SYSTEMD.NSPAWN(5)               systemd.nspawn               SYSTEMD.NSPAWN(5)


NAME

       systemd.nspawn - Container settings


SYNOPSIS

       /etc/systemd/nspawn/machine.nspawn

       /run/systemd/nspawn/machine.nspawn

       /var/lib/machines/machine.nspawn


DESCRIPTION

       An nspawn container settings file (suffix .nspawn) encodes additional
       runtime information about a local container, and is searched, read and
       used by systemd-nspawn(1) when starting a container. Files of this type
       are named after the containers they define settings for. They are
       optional, and only required for containers whose execution environment
       shall differ from the defaults. Files of this type mostly contain
       settings that may also be set on the systemd-nspawn command line, and
       make it easier to persistently attach specific settings to specific
       containers. The syntax of these files is inspired by .desktop files
       following the XDG Desktop Entry Specification[1], which in turn are
       inspired by Microsoft Windows .ini files.

       Boolean arguments used in these settings files can be written in
       various formats. For positive settings, the strings 1, yes, true and on
       are equivalent. For negative settings, the strings 0, no, false and off
       are equivalent.

       Empty lines and lines starting with # or ; are ignored. This may be
       used for commenting. Lines ending in a backslash are concatenated with
       the following line while reading and the backslash is replaced by a
       space character. This may be used to wrap long lines.


.NSPAWN FILE DISCOVERY

       Files are searched by appending the .nspawn suffix to the machine name
       of the container, as specified with the --machine= switch of
       systemd-nspawn, or derived from the directory or image file name. This
       file is first searched in /etc/systemd/nspawn/ and
       /run/systemd/nspawn/. If found in these directories, its settings are
       read and all of them take full effect (but are possibly overridden by
       corresponding command line arguments). If not found, the file will then
       be searched next to the image file or in the immediate parent of the
       root directory of the container. If the file is found there, only a
       subset of the settings will take effect however. All settings that
       possibly elevate privileges or grant additional access to resources of
       the host (such as files or directories) are ignored. To which options
       this applies is documented below.

       Persistent settings files created and maintained by the administrator
       (and thus trusted) should be placed in /etc/systemd/nspawn/, while
       automatically downloaded (and thus potentially untrusted) settings
       files are placed in /var/lib/machines/ instead (next to the container
       images), where their security impact is limited. In order to add
       privileged settings to .nspawn files acquired from the image vendor, it
       is recommended to copy the settings files into /etc/systemd/nspawn/ and
       edit them there, so that the privileged options become available. The
       precise algorithm for how the files are searched and interpreted may be
       configured with systemd-nspawn's --settings= switch, see systemd-
       nspawn(1) for details.

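       The syntax and discovery rules above, as an added example that is not
       part of systemd or of this manual page: a small Python reader that
       joins backslash-continued lines, skips comment lines, maps the boolean
       spellings, and drops the settings this page marks as privileged unless
       the file comes from one of the two trusted directories. The sample
       file, the PRIVILEGED table and the function names are constructed for
       illustration.

```python
# Added example, not systemd's code: reads the .nspawn syntax described above and
# applies the discovery rule that privileged keys need a trusted location.
TRUSTED_DIRS = ("/etc/systemd/nspawn/", "/run/systemd/nspawn/")
PRIVILEGED = {  # settings the page marks "privileged (see above)"
    "Exec": {"Capability", "MachineID", "PrivateUsers"},
    "Files": {"Bind", "BindReadOnly", "TemporaryFileSystem", "Inaccessible",
              "Overlay", "OverlayReadOnly", "PrivateUsersChown"},
    "Network": {"VirtualEthernet", "VirtualEthernetExtra", "Interface",
                "MACVLAN", "IPVLAN", "Bridge", "Zone", "Port"},
}
BOOLS = {**dict.fromkeys(("1", "yes", "true", "on"), True),
         **dict.fromkeys(("0", "no", "false", "off"), False)}

def parse_bool(value):
    """Boolean spellings the page lists; anything else raises KeyError."""
    return BOOLS[value.strip().lower()]

def logical_lines(text):
    """Join backslash-continued lines (backslash -> space); skip blank, '#' and ';' lines."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line and line[0] not in "#;":
            yield line

def parse_nspawn(text, path):
    """Return ({section: [(key, value), ...]}, [ignored privileged keys]).
    Repeated keys stay in order, since Bind= or Environment= may repeat."""
    trusted = path.startswith(TRUSTED_DIRS)
    settings, ignored, section = {}, [], None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or section is None:
            raise ValueError(f"malformed line: {line!r}")
        if key in PRIVILEGED.get(section, ()) and not trusted:
            ignored.append(f"[{section}] {key}=")  # dropped: untrusted location
            continue
        settings.setdefault(section, []).append((key, value))
    return settings, ignored
# Constructed sample, as a vendor might ship it next to a container image.
SAMPLE = """; constructed .nspawn file
[Exec]
Boot=yes
DropCapability=CAP_SYS_ADMIN \\
  CAP_NET_ADMIN
Capability=CAP_SYS_PTRACE
[Network]
VirtualEthernet=yes
"""
```

       Parsing SAMPLE with a path under /var/lib/machines/ keeps Boot= and
       DropCapability= but reports Capability= and VirtualEthernet= as
       ignored; the same file under /etc/systemd/nspawn/ yields all four.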

[EXEC] SECTION OPTIONS

       Settings files may include an "[Exec]" section, which carries various
       execution parameters:

       Boot=
           Takes a boolean argument, which defaults to off. If enabled,
           systemd-nspawn will automatically search for an init executable and
           invoke it. In this case, the specified parameters using Parameters=
           are passed as additional arguments to the init process. This
           setting corresponds to the --boot switch on the systemd-nspawn
           command line. This option may not be combined with ProcessTwo=yes.
           This option is specified by default in the systemd-nspawn@.service
           template unit.

       Ephemeral=
           Takes a boolean argument, which defaults to off. If enabled, the
           container is run with a temporary snapshot of its file system that
           is removed immediately when the container terminates. This is
           equivalent to the --ephemeral command line switch. See systemd-
           nspawn(1) for details about the specific options supported.

       ProcessTwo=
           Takes a boolean argument, which defaults to off. If enabled, the
           specified program is run as PID 2. A stub init process is run as
           PID 1. This setting corresponds to the --as-pid2 switch on the
           systemd-nspawn command line. This option may not be combined with
           Boot=yes.

       Parameters=
           Takes a whitespace-separated list of arguments. Single ("'") and
           double (""") quotes may be used around arguments with whitespace.
           This is either a command line, beginning with the binary name to
           execute, or – if Boot= is enabled – the list of arguments to pass
           to the init process. This setting corresponds to the command line
           parameters passed on the systemd-nspawn command line.

           Note: Boot=no, Parameters=a b "c c" is the same as systemd-nspawn a
           b "c c", and Boot=yes, Parameters=b 'c c' is the same as
           systemd-nspawn --boot b 'c c'.

       Environment=
           Takes an environment variable assignment consisting of key and
           value, separated by "=". Sets an environment variable for the main
           process invoked in the container. This setting may be used multiple
           times to set multiple environment variables. It corresponds to the
           --setenv= command line switch.

       User=
           Takes a UNIX user name. Specifies the user name to invoke the main
           process of the container as. This user must be known in the
           container's user database. This corresponds to the --user= command
           line switch.

       WorkingDirectory=
           Selects the working directory for the process invoked in the
           container. Expects an absolute path in the container's file system
           namespace. This corresponds to the --chdir= command line switch.

       PivotRoot=
           Selects a directory to pivot to / inside the container when
           starting up. Takes a single path, or a pair of two paths separated
           by a colon. Both paths must be absolute, and are resolved in the
           container's file system namespace. This corresponds to the
           --pivot-root= command line switch.

       Capability=, DropCapability=
           Takes a space-separated list of Linux process capabilities (see
           capabilities(7) for details). The Capability= setting specifies
           additional capabilities to pass on top of the default set of
           capabilities. The DropCapability= setting specifies capabilities to
           drop from the default set. These settings correspond to the
           --capability= and --drop-capability= command line switches. Note
           that Capability= is a privileged setting, and only takes effect in
           .nspawn files in /etc/systemd/nspawn/ and /run/systemd/nspawn/ (see
           above). On the other hand, DropCapability= takes effect in all
           cases.

       NoNewPrivileges=
           Takes a boolean argument that controls the PR_SET_NO_NEW_PRIVS flag
           for the container payload. This is equivalent to the
           --no-new-privileges= command line switch. See systemd-nspawn(1) for
           details.

       KillSignal=
           Specify the process signal to send to the container's PID 1 when
           nspawn itself receives SIGTERM, in order to trigger an orderly
           shutdown of the container. Defaults to SIGRTMIN+3 if Boot= is used
           (on systemd-compatible init systems SIGRTMIN+3 triggers an orderly
           shutdown). For a list of valid signals, see signal(7).

       Personality=
           Configures the kernel personality for the container. This is
           equivalent to the --personality= switch.

       MachineID=
           Configures the 128-bit machine ID (UUID) to pass to the container.
           This is equivalent to the --uuid= command line switch. This option
           is privileged (see above).

       PrivateUsers=
           Configures support for user namespacing. This is equivalent to the
           --private-users= command line switch, and takes the same options.
           This option is privileged (see above). This option is the default
           if the systemd-nspawn@.service template unit file is used.

       NotifyReady=
           Configures support for notifications from the container's init
           process. This is equivalent to the --notify-ready= command line
           switch, and takes the same parameters. See systemd-nspawn(1) for
           details about the specific options supported.

       SystemCallFilter=
           Configures the system call filter applied to containers. This is
           equivalent to the --system-call-filter= command line switch, and
           takes the same list parameter. See systemd-nspawn(1) for details.

       LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=,
       LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=,
       LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=,
       LimitRTTIME=
           Configures various types of resource limits applied to containers.
           This is equivalent to the --rlimit= command line switch, and takes
           the same arguments. See systemd-nspawn(1) for details.

       OOMScoreAdjust=
           Configures the OOM score adjustment value. This is equivalent to
           the --oom-score-adjust= command line switch, and takes the same
           argument. See systemd-nspawn(1) for details.

       CPUAffinity=
           Configures the CPU affinity. This is equivalent to the
           --cpu-affinity= command line switch, and takes the same argument.
           See systemd-nspawn(1) for details.

       Hostname=
           Configures the kernel hostname set for the container. This is
           equivalent to the --hostname= command line switch, and takes the
           same argument. See systemd-nspawn(1) for details.

       ResolvConf=
           Configures how /etc/resolv.conf in the container shall be handled.
           This is equivalent to the --resolv-conf= command line switch, and
           takes the same argument. See systemd-nspawn(1) for details.

       Timezone=
           Configures how /etc/localtime in the container shall be handled.
           This is equivalent to the --timezone= command line switch, and
           takes the same argument. See systemd-nspawn(1) for details.

       LinkJournal=
           Configures how to link host and container journal setups. This is
           equivalent to the --link-journal= command line switch, and takes
           the same parameter. See systemd-nspawn(1) for details.


[FILES] SECTION OPTIONS

       Settings files may include a "[Files]" section, which carries various
       parameters configuring the file system of the container:

       ReadOnly=
           Takes a boolean argument, which defaults to off. If specified, the
           container will be run with a read-only file system. This setting
           corresponds to the --read-only command line switch.

       Volatile=
           Takes a boolean argument, or the special value "state". This
           configures whether to run the container with volatile state and/or
           configuration. This option is equivalent to --volatile=, see
           systemd-nspawn(1) for details about the specific options supported.

       Bind=, BindReadOnly=
           Adds a bind mount from the host into the container. Takes a single
           path, a pair of two paths separated by a colon, or a triplet of two
           paths plus an option string separated by colons. This option may be
           used multiple times to configure multiple bind mounts. This option
           is equivalent to the command line switches --bind= and --bind-ro=,
           see systemd-nspawn(1) for details about the specific options
           supported. This setting is privileged (see above).

       TemporaryFileSystem=
           Adds a "tmpfs" mount to the container. Takes a path or a pair of
           path and option string, separated by a colon. This option may be
           used multiple times to configure multiple "tmpfs" mounts. This
           option is equivalent to the command line switch --tmpfs=, see
           systemd-nspawn(1) for details about the specific options supported.
           This setting is privileged (see above).

       Inaccessible=
           Masks the specified file or directory in the container, by
           over-mounting it with an empty file node of the same type with the
           most restrictive access mode. Takes a file system path as argument.
           This option may be used multiple times to mask multiple files or
           directories. This option is equivalent to the command line switch
           --inaccessible=, see systemd-nspawn(1) for details about the
           specific options supported. This setting is privileged (see above).

       Overlay=, OverlayReadOnly=
           Adds an overlay mount point. Takes a colon-separated list of paths.
           This option may be used multiple times to configure multiple
           overlay mounts. This option is equivalent to the command line
           switches --overlay= and --overlay-ro=, see systemd-nspawn(1) for
           details about the specific options supported. This setting is
           privileged (see above).

       PrivateUsersChown=
           Configures whether the ownership of the files and directories in
           the container tree shall be adjusted to the UID/GID range used, if
           necessary and user namespacing is enabled. This is equivalent to
           the --private-users-chown command line switch. This option is
           privileged (see above).


[NETWORK] SECTION OPTIONS

       Settings files may include a "[Network]" section, which carries various
       parameters configuring the network connectivity of the container:

       Private=
           Takes a boolean argument, which defaults to off. If enabled, the
           container will run in its own network namespace and not share
           network interfaces and configuration with the host. This setting
           corresponds to the --private-network command line switch.

       VirtualEthernet=
           Takes a boolean argument. Configures whether to create a virtual
           Ethernet connection ("veth") between host and the container. This
           setting implies Private=yes. This setting corresponds to the
           --network-veth command line switch. This option is privileged (see
           above). This option is the default if the systemd-nspawn@.service
           template unit file is used.

       VirtualEthernetExtra=
           Takes a colon-separated pair of interface names. Configures an
           additional virtual Ethernet connection ("veth") between host and
           the container. The first specified name is the interface name on
           the host, the second the interface name in the container. The
           latter may be omitted in which case it is set to the same name as
           the host side interface. This setting implies Private=yes. This
           setting corresponds to the --network-veth-extra= command line
           switch, and may be used multiple times. It is independent of
           VirtualEthernet=. This option is privileged (see above).

       Interface=
           Takes a space-separated list of interfaces to add to the container.
           This option corresponds to the --network-interface= command line
           switch and implies Private=yes. This option is privileged (see
           above).

       MACVLAN=, IPVLAN=
           Takes a space-separated list of interfaces to add MACVLAN or IPVLAN
           interfaces to, which are then added to the container. These options
           correspond to the --network-macvlan= and --network-ipvlan= command
           line switches and imply Private=yes. These options are privileged
           (see above).

       Bridge=
           Takes an interface name. This setting implies VirtualEthernet=yes
           and Private=yes and has the effect that the host side of the
           created virtual Ethernet link is connected to the specified bridge
           interface. This option corresponds to the --network-bridge= command
           line switch. This option is privileged (see above).

       Zone=
           Takes a network zone name. This setting implies VirtualEthernet=yes
           and Private=yes and has the effect that the host side of the
           created virtual Ethernet link is connected to an automatically
           managed bridge interface named after the passed argument, prefixed
           with "vz-". This option corresponds to the --network-zone= command
           line switch. This option is privileged (see above).

       Port=
           Exposes a TCP or UDP port of the container on the host. This option
           corresponds to the --port= command line switch, see systemd-
           nspawn(1) for the precise syntax of the argument this option takes.
           This option is privileged (see above).


SEE ALSO

       systemd(1), systemd-nspawn(1), systemd.directives(7)


NOTES

        1. XDG Desktop Entry Specification
           http://standards.freedesktop.org/desktop-entry-spec/latest/



systemd 243                                                  SYSTEMD.NSPAWN(5)