VIRT-SANDBOX-SERVICE-CREATE(1)   Virtualization Support   VIRT-SANDBOX-SERVICE-CREATE(1)
NAME
virt-sandbox-service create - Create a Security container
SYNOPSIS
virt-sandbox-service [-c URI] create [-h] [-C] [-f FILE_TYPE]
[--homedir HOMEDIR] [-G GID] [-i IMAGESIZE]
[[-m TYPE:DST=SRC ] ...]
[-N NETWORK] [-p PATH] [-s SECURITY]
[[-u UNITFILES] ...] [--username USERNAME]
[-U UID] [[-P package] ... ]
NAME -- COMMAND [ARG1 [ARG2...]]
DESCRIPTION
virt-sandbox-service is used to manage secure sandboxed system
services. These applications are launched via libvirt and run
within a virtualization technology such as Linux Containers (LXC) or,
optionally, QEMU/KVM. The container or virtual machine is secured
by SELinux and resource-separated using cgroups.
The create command can set up a sandbox for running one or more systemd
unit files. It can also set up a sandbox for running a command in a
GenericContainer. Specify a unit file to create a SystemdContainer
and a command to create a GenericContainer.
OPTIONS
-h, --help
Display help message
-c URI, --connect URI
The connection URI for the hypervisor (currently only LXC URIs are
supported).
-u UNIT_FILE, --unitfile UNIT_FILE
Name of the systemd unit file to run within the Systemd
Container. Can be repeated if multiple unit files are required
within the sandbox. Cannot be specified if you are using a
COMMAND. If the unit file name ends with @, it is treated as a
template, and an instantiated systemd unit is created, using
the name of the container as the instance identifier.
-C, --copy
Copy content from /etc and /var directories that will be mounted
within the container.
-G GID, --gid GID
Set login gid to use within the container.
Default: "Login GID of UID".
-f FILETYPE, --filetype FILETYPE
Set SELinux file type to use within container.
Default: "svirt_lxc_file_t".
-p PATH, --path PATH
Set path to store container content. NB if this argument is used
when creating a container, the exact same argument must also be
used when later cloning or deleting the container.
Default: "/var/lib/libvirt/filesystems".
--homedir HOMEDIR
Set homedir path to use within container.
Default: "UID's Homedir".
-m TYPE:DST=SRC, --mount TYPE:DST=SRC
Sets up a mount inside the sandbox at DST backed by SRC. The
meaning of SRC depends on the value of "TYPE" specified:
host-bind
If TYPE is host-bind, then SRC is interpreted as the path to a
directory on the host filesystem. If "SRC" is the empty string,
then a temporary (empty) directory is created on the host
before starting the sandbox and deleted afterwards. The
"--include" option is useful for populating these temporary
directories with copies of host files.
host-image
If TYPE is host-image, then SRC is interpreted as the path to a
disk image file on the host filesystem. The image should be
formatted with a filesystem that can be auto-detected by the
sandbox, such as ext3, ext4, etc. The disk image itself should
be a raw file, not qcow2 or any other special format.
guest-bind
If TYPE is guest-bind, then SRC is interpreted as the path to
another directory in the container filesystem.
ram
If TYPE is ram, then SRC is interpreted as specifying the size
of the RAM disk in bytes. The suffix K, KiB, M, MiB, G, GiB can
be used to alter the units from bytes to a coarser level.
Some examples
-m host-bind:/tmp=/var/lib/sandbox/demo/tmp
-m host-image:/=/var/lib/sandbox/demo.img
-m guest-bind:/home=/tmp/home
-m ram:/tmp=500M
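The -m grammar above is easy to get subtly wrong (a relative DST, an unknown TYPE, a ram size without digits). The following POSIX sh function is an added example, not part of virt-sandbox-service; it checks a single TYPE:DST=SRC spec for syntactic validity before the spec is handed to the tool, and deliberately does not touch the host filesystem, so existence of SRC is not verified.

```shell
# validate_mount_spec SPEC
# Syntax check for one -m TYPE:DST=SRC argument as documented above.
# Returns 0 when the spec is well-formed, 1 (with a message on stderr) otherwise.
# Uses only POSIX sh constructs; sets a few shell variables as scratch space.
validate_mount_spec() {
    spec=$1
    case $spec in
        *:*=*) ;;
        *) echo "bad shape, want TYPE:DST=SRC: $spec" >&2; return 1 ;;
    esac
    mtype=${spec%%:*}          # text before the first ':'
    rest=${spec#*:}            # DST=SRC
    dst=${rest%%=*}            # text before the first '='
    src=${rest#*=}             # everything after it (may be empty)
    # DST is a path inside the sandbox and must be absolute
    case $dst in
        /*) ;;
        *) echo "DST must be an absolute path: $dst" >&2; return 1 ;;
    esac
    case $mtype in
        host-bind)
            # empty SRC means a temporary host directory; otherwise an absolute host path
            case $src in
                ""|/*) return 0 ;;
                *) echo "host-bind SRC must be empty or absolute: $src" >&2; return 1 ;;
            esac ;;
        host-image|guest-bind)
            case $src in
                /*) return 0 ;;
                *) echo "$mtype SRC must be an absolute path: $src" >&2; return 1 ;;
            esac ;;
        ram)
            # size in bytes, optionally suffixed with K, KiB, M, MiB, G or GiB
            sz=$src
            for suf in KiB MiB GiB K M G; do
                case $sz in *$suf) sz=${sz%$suf}; break ;; esac
            done
            case $sz in
                ""|*[!0-9]*) echo "ram SRC must be a size such as 500M: $src" >&2; return 1 ;;
                *) return 0 ;;
            esac ;;
        *)
            echo "unknown mount TYPE: $mtype" >&2; return 1 ;;
    esac
}
```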
-N NETWORK-OPTIONS, --network NETWORK-OPTIONS
Add a network interface to the sandbox. By default the sandbox will
only have a loopback interface. This option allows for connectivity
to the LAN in some manner. NETWORK-OPTIONS is a set of key=val
pairs, separated by commas. The following options are valid
dhcp
Configure the network interface using DHCP. This key takes no
value. No other keys may be specified, e.g.
-N dhcp,source=default
--network dhcp,source=lan
where 'source' is the name of any libvirt virtual network.
source=NETWORK
Set the name of the network to connect the interface to.
"NETWORK" is the name of any libvirt virtual network. See also
virsh net-list
mac=NN:NN:NN:NN:NN:NN
Set the MAC address of the network interface, where each NN is
a pair of hex digits.
address=IP-ADDRESS/PREFIX%BROADCAST
Configure the network interface with the static IPv4 or IPv6
address IP-ADDRESS. The PREFIX value is the length of the
network prefix in IP-ADDRESS. The optional BROADCAST parameter
specifies the broadcast address. Some examples
address=192.168.122.1/24
address=192.168.122.1/24%192.168.122.255
address=2001:212::204:2/64
route=IP-NETWORK/PREFIX%GATEWAY
Configure the network interface with the static IPv4 or IPv6
route IP-NETWORK. The PREFIX value is the length of the network
prefix in IP-NETWORK. The GATEWAY parameter specifies the
address of the gateway for the route. Some examples
route=192.168.122.255/24%192.168.1.1
-s SECURITY-OPTIONS, --security=SECURITY-OPTIONS
Use alternative security options. SECURITY-OPTIONS is a set of
key=val pairs, separated by commas. The following options are valid
for SELinux
dynamic
Dynamically allocate an SELinux label, using the default base
context. The default base context is
system_u:system_r:svirt_lxc_net_t:s0 for LXC,
system_u:system_r:svirt_t:s0 for KVM,
system_u:system_r:svirt_tcg_t:s0 for QEMU.
dynamic,label=USER:ROLE:TYPE:LEVEL
Dynamically allocate an SELinux label, using the base context
USER:ROLE:TYPE:LEVEL, instead of the default base context.
static,label=USER:ROLE:TYPE:LEVEL
To set a completely static label. For example,
static,label=system_u:system_r:svirt_t:s0:c412,c355
-i SIZE, --image SIZE
Create file system image file of this size to store container
content.
-P PACKAGE, --package PACKAGE
Package(s) to be used within the container.
-U UID, --uid UID
Set uid to use within container.
Default: "CURRENT UID".
--username USERNAME
Set username to use within container.
Default: "UID's Username".
EXAMPLE
Create httpd1 Systemd container
# virt-sandbox-service create -C -u httpd.service httpd1
Created container dir /var/lib/libvirt/filesystems/httpd1
Created sandbox config /etc/libvirt-sandbox/services/httpd1/config/sandbox.cfg
Created unit file /etc/systemd/system/httpd@httpd1.service
Create foobar1 Generic container
# virt-sandbox-service create -U 1234 foobar1 -- /usr/bin/foobar -a -b
Created container dir /var/lib/libvirt/filesystems/foobar1
Created sandbox config /etc/libvirt-sandbox/services/foobar1/config/sandbox.cfg
SEE ALSO
libvirt(8), selinux(8), systemd(8), "virt-sandbox-service(1)"
FILES
Container content will be stored in subdirectories of
"/var/lib/libvirt/filesystems", by default. You can manage the content
in these directories outside of the container and processes within the
container will see the content.
AUTHORS
Daniel Walsh <dwalsh@redhat.com>
Daniel P. Berrange <dan@berrange.com>
COPYRIGHT
Copyright (C) 2011-2013 Red Hat, Inc.
LICENSE
virt-sandbox is distributed under the terms of the GNU LGPL v2+. This
is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
libvirt-sandbox-0.5.0 2013-10-03 VIRT-SANDBOX-SERVICE-CREATE(1)