systemd-nspawn

systemd-nspawn is like the chroot command, but it is a chroot on steroids.

systemd-nspawn may be used to run a command or OS in a light-weight namespace container. It is more powerful than chroot since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.

systemd-nspawn limits access to various kernel interfaces in the container to read-only, such as /sys, /proc/sys or /sys/fs/selinux. Network interfaces and the system clock may not be changed from within the container. Device nodes may not be created. The host system cannot be rebooted and kernel modules may not be loaded from within the container.

This mechanism differs from Lxc-systemd or Libvirt-lxc, as it is a much simpler tool to configure.

Installation

systemd-nspawn is part of and packaged with systemd.

Examples

Create and boot a minimal Arch Linux distribution in a container

First install arch-install-scripts.

Next, create a directory to hold the container. In this example we will use ~/MyContainer.

Next, we use pacstrap to install a basic arch-system into the container. At minimum we need to install the base group.

# pacstrap -i -c -d ~/MyContainer base [additional pkgs/groups]
Tip: The -i option will avoid auto-confirmation of package selection. As you do not need to install the Linux kernel in the container, you can remove it from the package list selection to save space. See Pacman#Usage.

Once your installation is finished, boot into the container:

# systemd-nspawn -b -D ~/MyContainer -n

The -b option will boot the container (i.e. run systemd as PID=1), instead of just running a shell. -D specifies the directory that becomes the container's root directory and -n will set up a private network between host and container.

After the container starts, log in as "root" with no password.

The container can be powered off by running poweroff from within the container. From the host, containers can be controlled by the machinectl tool.

Note: To terminate the container from within the container, hold Ctrl and rapidly press ] three times.

Enable Container on boot

If you want to use a container frequently, you can have systemd start it on boot.

# mv ~/MyContainer /var/lib/machines/MyContainer
# systemctl enable systemd-nspawn@MyContainer.service
# systemctl start systemd-nspawn@MyContainer.service
Note: systemd-nspawn@.service is a template unit that expects nspawn containers to be under /var/lib/machines.
Tip:
  • Instead of moving your container, as above, you can just symlink it to where it is expected to be,
# ln -s ~/MyContainer /var/lib/machines/MyContainer
  • To customize the startup of a container, edit the systemd-nspawn@MyContainer unit instance. See systemd-nspawn(1) for all options.

Building and Testing packages

Tango-view-fullscreen.png

Tango-view-fullscreen.png

This article or section needs expansion.

Reason: Please share how systemd-nspawn fits into your build environment (Discuss in Talk:Systemd-nspawn#)

Management

machinectl

Managing your containers is essentially done with the machinectl command. See machinectl(1) for more detail then listed here.

Examples:

  • Spawn a new shell inside a running container:
    $ machinectl login MyContainer
  • Show detailed information about a container:
    $ machinectl status MyContainer
  • Reboot a container:
    $ machinectl reboot MyContainer
  • Poweroff a container:
    $ machinectl poweroff MyContainer
Tip: Poweroff and reboot operations can be performed from within a container session using the systemctl poweroff or reboot commands.

systemd toolchain

Much of the core systemd toolchain has been updated to work with containers. Tools that do usually provide a -M, --machine= option which will take a container name as argument.

Examples:

  • See journal logs for a particular machine:
     $ journalctl -M MyContainer
  • Show control group contents:
    $ systemd-cgls -M MyContainer
  • See startup time of container:
    $ systemd-analyze -M MyContainer

Tips

X environment

See Xhost and Change root#Run graphical applications from chroot.

You will need to set the DISPLAY environment variable inside your container session to connect to the external X server.

Networking

The examples above will give the container a workable local network, with no extra configuration needed. It does not allow containers to access the internet.

You can describe more complex networks using systemd-networkd. See systemd-networkd#Usage with containers for examples.

nsswitch.conf

To make it easier to connect to a container from the host, you can enable local DNS resolution for container names. In /etc/nsswitch.conf, add mymachines to the hosts: section, e.g.

hosts: files mymachines dns myhostname

Then, any DNS lookup for hostname foo on the host will first consult /etc/hosts, then the names of local containers, then upstream DNS etc.

Running on a non-systemd system

See Init#systemd-nspawn.

Troubleshooting

root login fails

If you get the following when you try to login:

arch-nspawn login: root
Login incorrect

And journalctl shows:

pam_securetty(login:auth): access denied: tty 'pts/0' is not secureĀ !

add pts/0 to the list of terminal names in /etc/securetty on the container filesystem. See [1].

See also