8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering<?xml version='1.0'?> <!--*-nxml-*-->
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering<!--
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering This file is part of systemd.
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering Copyright 2010 Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering systemd is free software; you can redistribute it and/or modify it
5430f7f2bc7330f3088b894166bf3524a067e3d8Lennart Poettering under the terms of the GNU Lesser General Public License as published by
5430f7f2bc7330f3088b894166bf3524a067e3d8Lennart Poettering the Free Software Foundation; either version 2.1 of the License, or
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering (at your option) any later version.
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering systemd is distributed in the hope that it will be useful, but
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering WITHOUT ANY WARRANTY; without even the implied warranty of
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2bc7330f3088b894166bf3524a067e3d8Lennart Poettering Lesser General Public License for more details.
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
5430f7f2bc7330f3088b894166bf3524a067e3d8Lennart Poettering You should have received a copy of the GNU Lesser General Public License
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering along with systemd; If not, see <http://www.gnu.org/licenses/>.
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering-->
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek<refentry id="systemd-nspawn"
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek xmlns:xi="http://www.w3.org/2001/XInclude">
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refentryinfo>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>systemd-nspawn</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <productname>systemd</productname>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <authorgroup>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <author>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <contrib>Developer</contrib>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <firstname>Lennart</firstname>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <surname>Poettering</surname>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <email>lennart@poettering.net</email>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </author>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </authorgroup>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refentryinfo>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refmeta>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refentrytitle>systemd-nspawn</refentrytitle>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <manvolnum>1</manvolnum>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refmeta>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refnamediv>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refname>systemd-nspawn</refname>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refpurpose>Spawn a namespace container for debugging, testing and building</refpurpose>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refnamediv>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsynopsisdiv>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <cmdsynopsis>
1fd961211df69ce672252d543bf4777738647048Zbigniew Jędrzejewski-Szmek <command>systemd-nspawn</command>
1fd961211df69ce672252d543bf4777738647048Zbigniew Jędrzejewski-Szmek <arg choice="opt" rep="repeat">OPTIONS</arg>
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek <arg choice="opt"><replaceable>COMMAND</replaceable>
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek <arg choice="opt" rep="repeat">ARGS</arg>
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek </arg>
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek </cmdsynopsis>
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek <cmdsynopsis>
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek <command>systemd-nspawn</command>
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek <arg choice="plain">-b</arg>
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek <arg choice="opt" rep="repeat">OPTIONS</arg>
1fd961211df69ce672252d543bf4777738647048Zbigniew Jędrzejewski-Szmek <arg choice="opt" rep="repeat">ARGS</arg>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </cmdsynopsis>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsynopsisdiv>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>Description</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para><command>systemd-nspawn</command> may be used to
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering run a command or OS in a light-weight namespace
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering container. In many ways it is similar to
5aded369782f28255bc6b494ca905d7acaea7a56Zbigniew Jędrzejewski-Szmek <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering but more powerful since it fully virtualizes the file
9f7dad774ebfad23269800b7096eaad087481debVille Skyttä system hierarchy, as well as the process tree, the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering various IPC subsystems and the host and domain
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering name.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para><command>systemd-nspawn</command> limits access
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering to various kernel interfaces in the container to
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering read-only, such as <filename>/sys</filename>,
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <filename>/proc/sys</filename> or
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering <filename>/sys/fs/selinux</filename>. Network
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering interfaces and the system clock may not be changed
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering from within the container. Device nodes may not be
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering created. The host system cannot be rebooted and kernel
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering modules may not be loaded from within the
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering container.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>Note that even though these security precautions
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering are taken, <command>systemd-nspawn</command> is not
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering suitable for secure container setups. Many of the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering security features may be circumvented from within the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering container and are hence primarily useful to avoid accidental
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering changes to the host system from the container. The intended use of
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering this program is debugging and testing as well as
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering building of packages, distributions and software
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering involved with boot and systems management.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>In contrast to
5aded369782f28255bc6b494ca905d7acaea7a56Zbigniew Jędrzejewski-Szmek <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <command>systemd-nspawn</command>
04ac799283f517672a5424e7c5bf066cfa4ca020Zbigniew Jędrzejewski-Szmek may be used to boot full Linux-based operating systems
04ac799283f517672a5424e7c5bf066cfa4ca020Zbigniew Jędrzejewski-Szmek in a container.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>Use a tool like
5aded369782f28255bc6b494ca905d7acaea7a56Zbigniew Jędrzejewski-Szmek <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
5aded369782f28255bc6b494ca905d7acaea7a56Zbigniew Jędrzejewski-Szmek <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
4d62fb4298a5904a53f484636c91540d08f68765Lennart Poettering or
c45827d6e70baf6b683d7cafb13a9a6f02852731Ronny Chevalier <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering to set up an OS directory tree suitable as file system
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering hierarchy for <command>systemd-nspawn</command>
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering containers.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>Note that <command>systemd-nspawn</command> will
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering mount file systems private to the container to
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <filename>/dev</filename>,
2b583ce6576d4a074ce6f1570b3e60b65c64ae7dKay Sievers <filename>/run</filename> and similar. These will
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering not be visible outside of the container, and their
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering contents will be lost when the container exits.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>Note that running two
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <command>systemd-nspawn</command> containers from the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering same directory tree will not make processes in them
9f7dad774ebfad23269800b7096eaad087481debVille Skyttä see each other. The PID namespace separation of the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering two containers is complete and the containers will
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering share very few runtime objects except for the
04d39279245834494baccfdb9349db8bf80abd13Lennart Poettering underlying file system. Use
04d39279245834494baccfdb9349db8bf80abd13Lennart Poettering <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
04d39279245834494baccfdb9349db8bf80abd13Lennart Poettering <command>login</command> command to request an
04d39279245834494baccfdb9349db8bf80abd13Lennart Poettering additional login prompt in a running container.</para>
9980033377c105d2cd6539c9d73ee61d4c2263b0Lennart Poettering
9980033377c105d2cd6539c9d73ee61d4c2263b0Lennart Poettering <para><command>systemd-nspawn</command> implements the
9980033377c105d2cd6539c9d73ee61d4c2263b0Lennart Poettering <ulink
9980033377c105d2cd6539c9d73ee61d4c2263b0Lennart Poettering url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
9980033377c105d2cd6539c9d73ee61d4c2263b0Lennart Poettering Interface</ulink> specification.</para>
f8964235e69f58225dec378437b1789744cd22a9Lennart Poettering
f8964235e69f58225dec378437b1789744cd22a9Lennart Poettering <para>As a safety check,
f8964235e69f58225dec378437b1789744cd22a9Lennart Poettering <command>systemd-nspawn</command> will verify the
5ae4d543cb9b45ad6c6b82b78da1d6abc2291cdbLennart Poettering existence of <filename>/usr/lib/os-release</filename>
5ae4d543cb9b45ad6c6b82b78da1d6abc2291cdbLennart Poettering or <filename>/etc/os-release</filename> in the
5ae4d543cb9b45ad6c6b82b78da1d6abc2291cdbLennart Poettering container tree before starting the container (see
f8964235e69f58225dec378437b1789744cd22a9Lennart Poettering <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It
f8964235e69f58225dec378437b1789744cd22a9Lennart Poettering might be necessary to add this file to the container
f8964235e69f58225dec378437b1789744cd22a9Lennart Poettering tree manually if the OS of the container is too old to
f8964235e69f58225dec378437b1789744cd22a9Lennart Poettering contain this file out-of-the-box.</para>
77b6e19458f37cfde127ec6aa9494c0ac45ad890Lennart Poettering </refsect1>
77b6e19458f37cfde127ec6aa9494c0ac45ad890Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>Options</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek <para>If option <option>-b</option> is specified, the
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek arguments are used as arguments for the init
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek binary. Otherwise, <replaceable>COMMAND</replaceable>
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek specifies the program to launch in the container, and
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek the remaining arguments are used as arguments for this
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek program. If <option>-b</option> is not used and no
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek arguments are specified, a shell is launched in the
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek container.</para>
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek <para>The following options are understood:</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <variablelist>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <varlistentry>
ab1f063390f55e14a8de87f21c4fad199eb908a6Lennart Poettering <term><option>-D</option></term>
a7f5bb1eafadbb08c8528baae588bbe773a37e79William Giokas <term><option>--directory=</option></term>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <listitem><para>Directory to use as
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering file system root for the container.</para>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <para>If neither
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--directory=</option> nor
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--image=</option> is specified,
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering the directory is determined as
5f129649b97bdff2bffefcd9c773157843ede6f6Lennart Poettering <filename>/var/lib/machines/</filename>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering suffixed by the machine name as
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering specified with
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--machine=</option>. If
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering none of <option>--directory=</option>,
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--image=</option>, or
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--machine=</option> is
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering specified, the current directory will
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering be used. May not be specified together
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering with
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering <option>--image=</option>.</para></listitem>
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering </varlistentry>
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <varlistentry>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <term><option>--template=</option></term>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <listitem><para>Directory or
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <literal>btrfs</literal> subvolume to
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering use as template for the container's
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering root directory. If this is specified
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering and the container's root directory (as
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering configured by
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--directory=</option>) does
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering not yet exist it is created as
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <literal>btrfs</literal> subvolume and
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering populated from this template
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering tree. Ideally, the specified template
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering path refers to the root of a
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <literal>btrfs</literal> subvolume, in
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering which case a simple copy-on-write
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering snapshot is taken, and populating the
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering root directory is instant. If the
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering specified template path does not refer
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering to the root of a
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <literal>btrfs</literal> subvolume (or
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering not even to a <literal>btrfs</literal>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering file system at all), the tree is
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering copied, which can be substantially
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering more time-consuming. Note that if this
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering option is used the container's root
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering directory (in contrast to the template
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering directory!) must be located on a
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <literal>btrfs</literal> file system,
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering so that the <literal>btrfs</literal>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering subvolume may be created. May not be
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering specified together with
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--image=</option> or
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--ephemeral</option>.</para></listitem>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering </varlistentry>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <varlistentry>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <term><option>-x</option></term>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <term><option>--ephemeral</option></term>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <listitem><para>If specified, the
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering container is run with a temporary
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <literal>btrfs</literal> snapshot of
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering its root directory (as configured with
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--directory=</option>), that
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering is removed immediately when the
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering container terminates. This option is
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering only supported if the root file system
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering is <literal>btrfs</literal>. May not
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering be specified together with
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--image=</option> or
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--template=</option>.</para></listitem>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering </varlistentry>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering <varlistentry>
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering <term><option>-i</option></term>
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering <term><option>--image=</option></term>
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering <listitem><para>Disk image to mount
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering the root directory for the container
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering from. Takes a path to a regular file
1b9e5b126359a2a2ec37de1f94f046093abc74b8Lennart Poettering or to a block device node. The file or
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering block device must contain either:</para>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering <itemizedlist>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering <listitem><para>An MBR
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering partition table with a single
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering partition of type 0x83 that is
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering marked
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering bootable.</para></listitem>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering <listitem><para>A GUID
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering partition table (GPT) with a single
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering partition of type
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering <listitem><para>A GUID
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering partition table (GPT) with a
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering marked root partition which is
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering mounted as the root directory
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering of the container. Optionally,
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering GPT images may contain a home
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering and/or a server data partition
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering which are mounted to the
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering appropriate places in the
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering container. All these
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering partitions must be identified
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering by the partition types defined
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering by the <ulink
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering Partitions
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering Specification</ulink>.</para></listitem>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering </itemizedlist>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering <para>Any other partitions, such as
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering foreign partitions, swap partitions or
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering EFI system partitions, are not
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering mounted. May not be specified together
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering with <option>--directory=</option>,
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--template=</option> or
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <option>--ephemeral</option>.</para></listitem>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </varlistentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering <varlistentry>
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering <term><option>-b</option></term>
a7f5bb1eafadbb08c8528baae588bbe773a37e79William Giokas <term><option>--boot</option></term>
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering <listitem><para>Automatically search
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering for an init binary and invoke it
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering instead of a shell or a user supplied
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering program. If this option is used,
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering arguments specified on the command
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering line are used as arguments for the
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering init binary. This option may not be
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering combined with
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering <option>--share-system</option>.
870c4365cf3d407270788abe14d216a636ecf6c3Zbigniew Jędrzejewski-Szmek </para></listitem>
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering </varlistentry>
0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295Lennart Poettering
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil <varlistentry>
4f755fc6ab8b75f89ed84c93cd5c3fac2a448b16Lennart Poettering <term><option>-u</option></term>
a7f5bb1eafadbb08c8528baae588bbe773a37e79William Giokas <term><option>--user=</option></term>
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil
1810e3dc6218afd69c469cfb816254730a0ef4e3Lennart Poettering <listitem><para>After transitioning
1810e3dc6218afd69c469cfb816254730a0ef4e3Lennart Poettering into the container, change to the
70a44afee385c4afadaab9a002b3f9dd44aedf4aJan Engelhardt specified user, as defined in the
1810e3dc6218afd69c469cfb816254730a0ef4e3Lennart Poettering container's user database. Like all
1810e3dc6218afd69c469cfb816254730a0ef4e3Lennart Poettering other systemd-nspawn features, this is
1810e3dc6218afd69c469cfb816254730a0ef4e3Lennart Poettering not a security feature and provides
1810e3dc6218afd69c469cfb816254730a0ef4e3Lennart Poettering protection against accidental
1810e3dc6218afd69c469cfb816254730a0ef4e3Lennart Poettering destructive operations
1810e3dc6218afd69c469cfb816254730a0ef4e3Lennart Poettering only.</para></listitem>
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil </varlistentry>
687d0825a4636b1841dc0c01fbcbf3160dddab74Michal Vyskocil
7027ff61a34a12487712b382a061c654acc3a679Lennart Poettering <varlistentry>
7027ff61a34a12487712b382a061c654acc3a679Lennart Poettering <term><option>-M</option></term>
7027ff61a34a12487712b382a061c654acc3a679Lennart Poettering <term><option>--machine=</option></term>
7027ff61a34a12487712b382a061c654acc3a679Lennart Poettering
7027ff61a34a12487712b382a061c654acc3a679Lennart Poettering <listitem><para>Sets the machine name
7027ff61a34a12487712b382a061c654acc3a679Lennart Poettering for this container. This name may be
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering used to identify this container during
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering its runtime (for example in tools like
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering and similar), and is used to
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering initialize the container's hostname
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering (which the container can choose to
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering override, however). If not specified,
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering the last component of the root
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering directory path of the container is
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering used, possibly suffixed with a random
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering identifier in case
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering <option>--ephemeral</option> mode is
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering selected. If the root directory
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering selected is the host's root directory,
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering the host's hostname is used as default
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering instead.</para></listitem>
7027ff61a34a12487712b382a061c654acc3a679Lennart Poettering </varlistentry>
7027ff61a34a12487712b382a061c654acc3a679Lennart Poettering
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering <varlistentry>
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering <term><option>--uuid=</option></term>
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering
e9dd9f9547350c7dc0473583b5c2228dc8f0ab76Jason St. John <listitem><para>Set the specified UUID
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering for the container. The init system
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering will initialize
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering <filename>/etc/machine-id</filename>
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering from this value if that file is not set yet.
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering </para></listitem>
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering </varlistentry>
144f0fc0c8a5e2f6b72179e2b5fb992474da24adLennart Poettering
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <varlistentry>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <term><option>--slice=</option></term>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <listitem><para>Make the container
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering part of the specified slice, instead
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering of the default
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <filename>machine.slice</filename>.</para>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering </listitem>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering </varlistentry>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering <varlistentry>
ff01d048b4c1455241c894cf7982662c9d28fd34Lennart Poettering <term><option>--private-network</option></term>
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <listitem><para>Disconnect networking
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering of the container from the host. This
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering makes all network interfaces
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering unavailable in the container, with the
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering exception of the loopback device and
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering those specified with
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <option>--network-interface=</option>
ab046dde6f355f4a8b07ff6120a7ef51f5d49fc9Tom Gundersen and configured with
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <option>--network-veth</option>. If
73e231abde39f22097df50542c745e01de879836Jan Engelhardt this option is specified, the
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering CAP_NET_ADMIN capability will be added
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering to the set of capabilities the
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering container retains. This addition
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering may be undone again by using
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering <option>--drop-capability=</option>.</para></listitem>
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering </varlistentry>
a41fe3a29372f8e6c4e7733bf85940a023811301Lennart Poettering
aa28aefe61c5406c5cb631f3e82457b6d1bcc967Lennart Poettering <varlistentry>
aa28aefe61c5406c5cb631f3e82457b6d1bcc967Lennart Poettering <term><option>--network-interface=</option></term>
aa28aefe61c5406c5cb631f3e82457b6d1bcc967Lennart Poettering
aa28aefe61c5406c5cb631f3e82457b6d1bcc967Lennart Poettering <listitem><para>Assign the specified
aa28aefe61c5406c5cb631f3e82457b6d1bcc967Lennart Poettering network interface to the
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering container. This will remove the
aa28aefe61c5406c5cb631f3e82457b6d1bcc967Lennart Poettering specified interface from the calling
aa28aefe61c5406c5cb631f3e82457b6d1bcc967Lennart Poettering namespace and place it in the
aa28aefe61c5406c5cb631f3e82457b6d1bcc967Lennart Poettering container. When the container
73e231abde39f22097df50542c745e01de879836Jan Engelhardt terminates, it is moved back to the
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering host namespace. Note that
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering <option>--network-interface=</option>
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering implies
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering <option>--private-network</option>. This
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering option may be used more than once to
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering add multiple network interfaces to the
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering container.</para></listitem>
aa28aefe61c5406c5cb631f3e82457b6d1bcc967Lennart Poettering </varlistentry>
aa28aefe61c5406c5cb631f3e82457b6d1bcc967Lennart Poettering
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering <varlistentry>
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering <term><option>--network-macvlan=</option></term>
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering <listitem><para>Create a
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering <literal>macvlan</literal> interface
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering of the specified Ethernet network
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering interface and add it to the
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering container. A
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering <literal>macvlan</literal> interface
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering is a virtual interface that adds a
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering second MAC address to an existing
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering physical Ethernet link. The interface
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering in the container will be named after
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering the interface on the host, prefixed
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering with <literal>mv-</literal>. Note that
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering <option>--network-macvlan=</option>
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering implies
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering <option>--private-network</option>. This
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering option may be used more than once to
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering add multiple network interfaces to the
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering container.</para></listitem>
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering </varlistentry>
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering <varlistentry>
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen <term><option>--network-ipvlan=</option></term>
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering <listitem><para>Create an
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen <literal>ipvlan</literal> interface
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen of the specified Ethernet network
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen interface and add it to the
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen container. An
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen <literal>ipvlan</literal> interface
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen is a virtual interface, similar to a
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen <literal>macvlan</literal> interface, which
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen uses the same MAC address as the underlying
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen interface. The interface
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen in the container will be named after
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen the interface on the host, prefixed
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen with <literal>iv-</literal>. Note that
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen <option>--network-ipvlan=</option>
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen implies
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen <option>--private-network</option>. This
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen option may be used more than once to
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen add multiple network interfaces to the
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen container.</para></listitem>
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen </varlistentry>
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen
4bbfe7ad22b0666e82719e39e40be1c6cbb5cc91Tom Gundersen <varlistentry>
0dfaa0060711a8332c8eb9f1e10f48fe182d3650Lennart Poettering <term><option>-n</option></term>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <term><option>--network-veth</option></term>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <listitem><para>Create a virtual
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering Ethernet link
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering (<literal>veth</literal>) between host
c74e630d0ce4b1ace116e8211f3b6eb472efa7e3Lennart Poettering and container. The host side of the
66f756d437658cc464bfb5647c97efd0cf77f933Jan Engelhardt Ethernet link will be available as a
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering network interface named after the
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering container's name (as specified with
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <option>--machine=</option>), prefixed
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering with <literal>ve-</literal>. The
dca348bcbb462305864526c587495a14a76bfcdeJan Engelhardt container side of the Ethernet
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering link will be named
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <literal>host0</literal>. Note that
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <option>--network-veth</option>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering implies
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <option>--private-network</option>.</para></listitem>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering </varlistentry>
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering
ab046dde6f355f4a8b07ff6120a7ef51f5d49fc9Tom Gundersen <varlistentry>
ab046dde6f355f4a8b07ff6120a7ef51f5d49fc9Tom Gundersen <term><option>--network-bridge=</option></term>
ab046dde6f355f4a8b07ff6120a7ef51f5d49fc9Tom Gundersen
08af0da26935e827b58809ff1946e2f7d496e666Lennart Poettering <listitem><para>Adds the host side of
08af0da26935e827b58809ff1946e2f7d496e666Lennart Poettering the Ethernet link created with
08af0da26935e827b58809ff1946e2f7d496e666Lennart Poettering <option>--network-veth</option> to the
08af0da26935e827b58809ff1946e2f7d496e666Lennart Poettering specified bridge. Note that
08af0da26935e827b58809ff1946e2f7d496e666Lennart Poettering <option>--network-bridge=</option>
ab046dde6f355f4a8b07ff6120a7ef51f5d49fc9Tom Gundersen implies
08af0da26935e827b58809ff1946e2f7d496e666Lennart Poettering <option>--network-veth</option>. If
b8bde11658366290521e3d03316378b482600323Jan Engelhardt this option is used, the host side of
08af0da26935e827b58809ff1946e2f7d496e666Lennart Poettering the Ethernet link will use the
08af0da26935e827b58809ff1946e2f7d496e666Lennart Poettering <literal>vb-</literal> prefix instead
08af0da26935e827b58809ff1946e2f7d496e666Lennart Poettering of <literal>ve-</literal>.</para></listitem>
ab046dde6f355f4a8b07ff6120a7ef51f5d49fc9Tom Gundersen </varlistentry>
ab046dde6f355f4a8b07ff6120a7ef51f5d49fc9Tom Gundersen
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering <varlistentry>
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering <term><option>-p</option></term>
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering <term><option>--port=</option></term>
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering <listitem><para>If private networking
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering is enabled, maps an IP port on the
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering host onto an IP port on the
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering container. Takes a protocol specifier
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering (either <literal>tcp</literal> or
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering <literal>udp</literal>), separated by
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering a colon from a host port number in the
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering range 1 to 65535, separated by a colon
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering from a container port number in the
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering range from 1 to 65535. The protocol
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering specifier and its separating colon may
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering be omitted, in which case
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering <literal>tcp</literal> is assumed.
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering The container port number and its
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering colon may be omitted, in which case
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering the same port as the host port is
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering implied. This option is only supported
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering if private networking is used, such as
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering <option>--network-veth</option> or
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering <option>--network-bridge=</option>.</para></listitem>
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering </varlistentry>
6d0b55c272ea31d025e8b3c311cea8cda0bfefd7Lennart Poettering
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <varlistentry>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <term><option>-Z</option></term>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <term><option>--selinux-context=</option></term>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <listitem><para>Sets the SELinux
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering security context to be used to label
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering processes in the container.</para>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering </listitem>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering </varlistentry>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <varlistentry>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <term><option>-L</option></term>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <term><option>--selinux-apifs-context=</option></term>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <listitem><para>Sets the SELinux security
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering context to be used to label files in
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering the virtual API file systems in the
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering container.</para>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering </listitem>
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering </varlistentry>
bc2f673ec24b59948fcfc35b3077fda0314e69d8Lennart Poettering
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering <varlistentry>
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering <term><option>--capability=</option></term>
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering <listitem><para>List one or more
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering additional capabilities to grant the
e9dd9f9547350c7dc0473583b5c2228dc8f0ab76Jason St. John container. Takes a comma-separated
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering list of capability names, see
5aded369782f28255bc6b494ca905d7acaea7a56Zbigniew Jędrzejewski-Szmek <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering for more information. Note that the
88d04e31ce0837ebf937ab46c3c39a0d93ab4c7cLennart Poettering following capabilities will be granted
88d04e31ce0837ebf937ab46c3c39a0d93ab4c7cLennart Poettering in any case: CAP_CHOWN,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_KILL, CAP_LEASE,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_LINUX_IMMUTABLE,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_NET_BIND_SERVICE,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_NET_BROADCAST, CAP_NET_RAW,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_SETUID, CAP_SYS_ADMIN,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_SYS_CHROOT, CAP_SYS_NICE,
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
88d04e31ce0837ebf937ab46c3c39a0d93ab4c7cLennart Poettering CAP_SYS_RESOURCE, CAP_SYS_BOOT,
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering CAP_AUDIT_WRITE,
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering is retained if
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering <option>--private-network</option> is
a42c8b54b1619078c02f5e439bd2564c6d0f901fLennart Poettering specified. If the special value
73e231abde39f22097df50542c745e01de879836Jan Engelhardt <literal>all</literal> is passed, all
39ed67d14694983dabd6641c02216aa440eed767Lennart Poettering capabilities are
39ed67d14694983dabd6641c02216aa440eed767Lennart Poettering retained. Note that the default set already includes powerful capabilities such as CAP_SYS_ADMIN and CAP_SYS_PTRACE; use <option>--drop-capability=</option> to narrow it for containers whose contents are not fully trusted.</para></listitem>
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering </varlistentry>
5076f0ccfd36b67512d44fe355b80305ced7dcbaLennart Poettering
420c7379fb96a188459690a634d0fede55721183Lennart Poettering <varlistentry>
420c7379fb96a188459690a634d0fede55721183Lennart Poettering <term><option>--drop-capability=</option></term>
420c7379fb96a188459690a634d0fede55721183Lennart Poettering
420c7379fb96a188459690a634d0fede55721183Lennart Poettering <listitem><para>Specify one or more
420c7379fb96a188459690a634d0fede55721183Lennart Poettering additional capabilities to drop for
420c7379fb96a188459690a634d0fede55721183Lennart Poettering the container. This allows running the
420c7379fb96a188459690a634d0fede55721183Lennart Poettering container with fewer capabilities than
420c7379fb96a188459690a634d0fede55721183Lennart Poettering the default (see above).</para></listitem>
420c7379fb96a188459690a634d0fede55721183Lennart Poettering </varlistentry>
420c7379fb96a188459690a634d0fede55721183Lennart Poettering
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <varlistentry>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <term><option>--link-journal=</option></term>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <listitem><para>Control whether the
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering container's journal shall be made
79640424059328268b9fb6c5fa8eb777b27a177eJan Engelhardt visible to the host system. If enabled,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering allows viewing the container's journal
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering files from the host (but not vice
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering versa). Takes one of
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>no</literal>,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>host</literal>,
574edc90066c3faeadcf4666928ed9b0ac409c75Martin Pitt <literal>try-host</literal>,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>guest</literal>,
574edc90066c3faeadcf4666928ed9b0ac409c75Martin Pitt <literal>try-guest</literal>,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>auto</literal>. If
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek <literal>no</literal>, the journal is
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek not linked. If <literal>host</literal>,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering the journal files are stored on the
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek host file system (beneath
e670b166a08b7c1031a9e7d7675fa9a29c3e19c9Zbigniew Jędrzejewski-Szmek <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek and the subdirectory is bind-mounted
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering into the container at the same
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek location. If <literal>guest</literal>,
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering the journal files are stored on the
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek guest file system (beneath
e670b166a08b7c1031a9e7d7675fa9a29c3e19c9Zbigniew Jędrzejewski-Szmek <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek and the subdirectory is symlinked into the host
574edc90066c3faeadcf4666928ed9b0ac409c75Martin Pitt at the same location. <literal>try-host</literal>
574edc90066c3faeadcf4666928ed9b0ac409c75Martin Pitt and <literal>try-guest</literal> do the same
574edc90066c3faeadcf4666928ed9b0ac409c75Martin Pitt but do not fail if the host does not have
f131770b1465fbf423881f16ba85523a05f846feVeres Lajos persistent journalling enabled.
574edc90066c3faeadcf4666928ed9b0ac409c75Martin Pitt If <literal>auto</literal> (the default),
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek and the matching subdirectory of
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <filename>/var/log/journal</filename>
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek exists, it will be bind-mounted
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek into the container. If the
6b4991cfde6c0a0b62e836ca75ae362779c474d4Jan Engelhardt subdirectory does not exist, no
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek linking is performed. Effectively,
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek booting a container once with
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>guest</literal> or
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <literal>host</literal> will link the
27407a01c6c115ed09ad938ab95dcb56ab963ba9Zbigniew Jędrzejewski-Szmek journal persistently if further on
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering the default of <literal>auto</literal>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering is used.</para></listitem>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering </varlistentry>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <varlistentry>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <term><option>-j</option></term>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering <listitem><para>Equivalent to
574edc90066c3faeadcf4666928ed9b0ac409c75Martin Pitt <option>--link-journal=try-guest</option>.</para></listitem>
57fb9fb56db0584581ce33ee842dcbf5f1136856Lennart Poettering </varlistentry>
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <varlistentry>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <term><option>--read-only</option></term>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering <listitem><para>Mount the root file
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering system read-only for the
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering container.</para></listitem>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering </varlistentry>
69c79d3c32ff4d6a572ee1cdec248b27df1fb6caLennart Poettering
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering <varlistentry>
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering <term><option>--bind=</option></term>
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering <term><option>--bind-ro=</option></term>
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering <listitem><para>Bind mount a file or
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering directory from the host into the
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering container. Either takes a path
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering argument -- in which case the
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering specified path will be mounted from
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering the host to the same path in the
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering container --, or a colon-separated
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering pair of paths -- in which case the
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering first specified path is the source in
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering the host, and the second path is the
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering destination in the container. The
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering <option>--bind-ro=</option> option
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering creates read-only bind
08af0da26935e827b58809ff1946e2f7d496e666Lennart Poettering mounts, which are preferable whenever the container does not need write access to the host path.</para></listitem>
17fe052346f1d905b5ce0f12123b5ce24e992c6bLennart Poettering </varlistentry>
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering <varlistentry>
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering <term><option>--tmpfs=</option></term>
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering <listitem><para>Mount a tmpfs file
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering system into the container. Takes a
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering single absolute path argument that
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering specifies where to mount the tmpfs
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering instance to (in which case the
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering directory access mode will be chosen
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering as 0755, owned by root/root), or
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering optionally a colon-separated pair of
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering path and mount option string, that is
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering used for mounting (in which case the
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering kernel default for access mode and
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering owner will be chosen, unless otherwise
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering specified). This option is
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering particularly useful for mounting
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering directories such as
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering <filename>/var</filename> as tmpfs, to
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering allow stateless systems, in
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering particular when combined with
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering <option>--read-only</option>.</para></listitem>
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering </varlistentry>
06c17c39a8345deef1ecff4dd5ef262f968c9be2Lennart Poettering
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering <varlistentry>
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering <term><option>--setenv=</option></term>
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering <listitem><para>Specifies an
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering environment variable assignment to
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering pass to the init process in the
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering container, in the format
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering <literal>NAME=VALUE</literal>. This
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering may be used to override the default
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering variables or to set additional
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering variables. This parameter may be used
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering more than once.</para></listitem>
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering </varlistentry>
f4889f656b477887b02caa5e9d27387309c75a87Lennart Poettering
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering <varlistentry>
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering <term><option>--share-system</option></term>
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering <listitem><para>Allows the container
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering to share certain system facilities
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering with the host. More specifically, this
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering turns off PID namespacing, UTS
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering namespacing and IPC namespacing, and
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering thus allows the guest to see and
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering interact more easily with processes
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering outside of the container. Note that
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering using this option makes it impossible
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering to start up a full Operating System in
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering the container, as an init system
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering cannot operate in this mode. It is
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering only useful to run specific programs
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering or applications this way, without
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering involving an init system in the
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering container. This option implies
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering <option>--register=no</option>. This
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering option may not be combined with
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering <option>--boot</option>.</para></listitem>
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering </varlistentry>
8a96d94e4c33173d1426b7e0a6325405804ba224Lennart Poettering
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering <varlistentry>
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering <term><option>--register=</option></term>
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering <listitem><para>Controls whether the
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering container is registered with
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. Takes
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering a boolean argument, defaults to
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering <literal>yes</literal>. This option
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering should be enabled when the container
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering runs a full Operating System (more
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering specifically: an init system), and is
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering useful to ensure that the container is
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering accessible via
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering and shown by tools such as
5aded369782f28255bc6b494ca905d7acaea7a56Zbigniew Jędrzejewski-Szmek <citerefentry project='man-pages'><refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering the container does not run an init
73e231abde39f22097df50542c745e01de879836Jan Engelhardt system, it is recommended to set this
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering option to <literal>no</literal>. Note
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering that <option>--share-system</option>
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering implies
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering <option>--register=no</option>.
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering </para></listitem>
eb91eb187b7491e05fb95215b77cb62061f41d08Lennart Poettering </varlistentry>
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering <varlistentry>
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering <term><option>--keep-unit</option></term>
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering <listitem><para>Instead of creating a
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering transient scope unit to run the
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering container in, simply register the
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering service or scope unit
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering <command>systemd-nspawn</command> has
66f756d437658cc464bfb5647c97efd0cf77f933Jan Engelhardt been invoked in with
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering has no effect if
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering <option>--register=no</option> is
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering used. This switch should be used if
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering <command>systemd-nspawn</command> is
66f756d437658cc464bfb5647c97efd0cf77f933Jan Engelhardt invoked from within a service unit,
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering and the service unit's sole purpose
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering is to run a single
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering <command>systemd-nspawn</command>
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering container. This option is not
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering available if run from a user
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering session.</para></listitem>
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering </varlistentry>
89f7c8465cd1ab37347dd0c15920bce31e8225dfLennart Poettering
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering <varlistentry>
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering <term><option>--personality=</option></term>
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering <listitem><para>Control the
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering architecture ("personality") reported
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering by
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering <citerefentry><refentrytitle>uname</refentrytitle><manvolnum>2</manvolnum></citerefentry>
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering in the container. Currently, only
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering <literal>x86</literal> and
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering <literal>x86-64</literal> are
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering supported. This is useful when running
70a44afee385c4afadaab9a002b3f9dd44aedf4aJan Engelhardt a 32-bit container on a 64-bit
b8bde11658366290521e3d03316378b482600323Jan Engelhardt host. If this setting is not used,
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering the personality reported in the
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering container is the same as the one
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering reported on the
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering host.</para></listitem>
6afc95b73605833e6e966af1c466b5c08feb953fLennart Poettering </varlistentry>
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek <varlistentry>
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek <term><option>-q</option></term>
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek <term><option>--quiet</option></term>
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek <listitem><para>Turns off any status
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek output by the tool itself. When this
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek switch is used, the only output
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek from nspawn will be the console output
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek of the container OS itself.</para></listitem>
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek </varlistentry>
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering <varlistentry>
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering <term><option>--volatile</option><replaceable>=MODE</replaceable></term>
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering <listitem><para>Boots the container in
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering volatile mode. When no mode parameter
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering is passed or when mode is specified as
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering <literal>yes</literal>, full volatile
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering mode is enabled. This means the root
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering directory is mounted as mostly
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering unpopulated <literal>tmpfs</literal>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering instance, and
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering <filename>/usr</filename> from the OS
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering tree is mounted into it, read-only
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering (the system thus starts up with
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering read-only OS resources, but pristine
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering state and configuration, any changes
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering to either are lost on
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering shutdown). When the mode parameter is
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering specified as <literal>state</literal>
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering the OS tree is mounted read-only, but
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering <filename>/var</filename> is mounted
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering as <literal>tmpfs</literal> instance
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering into it (the system thus starts up
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering with read-only OS resources and
06b643e7f5a3b79005dd57497897ab7255fe3659Ruben Kerkhof configuration, but pristine state, any
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering changes to the latter are lost on
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering shutdown). When the mode parameter is
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering specified as <literal>no</literal>
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering (the default), the whole OS tree is
ec16945ebfe64d5cd5403ae1a1b16bc05a779a16Lennart Poettering made writable.</para>
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering <para>Note that setting this to
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering <literal>yes</literal> or
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering <literal>state</literal> will only
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering work correctly with operating systems
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering in the container that can boot up with
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering only <filename>/usr</filename>
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering mounted, and are able to populate
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering <filename>/var</filename>
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering automatically, as
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering needed.</para></listitem>
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering </varlistentry>
108e8cd11e88bd4795a62bf335921d438592601cLennart Poettering
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek <xi:include href="standard-options.xml" xpointer="help" />
dfdebb1b925332352966804303b2516a6506a429Zbigniew Jędrzejewski-Szmek <xi:include href="standard-options.xml" xpointer="version" />
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </variablelist>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <title>Examples</title>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering <example>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering <title>Download a Fedora image and start a shell in it</title>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering <programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering# systemd-nspawn -M Fedora-Cloud-Base-20141203-21</programlisting>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering<para>This downloads an image using <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and opens a shell in it. Note that <option>--verify=no</option> turns off checksum and signature verification of the downloaded image, so the image's integrity is not checked before it is used.</para>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering </example>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <example>
e0ea94c1e2ab3930c85c6057189a2a829a13a800Lennart Poettering <title>Build and boot a minimal Fedora distribution in a container</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
667993e88eb7519c6674fe9a9e985619817465e0Lennart Poettering <programlisting># yum -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
2b3987a863975f5a1fa1754725e3d07a5d4f6478Lennart Poettering# systemd-nspawn -bD /srv/mycontainer</programlisting>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <para>This installs a minimal Fedora distribution into
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier the directory <filename noindex='true'>/srv/mycontainer/</filename> and
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier then boots an OS in a namespace container in
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier it. Note that <option>--nogpg</option> skips GPG
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier signature checking of the packages being installed.</para>
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier </example>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <example>
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <title>Spawn a shell in a container of a minimal Debian unstable distribution</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <programlisting># debootstrap --arch=amd64 unstable ~/debian-tree/
25f5971b5e0b3ab5b91a7d0359cd7f5a5094c1d0Lennart Poettering# systemd-nspawn -D ~/debian-tree/</programlisting>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <para>This installs a minimal Debian unstable
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier distribution into the directory
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <filename>~/debian-tree/</filename> and then spawns a
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier shell in a namespace container in it.</para>
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier </example>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <example>
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <title>Boot a minimal Arch Linux distribution in a container</title>
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <programlisting># pacstrap -c -d ~/arch-tree/ base
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas# systemd-nspawn -bD ~/arch-tree/</programlisting>
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <para>This installs a minimal Arch Linux distribution into
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier the directory <filename>~/arch-tree/</filename> and then
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier boots an OS in a namespace container in it.</para>
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier </example>
68562936c243a2e2190a7232c4805ffd094e9b3bWilliam Giokas
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <example>
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering <title>Boot into an ephemeral <literal>btrfs</literal> snapshot of the host system</title>
f9f4dd51bdb016bab84f7fb3cf47a2ad102b4c76Zbigniew Jędrzejewski-Szmek
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering <programlisting># systemd-nspawn -D / -xb</programlisting>
f9f4dd51bdb016bab84f7fb3cf47a2ad102b4c76Zbigniew Jędrzejewski-Szmek
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier <para>This runs a copy of the host system in a
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering <literal>btrfs</literal> snapshot which is
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering removed immediately when the container
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering exits. Hence, all file system changes made
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering during runtime will be lost on
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering shutdown.</para>
1db8c66f2e500272cb5582f9087b8e2a123aee10Ronny Chevalier </example>
f9f4dd51bdb016bab84f7fb3cf47a2ad102b4c76Zbigniew Jędrzejewski-Szmek
0b3b83e59b637660524e90a07f9ef691856b19bfLennart Poettering <example>
0b3b83e59b637660524e90a07f9ef691856b19bfLennart Poettering <title>Run a container with SELinux sandbox security contexts</title>
a8828ed93878b4b4866d40ebfb660e54995ff72eDaniel J Walsh
0b3b83e59b637660524e90a07f9ef691856b19bfLennart Poettering <programlisting># chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
a8828ed93878b4b4866d40ebfb660e54995ff72eDaniel J Walsh# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh</programlisting>
0b3b83e59b637660524e90a07f9ef691856b19bfLennart Poettering </example>
a8828ed93878b4b4866d40ebfb660e54995ff72eDaniel J Walsh </refsect1>
f9f4dd51bdb016bab84f7fb3cf47a2ad102b4c76Zbigniew Jędrzejewski-Szmek
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>Exit status</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>The exit code of the program executed in the
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering container is returned.</para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <title>See Also</title>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
5aded369782f28255bc6b494ca905d7acaea7a56Zbigniew Jędrzejewski-Szmek <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
5aded369782f28255bc6b494ca905d7acaea7a56Zbigniew Jędrzejewski-Szmek <citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
5aded369782f28255bc6b494ca905d7acaea7a56Zbigniew Jędrzejewski-Szmek <citerefentry project='die-net'><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
c45827d6e70baf6b683d7cafb13a9a6f02852731Ronny Chevalier <citerefentry project='archlinux'><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
04d39279245834494baccfdb9349db8bf80abd13Lennart Poettering <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
b9ba4dabbab8a58a044ec42655e11e65bd3ecc47Lennart Poettering <citerefentry><refentrytitle>btrfs</refentrytitle><manvolnum>8</manvolnum></citerefentry>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </para>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering </refsect1>
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering
8f7a3c1402a8de36b2c63935358a53510d2fe7c1Lennart Poettering</refentry>