1MACHINECTL(1) machinectl MACHINECTL(1)
2
6 machinectl - Control the systemd machine manager
7
9 machinectl [OPTIONS...] {COMMAND} [NAME...]
10
12 machinectl may be used to introspect and control the state of the
13 systemd(1) virtual machine and container registration manager systemd-
14 machined.service(8).
15 machinectl may be used to execute operations on machines and images.
17 Machines in this sense are considered running instances of:
18 • Virtual Machines (VMs) that virtualize hardware to run full
20 operating system (OS) instances (including their kernels) in a
21 virtualized environment on top of the host OS.
22 • Containers that share the hardware and OS kernel with the host OS,
24 in order to run OS userspace instances on top the host OS.
25 • The host system itself.
27 Machines are identified by names that follow the same rules as UNIX and
29 DNS hostnames. For details, see below.
30 Machines are instantiated from disk or file system images that
32 frequently — but not necessarily — carry the same name as machines
33 running from them. Images in this sense may be:
34 • Directory trees containing an OS, including the top-level
36 directories /usr/, /etc/, and so on.
37 • btrfs subvolumes containing OS trees, similar to regular directory
39 trees.
40 • Binary "raw" disk image files containing MBR or GPT partition
42 tables and Linux file systems.
43 • Similarly, block devices containing MBR or GPT partition tables and
45 file systems.
46 • The file system tree of the host OS itself.
48
50 The following commands are understood:
51 Machine Commands
53 list
54 List currently running (online) virtual machines and containers. To
55 enumerate machine images that can be started, use list-images (see
56 below). Note that this command hides the special ".host" machine by
57 default. Use the --all switch to show it.
58 status NAME...
60 Show runtime status information about one or more virtual machines
61 and containers, followed by the most recent log data from the
62 journal. This function is intended to generate human-readable
63 output. If you are looking for computer-parsable output, use show
64 instead. Note that the log data shown is reported by the virtual
65 machine or container manager, and frequently contains console
66 output of the machine, but not necessarily journal contents of the
67 machine itself.
68 show [NAME...]
70 Show properties of one or more registered virtual machines or
71 containers or the manager itself. If no argument is specified,
72 properties of the manager will be shown. If a NAME is specified,
73 properties of this virtual machine or container are shown. By
74 default, empty properties are suppressed. Use --all to show those
75 too. To select specific properties to show, use --property=. This
76 command is intended to be used whenever computer-parsable output is
77 required, and does not print the control group tree or journal
78 entries. Use status if you are looking for formatted human-readable
79 output.
80 start NAME...
82 Start a container as a system service, using systemd-nspawn(1).
83 This starts systemd-nspawn@.service, instantiated for the specified
84 machine name, similar to the effect of systemctl start on the
85 service name. systemd-nspawn looks for a container image by the
86 specified name in /var/lib/machines/ (and other search paths, see
87 below) and runs it. Use list-images (see below) for listing
88 available container images to start.
89 Note that systemd-machined.service(8) also interfaces with a
91 variety of other container and VM managers, systemd-nspawn is just
92 one implementation of it. Most of the commands available in
93 machinectl may be used on containers or VMs controlled by other
94 managers, not just systemd-nspawn. Starting VMs and container
95 images on those managers requires manager-specific tools.
96 To interactively start a container on the command line with full
98 access to the container's console, please invoke systemd-nspawn
99 directly. To stop a running container use machinectl poweroff.
100 login [NAME]
102 Open an interactive terminal login session in a container or on the
103 local host. If an argument is supplied, it refers to the container
104 machine to connect to. If none is specified, or the container name
105 is specified as the empty string, or the special machine name
106 ".host" (see below) is specified, the connection is made to the
107 local host instead. This will create a TTY connection to a specific
108 container or the local host and asks for the execution of a getty
109 on it. Note that this is only supported for containers running
110 systemd(1) as init system.
111 This command will open a full login prompt on the container or the
113 local host, which then asks for username and password. Use shell
114 (see below) or systemd-run(1) with the --machine= switch to
115 directly invoke a single command, either interactively or in the
116 background.
117 shell [[NAME@]NAME [PATH [ARGUMENTS...]]]
119 Open an interactive shell session in a container or on the local
120 host. The first argument refers to the container machine to connect
121 to. If none is specified, or the machine name is specified as the
122 empty string, or the special machine name ".host" (see below) is
123 specified, the connection is made to the local host instead. This
124 works similarly to login, but immediately invokes a user process.
125 This command runs the specified executable with the specified
126 arguments, or the default shell for the user if none is specified,
127 or /bin/sh if no default shell is found. By default, --uid=, or by
128 prefixing the machine name with a username and an "@" character, a
129 different user may be selected. Use --setenv= to set environment
130 variables for the executed process.
131 Note that machinectl shell does not propagate the exit code/status
133 of the invoked shell process. Use systemd-run instead if that
134 information is required (see below).
135 Using the shell command without arguments (thus invoking the
137 executed shell or command on the local host), is in many ways
138 similar to a su(1) session, but, unlike su, completely isolates the
139 new session from the originating session, so that it shares no
140 process or session properties and is in a clean well-defined state.
141 It will be tracked in a new utmp, login, audit, security, and
142 keyring sessions, and will not inherit any environment variables or
143 resource limits, among other properties.
144 Note that systemd-run(1) with its --machine= switch may be used in
146 place of the machinectl shell command, and allows non-interactive
147 operation, more detailed and low-level configuration of the invoked
148 unit, as well as access to runtime and exit code/status information
149 of the invoked shell process. In particular, use systemd-run's
150 --wait switch to propagate exit status information of the invoked
151 process. Use systemd-run's --pty switch to acquire an interactive
152 shell, similarly to machinectl shell. In general, systemd-run is
153 preferable for scripting purposes. However, note that systemd-run
154 might require higher privileges than machinectl shell.
155 enable NAME..., disable NAME...
157 Enable or disable a container as a system service to start at
158 system boot, using systemd-nspawn(1). This enables or disables
159 systemd-nspawn@.service, instantiated for the specified machine
160 name, similarly to the effect of systemctl enable or systemctl
161 disable on the service name.
162 This command implicitly reloads the system manager configuration
164 after completing the operation. Note that this command does not
165 implicitly start or power off the containers that are being
166 operated on. If this is desired, combine the command with the --now
167 switch.
168 poweroff NAME...
170 Power off one or more containers. This will trigger a reboot by
171 sending SIGRTMIN+4 to the container's init process, which causes
172 systemd-compatible init systems to shut down cleanly. Use stop as
173 alias for poweroff. This operation does not work on containers that
174 do not run a systemd(1)-compatible init system, such as sysvinit.
175 Use terminate (see below) to immediately terminate a container or
176 VM, without cleanly shutting it down.
177 reboot NAME...
179 Reboot one or more containers. This will trigger a reboot by
180 sending SIGINT to the container's init process, which is roughly
181 equivalent to pressing Ctrl+Alt+Del on a non-containerized system,
182 and is compatible with containers running any system manager.
183 terminate NAME...
185 Immediately terminates a virtual machine or container, without
186 cleanly shutting it down. This kills all processes of the virtual
187 machine or container and deallocates all resources attached to that
188 instance. Use poweroff to issue a clean shutdown request.
189 kill NAME...
191 Send a signal to one or more processes of the virtual machine or
192 container. This means processes as seen by the host, not the
193 processes inside the virtual machine or container. Use --kill-whom=
194 to select which process to kill. Use --signal= to select the signal
195 to send.
196 bind NAME PATH [PATH]
198 Bind mounts a file or directory from the host into the specified
199 container. The first path argument is the source file or directory
200 on the host, the second path argument is the destination file or
201 directory in the container. When the latter is omitted, the
202 destination path in the container is the same as the source path on
203 the host. When combined with the --read-only switch, a ready-only
204 bind mount is created. When combined with the --mkdir switch, the
205 destination path is first created before the mount is applied. Note
206 that this option is currently only supported for systemd-nspawn(1)
207 containers, and only if user namespacing (--private-users) is not
208 used. This command supports bind mounting directories, regular
209 files, device nodes, AF_UNIX socket nodes, as well as FIFOs.
210 copy-to NAME PATH [PATH] --force
212 Copies files or directories from the host system into a running
213 container. Takes a container name, followed by the source path on
214 the host and the destination path in the container. If the
215 destination path is omitted, the same as the source path is used.
216 If host and container share the same user and group namespace, file
218 ownership by numeric user ID and group ID is preserved for the
219 copy, otherwise all files and directories in the copy will be owned
220 by the root user and group (UID/GID 0).
221 copy-from NAME PATH [PATH] --force
223 Copies files or directories from a container into the host system.
224 Takes a container name, followed by the source path in the
225 container and the destination path on the host. If the destination
226 path is omitted, the same as the source path is used.
227 If host and container share the same user and group namespace, file
229 ownership by numeric user ID and group ID is preserved for the
230 copy, otherwise all files and directories in the copy will be owned
231 by the root user and group (UID/GID 0).
232 Image Commands
234 list-images
235 Show a list of locally installed container and VM images. This
236 enumerates all raw disk images and container directories and
237 subvolumes in /var/lib/machines/ (and other search paths, see
238 below). Use start (see above) to run a container off one of the
239 listed images. Note that, by default, containers whose name begins
240 with a dot (".") are not shown. To show these too, specify --all.
241 Note that a special image ".host" always implicitly exists and
242 refers to the image the host itself is booted from.
243 image-status [NAME...]
245 Show terse status information about one or more container or VM
246 images. This function is intended to generate human-readable
247 output. Use show-image (see below) to generate computer-parsable
248 output instead.
249 show-image [NAME...]
251 Show properties of one or more registered virtual machine or
252 container images, or the manager itself. If no argument is
253 specified, properties of the manager will be shown. If a NAME is
254 specified, properties of this virtual machine or container image
255 are shown. By default, empty properties are suppressed. Use --all
256 to show those too. To select specific properties to show, use
257 --property=. This command is intended to be used whenever
258 computer-parsable output is required. Use image-status if you are
259 looking for formatted human-readable output.
260 clone NAME NAME
262 Clones a container or VM image. The arguments specify the name of
263 the image to clone and the name of the newly cloned image. Note
264 that plain directory container images are cloned into btrfs
265 subvolume images with this command, if the underlying file system
266 supports this. Note that cloning a container or VM image is
267 optimized for file systems that support copy-on-write, and might
268 not be efficient on others, due to file system limitations.
269 Note that this command leaves hostname, machine ID and all other
271 settings that could identify the instance unmodified. The original
272 image and the cloned copy will hence share these credentials, and
273 it might be necessary to manually change them in the copy.
274 If combined with the --read-only switch a read-only cloned image is
276 created.
277 rename NAME NAME
279 Renames a container or VM image. The arguments specify the name of
280 the image to rename and the new name of the image.
281 read-only NAME [BOOL]
283 Marks or (unmarks) a container or VM image read-only. Takes a VM or
284 container image name, followed by a boolean as arguments. If the
285 boolean is omitted, positive is implied, i.e. the image is marked
286 read-only.
287 remove NAME...
289 Removes one or more container or VM images. The special image
290 ".host", which refers to the host's own directory tree, may not be
291 removed.
292 set-limit [NAME] BYTES
294 Sets the maximum size in bytes that a specific container or VM
295 image, or all images, may grow up to on disk (disk quota). Takes
296 either one or two parameters. The first, optional parameter refers
297 to a container or VM image name. If specified, the size limit of
298 the specified image is changed. If omitted, the overall size limit
299 of the sum of all images stored locally is changed. The final
300 argument specifies the size limit in bytes, possibly suffixed by
301 the usual K, M, G, T units. If the size limit shall be disabled,
302 specify "-" as size.
303 Note that per-container size limits are only supported on btrfs
305 file systems.
306 clean
308 Remove hidden VM or container images (or all). This command removes
309 all hidden machine images from /var/lib/machines/, i.e. those whose
310 name begins with a dot. Use machinectl list-images --all to see a
311 list of all machine images, including the hidden ones.
312 When combined with the --all switch removes all images, not just
314 hidden ones. This command effectively empties /var/lib/machines/.
315 Note that commands such as machinectl pull-tar or machinectl
317 pull-raw usually create hidden, read-only, unmodified machine
318 images from the downloaded image first, before cloning a writable
319 working copy of it, in order to avoid duplicate downloads in case
320 of images that are reused multiple times. Use machinectl clean to
321 remove old, hidden images created this way.
322 Image Transfer Commands
324 pull-tar URL [NAME]
325 Downloads a .tar container image from the specified URL, and makes
326 it available under the specified local machine name. The URL must
327 be of type "http://" or "https://", and must refer to a .tar,
328 .tar.gz, .tar.xz or .tar.bz2 archive file. If the local machine
329 name is omitted, it is automatically derived from the last
330 component of the URL, with its suffix removed.
331 The image is verified before it is made available, unless
333 --verify=no is specified. Verification is done either via an inline
334 signed file with the name of the image and the suffix .sha256 or
335 via separate SHA256SUMS and SHA256SUMS.gpg files. The signature
336 files need to be made available on the same web server, under the
337 same URL as the .tar file. With --verify=checksum, only the SHA256
338 checksum for the file is verified, based on the .sha256 suffixed
339 file or the SHA256SUMS file. With --verify=signature, the sha
340 checksum file is first verified with the inline signature in the
341 .sha256 file or the detached GPG signature file SHA256SUMS.gpg. The
342 public key for this verification step needs to be available in
343 /usr/lib/systemd/import-pubring.gpg or
344 /etc/systemd/import-pubring.gpg.
345 The container image will be downloaded and stored in a read-only
347 subvolume in /var/lib/machines/ that is named after the specified
348 URL and its HTTP etag. A writable snapshot is then taken from this
349 subvolume, and named after the specified local name. This behavior
350 ensures that creating multiple container instances of the same URL
351 is efficient, as multiple downloads are not necessary. In order to
352 create only the read-only image, and avoid creating its writable
353 snapshot, specify "-" as local machine name.
354 Note that the read-only subvolume is prefixed with .tar-, and is
356 thus not shown by list-images, unless --all is passed.
357 Note that pressing C-c during execution of this command will not
359 abort the download. Use cancel-transfer, described below.
360 pull-raw URL [NAME]
362 Downloads a .raw container or VM disk image from the specified URL,
363 and makes it available under the specified local machine name. The
364 URL must be of type "http://" or "https://". The container image
365 must either be a .qcow2 or raw disk image, optionally compressed as
366 .gz, .xz, or .bz2. If the local machine name is omitted, it is
367 automatically derived from the last component of the URL, with its
368 suffix removed.
369 Image verification is identical for raw and tar images (see above).
371 If the downloaded image is in .qcow2 format it is converted into a
373 raw image file before it is made available.
374 Downloaded images of this type will be placed as read-only .raw
376 file in /var/lib/machines/. A local, writable (reflinked) copy is
377 then made under the specified local machine name. To omit creation
378 of the local, writable copy pass "-" as local machine name.
379 Similarly to the behavior of pull-tar, the read-only image is
381 prefixed with .raw-, and thus not shown by list-images, unless
382 --all is passed.
383 Note that pressing C-c during execution of this command will not
385 abort the download. Use cancel-transfer, described below.
386 import-tar FILE [NAME], import-raw FILE [NAME]
388 Imports a TAR or RAW container or VM image, and places it under the
389 specified name in /var/lib/machines/. When import-tar is used, the
390 file specified as the first argument should be a tar archive,
391 possibly compressed with xz, gzip or bzip2. It will then be
392 unpacked into its own subvolume in /var/lib/machines/. When
393 import-raw is used, the file should be a qcow2 or raw disk image,
394 possibly compressed with xz, gzip or bzip2. If the second argument
395 (the resulting image name) is not specified, it is automatically
396 derived from the file name. If the filename is passed as "-", the
397 image is read from standard input, in which case the second
398 argument is mandatory.
399 Optionally, the --read-only switch may be used to create a
401 read-only container or VM image. No cryptographic validation is
402 done when importing the images.
403 Much like image downloads, ongoing imports may be listed with
405 list-transfers and aborted with cancel-transfer.
406 import-fs DIRECTORY [NAME]
408 Imports a container image stored in a local directory into
409 /var/lib/machines/, operates similarly to import-tar or import-raw,
410 but the first argument is the source directory. If supported, this
411 command will create a btrfs snapshot or subvolume for the new
412 image.
413 export-tar NAME [FILE], export-raw NAME [FILE]
415 Exports a TAR or RAW container or VM image and stores it in the
416 specified file. The first parameter should be a VM or container
417 image name. The second parameter should be a file path the TAR or
418 RAW image is written to. If the path ends in ".gz", the file is
419 compressed with gzip, if it ends in ".xz", with xz, and if it ends
420 in ".bz2", with bzip2. If the path ends in neither, the file is
421 left uncompressed. If the second argument is missing, the image is
422 written to standard output. The compression may also be explicitly
423 selected with the --format= switch. This is in particular useful if
424 the second parameter is left unspecified.
425 Much like image downloads and imports, ongoing exports may be
427 listed with list-transfers and aborted with cancel-transfer.
428 Note that, currently, only directory and subvolume images may be
430 exported as TAR images, and only raw disk images as RAW images.
431 list-transfers
433 Shows a list of container or VM image downloads, imports and
434 exports that are currently in progress.
435 cancel-transfer ID...
437 Aborts a download, import or export of the container or VM image
438 with the specified ID. To list ongoing transfers and their IDs, use
439 list-transfers.
440
442 The following options are understood:
443 -p, --property=
445 When showing machine or image properties, limit the output to
446 certain properties as specified by the argument. If not specified,
447 all set properties are shown. The argument should be a property
448 name, such as "Name". If specified more than once, all properties
449 with the specified names are shown.
450 -a, --all
452 When showing machine or image properties, show all properties
453 regardless of whether they are set or not.
454 When listing VM or container images, do not suppress images
456 beginning in a dot character (".").
457 When cleaning VM or container images, remove all images, not just
459 hidden ones.
460 --value
462 When printing properties with show, only print the value, and skip
463 the property name and "=".
464 -l, --full
466 Do not ellipsize process tree entries or table. This implies
467 --max-addresses=full.
468 --kill-whom=
470 When used with kill, choose which processes to kill. Must be one of
471 leader, or all to select whether to kill only the leader process of
472 the machine or all processes of the machine. If omitted, defaults
473 to all.
474 -s, --signal=
476 When used with kill, choose which signal to send to selected
477 processes. Must be one of the well-known signal specifiers such as
478 SIGTERM, SIGINT or SIGSTOP. If omitted, defaults to SIGTERM.
479 The special value "help" will list the known values and the program
481 will exit immediately, and the special value "list" will list known
482 values along with the numerical signal numbers and the program will
483 exit immediately.
484 --uid=
486 When used with the shell command, chooses the user ID to open the
487 interactive shell session as. If the argument to the shell command
488 also specifies a user name, this option is ignored. If the name is
489 not specified in either way, "root" will be used by default. Note
490 that this switch is not supported for the login command (see
491 below).
492 -E NAME[=VALUE], --setenv=NAME[=VALUE]
494 When used with the shell command, sets an environment variable for
495 the executed shell. This option may be used more than once to set
496 multiple variables. When "=" and VALUE are omitted, the value of
497 the variable with the same name in the program environment will be
498 used.
499 Note that this option is not supported for the login command.
501 --mkdir
503 When used with bind, creates the destination file or directory
504 before applying the bind mount. Note that even though the name of
505 this option suggests that it is suitable only for directories, this
506 option also creates the destination file node to mount over if the
507 object to mount is not a directory, but a regular file, device
508 node, socket or FIFO.
509 --read-only
511 When used with bind, creates a read-only bind mount.
512 When used with clone, import-raw or import-tar a read-only
514 container or VM image is created.
515 -n, --lines=
517 When used with status, controls the number of journal lines to
518 show, counting from the most recent ones. Takes a positive integer
519 argument. Defaults to 10.
520 -o, --output=
522 When used with status, controls the formatting of the journal
523 entries that are shown. For the available choices, see
524 journalctl(1). Defaults to "short".
525 --verify=
527 When downloading a container or VM image, specify whether the image
528 shall be verified before it is made available. Takes one of "no",
529 "checksum" and "signature". If "no", no verification is done. If
530 "checksum" is specified, the download is checked for integrity
531 after the transfer is complete, but no signatures are verified. If
532 "signature" is specified, the checksum is verified and the image's
533 signature is checked against a local keyring of trustable vendors.
534 It is strongly recommended to set this option to "signature" if the
535 server and protocol support this. Defaults to "signature".
536 --now
538 When used with enable or disable, the containers will also be
539 started or powered off. The start or poweroff operation is only
540 carried out when the respective enable or disable operation has
541 been successful.
542 --force
544 When downloading a container or VM image, and a local copy by the
545 specified local machine name already exists, delete it first and
546 replace it by the newly downloaded image.
547 --format=
549 When used with the export-tar or export-raw commands, specifies the
550 compression format to use for the resulting file. Takes one of
551 "uncompressed", "xz", "gzip", "bzip2". By default, the format is
552 determined automatically from the image file name passed.
553 --max-addresses=
555 When used with the list-machines command, limits the number of IP
556 addresses shown for every machine. Defaults to 1. All addresses can
557 be requested with "all". If the limit is 0, the address column is
558 not shown. Otherwise, if the machine has more addresses than shown,
559 "..." follows the last address.
560 -q, --quiet
562 Suppresses additional informational output while running.
563 -H, --host=
565 Execute the operation remotely. Specify a hostname, or a username
566 and hostname separated by "@", to connect to. The hostname may
567 optionally be suffixed by a port ssh is listening on, separated by
568 ":", and then a container name, separated by "/", which connects
569 directly to a specific container on the specified host. This will
570 use SSH to talk to the remote machine manager instance. Container
571 names may be enumerated with machinectl -H HOST. Put IPv6 addresses
572 in brackets.
573 -M, --machine=
575 Connect to systemd-machined.service(8) running in a local
576 container, to perform the specified operation within the container.
577 --no-pager
579 Do not pipe output into a pager.
580 --no-legend
582 Do not print the legend, i.e. column headers and the footer with
583 hints.
584 --no-ask-password
586 Do not query the user for authentication for privileged operations.
587 -h, --help
589 Print a short help text and exit.
590 --version
592 Print a short version string and exit.
593
595 The machinectl tool operates on machines and images whose names must be
596 chosen following strict rules. Machine names must be suitable for use
597 as hostnames following a conservative subset of DNS and UNIX/Linux
598 semantics. Specifically, they must consist of one or more non-empty
599 label strings, separated by dots. No leading or trailing dots are
600 allowed. No sequences of multiple dots are allowed. The label strings
601 may only consist of alphanumeric characters as well as the dash and
602 underscore. The maximum length of a machine name is 64 characters.
603 A special machine with the name ".host" refers to the running host
605 system itself. This is useful for execution operations or inspecting
606 the host system as well. Note that machinectl list will not show this
607 special machine unless the --all switch is specified.
608 Requirements on image names are less strict, however, they must be
610 valid UTF-8, must be suitable as file names (hence not be the single or
611 double dot, and not include a slash), and may not contain control
612 characters. Since many operations search for an image by the name of a
613 requested machine, it is recommended to name images in the same strict
614 fashion as machines.
615 A special image with the name ".host" refers to the image of the
617 running host system. It hence conceptually maps to the special ".host"
618 machine name described above. Note that machinectl list-images will not
619 show this special image either, unless --all is specified.
620
622 Machine images are preferably stored in /var/lib/machines/, but are
623 also searched for in /usr/local/lib/machines/ and /usr/lib/machines/.
624 For compatibility reasons, the directory /var/lib/container/ is
625 searched, too. Note that images stored below /usr/ are always
626 considered read-only. It is possible to symlink machines images from
627 other directories into /var/lib/machines/ to make them available for
628 control with machinectl.
629 Note that some image operations are only supported, efficient or atomic
631 on btrfs file systems.
632 Disk images are understood by systemd-nspawn(1) and machinectl in three
634 formats:
635 • A simple directory tree, containing the files and directories of
637 the container to boot.
638 • Subvolumes (on btrfs file systems), which are similar to the simple
640 directories, described above. However, they have additional
641 benefits, such as efficient cloning and quota reporting.
642 • "Raw" disk images, i.e. binary images of disks with a GPT or MBR
644 partition table. Images of this type are regular files with the
645 suffix ".raw".
646 See systemd-nspawn(1) for more information on image formats, in
648 particular its --directory= and --image= options.
649
651 Example 1. Download an Ubuntu image and open a shell in it
652 # machinectl pull-tar https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-root.tar.gz
654 # systemd-nspawn -M trusty-server-cloudimg-amd64-root
655 This downloads and verifies the specified .tar image, and then uses
657 systemd-nspawn(1) to open a shell in it.
658 Example 2. Download a Fedora image, set a root password in it, start it
660 as a service
661 # machinectl pull-raw --verify=no \
663 https://download.fedoraproject.org/pub/fedora/linux/releases/37/Cloud/x86_64/images/Fedora-Cloud-Base-37-1.7.x86_64.raw.xz \
664 Fedora-Cloud-Base-37-1.7.x86-64
665 # systemd-nspawn -M Fedora-Cloud-Base-37-1.7.x86-64
666 # passwd
667 # exit
668 # machinectl start Fedora-Cloud-Base-37-1.7.x86-64
669 # machinectl login Fedora-Cloud-Base-37-1.7.x86-64
670 This downloads the specified .raw image with verification disabled.
672 Then, a shell is opened in it and a root password is set. Afterwards
673 the shell is left, and the machine started as system service. With the
674 last command a login prompt into the container is requested.
675 Example 3. Exports a container image as tar file
677 # machinectl export-tar fedora myfedora.tar.xz
679 Exports the container "fedora" as an xz-compressed tar file
681 myfedora.tar.xz into the current directory.
682 Example 4. Create a new shell session
684 # machinectl shell --uid=lennart
686 This creates a new shell session on the local host for the user ID
688 "lennart", in a su(1)-like fashion.
689
691 On success, 0 is returned, a non-zero failure code otherwise.
692
694 $SYSTEMD_LOG_LEVEL
695 The maximum log level of emitted messages (messages with a higher
696 log level, i.e. less important ones, will be suppressed). Either
697 one of (in order of decreasing importance) emerg, alert, crit, err,
698 warning, notice, info, debug, or an integer in the range 0...7. See
699 syslog(3) for more information.
700 $SYSTEMD_LOG_COLOR
702 A boolean. If true, messages written to the tty will be colored
703 according to priority.
704 This setting is only useful when messages are written directly to
706 the terminal, because journalctl(1) and other tools that display
707 logs will color messages based on the log level on their own.
708 $SYSTEMD_LOG_TIME
710 A boolean. If true, console log messages will be prefixed with a
711 timestamp.
712 This setting is only useful when messages are written directly to
714 the terminal or a file, because journalctl(1) and other tools that
715 display logs will attach timestamps based on the entry metadata on
716 their own.
717 $SYSTEMD_LOG_LOCATION
719 A boolean. If true, messages will be prefixed with a filename and
720 line number in the source code where the message originates.
721 Note that the log location is often attached as metadata to journal
723 entries anyway. Including it directly in the message text can
724 nevertheless be convenient when debugging programs.
725 $SYSTEMD_LOG_TID
727 A boolean. If true, messages will be prefixed with the current
728 numerical thread ID (TID).
729 Note that the this information is attached as metadata to journal
731 entries anyway. Including it directly in the message text can
732 nevertheless be convenient when debugging programs.
733 $SYSTEMD_LOG_TARGET
735 The destination for log messages. One of console (log to the
736 attached tty), console-prefixed (log to the attached tty but with
737 prefixes encoding the log level and "facility", see syslog(3), kmsg
738 (log to the kernel circular log buffer), journal (log to the
739 journal), journal-or-kmsg (log to the journal if available, and to
740 kmsg otherwise), auto (determine the appropriate log target
741 automatically, the default), null (disable log output).
742 $SYSTEMD_PAGER
744 Pager to use when --no-pager is not given; overrides $PAGER. If
745 neither $SYSTEMD_PAGER nor $PAGER are set, a set of well-known
746 pager implementations are tried in turn, including less(1) and
747 more(1), until one is found. If no pager implementation is
748 discovered no pager is invoked. Setting this environment variable
749 to an empty string or the value "cat" is equivalent to passing
750 --no-pager.
751 Note: if $SYSTEMD_PAGERSECURE is not set, $SYSTEMD_PAGER (as well
753 as $PAGER) will be silently ignored.
754 $SYSTEMD_LESS
756 Override the options passed to less (by default "FRSXMK").
757 Users might want to change two options in particular:
759 K
761 This option instructs the pager to exit immediately when Ctrl+C
762 is pressed. To allow less to handle Ctrl+C itself to switch
763 back to the pager command prompt, unset this option.
764 If the value of $SYSTEMD_LESS does not include "K", and the
766 pager that is invoked is less, Ctrl+C will be ignored by the
767 executable, and needs to be handled by the pager.
768 X
770 This option instructs the pager to not send termcap
771 initialization and deinitialization strings to the terminal. It
772 is set by default to allow command output to remain visible in
773 the terminal even after the pager exits. Nevertheless, this
774 prevents some pager functionality from working, in particular
775 paged output cannot be scrolled with the mouse.
776 See less(1) for more discussion.
778 $SYSTEMD_LESSCHARSET
780 Override the charset passed to less (by default "utf-8", if the
781 invoking terminal is determined to be UTF-8 compatible).
782 $SYSTEMD_PAGERSECURE
784 Takes a boolean argument. When true, the "secure" mode of the pager
785 is enabled; if false, disabled. If $SYSTEMD_PAGERSECURE is not set
786 at all, secure mode is enabled if the effective UID is not the same
787 as the owner of the login session, see geteuid(2) and
788 sd_pid_get_owner_uid(3). In secure mode, LESSSECURE=1 will be set
789 when invoking the pager, and the pager shall disable commands that
790 open or create new files or start new subprocesses. When
791 $SYSTEMD_PAGERSECURE is not set at all, pagers which are not known
792 to implement secure mode will not be used. (Currently only less(1)
793 implements secure mode.)
794 Note: when commands are invoked with elevated privileges, for
796 example under sudo(8) or pkexec(1), care must be taken to ensure
797 that unintended interactive features are not enabled. "Secure" mode
798 for the pager may be enabled automatically as describe above.
799 Setting SYSTEMD_PAGERSECURE=0 or not removing it from the inherited
800 environment allows the user to invoke arbitrary commands. Note that
801 if the $SYSTEMD_PAGER or $PAGER variables are to be honoured,
802 $SYSTEMD_PAGERSECURE must be set too. It might be reasonable to
803 completely disable the pager using --no-pager instead.
804 $SYSTEMD_COLORS
806 Takes a boolean argument. When true, systemd and related utilities
807 will use colors in their output, otherwise the output will be
808 monochrome. Additionally, the variable can take one of the
809 following special values: "16", "256" to restrict the use of colors
810 to the base 16 or 256 ANSI colors, respectively. This can be
811 specified to override the automatic decision based on $TERM and
812 what the console is connected to.
813 $SYSTEMD_URLIFY
815 The value must be a boolean. Controls whether clickable links
816 should be generated in the output for terminal emulators supporting
817 this. This can be specified to override the decision that systemd
818 makes based on $TERM and other conditions.
819
821 systemd(1), systemd-machined.service(8), systemd-nspawn(1),
822 systemd.special(7), tar(1), xz(1), gzip(1), bzip2(1)
823systemd 253 MACHINECTL(1)