f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering<!ENTITY % entities SYSTEM "custom-entities.ent" >
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering This file is part of systemd.
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering Copyright 2015 Lennart Poettering
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering systemd is free software; you can redistribute it and/or modify it
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering under the terms of the GNU Lesser General Public License as published by
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering the Free Software Foundation; either version 2.1 of the License, or
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering (at your option) any later version.
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering systemd is distributed in the hope that it will be useful, but
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering WITHOUT ANY WARRANTY; without even the implied warranty of
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering Lesser General Public License for more details.
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering You should have received a copy of the GNU Lesser General Public License
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering along with systemd; If not, see <http://www.gnu.org/licenses/>.
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <refentryinfo>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </authorgroup>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </refentryinfo>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <refentrytitle>systemd.nspawn</refentrytitle>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <refpurpose>Container settings</refpurpose>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <refsynopsisdiv>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </refsynopsisdiv>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <para>An nspawn container settings file (suffix
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <filename>.nspawn</filename>) encodes additional runtime
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering information about a local container, and is searched, read and
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering when starting a container. Files of this type are named after the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering containers they define settings for. They are optional, and only
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering required for containers whose execution environment shall differ
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering from the defaults. Files of this type mostly contain settings that
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering may also be set on the <command>systemd-nspawn</command> command
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering line, and make it easier to persistently attach specific settings
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering to specific containers. The syntax of these files is inspired by
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <filename>.desktop</filename> files following the <ulink
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering url="http://standards.freedesktop.org/desktop-entry-spec/latest/">XDG
a8eaaee72a2f06e0fb64fb71de3b71ecba31dafbJan Engelhardt Desktop Entry Specification</ulink>, which in turn are inspired by
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering Microsoft Windows <filename>.ini</filename> files.</para>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <para>Boolean arguments used in these settings files can be
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt written in various formats. For positive settings, the strings
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>1</option>, <option>yes</option>, <option>true</option>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering and <option>on</option> are equivalent. For negative settings, the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering strings <option>0</option>, <option>no</option>,
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>false</option> and <option>off</option> are
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering equivalent.</para>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <para>Empty lines and lines starting with # or ; are
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering ignored. This may be used for commenting. Lines ending
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering in a backslash are concatenated with the following
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering line while reading and the backslash is replaced by a
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering space character. This may be used to wrap long lines.</para>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <title><filename>.nspawn</filename> File Discovery</title>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <para>Files are searched by appending the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <filename>.nspawn</filename> suffix to the machine name of the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering container, as specified with the <option>--machine=</option>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering switch of <command>systemd-nspawn</command>, or derived from the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering directory or image file name. This file is first searched in
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <filename>/etc/systemd/nspawn/</filename> and
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <filename>/run/systemd/nspawn/</filename>. If found in these
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt directories, its settings are read and all of them take full effect
4f76ef0423a30ee672891056aeb5df2422947e1dThomas Hindoe Paaboel Andersen (but are possibly overridden by corresponding command line
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt arguments). If not found, the file will then be searched next to
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering the image file or in the immediate parent of the root directory of
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt the container. If the file is found there, only a subset of the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering settings will take effect however. All settings that possibly
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering elevate privileges or grant additional access to resources of the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering host (such as files or directories) are ignored. To which options
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering this applies is documented below.</para>
a8eaaee72a2f06e0fb64fb71de3b71ecba31dafbJan Engelhardt <para>Persistent settings files created and maintained by the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering administrator (and thus trusted) should be placed in
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <filename>/etc/systemd/nspawn/</filename>, while automatically
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering downloaded (and thus potentially untrusted) settings files are
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering placed in <filename>/var/lib/machines/</filename> instead (next to
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering the container images), where their security impact is limited. In
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering order to add privileged settings to <filename>.nspawn</filename>
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt files acquired from the image vendor, it is recommended to copy the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering settings files into <filename>/etc/systemd/nspawn/</filename> and
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering edit them there, so that the privileged options become
a8eaaee72a2f06e0fb64fb71de3b71ecba31dafbJan Engelhardt available. The precise algorithm for how the files are searched and
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering interpreted may be configured with
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <command>systemd-nspawn</command>'s <option>--settings=</option>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering for details.</para>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <para>Settings files may include an <literal>[Exec]</literal>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering section, which carries various execution parameters:</para>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <variablelist>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering <listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command>
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering will automatically search for an <filename>init</filename> executable and invoke it. In this case, the
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering <filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering <command>systemd-nspawn</command> command line. This option may not be combined with
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering <varname>ProcessTwo=yes</varname>.</para></listitem>
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering </varlistentry>
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering <varlistentry>
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering <term><varname>ProcessTwo=</varname></term>
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering on the <command>systemd-nspawn</command> command line. This option may not be combined with
7732f92bad5f24a4bd03bb357af46da56b0ac94dLennart Poettering <varname>Boot=yes</varname>.</para></listitem>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>Parameters=</varname></term>
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt <listitem><para>Takes a space-separated list of
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering arguments. This is either a command line, beginning with the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering binary name to execute, or – if <varname>Boot=</varname> is
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering enabled – the list of arguments to pass to the init
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering process. This setting corresponds to the command line
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering parameters passed on the <command>systemd-nspawn</command>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>Environment=</varname></term>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <listitem><para>Takes an environment variable assignment
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering consisting of key and value, separated by
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <literal>=</literal>. Sets an environment variable for the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering main process invoked in the container. This setting may be
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering used multiple times to set multiple environment variables. It
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering corresponds to the <option>--setenv=</option> command line
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <listitem><para>Takes a UNIX user name. Specifies the user
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering name to invoke the main process of the container as. This user
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering must be known in the container's user database. This
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering corresponds to the <option>--user=</option> command line
5f932eb9af7a5e4723855bcd776c2acaa2a31932Lennart Poettering </varlistentry>
5f932eb9af7a5e4723855bcd776c2acaa2a31932Lennart Poettering <varlistentry>
5f932eb9af7a5e4723855bcd776c2acaa2a31932Lennart Poettering <term><varname>WorkingDirectory=</varname></term>
5f932eb9af7a5e4723855bcd776c2acaa2a31932Lennart Poettering <listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute
5f932eb9af7a5e4723855bcd776c2acaa2a31932Lennart Poettering path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>Capability=</varname></term>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>DropCapability=</varname></term>
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt <listitem><para>Takes a space-separated list of Linux process
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering capabilities (see
524f3e5c9d1eb2fba3d0b65d1790018163ba0b20Zbigniew Jędrzejewski-Szmek <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering for details). The <varname>Capability=</varname> setting
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering specifies additional capabilities to pass on top of the
4f76ef0423a30ee672891056aeb5df2422947e1dThomas Hindoe Paaboel Andersen default set of capabilities. The
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varname>DropCapability=</varname> setting specifies
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering capabilities to drop from the default set. These settings
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering correspond to the <option>--capability=</option> and
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>--drop-capability=</option> command line
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering switches. Note that <varname>Capability=</varname> is a
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering privileged setting, and only takes effect in
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <filename>/etc/systemd/nspawn/</filename> and
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <filename>/run/system/nspawn/</filename> (see above). On the
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt other hand, <varname>DropCapability=</varname> takes effect in
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>Personality=</varname></term>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <listitem><para>Configures the kernel personality for the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering container. This is equivalent to the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>--personality=</option> switch.</para></listitem>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>MachineID=</varname></term>
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt <listitem><para>Configures the 128-bit machine ID (UUID) to pass to
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering the container. This is equivalent to the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>--uuid=</option> command line switch. This option is
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering privileged (see above). </para></listitem>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </variablelist>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <para>Settings files may include a <literal>[Files]</literal>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering section, which carries various parameters configuring the file
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering system of the container:</para>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <variablelist>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>ReadOnly=</varname></term>
a8eaaee72a2f06e0fb64fb71de3b71ecba31dafbJan Engelhardt <listitem><para>Takes a boolean argument, which defaults to off. If
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt specified, the container will be run with a read-only file
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering system. This setting corresponds to the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>--read-only</option> command line
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>Volatile=</varname></term>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <listitem><para>Takes a boolean argument, or the special value
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <literal>state</literal>. This configures whether to run the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering container with volatile state and/or configuration. This
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering option is equivalent to <option>--volatile=</option>, see
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering for details about the specific options
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>BindReadOnly=</varname></term>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <listitem><para>Adds a bind mount from the host into the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering container. Takes a single path, a pair of two paths separated
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering by a colon, or a triplet of two paths plus an option string
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering separated by colons. This option may be used multiple times to
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering configure multiple bind mounts. This option is equivalent to
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering the command line switches <option>--bind=</option> and
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering for details about the specific options supported. This setting
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering is privileged (see above).</para></listitem>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>TemporaryFileSystem=</varname></term>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <listitem><para>Adds a <literal>tmpfs</literal> mount to the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering container. Takes a path or a pair of path and option string,
4f76ef0423a30ee672891056aeb5df2422947e1dThomas Hindoe Paaboel Andersen separated by a colon. This option may be used multiple times to
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering configure multiple <literal>tmpfs</literal> mounts. This
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering option is equivalent to the command line switch
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering for details about the specific options supported. This setting
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering is privileged (see above).</para></listitem>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </variablelist>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <para>Settings files may include a <literal>[Network]</literal>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering section, which carries various parameters configuring the network
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering connectivity of the container:</para>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <variablelist>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
a8eaaee72a2f06e0fb64fb71de3b71ecba31dafbJan Engelhardt <listitem><para>Takes a boolean argument, which defaults to off. If
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt enabled, the container will run in its own network namespace
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering and not share network interfaces and configuration with the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering host. This setting corresponds to the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>--private-network</option> command line
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>VirtualEthernet=</varname></term>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <listitem><para>Takes a boolean argument. Configures whether
a8eaaee72a2f06e0fb64fb71de3b71ecba31dafbJan Engelhardt to create a virtual Ethernet connection
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering (<literal>veth</literal>) between host and the container. This
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering setting implies <varname>Private=yes</varname>. This setting
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering corresponds to the <option>--network-veth</option> command
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering line switch. This option is privileged (see
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering <varlistentry>
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering <term><varname>VirtualEthernetExtra=</varname></term>
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering <listitem><para>Takes a colon-separated pair of interface
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering names. Configures an additional virtual Ethernet connection
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering (<literal>veth</literal>) between host and the container. The
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering first specified name is the interface name on the host, the
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering second the interface name in the container. The latter may be
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering omitted in which case it is set to the same name as the host
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering side interface. This setting implies
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering <varname>Private=yes</varname>. This setting corresponds to
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering the <option>--network-veth-extra=</option> command line
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering switch, and maybe be used multiple times. It is independent of
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering <varname>VirtualEthernet=</varname>. This option is privileged
f6d6bad1461a8f545a80955fadd7ee0c10db15bbLennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <term><varname>Interface=</varname></term>
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt <listitem><para>Takes a space-separated list of interfaces to
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering add to the container. This option corresponds to the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>--network-interface=</option> command line switch and
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering implies <varname>Private=yes</varname>. This option is
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering privileged (see above).</para></listitem>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
b938cb902c3b5bca807a94b277672c64d6767886Jan Engelhardt <listitem><para>Takes a space-separated list of interfaces to
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering add MACLVAN or IPVLAN interfaces to, which are then added to
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering the container. These options correspond to the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>--network-ipvlan=</option> command line switches and
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering imply <varname>Private=yes</varname>. These options are
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering privileged (see above).</para></listitem>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <listitem><para>Takes an interface name. This setting implies
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varname>VirtualEthernet=yes</varname> and
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varname>Private=yes</varname> and has the effect that the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering host side of the created virtual Ethernet link is connected to
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering the specified bridge interface. This option corresponds to the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>--network-bridge=</option> command line switch. This
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering option is privileged (see above).</para></listitem>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <listitem><para>Exposes a TCP or UDP port of the container on
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering the host. This option corresponds to the
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <option>--port=</option> command line switch, see
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering for the precise syntax of the argument this option takes. This
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering option is privileged (see above).</para></listitem>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </varlistentry>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering </variablelist>
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
f757855e81fc0bc116de372220096e532afb5cb8Lennart Poettering <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>