1MACHINECTL(1) machinectl MACHINECTL(1)
2
6 machinectl - Control the systemd machine manager
7
9 machinectl [OPTIONS...] {COMMAND} [NAME...]
10
12 machinectl may be used to introspect and control the state of the
13 systemd(1) virtual machine and container registration manager systemd-
14 machined.service(8).
15 machinectl may be used to execute operations on machines and images.
17 Machines in this sense are considered running instances of:
18 • Virtual Machines (VMs) that virtualize hardware to run full
20 operating system (OS) instances (including their kernels) in a
21 virtualized environment on top of the host OS.
22 • Containers that share the hardware and OS kernel with the host OS,
24 in order to run OS userspace instances on top the host OS.
25 • The host system itself.
27 Machines are identified by names that follow the same rules as UNIX and
29 DNS hostnames. For details, see below.
30 Machines are instantiated from disk or file system images that
32 frequently — but not necessarily — carry the same name as machines
33 running from them. Images in this sense may be:
34 • Directory trees containing an OS, including the top-level
36 directories /usr/, /etc/, and so on.
37 • btrfs subvolumes containing OS trees, similar to regular directory
39 trees.
40 • Binary "raw" disk image files containing MBR or GPT partition
42 tables and Linux file systems.
43 • Similarly, block devices containing MBR or GPT partition tables and
45 file systems.
46 • The file system tree of the host OS itself.
48
50 The following commands are understood:
51 Machine Commands
53 list
54 List currently running (online) virtual machines and containers. To
55 enumerate machine images that can be started, use list-images (see
56 below). Note that this command hides the special ".host" machine by
57 default. Use the --all switch to show it.
58 status NAME...
60 Show runtime status information about one or more virtual machines
61 and containers, followed by the most recent log data from the
62 journal. This function is intended to generate human-readable
63 output. If you are looking for computer-parsable output, use show
64 instead. Note that the log data shown is reported by the virtual
65 machine or container manager, and frequently contains console
66 output of the machine, but not necessarily journal contents of the
67 machine itself.
68 show [NAME...]
70 Show properties of one or more registered virtual machines or
71 containers or the manager itself. If no argument is specified,
72 properties of the manager will be shown. If a NAME is specified,
73 properties of this virtual machine or container are shown. By
74 default, empty properties are suppressed. Use --all to show those
75 too. To select specific properties to show, use --property=. This
76 command is intended to be used whenever computer-parsable output is
77 required, and does not print the control group tree or journal
78 entries. Use status if you are looking for formatted human-readable
79 output.
80 start NAME...
82 Start a container as a system service, using systemd-nspawn(1).
83 This starts systemd-nspawn@.service, instantiated for the specified
84 machine name, similar to the effect of systemctl start on the
85 service name. systemd-nspawn looks for a container image by the
86 specified name in /var/lib/machines/ (and other search paths, see
87 below) and runs it. Use list-images (see below) for listing
88 available container images to start.
89 Note that systemd-machined.service(8) also interfaces with a
91 variety of other container and VM managers, systemd-nspawn is just
92 one implementation of it. Most of the commands available in
93 machinectl may be used on containers or VMs controlled by other
94 managers, not just systemd-nspawn. Starting VMs and container
95 images on those managers requires manager-specific tools.
96 To interactively start a container on the command line with full
98 access to the container's console, please invoke systemd-nspawn
99 directly. To stop a running container use machinectl poweroff.
100 login [NAME]
102 Open an interactive terminal login session in a container or on the
103 local host. If an argument is supplied, it refers to the container
104 machine to connect to. If none is specified, or the container name
105 is specified as the empty string, or the special machine name
106 ".host" (see below) is specified, the connection is made to the
107 local host instead. This will create a TTY connection to a specific
108 container or the local host and asks for the execution of a getty
109 on it. Note that this is only supported for containers running
110 systemd(1) as init system.
111 This command will open a full login prompt on the container or the
113 local host, which then asks for username and password. Use shell
114 (see below) or systemd-run(1) with the --machine= switch to
115 directly invoke a single command, either interactively or in the
116 background.
117 shell [[NAME@]NAME [PATH [ARGUMENTS...]]]
119 Open an interactive shell session in a container or on the local
120 host. The first argument refers to the container machine to connect
121 to. If none is specified, or the machine name is specified as the
122 empty string, or the special machine name ".host" (see below) is
123 specified, the connection is made to the local host instead. This
124 works similarly to login, but immediately invokes a user process.
125 This command runs the specified executable with the specified
126 arguments, or the default shell for the user if none is specified,
127 or /bin/sh if no default shell is found. By default, --uid=, or by
128 prefixing the machine name with a username and an "@" character, a
129 different user may be selected. Use --setenv= to set environment
130 variables for the executed process.
131 Note that machinectl shell does not propagate the exit code/status
133 of the invoked shell process. Use systemd-run instead if that
134 information is required (see below).
135 Using the shell command without arguments (thus invoking the
137 executed shell or command on the local host), is in many ways
138 similar to a su(1) session, but, unlike su, completely isolates the
139 new session from the originating session, so that it shares no
140 process or session properties and is in a clean well-defined state.
141 It will be tracked in a new utmp, login, audit, security, and
142 keyring sessions, and will not inherit any environment variables or
143 resource limits, among other properties.
144 Note that systemd-run(1) with its --machine= switch may be used in
146 place of the machinectl shell command, and allows non-interactive
147 operation, more detailed and low-level configuration of the invoked
148 unit, as well as access to runtime and exit code/status information
149 of the invoked shell process. In particular, use systemd-run's
150 --wait switch to propagate exit status information of the invoked
151 process. Use systemd-run's --pty switch to acquire an interactive
152 shell, similarly to machinectl shell. In general, systemd-run is
153 preferable for scripting purposes. However, note that systemd-run
154 might require higher privileges than machinectl shell.
155 enable NAME..., disable NAME...
157 Enable or disable a container as a system service to start at
158 system boot, using systemd-nspawn(1). This enables or disables
159 systemd-nspawn@.service, instantiated for the specified machine
160 name, similarly to the effect of systemctl enable or systemctl
161 disable on the service name.
162 This command implicitly reloads the system manager configuration
164 after completing the operation. Note that this command does not
165 implicitly start or power off the containers that are being
166 operated on. If this is desired, combine the command with the --now
167 switch.
168 poweroff NAME...
170 Power off one or more containers. This will trigger a reboot by
171 sending SIGRTMIN+4 to the container's init process, which causes
172 systemd-compatible init systems to shut down cleanly. Use stop as
173 alias for poweroff. This operation does not work on containers that
174 do not run a systemd(1)-compatible init system, such as sysvinit.
175 Use terminate (see below) to immediately terminate a container or
176 VM, without cleanly shutting it down.
177 reboot NAME...
179 Reboot one or more containers. This will trigger a reboot by
180 sending SIGINT to the container's init process, which is roughly
181 equivalent to pressing Ctrl+Alt+Del on a non-containerized system,
182 and is compatible with containers running any system manager.
183 terminate NAME...
185 Immediately terminates a virtual machine or container, without
186 cleanly shutting it down. This kills all processes of the virtual
187 machine or container and deallocates all resources attached to that
188 instance. Use poweroff to issue a clean shutdown request.
189 kill NAME...
191 Send a signal to one or more processes of the virtual machine or
192 container. This means processes as seen by the host, not the
193 processes inside the virtual machine or container. Use --kill-whom=
194 to select which process to kill. Use --signal= to select the signal
195 to send.
196 bind NAME PATH [PATH]
198 Bind mounts a file or directory from the host into the specified
199 container. The first path argument is the source file or directory
200 on the host, the second path argument is the destination file or
201 directory in the container. When the latter is omitted, the
202 destination path in the container is the same as the source path on
203 the host. When combined with the --read-only switch, a ready-only
204 bind mount is created. When combined with the --mkdir switch, the
205 destination path is first created before the mount is applied. Note
206 that this option is currently only supported for systemd-nspawn(1)
207 containers, and only if user namespacing (--private-users) is not
208 used. This command supports bind mounting directories, regular
209 files, device nodes, AF_UNIX socket nodes, as well as FIFOs.
210 copy-to NAME PATH [PATH] --force
212 Copies files or directories from the host system into a running
213 container. Takes a container name, followed by the source path on
214 the host and the destination path in the container. If the
215 destination path is omitted, the same as the source path is used.
216 If host and container share the same user and group namespace, file
218 ownership by numeric user ID and group ID is preserved for the
219 copy, otherwise all files and directories in the copy will be owned
220 by the root user and group (UID/GID 0).
221 copy-from NAME PATH [PATH] --force
223 Copies files or directories from a container into the host system.
224 Takes a container name, followed by the source path in the
225 container and the destination path on the host. If the destination
226 path is omitted, the same as the source path is used.
227 If host and container share the same user and group namespace, file
229 ownership by numeric user ID and group ID is preserved for the
230 copy, otherwise all files and directories in the copy will be owned
231 by the root user and group (UID/GID 0).
232 Image Commands
234 list-images
235 Show a list of locally installed container and VM images. This
236 enumerates all raw disk images and container directories and
237 subvolumes in /var/lib/machines/ (and other search paths, see
238 below). Use start (see above) to run a container off one of the
239 listed images. Note that, by default, containers whose name begins
240 with a dot (".") are not shown. To show these too, specify --all.
241 Note that a special image ".host" always implicitly exists and
242 refers to the image the host itself is booted from.
243 image-status [NAME...]
245 Show terse status information about one or more container or VM
246 images. This function is intended to generate human-readable
247 output. Use show-image (see below) to generate computer-parsable
248 output instead.
249 show-image [NAME...]
251 Show properties of one or more registered virtual machine or
252 container images, or the manager itself. If no argument is
253 specified, properties of the manager will be shown. If a NAME is
254 specified, properties of this virtual machine or container image
255 are shown. By default, empty properties are suppressed. Use --all
256 to show those too. To select specific properties to show, use
257 --property=. This command is intended to be used whenever
258 computer-parsable output is required. Use image-status if you are
259 looking for formatted human-readable output.
260 edit NAME|FILE
262 Edit the settings file of the specified machines. For the format of
263 the settings file, refer to systemd.nspawn(5). If an existing
264 settings file of the given machine can't be found, edit
265 automatically create a new settings file from scratch under /etc/
266 cat NAME|FILE
268 Show the settings file of the specified machines.
269 clone NAME NAME
271 Clones a container or VM image. The arguments specify the name of
272 the image to clone and the name of the newly cloned image. Note
273 that plain directory container images are cloned into btrfs
274 subvolume images with this command, if the underlying file system
275 supports this. Note that cloning a container or VM image is
276 optimized for file systems that support copy-on-write, and might
277 not be efficient on others, due to file system limitations.
278 Note that this command leaves hostname, machine ID and all other
280 settings that could identify the instance unmodified. The original
281 image and the cloned copy will hence share these credentials, and
282 it might be necessary to manually change them in the copy.
283 If combined with the --read-only switch a read-only cloned image is
285 created.
286 rename NAME NAME
288 Renames a container or VM image. The arguments specify the name of
289 the image to rename and the new name of the image.
290 read-only NAME [BOOL]
292 Marks or (unmarks) a container or VM image read-only. Takes a VM or
293 container image name, followed by a boolean as arguments. If the
294 boolean is omitted, positive is implied, i.e. the image is marked
295 read-only.
296 remove NAME...
298 Removes one or more container or VM images. The special image
299 ".host", which refers to the host's own directory tree, may not be
300 removed.
301 set-limit [NAME] BYTES
303 Sets the maximum size in bytes that a specific container or VM
304 image, or all images, may grow up to on disk (disk quota). Takes
305 either one or two parameters. The first, optional parameter refers
306 to a container or VM image name. If specified, the size limit of
307 the specified image is changed. If omitted, the overall size limit
308 of the sum of all images stored locally is changed. The final
309 argument specifies the size limit in bytes, possibly suffixed by
310 the usual K, M, G, T units. If the size limit shall be disabled,
311 specify "-" as size.
312 Note that per-container size limits are only supported on btrfs
314 file systems.
315 clean
317 Remove hidden VM or container images (or all). This command removes
318 all hidden machine images from /var/lib/machines/, i.e. those whose
319 name begins with a dot. Use machinectl list-images --all to see a
320 list of all machine images, including the hidden ones.
321 When combined with the --all switch removes all images, not just
323 hidden ones. This command effectively empties /var/lib/machines/.
324 Note that commands such as machinectl pull-tar or machinectl
326 pull-raw usually create hidden, read-only, unmodified machine
327 images from the downloaded image first, before cloning a writable
328 working copy of it, in order to avoid duplicate downloads in case
329 of images that are reused multiple times. Use machinectl clean to
330 remove old, hidden images created this way.
331 Image Transfer Commands
333 pull-tar URL [NAME]
334 Downloads a .tar container image from the specified URL, and makes
335 it available under the specified local machine name. The URL must
336 be of type "http://" or "https://", and must refer to a .tar,
337 .tar.gz, .tar.xz or .tar.bz2 archive file. If the local machine
338 name is omitted, it is automatically derived from the last
339 component of the URL, with its suffix removed.
340 The image is verified before it is made available, unless
342 --verify=no is specified. Verification is done either via an inline
343 signed file with the name of the image and the suffix .sha256 or
344 via separate SHA256SUMS and SHA256SUMS.gpg files. The signature
345 files need to be made available on the same web server, under the
346 same URL as the .tar file. With --verify=checksum, only the SHA256
347 checksum for the file is verified, based on the .sha256 suffixed
348 file or the SHA256SUMS file. With --verify=signature, the sha
349 checksum file is first verified with the inline signature in the
350 .sha256 file or the detached GPG signature file SHA256SUMS.gpg. The
351 public key for this verification step needs to be available in
352 /usr/lib/systemd/import-pubring.gpg or
353 /etc/systemd/import-pubring.gpg.
354 The container image will be downloaded and stored in a read-only
356 subvolume in /var/lib/machines/ that is named after the specified
357 URL and its HTTP etag. A writable snapshot is then taken from this
358 subvolume, and named after the specified local name. This behavior
359 ensures that creating multiple container instances of the same URL
360 is efficient, as multiple downloads are not necessary. In order to
361 create only the read-only image, and avoid creating its writable
362 snapshot, specify "-" as local machine name.
363 Note that the read-only subvolume is prefixed with .tar-, and is
365 thus not shown by list-images, unless --all is passed.
366 Note that pressing C-c during execution of this command will not
368 abort the download. Use cancel-transfer, described below.
369 pull-raw URL [NAME]
371 Downloads a .raw container or VM disk image from the specified URL,
372 and makes it available under the specified local machine name. The
373 URL must be of type "http://" or "https://". The container image
374 must either be a .qcow2 or raw disk image, optionally compressed as
375 .gz, .xz, or .bz2. If the local machine name is omitted, it is
376 automatically derived from the last component of the URL, with its
377 suffix removed.
378 Image verification is identical for raw and tar images (see above).
380 If the downloaded image is in .qcow2 format it is converted into a
382 raw image file before it is made available.
383 Downloaded images of this type will be placed as read-only .raw
385 file in /var/lib/machines/. A local, writable (reflinked) copy is
386 then made under the specified local machine name. To omit creation
387 of the local, writable copy pass "-" as local machine name.
388 Similarly to the behavior of pull-tar, the read-only image is
390 prefixed with .raw-, and thus not shown by list-images, unless
391 --all is passed.
392 Note that pressing C-c during execution of this command will not
394 abort the download. Use cancel-transfer, described below.
395 import-tar FILE [NAME], import-raw FILE [NAME]
397 Imports a TAR or RAW container or VM image, and places it under the
398 specified name in /var/lib/machines/. When import-tar is used, the
399 file specified as the first argument should be a tar archive,
400 possibly compressed with xz, gzip or bzip2. It will then be
401 unpacked into its own subvolume in /var/lib/machines/. When
402 import-raw is used, the file should be a qcow2 or raw disk image,
403 possibly compressed with xz, gzip or bzip2. If the second argument
404 (the resulting image name) is not specified, it is automatically
405 derived from the file name. If the filename is passed as "-", the
406 image is read from standard input, in which case the second
407 argument is mandatory.
408 Optionally, the --read-only switch may be used to create a
410 read-only container or VM image. No cryptographic validation is
411 done when importing the images.
412 Much like image downloads, ongoing imports may be listed with
414 list-transfers and aborted with cancel-transfer.
415 import-fs DIRECTORY [NAME]
417 Imports a container image stored in a local directory into
418 /var/lib/machines/, operates similarly to import-tar or import-raw,
419 but the first argument is the source directory. If supported, this
420 command will create a btrfs snapshot or subvolume for the new
421 image.
422 export-tar NAME [FILE], export-raw NAME [FILE]
424 Exports a TAR or RAW container or VM image and stores it in the
425 specified file. The first parameter should be a VM or container
426 image name. The second parameter should be a file path the TAR or
427 RAW image is written to. If the path ends in ".gz", the file is
428 compressed with gzip, if it ends in ".xz", with xz, and if it ends
429 in ".bz2", with bzip2. If the path ends in neither, the file is
430 left uncompressed. If the second argument is missing, the image is
431 written to standard output. The compression may also be explicitly
432 selected with the --format= switch. This is in particular useful if
433 the second parameter is left unspecified.
434 Much like image downloads and imports, ongoing exports may be
436 listed with list-transfers and aborted with cancel-transfer.
437 Note that, currently, only directory and subvolume images may be
439 exported as TAR images, and only raw disk images as RAW images.
440 list-transfers
442 Shows a list of container or VM image downloads, imports and
443 exports that are currently in progress.
444 cancel-transfer ID...
446 Aborts a download, import or export of the container or VM image
447 with the specified ID. To list ongoing transfers and their IDs, use
448 list-transfers.
449
451 The following options are understood:
452 -p, --property=
454 When showing machine or image properties, limit the output to
455 certain properties as specified by the argument. If not specified,
456 all set properties are shown. The argument should be a property
457 name, such as "Name". If specified more than once, all properties
458 with the specified names are shown.
459 -a, --all
461 When showing machine or image properties, show all properties
462 regardless of whether they are set or not.
463 When listing VM or container images, do not suppress images
465 beginning in a dot character (".").
466 When cleaning VM or container images, remove all images, not just
468 hidden ones.
469 --value
471 When printing properties with show, only print the value, and skip
472 the property name and "=".
473 -l, --full
475 Do not ellipsize process tree entries or table. This implies
476 --max-addresses=full.
477 --kill-whom=
479 When used with kill, choose which processes to kill. Must be one of
480 leader, or all to select whether to kill only the leader process of
481 the machine or all processes of the machine. If omitted, defaults
482 to all.
483 -s, --signal=
485 When used with kill, choose which signal to send to selected
486 processes. Must be one of the well-known signal specifiers such as
487 SIGTERM, SIGINT or SIGSTOP. If omitted, defaults to SIGTERM.
488 The special value "help" will list the known values and the program
490 will exit immediately, and the special value "list" will list known
491 values along with the numerical signal numbers and the program will
492 exit immediately.
493 --uid=
495 When used with the shell command, chooses the user ID to open the
496 interactive shell session as. If the argument to the shell command
497 also specifies a user name, this option is ignored. If the name is
498 not specified in either way, "root" will be used by default. Note
499 that this switch is not supported for the login command (see
500 below).
501 -E NAME[=VALUE], --setenv=NAME[=VALUE]
503 When used with the shell command, sets an environment variable for
504 the executed shell. This option may be used more than once to set
505 multiple variables. When "=" and VALUE are omitted, the value of
506 the variable with the same name in the program environment will be
507 used.
508 Note that this option is not supported for the login command.
510 --mkdir
512 When used with bind, creates the destination file or directory
513 before applying the bind mount. Note that even though the name of
514 this option suggests that it is suitable only for directories, this
515 option also creates the destination file node to mount over if the
516 object to mount is not a directory, but a regular file, device
517 node, socket or FIFO.
518 --read-only
520 When used with bind, creates a read-only bind mount.
521 When used with clone, import-raw or import-tar a read-only
523 container or VM image is created.
524 -n, --lines=
526 When used with status, controls the number of journal lines to
527 show, counting from the most recent ones. Takes a positive integer
528 argument. Defaults to 10.
529 -o, --output=
531 When used with status, controls the formatting of the journal
532 entries that are shown. For the available choices, see
533 journalctl(1). Defaults to "short".
534 --verify=
536 When downloading a container or VM image, specify whether the image
537 shall be verified before it is made available. Takes one of "no",
538 "checksum" and "signature". If "no", no verification is done. If
539 "checksum" is specified, the download is checked for integrity
540 after the transfer is complete, but no signatures are verified. If
541 "signature" is specified, the checksum is verified and the image's
542 signature is checked against a local keyring of trustable vendors.
543 It is strongly recommended to set this option to "signature" if the
544 server and protocol support this. Defaults to "signature".
545 --now
547 When used with enable or disable, the containers will also be
548 started or powered off. The start or poweroff operation is only
549 carried out when the respective enable or disable operation has
550 been successful.
551 --force
553 When downloading a container or VM image, and a local copy by the
554 specified local machine name already exists, delete it first and
555 replace it by the newly downloaded image.
556 --format=
558 When used with the export-tar or export-raw commands, specifies the
559 compression format to use for the resulting file. Takes one of
560 "uncompressed", "xz", "gzip", "bzip2". By default, the format is
561 determined automatically from the image file name passed.
562 --max-addresses=
564 When used with the list-machines command, limits the number of IP
565 addresses shown for every machine. Defaults to 1. All addresses can
566 be requested with "all". If the limit is 0, the address column is
567 not shown. Otherwise, if the machine has more addresses than shown,
568 "..." follows the last address.
569 -q, --quiet
571 Suppresses additional informational output while running.
572 -H, --host=
574 Execute the operation remotely. Specify a hostname, or a username
575 and hostname separated by "@", to connect to. The hostname may
576 optionally be suffixed by a port ssh is listening on, separated by
577 ":", and then a container name, separated by "/", which connects
578 directly to a specific container on the specified host. This will
579 use SSH to talk to the remote machine manager instance. Container
580 names may be enumerated with machinectl -H HOST. Put IPv6 addresses
581 in brackets.
582 -M, --machine=
584 Connect to systemd-machined.service(8) running in a local
585 container, to perform the specified operation within the container.
586 --no-pager
588 Do not pipe output into a pager.
589 --no-legend
591 Do not print the legend, i.e. column headers and the footer with
592 hints.
593 --no-ask-password
595 Do not query the user for authentication for privileged operations.
596 -h, --help
598 Print a short help text and exit.
599 --version
601 Print a short version string and exit.
602
604 The machinectl tool operates on machines and images whose names must be
605 chosen following strict rules. Machine names must be suitable for use
606 as hostnames following a conservative subset of DNS and UNIX/Linux
607 semantics. Specifically, they must consist of one or more non-empty
608 label strings, separated by dots. No leading or trailing dots are
609 allowed. No sequences of multiple dots are allowed. The label strings
610 may only consist of alphanumeric characters as well as the dash and
611 underscore. The maximum length of a machine name is 64 characters.
612 A special machine with the name ".host" refers to the running host
614 system itself. This is useful for execution operations or inspecting
615 the host system as well. Note that machinectl list will not show this
616 special machine unless the --all switch is specified.
617 Requirements on image names are less strict, however, they must be
619 valid UTF-8, must be suitable as file names (hence not be the single or
620 double dot, and not include a slash), and may not contain control
621 characters. Since many operations search for an image by the name of a
622 requested machine, it is recommended to name images in the same strict
623 fashion as machines.
624 A special image with the name ".host" refers to the image of the
626 running host system. It hence conceptually maps to the special ".host"
627 machine name described above. Note that machinectl list-images will not
628 show this special image either, unless --all is specified.
629
631 Machine images are preferably stored in /var/lib/machines/, but are
632 also searched for in /usr/local/lib/machines/ and /usr/lib/machines/.
633 For compatibility reasons, the directory /var/lib/container/ is
634 searched, too. Note that images stored below /usr/ are always
635 considered read-only. It is possible to symlink machines images from
636 other directories into /var/lib/machines/ to make them available for
637 control with machinectl.
638 Note that some image operations are only supported, efficient or atomic
640 on btrfs file systems.
641 Disk images are understood by systemd-nspawn(1) and machinectl in three
643 formats:
644 • A simple directory tree, containing the files and directories of
646 the container to boot.
647 • Subvolumes (on btrfs file systems), which are similar to the simple
649 directories, described above. However, they have additional
650 benefits, such as efficient cloning and quota reporting.
651 • "Raw" disk images, i.e. binary images of disks with a GPT or MBR
653 partition table. Images of this type are regular files with the
654 suffix ".raw".
655 See systemd-nspawn(1) for more information on image formats, in
657 particular its --directory= and --image= options.
658
660 Example 1. Download a Ubuntu image and open a shell in it
661 # machinectl pull-tar https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-root.tar.gz
663 # systemd-nspawn -M trusty-server-cloudimg-amd64-root
664 This downloads and verifies the specified .tar image, and then uses
666 systemd-nspawn(1) to open a shell in it.
667 Example 2. Download a Fedora image, set a root password in it, start it
669 as a service
670 # machinectl pull-raw --verify=no \
672 https://download.fedoraproject.org/pub/fedora/linux/releases/37/Cloud/x86_64/images/Fedora-Cloud-Base-37-1.7.x86_64.raw.xz \
673 Fedora-Cloud-Base-37-1.7.x86-64
674 # systemd-nspawn -M Fedora-Cloud-Base-37-1.7.x86-64
675 # passwd
676 # exit
677 # machinectl start Fedora-Cloud-Base-37-1.7.x86-64
678 # machinectl login Fedora-Cloud-Base-37-1.7.x86-64
679 This downloads the specified .raw image with verification disabled.
681 Then, a shell is opened in it and a root password is set. Afterwards
682 the shell is left, and the machine started as system service. With the
683 last command a login prompt into the container is requested.
684 Example 3. Exports a container image as tar file
686 # machinectl export-tar fedora myfedora.tar.xz
688 Exports the container "fedora" as an xz-compressed tar file
690 myfedora.tar.xz into the current directory.
691 Example 4. Create a new shell session
693 # machinectl shell --uid=lennart
695 This creates a new shell session on the local host for the user ID
697 "lennart", in a su(1)-like fashion.
698
700 On success, 0 is returned, a non-zero failure code otherwise.
701
703 $SYSTEMD_LOG_LEVEL
704 The maximum log level of emitted messages (messages with a higher
705 log level, i.e. less important ones, will be suppressed). Either
706 one of (in order of decreasing importance) emerg, alert, crit, err,
707 warning, notice, info, debug, or an integer in the range 0...7. See
708 syslog(3) for more information.
709 $SYSTEMD_LOG_COLOR
711 A boolean. If true, messages written to the tty will be colored
712 according to priority.
713 This setting is only useful when messages are written directly to
715 the terminal, because journalctl(1) and other tools that display
716 logs will color messages based on the log level on their own.
717 $SYSTEMD_LOG_TIME
719 A boolean. If true, console log messages will be prefixed with a
720 timestamp.
721 This setting is only useful when messages are written directly to
723 the terminal or a file, because journalctl(1) and other tools that
724 display logs will attach timestamps based on the entry metadata on
725 their own.
726 $SYSTEMD_LOG_LOCATION
728 A boolean. If true, messages will be prefixed with a filename and
729 line number in the source code where the message originates.
730 Note that the log location is often attached as metadata to journal
732 entries anyway. Including it directly in the message text can
733 nevertheless be convenient when debugging programs.
734 $SYSTEMD_LOG_TID
736 A boolean. If true, messages will be prefixed with the current
737 numerical thread ID (TID).
738 Note that the this information is attached as metadata to journal
740 entries anyway. Including it directly in the message text can
741 nevertheless be convenient when debugging programs.
742 $SYSTEMD_LOG_TARGET
744 The destination for log messages. One of console (log to the
745 attached tty), console-prefixed (log to the attached tty but with
746 prefixes encoding the log level and "facility", see syslog(3), kmsg
747 (log to the kernel circular log buffer), journal (log to the
748 journal), journal-or-kmsg (log to the journal if available, and to
749 kmsg otherwise), auto (determine the appropriate log target
750 automatically, the default), null (disable log output).
751 $SYSTEMD_LOG_RATELIMIT_KMSG
753 Whether to ratelimit kmsg or not. Takes a boolean. Defaults to
754 "true". If disabled, systemd will not ratelimit messages written to
755 kmsg.
756 $SYSTEMD_PAGER
758 Pager to use when --no-pager is not given; overrides $PAGER. If
759 neither $SYSTEMD_PAGER nor $PAGER are set, a set of well-known
760 pager implementations are tried in turn, including less(1) and
761 more(1), until one is found. If no pager implementation is
762 discovered no pager is invoked. Setting this environment variable
763 to an empty string or the value "cat" is equivalent to passing
764 --no-pager.
765 Note: if $SYSTEMD_PAGERSECURE is not set, $SYSTEMD_PAGER (as well
767 as $PAGER) will be silently ignored.
768 $SYSTEMD_LESS
770 Override the options passed to less (by default "FRSXMK").
771 Users might want to change two options in particular:
773 K
775 This option instructs the pager to exit immediately when Ctrl+C
776 is pressed. To allow less to handle Ctrl+C itself to switch
777 back to the pager command prompt, unset this option.
778 If the value of $SYSTEMD_LESS does not include "K", and the
780 pager that is invoked is less, Ctrl+C will be ignored by the
781 executable, and needs to be handled by the pager.
782 X
784 This option instructs the pager to not send termcap
785 initialization and deinitialization strings to the terminal. It
786 is set by default to allow command output to remain visible in
787 the terminal even after the pager exits. Nevertheless, this
788 prevents some pager functionality from working, in particular
789 paged output cannot be scrolled with the mouse.
790 See less(1) for more discussion.
792 $SYSTEMD_LESSCHARSET
794 Override the charset passed to less (by default "utf-8", if the
795 invoking terminal is determined to be UTF-8 compatible).
796 $SYSTEMD_PAGERSECURE
798 Takes a boolean argument. When true, the "secure" mode of the pager
799 is enabled; if false, disabled. If $SYSTEMD_PAGERSECURE is not set
800 at all, secure mode is enabled if the effective UID is not the same
801 as the owner of the login session, see geteuid(2) and
802 sd_pid_get_owner_uid(3). In secure mode, LESSSECURE=1 will be set
803 when invoking the pager, and the pager shall disable commands that
804 open or create new files or start new subprocesses. When
805 $SYSTEMD_PAGERSECURE is not set at all, pagers which are not known
806 to implement secure mode will not be used. (Currently only less(1)
807 implements secure mode.)
808 Note: when commands are invoked with elevated privileges, for
810 example under sudo(8) or pkexec(1), care must be taken to ensure
811 that unintended interactive features are not enabled. "Secure" mode
812 for the pager may be enabled automatically as describe above.
813 Setting SYSTEMD_PAGERSECURE=0 or not removing it from the inherited
814 environment allows the user to invoke arbitrary commands. Note that
815 if the $SYSTEMD_PAGER or $PAGER variables are to be honoured,
816 $SYSTEMD_PAGERSECURE must be set too. It might be reasonable to
817 completely disable the pager using --no-pager instead.
818 $SYSTEMD_COLORS
820 Takes a boolean argument. When true, systemd and related utilities
821 will use colors in their output, otherwise the output will be
822 monochrome. Additionally, the variable can take one of the
823 following special values: "16", "256" to restrict the use of colors
824 to the base 16 or 256 ANSI colors, respectively. This can be
825 specified to override the automatic decision based on $TERM and
826 what the console is connected to.
827 $SYSTEMD_URLIFY
829 The value must be a boolean. Controls whether clickable links
830 should be generated in the output for terminal emulators supporting
831 this. This can be specified to override the decision that systemd
832 makes based on $TERM and other conditions.
833
835 systemd(1), systemd-machined.service(8), systemd-nspawn(1),
836 systemd.special(7), tar(1), xz(1), gzip(1), bzip2(1)
837systemd 254 MACHINECTL(1)