7732f92bad5f24a4bd03bb357af46da56b0ac94d |
|
03-Feb-2016 |
Lennart Poettering <lennart@poettering.net> |
nspawn: optionally run a stub init process as PID 1
This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1.
This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other
processes regarding reaping of unknown children or signal handling. |
5f932eb9af7a5e4723855bcd776c2acaa2a31932 |
|
03-Feb-2016 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new --chdir= switch
Fixes: #2192 |
cd72d2044ad28b475bf84a38ba6db45292467dd8 |
|
28-Jan-2016 |
Jan Engelhardt <jengelh@inai.de> |
doc: improved wording in some places
Avoid "mountpoint mounted" (word repetition),
"queriable" (no match in m-w.com and dict.cc). |
f6d6bad1461a8f545a80955fadd7ee0c10db15bb |
|
12-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new --network-veth-extra= switch for defining additional veth links
The new switch operates like --network-veth, but may be specified
multiple times (to define multiple link pairs) and allows flexible
definition of the interface names.
This is an independent reimplementation of #1678, but defines different
semantics, keeping the behaviour completely independent of
--network-veth. It also comes with full hook-up for .nspawn files, and
the matching documentation. |
a8eaaee72a2f06e0fb64fb71de3b71ecba31dafb |
|
06-Nov-2015 |
Jan Engelhardt <jengelh@inai.de> |
doc: correct orthography, word forms and missing/extraneous words |
b938cb902c3b5bca807a94b277672c64d6767886 |
|
06-Nov-2015 |
Jan Engelhardt <jengelh@inai.de> |
doc: correct punctuation and improve typography in documentation |
09c76ef618de6d3a095164910ec3c96ec89e4cbc |
|
24-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
man: let's enclose * in shell examples in ''
Technically, it's safer that way, since dnf is supposed to parse the
"*", not the shell. It doesn't really matter too much in real life (as
the expression is too complex), but let's better be safe than sorry, and
make sure people won't file bugs about this... |
b8b9d8f5e509c991692159fd1776f5b33507bb8c |
|
22-Oct-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: also add --enablerepo=updates to dnf invocation
Without the updates repo, we are installing packages from the time
that that version of Fedora was released. Normally, during the
lifetime of the release most packages are updated, so most of the
packages installed would be outdated, and the first update after
installation would update a massive set of packages. Avoid all this
by installing from the updates repo from the start. |
cf48ff5d2a067fdd98a90962ebc06e0e5ed09e55 |
|
22-Oct-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: remove --nogpg from dnf install command line
Keys for previous and future Fedora distributions were added
for the fedora-repos package recently:
https://bugzilla.redhat.com/show_bug.cgi?id=1246701.
There is no need to skip signature checking.
Also, update to the latest and greatest and remove unnecessary quotes. |
7757cfbecb6743887e6a611bd167f1cee21419db |
|
22-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
man: drop reference to yum from man pages
Apparently, yum is obsolete, and dnf is the new yum. Mention only dnf
hence, and don't mention yum anymore. |
4f76ef0423a30ee672891056aeb5df2422947e1d |
|
07-Sep-2015 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
man: typo fixes |
f757855e81fc0bc116de372220096e532afb5cb8 |
|
06-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new .nspawn files for container settings
.nspawn files are simple settings files that may accompany container
images and directories and contain settings otherwise passed on the
nspawn command line. This provides an efficient way to attach execution
data directly to containers. |
5e5bfa6e1c915e795dd99ab65275c4bf9af667ed |
|
29-Aug-2015 |
Eugene Yakubovich <eugene.yakubovich@coreos.com> |
nspawn: add (no)rbind option to --bind and --bind-ro
--bind and --bind-ro perform the bind mount
non-recursively. It is sometimes (often?) desirable
to do a recursive mount. This patch adds an optional
set of bind mount options in the form of:
--bind=src-path:dst-path:options
options are comma separated and currently only
"rbind" and "norbind" are allowed.
Default value is "rbind". |
2eadf91ca15a982adf71b86e6ee035ac368e74bc |
|
07-Aug-2015 |
Richard Maw <richard.maw@codethink.co.uk> |
man: Document \: escapes in nspawn's --overlay option |
8ef24e7a4f4b4d464b66fa7d3f0acaa88800d6cb |
|
07-Aug-2015 |
Richard Maw <richard.maw@codethink.co.uk> |
man: Document \: escapes in nspawn's --bind option |
ffcd3e89d55c870c94aa15ee94dab3e029a586cf |
|
07-Aug-2015 |
Richard Maw <richard.maw@codethink.co.uk> |
man: Document \: escapes in nspawn's --tmpfs option |
32b64cce23cd7fb35900a0613a1162e639f0c59c |
|
05-Aug-2015 |
Richard Maw <richard.maw@codethink.co.uk> |
man: point nspawn --machine to machinectl search-path
The --machine option used to describe searching for machines in
/var/lib/machines, which is not the whole story, so let's link to where
it's described in more detail. |
12b42c76672a66c2d4ea7212c14f8f1b5a62b78d |
|
18-Jun-2015 |
Tom Gundersen <teg@jklm.no> |
man: revert dynamic paths for split-usr setups
This did not really work out as we had hoped. Trying to do this upstream
introduced several problems that probably makes it better suited as a
downstream patch after all. At any rate, it is not releasable in the
current state, so we at least need to revert this before the release.
* by adjusting the path to binaries, but not do the same thing to the
search path we end up with inconsistent man-pages. Adjusting the search
path too would be quite messy, and it is not at all obvious that this is
worth the effort, but at any rate it would have to be done before we
could ship this.
* this means that distributed man-pages do not make sense as they depend
on config options, and for better or worse we are still distributing
man pages, so that is something that definitely needs sorting out before
we could ship with this patch.
* we have long held that split-usr is only minimally supported in order
to boot, and something we hope will eventually go away. So before we start
adding even more magic/effort in order to make this work nicely, we should
probably question if it makes sense at all. |
681eb9cf2b831293a4f3d4c48a748d2e4a25d69e |
|
28-May-2015 |
Filipe Brandenburger <filbranden@google.com> |
man: generate configured paths in manpages
In particular, use /lib/systemd instead of /usr/lib/systemd in distributions
like Debian which still have not adopted a /usr merge setup.
Use XML entities from man/custom-entities.ent to replace configured paths while
doing XSLT processing of the original XML files. There was precedent of some
files (such as systemd.generator.xml) which were already using this approach.
This addresses most of the (manual) fixes from this patch:
http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/patches/Fix-paths-in-man-pages.patch?h=experimental-220
The idea of using generic XML entities was presented here:
http://lists.freedesktop.org/archives/systemd-devel/2015-May/032240.html
This patch solves almost all the issues, with the exception of:
- Path to /bin/mount and /bin/umount.
- Generic statements about preference of /lib over /etc.
These will be handled separately by follow up patches.
Tested:
- With default configure settings, ran "make install" to two separate
directories and compared the output to confirm they matched exactly.
- Used a set of configure flags including $CONFFLAGS from Debian:
http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/rules
Installed the tree and confirmed the paths use /lib/systemd instead of
/usr/lib/systemd and that no other unexpected differences exist.
- Confirmed that `make distcheck` still passes. |
7c918141edad0063a82411e0f9637e72a8aba223 |
|
23-May-2015 |
Jonathan Boulle <jonathan.boulle@coreos.com> |
fix typos in systemd-nspawn man page |
03cfe0d51499e86b1573d121337594719d9f2012 |
|
21-May-2015 |
Lennart Poettering <lennart@poettering.net> |
nspawn: finish user namespace support |
5a8af538aee99741ab492506b4284fdd26b597d1 |
|
13-May-2015 |
Lennart Poettering <lennart@poettering.net> |
nspawn: rework custom mount point order, and add support for overlayfs
Previously all bind mount mounts were applied in the order specified,
followed by all tmpfs mounts in the order specified. This is
problematic, if bind mounts shall be placed within tmpfs mounts.
This patch hence reworks the custom mount point logic, and always applies
them in strict prefix-first order. This means the order of mounts
specified on the command line becomes irrelevant, the right operation
will always be executed.
While we are at it this commit also adds native support for overlayfs
mounts, as supported by recent kernels. |
ff9b60f38bf68eba4a47cabff14547d92e083214 |
|
11-May-2015 |
Torstein Husebø <torstein@huseboe.net> |
treewide: Correct typos and spell plural of bus consistent |
3fe22bb4b6b5faf27683ad2e231b5a69b6e63a9e |
|
06-May-2015 |
Lennart Poettering <lennart@poettering.net> |
man: document that nspawn -x, --template= and machinectl clone leave hostname and machine id unmodified |
7de7ee62c5628a3c9e116f14aca63a35d06f5331 |
|
06-May-2015 |
Lennart Poettering <lennart@poettering.net> |
man: nspawn is used in production these days, admit that
Previously, the man page suggested to only use nspawn for testing,
building, and debugging things. However, it is nowadays used in
production and used as building block for rocket, hence let's just admit
that it's pretty much production ready. |
64b282ef715bcc6f7896cc49a4a36db12ca35bbc |
|
27-Apr-2015 |
Lennart Poettering <lennart@poettering.net> |
man: document that nspawn's --bind= switch may be used multiple times |
3ba3a79df4ae094d1008c04a9af8d1ff970124c4 |
|
14-Mar-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: fix a bunch of links
All hail linkchecker! |
c6c8f6e218995852350e5e35c080dec788c42c3f |
|
25-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
nspawn: make kill signal to use for PID 1 configurable |
f36933fef605a7dccce8e3aecccff5152e522fa6 |
|
18-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add support for --property= to set scope properties
This is similar to systemd-run's --property= setting. |
798d3a524ea57aaf40cb53858aaa45ec702f012d |
|
04-Feb-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Reindent man pages to 2ch |
74a6d87d0cd1f2213869e168b6ca55eded6f4ae8 |
|
01-Feb-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: switch yum to dnf for Fedora
The dnf name is here to stay, we might as well adjust. |
e0ea94c1e2ab3930c85c6057189a2a829a13a800 |
|
22-Jan-2015 |
Lennart Poettering <lennart@poettering.net> |
man: document new download magic |
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91 |
|
20-Jan-2015 |
Tom Gundersen <teg@jklm.no> |
nspawn: add ipvlan support |
5f129649b97bdff2bffefcd9c773157843ede6f6 |
|
15-Jan-2015 |
Lennart Poettering <lennart@poettering.net> |
nspawn,machined: change default container image location from /var/lib/container to /var/lib/machines
Given that this is also the place to store raw disk images which are
very much bootable with qemu/kvm it sounds like a misnomer to call the
directory "container". Hence, let's change this sooner rather than
later, and use the generic name, in particular since we otherwise try to
use the generic "machine" preferably over the more specific "container"
or "vm". |
0dfaa0060711a8332c8eb9f1e10f48fe182d3650 |
|
13-Jan-2015 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add "-n" shortcut for "--network-veth"
Now that networkd's IP masquerading support means that running
containers with "--network-veth" will provide network access out of the
box for the container, let's add a shortcut "-n" for it, to make it
easily accessible. |
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7 |
|
13-Jan-2015 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new option "--port=" for exposing container ports on the local host
This exposes an IP port on the container as local port using DNAT. |
f131770b1465fbf423881f16ba85523a05f846fe |
|
31-Dec-2014 |
Veres Lajos <vlajos@gmail.com> |
tree-wide: spelling fixes
https://github.com/vlajos/misspell_fixer
https://github.com/torstehu/systemd/commit/b6fdeb618cf2f3ce1645b3315f15f482710c7ffa
Thanks to Torstein Husebo <torstein@huseboe.net>. |
667993e88eb7519c6674fe9a9e985619817465e0 |
|
12-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
man: fedora 21 has been released, suggest 21 as fedora version in example yum command line |
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47 |
|
12-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: when booting in ephemeral mode, append random token to machine name
Also, when booting up an ephemeral container of / use the system
hostname as default machine name.
This way specifying -M is unnecessary when booting up an ephemeral
container, while allowing any number of ephemeral containers to run from
the same tree. |
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16 |
|
12-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: beef up nspawn with some btrfs magic
This adds --template= to duplicate an OS tree as btrfs snapshot and run
it
This also adds --ephemeral or -x to create a snapshot of an OS tree and
boot that, removing it after exit. |
574edc90066c3faeadcf4666928ed9b0ac409c75 |
|
21-Nov-2014 |
Martin Pitt <martin.pitt@ubuntu.com> |
nspawn: Add try-{host,guest} journal link modes
--link-journal={host,guest} fail if the host does not have persistent
journalling enabled and /var/log/journal/ does not exist. Even worse, as there
is no stdout/err any more, there is no error message to point that out.
Introduce two new modes "try-host" and "try-guest" which don't fail in this
case, and instead just silently skip the guest journal setup.
Change -j to mean "try-guest" instead of "guest", and fix the wrong --help
output for it (it said "host" before).
Change systemd-nspawn@.service.in to use "try-guest" so that this unit works
with both persistent and non-persistent journals on the host without failing.
https://bugs.debian.org/770275 |
c45827d6e70baf6b683d7cafb13a9a6f02852731 |
|
21-Oct-2014 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
man: fix project reference for archlinux |
0b3b83e59b637660524e90a07f9ef691856b19bf |
|
21-Oct-2014 |
Lennart Poettering <lennart@poettering.net> |
man: move one more nspawn example into a proper <example> section |
1db8c66f2e500272cb5582f9087b8e2a123aee10 |
|
21-Oct-2014 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
man: use <example> instead of multiple <refsect1> for examples |
06b643e7f5a3b79005dd57497897ab7255fe3659 |
|
30-Aug-2014 |
Ruben Kerkhof <ruben@rubenkerkhof.com> |
Fix a few more typos |
5aded369782f28255bc6b494ca905d7acaea7a56 |
|
08-Jul-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: add a mapping for external manpages
It is annoying when we have dead links on fd.o.
Add project='man-pages|die-net|archlinux' to <citerefentry>-ies.
In generated html, add external links to
http://man7.org/linux/man-pages/man, http://linux.die.net/man/,
https://www.archlinux.org/.
By default, pages in sections 2 and 4 go to man7, since Michael
Kerrisk is the authoritative source on kernel related stuff.
The rest of links goes to linux.die.net, because they have the
manpages.
Except for the pacman stuff, since it seems to be only available from
archlinux.org.
Poor gummiboot gets no link, because gummiboot(8) ain't to be found
on the net. According to common wisdom, that would mean that it does
not exist. But I have seen Kay using it, so I know it does, and
deserves to be found. Can somebody be nice and put it up somewhere? |
108e8cd11e88bd4795a62bf335921d438592601c |
|
04-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
man: document nspawn's new --volatile switch |
5ae4d543cb9b45ad6c6b82b78da1d6abc2291cdb |
|
13-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
os-release: define /usr/lib/os-release as fallback for /etc/os-release
The file should have been in /usr/lib/ in the first place, since it
describes the OS container in /usr (and not the configuration in /etc),
hence, let's support os-release files in /usr/lib as fallback if no
version in /etc exists, following the usual override logic.
A prior commit already enabled tmpfiles to create /etc/os-release as a
symlink to /usr/lib/os-release should it be missing, thus providing nice
compatibility with applications only checking in /etc.
While it's probably a good idea if all apps check both locations via a
fallback logic, it is only necessary in the early boot process, as long
as the /etc/os-release symlink has not been restored, in case we boot
with an empty /etc. |
06c17c39a8345deef1ecff4dd5ef262f968c9be2 |
|
11-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new --tmpfs= option to mount a tmpfs on specific directories, such as /var |
b8bde11658366290521e3d03316378b482600323 |
|
08-May-2014 |
Jan Engelhardt <jengelh@inai.de> |
doc: comma placement corrections and word order
Set commas where there should be some.
Some improvements to word order. |
dca348bcbb462305864526c587495a14a76bfcde |
|
08-May-2014 |
Jan Engelhardt <jengelh@inai.de> |
doc: corrections to words and forms
This patch exchanges words which are inappropriate for a situation,
deletes duplicated words, and adds particles where needed. |
70a44afee385c4afadaab9a002b3f9dd44aedf4a |
|
06-May-2014 |
Jan Engelhardt <jengelh@inai.de> |
doc: typographical fine tuning |
1810e3dc6218afd69c469cfb816254730a0ef4e3 |
|
11-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
man: improve nspawn's --user= documentation |
1b9e5b126359a2a2ec37de1f94f046093abc74b8 |
|
10-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification |
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3 |
|
25-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new switch --network-macvlan= to add a macvlan device to the container |
dfdebb1b925332352966804303b2516a6506a429 |
|
21-Feb-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: xinclude --help/--version/--no-pager |
08af0da26935e827b58809ff1946e2f7d496e666 |
|
21-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: when adding a veth interface to a bridge, use the "vb-" rather than "ve-" interface name prefix
This way we can recognize the interfaces later on to apply different
host-side configuration to them. |
6afc95b73605833e6e966af1c466b5c08feb953f |
|
18-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new --personality= switch to make it easier to run 32bit containers on a 64bit host |
66f756d437658cc464bfb5647c97efd0cf77f933 |
|
18-Feb-2014 |
Jan Engelhardt <jengelh@inai.de> |
doc: resolve missing/extraneous words or inappropriate forms
Issues fixed:
* missing words required by grammar
* duplicated or extraneous words
* inappropriate forms (e.g. singular/plural), and declinations
* orthographic misspellings |
73e231abde39f22097df50542c745e01de879836 |
|
18-Feb-2014 |
Jan Engelhardt <jengelh@inai.de> |
doc: update punctuation
Resolve spotted issues related to missing or extraneous commas, dashes. |
ab046dde6f355f4a8b07ff6120a7ef51f5d49fc9 |
|
16-Feb-2014 |
Tom Gundersen <teg@jklm.no> |
nspawn: add new --network-bridge= switch
This adds the host side of the veth link to the given bridge.
Also refactor the creation of the veth interfaces a bit to set it up
from the host rather than the container. This simplifies the addition
to the bridge, but otherwise the behavior is unchanged. |
69c79d3c32ff4d6a572ee1cdec248b27df1fb6ca |
|
13-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new --network-veth switch to add a virtual ethernet link to the host |
a42c8b54b1619078c02f5e439bd2564c6d0f901f |
|
13-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: --private-network should imply CAP_NET_ADMIN |
aa28aefe61c5406c5cb631f3e82457b6d1bcc967 |
|
13-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new --network-interface= switch to move an existing interface into the container |
39ed67d14694983dabd6641c02216aa440eed767 |
|
13-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: introduce --capability=all for retaining all capabilities |
db999e0f923ca6c2c1b919d0f1c916472f209e62 |
|
12-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this |
89f7c8465cd1ab37347dd0c15920bce31e8225df |
|
11-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
machined: optionally, allow registration of pre-existing units (scopes
or services) as machine with machined |
eb91eb187b7491e05fb95215b77cb62061f41d08 |
|
11-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add --register=yes|no switch to optionally disable registration of the container with machined |
8a96d94e4c33173d1426b7e0a6325405804ba224 |
|
10-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing |
82adf6af7c72b852449346835f33184a841b4796 |
|
10-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn,man: use a common vocabulary when referring to selinux security contexts
Let's always call the security labels the same way:
SMACK: "Smack Label"
SELINUX: "SELinux Security Context"
And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly. |
ba978d7b325998709fb19d368d290fa1dff37699 |
|
07-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: rename --file-label to --apifs-label since it's really just about the API file systems, nothing else |
284c0b917697fb0271381f331ffee28403278e72 |
|
06-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add --quiet switch for turning off any output noise |
d002827b03d78e31503a6b706ad4b4049ebf9a07 |
|
04-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn: various fixes in selinux hookup
- As suggested, prefix argument variables with "arg_" how we do this
usually.
- As suggested, don't involve memory allocations when storing command
line arguments.
- Break --help text at 80 chars
- man: explain that this is about SELinux
- don't do unnecessary memory allocations when putting together mount
option string |
a8828ed93878b4b4866d40ebfb660e54995ff72e |
|
04-Feb-2014 |
Dan Walsh <dwalsh@redhat.com> |
Add SELinux support to systemd-nspawn
This patch adds two new options:
-Z PROCESS_LABEL
This specifies the process label to run on processes run within the container.
-L FILE_LABEL
The file label to assign to memory file systems created within the container.
For example, if you wanted to wrap a container with SELinux sandbox labels, you could execute a command line like the following:
chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh |
f4889f656b477887b02caa5e9d27387309c75a87 |
|
13-Dec-2013 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new --setenv= switch to set an environment variable for the container to spawn |
f9f4dd51bdb016bab84f7fb3cf47a2ad102b4c76 |
|
13-Dec-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: add another nspawn example
Taken from https://bugs.freedesktop.org/show_bug.cgi?id=68369. |
420c7379fb96a188459690a634d0fede55721183 |
|
20-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new --drop-capability= switch |
9cb74bcb23dde8488459ca233bf9caee642b8402 |
|
10-Nov-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man,units: fix installation of systemd-nspawn@.service and add example |
04d39279245834494baccfdb9349db8bf80abd13 |
|
31-Oct-2013 |
Lennart Poettering <lennart@poettering.net> |
machinectl: add new command to spawn a getty inside a container |
79640424059328268b9fb6c5fa8eb777b27a177e |
|
12-Sep-2013 |
Jan Engelhardt <jengelh@inai.de> |
man: wording and grammar updates
This is a recurring submission and includes corrections to various
issues spotted. I guess I can just skip over reporting ubiquitous
comma placement fixes…
Highlights in this particular commit:
- the "unsigned" type qualifier is completed to form a full type
"unsigned int"
- alphabetic -> lexicographic (that way we automatically define how
numbers get sorted) |
6b4991cfde6c0a0b62e836ca75ae362779c474d4 |
|
10-Sep-2013 |
Jan Engelhardt <jengelh@inai.de> |
man: wording and grammar updates
This includes regularly-submitted corrections to comma setting and
orthographical mishaps that appeared in man/ in recent commits.
In this particular commit:
- the usual comma fixes
- expand contractions (this is prose) |
04ac799283f517672a5424e7c5bf066cfa4ca020 |
|
19-Aug-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: fix spacing issue in systemd-nspawn(1)
Same as 1e158d273. |
431c72dc3d482732a01d3ab929aa9b2c36422d46 |
|
19-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
man: update systemd-nspawn regarding new --slice= logic |
e9dd9f9547350c7dc0473583b5c2228dc8f0ab76 |
|
03-Jul-2013 |
Jason St. John <jstjohn@purdue.edu> |
man: improve grammar and word formatting in numerous man pages
Use proper grammar, word usage, adjective hyphenation, commas,
capitalization, spelling, etc.
To improve readability, some run-on sentences or sentence fragments were
revised.
[zj: remove the space from 'file name', 'host name', and 'time zone'.] |
fb69ed55e5f8e82145440ba15075e8db807bf7fa |
|
22-Jun-2013 |
Michael Biebl <biebl@debian.org> |
man: Fix small typo |
77b6e19458f37cfde127ec6aa9494c0ac45ad890 |
|
10-May-2013 |
Lennart Poettering <lennart@poettering.net> |
audit: since audit is apparently never going to be fixed for containers tell the user what's going on
Let's try to be helpful to the user and give him a hint what he can do
to make nspawn work with normal OS containers.
https://bugzilla.redhat.com/show_bug.cgi?id=893751 |
2aba426ffb345408a461ed0ff6fba46e63ae625b |
|
09-May-2013 |
Lennart Poettering <lennart@poettering.net> |
man: document that the kernel's audit subsystem is currently incompatible with nspawn containers |
f8964235e69f58225dec378437b1789744cd22a9 |
|
06-May-2013 |
Lennart Poettering <lennart@poettering.net> |
nspawn: explain that we look for /etc/os-release in the container directory
https://bugs.freedesktop.org/show_bug.cgi?id=64014 |
845c53246f73a505f12bb7f685a530045fa60a40 |
|
03-May-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: add various filenames to the index
Everything which is an absolute filename marked with <filename></filename>
lands in the index, unless noindex= attribute is present. Should make
it easier for people to find stuff when they are looking at a file on
disk.
Various formatting errors in manpages are fixed, kernel-install(1) is
restored to formatting sanity. |
f03dc7c0c58c5cddb62dbd809c1f4ccad3c6e2b6 |
|
17-Apr-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: fix syntax in nsenter example
Apparently nsenter doesn't handle options concatenated together.
I'm pretty sure it worked at one point, but it seems like magic,
since each of those options can take arguments. |
7027ff61a34a12487712b382a061c654acc3a679 |
|
16-Apr-2013 |
Lennart Poettering <lennart@poettering.net> |
nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there
Containers will now carry a label (normally derived from the root
directory name, but configurable by the user), and the container's root
cgroup is /machine/<label>. This label is called "machine name", and can
cover both containers and VMs (as soon as libvirt also makes use of
/machine/).
libsystemd-login can be used to query the machine name from a process.
This patch also includes numerous clean-ups for the cgroup code. |
870c4365cf3d407270788abe14d216a636ecf6c3 |
|
28-Feb-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: document systemd-nspawn behaviour with -b
Cf. cb96a2c69 and 1ddf879a. |
17fe052346f1d905b5ce0f12123b5ce24e992c6b |
|
25-Feb-2013 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add --bind= and --bind-ro= to bind mount host paths into the container |
1ddf879acf388a4625150c3a97b76458f6d2a070 |
|
25-Feb-2013 |
Michal Schmidt <mschmidt@redhat.com> |
Revert "nspawn: catch config mistake of specifying -b and args"
This reverts commit cb96a2c69a312fb089fef4501650f4fc40a1420b.
It is not a mistake to pass args when -b is specified. They will simply
be passed on to the container's init.
The manpage needs fixing, that's true. |
cb96a2c69a312fb089fef4501650f4fc40a1420b |
|
24-Feb-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
nspawn: catch config mistake of specifying -b and args |
1fd961211df69ce672252d543bf4777738647048 |
|
14-Feb-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
nspawn: print PID and show how to enter the namespace
systemd-nspawn will now print the PID of the child.
An example showing how to enter the container is added
to the man page.
Support for nsenter without an explicit command was
added in https://github.com/karelzak/util-linux/commit/5758069
(post v2.22.2). So this example requires both a new kernel
and the latest util-linux. |
e670b166a08b7c1031a9e7d7675fa9a29c3e19c9 |
|
14-Feb-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
man: use <replaceable> in various places |
a7f5bb1eafadbb08c8528baae588bbe773a37e79 |
|
13-Feb-2013 |
William Giokas <1007380@gmail.com> |
man: Make options consistent
Option listings seemed to be pretty much random, some were short opt,
long opt, others were long opt, short opt. This just makes every option
with a short and long opt that I could find in the order short opt, long
opt, for formatting's sake. |
4d62fb4298a5904a53f484636c91540d08f68765 |
|
29-Jan-2013 |
Lennart Poettering <lennart@poettering.net> |
man: mention pacman at the top of the nspawn man page, too |
68562936c243a2e2190a7232c4805ffd094e9b3b |
|
28-Jan-2013 |
William Giokas <1007380@gmail.com> |
man: add Arch Linux entry to systemd-nspawn(5)
Archlinux has a similar tool to debootstrap in the arch-install-scripts
package that will install to a specified directory. This is generally
used for installation, so the -d flag must be passed to tell it to
install to a non-mountpoint directory. |
2b3987a863975f5a1fa1754725e3d07a5d4f6478 |
|
18-Jan-2013 |
Lennart Poettering <lennart@poettering.net> |
man: update suggested yum command line in nspawn(1) |
88d04e31ce0837ebf937ab46c3c39a0d93ab4c7c |
|
18-Jan-2013 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add audit caps to default set to keep
Due to the brokenness of much of the userspace audit code we cannot
really start too many systems without the audit caps set. To make nspawn
easier to use just add the audit caps by default.
To boot up containers successfully the kernel's auditing needs to be
turned off still (use "audit=0" on the kernel command line), but at
least no manual caps have to be passed anymore.
In the long run auditing will be fixed for containers and be virtualized
properly at which time it should be safe to enable these caps anyway. |
acbeb42770e1e99955ebc4464a0439cf741b3aeb |
|
11-Jan-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
nspawn: add --version |
bb31a4ac1997c189a344caf554f34c6aabc71aa7 |
|
26-Oct-2012 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
man: typo fixes
https://bugs.freedesktop.org/show_bug.cgi?id=55890
Fixed typos, serial comma, and removed "either" as there were more
than two options. Also did an extra rename of "system-shutdown"
to "systemd-shutdown" that was forgotten in commit
8bd3b8620c80d0f2383f2fb04315411fc8077ca1 |
27407a01c6c115ed09ad938ab95dcb56ab963ba9 |
|
02-Oct-2012 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
nspawn: use automatic cleanup and provide debug info
The documentation for --link-journal is also reworded. |
b2e6df73aa508cc09b1b536a2fb9f90f152b89fa |
|
02-Oct-2012 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
trivial: fix typo |
0cd1fd4369685b10953ada832a0b505f5732667d |
|
14-Sep-2012 |
Pierre Schmitz <pierre@archlinux.de> |
nspawn: Fix minor typo in man page |
d87be9b0af81a6e07d4fb3028e45c4409100dc26 |
|
06-Sep-2012 |
Lennart Poettering <lennart@poettering.net> |
nspawn: handle poweroff/reboot nicely in containers |
57fb9fb56db0584581ce33ee842dcbf5f1136856 |
|
19-Jul-2012 |
Lennart Poettering <lennart@poettering.net> |
nspawn: introduce new --link-journal= switch to link container journals into host |
9980033377c105d2cd6539c9d73ee61d4c2263b0 |
|
28-Jun-2012 |
Lennart Poettering <lennart@poettering.net> |
man: add various links from man pages to appropriate wiki pages |
5076f0ccfd36b67512d44fe355b80305ced7dcba |
|
28-Jun-2012 |
Lennart Poettering <lennart@poettering.net> |
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case |
bc2f673ec24b59948fcfc35b3077fda0314e69d8 |
|
25-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add --read-only switch |
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0 |
|
24-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
man: rework nspawn man page to suggest yum --installroot instead of mock |
144f0fc0c8a5e2f6b72179e2b5fb992474da24ad |
|
22-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add --uuid= switch to allow setting the machine id for the container |
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295 |
|
22-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add -b switch to automatically look for an init binary |
40c32a4ad488256e934ce9ecc05ebfac04851711 |
|
12-Apr-2012 |
Léo Gillot-Lamure <leo.gillot@navaati.net> |
One can specify in which cgroup hierarchies a systemd-nspawn container will appear |
5430f7f2bc7330f3088b894166bf3524a067e3d8 |
|
12-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
relicense to LGPLv2.1 (with exceptions)
We finally got the OK from all contributors with non-trivial commits to
relicense systemd from GPL2+ to LGPL2.1+.
Some udev bits continue to be GPL2+ for now, but we are looking into
relicensing them too, to allow free copy/paste of all code within
systemd.
The bits that used to be MIT continue to be MIT.
The big benefit of the relicensing is that closed source code may now
link against libsystemd-login.so and friends. |
e0d25329b23a43332ea340f9907721873a316f4e |
|
08-Feb-2012 |
Kay Sievers <kay.sievers@vrfy.org> |
move /usr/bin/systemd to /usr/lib/systemd/systemd |
ab1f063390f55e14a8de87f21c4fad199eb908a6 |
|
20-Aug-2011 |
Lennart Poettering <lennart@poettering.net> |
exec: optionally apply cgroup attributes to the cgroups we create |
ff01d048b4c1455241c894cf7982662c9d28fd34 |
|
02-Aug-2011 |
Lennart Poettering <lennart@poettering.net> |
exec: introduce PrivateNetwork= process option to turn off network access to specific services |
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16 |
|
02-Aug-2011 |
Lennart Poettering <lennart@poettering.net> |
man: nspawn fixes |
a41fe3a29372f8e6c4e7733bf85940a023811301 |
|
02-Aug-2011 |
Lennart Poettering <lennart@poettering.net> |
nspawn: add new --no-net switch to turn off networking in the container |
687d0825a4636b1841dc0c01fbcbf3160dddab74 |
|
01-Jul-2011 |
Michal Vyskocil <mvyskocil@suse.cz> |
nspawn: spawn shell under specified --user
Add -u/--user option, which changes the effective and real user and
group id to the new value. The user must exist in the chroot, otherwise
it will fail. Both username and user id are accepted. The user home is
created as well.
It also sets up HOME, USER, LOGNAME and SHELL variables. |
9f7dad774ebfad23269800b7096eaad087481deb |
|
20-Jun-2011 |
Ville Skyttä <ville.skytta@iki.fi> |
man: Documentation spelling fixes |
2b583ce6576d4a074ce6f1570b3e60b65c64ae7d |
|
28-Mar-2011 |
Kay Sievers <kay.sievers@vrfy.org> |
use /run instead of /dev/.run
Instead of the /dev/.run trick we have currently implemented, we decided
to move the early-boot runtime dir to /run.
An existing /var/run directory is bind-mounted to /run. If /var/run is
already a symlink, no action is taken.
An existing /var/lock directory is bind-mounted to /run/lock.
If /var/lock is already a symlink, no action is taken.
To implement the directory vs. symlink logic, we have a:
ConditionPathIsDirectory=
now, which is used in the mount units.
Skipped mount unit in case of symlink:
$ systemctl status var-run.mount
var-run.mount - Runtime Directory
Loaded: loaded (/lib/systemd/system/var-run.mount)
Active: inactive (dead)
start condition failed at Fri, 25 Mar 2011 04:51:41 +0100; 6min ago
Where: /var/run
What: /run
CGroup: name=systemd:/system/var-run.mount
The systemd rpm needs to make sure to add something like:
%pre
mkdir -p -m0755 /run >/dev/null 2>&1 || :
or it needs to be added to filesystem.rpm.
Udev -git already uses /run if that exists, and is writable at bootup.
Otherwise it falls back to the current /dev/.udev.
Dracut and plymouth need to be adapted to switch from /dev/.run to run
too.
Cheers,
Kay |
8f7a3c1402a8de36b2c63935358a53510d2fe7c1 |
|
15-Mar-2011 |
Lennart Poettering <lennart@poettering.net> |
man: document systemd-nspawn |