SYSTEMD-NSPAWN(1)              systemd-nspawn              SYSTEMD-NSPAWN(1)
NAME
systemd-nspawn - Spawn a namespace container for debugging, testing and
building
SYNOPSIS
systemd-nspawn [OPTIONS...] [COMMAND] [ARGS...]
DESCRIPTION
systemd-nspawn may be used to run a command or OS in a light-weight
namespace container. In many ways it is similar to chroot(1), but more
powerful since it fully virtualizes the file system hierarchy, as well
as the process tree, the various IPC subsystems and the host and domain
name.
systemd-nspawn limits access to various kernel interfaces in the
container to read-only, such as /sys, /proc/sys or /sys/fs/selinux.
Network interfaces and the system clock may not be changed from within
the container. Device nodes may not be created. The host system cannot
be rebooted and kernel modules may not be loaded from within the
container.
Note that even though these security precautions are taken,
systemd-nspawn is not suitable for secure container setups. Many of the
security features may be circumvented and are hence primarily useful to
avoid accidental changes to the host system from the container. The
intended use of this program is debugging and testing, as well as
building of packages, distributions and software involved with boot and
systems management.
In contrast to chroot(1) systemd-nspawn may be used to boot full
Linux-based operating systems in a container.
Use a tool like yum(8) or debootstrap(8) to set up an OS directory tree
suitable as file system hierarchy for systemd-nspawn containers.
Note that systemd-nspawn will mount file systems private to the
container to /dev, /run and similar. These will not be visible outside
of the container, and their contents will be lost when the container
exits.
Note that running two systemd-nspawn containers from the same directory
tree will not make processes in them see each other. The PID namespace
separation of the two containers is complete and the containers will
share very few runtime objects except for the underlying file system.
OPTIONS
If no arguments are passed the container is set up and a shell started
in it, otherwise the passed command and arguments are executed in it.
The following options are understood:
--help, -h
Prints a short help text and exits.
--directory=, -D
Directory to use as file system root for the namespace container.
If omitted the current directory will be used.
--boot, -b
Automatically search for an init binary and invoke it instead of a
shell or a user supplied program.
--user=, -u
Run the command under the specified user, create that user's home
directory and cd into it. Like the rest of systemd-nspawn, this is
not a security feature; it only limits accidental changes.
--uuid=
Set the specified uuid for the container. The init system will
initialize /etc/machine-id from this if this file is not set yet.
--controllers=, -C
Makes the container appear in other cgroup hierarchies than the
name=systemd:/ one. Takes a comma-separated list of controllers.
--private-network
Turn off networking in the container. This makes all network
interfaces unavailable in the container, with the exception of the
loopback device.
--read-only
Mount the root file system read only for the container.
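The DESCRIPTION above lists what a container may not do (write /sys or
/proc/sys, create device nodes, reach host network interfaces, see host
processes, change the host's name) and the OPTIONS above add
--private-network and --read-only. The script below is an added example,
not part of this man page or of the systemd project: it runs a probe
inside a container with those two options and fails if any listed
restriction does not hold. It assumes root, systemd-nspawn on PATH and
an OS tree such as the one EXAMPLE 2 builds; the probe file name, the
key=value output format and the threshold of 16 visible processes are
conventions of this example only. Passing these checks confirms the
accident-prevention behaviour the page describes, not a security
boundary, which the page explicitly says systemd-nspawn does not
provide.

```shell
#!/bin/sh
# Added example (not from the systemd-nspawn man page or the systemd
# project). Probes, from inside a container, whether the restrictions the
# DESCRIPTION section lists actually hold. Assumes root, systemd-nspawn on
# PATH and an OS tree built as in EXAMPLE 2 (assumed path given by caller).

# Script executed inside the container. Every line reports one capability
# as key=value so the result can be judged on the host side.
probe_script() {
    cat <<'EOF'
echo "pid1=$(cat /proc/1/comm)"
echo "nproc=$(ls -d /proc/[0-9]* | wc -l)"
touch /sys/nspawn_probe 2>/dev/null && echo sys_writable=1 || echo sys_writable=0
( echo 1 > /proc/sys/kernel/sysrq ) 2>/dev/null && echo procsys_writable=1 || echo procsys_writable=0
mknod /dev/nspawn_probe c 1 3 2>/dev/null && echo mknod_ok=1 || echo mknod_ok=0
echo "ifaces=$(ls /sys/class/net | xargs)"
hostname nspawn-probe >/dev/null 2>&1 || true
EOF
}

# Extract one key from probe output. The container's output arrives via a
# pty, so strip carriage returns before comparing values.
probe_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1 | tr -d '\r'
}

# Judge probe output against the man page's claims. Prints each failed
# expectation; returns 0 when all hold, 1 otherwise.
evaluate_probe() {
    out="$1"; rc=0
    n="$(probe_get nproc "$out")"
    [ "$(probe_get pid1 "$out")" = sh ] \
        || { echo "FAIL: PID 1 is not the spawned shell (no PID namespace?)"; rc=1; }
    [ -n "$n" ] && [ "$n" -lt 16 ] \
        || { echo "FAIL: too many processes visible (host /proc leaked?)"; rc=1; }
    [ "$(probe_get sys_writable "$out")" = 0 ] \
        || { echo "FAIL: /sys is writable"; rc=1; }
    [ "$(probe_get procsys_writable "$out")" = 0 ] \
        || { echo "FAIL: /proc/sys is writable"; rc=1; }
    [ "$(probe_get mknod_ok "$out")" = 0 ] \
        || { echo "FAIL: device node could be created"; rc=1; }
    [ "$(probe_get ifaces "$out")" = lo ] \
        || { echo "FAIL: interfaces beyond loopback are visible"; rc=1; }
    return $rc
}

# Drop the probe into the tree (on the host, before the root is mounted
# read-only inside the container), run it under --private-network and
# --read-only, then verify the host's own hostname was not touched.
run_isolation_check() {
    tree="$1"
    host_hostname="$(hostname)"
    probe_script > "$tree/root/nspawn-probe.sh"
    out="$(systemd-nspawn -D "$tree" --private-network --read-only \
           /bin/sh /root/nspawn-probe.sh)"
    rm -f "$tree/root/nspawn-probe.sh"
    evaluate_probe "$out" || return 1
    [ "$(hostname)" = "$host_hostname" ] \
        || { echo "FAIL: hostname change leaked to the host"; return 1; }
    echo "isolation checks passed"
}

# Usage (as root, after building a tree as in EXAMPLE 2):
#   sh nspawn-check.sh ~/debian-tree
if [ -n "$1" ]; then run_isolation_check "$1"; fi
```

A container that passes shows the accident-prevention behaviour the
DESCRIPTION promises. A container that fails one of these checks is
misconfigured for the page's intended use; it should not be read as a
vulnerability, since the page states the restrictions can be
circumvented anyway.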
EXAMPLE 1
# yum --releasever=17 --nogpgcheck --installroot ~/fedora-tree/ install yum passwd vim-minimal rootfiles systemd
# systemd-nspawn -D ~/fedora-tree /usr/lib/systemd/systemd
This installs a minimal Fedora distribution into the directory
~/fedora-tree/ and then boots an OS in a namespace container in it,
with systemd as init system.
EXAMPLE 2
# debootstrap --arch=amd64 unstable ~/debian-tree/
# systemd-nspawn -D ~/debian-tree/
This installs a minimal Debian unstable distribution into the directory
~/debian-tree/ and then spawns a shell in a namespace container in it.
EXIT STATUS
The exit code of the program executed in the container is returned.
SEE ALSO
systemd(1), chroot(1), yum(8), debootstrap(8)
AUTHOR
Lennart Poettering <lennart@poettering.net>
Developer
systemd 02/15/2013 SYSTEMD-NSPAWN(1)