~ubuntu-branches/ubuntu/trusty/systemd/trusty


Viewing changes to man/systemd-nspawn.html

  • Committer: Package Import Robot
  • Author(s): Michael Biebl, Michael Biebl, Michael Stapelberg, Daniel Schaal, Ondrej Balaz
  • Date: 2013-09-12 00:13:11 UTC
  • mfrom: (1.1.11) (9.1.2 experimental)
  • mto: This revision was merged to the branch mainline in revision 53.
  • Revision ID: package-import@ubuntu.com-20130912001311-dz35it34wr2lbday
Tags: 204-3
[ Michael Biebl ]
* Upload to unstable.
* Use /bin/bash in debug-shell.service as Debian doesn't have /sbin/sushell.
* Only import net.ifaces cmdline property for network devices.
* Generate strict dependencies between the binary packages using a
  shlibs.local file and add an explicit versioned dependency on
  libsystemd-login0 to systemd to ensure packages are upgraded in sync.
  Closes: #719444
* Drop obsolete Replaces: libudev0 from udev package.
* Use correct paths for various binaries, like /sbin/quotaon, which are
  installed in / and not /usr in Debian.  Closes: #721347
* Don't install kernel-install(8) man page since we don't install the
  corresponding binary either.  Closes: #722180
* Cherry-pick upstream fixes to make switching runlevels and starting
  reboot via ctrl-alt-del more robust.
* Cherry-pick upstream fix to properly apply ACLs to Journal files.

[ Michael Stapelberg ]
* Make systemctl enable|disable call update-rc.d for SysV init scripts.
  Closes: #709780
* Don't mount /tmp as tmpfs by default and make it possible to enable this
  feature via "systemctl enable tmp.mount".

[ Daniel Schaal ]
* Add bug-script to systemd and udev.  Closes: #711245

[ Ondrej Balaz ]
* Recognize discard option in /etc/crypttab.

1
 
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>systemd-nspawn</title><meta name="generator" content="DocBook XSL Stylesheets V1.76.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" title="systemd-nspawn"><a name="systemd-nspawn"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>systemd-nspawn — Spawn a namespace container for debugging, testing and building</p></div><div class="refsynopsisdiv" title="Synopsis"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">systemd-nspawn [OPTIONS...]  [COMMAND]  [ARGS...]</code> </p></div></div><div class="refsect1" title="Description"><a name="id389371"></a><h2>Description</h2><p><span class="command"><strong>systemd-nspawn</strong></span> may be used to
 
1
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>systemd-nspawn</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
 
2
    a.headerlink {
 
3
      color: #c60f0f;
 
4
      font-size: 0.8em;
 
5
      padding: 0 4px 0 4px;
 
6
      text-decoration: none;
 
7
      visibility: hidden;
 
8
    }
 
9
 
 
10
    a.headerlink:hover {
 
11
      background-color: #c60f0f;
 
12
      color: white;
 
13
    }
 
14
 
 
15
    h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
 
16
      visibility: visible;
 
17
    }
 
18
  </style><a href="index.html">Index </a>·
 
19
  <a href="systemd.directives.html">Directives </a>·
 
20
  <a href="../python-systemd/index.html">Python </a>·
 
21
  <a href="../libudev/index.html">libudev </a>·
 
22
  <a href="../libudev/index.html">gudev </a><span style="float:right">systemd 204</span><hr><div class="refentry"><a name="systemd-nspawn"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>systemd-nspawn — Spawn a namespace container for debugging, testing and building</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">systemd-nspawn</code>  [OPTIONS...] [<em class="replaceable"><code>COMMAND</code></em>
 
23
                         [ARGS...]
 
24
                        ]</p></div><div class="cmdsynopsis"><p><code class="command">systemd-nspawn</code>   -b  [OPTIONS...] [ARGS...]</p></div></div><div class="refsect1"><a name="idm259778472480"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description">¶</a></h2><p><span class="command"><strong>systemd-nspawn</strong></span> may be used to
2
25
                run a command or OS in a light-weight namespace
3
26
                container. In many ways it is similar to
4
 
                <span class="citerefentry"><span class="refentrytitle">chroot</span>(1)</span>,
 
27
                <a href="chroot.html"><span class="citerefentry"><span class="refentrytitle">chroot</span>(1)</span></a>,
5
28
                but more powerful since it fully virtualizes the file
6
29
                system hierarchy, as well as the process tree, the
7
30
                various IPC subsystems and the host and domain
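Review bot: in the new navigation header the gudev link points at ../libudev/index.html, the same target as the libudev link immediately before it; if a separate gudev reference page exists it should link there, otherwise the duplicate entry should be dropped. The rest of the header change (stylesheet, the "systemd 204" version tag, the added -b synopsis form) is consistent with the generator bump to DocBook XSL 1.78.1.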
23
46
                this program is debugging and testing as well as
24
47
                building of packages, distributions and software
25
48
                involved with boot and systems management.</p><p>In contrast to
26
 
                <span class="citerefentry"><span class="refentrytitle">chroot</span>(1)</span>
 
49
                <a href="chroot.html"><span class="citerefentry"><span class="refentrytitle">chroot</span>(1)</span></a>
27
50
                <span class="command"><strong>systemd-nspawn</strong></span> may be used to boot
28
51
                full Linux-based operating systems in a
29
52
                container.</p><p>Use a tool like
30
 
                <span class="citerefentry"><span class="refentrytitle">debootstrap</span>(8)</span> or <span class="citerefentry"><span class="refentrytitle">mock</span>(1)</span>
 
53
                <a href="yum.html"><span class="citerefentry"><span class="refentrytitle">yum</span>(8)</span></a>,
 
54
                <a href="debootstrap.html"><span class="citerefentry"><span class="refentrytitle">debootstrap</span>(8)</span></a>
 
55
                or
 
56
                <a href="pacman.html"><span class="citerefentry"><span class="refentrytitle">pacman</span>(8)</span></a>
31
57
                to set up an OS directory tree suitable as file system
32
 
                hierarchy for <span class="command"><strong>systemd-nspawn</strong></span> containers.</p><p>Note that <span class="command"><strong>systemd-nspawn</strong></span> will
 
58
                hierarchy for <span class="command"><strong>systemd-nspawn</strong></span>
 
59
                containers.</p><p>Note that <span class="command"><strong>systemd-nspawn</strong></span> will
33
60
                mount file systems private to the container to
34
61
                <code class="filename">/dev</code>,
35
62
                <code class="filename">/run</code> and similar. These will
40
67
                see each other. The PID namespace separation of the
41
68
                two containers is complete and the containers will
42
69
                share very few runtime objects except for the
43
 
                underlying file system.</p></div><div class="refsect1" title="Options"><a name="id421642"></a><h2>Options</h2><p>If no arguments are passed the container is set
44
 
                up and a shell started in it, otherwise the passed
45
 
                command and arguments are executed in it. The
46
 
                following options are understood:</p><div class="variablelist"><dl><dt><span class="term"><code class="option">--help</code>, </span><span class="term"><code class="option">-h</code></span></dt><dd><p>Prints a short help
47
 
                                text and exits.</p></dd><dt><span class="term"><code class="option">--directory=</code>, </span><span class="term"><code class="option">-D</code></span></dt><dd><p>Directory to use as
 
70
                underlying file system. It is however possible to
 
71
                enter an existing container, see
 
72
                <a class="link" href="#example-nsenter" title="Example 4">Example 4</a> below.
 
73
                </p><p><span class="command"><strong>systemd-nspawn</strong></span> implements the
 
74
                <a class="ulink" href="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface" target="_top">Container
 
75
                Interface</a> specification.</p><p>As a safety check
 
76
                <span class="command"><strong>systemd-nspawn</strong></span> will verify the
 
77
                existance of <code class="filename">/etc/os-release</code> in
 
78
                the container tree before starting the container (see
 
79
                <a href="os-release.html"><span class="citerefentry"><span class="refentrytitle">os-release</span>(5)</span></a>). It
 
80
                might be necessary to add this file to the container
 
81
                tree manually if the OS of the container is too old to
 
82
                contain this file out-of-the-box.</p><p>Note that the kernel auditing subsystem is
 
83
                currently broken when used together with
 
84
                containers. We hence recommend turning it off entirely
 
85
                when using <span class="command"><strong>systemd-nspawn</strong></span> by
 
86
                booting with <code class="literal">audit=0</code> on the kernel
 
87
                command line, or by turning it off at kernel build
 
88
                time. If auditing is enabled in the kernel operating
 
89
                systems booted in an nspawn container might refuse
 
90
                log-in attempts.</p></div><div class="refsect1"><a name="idm259782111488"></a><h2 id="Options">Options<a class="headerlink" title="Permalink to this headline" href="#Options">¶</a></h2><p>If option <code class="option">-b</code> is specified, the
 
91
                arguments are used as arguments for the init
 
92
                binary. Otherwise, <em class="replaceable"><code>COMMAND</code></em>
 
93
                specifies the program to launch in the container, and
 
94
                the remaining arguments are used as arguments for this
 
95
                program. If <code class="option">-b</code> is not used and no
 
96
                arguments are specifed, a shell is launched in the
 
97
                container.</p><p>The following options are understood:</p><div class="variablelist"><dl class="variablelist"><dt id="-h"><span class="term"><code class="option">-h</code>, </span><span class="term"><code class="option">--help</code></span><a class="headerlink" title="Permalink to this term" href="#-h">¶</a></dt><dd><p>Prints a short help
 
98
                                text and exits.</p></dd><dt id="--version"><span class="term"><code class="option">--version</code></span><a class="headerlink" title="Permalink to this term" href="#--version">¶</a></dt><dd><p>Prints a version string
 
99
                                and exits.</p></dd><dt id="-D"><span class="term"><code class="option">-D</code>, </span><span class="term"><code class="option">--directory=</code></span><a class="headerlink" title="Permalink to this term" href="#-D">¶</a></dt><dd><p>Directory to use as
48
100
                                file system root for the namespace
49
101
                                container. If omitted the current
50
102
                                directory will be
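Review bot: two typos in the added Description text: "existance of /etc/os-release" should be "existence", and in the Options intro "no arguments are specifed" should be "specified". The auditing paragraph recommends booting with audit=0; since that is a kernel command-line parameter of the host, it switches auditing off for the whole host, not only for containers, and the text should say so explicitly so the trade-off (losing host audit logging versus refused log-ins inside nspawn containers) is visible to the reader. Suggested addition after "on the kernel command line": "(note that this disables auditing for the host as well)".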
51
 
                                used.</p></dd><dt><span class="term"><code class="option">--user=</code>, </span><span class="term"><code class="option">-u</code></span></dt><dd><p>Run the command
 
103
                                used.</p></dd><dt id="-b"><span class="term"><code class="option">-b</code>, </span><span class="term"><code class="option">--boot</code></span><a class="headerlink" title="Permalink to this term" href="#-b">¶</a></dt><dd><p>Automatically search
 
104
                                for an init binary and invoke it
 
105
                                instead of a shell or a user supplied
 
106
                                program. If this option is used, arguments
 
107
                                specified on the command line are used
 
108
                                as arguments for the init binary.
 
109
                                </p></dd><dt id="-u"><span class="term"><code class="option">-u</code>, </span><span class="term"><code class="option">--user=</code></span><a class="headerlink" title="Permalink to this term" href="#-u">¶</a></dt><dd><p>Run the command
52
110
                                under specified user, create home
53
111
                                directory and cd into it. As rest
54
112
                                of systemd-nspawn, this is not
55
113
                                the security feature and limits
56
114
                                against accidental changes only.
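Review bot: the -u/--user= entry moves in this hunk but its unchanged text is still ungrammatical: "As rest of systemd-nspawn, this is not the security feature and limits against accidental changes only." Since the entry is being touched anyway, suggest "As with the rest of systemd-nspawn, this is not a security feature and only limits accidental changes." The statement itself should stay: it tells the reader that --user= changes which user the command runs as without adding any isolation.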
57
 
                                </p></dd><dt><span class="term"><code class="option">--private-network</code></span></dt><dd><p>Turn off networking in
 
115
                                </p></dd><dt id="-M"><span class="term"><code class="option">-M</code>, </span><span class="term"><code class="option">--machine=</code></span><a class="headerlink" title="Permalink to this term" href="#-M">¶</a></dt><dd><p>Sets the machine name
 
116
                                for this container. This name may be
 
117
                                used to identify this container on the
 
118
                                host, and is used to initialize the
 
119
                                container's hostname (which the
 
120
                                container can choose to override,
 
121
                                however). If not specified the last
 
122
                                component of the root directory of the
 
123
                                container is used.</p></dd><dt id="--uuid="><span class="term"><code class="option">--uuid=</code></span><a class="headerlink" title="Permalink to this term" href="#--uuid=">¶</a></dt><dd><p>Set the specified uuid
 
124
                                for the container. The init system
 
125
                                will initialize
 
126
                                <code class="filename">/etc/machine-id</code>
 
127
                                from this if this file is not set yet.
 
128
                                </p></dd><dt id="-C"><span class="term"><code class="option">-C</code>, </span><span class="term"><code class="option">--controllers=</code></span><a class="headerlink" title="Permalink to this term" href="#-C">¶</a></dt><dd><p>Makes the container appear in
 
129
                                other hierarchies than the name=systemd:/ one.
 
130
                                Takes a comma-separated list of controllers.
 
131
                                </p></dd><dt id="--private-network"><span class="term"><code class="option">--private-network</code></span><a class="headerlink" title="Permalink to this term" href="#--private-network">¶</a></dt><dd><p>Turn off networking in
58
132
                                the container. This makes all network
59
133
                                interfaces unavailable in the
60
134
                                container, with the exception of the
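Review bot: in the --uuid= entry, "if this file is not set yet" should read "if this file does not exist yet", and "uuid" should be capitalised as "UUID". Minor: the -M/--machine= sentence "If not specified the last component of the root directory ..." needs a comma after "specified".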
61
 
                                loopback device.</p></dd></dl></div></div><div class="refsect1" title="Example 1"><a name="id421726"></a><h2>Example 1</h2><pre class="programlisting"># debootstrap --arch=amd64 unstable debian-tree/
62
 
# systemd-nspawn -D debian-tree/</pre><p>This installs a minimal Debian unstable
 
135
                                loopback device.</p></dd><dt id="--read-only"><span class="term"><code class="option">--read-only</code></span><a class="headerlink" title="Permalink to this term" href="#--read-only">¶</a></dt><dd><p>Mount the root file
 
136
                                system read only for the
 
137
                                container.</p></dd><dt id="--capability="><span class="term"><code class="option">--capability=</code></span><a class="headerlink" title="Permalink to this term" href="#--capability=">¶</a></dt><dd><p>List one or more
 
138
                                additional capabilities to grant the
 
139
                                container. Takes a comma separated
 
140
                                list of capability names, see
 
141
                                <a href="capabilities.html"><span class="citerefentry"><span class="refentrytitle">capabilities</span>(7)</span></a>
 
142
                                for more information. Note that the
 
143
                                following capabilities will be granted
 
144
                                in any way: CAP_CHOWN,
 
145
                                CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
 
146
                                CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
 
147
                                CAP_KILL, CAP_LEASE,
 
148
                                CAP_LINUX_IMMUTABLE,
 
149
                                CAP_NET_BIND_SERVICE,
 
150
                                CAP_NET_BROADCAST, CAP_NET_RAW,
 
151
                                CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
 
152
                                CAP_SETUID, CAP_SYS_ADMIN,
 
153
                                CAP_SYS_CHROOT, CAP_SYS_NICE,
 
154
                                CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
 
155
                                CAP_SYS_RESOURCE, CAP_SYS_BOOT,
 
156
                                CAP_AUDIT_WRITE,
 
157
                                CAP_AUDIT_CONTROL.</p></dd><dt id="--link-journal="><span class="term"><code class="option">--link-journal=</code></span><a class="headerlink" title="Permalink to this term" href="#--link-journal=">¶</a></dt><dd><p>Control whether the
 
158
                                container's journal shall be made
 
159
                                visible to the host system. If enabled
 
160
                                allows viewing the container's journal
 
161
                                files from the host (but not vice
 
162
                                versa). Takes one of
 
163
                                <code class="literal">no</code>,
 
164
                                <code class="literal">host</code>,
 
165
                                <code class="literal">guest</code>,
 
166
                                <code class="literal">auto</code>. If
 
167
                                <code class="literal">no</code>, the journal is
 
168
                                not linked. If <code class="literal">host</code>,
 
169
                                the journal files are stored on the
 
170
                                host file system (beneath
 
171
                                <code class="filename">/var/log/journal/<em class="replaceable"><code>machine-id</code></em></code>)
 
172
                                and the subdirectory is bind-mounted
 
173
                                into the container at the same
 
174
                                location. If <code class="literal">guest</code>,
 
175
                                the journal files are stored on the
 
176
                                guest file system (beneath
 
177
                                <code class="filename">/var/log/journal/<em class="replaceable"><code>machine-id</code></em></code>)
 
178
                                and the subdirectory is symlinked into the host
 
179
                                at the same location. If
 
180
                                <code class="literal">auto</code> (the default),
 
181
                                and the right subdirectory of
 
182
                                <code class="filename">/var/log/journal</code>
 
183
                                exists, it will be bind mounted
 
184
                                into the container. If the
 
185
                                subdirectory doesn't exist, no
 
186
                                linking is performed. Effectively,
 
187
                                booting a container once with
 
188
                                <code class="literal">guest</code> or
 
189
                                <code class="literal">host</code> will link the
 
190
                                journal persistently if further on
 
191
                                the default of <code class="literal">auto</code>
 
192
                                is used.</p></dd><dt id="-j"><span class="term"><code class="option">-j</code></span><a class="headerlink" title="Permalink to this term" href="#-j">¶</a></dt><dd><p>Equivalent to
 
193
                                <code class="option">--link-journal=guest</code>.</p></dd><dt id="--bind="><span class="term"><code class="option">--bind=</code>, </span><span class="term"><code class="option">--bind-ro=</code></span><a class="headerlink" title="Permalink to this term" href="#--bind=">¶</a></dt><dd><p>Bind mount a file or
 
194
                                directory from the host into the
 
195
                                container. Either takes a path
 
196
                                argument -- in which case the
 
197
                                specified path will be mounted from
 
198
                                the host to the same path in the
 
199
                                container --, or a colon-separated
 
200
                                pair of paths -- in which case the
 
201
                                first specified path is the source in
 
202
                                the host, and the second path is the
 
203
                                destination in the container. The
 
204
                                <code class="option">--bind-ro=</code> option
 
205
                                creates read-only bind
 
206
                                mount.</p></dd></dl></div></div><div class="refsect1"><a name="idm259777421088"></a><h2 id="Example 1">Example 1<a class="headerlink" title="Permalink to this headline" href="#Example%201">¶</a></h2><pre class="programlisting"># yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
 
207
# systemd-nspawn -bD /srv/mycontainer</pre><p>This installs a minimal Fedora distribution into
 
208
                the directory <code class="filename">/srv/mycontainer/</code> and
 
209
                then boots an OS in a namespace container in
 
210
                it.</p></div><div class="refsect1"><a name="idm259777418240"></a><h2 id="Example 2">Example 2<a class="headerlink" title="Permalink to this headline" href="#Example%202">¶</a></h2><pre class="programlisting"># debootstrap --arch=amd64 unstable ~/debian-tree/
 
211
# systemd-nspawn -D ~/debian-tree/</pre><p>This installs a minimal Debian unstable
63
212
                distribution into the directory
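Review bot: in the --capability= entry, "the following capabilities will be granted in any way" should read "in any case" (or "regardless"): the point is that --capability= can only add to a baseline set that is always granted, and that baseline already includes CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_SETUID and CAP_SETGID, which readers should not mistake for a restricted default. Suggest stating explicitly that the option adds to, and cannot remove from, this list. Also in this hunk: the --link-journal= sentence "If enabled allows viewing" is missing its subject ("If enabled, this allows ..."); the "--," punctuation in the --bind= entry should be plain commas or parentheses; and the yum command in Example 1 passes --nogpg, which installs the container's packages without signature verification, so the example should either explain why signature checking is skipped or show the form without that flag.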
64
 
                <code class="filename">debian-tree/</code> and then spawns a
65
 
                shell in a namespace container in it.</p></div><div class="refsect1" title="Example 2"><a name="id389146"></a><h2>Example 2</h2><pre class="programlisting"># mock --init
66
 
# systemd-nspawn -D /var/lib/mock/fedora-rawhide-x86_64/root/ /sbin/init systemd.log_level=debug</pre><p>This installs a minimal Fedora distribution into
67
 
                a subdirectory of <code class="filename">/var/lib/mock/</code>
68
 
                and then boots an OS in a namespace container in it,
69
 
                with systemd as init system, configured for debug
70
 
                logging.</p></div><div class="refsect1" title="Exit status"><a name="id389170"></a><h2>Exit status</h2><p>The exit code of the program executed in the
71
 
                container is returned.</p></div><div class="refsect1" title="See Also"><a name="id389181"></a><h2>See Also</h2><p>
72
 
                        <span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span>,
73
 
                        <span class="citerefentry"><span class="refentrytitle">chroot</span>(1)</span>,
74
 
                        <span class="citerefentry"><span class="refentrytitle">debootstrap</span>(8)</span>,
75
 
                        <span class="citerefentry"><span class="refentrytitle">mock</span>(1)</span>
 
213
                <code class="filename">~/debian-tree/</code> and then spawns a
 
214
                shell in a namespace container in it.</p></div><div class="refsect1"><a name="idm259777415520"></a><h2 id="Example 3">Example 3<a class="headerlink" title="Permalink to this headline" href="#Example%203">¶</a></h2><pre class="programlisting"># pacstrap -c -d ~/arch-tree/ base
 
215
# systemd-nspawn -bD ~/arch-tree/</pre><p>This installs a mimimal Arch Linux distribution into
 
216
                the directory <code class="filename">~/arch-tree/</code> and then
 
217
                boots an OS in a namespace container in it.</p></div><div class="refsect1"><a name="example-nsenter"></a><h2 id="Example 4">Example 4<a class="headerlink" title="Permalink to this headline" href="#Example%204">¶</a></h2><p>To enter the container, PID of one of the
 
218
                processes sharing the new namespaces must be used.
 
219
                <span class="command"><strong>systemd-nspawn</strong></span> prints the PID
 
220
                (as viewed from the outside) of the launched process,
 
221
                and it can be used to enter the container.</p><pre class="programlisting"># nsenter -m -u -i -n -p -t $PID</pre><p><a href="nsenter.html"><span class="citerefentry"><span class="refentrytitle">nsenter</span>(1)</span></a>
 
222
                is part of
 
223
                <a class="ulink" href="https://github.com/karelzak/util-linux" target="_top">util-linux</a>.
 
224
                Kernel support for entering namespaces was added in
 
225
                Linux 3.8.</p></div><div class="refsect1"><a name="idm259777408320"></a><h2 id="Exit status">Exit status<a class="headerlink" title="Permalink to this headline" href="#Exit%20status">¶</a></h2><p>The exit code of the program executed in the
 
226
                container is returned.</p></div><div class="refsect1"><a name="idm259777407072"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also">¶</a></h2><p>
 
227
                        <a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
 
228
                        <a href="chroot.html"><span class="citerefentry"><span class="refentrytitle">chroot</span>(1)</span></a>,
 
229
                        <a href="unshare.html"><span class="citerefentry"><span class="refentrytitle">unshare</span>(1)</span></a>,
 
230
                        <a href="yum.html"><span class="citerefentry"><span class="refentrytitle">yum</span>(8)</span></a>,
 
231
                        <a href="debootstrap.html"><span class="citerefentry"><span class="refentrytitle">debootstrap</span>(8)</span></a>,
 
232
                        <a href="pacman.html"><span class="citerefentry"><span class="refentrytitle">pacman</span>(8)</span></a>
76
233
                </p></div></div></body></html>
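Review bot: "mimimal Arch Linux distribution" in Example 3 should be "minimal", and the first sentence of Example 4 should read "the PID of one of the processes sharing the new namespaces must be used". In the nsenter command, $PID is the value systemd-nspawn prints as described in the preceding sentence; naming it as such in the prose ("replace $PID with the printed PID") would make the example self-contained.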