SYSTEMD.NSPAWN(5)               systemd.nspawn               SYSTEMD.NSPAWN(5)


NAME

       systemd.nspawn - Container settings


SYNOPSIS

       /etc/systemd/nspawn/machine.nspawn

       /run/systemd/nspawn/machine.nspawn

       /var/lib/machines/machine.nspawn


DESCRIPTION

       An nspawn container settings file (suffix .nspawn) encodes additional
       runtime information about a local container, and is searched, read and
       used by systemd-nspawn(1) when starting a container. Files of this type
       are named after the containers they define settings for. They are
       optional, and only required for containers whose execution environment
       shall differ from the defaults. Files of this type mostly contain
       settings that may also be set on the systemd-nspawn command line, and
       make it easier to persistently attach specific settings to specific
       containers. The syntax of these files is inspired by .desktop files
       following the XDG Desktop Entry Specification[1], which in turn are
       inspired by Microsoft Windows .ini files.

       Boolean arguments used in these settings files can be written in
       various formats. For positive settings, the strings 1, yes, true and on
       are equivalent. For negative settings, the strings 0, no, false and off
       are equivalent.

       Empty lines and lines starting with # or ; are ignored. This may be
       used for commenting. Lines ending in a backslash are concatenated with
       the following line while reading and the backslash is replaced by a
       space character. This may be used to wrap long lines.


.NSPAWN FILE DISCOVERY

       Files are searched by appending the .nspawn suffix to the machine name
       of the container, as specified with the --machine= switch of
       systemd-nspawn, or derived from the directory or image file name. This
       file is first searched in /etc/systemd/nspawn/ and
       /run/systemd/nspawn/. If found in these directories, its settings are
       read and all of them take full effect (but are possibly overridden by
       corresponding command line arguments). If not found, the file will then
       be searched next to the image file or in the immediate parent of the
       root directory of the container. If the file is found there, only a
       subset of the settings will take effect however. All settings that
       possibly elevate privileges or grant additional access to resources of
       the host (such as files or directories) are ignored. To which options
       this applies is documented below.

       Persistent settings files created and maintained by the administrator
       (and thus trusted) should be placed in /etc/systemd/nspawn/, while
       automatically downloaded (and thus potentially untrusted) settings
       files are placed in /var/lib/machines/ instead (next to the container
       images), where their security impact is limited. In order to add
       privileged settings to .nspawn files acquired from the image vendor, it
       is recommended to copy the settings files into /etc/systemd/nspawn/ and
       edit them there, so that the privileged options become available. The
       precise algorithm for how the files are searched and interpreted may be
       configured with systemd-nspawn's --settings= switch, see systemd-
       nspawn(1) for details.


[EXEC] SECTION OPTIONS

       Settings files may include an "[Exec]" section, which carries various
       execution parameters:

       Boot=
           Takes a boolean argument, which defaults to off. If enabled,
           systemd-nspawn will automatically search for an init executable and
           invoke it. In this case, the specified parameters using Parameters=
           are passed as additional arguments to the init process. This
           setting corresponds to the --boot switch on the systemd-nspawn
           command line. This option may not be combined with ProcessTwo=yes.
           This option is the default if the systemd-nspawn@.service template
           unit file is used.

       Ephemeral=
           Takes a boolean argument, which defaults to off. If enabled, the
           container is run with a temporary snapshot of its file system that
           is removed immediately when the container terminates. This is
           equivalent to the --ephemeral command line switch. See systemd-
           nspawn(1) for details about the specific options supported.

       ProcessTwo=
           Takes a boolean argument, which defaults to off. If enabled, the
           specified program is run as PID 2. A stub init process is run as
           PID 1. This setting corresponds to the --as-pid2 switch on the
           systemd-nspawn command line. This option may not be combined with
           Boot=yes.

       Parameters=
           Takes a space-separated list of arguments. This is either a command
           line, beginning with the binary name to execute, or – if Boot= is
           enabled – the list of arguments to pass to the init process. This
           setting corresponds to the command line parameters passed on the
           systemd-nspawn command line.

       Environment=
           Takes an environment variable assignment consisting of key and
           value, separated by "=". Sets an environment variable for the main
           process invoked in the container. This setting may be used multiple
           times to set multiple environment variables. It corresponds to the
           --setenv= command line switch.

       User=
           Takes a UNIX user name. Specifies the user name to invoke the main
           process of the container as. This user must be known in the
           container's user database. This corresponds to the --user= command
           line switch.

       WorkingDirectory=
           Selects the working directory for the process invoked in the
           container. Expects an absolute path in the container's file system
           namespace. This corresponds to the --chdir= command line switch.

       PivotRoot=
           Selects a directory to pivot to / inside the container when
           starting up. Takes a single path, or a pair of two paths separated
           by a colon. Both paths must be absolute, and are resolved in the
           container's file system namespace. This corresponds to the
           --pivot-root= command line switch.

       Capability=, DropCapability=
           Takes a space-separated list of Linux process capabilities (see
           capabilities(7) for details). The Capability= setting specifies
           additional capabilities to pass on top of the default set of
           capabilities. The DropCapability= setting specifies capabilities to
           drop from the default set. These settings correspond to the
           --capability= and --drop-capability= command line switches. Note
           that Capability= is a privileged setting, and only takes effect in
           .nspawn files in /etc/systemd/nspawn/ and /run/systemd/nspawn/ (see
           above). On the other hand, DropCapability= takes effect in all
           cases.

       NoNewPrivileges=
           Takes a boolean argument that controls the PR_SET_NO_NEW_PRIVS flag
           for the container payload. This is equivalent to the
           --no-new-privileges= command line switch. See systemd-nspawn(1) for
           details.

       KillSignal=
           Specify the process signal to send to the container's PID 1 when
           nspawn itself receives SIGTERM, in order to trigger an orderly
           shutdown of the container. Defaults to SIGRTMIN+3 if Boot= is used
           (on systemd-compatible init systems SIGRTMIN+3 triggers an orderly
           shutdown). For a list of valid signals, see signal(7).

       Personality=
           Configures the kernel personality for the container. This is
           equivalent to the --personality= switch.

       MachineID=
           Configures the 128-bit machine ID (UUID) to pass to the container.
           This is equivalent to the --uuid= command line switch. This option
           is privileged (see above).

       PrivateUsers=
           Configures support for user namespacing. This is equivalent to the
           --private-users= command line switch, and takes the same options.
           This option is privileged (see above). This option is the default
           if the systemd-nspawn@.service template unit file is used.

       NotifyReady=
           Configures support for notifications from the container's init
           process. This is equivalent to the --notify-ready= command line
           switch, and takes the same parameters. See systemd-nspawn(1) for
           details about the specific options supported.

       SystemCallFilter=
           Configures the system call filter applied to containers. This is
           equivalent to the --system-call-filter= command line switch, and
           takes the same list parameter. See systemd-nspawn(1) for details.

       LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=,
       LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=,
       LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=,
       LimitRTTIME=
           Configures various types of resource limits applied to containers.
           This is equivalent to the --rlimit= command line switch, and takes
           the same arguments. See systemd-nspawn(1) for details.

       OOMScoreAdjust=
           Configures the OOM score adjustment value. This is equivalent to
           the --oom-score-adjust= command line switch, and takes the same
           argument. See systemd-nspawn(1) for details.

       CPUAffinity=
           Configures the CPU affinity. This is equivalent to the
           --cpu-affinity= command line switch, and takes the same argument.
           See systemd-nspawn(1) for details.

       Hostname=
           Configures the kernel hostname set for the container. This is
           equivalent to the --hostname= command line switch, and takes the
           same argument. See systemd-nspawn(1) for details.

       ResolvConf=
           Configures how /etc/resolv.conf in the container shall be handled.
           This is equivalent to the --resolv-conf= command line switch, and
           takes the same argument. See systemd-nspawn(1) for details.

       Timezone=
           Configures how /etc/localtime in the container shall be handled.
           This is equivalent to the --timezone= command line switch, and
           takes the same argument. See systemd-nspawn(1) for details.

       LinkJournal=
           Configures how to link host and container journal setups. This is
           equivalent to the --link-journal= command line switch, and takes
           the same parameter. See systemd-nspawn(1) for details.


[FILES] SECTION OPTIONS

       Settings files may include a "[Files]" section, which carries various
       parameters configuring the file system of the container:

       ReadOnly=
           Takes a boolean argument, which defaults to off. If specified, the
           container will be run with a read-only file system. This setting
           corresponds to the --read-only command line switch.

       Volatile=
           Takes a boolean argument, or the special value "state". This
           configures whether to run the container with volatile state and/or
           configuration. This option is equivalent to --volatile=, see
           systemd-nspawn(1) for details about the specific options supported.

       Bind=, BindReadOnly=
           Adds a bind mount from the host into the container. Takes a single
           path, a pair of two paths separated by a colon, or a triplet of two
           paths plus an option string separated by colons. This option may be
           used multiple times to configure multiple bind mounts. This option
           is equivalent to the command line switches --bind= and --bind-ro=,
           see systemd-nspawn(1) for details about the specific options
           supported. This setting is privileged (see above).

       TemporaryFileSystem=
           Adds a "tmpfs" mount to the container. Takes a path or a pair of
           path and option string, separated by a colon. This option may be
           used multiple times to configure multiple "tmpfs" mounts. This
           option is equivalent to the command line switch --tmpfs=, see
           systemd-nspawn(1) for details about the specific options supported.
           This setting is privileged (see above).

       Overlay=, OverlayReadOnly=
           Adds an overlay mount point. Takes a colon-separated list of paths.
           This option may be used multiple times to configure multiple
           overlay mounts. This option is equivalent to the command line
           switches --overlay= and --overlay-ro=, see systemd-nspawn(1) for
           details about the specific options supported. This setting is
           privileged (see above).

       PrivateUsersChown=
           Configures whether the ownership of the files and directories in
           the container tree shall be adjusted to the UID/GID range used, if
           necessary and user namespacing is enabled. This is equivalent to
           the --private-users-chown command line switch. This option is
           privileged (see above).


[NETWORK] SECTION OPTIONS

       Settings files may include a "[Network]" section, which carries various
       parameters configuring the network connectivity of the container:

       Private=
           Takes a boolean argument, which defaults to off. If enabled, the
           container will run in its own network namespace and not share
           network interfaces and configuration with the host. This setting
           corresponds to the --private-network command line switch.

       VirtualEthernet=
           Takes a boolean argument. Configures whether to create a virtual
           Ethernet connection ("veth") between host and the container. This
           setting implies Private=yes. This setting corresponds to the
           --network-veth command line switch. This option is privileged (see
           above). This option is the default if the systemd-nspawn@.service
           template unit file is used.

       VirtualEthernetExtra=
           Takes a colon-separated pair of interface names. Configures an
           additional virtual Ethernet connection ("veth") between host and
           the container. The first specified name is the interface name on
           the host, the second the interface name in the container. The
           latter may be omitted in which case it is set to the same name as
           the host side interface. This setting implies Private=yes. This
           setting corresponds to the --network-veth-extra= command line
           switch, and may be used multiple times. It is independent of
           VirtualEthernet=. This option is privileged (see above).

       Interface=
           Takes a space-separated list of interfaces to add to the container.
           This option corresponds to the --network-interface= command line
           switch and implies Private=yes. This option is privileged (see
           above).

       MACVLAN=, IPVLAN=
           Takes a space-separated list of interfaces to add MACVLAN or IPVLAN
           interfaces to, which are then added to the container. These options
           correspond to the --network-macvlan= and --network-ipvlan= command
           line switches and imply Private=yes. These options are privileged
           (see above).

       Bridge=
           Takes an interface name. This setting implies VirtualEthernet=yes
           and Private=yes and has the effect that the host side of the
           created virtual Ethernet link is connected to the specified bridge
           interface. This option corresponds to the --network-bridge= command
           line switch. This option is privileged (see above).

       Zone=
           Takes a network zone name. This setting implies VirtualEthernet=yes
           and Private=yes and has the effect that the host side of the
           created virtual Ethernet link is connected to an automatically
           managed bridge interface named after the passed argument, prefixed
           with "vz-". This option corresponds to the --network-zone= command
           line switch. This option is privileged (see above).

       Port=
           Exposes a TCP or UDP port of the container on the host. This option
           corresponds to the --port= command line switch, see systemd-
           nspawn(1) for the precise syntax of the argument this option takes.
           This option is privileged (see above).

SEE ALSO

       systemd(1), systemd-nspawn(1), systemd.directives(7)


NOTES

        1. XDG Desktop Entry Specification
           http://standards.freedesktop.org/desktop-entry-spec/latest/



systemd 241                                                  SYSTEMD.NSPAWN(5)