<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd.nspawn">

  <refentryinfo>
    <title>systemd.nspawn</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.nspawn</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.nspawn</refname>
    <refpurpose>Container settings</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
    <para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
    <para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>An nspawn container settings file (suffix <filename>.nspawn</filename>) contains runtime
    configuration for a local container, and is used by
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
    Files of this type are named after the containers they define settings for. They are optional, and only
    required for containers whose execution environment shall differ from the defaults. Files of this type
    mostly contain settings that may also be set on the <command>systemd-nspawn</command> command line, and
    make it easier to persistently attach specific settings to specific containers. The syntax of these files
    is inspired by <filename>.desktop</filename> files, similarly to other configuration files supported by
    the systemd project. See
    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry> for an
    overview.</para>
  </refsect1>

  <refsect1>
    <title><filename>.nspawn</filename> File Discovery</title>

    <para>Files are searched for by appending the <filename>.nspawn</filename> suffix to the machine name of
    the container, as specified with the <option>--machine=</option> switch of
    <command>systemd-nspawn</command>, or derived from the directory or image file name. This file is first
    searched for in <filename>/etc/systemd/nspawn/</filename> and
    <filename>/run/systemd/nspawn/</filename>. If found there, the settings are read and all of them take
    full effect (but may still be overridden by corresponding command line arguments). Otherwise, the file
    will then be searched for next to the image file or in the immediate parent of the root directory of the
    container. If the file is found there, however, only a subset of the settings will take effect: all
    settings that possibly elevate privileges or grant additional access to resources of the host (such as
    files or directories) are ignored. To which options this applies is documented below.</para>

    <para>Persistent settings files created and maintained by the
    administrator (and thus trusted) should be placed in
    <filename>/etc/systemd/nspawn/</filename>, while automatically
    downloaded (and thus potentially untrusted) settings files are
    placed in <filename>/var/lib/machines/</filename> instead (next to
    the container images), where their security impact is limited. In
    order to add privileged settings to <filename>.nspawn</filename>
    files acquired from the image vendor, it is recommended to copy the
    settings files into <filename>/etc/systemd/nspawn/</filename> and
    edit them there, so that the privileged options become
    available. The precise algorithm for how the files are searched and
    interpreted may be configured with
    <command>systemd-nspawn</command>'s <option>--settings=</option>
    switch, see
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    for details.</para>
  </refsect1>

  <refsect1>
    <title>[Exec] Section Options</title>

    <para>Settings files may include an [Exec]
    section, which carries various execution parameters:</para>

    <variablelist class='nspawn-directives'>

      <varlistentry>
        <term><varname>Boot=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command>
        will automatically search for an <filename>init</filename> executable and invoke it. In this case, the
        specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the
        <filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the
        <command>systemd-nspawn</command> command line. This option may not be combined with
        <varname>ProcessTwo=yes</varname>. This option is specified by default in the
        <filename>systemd-nspawn@.service</filename> template unit.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Ephemeral=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the container is run with
        a temporary snapshot of its file system that is removed immediately when the container terminates.
        This is equivalent to the <option>--ephemeral</option> command line switch. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ProcessTwo=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as
        PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch
        on the <command>systemd-nspawn</command> command line. This option may not be combined with
        <varname>Boot=yes</varname>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Parameters=</varname></term>

        <listitem><para>Takes a whitespace-separated list of arguments. Single (<literal>'</literal>) and
        double (<literal>"</literal>) quotes may be used around arguments with whitespace. This is either a
        command line, beginning with the binary name to execute, or – if <varname>Boot=</varname> is enabled
        – the list of arguments to pass to the init process. This setting corresponds to the command line
        parameters passed on the <command>systemd-nspawn</command> command line.</para>

        <para>Note: <option>Boot=no</option>, <option>Parameters=a b "c c"</option> is the same as
        <command>systemd-nspawn a b "c c"</command>, and <option>Boot=yes</option>, <option>Parameters=b 'c c'</option>
        is the same as <command>systemd-nspawn --boot b 'c c'</command>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Environment=</varname></term>

        <listitem><para>Takes an environment variable assignment
        consisting of key and value, separated by
        <literal>=</literal>. Sets an environment variable for the
        main process invoked in the container. This setting may be
        used multiple times to set multiple environment variables. It
        corresponds to the <option>--setenv=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>User=</varname></term>

        <listitem><para>Takes a UNIX user name. Specifies the user
        name to invoke the main process of the container as. This user
        must be known in the container's user database. This
        corresponds to the <option>--user=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>WorkingDirectory=</varname></term>

        <listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute
        path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PivotRoot=</varname></term>

        <listitem><para>Selects a directory to pivot to <filename>/</filename> inside the container when starting up.
        Takes a single path, or a pair of two paths separated by a colon. Both paths must be absolute, and are resolved
        in the container's file system namespace. This corresponds to the <option>--pivot-root=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Capability=</varname></term>
        <term><varname>DropCapability=</varname></term>

        <listitem><para>Takes a space-separated list of Linux process
        capabilities (see
        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
        for details). The <varname>Capability=</varname> setting
        specifies additional capabilities to pass on top of the
        default set of capabilities. The
        <varname>DropCapability=</varname> setting specifies
        capabilities to drop from the default set. These settings
        correspond to the <option>--capability=</option> and
        <option>--drop-capability=</option> command line
        switches. Note that <varname>Capability=</varname> is a
        privileged setting, and only takes effect in
        <filename>.nspawn</filename> files in
        <filename>/etc/systemd/nspawn/</filename> and
        <filename>/run/systemd/nspawn/</filename> (see above). On the
        other hand, <varname>DropCapability=</varname> takes effect in
        all cases. If the special value <literal>all</literal> is passed, all
        capabilities are retained (or dropped).</para>

        <para>These settings change the bounding set of capabilities, which
        also limits the ambient capabilities granted with
        <varname>AmbientCapability=</varname>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>AmbientCapability=</varname></term>
        <listitem><para>Takes a space-separated list of Linux process
        capabilities (see
        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
        for details). The <varname>AmbientCapability=</varname> setting
        specifies capabilities which will be passed to the started program
        in the inheritable and ambient capability sets. This will grant
        these capabilities to this process. This setting corresponds to
        the <option>--ambient-capability=</option> command line switch.
        </para>

        <para>The value <literal>all</literal> is not supported for this
        setting.</para>

        <para>The setting of <varname>AmbientCapability=</varname> must
        be covered by the bounding set settings which were established by
        <varname>Capability=</varname> and <varname>DropCapability=</varname>.
        </para>

        <para>Note that <varname>AmbientCapability=</varname> is a privileged
        setting (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>NoNewPrivileges=</varname></term>

        <listitem><para>Takes a boolean argument that controls the <constant>PR_SET_NO_NEW_PRIVS</constant> flag for
        the container payload. This is equivalent to the
        <option>--no-new-privileges=</option> command line switch. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>KillSignal=</varname></term>

        <listitem><para>Specifies the process signal to send to the
        container's PID 1 when nspawn itself receives SIGTERM, in
        order to trigger an orderly shutdown of the container.
        Defaults to SIGRTMIN+3 if <option>Boot=</option> is used
        (on systemd-compatible init systems SIGRTMIN+3 triggers an
        orderly shutdown). For a list of valid signals, see
        <citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Personality=</varname></term>

        <listitem><para>Configures the kernel personality for the
        container. This is equivalent to the
        <option>--personality=</option> switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MachineID=</varname></term>

        <listitem><para>Configures the 128-bit machine ID (UUID) to pass to
        the container. This is equivalent to the
        <option>--uuid=</option> command line switch. This option is
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PrivateUsers=</varname></term>

        <listitem><para>Configures support for user namespacing. This is equivalent to the
        <option>--private-users=</option> command line switch, and takes the same options. This option is privileged
        (see above). This option is the default if the <filename>systemd-nspawn@.service</filename> template unit file
        is used.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>NotifyReady=</varname></term>

        <listitem><para>Configures support for notifications from the container's init process. This is equivalent to
        the <option>--notify-ready=</option> command line switch, and takes the same parameters. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>SystemCallFilter=</varname></term>

        <listitem><para>Configures the system call filter applied to containers. This is equivalent to the
        <option>--system-call-filter=</option> command line switch, and takes the same list parameter. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>LimitCPU=</varname></term>
        <term><varname>LimitFSIZE=</varname></term>
        <term><varname>LimitDATA=</varname></term>
        <term><varname>LimitSTACK=</varname></term>
        <term><varname>LimitCORE=</varname></term>
        <term><varname>LimitRSS=</varname></term>
        <term><varname>LimitNOFILE=</varname></term>
        <term><varname>LimitAS=</varname></term>
        <term><varname>LimitNPROC=</varname></term>
        <term><varname>LimitMEMLOCK=</varname></term>
        <term><varname>LimitLOCKS=</varname></term>
        <term><varname>LimitSIGPENDING=</varname></term>
        <term><varname>LimitMSGQUEUE=</varname></term>
        <term><varname>LimitNICE=</varname></term>
        <term><varname>LimitRTPRIO=</varname></term>
        <term><varname>LimitRTTIME=</varname></term>

        <listitem><para>Configures various types of resource limits applied to containers. This is equivalent to the
        <option>--rlimit=</option> command line switch, and takes the same arguments. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>OOMScoreAdjust=</varname></term>

        <listitem><para>Configures the OOM score adjustment value. This is equivalent to the
        <option>--oom-score-adjust=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>CPUAffinity=</varname></term>

        <listitem><para>Configures the CPU affinity. This is equivalent to the <option>--cpu-affinity=</option> command
        line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Hostname=</varname></term>

        <listitem><para>Configures the kernel hostname set for the container. This is equivalent to the
        <option>--hostname=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ResolvConf=</varname></term>

        <listitem><para>Configures how <filename>/etc/resolv.conf</filename> in the container shall be handled. This is
        equivalent to the <option>--resolv-conf=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Timezone=</varname></term>

        <listitem><para>Configures how <filename>/etc/localtime</filename> in the container shall be handled. This is
        equivalent to the <option>--timezone=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>LinkJournal=</varname></term>

        <listitem><para>Configures how to link host and container journal setups. This is equivalent to the
        <option>--link-journal=</option> command line switch, and takes the same parameter. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

    </variablelist>
  </refsect1>
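
  <refsect1>
    <title>Example: Combining Capability=, DropCapability= and AmbientCapability=</title>

    <para>The following Python code is an added example and is not part of the systemd documentation or of
    <command>systemd-nspawn</command>'s own implementation. It models the rules stated for the three
    capability settings of the [Exec] section: <varname>Capability=</varname> adds to the default bounding
    set but is ignored in untrusted <filename>.nspawn</filename> files, <varname>DropCapability=</varname>
    always takes effect, <literal>all</literal> retains or drops every capability, and
    <varname>AmbientCapability=</varname> must be covered by the resulting bounding set, is itself
    privileged, and does not accept <literal>all</literal>. The function names
    <literal>bounding_set()</literal> and <literal>ambient_set()</literal>, the <literal>trusted</literal>
    flag (standing for the file location rule of the file discovery section) and the
    <literal>DEFAULT_BOUNDING</literal> and <literal>ALL_CAPS</literal> lists are assumptions of this
    example; the two lists are constructed placeholders, not the real capability sets known to
    <command>systemd-nspawn</command>.</para>

```python
# Added example, not part of systemd: models how the Capability=,
# DropCapability= and AmbientCapability= settings of a .nspawn file combine.
# DEFAULT_BOUNDING and ALL_CAPS are constructed placeholder sets, not the
# real default or full capability lists used by systemd-nspawn.

DEFAULT_BOUNDING = frozenset({
    "CAP_CHOWN", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SETUID", "CAP_SETGID",
})
ALL_CAPS = DEFAULT_BOUNDING | frozenset({
    "CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SYS_PTRACE",
})


def split_caps(value):
    """Parse the space-separated capability list accepted by all three settings."""
    return [c.strip() for c in value.split() if c.strip()]


def bounding_set(capability="", drop_capability="", trusted=True):
    """Compute the container's capability bounding set.

    Capability= adds to the default set but is privileged: it only takes
    effect when `trusted` is True, i.e. the .nspawn file came from
    /etc/systemd/nspawn/ or /run/systemd/nspawn/.  DropCapability= removes
    capabilities and takes effect in all cases.  The special value "all"
    retains (Capability=) or drops (DropCapability=) every capability.
    """
    caps = set(DEFAULT_BOUNDING)
    add = split_caps(capability)
    if trusted and add:
        caps = set(ALL_CAPS) if "all" in add else caps | set(add)
    drop = split_caps(drop_capability)
    if "all" in drop:
        return frozenset()
    return frozenset(caps - set(drop))


def ambient_set(ambient_capability, bounding, trusted=True):
    """Validate AmbientCapability= against an already computed bounding set.

    The setting is privileged, so it is ignored (empty result) for untrusted
    files.  "all" is not supported, and every requested capability must be
    covered by the bounding set established by Capability=/DropCapability=;
    a request outside the bounding set is reported as a ValueError here.
    """
    if not trusted:
        return frozenset()
    wanted = split_caps(ambient_capability)
    if "all" in wanted:
        raise ValueError("AmbientCapability=all is not supported")
    not_covered = sorted(set(wanted) - bounding)
    if not_covered:
        raise ValueError("not covered by bounding set: " + " ".join(not_covered))
    return frozenset(wanted)
```

    <para>Calling <literal>bounding_set("CAP_SYS_ADMIN", "CAP_KILL")</literal> for a file in
    <filename>/etc/systemd/nspawn/</filename> yields the placeholder default set plus CAP_SYS_ADMIN minus
    CAP_KILL; the same two settings in a file found next to the image (<literal>trusted=False</literal>) yield
    only the default set minus CAP_KILL, because the privileged addition is dropped while the drop still
    applies. An <varname>AmbientCapability=</varname> that names a capability outside that bounding set is
    rejected rather than silently granted.</para>
  </refsect1>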

  <refsect1>
    <title>[Files] Section Options</title>

    <para>Settings files may include a [Files]
    section, which carries various parameters configuring the file
    system of the container:</para>

    <variablelist class='nspawn-directives'>

      <varlistentry>
        <term><varname>ReadOnly=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If
        specified, the container will be run with a read-only file
        system. This setting corresponds to the
        <option>--read-only</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Volatile=</varname></term>

        <listitem><para>Takes a boolean argument, or the special value
        <literal>state</literal>. This configures whether to run the
        container with volatile state and/or configuration. This
        option is equivalent to <option>--volatile=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options
        supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Bind=</varname></term>
        <term><varname>BindReadOnly=</varname></term>

        <listitem><para>Adds a bind mount from the host into the
        container. Takes a single path, a pair of two paths separated
        by a colon, or a triplet of two paths plus an option string
        separated by colons. This option may be used multiple times to
        configure multiple bind mounts. This option is equivalent to
        the command line switches <option>--bind=</option> and
        <option>--bind-ro=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting
        is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>BindUser=</varname></term>

        <listitem><para>Binds a user from the host into the container. This option is equivalent to the
        command line switch <option>--bind-user=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting is privileged (see
        above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>TemporaryFileSystem=</varname></term>

        <listitem><para>Adds a <literal>tmpfs</literal> mount to the
        container. Takes a path or a pair of path and option string,
        separated by a colon. This option may be used multiple times to
        configure multiple <literal>tmpfs</literal> mounts. This
        option is equivalent to the command line switch
        <option>--tmpfs=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting
        is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Inaccessible=</varname></term>

        <listitem><para>Masks the specified file or directory in the container, by over-mounting it with an empty file
        node of the same type with the most restrictive access mode. Takes a file system path as argument. This option
        may be used multiple times to mask multiple files or directories. This option is equivalent to the command line
        switch <option>--inaccessible=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported. This setting is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Overlay=</varname></term>
        <term><varname>OverlayReadOnly=</varname></term>

        <listitem><para>Adds an overlay mount point. Takes a colon-separated list of paths. This option may be used
        multiple times to configure multiple overlay mounts. This option is equivalent to the command line switches
        <option>--overlay=</option> and <option>--overlay-ro=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported. This setting is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PrivateUsersOwnership=</varname></term>

        <listitem><para>Configures whether the ownership of the files and directories in the container tree
        shall be adjusted to the UID/GID range used, if necessary and user namespacing is enabled. This is
        equivalent to the <option>--private-users-ownership=</option> command line switch. This option is
        privileged (see above).</para></listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Network] Section Options</title>

    <para>Settings files may include a [Network]
    section, which carries various parameters configuring the network
    connectivity of the container:</para>

    <variablelist class='nspawn-directives'>

      <varlistentry>
        <term><varname>Private=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If
        enabled, the container will run in its own network namespace
        and not share network interfaces and configuration with the
        host. This setting corresponds to the
        <option>--private-network</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>VirtualEthernet=</varname></term>

        <listitem><para>Takes a boolean argument. Configures whether to create a virtual Ethernet connection
        (<literal>veth</literal>) between host and the container. This setting implies
        <varname>Private=yes</varname>. This setting corresponds to the <option>--network-veth</option> command line
        switch. This option is privileged (see above). This option is the default if the
        <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>VirtualEthernetExtra=</varname></term>

        <listitem><para>Takes a colon-separated pair of interface names. Configures an additional virtual
        Ethernet connection (<literal>veth</literal>) between host and the container. The first specified
        name is the interface name on the host, the second the interface name in the container. The latter
        may be omitted, in which case it is set to the same name as the host side interface. This setting
        implies <varname>Private=yes</varname>. This setting corresponds to the
        <option>--network-veth-extra=</option> command line switch, and may be used multiple times. It is
        independent of <varname>VirtualEthernet=</varname>. Note that this option is unrelated to the
        <varname>Bridge=</varname> setting below, and thus any connections created this way are not
        automatically added to any bridge device on the host side. This option is privileged (see
        above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Interface=</varname></term>

        <listitem><para>Takes a space-separated list of interfaces to
        add to the container. This option corresponds to the
        <option>--network-interface=</option> command line switch and
        implies <varname>Private=yes</varname>. This option is
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MACVLAN=</varname></term>
        <term><varname>IPVLAN=</varname></term>

        <listitem><para>Takes a space-separated list of interfaces to
        add MACVLAN or IPVLAN interfaces to, which are then added to
        the container. These options correspond to the
        <option>--network-macvlan=</option> and
        <option>--network-ipvlan=</option> command line switches and
        imply <varname>Private=yes</varname>. These options are
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Bridge=</varname></term>

        <listitem><para>Takes an interface name. This setting implies
        <varname>VirtualEthernet=yes</varname> and
        <varname>Private=yes</varname> and has the effect that the
        host side of the created virtual Ethernet link is connected to
        the specified bridge interface. This option corresponds to the
        <option>--network-bridge=</option> command line switch. This
        option is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Zone=</varname></term>

        <listitem><para>Takes a network zone name. This setting implies <varname>VirtualEthernet=yes</varname> and
        <varname>Private=yes</varname> and has the effect that the host side of the created virtual Ethernet link is
        connected to an automatically managed bridge interface named after the passed argument, prefixed with
        <literal>vz-</literal>. This option corresponds to the <option>--network-zone=</option> command line
        switch. This option is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Port=</varname></term>

        <listitem><para>Exposes a TCP or UDP port of the container on
        the host. This option corresponds to the
        <option>--port=</option> command line switch, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for the precise syntax of the argument this option takes. This
        option is privileged (see above).</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
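
  <refsect1>
    <title>Example: Reading a .nspawn File According to Its Location</title>

    <para>The following Python code is an added example and is not part of the systemd documentation or of
    <command>systemd-nspawn</command>. It puts the file discovery rule and the per-option privilege notes of
    this page together: a <filename>.nspawn</filename> file found in <filename>/etc/systemd/nspawn/</filename> or
    <filename>/run/systemd/nspawn/</filename> takes full effect, while one found next to the image has every
    setting marked privileged above dropped. It also shows how the [Exec] <varname>Boot=</varname> and
    <varname>Parameters=</varname> settings map to the <command>systemd-nspawn</command> command line, including
    the quoting in the note under <varname>Parameters=</varname>. The function names, the
    <literal>PRIVILEGED</literal> table (assembled from the "privileged (see above)" notes on this page, not
    from the systemd sources) and the sample file are assumptions and constructions of this example.</para>

```python
# Added example, not part of systemd.  A small reader for .nspawn files that
# models two rules from the systemd.nspawn(5) text: a file in
# /etc/systemd/nspawn/ or /run/systemd/nspawn/ takes full effect, while a file
# found next to the image has its privileged settings ignored; and the [Exec]
# Boot=/Parameters= settings translate into a systemd-nspawn command line.
import os
import shlex

TRUSTED_DIRS = ("/etc/systemd/nspawn", "/run/systemd/nspawn")

# Settings this page marks as privileged, by section.  Assembled by hand from
# the documentation text; it is not the table used by systemd-nspawn itself.
PRIVILEGED = {
    "Exec": {"Capability", "AmbientCapability", "MachineID", "PrivateUsers"},
    "Files": {"Bind", "BindReadOnly", "BindUser", "TemporaryFileSystem",
              "Inaccessible", "Overlay", "OverlayReadOnly",
              "PrivateUsersOwnership"},
    "Network": {"VirtualEthernet", "VirtualEthernetExtra", "Interface",
                "MACVLAN", "IPVLAN", "Bridge", "Zone", "Port"},
}


def parse_nspawn(text):
    """Parse .desktop-style sections into {section: [(key, value), ...]}.

    Values are kept as an ordered list per section because settings such as
    Bind= or Environment= may legitimately appear more than once.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: " + raw)
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def is_trusted_location(path):
    """True only for the administrator-maintained directories."""
    return os.path.dirname(os.path.abspath(path)) in TRUSTED_DIRS


def effective_settings(text, path):
    """Apply the trust rule: drop privileged settings from untrusted files.

    Returns (settings, ignored); `ignored` lists the dropped (section, key)
    pairs so an operator can see what an untrusted file attempted to set.
    """
    trusted = is_trusted_location(path)
    kept, ignored = {}, []
    for section, items in parse_nspawn(text).items():
        kept[section] = []
        for key, value in items:
            if not trusted and key in PRIVILEGED.get(section, set()):
                ignored.append((section, key))
            else:
                kept[section].append((key, value))
    return kept, ignored


def exec_command_line(settings):
    """Translate [Exec] Boot= and Parameters= into systemd-nspawn arguments."""
    exec_items = dict(settings.get("Exec", []))
    argv = ["systemd-nspawn"]
    if exec_items.get("Boot", "no").lower() in ("yes", "true", "on", "1"):
        argv.append("--boot")
    # Parameters= allows single- and double-quoted arguments containing
    # whitespace, which shlex handles the same way the page's note describes.
    argv.extend(shlex.split(exec_items.get("Parameters", "")))
    return argv


# Constructed sample file, as a vendor might ship it next to an image.
SAMPLE = """
[Exec]
Boot=yes
Parameters=b 'c c'
Capability=CAP_SYS_ADMIN

[Files]
Bind=/srv/data:/data
ReadOnly=no

[Network]
Port=8080:80
"""

if __name__ == "__main__":
    for where in ("/var/lib/machines/demo.nspawn",
                  "/etc/systemd/nspawn/demo.nspawn"):
        kept, ignored = effective_settings(SAMPLE, where)
        print(where, "ignored:", ignored, "argv:", exec_command_line(kept))
```

    <para>Run as a script, the block evaluates the same sample file once as
    <filename>/var/lib/machines/demo.nspawn</filename> and once as
    <filename>/etc/systemd/nspawn/demo.nspawn</filename>. In the first case
    <varname>Capability=</varname>, <varname>Bind=</varname> and <varname>Port=</varname> are reported as
    ignored and only <varname>Boot=</varname>, <varname>Parameters=</varname> and <varname>ReadOnly=</varname>
    remain; in the second nothing is dropped. The list of ignored settings is worth logging: a vendor file
    attempting to set privileged options is exactly what the split between
    <filename>/var/lib/machines/</filename> and <filename>/etc/systemd/nspawn/</filename> is meant to contain,
    and the documented remedy is to copy the file into <filename>/etc/systemd/nspawn/</filename> and review
    it there.</para>
  </refsect1>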