SYSTEMD-NSPAWN(1)                  systemd-nspawn                 SYSTEMD-NSPAWN(1)

NAME
       systemd-nspawn - Spawn a command or OS in a light-weight container

SYNOPSIS
       systemd-nspawn [OPTIONS...] [COMMAND [ARGS...]]

       systemd-nspawn --boot [OPTIONS...] [ARGS...]

DESCRIPTION
       systemd-nspawn may be used to run a command or OS in a light-weight
       namespace container. In many ways it is similar to chroot(1), but more
       powerful since it fully virtualizes the file system hierarchy, as well
       as the process tree, the various IPC subsystems and the host and domain
       name.

       systemd-nspawn may be invoked on any directory tree containing an
       operating system tree, using the --directory= command line option. By
       using the --machine= option an OS tree is automatically searched for in
       a couple of locations, most importantly in /var/lib/machines/, the
       suggested directory to place OS container images installed on the
       system.

       In contrast to chroot(1) systemd-nspawn may be used to boot full
       Linux-based operating systems in a container.

       systemd-nspawn limits access to various kernel interfaces in the
       container to read-only, such as /sys/, /proc/sys/ or /sys/fs/selinux/.
       The host's network interfaces and the system clock may not be changed
       from within the container. Device nodes may not be created. The host
       system cannot be rebooted and kernel modules may not be loaded from
       within the container. Note that even with these precautions
       systemd-nspawn is not by itself a fully secure container setup; many of
       the restrictions primarily avoid accidental changes to the host. User
       namespacing via --private-users= (see below) is the main additional
       isolation mechanism.

       Use a tool like dnf(8), debootstrap(8), or pacman(8) to set up an OS
       directory tree suitable as file system hierarchy for systemd-nspawn
       containers. systemd-nspawn checks for /usr/lib/os-release or
       /etc/os-release (see os-release(5)) in the container tree.

       Use the --boot switch to boot an OS in the container. The
       systemd-nspawn@.service template unit runs a container as a system
       service; such containers can be managed with machinectl(1), and
       per-container settings are read from .nspawn files as described in
       systemd.nspawn(5). systemd-nspawn mounts file systems private to the
       container to /dev/, /run/ and similar. Containers are registered with
       systemd-machined(8), which makes them visible to machinectl(1) (e.g.
       for opening a login shell) and to tools such as ps(1). The container
       interface systemd-nspawn implements is described in [1].

       systemd-nspawn can also be invoked unprivileged, with restrictions on
       the images (--image=) and directory trees (--directory=) that may be
       used and on networking (--private-network, --network-veth); this relies
       on systemd-mountfsd.service(8) and systemd-nsresourced.service(8).

       If --boot is used, an init program is searched for and invoked as PID 1
       of the container; otherwise a shell (or the specified command) is run.

OPTIONS
       -q, --quiet
           Turns off any status output by the tool itself. Added in version
           209.

       --settings=MODE
           Controls whether systemd-nspawn searches for and uses additional
           per-container settings from .nspawn files. Takes a boolean or the
           special values "override" or "trusted". With "override", .nspawn
           settings take precedence over command line options; with "trusted",
           settings normally considered privileged are honoured even from
           .nspawn files stored next to the image (not only from
           /etc/systemd/nspawn/ and /run/systemd/nspawn/). The file is looked
           up by the machine name (see --machine=). See systemd.nspawn(5) for
           the file format. Added in version 226.

       --cleanup
           Cleans up left-over resources of a previously started container
           identified by -M/--machine=, -D/--directory= or -i/--image=. Added
           in version 257.

       -D, --directory=
           Directory to use as file system root for the container. If neither
           --directory= nor --image= is specified, the directory is determined
           by --machine=, which is searched for in /var/lib/machines/ and the
           other locations documented for machinectl(1); versioned ".v/"
           directories are supported, see systemd.v(7). May not be combined
           with --image=.

       --template=
           Directory or "btrfs" subvolume to use as template for the container
           root directory. If the directory specified with --directory= does
           not yet exist, it is populated from the template: on "btrfs" by
           taking a subvolume snapshot, otherwise by copying the tree (using
           reflinks on file systems that support them, such as "btrfs" and
           "xfs", plain copies on e.g. "ext4"). May not be combined with
           --image= or --ephemeral. Added in version 219.

       -x, --ephemeral
           Run the container with a temporary snapshot of its file system that
           is removed when the container terminates. The snapshot is a "btrfs"
           snapshot or a reflink copy ("btrfs", "xfs") where supported, a plain
           copy otherwise ("ext4"). May not be combined with --template=. See
           also --volatile=. Added in version 219.

       -i, --image=
           Disk image to mount the root directory for the container from.
           Takes a path to a regular file or a block device. It must contain
           one of:

           o   An MBR partition table with a single partition of type 0x83.

           o   A GUID partition table (GPT) with a single partition of type
               0fc63daf-8483-4772-8e79-3d69d8477de4.

           o   A GPT with a root partition marked according to the Discoverable
               Partitions Specification, UAPI.2[2]; further partitions (/usr/,
               /home/, ...) are mounted as well.

           o   No partition table, i.e. a single file system.

           On GPT images an EFI System Partition (ESP) is mounted to /efi (or
           /boot if that does not exist). LUKS-encrypted partitions are set up
           (a passphrase is queried). dm-verity protected root partitions are
           verified against --root-hash= (with --verity-data= and
           --root-hash-sig= where applicable). Swap partitions are ignored.
           May not be combined with --directory= or --template=. Versioned
           ".v/" directories are supported, see systemd.v(7). Added in version
           211.

       --image-policy=
           Takes an image policy string as per systemd.image-policy(7) to use
           when mounting the image specified with --image=. The default is:
           "root=verity+signed+encrypted+unprotected+absent:usr=verity+signed+encrypted+unprotected+absent:home=encrypted+unprotected+absent:srv=encrypted+unprotected+absent:esp=unprotected+absent:xbootldr=unprotected+absent:tmp=encrypted+unprotected+absent:var=encrypted+unprotected+absent".
           Added in version 254.

       --mstack=
           Takes a mount stack specification, see systemd.mstack(7); stacks are
           assembled from "overlayfs" and bind mounts. Added in version 260.

       --oci-bundle=
           Takes the path to an OCI runtime bundle[3] to invoke. The bundle's
           JSON configuration is applied in addition to (and similarly to)
           .nspawn settings. Added in version 242.

       --read-only
           Mount the container's root file system (and any other file systems
           mounted into it via --bind= and --tmpfs=) read-only. See also
           --volatile=.

       --volatile, --volatile=MODE
           Boots the container in volatile mode. Takes "no" (the default),
           "yes", "state" or "overlay". With "yes" only /usr/ is mounted from
           the image (read-only) and a "tmpfs" is mounted on the root, so all
           state including /etc/ and /var/ is lost at shutdown. With "state"
           the image is mounted read-only and a "tmpfs" is mounted on /var/.
           With "overlay" a writable "overlayfs" backed by a "tmpfs" is stacked
           on the read-only image. "no" mounts the image read-write (or
           read-only with --read-only). Selected paths can be kept persistent
           with --bind=, e.g. --bind=/etc/foobar together with
           --volatile=state; the ESP at /efi/ or /boot/ is handled specially
           with --volatile=overlay. May not be combined with --ephemeral;
           --tmpfs= and --overlay= can be used as well. This corresponds to
           the "systemd.volatile=" kernel command line option, see
           kernel-command-line(7). Mode "yes" requires an image with a merged
           /usr/, i.e. /bin/, /lib/ and similar as symlinks into /usr/. Added
           in version 216.

       --root-hash=
           Takes a data integrity (dm-verity) root hash for the root partition
           of the image, as a hexadecimal string (256-bit, i.e. 64 characters,
           for SHA256). If not specified, the hash is read from the
           "user.verity.roothash" extended attribute (see xattr(7)) of the
           image file, or from a .roothash file next to the image (with the
           .raw suffix replaced). A hash for /usr/ Verity is read from
           "user.verity.usrhash" or a .usrhash file in the same way. Corresponds
           to RootHash= in systemd.exec(5). Added in version 233.

       --root-hash-sig=
           Takes a PKCS7 signature of the --root-hash= value. Corresponds to
           RootHashSignature= in systemd.exec(5). Added in version 246.

       --verity-data=
           Takes the path to a file with the dm-verity hash data for the image.
           If not specified, a .verity file next to the image (with the .raw
           suffix replaced) is used. Added in version 246.

       --pivot-root=
           Pivot the specified directory to / inside the container, moving the
           previous root to another place. Takes "NEW" or "NEW:OLD", both
           absolute paths inside the container. This is useful for
           ostree(1)-style deployments and mirrors what an initrd does before
           handing over to PID 1. Added in version 233.

       -a, --as-pid2
           Invoke the shell or specified program as PID 2 instead of PID 1
           (init). By default the program runs as PID 1, which has special UNIX
           semantics (it must reap orphaned processes and does not receive
           default signal handling for SIGINT, SIGTERM and SIGHUP). With
           --as-pid2 a minimal stub init runs as PID 1 and the program as PID
           2, which suits programs not written to act as init. May not be
           combined with --boot. Added in version 229.

       -b, --boot
           Automatically search for an init program and invoke it as PID 1,
           instead of a shell or user-supplied program. Arguments are passed to
           the init program. May not be combined with --as-pid2. The three
           invocation modes compare as follows:

           Table 1. Invocation modes
           +----------------------+------------------------------------------+
           | Switch               | Explanation                              |
           +----------------------+------------------------------------------+
           | Neither --as-pid2    | The passed parameters are interpreted as |
           | nor --boot           | the command line, which is executed as   |
           |                      | PID 1 in the container.                  |
           +----------------------+------------------------------------------+
           | --as-pid2            | The passed parameters are interpreted as |
           |                      | the command line, which is executed as   |
           |                      | PID 2 in the container. A stub init      |
           |                      | process is run as PID 1.                 |
           +----------------------+------------------------------------------+
           | --boot               | An init program is automatically         |
           |                      | searched for and run as PID 1 in the     |
           |                      | container. The passed parameters are     |
           |                      | used as the command line for the init    |
           |                      | program.                                 |
           +----------------------+------------------------------------------+

           --boot is used by systemd-nspawn@.service. Added in version 229.

       --chdir=
           Change to the specified directory inside the container before
           invoking the program. Takes an absolute path. Added in version 229.

       -E NAME[=VALUE], --setenv=NAME[=VALUE]
           Specifies an environment variable to pass to the init process. If
           "=" and the value are omitted, the variable is inherited from the
           host environment. May be used more than once. Added in version 209.

       -u, --user=
           After entering the container, change to the specified user (looked
           up in the container's user database) before invoking the program.
           Note the interaction with credentials passed via --set-credential=
           and --load-credential=, and consider --no-new-privileges=yes.

       --kill-signal=
           Specify the process signal sent to the container's PID 1 when
           nspawn itself receives SIGTERM, to request orderly shutdown.
           Defaults to SIGRTMIN+3 if --boot is used (systemd as init responds
           to it with a clean shutdown) and to SIGKILL otherwise. See signal(7)
           for the signal list. Added in version 220.

       --notify-ready=
           Configures how systemd-nspawn reports readiness to its own
           supervisor. With false (the default) systemd-nspawn sends "READY=1"
           as soon as the container's init process has been started; with true
           it waits for "READY=1" from the init process first. See
           sd_notify(3). (Note that systemd-vmspawn(1) defaults to true.)
           Added in version 231.

       --suppress-sync=
           Takes a boolean. If true, sync(2), fsync(), syncfs() and related
           calls as well as the O_SYNC/O_DSYNC flags to open(2) are made
           no-ops inside the container, trading durability for performance.
           Defaults to false. Added in version 250.

       -M, --machine=
           Sets the machine name for this container, used as hostname, for
           registration with machinectl(1) and for locating the image or
           directory tree. Defaults to the base name of the image or directory;
           with --ephemeral a random suffix is appended. Added in version 202.

       --hostname=
           Controls the hostname to initialize the container with. If not
           specified, the name from --machine= is used. Use --hostname= when
           the container's hostname must differ from its --machine= name.
           Added in version 239.

       --uuid=
           Set the machine ID (UUID) for the container. It is passed to init
           and written to /etc/machine-id in the container if that file is
           empty.

       -S, --slice=
           Make the container part of the specified slice instead of the
           default machine.slice. Only applies when a transient scope unit is
           created, i.e. not with --keep-unit. Added in version 206.

       --property=
           Set a unit property on the scope unit created for the container,
           with the same syntax as systemctl set-property. Not used with
           --keep-unit. Added in version 220.

       --register=
           Controls whether the container is registered with
           systemd-machined(8). Takes a boolean, defaults to "yes". Registered
           containers (and their PID 1) are visible in machinectl(1) and
           ps(1). Use "no" for containers that should not appear there. Added
           in version 209.

       --keep-unit
           Instead of creating a transient scope unit, use the service or
           scope unit systemd-nspawn itself was invoked in. With --register=yes
           the container is still registered with systemd-machined(8). May not
           be combined with --slice= or --property=. --keep-unit --register=no
           avoids any interaction with systemd-machined. Added in version 209.

       --private-users=
           Controls user namespacing. If enabled, the container runs with its
           own UNIX user and group ID range (UIDs and GIDs): IDs inside the
           container (starting at 0) are mapped to a range of host IDs (by
           default 65536 IDs). Takes one of:

           1.  A host UID/GID base, optionally followed by ":" and a range
               size. The range defaults to 65536 UIDs/GIDs.

           2.  "yes": the range is taken from the owner UID/GID of the
               container root directory, which must be a multiple of 65536;
               65536 IDs are mapped. Files and ACLs owned by IDs outside the
               range appear as "nobody" in the container.

           3.  "pick": an unused range of 65536 UIDs/GIDs is chosen at random
               from the host range 524288..1878982656, using the ownership of
               the root directory if it already falls into that range (as with
               "yes"). Implies --private-users-ownership=auto, so the tree's
               ownership is adjusted to the chosen range.

           4.  "no": user namespacing is disabled. This is the default when
               systemd-nspawn is invoked directly (systemd-nspawn@.service
               enables it, see -U).

           5.  "identity": an identity mapping of 65536 UIDs/GIDs, equivalent
               to --private-users=0:65536. This provides a separate user
               namespace but no separation of IDs from the host.

           6.  "managed": a UID/GID range is allocated dynamically through
               systemd-nsresourced.service(8) (64K IDs, or a smaller 16- or
               32-ID range as delegated), independent of the ownership of the
               directory tree. Behaves like --private-users=pick otherwise.

           The same mapping is applied to GIDs as to UIDs. Note that user and
           group names in the container's /etc/passwd and /etc/group are
           unaffected by the mapping. See --private-users-ownership= for how
           file ownership is adjusted. Added in version 220.

       --private-users-ownership=
           Controls how the ownership of the container's directory tree is
           adjusted to the UID/GID range selected with --private-users=. Takes
           "off" (no adjustment), "chown" (recursively chown() the tree into
           the range; this is destructive and also rewrites ACLs), "map" (use
           an ID-mapped mount so that UID 0 of the tree appears as the
           container's base UID), "foreign" (use the kernel's foreign UID
           range) or "auto" (prefer "map", then "foreign", fall back to
           "chown"). "map" and "foreign" leave the tree's UIDs/GIDs untouched.
           Defaults to "auto" when --private-users=pick is used. A tree that
           was chown()ed can be shifted back to UID/GID 0 with systemd-dissect
           --shift, see systemd-dissect(1). Added in version 230.

       --private-users-delegate=
           Controls delegation of a sub-range of the container's (64K) UID/GID
           range, 1:1 mapped, through systemd-nsresourced.service(8). Only
           applies with --private-users=managed; the default delegation is 16
           IDs, and 0 disables it. Delegation is implemented via the Varlink
           service of systemd-nsresourced.service(8)
           (/run/systemd/io.systemd.NamespaceResource), registered in
           /run/systemd/userdb/ and /run/varlink/registry/. Added in version
           260.

       -U
           Equivalent to --private-users=pick --private-users-ownership=auto
           if user namespaces are supported by the kernel, and to
           --private-users=no otherwise. This is used by
           systemd-nspawn@.service. Note that --private-users-ownership=chown
           is not implied by -U; to chown a tree into a range starting at UID
           0 explicitly:

               systemd-nspawn ... --private-users=0 --private-users-ownership=chown

           Added in version 230.

       --private-network
           Disconnect networking of the container from the host. Only the
           loopback device and interfaces added with --network-interface=,
           --network-veth and related options are available in the container.
           Since the container then has its own network namespace,
           CAP_NET_ADMIN is retained; use --drop-capability= to drop it if the
           container should not configure its own interfaces. Without this
           option the container shares the host's network.

       --network-interface=
           Assign the specified network interface to the container, moving it
           into the container's network namespace. Implies --private-network.
           May be used more than once. For systemd-nspawn@.service, order the
           unit after the interface's device unit with a drop-in (e.g.
           /etc/systemd/system/systemd-nspawn@foobar.service.d/50-network.conf):

               [Unit]
               Wants=sys-subsystem-net-devices-ens1.device
               After=sys-subsystem-net-devices-ens1.device

           for an interface named "ens1". Added in version 209.

       --network-macvlan=
           Create a "macvlan" interface on the specified host interface and add
           it to the container. A "macvlan" interface shares the physical link
           but has its own MAC address. The container-side name is the host
           interface name prefixed with "mv-". Implies --private-network. May
           be used more than once, and combined with --network-interface=.
           Added in version 211.

       --network-ipvlan=
           Create an "ipvlan" interface on the specified host interface and add
           it to the container. Unlike "macvlan", an "ipvlan" interface shares
           the host interface's MAC address. The container-side name is the
           host interface name prefixed with "iv-". Implies --private-network.
           May be used more than once, and combined with --network-interface=.
           Added in version 219.

       -n, --network-veth
           Create a virtual Ethernet link ("veth") between host and container.
           The host side is named after the machine name (--machine=) prefixed
           with "ve-", the container side is "host0". Implies
           --private-network. systemd-networkd.service(8) ships
           /usr/lib/systemd/network/80-container-ve.network, which configures
           the host side (DHCP server and IP masquerading), and
           /usr/lib/systemd/network/80-container-host0.network, which
           configures the container side via DHCP, so that a container running
           systemd-networkd gets IP connectivity automatically. Interface
           names are limited to 15 characters while machine names may be up to
           64; longer names are shortened to 12 characters plus a 4-character
           hash by systemd-nspawn (see systemd.net-naming-scheme(7)). Used by
           systemd-nspawn@.service. See also --network-veth-extra= and
           --network-bridge=. Added in version 209.

       --network-veth-extra=
           Add an additional "veth" link between host and container. Takes a
           colon-separated pair of host and container interface names, or a
           single name used for both. Unlike --network-veth the names are not
           derived from the machine name, and --network-bridge= has no effect
           on links created with --network-veth-extra=. May be used more than
           once. Added in version 228.

       --network-bridge=
           Add the host side of the "veth" link created by --network-veth to
           the specified bridge. Implies --network-veth. The host interface is
           named with the prefix "vb-" instead of "ve-". The bridge must exist
           already. Can be combined with --network-interface=. Added in version
           209.

       --network-zone=
           Create a "veth" link whose host side is added to a bridge named
           after the zone with the prefix "vz-". The bridge is created
           automatically when the first container in the zone starts and
           removed when the last one stops, so containers in the same zone
           share a virtual network. Unlike --network-bridge= no pre-existing
           bridge is needed. systemd-networkd.service(8) ships
           /usr/lib/systemd/network/80-container-vz.network, which configures
           the bridge with a DHCP server and IP masquerading. Implies
           --private-network. Added in version 230.

       --network-namespace-path=
           Takes the path to a network namespace file (as bind-mounted from
           /proc/$PID/ns/net) to run the container in, for example one
           created with ip-netns(8) below /run/netns, as in
           --network-namespace-path=/run/netns/foo. May not be combined with
           --private-network or --network-interface= and related options.
           Added in version 236.

       -p, --port=
           Expose a TCP or UDP port of the container on the host. Takes
           "[PROTOCOL:]HOSTPORT[:CONTAINERPORT]", with PROTOCOL "tcp" (the
           default) or "udp" and ports in the range 1 to 65535. May be used
           more than once. Only has an effect with --network-veth,
           --network-zone= or --network-bridge=. Added in version 219.

       --capability=
           List of additional capabilities to grant the container, see
           capabilities(7). By default the following are retained:
           CAP_AUDIT_CONTROL CAP_AUDIT_WRITE CAP_CHOWN CAP_DAC_OVERRIDE
           CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_IPC_OWNER CAP_KILL
           CAP_LEASE CAP_LINUX_IMMUTABLE CAP_MKNOD CAP_NET_BIND_SERVICE
           CAP_NET_BROADCAST CAP_NET_RAW CAP_SETFCAP CAP_SETGID CAP_SETPCAP
           CAP_SETUID CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_NICE
           CAP_SYS_PTRACE CAP_SYS_RESOURCE CAP_SYS_TTY_CONFIG. CAP_NET_ADMIN
           is additionally retained with --private-network. "all" grants all
           capabilities; "help" lists the known ones. See also
           --ambient-capability=. Added in version 186.

       --drop-capability=
           List of capabilities to drop from the default set. "help" lists the
           known capabilities. See also --ambient-capability=. Added in version
           209.

       --ambient-capability=
           List of capabilities to pass as ambient capabilities to the
           container's init process. "all" passes all capabilities. Must be a
           subset of what --capability=/--drop-capability= leave in the
           bounding set. Not compatible with --boot. "help" lists the known
           capabilities. Added in version 248.

       --no-new-privileges=
           Takes a boolean. If true, the PR_SET_NO_NEW_PRIVS flag is set for
           the container payload, so that "setuid" binaries and similar cannot
           raise privileges. Defaults to off. See prctl(2). Added in version
           239.

       --system-call-filter=
           Alter the system call filter applied to the container. Takes a
           space-separated list of system call names or predefined "@" sets
           (see the syscall-filter verb of systemd-analyze(1)). Entries are
           added to the allow list; a list prefixed with "~" removes the
           listed calls instead (i.e. denies them). The default filter is
           derived from the retained capabilities, see --capability=. Added in
           version 235.

       -Z, --selinux-context=
           Sets the SELinux security context for the processes run in the
           container. Added in version 209.

       -L, --selinux-apifs-context=
           Sets the SELinux security context for the API file systems mounted
           in the container. Added in version 209.

       --rlimit=
           Sets a POSIX resource limit for the container payload. Takes
           "LIMIT=SOFT:HARD" or "LIMIT=VALUE", where LIMIT is a resource name
           such as RLIMIT_NOFILE or RLIMIT_NICE, SOFT and HARD are the soft and
           hard limits, and VALUE sets both. "infinity" disables the limit.
           May be used more than once. The limits are applied to the container
           init (PID 1) and inherited by its children. See setrlimit(2). Note
           that RLIMIT_NPROC is accounted per user and thus, without
           --private-users=, shared with host processes of the same UID.
           Example: "--rlimit=RLIMIT_NOFILE=8192:16384". Added in version 239.

       --oom-score-adjust=
           Sets the OOM ("out of memory") score adjustment of the container
           payload, written to /proc/self/oom_score_adj, see proc(5). Takes an
           integer from -1000 to 1000. Added in version 239.

       --cpu-affinity=
           Sets the CPU affinity of the container payload. Takes a
           comma-separated list of CPU indices or ranges. See
           sched_setaffinity(2). Added in version 239.

       --personality=
           Control the architecture ("personality") reported by uname(2) in
           the container. Currently only "x86" and "x86-64" are supported,
           which is useful when running a 32-bit container on a 64-bit host.
           Defaults to the host's personality. Added in version 209.

       --resolv-conf=
           Configures how /etc/resolv.conf (DNS configuration) inside the
           container is handled. Takes "off", "copy-host", "copy-static",
           "copy-uplink", "copy-stub", "replace-host", "replace-static",
           "replace-uplink", "replace-stub", "bind-host", "bind-static",
           "bind-uplink", "bind-stub", "delete" or "auto". "off" leaves the
           container's /etc/resolv.conf untouched. "copy-host" copies the
           host's /etc/resolv.conf into the container, "replace-host" does the
           same but replaces an existing file (new inode), and "bind-host"
           bind-mounts it. The "-static" variants use the static resolv.conf
           of systemd-resolved.service(8) (usually
           /usr/lib/systemd/resolv.conf), the "-uplink" variants its uplink
           file (/run/systemd/resolve/resolv.conf) and the "-stub" variants its
           stub file (/run/systemd/resolve/stub-resolv.conf). "delete" removes
           the container's /etc/resolv.conf. "auto" picks a suitable mode
           depending on whether --private-network is used and whether
           systemd-resolved.service is running on the host. The "copy-..." and
           "replace-..." modes snapshot the DNS configuration at container
           start, while the "bind-..." modes make the container follow host
           changes (but a read-only bind mount cannot be modified inside the
           container). Defaults to "auto". Added in version 239.

       --timezone=
           Configures how /etc/localtime (the local timezone) inside the
           container is handled. Takes "off", "copy", "bind", "symlink",
           "delete" or "auto". "off" leaves the file untouched, "copy" copies
           the host's /etc/localtime, "bind" bind-mounts it, "symlink" creates
           a symlink to the matching zoneinfo file, "delete" removes it, and
           "auto" uses "symlink", "copy" or "bind" depending on what the
           container image supports. Defaults to "auto". Added in version 239.

       --link-journal=
           Controls whether the container's journal is made visible to the
           host. Takes "no", "host", "try-host", "guest", "try-guest" or
           "auto". "no" disables linking. "host" bind-mounts the host's journal
           directory for the machine (/var/log/journal/machine-id) into the
           container. "guest" symlinks the container's journal directory
           (/var/log/journal/machine-id) into the host's journal directory.
           "try-host" and "try-guest" do the same but do not fail if the host
           has no persistent journal, and are the right choice with
           --ephemeral. "auto" (the default) bind-mounts the journal directory
           only if it already exists in both host and container. "guest",
           "host" and "auto" require a persistent /var/log/journal on the
           host. --link-journal=try-guest is used by systemd-nspawn@.service.
           Added in version 187.

       -j
           Equivalent to --link-journal=try-guest. Added in version 187.

       --bind=, --bind-ro=
           Bind mount a file or directory from the host into the container.
           Takes "PATH" (same path on both sides), "SOURCE:DEST" or
           "SOURCE:DEST:OPTIONS". A source path starting with "+" is taken
           relative to the container's root. If the source is omitted, a
           temporary directory below /var/tmp/ on the host is used. ":" in a
           path must be escaped as "\:". --bind-ro= creates a read-only bind
           mount. OPTIONS is a comma-separated list of: "rbind" (recursive
           bind, the default) or "norbind"; and "noidmap" (the default),
           "idmap", "rootidmap" or "owneridmap" to control ID mapping when
           --private-users is used. With host UIDs x..x+y mapped to container
           UIDs 0..y and a mount point owned by host UID p: "noidmap" shows
           host UID x+z as container UID z and everything else as nobody;
           "idmap" maps host UIDs 0..y to container UIDs 0..y; "rootidmap"
           maps host UID p to container UID 0; "owneridmap" maps host UID p
           to the UID owning the mount point inside the container. Files
           outside the mapped range appear as UID 65534 (nobody). "idmap"
           requires a kernel with ID-mapped mount support. May be used more
           than once. Added in version 198.

       --bind-user=
           Binds the home directory of the specified host user into the
           container and makes the user known there. Specifically: the home
           directory is mounted ID-mapped below /run/host/home/ so that host
           UID/GID becomes a container UID/GID; and JSON user and group
           records are dropped into /run/userdb/ so that nss-systemd(8) (via
           glibc NSS) resolves the user inside the container. This requires
           nss-systemd in the container's nsswitch.conf (systemd 249 or
           newer). The container UID/GID is chosen from a range reserved for
           this purpose; it is not added to the container's /etc/passwd and
           /etc/group. Password hashes are only passed if in a modern format
           (yescrypt, "$y$"). May be used more than once. Added in version
           249.

       --bind-user-shell=
           Controls the login shell recorded for users bound with
           --bind-user=: takes a boolean (true keeps the host's shell, false
           uses the container default) or an explicit shell path. Only applies
           with --bind-user=. Added in version 258.

       --bind-user-group=
           Adds users bound with --bind-user= to the specified container
           groups. Only applies with --bind-user=. Added in version 259.

       --inaccessible=
           Masks the specified absolute path inside the container by
           over-mounting it with an empty, inaccessible file or directory of
           matching type. May be used more than once. Added in version 242.

       --tmpfs=
           Mount a "tmpfs" on the specified directory inside the container.
           Takes "PATH" or "PATH:OPTIONS" (mount options; defaults to mode
           0755 owned by root/root). ":" in a path must be escaped as "\:".
           May be used more than once. See also --volatile=. Added in version
           214.

       --overlay=, --overlay-ro=
           Combine multiple directories into an "overlay" file system mounted
           at a path inside the container. Takes a colon-separated list of at
           least two paths: all but the last are the lower (source)
           directories, the last is the mount point in the container; ":" in
           a path must be escaped as "\:". With --overlay= the last source
           directory is writable (the upper directory), with --overlay-ro=
           the result is read-only. Source paths starting with "+" are taken
           relative to the container's root; an empty source (e.g.
           "--overlay=+/var::/var") uses a temporary directory below
           /var/tmp/ on the host, which makes /var/ writable but discards
           changes when the container exits. Note that the kernel's Overlay
           Filesystem[4] has restrictions, e.g. inode numbers may change and
           "workdir=" and "lowerdir=" semantics apply. May be used more than
           once. See also --volatile=. Added in version 220.

       --console=MODE
           Configures how /dev/console in the container is set up. Takes
           "interactive", "read-only", "passive", "pipe" or "autopipe".
           "interactive" allocates a pseudo-TTY, connects it to /dev/console
           and forwards systemd-nspawn's terminal input and output to it.
           "read-only" does the same but does not forward input. "passive"
           allocates the pseudo-TTY but does not connect systemd-nspawn's
           terminal to it. "pipe" connects /dev/console to systemd-nspawn's
           standard input, output and error directly, without a pseudo-TTY.
           "autopipe" uses "interactive" when systemd-nspawn is run from a
           terminal and "pipe" otherwise. Defaults to "interactive" when run
           interactively, "read-only" otherwise. In "pipe" mode the container
           init reads from and writes to /dev/console as a plain pipe, so
           pseudo-TTY semantics (end-of-file, TIOCSTI) do not apply. Added in
           version 242.

       -P, --pipe
           Equivalent to --console=pipe. Added in version 242.

       --background=COLOR
           Sets the background colour of the container's terminal using an
           ANSI X3.64 SGR sequence, e.g. "40" to "47", "48;2;..." or
           "48;5;...". See ANSI escape codes[5]. Added in version 256.

       --load-credential=ID:PATH, --set-credential=ID:VALUE
           Pass a credential to the container, read from a file (or an
           AF_UNIX socket) or given literally. These correspond to
           LoadCredential= and SetCredential= in systemd.exec(5); see there
           for details. If systemd-nspawn itself runs as a service with
           LoadCredential=/SetCredential=, credentials it received are passed
           on to the container as well. Credentials are consumed by the
           container's PID 1 and services such as systemd-sysusers.service(8)
           and systemd-firstboot(1). In --set-credential= values, C-style
           escapes such as "\n" and "\x00" (NUL) are supported. Example,
           booting an image with /etc/ and /var/ volatile (--volatile=yes) and
           initializing the locale and root password via credentials handled
           by systemd-firstboot.service:

               # systemd-nspawn -i image.raw \
                     --volatile=yes \
                     --set-credential=firstboot.locale:de_DE.UTF-8 \
                     --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' \
                     -b

           Added in version 247.

       --no-pager
           Do not pipe output into a pager.

       -h, --help
           Print a short help text and exit.

       --version
           Print a short version string and exit.

       --no-ask-password
           Do not query the user for authentication for privileged operations.

KEYBOARD SHORTCUTS
       When the container is connected to a terminal (--console=interactive),
       pressing Ctrl-] three times in a row terminates the container. Ctrl-]
       Ctrl-] r and Ctrl-] Ctrl-] p send a reboot and a power-off request,
       respectively. Added in version 258.

ENVIRONMENT
       $SYSTEMD_LOG_LEVEL
           The maximum log level of emitted messages (messages with a higher
           log level, i.e. less important ones, are suppressed). Takes a
           comma-separated list of values; one of emerg, alert, crit, err,
           warning, notice, info, debug, or an integer 0..7 (see syslog(3)),
           optionally prefixed with a target (console, syslog, kmsg, journal)
           to set the level per target, e.g.
           SYSTEMD_LOG_LEVEL=debug,console:info to log everything at debug
           level except to the console, which gets info.

       $SYSTEMD_LOG_COLOR
           A boolean. If true, messages written to the tty are coloured. See
           journalctl(1) for details.

       $SYSTEMD_LOG_TIME
           A boolean. If true, console log messages are prefixed with a
           timestamp. See journalctl(1).

       $SYSTEMD_LOG_LOCATION
           A boolean. If true, messages are prefixed with the source file name
           and line number.

       $SYSTEMD_LOG_TID
           A boolean. If true, messages are prefixed with the current numeric
           thread ID (TID).

       $SYSTEMD_LOG_TARGET
           The destination for log messages: console (standard error),
           console-prefixed (same, prefixed with the log level), syslog (see
           syslog(3)), kmsg (the kernel log buffer), journal, journal-or-kmsg
           (the journal if available, kmsg otherwise), auto (determined
           automatically, the default) or null (disable logging).

       $SYSTEMD_LOG_RATELIMIT_KMSG
           Whether to rate-limit kmsg output. Takes a boolean, defaults to
           "true". If disabled, systemd does not rate-limit messages to kmsg.

       $SYSTEMD_PAGER, $PAGER
           The pager to use when --no-pager is not given; $SYSTEMD_PAGER
           overrides $PAGER. If neither is set, a list of well-known pagers
           such as less(1) and more(1) is tried. Setting it to "cat" or an
           empty string is equivalent to --no-pager. Note that if
           $SYSTEMD_PAGERSECURE is not set, $SYSTEMD_PAGER and $PAGER are only
           used in a secure context (other than "cat" and "").

       $SYSTEMD_LESS
           Override the options passed to less (by default "FRSXMK"). Users
           may want to change two options in particular: K disables the pager
           exiting on Ctrl+C; without it less does not exit on Ctrl+C (you can
           still exit with q), so drop "K" from $SYSTEMD_LESS if that is
           wanted. X disables the termcap initialization and deinitialization
           strings, which keeps the output on screen after less exits. Note
           that $LESS is ignored by systemd when invoking less. See less(1).

       $SYSTEMD_LESSCHARSET
           Override the charset passed to less (by default "utf-8", if the
           invoking terminal is UTF-8 compatible). $LESSCHARSET is ignored by
           systemd.

       $SYSTEMD_PAGERSECURE
           Controls whether less(1) runs in "secure" mode. This matters when
           a pager is invoked with elevated privileges, e.g. under sudo(8) or
           pkexec(1). If true, "secure" mode is enabled: less is invoked with
           LESSSECURE=1, which disables commands that open other files or
           spawn a shell (see less(1) for what "secure" mode restricts). If
           false, "secure" mode is disabled (SYSTEMD_PAGERSECURE=0). If unset,
           systemd determines automatically whether "secure" mode is needed,
           based on geteuid(2), sd_pid_get_owner_uid(3) and whether it was
           invoked under sudo(8) ($SUDO_UID[6]); setting SYSTEMD_PAGERSECURE=1
           forces "secure" mode. Note that when $SYSTEMD_PAGERSECURE is unset,
           $SYSTEMD_PAGER and $PAGER are ignored in a privileged context.

       $SYSTEMD_COLORS
           Takes a boolean or a colour mode. If false, systemd output uses no
           colours. If true, $NO_COLOR is ignored. "16", "256" and "24bit"
           select ANSI 16-colour, 256-colour or 24-bit colour output;
           "auto-16", "auto-256" and "auto-24bit" do so only if $TERM (and for
           24-bit colour $COLORTERM set to "truecolor" or "24bit") indicate
           support. By default colour use is determined from $TERM, $NO_COLOR
           and $COLORTERM.

       $SYSTEMD_URLIFY
           A boolean. If false, clickable links are not generated in systemd
           output. By default clickable links are generated when $TERM
           indicates a terminal supporting them.

EXAMPLES
       Example 1. Download an Ubuntu TAR image and open a shell in it

           # importctl pull-tar -mN https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64-root.tar.xz
           # systemd-nspawn -M jammy-server-cloudimg-amd64-root

       This downloads the image, strips the .tar suffix for the machine name,
       and opens a shell in it with systemd-nspawn(1).

       Example 2. Build and boot a minimal Fedora distribution in a container

           # dnf -y --releasever=43 --installroot=/var/lib/machines/f43 \
                 --use-host-config --setopt=install_weak_deps=0 \
                 --repo=fedora --repo=updates install \
                 passwd dnf fedora-release nano util-linux systemd systemd-networkd
           # systemd-nspawn -bD /var/lib/machines/f43

       (--use-host-config is required with dnf 4.) This installs a minimal
       Fedora distribution into the directory /var/lib/machines/f43 and then
       boots an OS in a namespace container in it. Because the container is
       placed below /var/lib/machines/, it is also possible to start it with
       systemd-nspawn -M f43.

       Example 3. Spawn a shell in a container of a minimal Debian unstable
       distribution

           # debootstrap unstable ~/debian-tree/
           # systemd-nspawn -D ~/debian-tree/

       This installs a minimal Debian unstable distribution into the directory
       ~/debian-tree/ and then spawns a shell from this image in a namespace
       container. debootstrap supports Debian[7] and Ubuntu[8]; see
       debootstrap(8) for details.

       Example 4. Boot a minimal Arch Linux distribution in a container

           # pacstrap -c ~/arch-tree/ base
           # systemd-nspawn -bD ~/arch-tree/

       This installs a minimal Arch Linux distribution into the directory
       ~/arch-tree/ and then boots an OS in a namespace container in it.

       Example 5. Install the OpenSUSE Tumbleweed rolling distribution

           # zypper --root=/var/lib/machines/tumbleweed ar -c \
                 https://download.opensuse.org/tumbleweed/repo/oss tumbleweed
           # zypper --root=/var/lib/machines/tumbleweed refresh
           # zypper --root=/var/lib/machines/tumbleweed install --no-recommends \
                 systemd shadow zypper openSUSE-release vim
           # systemd-nspawn -M tumbleweed passwd root
           # systemd-nspawn -M tumbleweed -b

       Example 6. Boot into an ephemeral snapshot of the host system

           # systemd-nspawn -D / -xb

       This runs a copy of the host system in a snapshot which is removed
       immediately when the container exits. All file system changes made
       during runtime are lost on shutdown.

       Example 7. Run a container with SELinux sandbox security contexts

           # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
           # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 \
                 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh

       Example 8. Run a container with an OSTree deployment

           # systemd-nspawn -b -i ~/image.raw \
                 --pivot-root=/ostree/deploy/$OS/deploy/$CHECKSUM:/sysroot \
                 --bind=+/sysroot/ostree/deploy/$OS/var:/var

SEE ALSO
       systemd(1), systemd.nspawn(5), chroot(1), dnf(8), debootstrap(8),
       pacman(8), zypper(8), systemd.slice(5), machinectl(1), importctl(1),
       systemd-mountfsd.service(8), systemd-nsresourced.service(8),
       systemd.mstack(7), btrfs(8)

NOTES
        1. Container Interface
           https://systemd.io/CONTAINER_INTERFACE

        2. UAPI.2
           https://uapi-group.org/specifications/specs/discoverable_partitions_specification

        3. OCI Runtime Specification
           https://github.com/opencontainers/runtime-spec/blob/master/spec.md

        4. Overlay Filesystem
           https://docs.kernel.org/filesystems/overlayfs.html

        5. ANSI escape codes (SGR)
           https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_(Select_Graphic_Rendition)_parameters

        6. $SUDO_UID is set by sudo(8) for the invoked process.

        7. Debian
           https://www.debian.org

        8. Ubuntu
           https://www.ubuntu.com

        9. Arch Linux
           https://www.archlinux.org

       10. OpenSUSE Tumbleweed
           https://software.opensuse.org/distributions/tumbleweed

systemd 260.1                                                 SYSTEMD-NSPAWN(1)