, and ensure that all files and directories in it are owned by UIDs/GIDs in the range you'd + like to use. Also, make sure that used file ACLs exclusively reference UIDs/GIDs in the appropriate + range. In this mode, the number of UIDs/GIDs assigned to the container is 65536, and the owner + UID/GID of the root directory must be a multiple of 65536.</para></listitem> + + <listitem><para>If the parameter is <literal>no</literal>, user namespacing is turned off. This is + the default.</para> + </listitem> + + <listitem><para>If the parameter is <literal>identity</literal>, user namespacing is employed with + an identity mapping for the first 65536 UIDs/GIDs. This is mostly equivalent to + <option>--private-users=0:65536</option>. While it does not provide UID/GID isolation, since all + host and container UIDs/GIDs are chosen identically it does provide process capability isolation, + and hence is often a good choice if proper user namespacing with distinct UID maps is not + appropriate.</para></listitem> + + <listitem><para>The special value <literal>pick</literal> turns on user namespacing. In this case + the UID/GID range is automatically chosen. As first step, the file owner UID/GID of the root + directory of the container's directory tree is read, and it is checked that no other container is + currently using it. If this check is successful, the UID/GID range determined this way is used, + similarly to the behavior if <literal>yes</literal> is specified. If the check is not successful + (and thus the UID/GID range indicated in the root directory's file owner is already used elsewhere) + a new – currently unused – UID/GID range of 65536 UIDs/GIDs is randomly chosen between the host + UID/GIDs of 524288 and 1878982656, always starting at a multiple of 65536, and, if possible, + consistently hashed from the machine name. This setting implies + <option>--private-users-ownership=auto</option> (see below), which possibly has the effect that the + files and directories in the container's directory tree will be owned by the appropriate users of + the range picked. Using this option makes user namespace behavior fully automatic. Note that the + first invocation of a previously unused container image might result in picking a new UID/GID range + for it, and thus in the (possibly expensive) file ownership adjustment operation. However, + subsequent invocations of the container will be cheap (unless of course the picked UID/GID range is + assigned to a different use by then).</para></listitem> + </orderedlist> + + <para>It is recommended to assign at least 65536 UIDs/GIDs to each container, so that the usable UID/GID range in the + container covers 16 bit. For best security, do not assign overlapping UID/GID ranges to multiple containers. It is + hence a good idea to use the upper 16 bit of the host 32-bit UIDs/GIDs as container identifier, while the lower 16 + bit encode the container UID/GID used. This is in fact the behavior enforced by the + <option>--private-users=pick</option> option.</para> + + <para>When user namespaces are used, the GID range assigned to each container is always chosen identical to the + UID range.</para> + + <para>In most cases, using <option>--private-users=pick</option> is the recommended option as it enhances + container security massively and operates fully automatically in most cases.</para> + + <para>Note that the picked UID/GID range is not written to <filename>/etc/passwd</filename> or + <filename>/etc/group</filename>. In fact, the allocation of the range is not stored persistently anywhere, + except in the file ownership of the files and directories of the container.</para> + + <para>Note that when user namespacing is used file ownership on disk reflects this, and all of the container's + files and directories are owned by the container's effective user and group IDs. This means that copying files + from and to the container image requires correction of the numeric UID/GID values, according to the UID/GID + shift applied.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--private-users-ownership=</option></term> + + <listitem><para>Controls how to adjust the container image's UIDs and GIDs to match the UID/GID range + chosen with <option>--private-users=</option>, see above. Takes one of <literal>off</literal> (to + leave the image as is), <literal>chown</literal> (to recursively <function>chown()</function> the + container's directory tree as needed), <literal>map</literal> (in order to use transparent ID mapping + mounts) or <literal>auto</literal> for automatically using <literal>map</literal> where available and + <literal>chown</literal> where not.</para> + + <para>If <literal>chown</literal> is selected, all files and directories in the container's directory + tree will be adjusted so that they are owned by the appropriate UIDs/GIDs selected for the container + (see above). This operation is potentially expensive, as it involves iterating through the full + directory tree of the container. Besides actual file ownership, file ACLs are adjusted as + well.</para> + + <para>Typically <literal>map</literal> is the best choice, since it transparently maps UIDs/GIDs in + memory as needed without modifying the image, and without requiring an expensive recursive adjustment + operation. However, it is not available for all file systems, currently.</para> + + <para>The <option>--private-users-ownership=auto</option> option is implied if + <option>--private-users=pick</option> is used. This option has no effect if user namespacing is not + used.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-U</option></term> + + <listitem><para>If the kernel supports the user namespaces feature, equivalent to + <option>--private-users=pick --private-users-ownership=auto</option>, otherwise equivalent to + <option>--private-users=no</option>.</para> + + <para>Note that <option>-U</option> is the default if the + <filename>systemd-nspawn@.service</filename> template unit file is used.</para> + + <para>Note: it is possible to undo the effect of <option>--private-users-ownership=chown</option> (or + <option>-U</option>) on the file system by redoing the operation with the first UID of 0:</para> + + <programlisting>systemd-nspawn … --private-users=0 --private-users-ownership=chown</programlisting> + </listitem> + </varlistentry> + + </variablelist> + + </refsect2><refsect2> + <title>Networking Options</title> + + <variablelist> + + <varlistentry> + <term><option>--private-network</option></term> + + <listitem><para>Disconnect networking of the container from + the host. This makes all network interfaces unavailable in the + container, with the exception of the loopback device and those + specified with <option>--network-interface=</option> and + configured with <option>--network-veth</option>. If this + option is specified, the <constant>CAP_NET_ADMIN</constant> capability will be + added to the set of capabilities the container retains. The + latter may be disabled by using <option>--drop-capability=</option>. + If this option is not specified (or implied by one of the options + listed below), the container will have full access to the host network. + </para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--network-interface=</option></term> + + <listitem><para>Assign the specified network interface to the container. This will remove the + specified interface from the calling namespace and place it in the container. When the container + terminates, it is moved back to the calling namespace. Note that + <option>--network-interface=</option> implies <option>--private-network</option>. This option may be + used more than once to add multiple network interfaces to the container.</para> + + <para>Note that any network interface specified this way must already exist at the time the container + is started. If the container shall be started automatically at boot via a + <filename>systemd-nspawn@.service</filename> unit file instance, it might hence make sense to add a + unit file drop-in to the service instance + (e.g. <filename>/etc/systemd/system/systemd-nspawn@foobar.service.d/50-network.conf</filename>) with + contents like the following:</para> + + <programlisting>[Unit] +Wants=sys-subsystem-net-devices-ens1.device +After=sys-subsystem-net-devices-ens1.device</programlisting> + + <para>This will make sure that activation of the container service will be delayed until the + <literal>ens1</literal> network interface has shown up. This is required since hardware probing is + fully asynchronous, and network interfaces might be discovered only later during the boot process, + after the container would normally be started without these explicit dependencies.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--network-macvlan=</option></term> + + <listitem><para>Create a <literal>macvlan</literal> interface of the specified Ethernet network + interface and add it to the container. A <literal>macvlan</literal> interface is a virtual interface + that adds a second MAC address to an existing physical Ethernet link. The interface in the container + will be named after the interface on the host, prefixed with <literal>mv-</literal>. Note that + <option>--network-macvlan=</option> implies <option>--private-network</option>. This option may be + used more than once to add multiple network interfaces to the container.</para> + + <para>As with <option>--network-interface=</option>, the underlying Ethernet network interface must + already exist at the time the container is started, and thus similar unit file drop-ins as described + above might be useful.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--network-ipvlan=</option></term> + + <listitem><para>Create an <literal>ipvlan</literal> interface of the specified Ethernet network + interface and add it to the container. An <literal>ipvlan</literal> interface is a virtual interface, + similar to a <literal>macvlan</literal> interface, which uses the same MAC address as the underlying + interface. The interface in the container will be named after the interface on the host, prefixed + with <literal>iv-</literal>. Note that <option>--network-ipvlan=</option> implies + <option>--private-network</option>. This option may be used more than once to add multiple network + interfaces to the container.</para> + + <para>As with <option>--network-interface=</option>, the underlying Ethernet network interface must + already exist at the time the container is started, and thus similar unit file drop-ins as described + above might be useful.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-n</option></term> + <term><option>--network-veth</option></term> + + <listitem><para>Create a virtual Ethernet link (<literal>veth</literal>) between host and container. The host + side of the Ethernet link will be available as a network interface named after the container's name (as + specified with <option>--machine=</option>), prefixed with <literal>ve-</literal>. The container side of the + Ethernet link will be named <literal>host0</literal>. The <option>--network-veth</option> option implies + <option>--private-network</option>.</para> + + <para>Note that + <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + includes by default a network file <filename>/usr/lib/systemd/network/80-container-ve.network</filename> + matching the host-side interfaces created this way, which contains settings to enable automatic address + provisioning on the created virtual link via DHCP, as well as automatic IP routing onto the host's external + network interfaces. It also contains <filename>/usr/lib/systemd/network/80-container-host0.network</filename> + matching the container-side interface created this way, containing settings to enable client side address + assignment via DHCP. In case <filename>systemd-networkd</filename> is running on both the host and inside the + container, automatic IP communication from the container to the host is thus available, with further + connectivity to the external network.</para> + + <para>Note that <option>--network-veth</option> is the default if the + <filename>systemd-nspawn@.service</filename> template unit file is used.</para> + + <para>Note that on Linux network interface names may have a length of 15 characters at maximum, while + container names may have a length up to 64 characters. As this option derives the host-side interface + name from the container name the name is possibly truncated. Thus, care needs to be taken to ensure + that interface names remain unique in this case, or even better container names are generally not + chosen longer than 12 characters, to avoid the truncation. If the name is truncated, + <command>systemd-nspawn</command> will automatically append a 4-digit hash value to the name to + reduce the chance of collisions. However, the hash algorithm is not collision-free. (See + <citerefentry><refentrytitle>systemd.net-naming-scheme</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for details on older naming algorithms for this interface). Alternatively, the + <option>--network-veth-extra=</option> option may be used, which allows free configuration of the + host-side interface name independently of the container name — but might require a bit more + additional configuration in case bridging in a fashion similar to <option>--network-bridge=</option> + is desired.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--network-veth-extra=</option></term> + + <listitem><para>Adds an additional virtual Ethernet link + between host and container. Takes a colon-separated pair of + host interface name and container interface name. The latter + may be omitted in which case the container and host sides will + be assigned the same name. This switch is independent of + <option>--network-veth</option>, and — in contrast — may be + used multiple times, and allows configuration of the network + interface names. Note that <option>--network-bridge=</option> + has no effect on interfaces created with + <option>--network-veth-extra=</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--network-bridge=</option></term> + + <listitem><para>Adds the host side of the Ethernet link created with <option>--network-veth</option> + to the specified Ethernet bridge interface. Expects a valid network interface name of a bridge device + as argument. Note that <option>--network-bridge=</option> implies <option>--network-veth</option>. If + this option is used, the host side of the Ethernet link will use the <literal>vb-</literal> prefix + instead of <literal>ve-</literal>. Regardless of the used naming prefix the same network interface + name length limits imposed by Linux apply, along with the complications this creates (for details see + above).</para> + + <para>As with <option>--network-interface=</option>, the underlying bridge network interface must + already exist at the time the container is started, and thus similar unit file drop-ins as described + above might be useful.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--network-zone=</option></term> + + <listitem><para>Creates a virtual Ethernet link (<literal>veth</literal>) to the container and adds it to an + automatically managed Ethernet bridge interface. The bridge interface is named after the passed argument, + prefixed with <literal>vz-</literal>. The bridge interface is automatically created when the first container + configured for its name is started, and is automatically removed when the last container configured for its + name exits. Hence, each bridge interface configured this way exists only as long as there's at least one + container referencing it running. This option is very similar to <option>--network-bridge=</option>, besides + this automatic creation/removal of the bridge device.</para> + + <para>This setting makes it easy to place multiple related containers on a common, virtual Ethernet-based + broadcast domain, here called a "zone". Each container may only be part of one zone, but each zone may contain + any number of containers. Each zone is referenced by its name. Names may be chosen freely (as long as they form + valid network interface names when prefixed with <literal>vz-</literal>), and it is sufficient to pass the same + name to the <option>--network-zone=</option> switch of the various concurrently running containers to join + them in one zone.</para> + + <para>Note that + <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + includes by default a network file <filename>/usr/lib/systemd/network/80-container-vz.network</filename> + matching the bridge interfaces created this way, which contains settings to enable automatic address + provisioning on the created virtual network via DHCP, as well as automatic IP routing onto the host's external + network interfaces. Using <option>--network-zone=</option> is hence in most cases fully automatic and + sufficient to connect multiple local containers in a joined broadcast domain to the host, with further + connectivity to the external network.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--network-namespace-path=</option></term> + + <listitem><para>Takes the path to a file representing a kernel + network namespace that the container shall run in. The specified path + should refer to a (possibly bind-mounted) network namespace file, as + exposed by the kernel below <filename>/proc/$PID/ns/net</filename>. + This makes the container enter the given network namespace. One of the + typical use cases is to give a network namespace under + <filename>/run/netns</filename> created by <citerefentry + project='man-pages'><refentrytitle>ip-netns</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + for example, <option>--network-namespace-path=/run/netns/foo</option>. + Note that this option cannot be used together with other + network-related options, such as <option>--private-network</option> + or <option>--network-interface=</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-p</option></term> + <term><option>--port=</option></term> + + <listitem><para>If private networking is enabled, maps an IP + port on the host onto an IP port on the container. Takes a + protocol specifier (either <literal>tcp</literal> or + <literal>udp</literal>), separated by a colon from a host port + number in the range 1 to 65535, separated by a colon from a + container port number in the range from 1 to 65535. The + protocol specifier and its separating colon may be omitted, in + which case <literal>tcp</literal> is assumed. The container + port number and its colon may be omitted, in which case the + same port as the host port is implied. This option is only + supported if private networking is used, such as with + <option>--network-veth</option>, <option>--network-zone=</option> + <option>--network-bridge=</option>.</para></listitem> + </varlistentry> + </variablelist> + + </refsect2><refsect2> + <title>Security Options</title> + + <variablelist> + <varlistentry> + <term><option>--capability=</option></term> + + <listitem><para>List one or more additional capabilities to grant the container. Takes a + comma-separated list of capability names, see <citerefentry + project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry> + for more information. Note that the following capabilities will be granted in any way: + <constant>CAP_AUDIT_CONTROL</constant>, <constant>CAP_AUDIT_WRITE</constant>, + <constant>CAP_CHOWN</constant>, <constant>CAP_DAC_OVERRIDE</constant>, + <constant>CAP_DAC_READ_SEARCH</constant>, <constant>CAP_FOWNER</constant>, + <constant>CAP_FSETID</constant>, <constant>CAP_IPC_OWNER</constant>, <constant>CAP_KILL</constant>, + <constant>CAP_LEASE</constant>, <constant>CAP_LINUX_IMMUTABLE</constant>, + <constant>CAP_MKNOD</constant>, <constant>CAP_NET_BIND_SERVICE</constant>, + <constant>CAP_NET_BROADCAST</constant>, <constant>CAP_NET_RAW</constant>, + <constant>CAP_SETFCAP</constant>, <constant>CAP_SETGID</constant>, <constant>CAP_SETPCAP</constant>, + <constant>CAP_SETUID</constant>, <constant>CAP_SYS_ADMIN</constant>, + <constant>CAP_SYS_BOOT</constant>, <constant>CAP_SYS_CHROOT</constant>, + <constant>CAP_SYS_NICE</constant>, <constant>CAP_SYS_PTRACE</constant>, + <constant>CAP_SYS_RESOURCE</constant>, <constant>CAP_SYS_TTY_CONFIG</constant>. Also + <constant>CAP_NET_ADMIN</constant> is retained if <option>--private-network</option> is specified. + If the special value <literal>all</literal> is passed, all capabilities are retained.</para> + + <para>If the special value of <literal>help</literal> is passed, the program will print known + capability names and exit.</para> + + <para>This option sets the bounding set of capabilities which + also limits the ambient capabilities as given with the + <option>--ambient-capability=</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--drop-capability=</option></term> + + <listitem><para>Specify one or more additional capabilities to + drop for the container. This allows running the container with + fewer capabilities than the default (see + above).</para> + + <para>If the special value of <literal>help</literal> is passed, the program will print known + capability names and exit.</para> + + <para>This option sets the bounding set of capabilities which + also limits the ambient capabilities as given with the + <option>--ambient-capability=</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--ambient-capability=</option></term> + + <listitem><para>Specify one or more additional capabilities to + pass in the inheritable and ambient set to the program started + within the container. The value <literal>all</literal> is not + supported for this setting.</para> + + <para>All capabilities specified here must be in the set + allowed with the <option>--capability=</option> and + <option>--drop-capability=</option> options. Otherwise, an + error message will be shown.</para> + + <para>This option cannot be combined with the boot mode of the + container (as requested via <option>--boot</option>).</para> + + <para>If the special value of <literal>help</literal> is + passed, the program will print known capability names and + exit.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--no-new-privileges=</option></term> + + <listitem><para>Takes a boolean argument. Specifies the value of the + <constant>PR_SET_NO_NEW_PRIVS</constant> flag for the container payload. Defaults to off. When turned + on the payload code of the container cannot acquire new privileges, i.e. the "setuid" file bit as + well as file system capabilities will not have an effect anymore. See <citerefentry + project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> for + details about this flag. </para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--system-call-filter=</option></term> <listitem><para>Alter the system call filter + applied to containers. Takes a space-separated list of system call names or group names (the latter + prefixed with <literal>@</literal>, as listed by the <command>syscall-filter</command> command of + <citerefentry><refentrytitle>systemd-analyze</refentrytitle><manvolnum>1</manvolnum></citerefentry>). Passed + system calls will be permitted. The list may optionally be prefixed by <literal>~</literal>, in which + case all listed system calls are prohibited. If this command line option is used multiple times the + configured lists are combined. If both a positive and a negative list (that is one system call list + without and one with the <literal>~</literal> prefix) are configured, the negative list takes + precedence over the positive list. Note that <command>systemd-nspawn</command> always implements a + system call allow list (as opposed to a deny list!), and this command line option hence adds or + removes entries from the default allow list, depending on the <literal>~</literal> prefix. Note that + the applied system call filter is also altered implicitly if additional capabilities are passed using + the <command>--capabilities=</command>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-Z</option></term> + <term><option>--selinux-context=</option></term> + + <listitem><para>Sets the SELinux security context to be used + to label processes in the container.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>-L</option></term> + <term><option>--selinux-apifs-context=</option></term> + + <listitem><para>Sets the SELinux security context to be used + to label files in the virtual API file systems in the + container.</para> + </listitem> + </varlistentry> + </variablelist> + + </refsect2><refsect2> + <title>Resource Options</title> + + <variablelist> + + <varlistentry> + <term><option>--rlimit=</option></term> + + <listitem><para>Sets the specified POSIX resource limit for the container payload. Expects an assignment of the + form + <literal><replaceable>LIMIT</replaceable>=<replaceable>SOFT</replaceable>:<replaceable>HARD</replaceable></literal> + or <literal><replaceable>LIMIT</replaceable>=<replaceable>VALUE</replaceable></literal>, where + <replaceable>LIMIT</replaceable> should refer to a resource limit type, such as + <constant>RLIMIT_NOFILE</constant> or <constant>RLIMIT_NICE</constant>. The <replaceable>SOFT</replaceable> and + <replaceable>HARD</replaceable> fields should refer to the numeric soft and hard resource limit values. If the + second form is used, <replaceable>VALUE</replaceable> may specify a value that is used both as soft and hard + limit. In place of a numeric value the special string <literal>infinity</literal> may be used to turn off + resource limiting for the specific type of resource. This command line option may be used multiple times to + control limits on multiple limit types. If used multiple times for the same limit type, the last use + wins. For details about resource limits see <citerefentry + project='man-pages'><refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum></citerefentry>. By default + resource limits for the container's init process (PID 1) are set to the same values the Linux kernel originally + passed to the host init system. Note that some resource limits are enforced on resources counted per user, in + particular <constant>RLIMIT_NPROC</constant>. This means that unless user namespacing is deployed + (i.e. <option>--private-users=</option> is used, see above), any limits set will be applied to the resource + usage of the same user on all local containers as well as the host. This means particular care needs to be + taken with these limits as they might be triggered by possibly less trusted code. Example: + <literal>--rlimit=RLIMIT_NOFILE=8192:16384</literal>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--oom-score-adjust=</option></term> + + <listitem><para>Changes the OOM ("Out Of Memory") score adjustment value for the container payload. This controls + <filename>/proc/self/oom_score_adj</filename> which influences the preference with which this container is + terminated when memory becomes scarce. For details see <citerefentry + project='man-pages'><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>. Takes an + integer in the range -1000…1000.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--cpu-affinity=</option></term> + + <listitem><para>Controls the CPU affinity of the container payload. Takes a comma separated list of CPU numbers + or number ranges (the latter's start and end value separated by dashes). See <citerefentry + project='man-pages'><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for + details.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--personality=</option></term> + + <listitem><para>Control the architecture ("personality") + reported by + <citerefentry project='man-pages'><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry> + in the container. Currently, only <literal>x86</literal> and + <literal>x86-64</literal> are supported. This is useful when + running a 32-bit container on a 64-bit host. If this setting + is not used, the personality reported in the container is the + same as the one reported on the host.</para></listitem> + </varlistentry> + </variablelist> + + </refsect2><refsect2> + <title>Integration Options</title> + + <variablelist> + <varlistentry> + <term><option>--resolv-conf=</option></term> + + <listitem><para>Configures how <filename>/etc/resolv.conf</filename> inside of the container shall be + handled (i.e. DNS configuration synchronization from host to container). Takes one of + <literal>off</literal>, <literal>copy-host</literal>, <literal>copy-static</literal>, + <literal>copy-uplink</literal>, <literal>copy-stub</literal>, <literal>replace-host</literal>, + <literal>replace-static</literal>, <literal>replace-uplink</literal>, + <literal>replace-stub</literal>, <literal>bind-host</literal>, <literal>bind-static</literal>, + <literal>bind-uplink</literal>, <literal>bind-stub</literal>, <literal>delete</literal> or + <literal>auto</literal>.</para> + + <para>If set to <literal>off</literal> the <filename>/etc/resolv.conf</filename> file in the + container is left as it is included in the image, and neither modified nor bind mounted over.</para> + + <para>If set to <literal>copy-host</literal>, the <filename>/etc/resolv.conf</filename> file from the + host is copied into the container, unless the file exists already and is not a regular file (e.g. a + symlink). Similarly, if <literal>replace-host</literal> is used the file is copied, replacing any + existing inode, including symlinks. Similarly, if <literal>bind-host</literal> is used, the file is + bind mounted from the host into the container.</para> + + <para>If set to <literal>copy-static</literal>, <literal>replace-static</literal> or + <literal>bind-static</literal> the static <filename>resolv.conf</filename> file supplied with + <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + (specifically: <filename>/usr/lib/systemd/resolv.conf</filename>) is copied or bind mounted into the + container.</para> + + <para>If set to <literal>copy-uplink</literal>, <literal>replace-uplink</literal> or + <literal>bind-uplink</literal> the uplink <filename>resolv.conf</filename> file managed by + <filename>systemd-resolved.service</filename> (specifically: + <filename>/run/systemd/resolve/resolv.conf</filename>) is copied or bind mounted into the + container.</para> + + <para>If set to <literal>copy-stub</literal>, <literal>replace-stub</literal> or + <literal>bind-stub</literal> the stub <filename>resolv.conf</filename> file managed by + <filename>systemd-resolved.service</filename> (specifically: + <filename>/run/systemd/resolve/stub-resolv.conf</filename>) is copied or bind mounted into the + container.</para> + + <para>If set to <literal>delete</literal> the <filename>/etc/resolv.conf</filename> file in the + container is deleted if it exists.</para> + + <para>Finally, if set to <literal>auto</literal> the file is left as it is if private networking is + turned on (see <option>--private-network</option>). Otherwise, if + <filename>systemd-resolved.service</filename> is running its stub <filename>resolv.conf</filename> + file is used, and if not the host's <filename>/etc/resolv.conf</filename> file. In the latter cases + the file is copied if the image is writable, and bind mounted otherwise.</para> + + <para>It's recommended to use <literal>copy-…</literal> or <literal>replace-…</literal> if the + container shall be able to make changes to the DNS configuration on its own, deviating from the + host's settings. Otherwise <literal>bind</literal> is preferable, as it means direct changes to + <filename>/etc/resolv.conf</filename> in the container are not allowed, as it is a read-only bind + mount (but note that if the container has enough privileges, it might simply go ahead and unmount the + bind mount anyway). Note that both if the file is bind mounted and if it is copied no further + propagation of configuration is generally done after the one-time early initialization (this is + because the file is usually updated through copying and renaming). Defaults to + <literal>auto</literal>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--timezone=</option></term> + + <listitem><para>Configures how <filename>/etc/localtime</filename> inside of the container + (i.e. local timezone synchronization from host to container) shall be handled. Takes one of + <literal>off</literal>, <literal>copy</literal>, <literal>bind</literal>, <literal>symlink</literal>, + <literal>delete</literal> or <literal>auto</literal>. If set to <literal>off</literal> the + <filename>/etc/localtime</filename> file in the container is left as it is included in the image, and + neither modified nor bind mounted over. If set to <literal>copy</literal> the + <filename>/etc/localtime</filename> file of the host is copied into the container. Similarly, if + <literal>bind</literal> is used, the file is bind mounted from the host into the container. If set to + <literal>symlink</literal>, a symlink is created pointing from <filename>/etc/localtime</filename> in + the container to the timezone file in the container that matches the timezone setting on the host. If + set to <literal>delete</literal>, the file in the container is deleted, should it exist. If set to + <literal>auto</literal> and the <filename>/etc/localtime</filename> file of the host is a symlink, + then <literal>symlink</literal> mode is used, and <literal>copy</literal> otherwise, except if the + image is read-only in which case <literal>bind</literal> is used instead. Defaults to + <literal>auto</literal>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--link-journal=</option></term> + + <listitem><para>Control whether the container's journal shall + be made visible to the host system. If enabled, allows viewing + the container's journal files from the host (but not vice + versa). Takes one of <literal>no</literal>, + <literal>host</literal>, <literal>try-host</literal>, + <literal>guest</literal>, <literal>try-guest</literal>, + <literal>auto</literal>. If <literal>no</literal>, the journal + is not linked. If <literal>host</literal>, the journal files + are stored on the host file system (beneath + <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) + and the subdirectory is bind-mounted into the container at the + same location. If <literal>guest</literal>, the journal files + are stored on the guest file system (beneath + <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>) + and the subdirectory is symlinked into the host at the same + location. <literal>try-host</literal> and + <literal>try-guest</literal> do the same but do not fail if + the host does not have persistent journaling enabled. If + <literal>auto</literal> (the default), and the right + subdirectory of <filename>/var/log/journal</filename> exists, + it will be bind mounted into the container. If the + subdirectory does not exist, no linking is performed. + Effectively, booting a container once with + <literal>guest</literal> or <literal>host</literal> will link + the journal persistently if further on the default of + <literal>auto</literal> is used.</para> + + <para>Note that <option>--link-journal=try-guest</option> is the default if the + <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-j</option></term> + + <listitem><para>Equivalent to + <option>--link-journal=try-guest</option>.</para></listitem> + </varlistentry> + + </variablelist> + + </refsect2><refsect2> + <title>Mount Options</title> + + <variablelist> + + <varlistentry> + <term><option>--bind=</option></term> + <term><option>--bind-ro=</option></term> + + <listitem><para>Bind mount a file or directory from the host into the container. Takes one of: a path + argument — in which case the specified path will be mounted from the host to the same path in the container, or + a colon-separated pair of paths — in which case the first specified path is the source in the host, and the + second path is the destination in the container, or a colon-separated triple of source path, destination path + and mount options. The source path may optionally be prefixed with a <literal>+</literal> character. If so, the + source path is taken relative to the image's root directory. This permits setting up bind mounts within the + container image. The source path may be specified as empty string, in which case a temporary directory below + the host's <filename>/var/tmp/</filename> directory is used. It is automatically removed when the container is + shut down. If the source path is not absolute, it is resolved relative to the current working directory. + The <option>--bind-ro=</option> option creates read-only bind mounts. Backslash escapes are interpreted, + so <literal>\:</literal> may be used to embed colons in either path. This option may be specified + multiple times for creating multiple independent bind mount points.</para> + + <para>Mount options are comma-separated. <option>rbind</option> and <option>norbind</option> control whether + to create a recursive or a regular bind mount. Defaults to "rbind". <option>noidmap</option>, + <option>idmap</option>, and <option>rootidmap</option> control ID mapping.</para> + + <para>Using <option>idmap</option> or <option>rootidmap</option> requires support by the source filesystem + for user/group ID mapped mounts. Defaults to "noidmap". With <option>x</option> being the container's UID range + offset, <option>y</option> being the length of the container's UID range, and <option>p</option> being the + owner UID of the bind mount source inode on the host: + + <itemizedlist> + <listitem><para>If <option>noidmap</option> is used, any user <option>z</option> in the range + <option>0 … y</option> seen from inside of the container is mapped to <option>x + z</option> in the + <option>x … x + y</option> range on the host. All host users outside of that range are mapped to + <option>nobody</option> inside the container.</para></listitem> + <listitem><para>If <option>idmap</option> is used, any user <option>z</option> in the UID range + <option>0 … y</option> as seen from inside the container is mapped to the same <option>z</option> + in the same <option>0 … y</option> range on the host. All host users outside of that range are + mapped to <option>nobody</option> inside the container.</para></listitem> + <listitem><para>If <option>rootidmap</option> is used, the user <option>0</option> seen from inside + of the container is mapped to <option>p</option> on the host. All host users outside of that range + are mapped to <option>nobody</option> inside the container.</para></listitem> + </itemizedlist></para> + + <para>Whichever ID mapping option is used, the same mapping will be used for users and groups IDs. If + <option>rootidmap</option> is used, the group owning the bind mounted directory will have no effect</para> + + <para>Note that when this option is used in combination with <option>--private-users</option>, the resulting + mount points will be owned by the <constant>nobody</constant> user. That's because the mount and its files and + directories continue to be owned by the relevant host users and groups, which do not exist in the container, + and thus show up under the wildcard UID 65534 (nobody). If such bind mounts are created, it is recommended to + make them read-only, using <option>--bind-ro=</option>. Alternatively you can use the "idmap" mount option to + map the filesystem IDs.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--bind-user=</option></term> + + <listitem><para>Binds the home directory of the specified user on the host into the container. Takes + the name of an existing user on the host as argument. May be used multiple times to bind multiple + users into the container. This does three things:</para> + + <orderedlist> + <listitem><para>The user's home directory is bind mounted from the host into + <filename>/run/host/home/</filename>.</para></listitem> + + <listitem><para>An additional UID/GID mapping is added that maps the host user's UID/GID to a + container UID/GID, allocated from the 60514…60577 range.</para></listitem> + + <listitem><para>A JSON user and group record is generated in <filename>/run/userdb/</filename> that + describes the mapped user. It contains a minimized representation of the host's user record, + adjusted to the UID/GID and home directory path assigned to the user in the container. The + <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> + glibc NSS module will pick up these records from there and make them available in the container's + user/group databases.</para></listitem> + </orderedlist> + + <para>The combination of the three operations above ensures that it is possible to log into the + container using the same account information as on the host. The user is only mapped transiently, + while the container is running, and the mapping itself does not result in persistent changes to the + container (except maybe for log messages generated at login time, and similar). Note that in + particular the UID/GID assignment in the container is not made persistently. If the user is mapped + transiently, it is best to not allow the user to make persistent changes to the container. If the + user leaves files or directories owned by the user, and those UIDs/GIDs are reused during later + container invocations (possibly with a different <option>--bind-user=</option> mapping), those files + and directories will be accessible to the "new" user.</para> + + <para>The user/group record mapping only works if the container contains systemd 249 or newer, with + <command>nss-systemd</command> properly configured in <filename>nsswitch.conf</filename>. See + <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> for + details.</para> + + <para>Note that the user record propagated from the host into the container will contain the UNIX + password hash of the user, so that seamless logins in the container are possible. If the container is + less trusted than the host it's hence important to use a strong UNIX password hash function + (e.g. yescrypt or similar, with the <literal>$y$</literal> hash prefix).</para> + + <para>When binding a user from the host into the container checks are executed to ensure that the + username is not yet known in the container. Moreover, it is checked that the UID/GID allocated for it + is not currently defined in the user/group databases of the container. Both checks directly access + the container's <filename>/etc/passwd</filename> and <filename>/etc/group</filename>, and thus might + not detect existing accounts in other databases.</para> + + <para>This operation is only supported in combination with + <option>--private-users=</option>/<option>-U</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--inaccessible=</option></term> + + <listitem><para>Make the specified path inaccessible in the container. This over-mounts the specified path + (which must exist in the container) with a file node of the same type that is empty and has the most + restrictive access mode supported. This is an effective way to mask files, directories and other file system + objects from the container payload. This option may be used more than once in case all specified paths are + masked.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--tmpfs=</option></term> + + <listitem><para>Mount a tmpfs file system into the container. Takes a single absolute path argument that + specifies where to mount the tmpfs instance to (in which case the directory access mode will be chosen as 0755, + owned by root/root), or optionally a colon-separated pair of path and mount option string that is used for + mounting (in which case the kernel default for access mode and owner will be chosen, unless otherwise + specified). Backslash escapes are interpreted in the path, so <literal>\:</literal> may be used to embed colons + in the path.</para> + + <para>Note that this option cannot be used to replace the root file system of the container with a temporary + file system. However, the <option>--volatile=</option> option described below provides similar + functionality, with a focus on implementing stateless operating system images.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--overlay=</option></term> + <term><option>--overlay-ro=</option></term> + + <listitem><para>Combine multiple directory trees into one overlay file system and mount it into the + container. Takes a list of colon-separated paths to the directory trees to combine and the + destination mount point.</para> + + <para>Backslash escapes are interpreted in the paths, so <literal>\:</literal> may be used to embed + colons in the paths.</para> + + <para>If three or more paths are specified, then the last specified path is the destination mount + point in the container, all paths specified before refer to directory trees on the host and are + combined in the specified order into one overlay file system. The left-most path is hence the lowest + directory tree, the second-to-last path the highest directory tree in the stacking order. If + <option>--overlay-ro=</option> is used instead of <option>--overlay=</option>, a read-only overlay + file system is created. If a writable overlay file system is created, all changes made to it are + written to the highest directory tree in the stacking order, i.e. the second-to-last specified. + </para> + + <para>If only two paths are specified, then the second specified path is used both as the top-level + directory tree in the stacking order as seen from the host, as well as the mount point for the + overlay file system in the container. At least two paths have to be specified.</para> + + <para>The source paths may optionally be prefixed with <literal>+</literal> character. If so they are + taken relative to the image's root directory. The uppermost source path may also be specified as an + empty string, in which case a temporary directory below the host's <filename>/var/tmp/</filename> is + used. The directory is removed automatically when the container is shut down. This behaviour is + useful in order to make read-only container directories writable while the container is running. For + example, use <literal>--overlay=+/var::/var</literal> in order to automatically overlay a writable + temporary directory on a read-only <filename>/var/</filename> directory. If a source path is not + absolute, it is resolved relative to the current working directory.</para> + + <para>For details about overlay file systems, see <ulink + url="https://docs.kernel.org/filesystems/overlayfs.html">Overlay Filesystem</ulink>. + Note that the semantics of overlay file systems are substantially different from normal file systems, + in particular regarding reported device and inode information. Device and inode information may + change for a file while it is being written to, and processes might see out-of-date versions of files + at times. Note that this switch automatically derives the <literal>workdir=</literal> mount option + for the overlay file system from the top-level directory tree, making it a sibling of it. It is hence + essential that the top-level directory tree is not a mount point itself (since the working directory + must be on the same file system as the top-most directory tree). Also note that the + <literal>lowerdir=</literal> mount option receives the paths to stack in the opposite order of this + switch.</para> + + <para>Note that this option cannot be used to replace the root file system of the container with an overlay + file system. However, the <option>--volatile=</option> option described above provides similar functionality, + with a focus on implementing stateless operating system images.</para></listitem> + </varlistentry> + </variablelist> + </refsect2> + + <refsect2> + <title>Input/Output Options</title> + + <variablelist> + <varlistentry> + <term><option>--console=</option><replaceable>MODE</replaceable></term> + + <listitem><para>Configures how to set up standard input, output and error output for the container + payload, as well as the <filename>/dev/console</filename> device for the container. Takes one of + <option>interactive</option>, <option>read-only</option>, <option>passive</option>, + <option>pipe</option> or <option>autopipe</option>. If <option>interactive</option>, a pseudo-TTY is + allocated and made available as <filename>/dev/console</filename> in the container. It is then + bi-directionally connected to the standard input and output passed to + <command>systemd-nspawn</command>. <option>read-only</option> is similar but only the output of the + container is propagated and no input from the caller is read. If <option>passive</option>, a pseudo + TTY is allocated, but it is not connected anywhere. In <option>pipe</option> mode no pseudo TTY is + allocated, but the standard input, output and error output file descriptors passed to + <command>systemd-nspawn</command> are passed on — as they are — to the container payload, see the + following paragraph. Finally, <option>autopipe</option> mode operates like + <option>interactive</option> when <command>systemd-nspawn</command> is invoked on a terminal, and + like <option>pipe</option> otherwise. Defaults to <option>interactive</option> if + <command>systemd-nspawn</command> is invoked from a terminal, and <option>read-only</option> + otherwise.</para> + + <para>In <option>pipe</option> mode, <filename>/dev/console</filename> will not exist in the + container. This means that the container payload generally cannot be a full init system as init + systems tend to require <filename>/dev/console</filename> to be available. On the other hand, in this + mode container invocations can be used within shell pipelines. This is because intermediary pseudo + TTYs do not permit independent bidirectional propagation of the end-of-file (EOF) condition, which is + necessary for shell pipelines to work correctly. <emphasis>Note that the <option>pipe</option> mode + should be used carefully</emphasis>, as passing arbitrary file descriptors to less trusted container + payloads might open up unwanted interfaces for access by the container payload. For example, if a + passed file descriptor refers to a TTY of some form, APIs such as <constant>TIOCSTI</constant> may be + used to synthesize input that might be used for escaping the container. Hence <option>pipe</option> + mode should only be used if the payload is sufficiently trusted or when the standard + input/output/error output file descriptors are known safe, for example pipes.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--pipe</option></term> + <term><option>-P</option></term> + + <listitem><para>Equivalent to <option>--console=pipe</option>.</para></listitem> + </varlistentry> + </variablelist> + + </refsect2> + <refsect2> + <title>Credentials</title> + + <variablelist> + <varlistentry> + <term><option>--load-credential=</option><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term> + <term><option>--set-credential=</option><replaceable>ID</replaceable>:<replaceable>VALUE</replaceable></term> + + <listitem><para>Pass a credential to the container. These two options correspond to the + <varname>LoadCredential=</varname> and <varname>SetCredential=</varname> settings in unit files. See + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for + details about these concepts, as well as the syntax of the option's arguments.</para> + + <para>Note: when <command>systemd-nspawn</command> runs as systemd system service it can propagate + the credentials it received via <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> + to the container payload. A systemd service manager running as PID 1 in the container can further + propagate them to the services it itself starts. It is thus possible to easily propagate credentials + from a parent service manager to a container manager service and from there into its payload. This + can even be done recursively.</para> + + <para>In order to embed binary data into the credential data for <option>--set-credential=</option>, + use C-style escaping (i.e. <literal>\n</literal> to embed a newline, or <literal>\x00</literal> to + embed a <constant>NUL</constant> byte). Note that the invoking shell might already apply unescaping + once, hence this might require double escaping!.</para> + + <para>The + <citerefentry><refentrytitle>systemd-sysusers.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + and + <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry> + services read credentials configured this way for the purpose of configuring the container's root + user's password and shell, as well as system locale, keymap and timezone during the first boot + process of the container. This is particularly useful in combination with + <option>--volatile=yes</option> where every single boot appears as first boot, since configuration + applied to <filename>/etc/</filename> is lost on container reboot cycles. See the respective man + pages for details. Example:</para> + + <programlisting># systemd-nspawn -i image.raw \ + --volatile=yes \ + --set-credential=firstboot.locale:de_DE.UTF-8 \ + --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' \ + -b</programlisting> + + <para>The above command line will invoke the specified image file <filename>image.raw</filename> in + volatile mode, i.e. with empty <filename>/etc/</filename> and <filename>/var/</filename>. The + container payload will recognize this as a first boot, and will invoke + <filename>systemd-firstboot.service</filename>, which then reads the two passed credentials to + configure the system's initial locale and root password.</para> + </listitem> + </varlistentry> + </variablelist> + + </refsect2><refsect2> + <title>Other</title> + + <variablelist> + <xi:include href="standard-options.xml" xpointer="no-pager" /> + <xi:include href="standard-options.xml" xpointer="help" /> + <xi:include href="standard-options.xml" xpointer="version" /> + </variablelist> + </refsect2> + </refsect1> + + <xi:include href="common-variables.xml" /> + + <refsect1> + <title>Examples</title> + + <example> + <title>Download a + <ulink url="https://getfedora.org">Fedora</ulink> image and start a shell in it</title> + + <programlisting># machinectl pull-raw --verify=no \ + https://download.fedoraproject.org/pub/fedora/linux/releases/&fedora_latest_version;/Cloud/x86_64/images/Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86_64.raw.xz \ + Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64 +# systemd-nspawn -M Fedora-Cloud-Base-&fedora_latest_version;-&fedora_cloud_release;.x86-64</programlisting> + + <para>This downloads an image using + <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> + and opens a shell in it.</para> + </example> + + <example> + <title>Build and boot a minimal Fedora distribution in a container</title> + + <programlisting># dnf -y --releasever=&fedora_latest_version; --installroot=/var/lib/machines/f&fedora_latest_version; \ + --repo=fedora --repo=updates --setopt=install_weak_deps=False install \ + passwd dnf fedora-release vim-minimal util-linux systemd systemd-networkd +# systemd-nspawn -bD /var/lib/machines/f&fedora_latest_version;</programlisting> + + <para>This installs a minimal Fedora distribution into the + directory <filename index="false">/var/lib/machines/f&fedora_latest_version;</filename> + and then boots that OS in a namespace container. Because the installation + is located underneath the standard <filename>/var/lib/machines/</filename> + directory, it is also possible to start the machine using + <command>systemd-nspawn -M f&fedora_latest_version;</command>.</para> + </example> + + <example> + <title>Spawn a shell in a container of a minimal Debian unstable distribution</title> + + <programlisting># debootstrap unstable ~/debian-tree/ +# systemd-nspawn -D ~/debian-tree/</programlisting> + + <para>This installs a minimal Debian unstable distribution into + the directory <filename>~/debian-tree/</filename> and then + spawns a shell from this image in a namespace container.</para> + + <para><command>debootstrap</command> supports + <ulink url="https://www.debian.org">Debian</ulink>, + <ulink url="https://www.ubuntu.com">Ubuntu</ulink>, + and <ulink url="https://www.tanglu.org">Tanglu</ulink> + out of the box, so the same command can be used to install any of those. For other + distributions from the Debian family, a mirror has to be specified, see + <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>. + </para> + </example> + + <example> + <title>Boot a minimal + <ulink url="https://www.archlinux.org">Arch Linux</ulink> distribution in a container</title> + + <programlisting># pacstrap -c ~/arch-tree/ base +# systemd-nspawn -bD ~/arch-tree/</programlisting> + + <para>This installs a minimal Arch Linux distribution into the + directory <filename>~/arch-tree/</filename> and then boots an OS + in a namespace container in it.</para> + </example> + + <example> + <title>Install the + <ulink url="https://software.opensuse.org/distributions/tumbleweed">OpenSUSE Tumbleweed</ulink> + rolling distribution</title> + + <programlisting># zypper --root=/var/lib/machines/tumbleweed ar -c \ + https://download.opensuse.org/tumbleweed/repo/oss tumbleweed +# zypper --root=/var/lib/machines/tumbleweed refresh +# zypper --root=/var/lib/machines/tumbleweed install --no-recommends \ + systemd shadow zypper openSUSE-release vim +# systemd-nspawn -M tumbleweed passwd root +# systemd-nspawn -M tumbleweed -b</programlisting> + </example> + + <example> + <title>Boot into an ephemeral snapshot of the host system</title> + + <programlisting># systemd-nspawn -D / -xb</programlisting> + + <para>This runs a copy of the host system in a snapshot which is removed immediately when the container + exits. All file system changes made during runtime will be lost on shutdown, hence.</para> + </example> + + <example> + <title>Run a container with SELinux sandbox security contexts</title> + + <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container +# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 \ + -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting> + </example> + + <example> + <title>Run a container with an OSTree deployment</title> + + <programlisting># systemd-nspawn -b -i ~/image.raw \ + --pivot-root=/ostree/deploy/$OS/deploy/$CHECKSUM:/sysroot \ + --bind=+/sysroot/ostree/deploy/$OS/var:/var</programlisting> + </example> + </refsect1> + + <refsect1> + <title>Exit status</title> + + <para>The exit code of the program executed in the container is + returned.</para> + </refsect1> + + <refsect1> + <title>See Also</title> + <para> + <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry project='mankier'><refentrytitle>zypper</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>, + <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> + </para> + </refsect1> + +</refentry> |