summaryrefslogtreecommitdiff
path: root/man/systemd-nspawn.1
diff options
context:
space:
mode:
Diffstat (limited to 'man/systemd-nspawn.1')
-rw-r--r--man/systemd-nspawn.1284
1 files changed, 284 insertions, 0 deletions
diff --git a/man/systemd-nspawn.1 b/man/systemd-nspawn.1
new file mode 100644
index 0000000000..4e45f3a3e2
--- /dev/null
+++ b/man/systemd-nspawn.1
@@ -0,0 +1,284 @@
+'\" t
+.TH "SYSTEMD\-NSPAWN" "1" "" "systemd 208" "systemd-nspawn"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+systemd-nspawn \- Spawn a namespace container for debugging, testing and building
+.SH "SYNOPSIS"
+.HP \w'\fBsystemd\-nspawn\fR\ 'u
+\fBsystemd\-nspawn\fR [OPTIONS...] [\fICOMMAND\fR\ [ARGS...]]
+.HP \w'\fBsystemd\-nspawn\fR\ 'u
+\fBsystemd\-nspawn\fR \-b [OPTIONS...] [ARGS...]
+.SH "DESCRIPTION"
+.PP
+\fBsystemd\-nspawn\fR
+may be used to run a command or OS in a light\-weight namespace container\&. In many ways it is similar to
+\fBchroot\fR(1), but more powerful since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name\&.
+.PP
+\fBsystemd\-nspawn\fR
+limits access to various kernel interfaces in the container to read\-only, such as
+/sys,
+/proc/sys
+or
+/sys/fs/selinux\&. Network interfaces and the system clock may not be changed from within the container\&. Device nodes may not be created\&. The host system cannot be rebooted and kernel modules may not be loaded from within the container\&.
+.PP
+Note that even though these security precautions are taken
+\fBsystemd\-nspawn\fR
+is not suitable for secure container setups\&. Many of the security features may be circumvented and are hence primarily useful to avoid accidental changes to the host system from the container\&. The intended use of this program is debugging and testing as well as building of packages, distributions and software involved with boot and systems management\&.
+.PP
+In contrast to
+\fBchroot\fR(1)\ \&\fBsystemd\-nspawn\fR
+may be used to boot full Linux\-based operating systems in a container\&.
+.PP
+Use a tool like
+\fByum\fR(8),
+\fBdebootstrap\fR(8), or
+\fBpacman\fR(8)
+to set up an OS directory tree suitable as file system hierarchy for
+\fBsystemd\-nspawn\fR
+containers\&.
+.PP
+Note that
+\fBsystemd\-nspawn\fR
+will mount file systems private to the container to
+/dev,
+/run
+and similar\&. These will not be visible outside of the container, and their contents will be lost when the container exits\&.
+.PP
+Note that running two
+\fBsystemd\-nspawn\fR
+containers from the same directory tree will not make processes in them see each other\&. The PID namespace separation of the two containers is complete and the containers will share very few runtime objects except for the underlying file system\&. It is however possible to enter an existing container, see
+Example 4
+below\&.
+.PP
+\fBsystemd\-nspawn\fR
+implements the
+\m[blue]\fBContainer Interface\fR\m[]\&\s-2\u[1]\d\s+2
+specification\&.
+.PP
+As a safety check
+\fBsystemd\-nspawn\fR
+will verify the existence of
+/etc/os\-release
+in the container tree before starting the container (see
+\fBos-release\fR(5))\&. It might be necessary to add this file to the container tree manually if the OS of the container is too old to contain this file out\-of\-the\-box\&.
+.SH "INCOMPATIBILITY WITH AUDITING"
+.PP
+Note that the kernel auditing subsystem is currently broken when used together with containers\&. We hence recommend turning it off entirely by booting with
+"audit=0"
+on the kernel command line, or by turning it off at kernel build time\&. If auditing is enabled in the kernel, operating systems booted in an nspawn container might refuse log\-in attempts\&.
+.SH "OPTIONS"
+.PP
+If option
+\fB\-b\fR
+is specified, the arguments are used as arguments for the init binary\&. Otherwise,
+\fICOMMAND\fR
+specifies the program to launch in the container, and the remaining arguments are used as arguments for this program\&. If
+\fB\-b\fR
+is not used and no arguments are specifed, a shell is launched in the container\&.
+.PP
+The following options are understood:
+.PP
+\fB\-h\fR, \fB\-\-help\fR
+.RS 4
+Prints a short help text and exits\&.
+.RE
+.PP
+\fB\-\-version\fR
+.RS 4
+Prints a version string and exits\&.
+.RE
+.PP
+\fB\-D\fR, \fB\-\-directory=\fR
+.RS 4
+Directory to use as file system root for the namespace container\&. If omitted, the current directory will be used\&.
+.RE
+.PP
+\fB\-b\fR, \fB\-\-boot\fR
+.RS 4
+Automatically search for an init binary and invoke it instead of a shell or a user supplied program\&. If this option is used, arguments specified on the command line are used as arguments for the init binary\&.
+.RE
+.PP
+\fB\-u\fR, \fB\-\-user=\fR
+.RS 4
+Run the command under specified user, create home directory and cd into it\&. As rest of systemd\-nspawn, this is not the security feature and limits against accidental changes only\&.
+.RE
+.PP
+\fB\-M\fR, \fB\-\-machine=\fR
+.RS 4
+Sets the machine name for this container\&. This name may be used to identify this container on the host, and is used to initialize the container\*(Aqs hostname (which the container can choose to override, however)\&. If not specified, the last component of the root directory of the container is used\&.
+.RE
+.PP
+\fB\-\-slice=\fR
+.RS 4
+Make the container part of the specified slice, instead of the
+machine\&.slice\&.
+.RE
+.PP
+\fB\-\-uuid=\fR
+.RS 4
+Set the specified UUID for the container\&. The init system will initialize
+/etc/machine\-id
+from this if this file is not set yet\&.
+.RE
+.PP
+\fB\-\-private\-network\fR
+.RS 4
+Turn off networking in the container\&. This makes all network interfaces unavailable in the container, with the exception of the loopback device\&.
+.RE
+.PP
+\fB\-\-read\-only\fR
+.RS 4
+Mount the root file system read\-only for the container\&.
+.RE
+.PP
+\fB\-\-capability=\fR
+.RS 4
+List one or more additional capabilities to grant the container\&. Takes a comma\-separated list of capability names, see
+\fBcapabilities\fR(7)
+for more information\&. Note that the following capabilities will be granted in any way: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER, CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_RAW, CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP, CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_CHROOT, CAP_SYS_NICE, CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG, CAP_SYS_RESOURCE, CAP_SYS_BOOT, CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL\&.
+.RE
+.PP
+\fB\-\-link\-journal=\fR
+.RS 4
+Control whether the container\*(Aqs journal shall be made visible to the host system\&. If enabled, allows viewing the container\*(Aqs journal files from the host (but not vice versa)\&. Takes one of
+"no",
+"host",
+"guest",
+"auto"\&. If
+"no", the journal is not linked\&. If
+"host", the journal files are stored on the host file system (beneath
+/var/log/journal/\fImachine\-id\fR) and the subdirectory is bind\-mounted into the container at the same location\&. If
+"guest", the journal files are stored on the guest file system (beneath
+/var/log/journal/\fImachine\-id\fR) and the subdirectory is symlinked into the host at the same location\&. If
+"auto"
+(the default), and the right subdirectory of
+/var/log/journal
+exists, it will be bind mounted into the container\&. If the subdirectory does not exist, no linking is performed\&. Effectively, booting a container once with
+"guest"
+or
+"host"
+will link the journal persistently if further on the default of
+"auto"
+is used\&.
+.RE
+.PP
+\fB\-j\fR
+.RS 4
+Equivalent to
+\fB\-\-link\-journal=guest\fR\&.
+.RE
+.PP
+\fB\-\-bind=\fR, \fB\-\-bind\-ro=\fR
+.RS 4
+Bind mount a file or directory from the host into the container\&. Either takes a path argument \-\- in which case the specified path will be mounted from the host to the same path in the container \-\-, or a colon\-separated pair of paths \-\- in which case the first specified path is the source in the host, and the second path is the destination in the container\&. The
+\fB\-\-bind\-ro=\fR
+option creates read\-only bind mount\&.
+.RE
+.SH "EXAMPLE 1"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+# yum \-y \-\-releasever=19 \-\-nogpg \-\-installroot=/srv/mycontainer \-\-disablerepo=\*(Aq*\*(Aq \-\-enablerepo=fedora install systemd passwd yum fedora\-release vim\-minimal
+# systemd\-nspawn \-bD /srv/mycontainer
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+This installs a minimal Fedora distribution into the directory
+/srv/mycontainer/
+and then boots an OS in a namespace container in it\&.
+.SH "EXAMPLE 2"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+# debootstrap \-\-arch=amd64 unstable ~/debian\-tree/
+# systemd\-nspawn \-D ~/debian\-tree/
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+This installs a minimal Debian unstable distribution into the directory
+~/debian\-tree/
+and then spawns a shell in a namespace container in it\&.
+.SH "EXAMPLE 3"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+# pacstrap \-c \-d ~/arch\-tree/ base
+# systemd\-nspawn \-bD ~/arch\-tree/
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+This installs a mimimal Arch Linux distribution into the directory
+~/arch\-tree/
+and then boots an OS in a namespace container in it\&.
+.SH "EXAMPLE 4"
+.PP
+To enter the container, PID of one of the processes sharing the new namespaces must be used\&.
+\fBsystemd\-nspawn\fR
+prints the PID (as viewed from the outside) of the launched process, and it can be used to enter the container\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+# nsenter \-m \-u \-i \-n \-p \-t $PID
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+\fBnsenter\fR(1)
+is part of
+\m[blue]\fButil\-linux\fR\m[]\&\s-2\u[2]\d\s+2\&. Kernel support for entering namespaces was added in Linux 3\&.8\&.
+.SH "EXIT STATUS"
+.PP
+The exit code of the program executed in the container is returned\&.
+.SH "SEE ALSO"
+.PP
+\fBsystemd\fR(1),
+\fBchroot\fR(1),
+\fBunshare\fR(1),
+\fByum\fR(8),
+\fBdebootstrap\fR(8),
+\fBpacman\fR(8),
+\fBsystemd.slice\fR(5)
+.SH "NOTES"
+.IP " 1." 4
+Container Interface
+.RS 4
+\%http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface
+.RE
+.IP " 2." 4
+util-linux
+.RS 4
+\%https://github.com/karelzak/util-linux
+.RE
View Lorry Controller Status