Difference between revisions of "Systemd-nspawn"

From ArchWiki
Revision as of 07:56, 17 March 2014

Systemd-nspawn

systemd-nspawn is like the chroot command, but it is a chroot on steroids.

systemd-nspawn may be used to run a command or OS in a light-weight namespace container. It is more powerful than chroot since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.

systemd-nspawn limits access to various kernel interfaces in the container to read-only, such as /sys, /proc/sys or /sys/fs/selinux. Network interfaces and the system clock may not be changed from within the container. Device nodes may not be created. The host system cannot be rebooted and kernel modules may not be loaded from within the container.

This mechanism differs from Lxc-systemd or Libvirt-lxc, as it is a much simpler tool to configure.


Installation

Before you start installing the container, please take note of the following necessities:

  • You need to build a custom kernel (see Kernel#Compilation), as the Arch Linux kernel does not enable user namespaces by default. The option is under General setup ---> Namespaces support --->.

Once your kernel is built, you can verify that the feature is enabled by running this command:

$ zgrep USER_NS /proc/config.gz
CONFIG_USER_NS = y
  • You need to add "audit=0" to the kernel parameters, as compatibility with the kernel auditing subsystem is currently broken.
  • You need to run systemd >= 209. As systemd-nspawn is still under heavy development, it is best to run the most recent version.
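A pre-flight script that checks these three prerequisites on the host before the container is created, as an added example (it is not from the ArchWiki page or from systemd). The check functions take the text of /proc/config.gz, /proc/cmdline and the output of systemctl --version as arguments, so they can be exercised offline on constructed input; preflight() feeds them the live values. The file paths and the 209 threshold are the ones stated above; the script name nspawn-preflight.sh is assumed.

```shell
#!/bin/sh
# Pre-flight check for the three prerequisites above: CONFIG_USER_NS=y,
# audit=0 on the kernel command line, and systemd >= 209.
# Added example; not from the ArchWiki page or from systemd.
# The check functions take the relevant text as an argument so they can be
# tested offline; preflight() feeds them the live values from the host.

# 0 if the kernel config text (contents of /proc/config.gz) sets CONFIG_USER_NS=y.
# Spaces around '=' are tolerated, matching the page's rendering of the output.
user_ns_enabled() {
    if printf '%s\n' "$1" | grep -q '^CONFIG_USER_NS *= *y$'; then
        return 0
    fi
    return 1
}

# 0 if the kernel command line (contents of /proc/cmdline) contains audit=0.
# Matched word by word so that e.g. "noaudit=0" or "audit=0x" is not accepted.
audit_disabled() {
    for word in $1; do
        if [ "$word" = "audit=0" ]; then
            return 0
        fi
    done
    return 1
}

# 0 if the first line of `systemctl --version` output reports systemd >= 209.
systemd_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*$/\1/p')
    if [ -n "$ver" ] && [ "$ver" -ge 209 ]; then
        return 0
    fi
    return 1
}

# Runs all three checks against the live host; returns non-zero if any fails.
preflight() {
    status=0
    if user_ns_enabled "$(zcat /proc/config.gz 2>/dev/null)"; then
        echo "ok:   kernel built with CONFIG_USER_NS=y"
    else
        echo "FAIL: CONFIG_USER_NS not set; rebuild the kernel (Kernel#Compilation)"
        status=1
    fi
    if audit_disabled "$(cat /proc/cmdline 2>/dev/null)"; then
        echo "ok:   audit=0 present on the kernel command line"
    else
        echo "FAIL: add audit=0 to the kernel parameters and reboot"
        status=1
    fi
    if systemd_version_ok "$(systemctl --version 2>/dev/null)"; then
        echo "ok:   systemd >= 209"
    else
        echo "FAIL: systemd >= 209 is required"
        status=1
    fi
    return $status
}

# Only touch the host when invoked as: sh nspawn-preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run sh nspawn-preflight.sh --run on the host before the pacstrap step; a non-zero exit status means at least one prerequisite is missing, and each FAIL line names the bullet above that still has to be addressed.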


pacman -S arch-install-scripts
mkdir /srv/subarch
pacstrap -c -d /srv/subarch base
systemd-nspawn -bD /srv/subarch

For more details, see the systemd-nspawn man page.

And that's it! Log in as "root" with no password.

See Xhost if you ever need to run X applications under the new container.

You can remove the kernel to save space within the container. DO NOT RUN THIS ON THE HOST!

pacman -Rsn linux

Once you're done with the container, just shut it down with systemctl stop machine-subarch.scope (replace "subarch" with the name of your container).

Warning: "poweroff" within the container should also work, although it actually powers off the physical server.

See also