Difference between revisions of "Systemd-nspawn"

From ArchWiki
Revision as of 10:22, 17 March 2014


systemd-nspawn is like the chroot command, but it is a chroot on steroids.

systemd-nspawn may be used to run a command or OS in a light-weight namespace container. It is more powerful than chroot since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name. systemd-nspawn limits access to various kernel interfaces in the container to read-only, such as /sys, /proc/sys or /sys/fs/selinux. Network interfaces and the system clock may not be changed from within the container. Device nodes may not be created. The host system cannot be rebooted and kernel modules may not be loaded from within the container. This mechanism differs from Lxc-systemd or Libvirt-lxc in that it is a much simpler tool to configure.


Installation

Before you start installing the container, please take note of the following necessities:

  • You need to build a custom kernel (see Kernel#Compilation), as the Arch Linux kernel does not enable user namespaces by default. The option is under General setup ---> Namespaces support --->.

Once your kernel is built, you can verify the feature is enabled by running this command:

$ zgrep USER_NS /proc/config.gz
CONFIG_USER_NS=y
  • You need to add "audit=0" to the kernel parameters, as compatibility with the kernel auditing subsystem is currently broken.
  • You need to run systemd >= 209. As systemd-nspawn is still under heavy development, it is best to run the most recent version.

Installation with pacstrap

You need to install the package arch-install-scripts from the official repositories. Then, create a directory wherever you want, for example $ mkdir ~/MyContainer.

The next command will install all packages from the base group. It is strongly recommended to install packages from the base-devel group too.

pacstrap -i -c -d ~/MyContainer base
Tip: the -i option avoids auto-confirmation of package selections. As you do not need the Linux kernel inside the container, remove it from the package selection.

Once your installation is finished, boot the container:

systemd-nspawn -bD ~/MyContainer

And that's it! Log in as "root" with no password.

Installation with the Arch Linux ISO

Depending on your host machine filesystem setup, pacstrap can leave you with a broken filesystem with a lot of missing libraries. Thus, the safest way to install your container is to boot from the Arch ISO and follow the Installation guide. Unless you plan to mount external devices at boot, you do not need to edit fstab. Do not install a boot loader or the kernel (see the Tip above).

Usage

Boot your container at your machine startup

If you use your container frequently, an easy way is to boot it when your machine starts (see Init). Then you will be able to log in using the machinectl mechanism.

First, you need to register your container on the host. To do this, you can either move it with # mv /path/to/MyContainer /var/lib/container/MyContainer OR just create a directory symlink:

$ cd /var/lib/container
# ln -s /path/to/MyContainer MyContainer

Then, you will enable and start the systemd-nspawn@MyContainer.service. To be sure your container is now registered, run the following command:

$ machinectl list
MACHINE                          CONTAINER SERVICE         
MyContainer                      container nspawn          

1 machines listed.
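As an added example (not part of the article), the following POSIX sh script turns the prerequisites listed under Installation (CONFIG_USER_NS, audit=0, systemd >= 209) and the machinectl list check above into reusable functions that can be run against captured text or, with the --live flag, against the host; the script name, the --live flag and the report helper are my own choices.

```shell
#!/bin/sh
# Added example, not from the ArchWiki article: pre-flight checks for a
# systemd-nspawn host. Each check_* function takes its input text as an
# argument so it can be exercised on captured output; nspawn_preflight
# gathers the live values from the host and reports each prerequisite.

# Kernel config must contain exactly the line CONFIG_USER_NS=y
# ("# CONFIG_USER_NS is not set" must not match).
check_user_ns() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_USER_NS=y'
}

# Kernel command line must contain audit=0 as a separate parameter
# (padding with spaces avoids matching e.g. audit=01).
check_audit_off() {
    printf ' %s \n' "$1" | grep -q ' audit=0 '
}

# First line of "systemctl --version" is "systemd NNN"; NNN must be >= 209.
check_systemd_version() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] && [ "$ver" -ge 209 ]
}

# "machinectl list" output must contain a row "NAME container nspawn".
check_registered() {
    printf '%s\n' "$2" | awk -v n="$1" \
        '$1 == n && $2 == "container" && $3 == "nspawn" { found = 1 } END { exit !found }'
}

# Live run: read the host's values and print ok/FAIL per check.
nspawn_preflight() {
    name=$1; rc=0
    report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    report check_user_ns "$(zcat /proc/config.gz 2>/dev/null)"
    report check_audit_off "$(cat /proc/cmdline)"
    report check_systemd_version "$(systemctl --version)"
    report check_registered "$name" "$(machinectl list 2>/dev/null)"
    return "$rc"
}

# Usage: sh nspawn_preflight.sh --live MyContainer
if [ "${1:-}" = "--live" ]; then
    nspawn_preflight "${2:-MyContainer}"
fi
```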

See Xhost if you ever need to run X applications under the new container.

Once you are done with the container, just shut it down with systemctl stop machine-subarch.scope (replace "subarch" with the name of your container).

Warning: "poweroff" within the container should also work, although it actually powers off the physical server.

Links & references