systemd-nspawn
Related articles
systemd-nspawn is like the chroot command, but it is a chroot on steroids.
systemd-nspawn may be used to run a command or OS in a light-weight namespace container. It is more powerful than chroot since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.
systemd-nspawn limits access to various kernel interfaces in the container to read-only, such as /sys
, /proc/sys
or /sys/fs/selinux
. Network interfaces and the system clock may not be changed from within the container. Device nodes may not be created. The host system cannot be rebooted and kernel modules may not be loaded from within the container.
This mechanism differs from Lxc-systemd or Libvirt-lxc, as it is a much simpler tool to configure.
Installation
systemd-nspawn is part of and packaged with systemd.
Examples
Create and boot a minimal Arch Linux distribution in a container
First install arch-install-scripts.
Next, create a directory to hold the container. In this example we will use ~/MyContainer
.
Next, we use pacstrap to install a basic arch-system into the container. At minimum we need to install the base group.
# pacstrap -i -c -d ~/MyContainer base [additional pkgs/groups]
Once your installation is finished, boot into the container:
# systemd-nspawn -b -D ~/MyContainer -n
The -b
option will boot the container (i.e. run systemd
as PID=1), instead of just running a shell. -D
specifies the directory that becomes the container's root directory and -n
will set up a private network between host and container.
After the container starts, log in as "root" with no password.
The container can be powered off by running poweroff
from within the container. From the host, containers can be controlled by the machinectl tool.
Enable Container on boot
If you want to use a container frequently, you can have systemd start it on boot.
# mv ~/MyContainer /var/lib/machines/MyContainer # systemctl enable systemd-nspawn@MyContainer.service # systemctl start systemd-nspawn@MyContainer.service
Building and Testing packages
Management
machinectl
Managing your containers is essentially done with the machinectl
command. See machinectl(1)
for more detail then listed here.
Examples:
- Spawn a new shell inside a running container:
$ machinectl login MyContainer
- Show detailed information about a container:
$ machinectl status MyContainer
- Reboot a container:
$ machinectl reboot MyContainer
- Poweroff a container:
$ machinectl poweroff MyContainer
systemd toolchain
Much of the core systemd toolchain has been updated to work with containers. Tools that do usually provide a -M, --machine=
option which will take a container name as argument.
Examples:
- See journal logs for a particular machine:
$ journalctl -M MyContainer
- Show control group contents:
$ systemd-cgls -M MyContainer
- See startup time of container:
$ systemd-analyze -M MyContainer
Tips
X environment
See Xhost and Change root#Run graphical applications from chroot.
You will need to set the DISPLAY
environment variable inside your container session to connect to the external X server.
Networking
The examples above will give the container a workable local network, with no extra configuration needed. It does not allow containers to access the internet.
You can describe more complex networks using systemd-networkd. See systemd-networkd#Usage with containers for examples.
nsswitch.conf
To make it easier to connect to a container from the host, you can enable local DNS resolution for container names. In /etc/nsswitch.conf
, add mymachines
to the hosts:
section, e.g.
hosts: files mymachines dns myhostname
Then, any DNS lookup for hostname foo
on the host will first consult /etc/hosts
, then the names of local containers, then upstream DNS etc.
Running on a non-systemd system
See Init#systemd-nspawn.
Troubleshooting
root login fails
If you get the following when you try to login:
arch-nspawn login: root Login incorrect
And journalctl shows:
pam_securetty(login:auth): access denied: tty 'pts/0' is not secureĀ !
add pts/0
to the list of terminal names in /etc/securetty
on the container filesystem. See [1].