mirror of
https://github.com/systemd/systemd.git
man: document the various new options nspawn learnt
parent: bd4b15f274
commit: 3d6c367510
@ -238,6 +238,15 @@
together with <option>--directory=</option>, <option>--template=</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--oci-bundle=</option></term>
<listitem><para>Takes the path to an OCI runtime bundle to invoke, as specified in the <ulink
url="https://github.com/opencontainers/runtime-spec/blob/master/spec.md">OCI Runtime Specification</ulink>. In
this case no <filename>.nspawn</filename> file is loaded, and the root directory and various settings are read
from the OCI runtime JSON data (but data passed on the command line takes precedence).</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--root-hash=</option></term>
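Review bot: the <option>--oci-bundle=</option> paragraph does not say how the option interacts with <option>--directory=</option>, <option>--template=</option> and the other root-selection switches, while the entry directly above it explicitly names what it may be combined with; add a sentence stating whether <option>--oci-bundle=</option> is exclusive with them. "various settings are read from the OCI runtime JSON data" is also too vague for a reference page: name which settings are taken from the bundle (only the root directory is named), and since those settings now come from the bundle rather than from a .nspawn file or the command line, it is worth stating that the bundle directory has to be treated as trusted configuration in the same way a .nspawn file is.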
@ -952,6 +961,16 @@
make them read-only, using <option>--bind-ro=</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--inaccessible=</option></term>
<listitem><para>Make the specified path inaccessible in the container. This over-mounts the specified path
(which must exist in the container) with a file node of the same type that is empty and has the most
restrictive access mode supported. This is an effective way to mask files, directories and other file system
objects from the container payload. This option may be used more than once in case all specified paths are
masked.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--tmpfs=</option></term>
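Review bot: "This option may be used more than once in case all specified paths are masked" in the <option>--inaccessible=</option> entry reads as a condition rather than a consequence; rewrite it as "may be used more than once, in which case all specified paths are masked." The parenthetical "(which must exist in the container)" should also say what happens when the path does not exist, i.e. whether the container start fails or the path is silently skipped: a masking option that silently does nothing on a mistyped path leaves the file visible to the payload, so the failure behaviour is part of the security contract of this switch and belongs in the man page.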
@ -1084,6 +1103,42 @@
same as the one reported on the host.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--console=</option><replaceable>MODE</replaceable></term>
<listitem><para>Configures how to set up standard input, output and error output for the container payload, as
well as the <filename>/dev/console</filename> device for the container. Takes one of
<option>interactive</option>, <option>read-only</option>, <option>passive</option> or <option>pipe</option>. If
<option>interactive</option> a pseudo-TTY is allocated and made available as <filename>/dev/console</filename>
in the container. It is then bi-directionally connected to the standard input and output passed to
<command>systemd-nspawn</command>. <option>read-only</option> is similar but only the output of the container
is propagated and no input from the caller is read. In <option>passive</option> mode a pseudo TTY is allocated,
but it is not connected anywhere. Finally, in <option>pipe</option> mode no pseudo TTY is allocated, but the
passed standard input, output and error output file descriptors are passed on — as they are — to the container
payload. In this mode <filename>/dev/console</filename> will not exist in the container. Note that in this mode
the container payload generally cannot be a full init system as init systems tend to require
<filename>/dev/console</filename> to be available. On the other hand, in this mode container invocations can be
used within shell pipelines. This is because intermediary pseudo TTYs do not permit independent bidirectional
propagation of the end-of-file (EOF) condition, which is necessary for shell pipelines to work
correctly.</para>
<para>Note that the <option>pipe</option> mode should be used carefully, as passing arbitrary file descriptors
to less trusted container payloads might open up unwanted interfaces for access by the container payload. For
example, if a passed file descriptor refers to a TTY of some form, APIs such as <constant>TIOCSTI</constant>
may be used to synthesize input that might be used for escaping the container. Hence <option>pipe</option> mode
should only be used if the payload is sufficiently trusted or when the standard input/output/error output file
descriptors are known safe, for example pipes. Defaults to <option>interactive</option> if
<command>systemd-nspawn</command> is invoked from a terminal, and <option>read-only</option>
otherwise.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--pipe</option></term>
<term><option>-P</option></term>
<listitem><para>Equivalent to <option>--console=pipe</option>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-q</option></term>
<term><option>--quiet</option></term>
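Review bot: in the <option>--console=</option> paragraph, "This is because intermediary pseudo TTYs do not permit independent bidirectional propagation of the end-of-file (EOF) condition" explains why the other three modes cannot sit in a shell pipeline, but it follows the sentence stating that <option>pipe</option> mode can, so the causal link reads backwards; either move it ahead of "On the other hand" or rephrase it as "unlike the other modes, whose intermediary pseudo-TTY does not permit ...". Minor: "pseudo-TTY" and "pseudo TTY" are both used in the same paragraph, pick one. The <constant>TIOCSTI</constant> warning in the second paragraph is the right caveat to ship with this option; to make it actionable, the default rule "if systemd-nspawn is invoked from a terminal" should say which of the three standard descriptors is tested, since the wording is ambiguous when only some of them refer to a TTY, and that is exactly the situation in which a caller has to decide whether <option>pipe</option> mode is safe.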
@ -425,6 +425,17 @@
is privileged (see above).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Inaccessible=</varname></term>
<listitem><para>Masks the specified file or directly in the container, by over-mounting it with an empty file
node of the same type with the most restrictive access mode. Takes a file system path as arugment. This option
may be used multiple times to mask multiple files or directories. This option is equivalent to the command line
switch <option>--inaccessible=</option>, see
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
about the specific options supported. This setting is privileged (see above).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Overlay=</varname></term>
<term><varname>OverlayReadOnly=</varname></term>
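Review bot: two typos in the new <varname>Inaccessible=</varname> paragraph: "Masks the specified file or directly in the container" should read "file or directory", and "Takes a file system path as arugment" should read "argument". Also, "see systemd-nspawn(1) for details about the specific options supported" reads like boilerplate carried over from settings whose switch takes a list of sub-options; <option>--inaccessible=</option> takes only a path, so the sentence can simply point at the <option>--inaccessible=</option> entry in systemd-nspawn(1). Keeping "This setting is privileged (see above)" is correct and should stay, since masking paths is a mount operation on the container root.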