mirror of
https://git.proxmox.com/git/systemd
synced 2025-06-05 18:23:08 +00:00
234 lines
21 KiB
HTML
234 lines
21 KiB
HTML
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>systemd-nspawn</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
|
|
a.headerlink {
|
|
color: #c60f0f;
|
|
font-size: 0.8em;
|
|
padding: 0 4px 0 4px;
|
|
text-decoration: none;
|
|
visibility: hidden;
|
|
}
|
|
|
|
a.headerlink:hover {
|
|
background-color: #c60f0f;
|
|
color: white;
|
|
}
|
|
|
|
h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
|
|
visibility: visible;
|
|
}
|
|
</style><a href="index.html">Index </a>·
|
|
<a href="systemd.directives.html">Directives </a>·
|
|
<a href="../python-systemd/index.html">Python </a>·
|
|
<a href="../libudev/index.html">libudev </a>·
|
|
<a href="../libudev/index.html">gudev </a><span style="float:right">systemd 204</span><hr><div class="refentry"><a name="systemd-nspawn"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>systemd-nspawn — Spawn a namespace container for debugging, testing and building</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">systemd-nspawn</code> [OPTIONS...] [<em class="replaceable"><code>COMMAND</code></em>
|
|
[ARGS...]
|
|
]</p></div><div class="cmdsynopsis"><p><code class="command">systemd-nspawn</code> -b [OPTIONS...] [ARGS...]</p></div></div><div class="refsect1"><a name="idm259778472480"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description">¶</a></h2><p><span class="command"><strong>systemd-nspawn</strong></span> may be used to
|
|
run a command or OS in a light-weight namespace
|
|
container. In many ways it is similar to
|
|
<a href="chroot.html"><span class="citerefentry"><span class="refentrytitle">chroot</span>(1)</span></a>,
|
|
but more powerful since it fully virtualizes the file
|
|
system hierarchy, as well as the process tree, the
|
|
various IPC subsystems and the host and domain
|
|
name.</p><p><span class="command"><strong>systemd-nspawn</strong></span> limits access
|
|
to various kernel interfaces in the container to
|
|
read-only, such as <code class="filename">/sys</code>,
|
|
<code class="filename">/proc/sys</code> or
|
|
<code class="filename">/sys/fs/selinux</code>. Network
|
|
interfaces and the system clock may not be changed
|
|
from within the container. Device nodes may not be
|
|
created. The host system cannot be rebooted and kernel
|
|
modules may not be loaded from within the
|
|
container.</p><p>Note that even though these security precautions
|
|
are taken <span class="command"><strong>systemd-nspawn</strong></span> is not
|
|
suitable for secure container setups. Many of the
|
|
security features may be circumvented and are hence
|
|
primarily useful to avoid accidental changes to the
|
|
host system from the container. The intended use of
|
|
this program is debugging and testing as well as
|
|
building of packages, distributions and software
|
|
involved with boot and systems management.</p><p>In contrast to
|
|
<a href="chroot.html"><span class="citerefentry"><span class="refentrytitle">chroot</span>(1)</span></a>
|
|
<span class="command"><strong>systemd-nspawn</strong></span> may be used to boot
|
|
full Linux-based operating systems in a
|
|
container.</p><p>Use a tool like
|
|
<a href="yum.html"><span class="citerefentry"><span class="refentrytitle">yum</span>(8)</span></a>,
|
|
<a href="debootstrap.html"><span class="citerefentry"><span class="refentrytitle">debootstrap</span>(8)</span></a>
|
|
or
|
|
<a href="pacman.html"><span class="citerefentry"><span class="refentrytitle">pacman</span>(8)</span></a>
|
|
to set up an OS directory tree suitable as file system
|
|
hierarchy for <span class="command"><strong>systemd-nspawn</strong></span>
|
|
containers.</p><p>Note that <span class="command"><strong>systemd-nspawn</strong></span> will
|
|
mount file systems private to the container to
|
|
<code class="filename">/dev</code>,
|
|
<code class="filename">/run</code> and similar. These will
|
|
not be visible outside of the container, and their
|
|
contents will be lost when the container exits.</p><p>Note that running two
|
|
<span class="command"><strong>systemd-nspawn</strong></span> containers from the
|
|
same directory tree will not make processes in them
|
|
see each other. The PID namespace separation of the
|
|
two containers is complete and the containers will
|
|
share very few runtime objects except for the
|
|
underlying file system. It is however possible to
|
|
enter an existing container, see
|
|
<a class="link" href="#example-nsenter" title="Example 4">Example 4</a> below.
|
|
</p><p><span class="command"><strong>systemd-nspawn</strong></span> implements the
|
|
<a class="ulink" href="http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface" target="_top">Container
|
|
Interface</a> specification.</p><p>As a safety check
|
|
<span class="command"><strong>systemd-nspawn</strong></span> will verify the
|
|
existance of <code class="filename">/etc/os-release</code> in
|
|
the container tree before starting the container (see
|
|
<a href="os-release.html"><span class="citerefentry"><span class="refentrytitle">os-release</span>(5)</span></a>). It
|
|
might be necessary to add this file to the container
|
|
tree manually if the OS of the container is too old to
|
|
contain this file out-of-the-box.</p><p>Note that the kernel auditing subsystem is
|
|
currently broken when used together with
|
|
containers. We hence recommend turning it off entirely
|
|
when using <span class="command"><strong>systemd-nspawn</strong></span> by
|
|
booting with <code class="literal">audit=0</code> on the kernel
|
|
command line, or by turning it off at kernel build
|
|
time. If auditing is enabled in the kernel operating
|
|
systems booted in an nspawn container might refuse
|
|
log-in attempts.</p></div><div class="refsect1"><a name="idm259782111488"></a><h2 id="Options">Options<a class="headerlink" title="Permalink to this headline" href="#Options">¶</a></h2><p>If option <code class="option">-b</code> is specified, the
|
|
arguments are used as arguments for the init
|
|
binary. Otherwise, <em class="replaceable"><code>COMMAND</code></em>
|
|
specifies the program to launch in the container, and
|
|
the remaining arguments are used as arguments for this
|
|
program. If <code class="option">-b</code> is not used and no
|
|
arguments are specifed, a shell is launched in the
|
|
container.</p><p>The following options are understood:</p><div class="variablelist"><dl class="variablelist"><dt id="-h"><span class="term"><code class="option">-h</code>, </span><span class="term"><code class="option">--help</code></span><a class="headerlink" title="Permalink to this term" href="#-h">¶</a></dt><dd><p>Prints a short help
|
|
text and exits.</p></dd><dt id="--version"><span class="term"><code class="option">--version</code></span><a class="headerlink" title="Permalink to this term" href="#--version">¶</a></dt><dd><p>Prints a version string
|
|
and exits.</p></dd><dt id="-D"><span class="term"><code class="option">-D</code>, </span><span class="term"><code class="option">--directory=</code></span><a class="headerlink" title="Permalink to this term" href="#-D">¶</a></dt><dd><p>Directory to use as
|
|
file system root for the namespace
|
|
container. If omitted the current
|
|
directory will be
|
|
used.</p></dd><dt id="-b"><span class="term"><code class="option">-b</code>, </span><span class="term"><code class="option">--boot</code></span><a class="headerlink" title="Permalink to this term" href="#-b">¶</a></dt><dd><p>Automatically search
|
|
for an init binary and invoke it
|
|
instead of a shell or a user supplied
|
|
program. If this option is used, arguments
|
|
specified on the command line are used
|
|
as arguments for the init binary.
|
|
</p></dd><dt id="-u"><span class="term"><code class="option">-u</code>, </span><span class="term"><code class="option">--user=</code></span><a class="headerlink" title="Permalink to this term" href="#-u">¶</a></dt><dd><p>Run the command
|
|
under specified user, create home
|
|
directory and cd into it. As rest
|
|
of systemd-nspawn, this is not
|
|
the security feature and limits
|
|
against accidental changes only.
|
|
</p></dd><dt id="-M"><span class="term"><code class="option">-M</code>, </span><span class="term"><code class="option">--machine=</code></span><a class="headerlink" title="Permalink to this term" href="#-M">¶</a></dt><dd><p>Sets the machine name
|
|
for this container. This name may be
|
|
used to identify this container on the
|
|
host, and is used to initialize the
|
|
container's hostname (which the
|
|
container can choose to override,
|
|
however). If not specified the last
|
|
component of the root directory of the
|
|
container is used.</p></dd><dt id="--uuid="><span class="term"><code class="option">--uuid=</code></span><a class="headerlink" title="Permalink to this term" href="#--uuid=">¶</a></dt><dd><p>Set the specified uuid
|
|
for the container. The init system
|
|
will initialize
|
|
<code class="filename">/etc/machine-id</code>
|
|
from this if this file is not set yet.
|
|
</p></dd><dt id="-C"><span class="term"><code class="option">-C</code>, </span><span class="term"><code class="option">--controllers=</code></span><a class="headerlink" title="Permalink to this term" href="#-C">¶</a></dt><dd><p>Makes the container appear in
|
|
other hierarchies than the name=systemd:/ one.
|
|
Takes a comma-separated list of controllers.
|
|
</p></dd><dt id="--private-network"><span class="term"><code class="option">--private-network</code></span><a class="headerlink" title="Permalink to this term" href="#--private-network">¶</a></dt><dd><p>Turn off networking in
|
|
the container. This makes all network
|
|
interfaces unavailable in the
|
|
container, with the exception of the
|
|
loopback device.</p></dd><dt id="--read-only"><span class="term"><code class="option">--read-only</code></span><a class="headerlink" title="Permalink to this term" href="#--read-only">¶</a></dt><dd><p>Mount the root file
|
|
system read only for the
|
|
container.</p></dd><dt id="--capability="><span class="term"><code class="option">--capability=</code></span><a class="headerlink" title="Permalink to this term" href="#--capability=">¶</a></dt><dd><p>List one or more
|
|
additional capabilities to grant the
|
|
container. Takes a comma separated
|
|
list of capability names, see
|
|
<a href="capabilities.html"><span class="citerefentry"><span class="refentrytitle">capabilities</span>(7)</span></a>
|
|
for more information. Note that the
|
|
following capabilities will be granted
|
|
in any way: CAP_CHOWN,
|
|
CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
|
|
CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
|
|
CAP_KILL, CAP_LEASE,
|
|
CAP_LINUX_IMMUTABLE,
|
|
CAP_NET_BIND_SERVICE,
|
|
CAP_NET_BROADCAST, CAP_NET_RAW,
|
|
CAP_SETGID, CAP_SETFCAP, CAP_SETPCAP,
|
|
CAP_SETUID, CAP_SYS_ADMIN,
|
|
CAP_SYS_CHROOT, CAP_SYS_NICE,
|
|
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
|
|
CAP_SYS_RESOURCE, CAP_SYS_BOOT,
|
|
CAP_AUDIT_WRITE,
|
|
CAP_AUDIT_CONTROL.</p></dd><dt id="--link-journal="><span class="term"><code class="option">--link-journal=</code></span><a class="headerlink" title="Permalink to this term" href="#--link-journal=">¶</a></dt><dd><p>Control whether the
|
|
container's journal shall be made
|
|
visible to the host system. If enabled
|
|
allows viewing the container's journal
|
|
files from the host (but not vice
|
|
versa). Takes one of
|
|
<code class="literal">no</code>,
|
|
<code class="literal">host</code>,
|
|
<code class="literal">guest</code>,
|
|
<code class="literal">auto</code>. If
|
|
<code class="literal">no</code>, the journal is
|
|
not linked. If <code class="literal">host</code>,
|
|
the journal files are stored on the
|
|
host file system (beneath
|
|
<code class="filename">/var/log/journal/<em class="replaceable"><code>machine-id</code></em></code>)
|
|
and the subdirectory is bind-mounted
|
|
into the container at the same
|
|
location. If <code class="literal">guest</code>,
|
|
the journal files are stored on the
|
|
guest file system (beneath
|
|
<code class="filename">/var/log/journal/<em class="replaceable"><code>machine-id</code></em></code>)
|
|
and the subdirectory is symlinked into the host
|
|
at the same location. If
|
|
<code class="literal">auto</code> (the default),
|
|
and the right subdirectory of
|
|
<code class="filename">/var/log/journal</code>
|
|
exists, it will be bind mounted
|
|
into the container. If the
|
|
subdirectory doesn't exist, no
|
|
linking is performed. Effectively,
|
|
booting a container once with
|
|
<code class="literal">guest</code> or
|
|
<code class="literal">host</code> will link the
|
|
journal persistently if further on
|
|
the default of <code class="literal">auto</code>
|
|
is used.</p></dd><dt id="-j"><span class="term"><code class="option">-j</code></span><a class="headerlink" title="Permalink to this term" href="#-j">¶</a></dt><dd><p>Equivalent to
|
|
<code class="option">--link-journal=guest</code>.</p></dd><dt id="--bind="><span class="term"><code class="option">--bind=</code>, </span><span class="term"><code class="option">--bind-ro=</code></span><a class="headerlink" title="Permalink to this term" href="#--bind=">¶</a></dt><dd><p>Bind mount a file or
|
|
directory from the host into the
|
|
container. Either takes a path
|
|
argument -- in which case the
|
|
specified path will be mounted from
|
|
the host to the same path in the
|
|
container --, or a colon-separated
|
|
pair of paths -- in which case the
|
|
first specified path is the source in
|
|
the host, and the second path is the
|
|
destination in the container. The
|
|
<code class="option">--bind-ro=</code> option
|
|
creates read-only bind
|
|
mount.</p></dd></dl></div></div><div class="refsect1"><a name="idm259777421088"></a><h2 id="Example 1">Example 1<a class="headerlink" title="Permalink to this headline" href="#Example%201">¶</a></h2><pre class="programlisting"># yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
|
|
# systemd-nspawn -bD /srv/mycontainer</pre><p>This installs a minimal Fedora distribution into
|
|
the directory <code class="filename">/srv/mycontainer/</code> and
|
|
then boots an OS in a namespace container in
|
|
it.</p></div><div class="refsect1"><a name="idm259777418240"></a><h2 id="Example 2">Example 2<a class="headerlink" title="Permalink to this headline" href="#Example%202">¶</a></h2><pre class="programlisting"># debootstrap --arch=amd64 unstable ~/debian-tree/
|
|
# systemd-nspawn -D ~/debian-tree/</pre><p>This installs a minimal Debian unstable
|
|
distribution into the directory
|
|
<code class="filename">~/debian-tree/</code> and then spawns a
|
|
shell in a namespace container in it.</p></div><div class="refsect1"><a name="idm259777415520"></a><h2 id="Example 3">Example 3<a class="headerlink" title="Permalink to this headline" href="#Example%203">¶</a></h2><pre class="programlisting"># pacstrap -c -d ~/arch-tree/ base
|
|
# systemd-nspawn -bD ~/arch-tree/</pre><p>This installs a mimimal Arch Linux distribution into
|
|
the directory <code class="filename">~/arch-tree/</code> and then
|
|
boots an OS in a namespace container in it.</p></div><div class="refsect1"><a name="example-nsenter"></a><h2 id="Example 4">Example 4<a class="headerlink" title="Permalink to this headline" href="#Example%204">¶</a></h2><p>To enter the container, PID of one of the
|
|
processes sharing the new namespaces must be used.
|
|
<span class="command"><strong>systemd-nspawn</strong></span> prints the PID
|
|
(as viewed from the outside) of the launched process,
|
|
and it can be used to enter the container.</p><pre class="programlisting"># nsenter -m -u -i -n -p -t $PID</pre><p><a href="nsenter.html"><span class="citerefentry"><span class="refentrytitle">nsenter</span>(1)</span></a>
|
|
is part of
|
|
<a class="ulink" href="https://github.com/karelzak/util-linux" target="_top">util-linux</a>.
|
|
Kernel support for entering namespaces was added in
|
|
Linux 3.8.</p></div><div class="refsect1"><a name="idm259777408320"></a><h2 id="Exit status">Exit status<a class="headerlink" title="Permalink to this headline" href="#Exit%20status">¶</a></h2><p>The exit code of the program executed in the
|
|
container is returned.</p></div><div class="refsect1"><a name="idm259777407072"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also">¶</a></h2><p>
|
|
<a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
|
|
<a href="chroot.html"><span class="citerefentry"><span class="refentrytitle">chroot</span>(1)</span></a>,
|
|
<a href="unshare.html"><span class="citerefentry"><span class="refentrytitle">unshare</span>(1)</span></a>,
|
|
<a href="yum.html"><span class="citerefentry"><span class="refentrytitle">yum</span>(8)</span></a>,
|
|
<a href="debootstrap.html"><span class="citerefentry"><span class="refentrytitle">debootstrap</span>(8)</span></a>,
|
|
<a href="pacman.html"><span class="citerefentry"><span class="refentrytitle">pacman</span>(8)</span></a>
|
|
</p></div></div></body></html>
|