systemd-nspawn.xml revision 68562936c243a2e2190a7232c4805ffd094e9b3b
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering<?xml version='1.0'?> <!--*-nxml-*-->
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering<!--
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering This file is part of systemd.
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering Copyright 2010 Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering systemd is free software; you can redistribute it and/or modify it
5430f7f2bc7330f3088b894166bf3524a067e3d8Lennart Poettering under the terms of the GNU Lesser General Public License as published by
5430f7f2bc7330f3088b894166bf3524a067e3d8Lennart Poettering the Free Software Foundation; either version 2.1 of the License, or
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering (at your option) any later version.
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering systemd is distributed in the hope that it will be useful, but
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering WITHOUT ANY WARRANTY; without even the implied warranty of
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2bc7330f3088b894166bf3524a067e3d8Lennart Poettering Lesser General Public License for more details.
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
5430f7f2bc7330f3088b894166bf3524a067e3d8Lennart Poettering You should have received a copy of the GNU Lesser General Public License
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering along with systemd; If not, see <http://www.gnu.org/licenses/>.
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering-->
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering<refentry id="systemd-nspawn">
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refentryinfo>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>systemd-nspawn</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <productname>systemd</productname>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <authorgroup>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <author>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <contrib>Developer</contrib>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <firstname>Lennart</firstname>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <surname>Poettering</surname>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <email>lennart@poettering.net</email>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </author>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </authorgroup>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refentryinfo>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refmeta>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refentrytitle>systemd-nspawn</refentrytitle>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <manvolnum>1</manvolnum>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refmeta>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refnamediv>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refname>systemd-nspawn</refname>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refnamediv>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsynopsisdiv>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <cmdsynopsis>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <command>systemd-nspawn <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">COMMAND</arg> <arg choice="opt" rep="repeat">ARGS</arg></command>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </cmdsynopsis>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsynopsisdiv>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>Description</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para><command>systemd-nspawn</command> may be used to
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering run a command or OS in a light-weight namespace
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering container. In many ways it is similar to
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering but more powerful since it fully virtualizes the file
9f7dad774ebfad23269800b7096eaad087481debVille Skyttä system hierarchy, as well as the process tree, the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering various IPC subsystems and the host and domain
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering name.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para><command>systemd-nspawn</command> limits access
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering to various kernel interfaces in the container to
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering read-only, such as <filename>/sys</filename>,
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <filename>/proc/sys</filename> or
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering <filename>/sys/fs/selinux</filename>. Network
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering interfaces and the system clock may not be changed
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering from within the container. Device nodes may not be
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering created. The host system cannot be rebooted and kernel
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering modules may not be loaded from within the
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering container.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>Note that even though these security precautions
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering are taken, <command>systemd-nspawn</command> is not
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering suitable for secure container setups. Many of the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering security features may be circumvented and are hence
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering primarily useful to avoid accidental changes to the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering host system from the container. The intended use of
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering this program is debugging and testing as well as
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering building of packages, distributions and software
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering involved with boot and systems management.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>In contrast to
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <command>systemd-nspawn</command> may be used to boot
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering full Linux-based operating systems in a
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering container.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>Use a tool like
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering or
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering to set up an OS directory tree suitable as file system
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering hierarchy for <command>systemd-nspawn</command>
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering containers.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>Note that <command>systemd-nspawn</command> will
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering mount file systems private to the container to
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <filename>/dev</filename>,
2b583ce6576d4a074ce6f1570b3e60b65c64ae7dKay Sievers <filename>/run</filename> and similar. These will
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering not be visible outside of the container, and their
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering contents will be lost when the container exits.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>Note that running two
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <command>systemd-nspawn</command> containers from the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering same directory tree will not make processes in them
9f7dad774ebfad23269800b7096eaad087481debVille Skyttä see each other. The PID namespace separation of the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering two containers is complete and the containers will
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering share very few runtime objects except for the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering underlying file system.</para>
9980033377c105d2cd6539c9d73ee61d4c2263b0Lennart Poettering
9980033377c105d2cd6539c9d73ee61d4c2263b0Lennart Poettering <para><command>systemd-nspawn</command> implements the
9980033377c105d2cd6539c9d73ee61d4c2263b0Lennart Poettering <ulink
9980033377c105d2cd6539c9d73ee61d4c2263b0Lennart Poettering url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
9980033377c105d2cd6539c9d73ee61d4c2263b0Lennart Poettering Interface</ulink> specification.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>Options</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>If no arguments are passed, the container is set
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering up and a shell is started in it; otherwise the passed
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering command and arguments are executed in it. The
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering following options are understood:</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <variablelist>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <varlistentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <term><option>--help</option></term>
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering <term><option>-h</option></term>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <listitem><para>Prints a short help
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering text and exits.</para></listitem>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </varlistentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
acbeb42770e1e99955ebc4464a0439cf741b3aebZbigniew Jędrzejewski-Szmek <varlistentry>
acbeb42770e1e99955ebc4464a0439cf741b3aebZbigniew Jędrzejewski-Szmek <term><option>--version</option></term>
acbeb42770e1e99955ebc4464a0439cf741b3aebZbigniew Jędrzejewski-Szmek
acbeb42770e1e99955ebc4464a0439cf741b3aebZbigniew Jędrzejewski-Szmek <listitem><para>Prints a version string
acbeb42770e1e99955ebc4464a0439cf741b3aebZbigniew Jędrzejewski-Szmek and exits.</para></listitem>
acbeb42770e1e99955ebc4464a0439cf741b3aebZbigniew Jędrzejewski-Szmek </varlistentry>
acbeb42770e1e99955ebc4464a0439cf741b3aebZbigniew Jędrzejewski-Szmek
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <varlistentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <term><option>--directory=</option></term>
ab1f063390f55e14a8de87f21c4fad199eb908a6Lennart Poettering <term><option>-D</option></term>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <listitem><para>Directory to use as
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering file system root for the namespace
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering container. If omitted the current
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering directory will be
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering used.</para></listitem>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </varlistentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering <varlistentry>
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering <term><option>--boot</option></term>
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering <term><option>-b</option></term>
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering <listitem><para>Automatically search
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering for an init binary and invoke it
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering instead of a shell or a user supplied
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering program.</para></listitem>
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering </varlistentry>
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil <varlistentry>
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil <term><option>--user=</option></term>
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering <term><option>-u</option></term>
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil <listitem><para>Run the command
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil under the specified user, create its home
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil directory and change into it. As with the rest
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil of systemd-nspawn, this is not
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil a security feature and protects
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil against accidental changes only.
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil </para></listitem>
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil </varlistentry>
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering <varlistentry>
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering <term><option>--uuid=</option></term>
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering <listitem><para>Set the specified UUID
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering for the container. The init system
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering will initialize
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering <filename>/etc/machine-id</filename>
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering from it if that file has not been set up yet.
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering </para></listitem>
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering </varlistentry>
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering
40c32a4ad488256e934ce9ecc05ebfac04851711Léo Gillot-Lamure <varlistentry>
40c32a4ad488256e934ce9ecc05ebfac04851711Léo Gillot-Lamure <term><option>--controllers=</option></term>
40c32a4ad488256e934ce9ecc05ebfac04851711Léo Gillot-Lamure <term><option>-C</option></term>
40c32a4ad488256e934ce9ecc05ebfac04851711Léo Gillot-Lamure
40c32a4ad488256e934ce9ecc05ebfac04851711Léo Gillot-Lamure <listitem><para>Makes the container appear in
0cd1fd4369685b10953ada832a0b505f5732667dPierre Schmitz other hierarchies than the name=systemd:/ one.
40c32a4ad488256e934ce9ecc05ebfac04851711Léo Gillot-Lamure Takes a comma-separated list of controllers.
40c32a4ad488256e934ce9ecc05ebfac04851711Léo Gillot-Lamure </para></listitem>
40c32a4ad488256e934ce9ecc05ebfac04851711Léo Gillot-Lamure </varlistentry>
40c32a4ad488256e934ce9ecc05ebfac04851711Léo Gillot-Lamure
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering <varlistentry>
ff01d048b4c1455241c894cf7982662c9d28fd34Lennart Poettering <term><option>--private-network</option></term>
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering <listitem><para>Turn off networking in
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering the container. This makes all network
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering interfaces unavailable in the
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering container, with the exception of the
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering loopback device.</para></listitem>
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering </varlistentry>
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering <varlistentry>
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering <term><option>--read-only</option></term>
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering <listitem><para>Mount the root file
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering system read only for the
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering container.</para></listitem>
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering </varlistentry>
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering <varlistentry>
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering <term><option>--capability=</option></term>
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering <listitem><para>List one or more
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering additional capabilities to grant the
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering container. Takes a comma separated
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering list of capability names, see
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering for more information. Note that the
88d04e31ce0837ebf937ab46c3c39a0d93ab4c7cLennart Poettering following capabilities are always granted,
88d04e31ce0837ebf937ab46c3c39a0d93ab4c7cLennart Poettering regardless of this option: CAP_CHOWN,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_KILL, CAP_LEASE,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_LINUX_IMMUTABLE,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_NET_BIND_SERVICE,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_NET_BROADCAST, CAP_NET_RAW,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_SETUID, CAP_SYS_ADMIN,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_SYS_CHROOT, CAP_SYS_NICE,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
88d04e31ce0837ebf937ab46c3c39a0d93ab4c7cLennart Poettering CAP_SYS_RESOURCE, CAP_SYS_BOOT,
88d04e31ce0837ebf937ab46c3c39a0d93ab4c7cLennart Poettering CAP_AUDIT_WRITE,
88d04e31ce0837ebf937ab46c3c39a0d93ab4c7cLennart Poettering CAP_AUDIT_CONTROL.</para></listitem>
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering </varlistentry>
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <varlistentry>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <term><option>--link-journal=</option></term>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <listitem><para>Control whether the
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering container's journal shall be made
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering visible to the host system. If enabled,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering this allows viewing the container's journal
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering files from the host (but not vice
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering versa). Takes one of
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>no</literal>,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>host</literal>,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>guest</literal>,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>auto</literal>. If
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek <literal>no</literal>, the journal is
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek not linked. If <literal>host</literal>,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering the journal files are stored on the
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek host file system (beneath
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek <filename>/var/log/journal/&lt;machine-id&gt;</filename>)
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek and the subdirectory is bind-mounted
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering into the container at the same
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek location. If <literal>guest</literal>,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering the journal files are stored on the
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek guest file system (beneath
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek <filename>/var/log/journal/&lt;machine-id&gt;</filename>)
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek and the subdirectory is symlinked into the host
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering at the same location. If
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek <literal>auto</literal> (the default),
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek and the corresponding subdirectory of
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <filename>/var/log/journal</filename>
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek exists, it will be bind mounted
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek into the container. If the
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek subdirectory doesn't exist, no
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek linking is performed. Effectively,
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek booting a container once with
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>guest</literal> or
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>host</literal> will link the
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek journal persistently if further on
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering the default of <literal>auto</literal>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering is used.</para></listitem>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering </varlistentry>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <varlistentry>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <term><option>-j</option></term>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <listitem><para>Equivalent to
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <option>--link-journal=guest</option>.</para></listitem>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering </varlistentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </variablelist>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>Example 1</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
2b3987a863975f5a1fa1754725e3d07a5d4f6478Lennart Poettering <programlisting># yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
2b3987a863975f5a1fa1754725e3d07a5d4f6478Lennart Poettering# systemd-nspawn -bD /srv/mycontainer</programlisting>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering <para>This installs a minimal Fedora distribution into
2b3987a863975f5a1fa1754725e3d07a5d4f6478Lennart Poettering the directory <filename>/srv/mycontainer/</filename> and
2b3987a863975f5a1fa1754725e3d07a5d4f6478Lennart Poettering then boots an OS in a namespace container in
2b3987a863975f5a1fa1754725e3d07a5d4f6478Lennart Poettering it.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>Example 2</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering# systemd-nspawn -D ~/debian-tree/</programlisting>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering <para>This installs a minimal Debian unstable
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering distribution into the directory
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering <filename>~/debian-tree/</filename> and then spawns a
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering shell in a namespace container in it.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas <refsect1>
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas <title>Example 3</title>
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas <programlisting># pacstrap -c -d ~/arch-tree/ base
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas# systemd-nspawn -bD ~/arch-tree/</programlisting>
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas <para>This installs a minimal Arch Linux distribution into
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas the directory <filename>~/arch-tree/</filename> and then
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas boots an OS in a namespace container in it.</para>
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas </refsect1>
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>Exit status</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>The exit code of the program executed in the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering container is returned.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>See Also</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering</refentry>