1MACHINECTL(1)                     machinectl                     MACHINECTL(1)
2
3
4

NAME

6       machinectl - Control the systemd machine manager
7

SYNOPSIS

9       machinectl [OPTIONS...] {COMMAND} [NAME...]
10

DESCRIPTION

12       machinectl may be used to introspect and control the state of the
13       systemd(1) virtual machine and container registration manager systemd-
14       machined.service(8).
15
16       machinectl may be used to execute operations on machines and images.
17       Machines in this sense are considered running instances of:
18
19       ·   Virtual Machines (VMs) that virtualize hardware to run full
20           operating system (OS) instances (including their kernels) in a
21           virtualized environment on top of the host OS.
22
23       ·   Containers that share the hardware and OS kernel with the host OS,
24           in order to run OS userspace instances on top the host OS.
25
26       ·   The host system itself.
27
28       Machines are identified by names that follow the same rules as UNIX and
29       DNS hostnames. For details, see below.
30
31       Machines are instantiated from disk or file system images that
32       frequently — but not necessarily — carry the same name as machines
33       running from them. Images in this sense may be:
34
35       ·   Directory trees containing an OS, including the top-level
36           directories /usr, /etc, and so on.
37
38       ·   btrfs subvolumes containing OS trees, similar to regular directory
39           trees.
40
41       ·   Binary "raw" disk image files containing MBR or GPT partition
42           tables and Linux file systems.
43
44       ·   Similarly, block devices containing MBR or GPT partition tables and
45           file systems.
46
47       ·   The file system tree of the host OS itself.
48

COMMANDS

50       The following commands are understood:
51
52   Machine Commands
53       list
54           List currently running (online) virtual machines and containers. To
55           enumerate machine images that can be started, use list-images (see
56           below). Note that this command hides the special ".host" machine by
57           default. Use the --all switch to show it.
58
59       status NAME...
60           Show runtime status information about one or more virtual machines
61           and containers, followed by the most recent log data from the
62           journal. This function is intended to generate human-readable
63           output. If you are looking for computer-parsable output, use show
64           instead. Note that the log data shown is reported by the virtual
65           machine or container manager, and frequently contains console
66           output of the machine, but not necessarily journal contents of the
67           machine itself.
68
69       show [NAME...]
70           Show properties of one or more registered virtual machines or
71           containers or the manager itself. If no argument is specified,
72           properties of the manager will be shown. If a NAME is specified,
73           properties of this virtual machine or container are shown. By
74           default, empty properties are suppressed. Use --all to show those
75           too. To select specific properties to show, use --property=. This
76           command is intended to be used whenever computer-parsable output is
77           required, and does not print the control group tree or journal
78           entries. Use status if you are looking for formatted human-readable
79           output.
80
81       start NAME...
82           Start a container as a system service, using systemd-nspawn(1).
83           This starts systemd-nspawn@.service, instantiated for the specified
84           machine name, similar to the effect of systemctl start on the
85           service name.  systemd-nspawn looks for a container image by the
86           specified name in /var/lib/machines/ (and other search paths, see
87           below) and runs it. Use list-images (see below) for listing
88           available container images to start.
89
90           Note that systemd-machined.service(8) also interfaces with a
91           variety of other container and VM managers, systemd-nspawn is just
92           one implementation of it. Most of the commands available in
93           machinectl may be used on containers or VMs controlled by other
94           managers, not just systemd-nspawn. Starting VMs and container
95           images on those managers requires manager-specific tools.
96
97           To interactively start a container on the command line with full
98           access to the container's console, please invoke systemd-nspawn
99           directly. To stop a running container use machinectl poweroff.
100
101       login [NAME]
102           Open an interactive terminal login session in a container or on the
103           local host. If an argument is supplied, it refers to the container
104           machine to connect to. If none is specified, or the container name
105           is specified as the empty string, or the special machine name
106           ".host" (see below) is specified, the connection is made to the
107           local host instead. This will create a TTY connection to a specific
108           container or the local host and asks for the execution of a getty
109           on it. Note that this is only supported for containers running
110           systemd(1) as init system.
111
112           This command will open a full login prompt on the container or the
113           local host, which then asks for username and password. Use shell
114           (see below) or systemd-run(1) with the --machine= switch to
115           directly invoke a single command, either interactively or in the
116           background.
117
118       shell [[NAME@]NAME [PATH [ARGUMENTS...]]]
119           Open an interactive shell session in a container or on the local
120           host. The first argument refers to the container machine to connect
121           to. If none is specified, or the machine name is specified as the
122           empty string, or the special machine name ".host" (see below) is
123           specified, the connection is made to the local host instead. This
124           works similar to login but immediately invokes a user process. This
125           command runs the specified executable with the specified arguments,
126           or the default shell for the user if none is specified, or /bin/sh
127           if no default shell is found. By default, --uid=, or by prefixing
128           the machine name with a username and an "@" character, a different
129           user may be selected. Use --setenv= to set environment variables
130           for the executed process.
131
132           Note that machinectl shell does not propagate the exit code/status
133           of the invoked shell process. Use systemd-run instead if that
134           information is required (see below).
135
136           When using the shell command without arguments, (thus invoking the
137           executed shell or command on the local host), it is in many ways
138           similar to a su(1) session, but, unlike su, completely isolates the
139           new session from the originating session, so that it shares no
140           process or session properties, and is in a clean and well-defined
141           state. It will be tracked in a new utmp, login, audit, security and
142           keyring session, and will not inherit any environment variables or
143           resource limits, among other properties.
144
145           Note that systemd-run(1) with its --machine= switch may be used in
146           place of the machinectl shell command, and allows non-interactive
147           operation, more detailed and low-level configuration of the invoked
148           unit, as well as access to runtime and exit code/status information
149           of the invoked shell process. In particular, use systemd-run's
150           --wait switch to propagate exit status information of the invoked
151           process. Use systemd-run's --pty switch for acquiring an
152           interactive shell, similar to machinectl shell. In general,
153           systemd-run is preferable for scripting purposes. However, note
154           that systemd-run might require higher privileges than machinectl
155           shell.
156
157       enable NAME..., disable NAME...
158           Enable or disable a container as a system service to start at
159           system boot, using systemd-nspawn(1). This enables or disables
160           systemd-nspawn@.service, instantiated for the specified machine
161           name, similar to the effect of systemctl enable or systemctl
162           disable on the service name.
163
164       poweroff NAME...
165           Power off one or more containers. This will trigger a reboot by
166           sending SIGRTMIN+4 to the container's init process, which causes
167           systemd-compatible init systems to shut down cleanly. Use stop as
168           alias for poweroff. This operation does not work on containers that
169           do not run a systemd(1)-compatible init system, such as sysvinit.
170           Use terminate (see below) to immediately terminate a container or
171           VM, without cleanly shutting it down.
172
173       reboot NAME...
174           Reboot one or more containers. This will trigger a reboot by
175           sending SIGINT to the container's init process, which is roughly
176           equivalent to pressing Ctrl+Alt+Del on a non-containerized system,
177           and is compatible with containers running any system manager.
178
179       terminate NAME...
180           Immediately terminates a virtual machine or container, without
181           cleanly shutting it down. This kills all processes of the virtual
182           machine or container and deallocates all resources attached to that
183           instance. Use poweroff to issue a clean shutdown request.
184
185       kill NAME...
186           Send a signal to one or more processes of the virtual machine or
187           container. This means processes as seen by the host, not the
188           processes inside the virtual machine or container. Use --kill-who=
189           to select which process to kill. Use --signal= to select the signal
190           to send.
191
192       bind NAME PATH [PATH]
193           Bind mounts a file or directory from the host into the specified
194           container. The first path argument is the source file or directory
195           on the host, the second path argument is the destination file or
196           directory in the container. When the latter is omitted, the
197           destination path in the container is the same as the source path on
198           the host. When combined with the --read-only switch, a ready-only
199           bind mount is created. When combined with the --mkdir switch, the
200           destination path is first created before the mount is applied. Note
201           that this option is currently only supported for systemd-nspawn(1)
202           containers, and only if user namespacing (--private-users) is not
203           used. This command supports bind mounting directories, regular
204           files, device nodes, AF_UNIX socket nodes, as well as FIFOs.
205
206       copy-to NAME PATH [PATH]
207           Copies files or directories from the host system into a running
208           container. Takes a container name, followed by the source path on
209           the host and the destination path in the container. If the
210           destination path is omitted, the same as the source path is used.
211
212           If host and container share the same user and group namespace, file
213           ownership by numeric user ID and group ID is preserved for the
214           copy, otherwise all files and directories in the copy will be owned
215           by the root user and group (UID/GID 0).
216
217       copy-from NAME PATH [PATH]
218           Copies files or directories from a container into the host system.
219           Takes a container name, followed by the source path in the
220           container and the destination path on the host. If the destination
221           path is omitted, the same as the source path is used.
222
223           If host and container share the same user and group namespace, file
224           ownership by numeric user ID and group ID is preserved for the
225           copy, otherwise all files and directories in the copy will be owned
226           by the root user and group (UID/GID 0).
227
228   Image Commands
229       list-images
230           Show a list of locally installed container and VM images. This
231           enumerates all raw disk images and container directories and
232           subvolumes in /var/lib/machines/ (and other search paths, see
233           below). Use start (see above) to run a container off one of the
234           listed images. Note that, by default, containers whose name begins
235           with a dot (".") are not shown. To show these too, specify --all.
236           Note that a special image ".host" always implicitly exists and
237           refers to the image the host itself is booted from.
238
239       image-status [NAME...]
240           Show terse status information about one or more container or VM
241           images. This function is intended to generate human-readable
242           output. Use show-image (see below) to generate computer-parsable
243           output instead.
244
245       show-image [NAME...]
246           Show properties of one or more registered virtual machine or
247           container images, or the manager itself. If no argument is
248           specified, properties of the manager will be shown. If a NAME is
249           specified, properties of this virtual machine or container image
250           are shown. By default, empty properties are suppressed. Use --all
251           to show those too. To select specific properties to show, use
252           --property=. This command is intended to be used whenever
253           computer-parsable output is required. Use image-status if you are
254           looking for formatted human-readable output.
255
256       clone NAME NAME
257           Clones a container or VM image. The arguments specify the name of
258           the image to clone and the name of the newly cloned image. Note
259           that plain directory container images are cloned into btrfs
260           subvolume images with this command, if the underlying file system
261           supports this. Note that cloning a container or VM image is
262           optimized for file systems that support copy-on-write, and might
263           not be efficient on others, due to file system limitations.
264
265           Note that this command leaves hostname, machine ID and all other
266           settings that could identify the instance unmodified. The original
267           image and the cloned copy will hence share these credentials, and
268           it might be necessary to manually change them in the copy.
269
270           If combined with the --read-only switch a read-only cloned image is
271           created.
272
273       rename NAME NAME
274           Renames a container or VM image. The arguments specify the name of
275           the image to rename and the new name of the image.
276
277       read-only NAME [BOOL]
278           Marks or (unmarks) a container or VM image read-only. Takes a VM or
279           container image name, followed by a boolean as arguments. If the
280           boolean is omitted, positive is implied, i.e. the image is marked
281           read-only.
282
283       remove NAME...
284           Removes one or more container or VM images. The special image
285           ".host", which refers to the host's own directory tree, may not be
286           removed.
287
288       set-limit [NAME] BYTES
289           Sets the maximum size in bytes that a specific container or VM
290           image, or all images, may grow up to on disk (disk quota). Takes
291           either one or two parameters. The first, optional parameter refers
292           to a container or VM image name. If specified, the size limit of
293           the specified image is changed. If omitted, the overall size limit
294           of the sum of all images stored locally is changed. The final
295           argument specifies the size limit in bytes, possibly suffixed by
296           the usual K, M, G, T units. If the size limit shall be disabled,
297           specify "-" as size.
298
299           Note that per-container size limits are only supported on btrfs
300           file systems.
301
302       clean
303           Remove hidden VM or container images (or all). This command removes
304           all hidden machine images from /var/lib/machines, i.e. those whose
305           name begins with a dot. Use machinectl list-images --all to see a
306           list of all machine images, including the hidden ones.
307
308           When combined with the --all switch removes all images, not just
309           hidden ones. This command effectively empties /var/lib/machines.
310
311           Note that commands such as machinectl pull-tar or machinectl
312           pull-raw usually create hidden, read-only, unmodified machine
313           images from the downloaded image first, before cloning a writable
314           working copy of it, in order to avoid duplicate downloads in case
315           of images that are reused multiple times. Use machinectl clean to
316           remove old, hidden images created this way.
317
318   Image Transfer Commands
319       pull-tar URL [NAME]
320           Downloads a .tar container image from the specified URL, and makes
321           it available under the specified local machine name. The URL must
322           be of type "http://" or "https://", and must refer to a .tar,
323           .tar.gz, .tar.xz or .tar.bz2 archive file. If the local machine
324           name is omitted, it is automatically derived from the last
325           component of the URL, with its suffix removed.
326
327           The image is verified before it is made available, unless
328           --verify=no is specified. Verification is done either via an inline
329           signed file with the name of the image and the suffix .sha256 or
330           via separate SHA256SUMS and SHA256SUMS.gpg files. The signature
331           files need to be made available on the same web server, under the
332           same URL as the .tar file. With --verify=checksum, only the SHA256
333           checksum for the file is verified, based on the .sha256 suffixed
334           file or the SHA256SUMS file. With --verify=signature, the sha
335           checksum file is first verified with the inline signature in the
336           .sha256 file or the detached GPG signature file SHA256SUMS.gpg. The
337           public key for this verification step needs to be available in
338           /usr/lib/systemd/import-pubring.gpg or
339           /etc/systemd/import-pubring.gpg.
340
341           The container image will be downloaded and stored in a read-only
342           subvolume in /var/lib/machines/ that is named after the specified
343           URL and its HTTP etag. A writable snapshot is then taken from this
344           subvolume, and named after the specified local name. This behavior
345           ensures that creating multiple container instances of the same URL
346           is efficient, as multiple downloads are not necessary. In order to
347           create only the read-only image, and avoid creating its writable
348           snapshot, specify "-" as local machine name.
349
350           Note that the read-only subvolume is prefixed with .tar-, and is
351           thus not shown by list-images, unless --all is passed.
352
353           Note that pressing C-c during execution of this command will not
354           abort the download. Use cancel-transfer, described below.
355
356       pull-raw URL [NAME]
357           Downloads a .raw container or VM disk image from the specified URL,
358           and makes it available under the specified local machine name. The
359           URL must be of type "http://" or "https://". The container image
360           must either be a .qcow2 or raw disk image, optionally compressed as
361           .gz, .xz, or .bz2. If the local machine name is omitted, it is
362           automatically derived from the last component of the URL, with its
363           suffix removed.
364
365           Image verification is identical for raw and tar images (see above).
366
367           If the downloaded image is in .qcow2 format it is converted into a
368           raw image file before it is made available.
369
370           Downloaded images of this type will be placed as read-only .raw
371           file in /var/lib/machines/. A local, writable (reflinked) copy is
372           then made under the specified local machine name. To omit creation
373           of the local, writable copy pass "-" as local machine name.
374
375           Similar to the behavior of pull-tar, the read-only image is
376           prefixed with .raw-, and thus not shown by list-images, unless
377           --all is passed.
378
379           Note that pressing C-c during execution of this command will not
380           abort the download. Use cancel-transfer, described below.
381
382       import-tar FILE [NAME], import-raw FILE [NAME]
383           Imports a TAR or RAW container or VM image, and places it under the
384           specified name in /var/lib/machines/. When import-tar is used, the
385           file specified as the first argument should be a tar archive,
386           possibly compressed with xz, gzip or bzip2. It will then be
387           unpacked into its own subvolume in /var/lib/machines. When
388           import-raw is used, the file should be a qcow2 or raw disk image,
389           possibly compressed with xz, gzip or bzip2. If the second argument
390           (the resulting image name) is not specified, it is automatically
391           derived from the file name. If the filename is passed as "-", the
392           image is read from standard input, in which case the second
393           argument is mandatory.
394
395           Optionally, the --read-only switch may be used to create a
396           read-only container or VM image. No cryptographic validation is
397           done when importing the images.
398
399           Much like image downloads, ongoing imports may be listed with
400           list-transfers and aborted with cancel-transfer.
401
402       import-fs DIRECTORY [NAME]
403           Imports a container image stored in a local directory into
404           /var/lib/machines/, operates similar to import-tar or import-raw,
405           but the first argument is the source directory. If supported, this
406           command will create btrfs snapshot or subvolume for the new image.
407
408       export-tar NAME [FILE], export-raw NAME [FILE]
409           Exports a TAR or RAW container or VM image and stores it in the
410           specified file. The first parameter should be a VM or container
411           image name. The second parameter should be a file path the TAR or
412           RAW image is written to. If the path ends in ".gz", the file is
413           compressed with gzip, if it ends in ".xz", with xz, and if it ends
414           in ".bz2", with bzip2. If the path ends in neither, the file is
415           left uncompressed. If the second argument is missing, the image is
416           written to standard output. The compression may also be explicitly
417           selected with the --format= switch. This is in particular useful if
418           the second parameter is left unspecified.
419
420           Much like image downloads and imports, ongoing exports may be
421           listed with list-transfers and aborted with cancel-transfer.
422
423           Note that, currently, only directory and subvolume images may be
424           exported as TAR images, and only raw disk images as RAW images.
425
426       list-transfers
427           Shows a list of container or VM image downloads, imports and
428           exports that are currently in progress.
429
430       cancel-transfer ID...
431           Aborts a download, import or export of the container or VM image
432           with the specified ID. To list ongoing transfers and their IDs, use
433           list-transfers.
434

OPTIONS

436       The following options are understood:
437
438       -p, --property=
439           When showing machine or image properties, limit the output to
440           certain properties as specified by the argument. If not specified,
441           all set properties are shown. The argument should be a property
442           name, such as "Name". If specified more than once, all properties
443           with the specified names are shown.
444
445       -a, --all
446           When showing machine or image properties, show all properties
447           regardless of whether they are set or not.
448
449           When listing VM or container images, do not suppress images
450           beginning in a dot character (".").
451
452           When cleaning VM or container images, remove all images, not just
453           hidden ones.
454
455       --value
456           When printing properties with show, only print the value, and skip
457           the property name and "=".
458
459       -l, --full
460           Do not ellipsize process tree entries or table. This implies
461           --max-addresses=full.
462
463       --kill-who=
464           When used with kill, choose which processes to kill. Must be one of
465           leader, or all to select whether to kill only the leader process of
466           the machine or all processes of the machine. If omitted, defaults
467           to all.
468
469       -s, --signal=
470           When used with kill, choose which signal to send to selected
471           processes. Must be one of the well-known signal specifiers, such as
472           SIGTERM, SIGINT or SIGSTOP. If omitted, defaults to SIGTERM.
473
474       --uid=
475           When used with the shell command, chooses the user ID to open the
476           interactive shell session as. If the argument to the shell command
477           also specifies a user name, this option is ignored. If the name is
478           not specified in either way, "root" will be used by default. Note
479           that this switch is not supported for the login command (see
480           below).
481
482       -E NAME=VALUE, --setenv=NAME=VALUE
483           When used with the shell command, sets an environment variable to
484           pass to the executed shell. Takes an environment variable name and
485           value, separated by "=". This switch may be used multiple times to
486           set multiple environment variables. Note that this switch is not
487           supported for the login command (see below).
488
489       --mkdir
490           When used with bind, creates the destination file or directory
491           before applying the bind mount. Note that even though the name of
492           this option suggests that it is suitable only for directories, this
493           option also creates the destination file node to mount over if the
494           object to mount is not a directory, but a regular file, device
495           node, socket or FIFO.
496
497       --read-only
498           When used with bind, creates a read-only bind mount.
499
500           When used with clone, import-raw or import-tar a read-only
501           container or VM image is created.
502
503       -n, --lines=
504           When used with status, controls the number of journal lines to
505           show, counting from the most recent ones. Takes a positive integer
506           argument. Defaults to 10.
507
508       -o, --output=
509           When used with status, controls the formatting of the journal
510           entries that are shown. For the available choices, see
511           journalctl(1). Defaults to "short".
512
513       --verify=
514           When downloading a container or VM image, specify whether the image
515           shall be verified before it is made available. Takes one of "no",
516           "checksum" and "signature". If "no", no verification is done. If
517           "checksum" is specified, the download is checked for integrity
518           after the transfer is complete, but no signatures are verified. If
519           "signature" is specified, the checksum is verified and the image's
520           signature is checked against a local keyring of trustable vendors.
521           It is strongly recommended to set this option to "signature" if the
522           server and protocol support this. Defaults to "signature".
523
524       --force
525           When downloading a container or VM image, and a local copy by the
526           specified local machine name already exists, delete it first and
527           replace it by the newly downloaded image.
528
529       --format=
530           When used with the export-tar or export-raw commands, specifies the
531           compression format to use for the resulting file. Takes one of
532           "uncompressed", "xz", "gzip", "bzip2". By default, the format is
533           determined automatically from the image file name passed.
534
535       --max-addresses=
536           When used with the list-machines command, limits the number of ip
537           addresses output for every machine. Defaults to 1. All addresses
538           can be requested with "all" as argument to --max-addresses=. If the
539           argument to --max-addresses= is less than the actual number of
540           addresses, "..."follows the last address.
541
542       -q, --quiet
543           Suppresses additional informational output while running.
544
545       -H, --host=
546           Execute the operation remotely. Specify a hostname, or a username
547           and hostname separated by "@", to connect to. The hostname may
548           optionally be suffixed by a port ssh is listening on, separated by
549           ":", and then a container name, separated by "/", which connects
550           directly to a specific container on the specified host. This will
551           use SSH to talk to the remote machine manager instance. Container
552           names may be enumerated with machinectl -H HOST. Put IPv6 addresses
553           in brackets.
554
555       -M, --machine=
556           Connect to systemd-machined.service(8) running in a local
557           container, to perform the specified operation within the container.
558
559       --no-pager
560           Do not pipe output into a pager.
561
562       --no-legend
563           Do not print the legend, i.e. column headers and the footer with
564           hints.
565
566       --no-ask-password
567           Do not query the user for authentication for privileged operations.
568
569       -h, --help
570           Print a short help text and exit.
571
572       --version
573           Print a short version string and exit.
574

MACHINE AND IMAGE NAMES

576       The machinectl tool operates on machines and images whose names must be
577       chosen following strict rules. Machine names must be suitable for use
578       as hostnames following a conservative subset of DNS and UNIX/Linux
579       semantics. Specifically, they must consist of one or more non-empty
580       label strings, separated by dots. No leading or trailing dots are
581       allowed. No sequences of multiple dots are allowed. The label strings
582       may only consist of alphanumeric characters as well as the dash and
583       underscore. The maximum length of a machine name is 64 characters.
584
585       A special machine with the name ".host" refers to the running host
586       system itself. This is useful for execution operations or inspecting
587       the host system as well. Note that machinectl list will not show this
588       special machine unless the --all switch is specified.
589
590       Requirements on image names are less strict, however, they must be
591       valid UTF-8, must be suitable as file names (hence not be the single or
592       double dot, and not include a slash), and may not contain control
593       characters. Since many operations search for an image by the name of a
594       requested machine, it is recommended to name images in the same strict
595       fashion as machines.
596
597       A special image with the name ".host" refers to the image of the
598       running host system. It hence conceptually maps to the special ".host"
599       machine name described above. Note that machinectl list-images will not
600       show this special image either, unless --all is specified.
601

FILES AND DIRECTORIES

603       Machine images are preferably stored in /var/lib/machines/, but are
604       also searched for in /usr/local/lib/machines/ and /usr/lib/machines/.
605       For compatibility reasons, the directory /var/lib/container/ is
606       searched, too. Note that images stored below /usr are always considered
607       read-only. It is possible to symlink machines images from other
608       directories into /var/lib/machines/ to make them available for control
609       with machinectl.
610
611       Note that some image operations are only supported, efficient or atomic
612       on btrfs file systems.
613
614       Disk images are understood by systemd-nspawn(1) and machinectl in three
615       formats:
616
617       ·   A simple directory tree, containing the files and directories of
618           the container to boot.
619
620       ·   Subvolumes (on btrfs file systems), which are similar to the simple
621           directories, described above. However, they have additional
622           benefits, such as efficient cloning and quota reporting.
623
624       ·   "Raw" disk images, i.e. binary images of disks with a GPT or MBR
625           partition table. Images of this type are regular files with the
626           suffix ".raw".
627
628       See systemd-nspawn(1) for more information on image formats, in
629       particular its --directory= and --image= options.
630

EXAMPLES

632       Example 1. Download an Ubuntu image and open a shell in it
633
634           # machinectl pull-tar https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-root.tar.gz
635           # systemd-nspawn -M trusty-server-cloudimg-amd64-root
636
637       This downloads and verifies the specified .tar image, and then uses
638       systemd-nspawn(1) to open a shell in it.
639
640       Example 2. Download a Fedora image, set a root password in it, start it
641       as a service
642
643           # machinectl pull-raw --verify=no \
644                 https://download.fedoraproject.org/pub/fedora/linux/releases/33/Cloud/x86_64/images/Fedora-Cloud-Base-33-1.2.x86_64.raw.xz \
645                 Fedora-Cloud-Base-33-1.2.x86-64
646           # systemd-nspawn -M Fedora-Cloud-Base-33-1.2.x86-64
647           # passwd
648           # exit
649           # machinectl start Fedora-Cloud-Base-33-1.2.x86-64
650           # machinectl login Fedora-Cloud-Base-33-1.2.x86-64
651
652       This downloads the specified .raw image with verification disabled.
653       Then, a shell is opened in it and a root password is set. Afterwards
654       the shell is left, and the machine started as system service. With the
655       last command a login prompt into the container is requested.
656
657       Example 3. Exports a container image as tar file
658
659           # machinectl export-tar fedora myfedora.tar.xz
660
661       Exports the container "fedora" as an xz-compressed tar file
662       myfedora.tar.xz into the current directory.
663
664       Example 4. Create a new shell session
665
666           # machinectl shell --uid=lennart
667
668       This creates a new shell session on the local host for the user ID
669       "lennart", in a su(1)-like fashion.
670

EXIT STATUS

672       On success, 0 is returned, a non-zero failure code otherwise.
673

ENVIRONMENT

675       $SYSTEMD_PAGER
676           Pager to use when --no-pager is not given; overrides $PAGER. If
677           neither $SYSTEMD_PAGER nor $PAGER are set, a set of well-known
678           pager implementations are tried in turn, including less(1) and
679           more(1), until one is found. If no pager implementation is
680           discovered no pager is invoked. Setting this environment variable
681           to an empty string or the value "cat" is equivalent to passing
682           --no-pager.
683
684       $SYSTEMD_LESS
685           Override the options passed to less (by default "FRSXMK").
686
687           Users might want to change two options in particular:
688
689           K
690               This option instructs the pager to exit immediately when Ctrl+C
691               is pressed. To allow less to handle Ctrl+C itself to switch
692               back to the pager command prompt, unset this option.
693
694               If the value of $SYSTEMD_LESS does not include "K", and the
695               pager that is invoked is less, Ctrl+C will be ignored by the
696               executable, and needs to be handled by the pager.
697
698           X
699               This option instructs the pager to not send termcap
700               initialization and deinitialization strings to the terminal. It
701               is set by default to allow command output to remain visible in
702               the terminal even after the pager exits. Nevertheless, this
703               prevents some pager functionality from working, in particular
704               paged output cannot be scrolled with the mouse.
705
706           See less(1) for more discussion.
707
708       $SYSTEMD_LESSCHARSET
709           Override the charset passed to less (by default "utf-8", if the
710           invoking terminal is determined to be UTF-8 compatible).
711
712       $SYSTEMD_PAGERSECURE
713           Takes a boolean argument. When true, the "secure" mode of the pager
714           is enabled; if false, disabled. If $SYSTEMD_PAGERSECURE is not set
715           at all, secure mode is enabled if the effective UID is not the same
716           as the owner of the login session, see geteuid(2) and
717           sd_pid_get_owner_uid(3). In secure mode, LESSSECURE=1 will be set
718           when invoking the pager, and the pager shall disable commands that
719           open or create new files or start new subprocesses. When
720           $SYSTEMD_PAGERSECURE is not set at all, pagers which are not known
721           to implement secure mode will not be used. (Currently only less(1)
722           implements secure mode.)
723
724           Note: when commands are invoked with elevated privileges, for
725           example under sudo(8) or pkexec(1), care must be taken to ensure
726           that unintended interactive features are not enabled. "Secure" mode
727           for the pager may be enabled automatically as describe above.
728           Setting SYSTEMD_PAGERSECURE=0 or not removing it from the inherited
729           environment allows the user to invoke arbitrary commands. Note that
730           if the $SYSTEMD_PAGER or $PAGER variables are to be honoured,
731           $SYSTEMD_PAGERSECURE must be set too. It might be reasonable to
732           completly disable the pager using --no-pager instead.
733
734       $SYSTEMD_COLORS
735           The value must be a boolean. Controls whether colorized output
736           should be generated. This can be specified to override the decision
737           that systemd makes based on $TERM and what the console is connected
738           to.
739
740       $SYSTEMD_URLIFY
741           The value must be a boolean. Controls whether clickable links
742           should be generated in the output for terminal emulators supporting
743           this. This can be specified to override the decision that systemd
744           makes based on $TERM and other conditions.
745

SEE ALSO

747       systemd(1), systemd-machined.service(8), systemd-nspawn(1),
748       systemd.special(7), tar(1), xz(1), gzip(1), bzip2(1)
749
750
751
752systemd 246                                                      MACHINECTL(1)
Impressum