Commit Graph

191 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
514094f933 man: drop mode line in file headers
This is already included in .dir-locals, so we don't need it
in the files themselves.
2018-07-03 01:32:25 +02:00
Lennart Poettering
a7e2e50d35 summary: update nspawn description string a bit
nspawn as it is now is a generally useful tool, hence let's drop the
comments about it being useful for debug and so on only.

The new wording just makes the first sentence of the main page also the
summary.
2018-06-28 11:55:44 +09:00
Zbigniew Jędrzejewski-Szmek
fdbbee37d5 man: drop unused <authorgroup> tags from man sources
Docbook styles required those to be present, even though the templates that we
use did not show those names anywhere. But something changed semi-recently (I
would suspect docbook templates, but there was only a minor version bump in
recent years, and the changelog does not suggest anything related), and builds
now work without those entries. Let's drop this dead weight.

Tested with F26-F29, debian unstable.

$ perl -i -0pe 's/\s*<authorgroup>.*<.authorgroup>//gms' man/*xml
2018-06-14 12:22:18 +02:00
Lennart Poettering
0c69794138 tree-wide: remove Lennart's copyright lines
These lines are generally out-of-date, incomplete and unnecessary. With
SPDX and git repository much more accurate and fine grained information
about licensing and authorship is available, hence let's drop the
per-file copyright notice. Of course, removing copyright lines of others
is problematic, hence this commit only removes my own lines and leaves
all others untouched. It might be nicer if sooner or later those could
go away too, making git the only and accurate source of authorship
information.
2018-06-14 10:20:20 +02:00
Lennart Poettering
818bf54632 tree-wide: drop 'This file is part of systemd' blurb
This part of the copyright blurb stems from the GPL use recommendations:

https://www.gnu.org/licenses/gpl-howto.en.html

The concept appears to originate in times where version control was per
file, instead of per tree, and was a way to glue the files together.
Ultimately, we nowadays don't live in that world anymore, and this
information is entirely useless anyway, as people are very welcome to
copy these files into any projects they like, and they shouldn't have to
change bits that are part of our copyright header for that.

hence, let's just get rid of this old cruft, and shorten our codebase a
bit.
2018-06-14 10:20:20 +02:00
Michael Biebl
1b2ad5d9a5 doc: more spelling fixes 2018-06-12 16:31:30 +02:00
Zbigniew Jędrzejewski-Szmek
7a8aa0ec0a man: use entities for fedora number and update URL
Fedora 28 is out already, let's advertise it. While at it, drop "container"
from "f28container" — it's a subdirectory under /var/lib/machines, it's pretty
obvious that's it a container.

To make the switch easier in the future, define the number as an entity.
2018-06-05 11:04:01 +02:00
Lennart Poettering
1688841f46 nspawn: similar to the previous patches, also make /etc/localtime handling more configurable
Fixes: #9009
2018-05-22 16:21:26 +02:00
Lennart Poettering
09d423e921 nspawn: add greater control over how /etc/resolv.conf is handled
Fixes: #8014 #1781
2018-05-22 16:19:26 +02:00
Lennart Poettering
d107bb7d63 nspawn: add a new --cpu-affinity= switch
Similar as the other options added before, this is primarily useful to
provide comprehensive OCI runtime compatbility, but might be useful
otherwise, too.
2018-05-17 20:48:54 +02:00
Lennart Poettering
81f345dfed nspawn: add a new --oom-score-adjust= command line switch
This is primarily useful in order to provide comprehensive OCI runtime
compatibility with nspawn, but might have uses outside of it.
2018-05-17 20:48:12 +02:00
Lennart Poettering
66edd96310 nspawn: add a new --no-new-privileges= cmdline option to nspawn
This simply controls the PR_SET_NO_NEW_PRIVS flag for the container.
This too is primarily relevant to provide OCI runtime compaitiblity, but
might have other uses too, in particular as it nicely complements the
existing --capability= and --drop-capability= flags.
2018-05-17 20:47:20 +02:00
Lennart Poettering
3a9530e5f1 nspawn: make the hostname of the container explicitly configurable with a new --hostname= switch
Previously, the container's hostname was exclusively initialized from
the machine name configured with --machine=, i.e. the internal name and
the external name used for and by the container was synchronized. This
adds a new option --hostname= that optionally allows the internal name
to deviate from the external name.

This new option is mainly useful to ultimately implement the OCI runtime
spec directly in nspawn, but it might be useful on its own for some
other usecases too.
2018-05-17 20:46:45 +02:00
Lennart Poettering
bf428efb07 nspawn: add new --rlimit= switch, and always set resource limits explicitly for our container payloads
This ensures we set the various resource limits of our container
explicitly on each invocation so that we inherit less from our callers
into the payload.

By default resource limits are now set to the same values Linux
generally passes to the host PID 1, thus minimizing needless differences
between host and container environments.

The limits are now also configurable using a new --rlimit= switch. This
is preparation for teaching nspawn native OCI runtime support as OCI
permits setting resource limits for container payloads, and it hence
probably makes sense if we do too.
2018-05-17 20:45:54 +02:00
Lennart Poettering
1752d69a8b man: document what happens if --kill-signal= is not used in nspawn and --boot neither 2018-05-17 20:40:04 +02:00
Lennart Poettering
c7fc3c4cfe man: don't claim systemd-analyze was documented as part of the man-pages project
It's our own command, we document it in our own set of man pages.
2018-05-17 20:40:04 +02:00
Zbigniew Jędrzejewski-Szmek
11a1589223 tree-wide: drop license boilerplate
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.

I also kept any copyright lines. We can probably remove them, but it'd nice to
obtain explicit acks from all involved authors before doing that.
2018-04-06 18:58:55 +02:00
Zbigniew Jędrzejewski-Szmek
bc96c63c05 man: add a note that nspawn gives access to network by default
Fixes #6546.
2018-03-22 16:56:22 +01:00
Alan Jenkins
a30504ed69 man: systemd-nspawn: fix list of default capabilities (#7925)
* Sort them alphabetically.
* Add CAP_MKNOD (commit 7f112f50fe added it).

the list is now in sync with the one at the top of nspawn.c
2018-01-19 04:11:11 +09:00
Yu Watanabe
4deb55036b man: nspawn: add missing option 2018-01-10 23:20:20 +09:00
Zbigniew Jędrzejewski-Szmek
7f8b3d1d32 man: drop --arch from debootstrap invocation
Nowadays people use systemd on many different architectures, so we
shouldn't presuppose that they are using amd64. debootstrap defaults
to the native architecture and this should be good enough.
2018-01-04 11:16:19 +01:00
Alan Jenkins
3f2d136505 man: generalize "binary" to "program" (#7668)
Systemd services are permitted to be scripts, as well as binary
executables.

The same also applies to the underlying /sbin/mount and /sbin/swapon.
It is not necessary for the user to consider what type of program file
these are.  Nor is it necessary with systemd-nspawn, to distinguish between
init as a "binary" v.s. a user-specified "program".

Also fix a couple of grammar nits in the modified sentences.
2017-12-16 11:48:12 +01:00
Dongsu Park
d7bea6b629 nspawn: introduce an option for specifying network namespace path
Add a new option `--network-namespace-path` to systemd-nspawn to allow
users to specify an arbitrary network namespace, e.g. `/run/netns/foo`.
Then systemd-nspawn will open the netns file, pass the fd to
outer_child, and enter the namespace represented by the fd before
running inner_child.

```
$ sudo ip netns add foo
$ mount | grep /run/netns/foo
nsfs on /run/netns/foo type nsfs (rw)
...
$ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \
  /bin/readlink -f /proc/self/ns/net
/proc/1/ns/net:[4026532009]
```

Note that the option `--network-namespace-path=` cannot be used together
with other network-related options such as `--private-network` so that
the options do not conflict with each other.

Fixes https://github.com/systemd/systemd/issues/7361
2017-12-13 10:21:06 +00:00
Zbigniew Jędrzejewski-Szmek
572eb058cf Add SPDX license identifiers to man pages 2017-11-19 19:08:15 +01:00
Lennart Poettering
994a6364d2 man: document how nspawn's --bind= and --private-users interact
Fixes: #5900
2017-11-17 11:12:33 +01:00
Lennart Poettering
bb84995789 nspawn: correctly document the relationship of --keep-unit and --register=no (#7364)
Fixes: #7228
2017-11-17 10:54:50 +01:00
Zbigniew Jędrzejewski-Szmek
12c4ee0af3 man: mention how to provision Ubuntu and Tanglu for nspawn (#7359)
Also add urls. Urls are nice.
2017-11-16 13:40:35 +01:00
Zbigniew Jędrzejewski-Szmek
551072321e man: recommend using /var/lib/machines in systemd-nspawn(1)
Also update the instruction to latest Fedora version.
2017-10-18 17:14:05 +02:00
Lennart Poettering
96bedbe2e5 nspawn: replace syscall blacklist by a whitelist
Let's lock things down a bit, and maintain a list of what's permitted
rather than a list of what's prohibited in nspawn (also to make things a
bit more like Docker and friends).

Note that this slightly alters the effect of --system-call-filter=, as
now the negative list now takes precedence over the positive list.
However, given that the option is just a few days old and not included
in any released version it should be fine to change it at this point in
time.

Note that the whitelist is good chunk more restrictive thatn the
previous blacklist. Specifically:

- fanotify is not permitted (given the buffer size issues it's
  problematic in containers)
- nfsservctl is not permitted (NFS server support is not virtualized)
- pkey_xyz stuff is not permitted (really new stuff I don't grok)
- @cpu-emulation is prohibited (untested legacy stuff mostly, and if
  people really want to run dosemu in nspawn, they should use
  --system-call-filter=@cpu-emulation and all should be good)
2017-09-14 15:45:21 +02:00
Lennart Poettering
960e4569e1 nspawn: implement configurable syscall whitelisting/blacklisting
Now that we have ported nspawn's seccomp code to the generic code in
seccomp-util, let's extend it to support whitelisting and blacklisting
of specific additional syscalls.

This uses similar syntax as PID1's support for system call filtering,
but in contrast to that always implements a blacklist (and not a
whitelist), as we prepopulate the filter with a blacklist, and the
unit's system call filter logic does not come with anything
prepopulated.

(Later on we might actually want to invert the logic here, and
whitelist rather than blacklist things, but at this point let's not do
that. In case we switch this over later, the syscall add/remove logic of
this commit should be compatible conceptually.)

Fixes: #5163

Replaces: #5944
2017-09-12 14:06:21 +02:00
Zbigniew Jędrzejewski-Szmek
f518ee04d7 man: add zypper instructions for systemd-nspawn
v2:
- add -c and update the list of packages
v3:
- link to a man page on mankier.com
2017-07-02 19:11:48 -04:00
Lennart Poettering
cd2dfc6fae nspawn: register a scope for the unit if --register=no is specified (#6166)
Previously, only when --register=yes was set (the default) the invoked
container would get its own scope, created by machined on behalf of
nspawn. With this change if --register=no is set nspawn will still get
its own scope (which is a good thing, so that --slice= and --property=
take effect), but this is not done through machined but by registering a
scope unit directly in PID 1.

Summary:

--register=yes             → allocate a new scope through machined (the default)
--register=yes --keep-unit → use the unit we are already running in an register with machined
--register=no              → allocate a new scope directly, but no machined
--register=no --keep-unit  → do not allocate nor register anything

Fixes: #5823
2017-06-28 13:22:46 -04:00
Elias Probst
cf917c27b6
man: fix typo (--network-zones--network-zone) 2017-05-13 20:56:44 +02:00
AsciiWolf
28a0ad81ee man: use https:// in URLs 2017-02-21 16:28:04 +01:00
Lennart Poettering
aa10469e17 man: document that user namespacing complicates file copies 2017-02-17 11:47:20 +01:00
Martin Pitt
4997dd91fb Merge pull request #5279 from keszybz/man-reverts
A revert and some other tweaks for the man pages
2017-02-09 08:35:28 +01:00
Zbigniew Jędrzejewski-Szmek
fc6149a6ce Merge pull request #4962 from poettering/root-directory-2
Add new MountAPIVFS= boolean unit file setting + RootImage=
2017-02-08 23:05:05 -05:00
Zbigniew Jędrzejewski-Szmek
ef3116b5d4 man: add more commas for clarify and reword a few sentences 2017-02-08 22:53:16 -05:00
Zbigniew Jędrzejewski-Szmek
3797fd0a22 man: break long lines and update Fedora versions
We should try to keep the unbreakable lines below 80 columns.
It's not always possible of course.

Also, use the dl.fp.o alias instead of a specific mirror.
2017-02-08 20:22:50 -05:00
Philip Withnall
b53ede699c nspawn: Add support for sysroot pivoting (#5258)
Add a new --pivot-root argument to systemd-nspawn, which specifies a
directory to pivot to / inside the container; while the original / is
pivoted to another specified directory (if provided). This adds
support for booting container images which may contain several bootable
sysroots, as is common with OSTree disk images. When these disk images
are booted on real hardware, ostree-prepare-root is run in conjunction
with sysroot.mount in the initramfs to achieve the same results.
2017-02-08 16:54:31 +01:00
Lennart Poettering
41488e1f7a dissect: try to read roothash value off user.verity.roothash xattr of image file
This slightly extends the roothash loading logic to first check for a
user.verity.roothash extended attribute on the image file. If it exists,
it is used as Verity root hash and the ".roothash" file is not used.

This should improve the chance that the roothash is retained when the
file is moved around, as the data snippet is attached directly to the
image file. The field is still detached from the file payload however,
in order to make sure it may be trusted independently.

This does not replace the ".roothash" file loading, it simply adds a
second way to retrieve the data.

Extended attributes are often a poor choice for storing metadata like
this as it is usually difficult to discover for admins and users, and
hard to fix if it ever gets out of sync.  However, in this case I think
it's safe as verity implies read-only access, and thus there's little
chance of it to get out of sync.
2017-02-07 12:21:29 +01:00
Lennart Poettering
91214a37ef fstab-generator: add support for volatile boots
This adds support for a new kernel command line option "systemd.volatile=" that
provides the same functionality that systemd-nspawn's --volatile= switch
provides, but for host systems (i.e. systems booting with a kernel).

It takes the same parameter and has the same effect.

In order to implement systemd.volatile=yes a new service
systemd-volatile-root.service is introduced that only runs in the initrd and
rearranges the root directory as needed to become a tmpfs instance. Note that
systemd.volatile=state is implemented different: it simply generates a
var.mount unit file that is part of the normal boot and has no effect on the
initrd execution.

The way this is implemented ensures that other explicit configuration for /var
can always override the effect of these options.  Specifically, the var.mount
unit is generated in the "late" generator directory, so that it only is in
effect if nothing else overrides it.
2016-12-21 19:09:29 +01:00
Lennart Poettering
58abb66f4b man: update the nspawn man page, and document what kind of dissection features we now support 2016-12-07 18:38:41 +01:00
Lennart Poettering
c7a4890ce4 nspawn: optionally, automatically allocated --bind=/--overlay source from /var/tmp
This extends the --bind= and --overlay= syntax so that an empty string as source/upper
directory is taken as request to automatically allocate a temporary directory
below /var/tmp, whose lifetime is bound to the nspawn runtime. In combination
with the "+" path extension this permits a switch "--overlay=+/var::/var" in
order to use the container's shipped /var, combine it with a writable temporary
directory and mount it to the runtime /var of the container.
2016-12-01 12:41:18 +01:00
Lennart Poettering
86c0dd4a71 nspawn: permit prefixing of source paths in --bind= and --overlay= with "+"
If a source path is prefixed with "+" it is taken relative to the container's
root directory instead of the host. This permits easily establishing bind and
overlay mounts based on data from the container rather than the host.

This also reworks custom_mounts_prepare(), and turns it into two functions: one
custom_mount_check_all() that remains in nspawn.c but purely verifies the
validity of the custom mounts configured. And one called
custom_mount_prepare_all() that actually does the preparation step, sorts the
custom mounts, resolves relative paths, and allocates temporary directories as
necessary.
2016-12-01 12:41:18 +01:00
Lennart Poettering
17cbb288fa nspawn: add fallback top normal copy/reflink when we cannot btrfs snapshot
Given that other file systems (notably: xfs) support reflinks these days, let's
extend the file system snapshotting logic to fall back to plan copies or
reflinks when full btrfs subvolume snapshots are not available.

This essentially makes "systemd-nspawn --ephemeral" and "systemd-nspawn
--template=" available on non-btrfs subvolumes. Of course, both operations will
still be slower on non-btrfs than on btrfs (simply because reflinking each file
individually in a directory tree is still slower than doing this in one step
for a whole subvolume), but it's probably good enough for many cases, and we
should provide the users with the tools, they have to figure out what's good
for them.

Note that "machinectl clone" already had a fallback like this in place, this
patch generalizes this, and adds similar support to our other cases.
2016-11-22 13:35:09 +01:00
Lennart Poettering
0f3be6ca4d nspawn: support ephemeral boots from images
Previously --ephemeral was only supported with container trees in btrfs
subvolumes (i.e. in combination with --directory=). This adds support for
--ephemeral in conjunction with disk images (i.e. --image=) too.

As side effect this fixes that --ephemeral was accepted but ignored when using
-M on a container that turned out to be an image.

Fixes: #4664
2016-11-22 13:35:09 +01:00
Thomas Hindoe Paaboel Andersen
2dd678171e man: typo fixes
A mix of fixes for typos and UK english
2016-10-12 23:02:44 +02:00
Zbigniew Jędrzejewski-Szmek
ae209204d8 nspawn,man: fix parsing of numeric args for --private-users, accept any boolean
This is like the previous reverted commit, but any boolean is still accepted,
not just "yes" and "no". Man page is adjusted to match the code.
2016-10-10 11:55:06 -04:00
Zbigniew Jędrzejewski-Szmek
6265bde205 man: describe how to reverse systemd-nspawn -U
Now that systemd-nspawn@.service includes -U, more users might be interested
in this tidbit ;)
2016-10-09 18:24:56 -04:00