Abuse filter log

From Gentoo Wiki
Details for log entry 4,940

16:27, 7 November 2024: Hololeap (talk | contribs) triggered filter 30, performing the action "edit" on Systemd/systemd-nspawn. Actions taken: Disallow; Filter description: Disable writing internal wiki links as external besides required links. If absolutely necessary, use wiki.g.o as a workaround. (examine)

Changes made in edit

 
* [https://blog.oddbit.com/post/2016-02-07-systemd-nspawn-for-fun-and-wel/ Systemd-nspawn for fun and… well, mostly for fun]
 
* [https://blog.oddbit.com/post/2016-02-07-systemd-nspawn-for-fun-and-wel/ Systemd-nspawn for fun and… well, mostly for fun]
 
* [https://benjamintoll.com/2022/02/04/on-running-systemd-nspawn-containers/ On Running systemd-nspawn Containers]
 
* [https://benjamintoll.com/2022/02/04/on-running-systemd-nspawn-containers/ On Running systemd-nspawn Containers]
 +
* [https://wiki.gentoo.org/wiki/User:Ajak/systemd-nspawn_for_Development_and_Update_Automation]
  
 
=== Image Repositories ===
 
=== Image Repositories ===
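Review bot: the added line writes an internal page as a bare external URL with no link text, which is exactly what filter 30 (described in the log header above) disallows, so the edit will keep being rejected as submitted. Use the wikilink form instead, e.g. `* [[User:Ajak/systemd-nspawn_for_Development_and_Update_Automation|systemd-nspawn for Development and Update Automation]]`, which also gives the entry a readable title like the neighbouring list items.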

Action parameters

Variable / Value
Edit count of the user (user_editcount)
55
Name of the user account (user_name)
'Hololeap'
Age of the user account (user_age)
295807609
Page ID (page_id)
334302
Page namespace (page_namespace)
0
Page title (without namespace) (page_title)
'Systemd/systemd-nspawn'
Full page title (page_prefixedtitle)
'Systemd/systemd-nspawn'
Action (action)
'edit'
Edit summary/reason (summary)
'Add Ajak's systemd-nspawn page'
Old content model (old_content_model)
'wikitext'
New content model (new_content_model)
'wikitext'
Old page wikitext, before the edit (old_wikitext)
'{{lowercase title}} {{Stub}} {{InfoBox stack |{{InfoBox project|systemd|header=true}} |{{InfoBox homepage|https://nspawn.org/}} |{{InfoBox odoc|https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html}} }} '''{{c|systemd-nspawn}}''' is [[Article description::a lightweight, loosely {{Link|chroot}}-like, OS-level [https://opencontainers.org/ OCI container] environment native to {{Link|systemd}}.]] Each container exists in its own namespace but within the host's running kernel. Thus, no hardware emulation is taking place and unlike {{Link|QEMU}} and {{Link|Virtualbox}} non-native CPU instruction sets are not directly supported. Like a lot of technologies, containerization has trade-offs. A core benefit of containerization is that there is much less overhead than with a traditional virtual machine, so it's possible to spawn a large number of containers much more quickly than a large number of VMs. Unfortunately, though uncommon, exploits leading to container escapes have happened and are more prevalent than VM escapes. Further, any containerized processes that causes a kernel crash will bring down the host system as they share a kernel. Lastly, containers are not, by default, more secure than any other processes on the host system. Hardening containers can be done through a mix of technologies such as cgroups, to constrain resource utilization, and {{Link|SELinux}} to prevent privilege escalation and enforce access controls. == Installation == In order to use {{c|systemd-nspawn}} a system must be set to a {{Link|Profile_(Portage)|profile}} that uses the {{Link|systemd}} init system. === Files === * {{Path|/var/lib/machines/*}} — the canonical location for {{c|systemd-nspawn}} container file systems. To prevent confusion, it is best practice to name the subdirectory holding the container's root file system after the container's hostname. 
=== Service === Assuming a properly structured and syntactically unit file, containers should be discoverable by {{c|machinectl}}. The unit file needs to be located at {{path|/etc/systemd/nswpan/<machine_name>.nspawn}}. Thereafter it can be managed like any other service. == Usage == Assuming, for example, a Gentoo root file system exists at {{path|/var/lib/machines/larrythecow/}} that has been extracted from a stage3 tarball for the host's instruction set architecture the following commands should bring the container up: {{RootCmd|systemd-nspawn -b -D /var/lib/machines/larrythecow}} The handbook can be followed as normal from this point forward excluding unnecessary bits, such as kernel and bootloader configuration. Once done, the container can be used by itself or as an up-to-date template from which other containers can be spawned. The latter case is made easier if the container's root file system is stored on a {{Link|Btrfs|BTRFS}} subvolume. === Invocation === {{Invocation|systemd-nspawn --help|output=<pre> systemd-nspawn [OPTIONS...] [PATH] [ARGUMENTS...] Spawn a command or OS in a light-weight container. 
-h --help Show this help --version Print version string -q --quiet Do not show status information --no-pager Do not pipe output into a pager --settings=BOOLEAN Load additional settings from .nspawn file Image: -D --directory=PATH Root directory for the container --template=PATH Initialize root directory from template directory, if missing -x --ephemeral Run container with snapshot of root directory, and remove it after exit -i --image=PATH Root file system disk image (or device node) for the container --oci-bundle=PATH OCI bundle directory --read-only Mount the root directory read-only --volatile[=MODE] Run the system in volatile mode --root-hash=HASH Specify verity root hash for root disk image --root-hash-sig=SIG Specify pkcs7 signature of root hash for verity as a DER encoded PKCS7, either as a path to a file or as an ASCII base64 encoded string prefixed by 'base64:' --verity-data=PATH Specify hash device for verity --pivot-root=PATH[:PATH] Pivot root to given directory in the container Execution: -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2 -b --boot Boot up full system (i.e. 
invoke init) --chdir=PATH Set working directory in the container -E --setenv=NAME[=VALUE] Pass an environment variable to PID 1 -u --user=USER Run the command under specified user or UID --kill-signal=SIGNAL Select signal to use for shutting down PID 1 --notify-ready=BOOLEAN Receive notifications from the child init process --suppress-sync=BOOLEAN Suppress any form of disk data synchronization System Identity: -M --machine=NAME Set the machine name for the container --hostname=NAME Override the hostname for the container --uuid=UUID Set a specific machine UUID for the container Properties: -S --slice=SLICE Place the container in the specified slice --property=NAME=VALUE Set scope unit property --register=BOOLEAN Register container as machine --keep-unit Do not register a scope for the machine, reuse the service unit nspawn is running in User Namespacing: --private-users=no Run without user namespacing --private-users=yes|pick|identity Run within user namespace, autoselect UID/GID range --private-users=UIDBASE[:NUIDS] Similar, but with user configured UID/GID range --private-users-ownership=MODE Adjust ('chown') or map ('map') OS tree ownership to private UID/GID range -U Equivalent to --private-users=pick and --private-users-ownership=auto Networking: --private-network Disable network in container --network-interface=INTERFACE Assign an existing network interface to the container --network-macvlan=INTERFACE Create a macvlan network interface based on an existing network interface to the container --network-ipvlan=INTERFACE Create an ipvlan network interface based on an existing network interface to the container -n --network-veth Add a virtual Ethernet connection between host and container --network-veth-extra=HOSTIF[:CONTAINERIF] Add an additional virtual Ethernet link between host and container --network-bridge=INTERFACE Add a virtual Ethernet connection to the container and attach it to an existing bridge on the host --network-zone=NAME Similar, but attach the 
new interface to an an automatically managed bridge interface --network-namespace-path=PATH Set network namespace to the one represented by the specified kernel namespace file node -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT] Expose a container IP port on the host Security: --capability=CAP In addition to the default, retain specified capability --drop-capability=CAP Drop the specified capability from the default set --ambient-capability=CAP Sets the specified capability for the started process. Not useful if booting a machine. --no-new-privileges Set PR_SET_NO_NEW_PRIVS flag for container payload --system-call-filter=LIST|~LIST Permit/prohibit specific system calls -Z --selinux-context=SECLABEL Set the SELinux security context to be used by processes in the container -L --selinux-apifs-context=SECLABEL Set the SELinux security context to be used by API/tmpfs file systems in the container Resources: --rlimit=NAME=LIMIT Set a resource limit for the payload --oom-score-adjust=VALUE Adjust the OOM score value for the payload --cpu-affinity=CPUS Adjust the CPU affinity of the container --personality=ARCH Pick personality for this container Integration: --resolv-conf=MODE Select mode of /etc/resolv.conf initialization --timezone=MODE Select mode of /etc/localtime initialization --link-journal=MODE Link up guest journal, one of no, auto, guest, host, try-guest, try-host -j Equivalent to --link-journal=try-guest Mounts: --bind=PATH[:PATH[:OPTIONS]] Bind mount a file or directory from the host into the container --bind-ro=PATH[:PATH[:OPTIONS] Similar, but creates a read-only bind mount --inaccessible=PATH Over-mount file node with inaccessible node to mask it --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory --overlay=PATH[:PATH...]:PATH Create an overlay mount from the host to the container --overlay-ro=PATH[:PATH...]:PATH Similar, but creates a read-only overlay mount --bind-user=NAME Bind user from host to container Input/Output: --console=MODE 
Select how stdin/stdout/stderr and /dev/console are set up for the container. -P --pipe Equivalent to --console=pipe Credentials: --set-credential=ID:VALUE Pass a credential with literal value to container. --load-credential=ID:PATH Load credential to pass to container from file or AF_UNIX stream socket. See the systemd-nspawn(1) man page for details. </pre>}} == Container setup == === OpenRC === Import the releng GPG key so that systemd can find it. {{RootCmd|gpg --no-default-keyring --primary-keyring{{=}}/etc/systemd/import-pubring.gpg --auto-key-locate{{=}}clear,nodefault,wkd --locate-key releng@gentoo.org}} Unpack a stage3 in /var/lib/machines. {{RootCmd|machinectl pull-tar https://distfiles.gentoo.org/releases/amd64/autobuilds/20240317T170433Z/stage3-amd64-openrc-20240317T170433Z.tar.xz openrc-20240317}} Edit /var/lib/machines/.../etc/inittab to disable agetty on tty[1-6] and enable it on console. {{FileBox|filename=/etc/inittab|1= # TERMINALS x1:12345:respawn:/sbin/agetty 38400 console linux #c1:12345:respawn:/sbin/agetty --noclear 38400 tty1 linux #c2:2345:respawn:/sbin/agetty 38400 tty2 linux #c3:2345:respawn:/sbin/agetty 38400 tty3 linux #c4:2345:respawn:/sbin/agetty 38400 tty4 linux #c5:2345:respawn:/sbin/agetty 38400 tty5 linux #c6:2345:respawn:/sbin/agetty 38400 tty6 linux }} Clear the root password in /var/lib/machines/.../etc/shadow. {{FileBox|filename=/etc/shadow|1= root::10770:0::::: }} Invoke systemd-nspawn with the -b option to boot. {{RootCmd|systemd-nspawn -M openrc-20240317 -b}} == Troubleshooting == === Can I combine QEMU and {{c|systemd-nspawn}} to cross-compile binaries? === Yes, follow the instructions to {{Link|Embedded_Handbook/General/Compiling_with_qemu_user_chroot|build QEMU with static-user support}}. Make sure the systemd-binfmt service is enabled. 
Then, start the container as normal: {{RootCmd|systemd-nspawn -D /var/lib/machines/<container_with_different_cpu_isa>}} == See also == * {{See also|Docker}} * {{See also|Podman}} * {{See also|LXC}} * {{See also|LXD}} == External resources == * [https://rich0gentoo.wordpress.com/2014/07/14/quick-systemd-nspawn-guide/ Rich0's Gentoo Blog: Quick systemd-nspawn guide] * [https://blog.oddbit.com/post/2016-02-07-systemd-nspawn-for-fun-and-wel/ Systemd-nspawn for fun and… well, mostly for fun] * [https://benjamintoll.com/2022/02/04/on-running-systemd-nspawn-containers/ On Running systemd-nspawn Containers] === Image Repositories === * [https://nspawn.org/images/ https://nspawn.org/images/] [[Category:Virtualization]] [[Category:Systemd]]'
New page wikitext, after the edit (new_wikitext)
'{{lowercase title}} {{Stub}} {{InfoBox stack |{{InfoBox project|systemd|header=true}} |{{InfoBox homepage|https://nspawn.org/}} |{{InfoBox odoc|https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html}} }} '''{{c|systemd-nspawn}}''' is [[Article description::a lightweight, loosely {{Link|chroot}}-like, OS-level [https://opencontainers.org/ OCI container] environment native to {{Link|systemd}}.]] Each container exists in its own namespace but within the host's running kernel. Thus, no hardware emulation is taking place and unlike {{Link|QEMU}} and {{Link|Virtualbox}} non-native CPU instruction sets are not directly supported. Like a lot of technologies, containerization has trade-offs. A core benefit of containerization is that there is much less overhead than with a traditional virtual machine, so it's possible to spawn a large number of containers much more quickly than a large number of VMs. Unfortunately, though uncommon, exploits leading to container escapes have happened and are more prevalent than VM escapes. Further, any containerized processes that causes a kernel crash will bring down the host system as they share a kernel. Lastly, containers are not, by default, more secure than any other processes on the host system. Hardening containers can be done through a mix of technologies such as cgroups, to constrain resource utilization, and {{Link|SELinux}} to prevent privilege escalation and enforce access controls. == Installation == In order to use {{c|systemd-nspawn}} a system must be set to a {{Link|Profile_(Portage)|profile}} that uses the {{Link|systemd}} init system. === Files === * {{Path|/var/lib/machines/*}} — the canonical location for {{c|systemd-nspawn}} container file systems. To prevent confusion, it is best practice to name the subdirectory holding the container's root file system after the container's hostname. 
=== Service === Assuming a properly structured and syntactically unit file, containers should be discoverable by {{c|machinectl}}. The unit file needs to be located at {{path|/etc/systemd/nswpan/<machine_name>.nspawn}}. Thereafter it can be managed like any other service. == Usage == Assuming, for example, a Gentoo root file system exists at {{path|/var/lib/machines/larrythecow/}} that has been extracted from a stage3 tarball for the host's instruction set architecture the following commands should bring the container up: {{RootCmd|systemd-nspawn -b -D /var/lib/machines/larrythecow}} The handbook can be followed as normal from this point forward excluding unnecessary bits, such as kernel and bootloader configuration. Once done, the container can be used by itself or as an up-to-date template from which other containers can be spawned. The latter case is made easier if the container's root file system is stored on a {{Link|Btrfs|BTRFS}} subvolume. === Invocation === {{Invocation|systemd-nspawn --help|output=<pre> systemd-nspawn [OPTIONS...] [PATH] [ARGUMENTS...] Spawn a command or OS in a light-weight container. 
-h --help Show this help --version Print version string -q --quiet Do not show status information --no-pager Do not pipe output into a pager --settings=BOOLEAN Load additional settings from .nspawn file Image: -D --directory=PATH Root directory for the container --template=PATH Initialize root directory from template directory, if missing -x --ephemeral Run container with snapshot of root directory, and remove it after exit -i --image=PATH Root file system disk image (or device node) for the container --oci-bundle=PATH OCI bundle directory --read-only Mount the root directory read-only --volatile[=MODE] Run the system in volatile mode --root-hash=HASH Specify verity root hash for root disk image --root-hash-sig=SIG Specify pkcs7 signature of root hash for verity as a DER encoded PKCS7, either as a path to a file or as an ASCII base64 encoded string prefixed by 'base64:' --verity-data=PATH Specify hash device for verity --pivot-root=PATH[:PATH] Pivot root to given directory in the container Execution: -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2 -b --boot Boot up full system (i.e. 
invoke init) --chdir=PATH Set working directory in the container -E --setenv=NAME[=VALUE] Pass an environment variable to PID 1 -u --user=USER Run the command under specified user or UID --kill-signal=SIGNAL Select signal to use for shutting down PID 1 --notify-ready=BOOLEAN Receive notifications from the child init process --suppress-sync=BOOLEAN Suppress any form of disk data synchronization System Identity: -M --machine=NAME Set the machine name for the container --hostname=NAME Override the hostname for the container --uuid=UUID Set a specific machine UUID for the container Properties: -S --slice=SLICE Place the container in the specified slice --property=NAME=VALUE Set scope unit property --register=BOOLEAN Register container as machine --keep-unit Do not register a scope for the machine, reuse the service unit nspawn is running in User Namespacing: --private-users=no Run without user namespacing --private-users=yes|pick|identity Run within user namespace, autoselect UID/GID range --private-users=UIDBASE[:NUIDS] Similar, but with user configured UID/GID range --private-users-ownership=MODE Adjust ('chown') or map ('map') OS tree ownership to private UID/GID range -U Equivalent to --private-users=pick and --private-users-ownership=auto Networking: --private-network Disable network in container --network-interface=INTERFACE Assign an existing network interface to the container --network-macvlan=INTERFACE Create a macvlan network interface based on an existing network interface to the container --network-ipvlan=INTERFACE Create an ipvlan network interface based on an existing network interface to the container -n --network-veth Add a virtual Ethernet connection between host and container --network-veth-extra=HOSTIF[:CONTAINERIF] Add an additional virtual Ethernet link between host and container --network-bridge=INTERFACE Add a virtual Ethernet connection to the container and attach it to an existing bridge on the host --network-zone=NAME Similar, but attach the 
new interface to an an automatically managed bridge interface --network-namespace-path=PATH Set network namespace to the one represented by the specified kernel namespace file node -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT] Expose a container IP port on the host Security: --capability=CAP In addition to the default, retain specified capability --drop-capability=CAP Drop the specified capability from the default set --ambient-capability=CAP Sets the specified capability for the started process. Not useful if booting a machine. --no-new-privileges Set PR_SET_NO_NEW_PRIVS flag for container payload --system-call-filter=LIST|~LIST Permit/prohibit specific system calls -Z --selinux-context=SECLABEL Set the SELinux security context to be used by processes in the container -L --selinux-apifs-context=SECLABEL Set the SELinux security context to be used by API/tmpfs file systems in the container Resources: --rlimit=NAME=LIMIT Set a resource limit for the payload --oom-score-adjust=VALUE Adjust the OOM score value for the payload --cpu-affinity=CPUS Adjust the CPU affinity of the container --personality=ARCH Pick personality for this container Integration: --resolv-conf=MODE Select mode of /etc/resolv.conf initialization --timezone=MODE Select mode of /etc/localtime initialization --link-journal=MODE Link up guest journal, one of no, auto, guest, host, try-guest, try-host -j Equivalent to --link-journal=try-guest Mounts: --bind=PATH[:PATH[:OPTIONS]] Bind mount a file or directory from the host into the container --bind-ro=PATH[:PATH[:OPTIONS] Similar, but creates a read-only bind mount --inaccessible=PATH Over-mount file node with inaccessible node to mask it --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory --overlay=PATH[:PATH...]:PATH Create an overlay mount from the host to the container --overlay-ro=PATH[:PATH...]:PATH Similar, but creates a read-only overlay mount --bind-user=NAME Bind user from host to container Input/Output: --console=MODE 
Select how stdin/stdout/stderr and /dev/console are set up for the container. -P --pipe Equivalent to --console=pipe Credentials: --set-credential=ID:VALUE Pass a credential with literal value to container. --load-credential=ID:PATH Load credential to pass to container from file or AF_UNIX stream socket. See the systemd-nspawn(1) man page for details. </pre>}} == Container setup == === OpenRC === Import the releng GPG key so that systemd can find it. {{RootCmd|gpg --no-default-keyring --primary-keyring{{=}}/etc/systemd/import-pubring.gpg --auto-key-locate{{=}}clear,nodefault,wkd --locate-key releng@gentoo.org}} Unpack a stage3 in /var/lib/machines. {{RootCmd|machinectl pull-tar https://distfiles.gentoo.org/releases/amd64/autobuilds/20240317T170433Z/stage3-amd64-openrc-20240317T170433Z.tar.xz openrc-20240317}} Edit /var/lib/machines/.../etc/inittab to disable agetty on tty[1-6] and enable it on console. {{FileBox|filename=/etc/inittab|1= # TERMINALS x1:12345:respawn:/sbin/agetty 38400 console linux #c1:12345:respawn:/sbin/agetty --noclear 38400 tty1 linux #c2:2345:respawn:/sbin/agetty 38400 tty2 linux #c3:2345:respawn:/sbin/agetty 38400 tty3 linux #c4:2345:respawn:/sbin/agetty 38400 tty4 linux #c5:2345:respawn:/sbin/agetty 38400 tty5 linux #c6:2345:respawn:/sbin/agetty 38400 tty6 linux }} Clear the root password in /var/lib/machines/.../etc/shadow. {{FileBox|filename=/etc/shadow|1= root::10770:0::::: }} Invoke systemd-nspawn with the -b option to boot. {{RootCmd|systemd-nspawn -M openrc-20240317 -b}} == Troubleshooting == === Can I combine QEMU and {{c|systemd-nspawn}} to cross-compile binaries? === Yes, follow the instructions to {{Link|Embedded_Handbook/General/Compiling_with_qemu_user_chroot|build QEMU with static-user support}}. Make sure the systemd-binfmt service is enabled. 
Then, start the container as normal: {{RootCmd|systemd-nspawn -D /var/lib/machines/<container_with_different_cpu_isa>}} == See also == * {{See also|Docker}} * {{See also|Podman}} * {{See also|LXC}} * {{See also|LXD}} == External resources == * [https://rich0gentoo.wordpress.com/2014/07/14/quick-systemd-nspawn-guide/ Rich0's Gentoo Blog: Quick systemd-nspawn guide] * [https://blog.oddbit.com/post/2016-02-07-systemd-nspawn-for-fun-and-wel/ Systemd-nspawn for fun and… well, mostly for fun] * [https://benjamintoll.com/2022/02/04/on-running-systemd-nspawn-containers/ On Running systemd-nspawn Containers] * [https://wiki.gentoo.org/wiki/User:Ajak/systemd-nspawn_for_Development_and_Update_Automation] === Image Repositories === * [https://nspawn.org/images/ https://nspawn.org/images/] [[Category:Virtualization]] [[Category:Systemd]]'
Unified diff of changes made by edit (edit_diff)
'@@ -239,4 +239,5 @@ * [https://blog.oddbit.com/post/2016-02-07-systemd-nspawn-for-fun-and-wel/ Systemd-nspawn for fun and… well, mostly for fun] * [https://benjamintoll.com/2022/02/04/on-running-systemd-nspawn-containers/ On Running systemd-nspawn Containers] +* [https://wiki.gentoo.org/wiki/User:Ajak/systemd-nspawn_for_Development_and_Update_Automation] === Image Repositories === '
Old page size (old_size)
12790
Lines added in edit (added_lines)
[ 0 => '* [https://wiki.gentoo.org/wiki/User:Ajak/systemd-nspawn_for_Development_and_Update_Automation]' ]
Lines removed in edit (removed_lines)
[]
New page text, stripped of any markup (new_text)
' This article is a stub. Please help out by expanding it - how to get started. Resources Project Home Official documentation systemd-nspawn is a lightweight, loosely chroot-like, OS-level OCI container environment native to systemd. Each container exists in its own namespace but within the host's running kernel. Thus, no hardware emulation is taking place and unlike QEMU and Virtualbox non-native CPU instruction sets are not directly supported. Like a lot of technologies, containerization has trade-offs. A core benefit of containerization is that there is much less overhead than with a traditional virtual machine, so it's possible to spawn a large number of containers much more quickly than a large number of VMs. Unfortunately, though uncommon, exploits leading to container escapes have happened and are more prevalent than VM escapes. Further, any containerized processes that causes a kernel crash will bring down the host system as they share a kernel. Lastly, containers are not, by default, more secure than any other processes on the host system. Hardening containers can be done through a mix of technologies such as cgroups, to constrain resource utilization, and SELinux to prevent privilege escalation and enforce access controls. Contents 1 Installation 1.1 Files 1.2 Service 2 Usage 2.1 Invocation 3 Container setup 3.1 OpenRC 4 Troubleshooting 4.1 Can I combine QEMU and systemd-nspawn to cross-compile binaries? 5 See also 6 External resources 6.1 Image Repositories Installation[edit] In order to use systemd-nspawn a system must be set to a profile that uses the systemd init system. Files[edit] /var/lib/machines/* — the canonical location for systemd-nspawn container file systems. To prevent confusion, it is best practice to name the subdirectory holding the container's root file system after the container's hostname. Service[edit] Assuming a properly structured and syntactically unit file, containers should be discoverable by machinectl. 
The unit file needs to be located at /etc/systemd/nswpan/&lt;machine_name&gt;.nspawn. Thereafter it can be managed like any other service. Usage[edit] Assuming, for example, a Gentoo root file system exists at /var/lib/machines/larrythecow/ that has been extracted from a stage3 tarball for the host's instruction set architecture the following commands should bring the container up: root #systemd-nspawn -b -D /var/lib/machines/larrythecow The handbook can be followed as normal from this point forward excluding unnecessary bits, such as kernel and bootloader configuration. Once done, the container can be used by itself or as an up-to-date template from which other containers can be spawned. The latter case is made easier if the container's root file system is stored on a BTRFS subvolume. Invocation[edit] user $systemd-nspawn --helpsystemd-nspawn [OPTIONS...] [PATH] [ARGUMENTS...] Spawn a command or OS in a light-weight container. -h --help Show this help --version Print version string -q --quiet Do not show status information --no-pager Do not pipe output into a pager --settings=BOOLEAN Load additional settings from .nspawn file Image: -D --directory=PATH Root directory for the container --template=PATH Initialize root directory from template directory, if missing -x --ephemeral Run container with snapshot of root directory, and remove it after exit -i --image=PATH Root file system disk image (or device node) for the container --oci-bundle=PATH OCI bundle directory --read-only Mount the root directory read-only --volatile[=MODE] Run the system in volatile mode --root-hash=HASH Specify verity root hash for root disk image --root-hash-sig=SIG Specify pkcs7 signature of root hash for verity as a DER encoded PKCS7, either as a path to a file or as an ASCII base64 encoded string prefixed by 'base64:' --verity-data=PATH Specify hash device for verity --pivot-root=PATH[:PATH] Pivot root to given directory in the container Execution: -a --as-pid2 Maintain a stub init as 
PID1, invoke binary as PID2 -b --boot Boot up full system (i.e. invoke init) --chdir=PATH Set working directory in the container -E --setenv=NAME[=VALUE] Pass an environment variable to PID 1 -u --user=USER Run the command under specified user or UID --kill-signal=SIGNAL Select signal to use for shutting down PID 1 --notify-ready=BOOLEAN Receive notifications from the child init process --suppress-sync=BOOLEAN Suppress any form of disk data synchronization System Identity: -M --machine=NAME Set the machine name for the container --hostname=NAME Override the hostname for the container --uuid=UUID Set a specific machine UUID for the container Properties: -S --slice=SLICE Place the container in the specified slice --property=NAME=VALUE Set scope unit property --register=BOOLEAN Register container as machine --keep-unit Do not register a scope for the machine, reuse the service unit nspawn is running in User Namespacing: --private-users=no Run without user namespacing --private-users=yes|pick|identity Run within user namespace, autoselect UID/GID range --private-users=UIDBASE[:NUIDS] Similar, but with user configured UID/GID range --private-users-ownership=MODE Adjust ('chown') or map ('map') OS tree ownership to private UID/GID range -U Equivalent to --private-users=pick and --private-users-ownership=auto Networking: --private-network Disable network in container --network-interface=INTERFACE Assign an existing network interface to the container --network-macvlan=INTERFACE Create a macvlan network interface based on an existing network interface to the container --network-ipvlan=INTERFACE Create an ipvlan network interface based on an existing network interface to the container -n --network-veth Add a virtual Ethernet connection between host and container --network-veth-extra=HOSTIF[:CONTAINERIF] Add an additional virtual Ethernet link between host and container --network-bridge=INTERFACE Add a virtual Ethernet connection to the container and attach it to an existing 
bridge on the host
     --network-zone=NAME       Similar, but attach the new interface to an an automatically managed bridge interface
     --network-namespace-path=PATH
                               Set network namespace to the one represented by the specified kernel namespace file node
  -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]
                               Expose a container IP port on the host

Security:
     --capability=CAP          In addition to the default, retain specified capability
     --drop-capability=CAP     Drop the specified capability from the default set
     --ambient-capability=CAP  Sets the specified capability for the started process. Not useful if booting a machine.
     --no-new-privileges       Set PR_SET_NO_NEW_PRIVS flag for container payload
     --system-call-filter=LIST|~LIST
                               Permit/prohibit specific system calls
  -Z --selinux-context=SECLABEL
                               Set the SELinux security context to be used by processes in the container
  -L --selinux-apifs-context=SECLABEL
                               Set the SELinux security context to be used by API/tmpfs file systems in the container

Resources:
     --rlimit=NAME=LIMIT       Set a resource limit for the payload
     --oom-score-adjust=VALUE  Adjust the OOM score value for the payload
     --cpu-affinity=CPUS       Adjust the CPU affinity of the container
     --personality=ARCH        Pick personality for this container

Integration:
     --resolv-conf=MODE        Select mode of /etc/resolv.conf initialization
     --timezone=MODE           Select mode of /etc/localtime initialization
     --link-journal=MODE       Link up guest journal, one of no, auto, guest, host, try-guest, try-host
  -j                           Equivalent to --link-journal=try-guest

Mounts:
     --bind=PATH[:PATH[:OPTIONS]]
                               Bind mount a file or directory from the host into the container
     --bind-ro=PATH[:PATH[:OPTIONS]
                               Similar, but creates a read-only bind mount
     --inaccessible=PATH       Over-mount file node with inaccessible node to mask it
     --tmpfs=PATH:[OPTIONS]    Mount an empty tmpfs to the specified directory
     --overlay=PATH[:PATH...]:PATH
                               Create an overlay mount from the host to the container
     --overlay-ro=PATH[:PATH...]:PATH
                               Similar, but creates a read-only overlay mount
     --bind-user=NAME          Bind user from host to container

Input/Output:
     --console=MODE            Select how stdin/stdout/stderr and /dev/console are set up for the container.
  -P --pipe                    Equivalent to --console=pipe

Credentials:
     --set-credential=ID:VALUE Pass a credential with literal value to container.
     --load-credential=ID:PATH Load credential to pass to container from file or AF_UNIX stream socket.

See the systemd-nspawn(1) man page for details.

Container setup

OpenRC

Import the releng GPG key so that systemd can find it.

root #gpg --no-default-keyring --primary-keyring=/etc/systemd/import-pubring.gpg --auto-key-locate=clear,nodefault,wkd --locate-key releng@gentoo.org

Unpack a stage3 in /var/lib/machines.

root #machinectl pull-tar https://distfiles.gentoo.org/releases/amd64/autobuilds/20240317T170433Z/stage3-amd64-openrc-20240317T170433Z.tar.xz openrc-20240317

Edit /var/lib/machines/.../etc/inittab to disable agetty on tty[1-6] and enable it on console.

FILE /etc/inittab
# TERMINALS
x1:12345:respawn:/sbin/agetty 38400 console linux
#c1:12345:respawn:/sbin/agetty --noclear 38400 tty1 linux
#c2:2345:respawn:/sbin/agetty 38400 tty2 linux
#c3:2345:respawn:/sbin/agetty 38400 tty3 linux
#c4:2345:respawn:/sbin/agetty 38400 tty4 linux
#c5:2345:respawn:/sbin/agetty 38400 tty5 linux
#c6:2345:respawn:/sbin/agetty 38400 tty6 linux

Clear the root password in /var/lib/machines/.../etc/shadow.

FILE /etc/shadow
root::10770:0:::::

Invoke systemd-nspawn with the -b option to boot.

root #systemd-nspawn -M openrc-20240317 -b

Troubleshooting

Can I combine QEMU and systemd-nspawn to cross-compile binaries?

Yes, follow the instructions to build QEMU with static-user support. Make sure the systemd-binfmt service is enabled.
Then, start the container as normal:

root #systemd-nspawn -D /var/lib/machines/<container_with_different_cpu_isa>

See also

Docker — a container virtualization environment
Podman — a daemonless container engine for developing, managing, and running OCI Containers on Linux.
LXC — a virtualization system making use of Linux's namespaces and cgroups.
LXD — is a next generation system container manager.

External resources

Rich0's Gentoo Blog: Quick systemd-nspawn guide
Systemd-nspawn for fun and… well, mostly for fun
On Running systemd-nspawn Containers
[1]

Image Repositories

https://nspawn.org/images/'
Parsed HTML source of the new revision (new_html)
Unix timestamp of change (timestamp)
1730996841