MACHINECTL(1) | machinectl | MACHINECTL(1) |
NAME
machinectl - Control the systemd machine manager
SYNOPSIS
machinectl [OPTIONS...] {COMMAND} [NAME...]
DESCRIPTION
machinectl may be used to introspect and control the state of the systemd(1) virtual machine and container registration manager systemd-machined.service(8).
machinectl may be used to execute operations on machines and images. Machines in this sense are considered running instances of:
Machines are identified by names that follow the same rules as UNIX and DNS hostnames. For details, see below.
Machines are instantiated from disk or file system images that frequently — but not necessarily — carry the same name as machines running from them. Images in this sense may be:
Images may be downloaded, imported and exported via the importctl(1) tool.
COMMANDS
The following commands are understood:
Machine Commands
list
Added in version 206.
status NAME...
Added in version 206.
show [NAME...]
Added in version 206.
start NAME...
Note that systemd-machined.service(8) also interfaces with a variety of other container and VM managers, systemd-nspawn is just one implementation of it. Most of the commands available in machinectl may be used on containers or VMs controlled by other managers, not just systemd-nspawn. Starting VMs and container images on those managers requires manager-specific tools.
To interactively start a container on the command line with full access to the container's console, please invoke systemd-nspawn directly. To stop a running container use machinectl poweroff.
Added in version 219.
login [NAME]
This command will open a full login prompt on the container or the local host, which then asks for username and password. Use shell (see below) or systemd-run(1) with the --machine= switch to directly invoke a single command, either interactively or in the background.
Added in version 209.
shell [[NAME@]NAME [PATH [ARGUMENTS...]]]
Note that machinectl shell does not propagate the exit code/status of the invoked shell process. Use systemd-run instead if that information is required (see below).
Using the shell command without arguments (thus invoking the executed shell or command on the local host), is in many ways similar to a su(1) session, but, unlike su, completely isolates the new session from the originating session, so that it shares no process or session properties and is in a clean well-defined state. It will be tracked in a new utmp, login, audit, security, and keyring sessions, and will not inherit any environment variables or resource limits, among other properties.
Note that systemd-run(1) with its --machine= switch may be used in place of the machinectl shell command, and allows non-interactive operation, more detailed and low-level configuration of the invoked unit, as well as access to runtime and exit code/status information of the invoked shell process. In particular, use systemd-run's --wait switch to propagate exit status information of the invoked process. Use systemd-run's --pty switch to acquire an interactive shell, similarly to machinectl shell. In general, systemd-run is preferable for scripting purposes. However, note that systemd-run might require higher privileges than machinectl shell.
Added in version 225.
enable NAME..., disable NAME...
This command implicitly reloads the system manager configuration after completing the operation. Note that this command does not implicitly start or power off the containers that are being operated on. If this is desired, combine the command with the --now switch.
Added in version 219.
poweroff NAME...
Added in version 212.
reboot NAME...
Added in version 209.
terminate NAME...
Added in version 206.
kill NAME...
Added in version 206.
bind NAME PATH [PATH]
Added in version 219.
copy-to NAME PATH [PATH] --force
If host and container share the same user and group namespace, file ownership by numeric user ID and group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root user and group (UID/GID 0).
Added in version 219.
copy-from NAME PATH [PATH] --force
If host and container share the same user and group namespace, file ownership by numeric user ID and group ID is preserved for the copy, otherwise all files and directories in the copy will be owned by the root user and group (UID/GID 0).
Added in version 219.
Image Commands
list-images
Added in version 219.
image-status [NAME...]
Added in version 219.
show-image [NAME...]
Added in version 219.
edit NAME|FILE
Added in version 254.
cat NAME|FILE
Added in version 254.
clone NAME NAME
Note that this command leaves hostname, machine ID and all other settings that could identify the instance unmodified. The original image and the cloned copy will hence share these credentials, and it might be necessary to manually change them in the copy.
If combined with the --read-only switch a read-only cloned image is created.
Added in version 219.
rename NAME NAME
Added in version 219.
read-only NAME [BOOL]
Added in version 219.
remove NAME...
Added in version 219.
set-limit [NAME] BYTES
Note that per-container size limits are only supported on btrfs file systems.
Added in version 220.
clean
When combined with the --all switch removes all images, not just hidden ones. This command effectively empties /var/lib/machines/.
Note that commands such as importctl pull-tar or importctl pull-raw usually create hidden, read-only, unmodified machine images from the downloaded image first, before cloning a writable working copy of it, in order to avoid duplicate downloads in case of images that are reused multiple times. Use machinectl clean to remove old, hidden images created this way.
Added in version 230.
OPTIONS
The following options are understood:
-p, --property=
Added in version 206.
--value
Added in version 230.
-P
Added in version 256.
-a, --all
When listing VM or container images, do not suppress images beginning in a dot character (".").
When cleaning VM or container images, remove all images, not just hidden ones.
Added in version 206.
-l, --full
Added in version 206.
--kill-whom=
Added in version 206.
-s, --signal=
The special value "help" will list the known values and the program will exit immediately, and the special value "list" will list known values along with the numerical signal numbers and the program will exit immediately.
--uid=
Added in version 225.
-E NAME[=VALUE], --setenv=NAME[=VALUE]
Note that this option is not supported for the login command.
Added in version 230.
--mkdir
Added in version 219.
--read-only
When used with clone a read-only container or VM image is created.
Added in version 219.
-n, --lines=
Added in version 219.
-o, --output=
Added in version 219.
--runner=nspawn|vmspawn
Added in version 256.
-V
Added in version 256.
--now
Added in version 253.
--force
Added in version 219.
--max-addresses=
Added in version 232.
-q, --quiet
Added in version 236.
-H, --host=
-M, --machine=
Added in version 235.
--no-pager
--no-legend
--no-ask-password
-h, --help
--version
MACHINE AND IMAGE NAMES
The machinectl tool operates on machines and images whose names must be chosen following strict rules. Machine names must be suitable for use as hostnames following a conservative subset of DNS and UNIX/Linux semantics. Specifically, they must consist of one or more non-empty label strings, separated by dots. No leading or trailing dots are allowed. No sequences of multiple dots are allowed. The label strings may only consist of alphanumeric characters as well as the dash and underscore. The maximum length of a machine name is 64 characters.
A special machine with the name ".host" refers to the running host system itself. This is useful for execution operations or inspecting the host system as well. Note that machinectl list will not show this special machine unless the --all switch is specified.
Requirements on image names are less strict, however, they must be valid UTF-8, must be suitable as file names (hence not be the single or double dot, and not include a slash), and may not contain control characters. Since many operations search for an image by the name of a requested machine, it is recommended to name images in the same strict fashion as machines.
A special image with the name ".host" refers to the image of the running host system. It hence conceptually maps to the special ".host" machine name described above. Note that machinectl list-images will not show this special image either, unless --all is specified.
FILES AND DIRECTORIES
Machine images are preferably stored in /var/lib/machines/, but are also searched for in /usr/local/lib/machines/ and /usr/lib/machines/. For compatibility reasons, the directory /var/lib/container/ is searched, too. Note that images stored below /usr/ are always considered read-only. It is possible to symlink machines images from other directories into /var/lib/machines/ to make them available for control with machinectl.
Note that some image operations are only supported, efficient or atomic on btrfs file systems.
Disk images are understood by systemd-nspawn(1) and machinectl in three formats:
See systemd-nspawn(1) for more information on image formats, in particular its --directory= and --image= options.
EXAMPLES
Example 1. Download an Ubuntu RAW image, set a root password in it, start it as a service
# importctl pull-raw -mN \ https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64-disk-kvm.img \ jammy # systemd-firstboot --image=/var/lib/machines/jammy.raw --prompt-root-password --force # machinectl start jammy # machinectl login jammy
This downloads the specified .raw image and makes it available under the local name "jammy". Then, a root password is set with systemd-firstboot(1). Afterwards the machine is started as system service. With the last command a login prompt into the container is requested.
EXIT STATUS
On success, 0 is returned, a non-zero failure code otherwise.
ENVIRONMENT
$SYSTEMD_LOG_LEVEL
$SYSTEMD_LOG_COLOR
This setting is only useful when messages are written directly to the terminal, because journalctl(1) and other tools that display logs will color messages based on the log level on their own.
$SYSTEMD_LOG_TIME
This setting is only useful when messages are written directly to the terminal or a file, because journalctl(1) and other tools that display logs will attach timestamps based on the entry metadata on their own.
$SYSTEMD_LOG_LOCATION
Note that the log location is often attached as metadata to journal entries anyway. Including it directly in the message text can nevertheless be convenient when debugging programs.
$SYSTEMD_LOG_TID
Note that the this information is attached as metadata to journal entries anyway. Including it directly in the message text can nevertheless be convenient when debugging programs.
$SYSTEMD_LOG_TARGET
$SYSTEMD_LOG_RATELIMIT_KMSG
$SYSTEMD_PAGER
Note: if $SYSTEMD_PAGERSECURE is not set, $SYSTEMD_PAGER (as well as $PAGER) will be silently ignored.
$SYSTEMD_LESS
Users might want to change two options in particular:
K
If the value of $SYSTEMD_LESS does not include "K", and the pager that is invoked is less, Ctrl+C will be ignored by the executable, and needs to be handled by the pager.
X
Note that setting the regular $LESS environment variable has no effect for less invocations by systemd tools.
See less(1) for more discussion.
$SYSTEMD_LESSCHARSET
Note that setting the regular $LESSCHARSET environment variable has no effect for less invocations by systemd tools.
$SYSTEMD_PAGERSECURE
Note: when commands are invoked with elevated privileges, for example under sudo(8) or pkexec(1), care must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the pager may be enabled automatically as describe above. Setting SYSTEMD_PAGERSECURE=0 or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note that if the $SYSTEMD_PAGER or $PAGER variables are to be honoured, $SYSTEMD_PAGERSECURE must be set too. It might be reasonable to completely disable the pager using --no-pager instead.
$SYSTEMD_COLORS
$SYSTEMD_URLIFY
SEE ALSO
systemd(1), systemd-machined.service(8), systemd-nspawn(1), systemd.special(7), importctl(1), tar(1), xz(1), gzip(1), bzip2(1)
systemd 256.8 |