Difference between revisions of "Systemd-nspawn"

From ArchWiki
m (machinectl: fix type on poweroff a container command)
m (avoid contractions to comply with Help:Style#Language_register)
Line 34: Line 34:
 
  # pacstrap -i -c -d ~/MyContainer base [additional pkgs/groups]
 
  # pacstrap -i -c -d ~/MyContainer base [additional pkgs/groups]
  
{{Tip| the '''-i''' option will '''avoid''' auto-confirmation of package selection. As you don't need to install the Linux kernel in the container, you can remove it from the package list selection to save space. See [[Pacman#Usage]].}}
+
{{Tip| the '''-i''' option will '''avoid''' auto-confirmation of package selection. As you do not need to install the Linux kernel in the container, you can remove it from the package list selection to save space. See [[Pacman#Usage]].}}
  
 
Once your installation is finished, boot into the container:
 
Once your installation is finished, boot into the container:
Line 40: Line 40:
 
  # systemd-nspawn -bD ~/MyContainer
 
  # systemd-nspawn -bD ~/MyContainer
  
And that's it! Log in as "root" with no password.
+
And that is it! Log in as "root" with no password.
  
 
To terminate your session hold {{ic|Ctrl}} and press {{ic|]}} three times. The container will still be running, only your session is terminated.
 
To terminate your session hold {{ic|Ctrl}} and press {{ic|]}} three times. The container will still be running, only your session is terminated.

Revision as of 09:15, 28 April 2015

systemd-nspawn is like the chroot command, but it is a chroot on steroids.

systemd-nspawn may be used to run a command or OS in a light-weight namespace container. It is more powerful than chroot since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.

systemd-nspawn limits access to various kernel interfaces in the container to read-only, such as /sys, /proc/sys or /sys/fs/selinux. Network interfaces and the system clock may not be changed from within the container. Device nodes may not be created. The host system cannot be rebooted and kernel modules may not be loaded from within the container.

This mechanism differs from Lxc-systemd or Libvirt-lxc, as it is a much simpler tool to configure.

Installation

systemd-nspawn is part of and packaged with systemd.

Examples

Create and boot a minimal Arch Linux distribution in a container

First install arch-install-scripts.

Next, create a directory to hold the container. In this example we will use ~/MyContainer.

Next, we use pacstrap to install a basic Arch system into the container. At minimum we need to install the base group.

# pacstrap -i -c -d ~/MyContainer base [additional pkgs/groups]

Tip: the -i option will avoid auto-confirmation of package selection. As you do not need to install the Linux kernel in the container, you can remove it from the package list selection to save space. See Pacman#Usage.

Once your installation is finished, boot into the container:

# systemd-nspawn -bD ~/MyContainer

And that is it! Log in as "root" with no password.

To terminate your session hold Ctrl and press ] three times. The container will still be running, only your session is terminated.
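As an added example (not part of the ArchWiki page, and not a script shipped by arch-install-scripts or systemd), here is the procedure above wrapped in a POSIX shell script that checks the target directory before anything is installed. The function names are my own; the script assumes pacstrap and systemd-nspawn are installed on the host when it is invoked with --run, while the checks themselves run anywhere.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: the pacstrap + systemd-nspawn
# steps with a sanity check on the container root. Assumes pacstrap
# (arch-install-scripts) and systemd-nspawn are installed when run with --run.

# container_dir_ok DIR: succeed only if DIR is an acceptable container root.
# systemd-nspawn -b runs as root on the host, so a root directory that other
# users can write to lets them plant files that later execute as root.
container_dir_ok() {
    dir=$1
    case $dir in
        /)  echo "refusing to use / as a container root" >&2; return 1 ;;
        /*) ;;
        *)  echo "container root must be an absolute path: $dir" >&2; return 1 ;;
    esac
    [ -e "$dir" ] || return 0          # pacstrap will create it
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    # POSIX ls -ld mode string: column 6 is the group write bit, column 9
    # the other write bit.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case $mode in
        ?????w*|????????w*)
            echo "$dir is writable by group or others ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# pacstrap_cmd DIR [PKG...]: the pacstrap command line from the page, with
# any additional packages or groups appended after base.
pacstrap_cmd() {
    dir=$1; shift
    if [ $# -gt 0 ]; then
        echo "pacstrap -i -c -d $dir base $*"
    else
        echo "pacstrap -i -c -d $dir base"
    fi
}

# boot_cmd DIR: the command that boots the finished container.
boot_cmd() {
    echo "systemd-nspawn -bD $1"
}

# Only act when invoked as: sh make_container.sh --run /path/to/root [pkgs...]
if [ "${1:-}" = "--run" ]; then
    shift
    root=$1; shift
    container_dir_ok "$root" || exit 1
    pacstrap -i -c -d "$root" base "$@" || exit 1
    exec systemd-nspawn -bD "$root"
fi
```

Run it as root with `sh make_container.sh --run /var/lib/container/MyContainer`; without `--run` it only defines the functions, which is how the checks can be exercised on any machine.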

Enable Container on boot

If you want to use a container frequently, you can have systemd start it on boot.

# mv ~/MyContainer /var/lib/container/MyContainer
# systemctl enable systemd-nspawn@MyContainer.service
# systemctl start systemd-nspawn@MyContainer.service
Note: systemd-nspawn@.service is a template unit that expects nspawn containers to be under /var/lib/container.

Tip:
  • Instead of moving your container, as above, you can just symlink it to where it is expected to be:
    # ln -s ~/MyContainer /var/lib/container/MyContainer
  • The template systemd-nspawn@.service contains:
    ExecStart = /usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --directory=/var/lib/container/%i

To customize the startup of a container, add .conf files (see systemd.unit(1)) under systemd-nspawn@MyContainer.service.d, or write your own service file.

See systemd-nspawn(1) for all options.
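As an added example (not from the ArchWiki page and not part of systemd), the following POSIX shell function writes such a drop-in for one container instance, repeating the template's ExecStart line with extra systemd-nspawn options appended. ROOT is the filesystem to write under (/ on the real host, a scratch directory for trying it out), the function names are my own, and the default extra option --private-network is assumed to be a valid systemd-nspawn(1) flag.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: generate a drop-in for
# systemd-nspawn@NAME.service under ROOT/etc/systemd/system. Extra options
# are appended to the template's ExecStart; --private-network is assumed to
# be a valid systemd-nspawn(1) option and is used when none are given.

# nspawn_dropin_path ROOT NAME: where the drop-in file lands.
nspawn_dropin_path() {
    echo "$1/etc/systemd/system/systemd-nspawn@$2.service.d/override.conf"
}

# write_nspawn_dropin ROOT NAME [OPTION...]
# The empty "ExecStart=" line is essential: it clears the template's command.
# Without it the unit would carry two ExecStart lines, which systemd rejects
# for anything but Type=oneshot services.
write_nspawn_dropin() {
    root=$1; name=$2; shift 2
    case $name in
        ''|*/*|*..*) echo "bad container name: $name" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || set -- --private-network
    file=$(nspawn_dropin_path "$root" "$name")
    mkdir -p "$(dirname "$file")" || return 1
    {
        echo '[Service]'
        echo 'ExecStart='
        # %i is passed as an argument, not a printf format, so it stays literal
        printf '%s' 'ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest --directory=/var/lib/container/%i'
        printf ' %s' "$@"
        echo
    } > "$file"
    echo "$file"
}
```

On a live host, after `write_nspawn_dropin / MyContainer --private-network`, run `systemctl daemon-reload` and restart systemd-nspawn@MyContainer.service so the new command line takes effect.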

Building and Testing packages

This article or section needs expansion.

Reason: Please share how systemd-nspawn fits into your build environment.

Management

machinectl

Managing your containers is essentially done with the machinectl command. See machinectl(1) for more detail than listed here.

Examples:

  • Spawn a new shell inside a running container:
    machinectl login MyContainer
  • Show detailed information about a container:
    machinectl status MyContainer
  • Reboot a container:
    machinectl reboot MyContainer
  • Poweroff a container:
    machinectl poweroff MyContainer

Tip: shutdown and reboot operations can be performed from within a container session using the systemd reboot and shutdown commands.

systemd toolchain

Much of the core systemd toolchain has been updated to work with containers. Tools that support this usually provide a -M, --machine= option that takes a container name as its argument.

Examples:

  • See journal logs for a particular machine:
    $ journalctl -M MyContainer
  • Show control group contents:
    $ systemd-cgls -M MyContainer
  • See startup time of container:
    $ systemd-analyze -M MyContainer

Tips

X environment

See Xhost and Change root#Run_graphical_applications_from_chroot.

You will need to set the DISPLAY environment variable inside your container session to connect to the external X server.

Networking

The examples above will give the container a workable network, with no extra configuration needed.

You can describe more complex networks using systemd-networkd.

Examples

This article or section needs expansion.

Reason: This section needs some good example network setups.

Running on a non-systemd system

See Init#systemd-nspawn.

Troubleshooting

root login fails

If you get the following when you try to log in:

arch-nspawn login: root
Login incorrect

And journalctl shows:

pam_securetty(login:auth): access denied: tty 'pts/0' is not secure !

remove /etc/securetty from the container filesystem. See [1].
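As an added example (not from the ArchWiki page), the following POSIX shell functions recognise the pam_securetty denial quoted above in a journal extract and apply the fix to a container root, refusing to touch the host's own /etc/securetty since that file is what limits root logins on the host to listed ttys. The function names and the sample journal lines are my own constructions; ROOT is the container's root directory.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: detect the pam_securetty denial
# in a journal extract and remove /etc/securetty from a container root only.

# securetty_denied LOGFILE: succeed if LOGFILE contains the pam_securetty
# "access denied" message, printing the tty it names (e.g. pts/0).
securetty_denied() {
    sed -n "s/.*pam_securetty(login:auth): access denied: tty '\([^']*\)' is not secure.*/\1/p" "$1" | grep .
}

# fix_securetty ROOT: remove ROOT/etc/securetty, as the page suggests.
# Refuses an empty or "/" ROOT so the host's restriction is never lifted,
# and requires ROOT/etc to exist so a typo does not create nothing and
# report success.
fix_securetty() {
    root=${1%/}
    if [ -z "$root" ]; then
        echo "refusing to modify the host's /etc/securetty" >&2
        return 1
    fi
    if [ ! -d "$root/etc" ]; then
        echo "$root does not look like a container root (no etc/)" >&2
        return 1
    fi
    if [ ! -e "$root/etc/securetty" ]; then
        echo "$root/etc/securetty already absent" >&2
        return 0
    fi
    rm -f "$root/etc/securetty"
}

# Usage: sh fix_securetty.sh /var/lib/container/MyContainer
case ${1:-} in
    /*|./*) fix_securetty "$1" ;;
esac
```

The container must be stopped or rebooted (machinectl reboot MyContainer) for login to pick up the change on its next attempt; a journal extract for the check can be taken with journalctl -M MyContainer.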

See also