Diffstat (limited to 'man/systemd-nspawn.xml')
-rw-r--r-- man/systemd-nspawn.xml 166
1 files changed, 141 insertions, 25 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index fef5c2c83a..d9fb899895 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -49,7 +49,17 @@
<refsynopsisdiv>
<cmdsynopsis>
- <command>systemd-nspawn <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt">COMMAND</arg> <arg choice="opt" rep="repeat">ARGS</arg></command>
+ <command>systemd-nspawn</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="opt"><replaceable>COMMAND</replaceable>
+ <arg choice="opt" rep="repeat">ARGS</arg>
+ </arg>
+ </cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-nspawn</command>
+ <arg choice="plain">-b</arg>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="opt" rep="repeat">ARGS</arg>
</cmdsynopsis>
</refsynopsisdiv>
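Review bot: the placeholder markup in the new synopsis is inconsistent: COMMAND is wrapped in <replaceable>, but OPTIONS and ARGS in the same <cmdsynopsis> (and all three in the -b form) are not. Wrap them the same way, e.g. `<arg choice="opt" rep="repeat"><replaceable>ARGS</replaceable></arg>`, so the two forms render alike and the reader can tell literal tokens from placeholders.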
@@ -93,9 +103,10 @@
container.</para>
<para>Use a tool like
- <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>
- or
+ <citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ or
+ <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
to set up an OS directory tree suitable as file system
hierarchy for <command>systemd-nspawn</command>
containers.</para>
@@ -113,34 +124,69 @@
see each other. The PID namespace separation of the
two containers is complete and the containers will
share very few runtime objects except for the
- underlying file system.</para>
+ underlying file system. It is however possible to
+ enter an existing container, see
+ <link linkend='example-nsenter'>Example 4</link> below.
+ </para>
<para><command>systemd-nspawn</command> implements the
<ulink
url="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface">Container
Interface</ulink> specification.</para>
+
+ <para>As a safety check
+ <command>systemd-nspawn</command> will verify the
+ existance of <filename>/etc/os-release</filename> in
+ the container tree before starting the container (see
+ <citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>). It
+ might be necessary to add this file to the container
+ tree manually if the OS of the container is too old to
+ contain this file out-of-the-box.</para>
+
+ <para>Note that the kernel auditing subsystem is
+ currently broken when used together with
+ containers. We hence recommend turning it off entirely
+ when using <command>systemd-nspawn</command> by
+ booting with <literal>audit=0</literal> on the kernel
+ command line, or by turning it off at kernel build
+ time. If auditing is enabled in the kernel operating
+ systems booted in an nspawn container might refuse
+ log-in attempts.</para>
</refsect1>
<refsect1>
<title>Options</title>
- <para>If no arguments are passed the container is set
- up and a shell started in it, otherwise the passed
- command and arguments are executed in it. The
- following options are understood:</para>
+ <para>If option <option>-b</option> is specified, the
+ arguments are used as arguments for the init
+ binary. Otherwise, <replaceable>COMMAND</replaceable>
+ specifies the program to launch in the container, and
+ the remaining arguments are used as arguments for this
+ program. If <option>-b</option> is not used and no
+ arguments are specifed, a shell is launched in the
+ container.</para>
+
+ <para>The following options are understood:</para>
<variablelist>
<varlistentry>
- <term><option>--help</option></term>
<term><option>-h</option></term>
+ <term><option>--help</option></term>
<listitem><para>Prints a short help
text and exits.</para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--directory=</option></term>
+ <term><option>--version</option></term>
+
+ <listitem><para>Prints a version string
+ and exits.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>-D</option></term>
+ <term><option>--directory=</option></term>
<listitem><para>Directory to use as
file system root for the namespace
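Review bot: two typos and a grammar slip in the added text: "existance" should be "existence" (os-release paragraph), "specifed" should be "specified" (Options introduction), and "If auditing is enabled in the kernel operating systems booted in an nspawn container" needs a comma after "kernel". The audit paragraph also recommends booting with audit=0 without saying that this switches off auditing for the whole host, not just for containers; an administrator who depends on host audit logging should see that trade-off stated, and the paragraph should cross-reference the CAP_AUDIT_WRITE/CAP_AUDIT_CONTROL grants this same patch adds to the always-granted capability list, since the two changes are related.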
@@ -150,18 +196,21 @@
</varlistentry>
<varlistentry>
- <term><option>--boot</option></term>
<term><option>-b</option></term>
+ <term><option>--boot</option></term>
<listitem><para>Automatically search
for an init binary and invoke it
instead of a shell or a user supplied
- program.</para></listitem>
+ program. If this option is used, arguments
+ specified on the command line are used
+ as arguments for the init binary.
+ </para></listitem>
</varlistentry>
<varlistentry>
- <term><option>--user=</option></term>
<term><option>-u</option></term>
+ <term><option>--user=</option></term>
<listitem><para>Run the command
under specified user, create home
@@ -173,6 +222,21 @@
</varlistentry>
<varlistentry>
+ <term><option>-M</option></term>
+ <term><option>--machine=</option></term>
+
+ <listitem><para>Sets the machine name
+ for this container. This name may be
+ used to identify this container on the
+ host, and is used to initialize the
+ container's hostname (which the
+ container can choose to override,
+ however). If not specified the last
+ component of the root directory of the
+ container is used.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>--uuid=</option></term>
<listitem><para>Set the specified uuid
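Review bot: the -M/--machine= entry does not say what a valid machine name is, nor what happens when the default (the last component of the root directory) is not a valid hostname. Because the value is used to initialize the container's hostname, document the accepted character set and length, and whether the option is validated or passed through unchanged; otherwise a user who names the directory freely will only find out at boot time.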
@@ -184,8 +248,8 @@
</varlistentry>
<varlistentry>
- <term><option>--controllers=</option></term>
<term><option>-C</option></term>
+ <term><option>--controllers=</option></term>
<listitem><para>Makes the container appear in
other hierarchies than the name=systemd:/ one.
@@ -220,8 +284,8 @@
list of capability names, see
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for more information. Note that the
- following capabilities will be
- granted in any way: CAP_CHOWN,
+ following capabilities will be granted
+ in any way: CAP_CHOWN,
CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
CAP_KILL, CAP_LEASE,
@@ -232,7 +296,9 @@
CAP_SETUID, CAP_SYS_ADMIN,
CAP_SYS_CHROOT, CAP_SYS_NICE,
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
- CAP_SYS_RESOURCE, CAP_SYS_BOOT.</para></listitem>
+ CAP_SYS_RESOURCE, CAP_SYS_BOOT,
+ CAP_AUDIT_WRITE,
+ CAP_AUDIT_CONTROL.</para></listitem>
</varlistentry>
<varlistentry>
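Review bot: CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL are added to the set of capabilities that is always granted, while the Description paragraph in this same patch says auditing is broken with containers and should be disabled. State why they are granted unconditionally instead of on request via --capability=: the kernel audit subsystem is not namespaced, so CAP_AUDIT_CONTROL in particular lets a process in the container change audit configuration shared with the host. A reader of this list should be told that these two capabilities reach beyond the container.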
@@ -252,13 +318,13 @@
not linked. If <literal>host</literal>,
the journal files are stored on the
host file system (beneath
- <filename>/var/log/journal/&lt;machine-id&gt;</filename>)
+ <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
and the subdirectory is bind-mounted
into the container at the same
location. If <literal>guest</literal>,
the journal files are stored on the
guest file system (beneath
- <filename>/var/log/journal/&lt;machine-id&gt;</filename>)
+ <filename>/var/log/journal/<replaceable>machine-id</replaceable></filename>)
and the subdirectory is symlinked into the host
at the same location. If
<literal>auto</literal> (the default),
@@ -282,6 +348,26 @@
<listitem><para>Equivalent to
<option>--link-journal=guest</option>.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><option>--bind=</option></term>
+ <term><option>--bind-ro=</option></term>
+
+ <listitem><para>Bind mount a file or
+ directory from the host into the
+ container. Either takes a path
+ argument -- in which case the
+ specified path will be mounted from
+ the host to the same path in the
+ container --, or a colon-separated
+ pair of paths -- in which case the
+ first specified path is the source in
+ the host, and the second path is the
+ destination in the container. The
+ <option>--bind-ro=</option> option
+ creates read-only bind
+ mount.</para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>
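Review bot: "creates read-only bind mount" should read "creates a read-only bind mount", and the "--," after "container" leaves a stray comma; plain commas or parentheses around the two cases would read better. The entry also leaves out whether --bind=/--bind-ro= may be given more than once and whether the destination path must already exist in the container tree. Since a writable bind mount gives the container full write access to that host path, add a sentence recommending --bind-ro= unless the container actually needs to write there.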
@@ -289,13 +375,13 @@
<refsect1>
<title>Example 1</title>
- <programlisting># yum --releasever=17 --nogpgcheck --installroot ~/fedora-tree/ install yum passwd vim-minimal rootfiles systemd
-# systemd-nspawn -D ~/fedora-tree /usr/lib/systemd/systemd</programlisting>
+ <programlisting># yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
+# systemd-nspawn -bD /srv/mycontainer</programlisting>
<para>This installs a minimal Fedora distribution into
- the directory <filename>~/fedora-tree/</filename>
- and then boots an OS in a namespace container in it,
- with systemd as init system.</para>
+ the directory <filename noindex='true'>/srv/mycontainer/</filename> and
+ then boots an OS in a namespace container in
+ it.</para>
</refsect1>
<refsect1>
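Review bot: the new yum line uses --nogpg, which only works because yum's option parser accepts unambiguous prefixes of --nogpgcheck; spell the option out as the old line did so the example does not depend on that behaviour. The example also disables package signature verification entirely and the accompanying text does not say why; either explain the reason (for instance the release key not being available on the host) or drop the flag so readers do not copy it by habit. Minor: <filename noindex='true'> uses single-quoted attributes while the rest of the file uses double quotes.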
@@ -308,7 +394,35 @@
distribution into the directory
<filename>~/debian-tree/</filename> and then spawns a
shell in a namespace container in it.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Example 3</title>
+
+ <programlisting># pacstrap -c -d ~/arch-tree/ base
+# systemd-nspawn -bD ~/arch-tree/</programlisting>
+
+ <para>This installs a mimimal Arch Linux distribution into
+ the directory <filename>~/arch-tree/</filename> and then
+ boots an OS in a namespace container in it.</para>
+ </refsect1>
+
+ <refsect1 id='example-nsenter'>
+ <title>Example 4</title>
+
+ <para>To enter the container, PID of one of the
+ processes sharing the new namespaces must be used.
+ <command>systemd-nspawn</command> prints the PID
+ (as viewed from the outside) of the launched process,
+ and it can be used to enter the container.</para>
+
+ <programlisting># nsenter -m -u -i -n -p -t $PID</programlisting>
+ <para><citerefentry><refentrytitle>nsenter</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ is part of
+ <ulink url="https://github.com/karelzak/util-linux">util-linux</ulink>.
+ Kernel support for entering namespaces was added in
+ Linux 3.8.</para>
</refsect1>
<refsect1>
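Review bot: "mimimal" in Example 3 should be "minimal", and "PID of one of the processes" in Example 4 reads better as "the PID of one of the processes". In the nsenter listing, $PID should be marked up as <replaceable>PID</replaceable> like the other placeholders in this file. "Kernel support for entering namespaces was added in Linux 3.8" is imprecise: setns(2) has existed since Linux 3.0; what 3.8 added is the ability to enter PID (and user) namespaces, which the -p flag in this example relies on, so say that instead.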
@@ -323,8 +437,10 @@
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>debootstrap</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pacman</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>