systemd-nspawn
systemd-nspawn is like the chroot command, but it is a chroot on steroids.
systemd-nspawn may be used to run a command or OS in a light-weight namespace container. It is more powerful than chroot since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.
systemd-nspawn limits access to various kernel interfaces in the container to read-only, such as /sys, /proc/sys or /sys/fs/selinux. Network interfaces and the system clock may not be changed from within the container. Device nodes may not be created. The host system cannot be rebooted and kernel modules may not be loaded from within the container. Note that the systemd-nspawn(1) man page itself warns that these restrictions exist to prevent accidental changes to the host from inside the container, not to contain a hostile workload: many of them can be circumvented, so systemd-nspawn on its own is not a security boundary.
This mechanism differs from Lxc-systemd or Libvirt-lxc, as it is a much simpler tool to configure.
Installation
systemd-nspawn is part of and packaged with systemd.
Examples
Create and boot a minimal Arch Linux distribution in a container
First install arch-install-scripts.
Next, create a directory to hold the container. In this example we will use ~/MyContainer.
Next, we use pacstrap to install a basic Arch system into the container. At minimum we need to install the base group.
# pacstrap -i -c -d ~/MyContainer base [additional pkgs/groups]
Once your installation is finished, boot into the container:
# systemd-nspawn -bD ~/MyContainer
And that's it! Log in as "root" with no password (a fresh pacstrap leaves the root password unset; set one with passwd before the container runs anything reachable over the network).
To leave the console, log out of the shell as usual; the container keeps running. To shut the container down cleanly, run poweroff inside it (or machinectl poweroff from the host, see below). To forcibly terminate it, hold Ctrl and press ] three times within a second.
Enable Container on boot
If you want to use a container frequently, you can have systemd start it on boot. The systemd-nspawn@.service template expects the container root under /var/lib/container (newer systemd versions look in /var/lib/machines instead; check systemctl cat systemd-nspawn@.service on your host), so move the container there first:
# mv ~/MyContainer /var/lib/container/MyContainer
# systemctl enable systemd-nspawn@MyContainer.service
# systemctl start systemd-nspawn@MyContainer.service
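The whole procedure above (pacstrap into a directory, boot it once to set it up, then move it under the directory the systemd-nspawn@.service unit expects and enable that unit) as one added shell script. This is an example written for this page, not code from the page or from the systemd project. Assumptions: it runs as root on an Arch host with arch-install-scripts installed; it uses /var/lib/container as the unit's base directory as this page does (newer systemd versions use /var/lib/machines; check systemctl cat systemd-nspawn@.service); it drops pacstrap's -i prompt for unattended use; the helper names check_root_dir, build_container, boot_interactively, register_on_boot and unit_name are its own. The -d flag is the one this page passes to pacstrap; current pacstrap releases no longer need or accept it, so drop it if pacstrap rejects it.

```shell
#!/bin/sh
# Added example (not from the page): build an Arch container with pacstrap,
# boot it once interactively, then register it with systemd-nspawn@.service.
# Assumes: root on Arch, arch-install-scripts installed, and that the unit
# looks for containers in CONTAINER_BASE (/var/lib/container on this page,
# /var/lib/machines on newer systemd).
set -eu

CONTAINER_BASE=${CONTAINER_BASE:-/var/lib/container}

# check_root_dir DIR: succeed only if DIR is an absolute path that is either
# absent or an empty directory, so pacstrap is never aimed at a populated tree
# (such as the host's own root) by a typo.
check_root_dir() {
    case $1 in
        /*) ;;
        *) return 1 ;;
    esac
    if [ -e "$1" ]; then
        [ -d "$1" ] || return 1
        [ -z "$(ls -A "$1")" ] || return 1
    fi
    return 0
}

# unit_name NAME: the template instance systemd starts for container NAME
unit_name() {
    printf 'systemd-nspawn@%s.service\n' "$1"
}

# build_container DIR [extra packages...]: pacstrap the base group into DIR.
# -c uses the host's package cache; -d is the flag this page uses to allow a
# non-mountpoint target and can be dropped on pacstrap versions that reject it.
build_container() {
    dir=$1
    shift
    check_root_dir "$dir" || { echo "refusing to install into $dir" >&2; return 1; }
    mkdir -p "$dir"
    pacstrap -c -d "$dir" base "$@"
}

# boot_interactively DIR: boot on this terminal (set a root password here).
# Leave with poweroff inside the container, or Ctrl+] three times to kill it.
boot_interactively() {
    systemd-nspawn -bD "$1"
}

# register_on_boot NAME DIR: move DIR to CONTAINER_BASE/NAME, then enable and
# start the template unit so systemd boots the container at host boot.
register_on_boot() {
    name=$1
    dir=$2
    target="$CONTAINER_BASE/$name"
    [ "$dir" = "$target" ] || mv "$dir" "$target"
    systemctl enable "$(unit_name "$name")"
    systemctl start "$(unit_name "$name")"
}

# Only act when invoked with --run, so sourcing the file defines the helpers
# without touching the host.
if [ "${1-}" = "--run" ]; then
    build_container /root/MyContainer
    boot_interactively /root/MyContainer
    register_on_boot MyContainer /root/MyContainer
fi
```

Run it as root with --run; without that argument it only defines the functions, which is what makes the empty-directory check testable on its own. The check matters because pacstrap will happily install over an existing tree, and a mistyped target is the most common way to damage the host while building containers.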
Building and Testing packages
Management
machinectl
Managing your containers is essentially done with the machinectl command. See machinectl(1) for more detail than is listed here.
Examples:
- Spawn a new shell inside a running container:
machinectl login MyContainer
- Show detailed information about a container:
machinectl status MyContainer
- Reboot a container:
machinectl reboot MyContainer
- Poweroff a container:
machinectl poweroff MyContainer
systemd toolchain
Much of the core systemd toolchain has been updated to work with containers. Tools that have been usually provide a -M, --machine= option which takes a container name as argument.
Examples:
- See journal logs for a particular machine:
$ journalctl -M MyContainer
- Show control group contents:
$ systemd-cgls -M MyContainer
- See startup time of container:
$ systemd-analyze -M MyContainer
Tips
X environment
See Xhost and Change root#Run_graphical_applications_from_chroot.
You will need to set the DISPLAY environment variable inside your container session to connect to the external X server.
Networking
The examples above give the container a workable network with no extra configuration, because a container started without any --network-* option shares the host's network namespace: it sees the host's interfaces and addresses, and there is no network isolation between the two.
You can describe more complex (and isolated) networks using systemd-networkd.
Examples
Troubleshooting
root login fails
If you get the following when you try to log in:
arch-nspawn login: root
Login incorrect
and journalctl shows:
pam_securetty(login:auth): access denied: tty 'pts/0' is not secure !
the cause is pam_securetty: it only lets root log in on terminals listed in /etc/securetty, and the login inside the container runs on a pseudo-terminal (pts/0) that is not in that list. Either remove /etc/securetty from the container filesystem, which disables the check altogether, or add lines pts/0, pts/1, ... to it, which keeps the restriction for other terminals. See [1].
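The second fix, as an added shell example that is not part of the original page: a function that appends pts/0 .. pts/N entries to a container's /etc/securetty, idempotently, so root can log in through the pseudo-terminal systemd-nspawn allocates while the file keeps restricting every other terminal. The function names, the default of four entries and the constructed demo root directory are assumptions of this example, not anything the page or PAM prescribes.

```shell
#!/bin/sh
# Added example (not from the page): allow root login on the pseudo-terminals
# systemd-nspawn hands out, without deleting /etc/securetty entirely.
# pam_securetty only permits root on ttys listed in that file; the container's
# login runs on pts/N, so we list those instead of dropping the check.
set -eu

# allow_pts_root ROOTDIR [COUNT]
#   ROOTDIR: container root filesystem (e.g. /var/lib/container/MyContainer)
#   COUNT:   number of pts/N entries to add (assumed default 4: pts/0..pts/3)
# Returns 0 on success, 1 if ROOTDIR has no /etc/securetty (nothing to fix).
allow_pts_root() {
    root=$1
    count=${2:-4}
    file="$root/etc/securetty"
    [ -f "$file" ] || return 1
    i=0
    while [ "$i" -lt "$count" ]; do
        entry="pts/$i"
        # idempotent: only append entries that are not already present
        if ! grep -qx "$entry" "$file"; then
            printf '%s\n' "$entry" >> "$file"
        fi
        i=$((i + 1))
    done
    return 0
}

# count_pts_entries ROOTDIR: print how many pts/N lines securetty contains
count_pts_entries() {
    grep -c '^pts/' "$1/etc/securetty" 2>/dev/null || true
}

# Constructed demo rootfs so the script runs without a real container.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
printf 'console\ntty1\n' > "$demo_root/etc/securetty"
allow_pts_root "$demo_root"
allow_pts_root "$demo_root"   # a second run must not duplicate any line
echo "pts entries in demo securetty: $(count_pts_entries "$demo_root")"
rm -rf "$demo_root"
```

Point it at the container root on the host (allow_pts_root /var/lib/container/MyContainer) while the container is stopped. Deleting the file works too, but then pam_securetty stops restricting root on every terminal, which is more than the fix needs.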