1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-06 08:26:52 +03:00
Commit Graph

107 Commits

Author SHA1 Message Date
Lennart Poettering
82adf6af7c nspawn,man: use a common vocabulary when referring to selinux security contexts
Let's always call the security labels the same way:

  SMACK: "Smack Label"
  SELINUX: "SELinux Security Context"

And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly.
2014-02-10 13:18:16 +01:00
Lennart Poettering
ba978d7b32 nspawn: rename --file-label to --apifs-label since it's really just about the API file systems, nothing else 2014-02-07 19:29:28 +01:00
Lennart Poettering
284c0b9176 nspawn: add --quiet switch for turning off any output noise 2014-02-06 00:43:14 +01:00
Lennart Poettering
d002827b03 nspawn: various fixes in selinux hookup
- As suggested, prefix argument variables with "arg_" how we do this
  usually.

- As suggested, don't involve memory allocations when storing command
  line arguments.

- Break --help text at 80 chars

- man: explain that this is about SELinux

- don't do unnecessary memory allocations when putting together mount
  option string
2014-02-04 22:56:07 +01:00
Dan Walsh
a8828ed938 Add SELinux support to systemd-nspawn
This patch adds to new options:

-Z PROCESS_LABEL

This specifies the process label to run on processes run within the container.

-L FILE_LABEL

The file label to assign to memory file systems created within the container.

For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following

chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-02-04 13:33:15 -08:00
Lennart Poettering
f4889f656b nspawn: add new --setenv= switch to set an environment variable for the container to spawn 2013-12-13 16:37:16 +01:00
Zbigniew Jędrzejewski-Szmek
f9f4dd51bd man: add another nspawn example
Taken from https://bugs.freedesktop.org/show_bug.cgi?id=68369.
2013-12-12 23:19:45 -05:00
Lennart Poettering
420c7379fb nspawn: add new --drop-capability= switch 2013-11-20 22:10:42 +01:00
Zbigniew Jędrzejewski-Szmek
9cb74bcb23 man,units: fix installation of systemd-nspawn@.service and add example 2013-11-09 19:02:53 -05:00
Lennart Poettering
04d3927924 machinectl: add new command to spawn a getty inside a container 2013-10-31 01:43:38 +01:00
Jan Engelhardt
7964042405 man: wording and grammar updates
This is a recurring submission and includes corrections to various
issue spotted. I guess I can just skip over reporting ubiquitous
comma placement fixes…

Highligts in this particular commit:
- the "unsigned" type qualifier is completed to form a full type
  "unsigned int"
- alphabetic -> lexicographic (that way we automatically define how
  numbers get sorted)
2013-09-12 22:09:57 +02:00
Jan Engelhardt
6b4991cfde man: wording and grammar updates
This includes regularly-submitted corrections to comma setting and
orthographical mishaps that appeared in man/ in recent commits.

In this particular commit:
- the usual comma fixes
- expand contractions (this is prose)
2013-09-10 18:34:41 +02:00
Zbigniew Jędrzejewski-Szmek
04ac799283 man: fix spacing issue in systemd-nspawn(1)
Same as 1e158d273.
2013-08-19 16:00:22 -04:00
Lennart Poettering
431c72dc3d man: update systemd-nspawn regarding new --slice= logic 2013-07-19 17:55:52 +02:00
Jason St. John
e9dd9f9547 man: improve grammar and word formatting in numerous man pages
Use proper grammar, word usage, adjective hyphenation, commas,
capitalization, spelling, etc.

To improve readability, some run-on sentences or sentence fragments were
revised.

[zj: remove the space from 'file name', 'host name', and 'time zone'.]
2013-07-02 23:06:22 -04:00
Michael Biebl
fb69ed55e5 man: Fix small typo 2013-06-22 00:55:18 +02:00
Lennart Poettering
77b6e19458 audit: since audit is apparently never going to be fixed for containers tell the user what's going on
Let's try to be helpful to the user and give him a hint what he can do
to make nspawn work with normal OS containers.

https://bugzilla.redhat.com/show_bug.cgi?id=893751
2013-05-10 00:17:36 +02:00
Lennart Poettering
2aba426ffb man: document that the kernel's audit subsystem is currently incompatible with nspawn containers 2013-05-09 15:33:02 +02:00
Lennart Poettering
f8964235e6 nspawn: explain that we look for /etc/os-release in the container directory
https://bugs.freedesktop.org/show_bug.cgi?id=64014
2013-05-06 21:06:18 +02:00
Zbigniew Jędrzejewski-Szmek
845c53246f man: add various filenames to the index
Everything which is an absolute filename marked with <filename></filename>
lands in the index, unless noindex= attribute is present. Should make
it easier for people to find stuff when they are looking at a file on
disk.

Various formatting errors in manpages are fixed, kernel-install(1) is
restored to formatting sanity.
2013-05-03 01:00:42 -04:00
Zbigniew Jędrzejewski-Szmek
f03dc7c0c5 man: fix syntax in nsenter example
Apparently nsenter doesn't handle options concatenated together.
I'm pretty sure it worked at one point, but it seems like magic,
since each of those options can take arguments.
2013-04-17 00:09:16 -04:00
Lennart Poettering
7027ff61a3 nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there
Containers will now carry a label (normally derived from the root
directory name, but configurable by the user), and the container's root
cgroup is /machine/<label>. This label is called "machine name", and can
cover both containers and VMs (as soon as libvirt also makes use of
/machine/).

libsystemd-login can be used to query the machine name from a process.

This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 04:41:21 +02:00
Zbigniew Jędrzejewski-Szmek
870c4365cf man: document systemd-nspawn behaviour with -b
Cf. cb96a2c69 and 1ddf879a.
2013-02-27 22:25:40 -05:00
Lennart Poettering
17fe052346 nspawn: add --bind= and --bind-ro= to bind mount host paths into the container 2013-02-25 20:08:07 +01:00
Michal Schmidt
1ddf879acf Revert "nspawn: catch config mistake of specifying -b and args"
This reverts commit cb96a2c69a.

It is not a mistake to pass args when -b is specified. They will simply
be passed on to the container's init.

The manpage needs fixing, that's true.
2013-02-25 18:39:16 +01:00
Zbigniew Jędrzejewski-Szmek
cb96a2c69a nspawn: catch config mistake of specifying -b and args 2013-02-24 14:11:11 +01:00
Zbigniew Jędrzejewski-Szmek
1fd961211d nspawn: print PID and show how to enter the namespace
systemd-nspawn will now print the PID of the child.
An example showing how to enter the container is added
to the man page.

Support for nsenter without an explicit command was
added in https://github.com/karelzak/util-linux/commit/5758069
(post v2.22.2). So this example requires both a new kernel
and the latest util-linux.
2013-02-14 10:40:45 -05:00
Zbigniew Jędrzejewski-Szmek
e670b166a0 man: use <replaceable> in various places 2013-02-13 23:09:00 -05:00
William Giokas
a7f5bb1eaf man: Make options consistent
Option listings seemed to be pretty much random, some were short opt,
long opt, others were long opt, short opt. This just makes every option
with a short and long opt that I could find in the order short opt, long
opt, for formatting's sake.
2013-02-13 08:57:20 -05:00
Lennart Poettering
4d62fb4298 man: mention pacman at the top of the nspawn man page, too 2013-01-29 01:44:33 +01:00
William Giokas
68562936c2 man: add Arch Linux entry to systemd-nspawn(5)
Archlinux has a similar tool to debbotstrap in the arch-install-scripts
package that will install to a specified directory. This is generally
used for installation, so the -d flag must be passed to tell it to
install to a non-mountpoint directory.
2013-01-27 23:47:18 -05:00
Lennart Poettering
2b3987a863 man: update suggested yum command line in nspawn(1) 2013-01-18 18:23:20 +01:00
Lennart Poettering
88d04e31ce nspawn: add audit caps to default set to keep
Due to the brokeness of much of the userspace audit code we cannot
really start too many systems without the audit caps set. To make nspawn
easier to use just add the audit caps by default.

To boot up containers successfully the kernel's auditing needs to be
turned off still (use "audit=0" on the kernel command line), but at
least no manual caps have to be passed anymore.

In the long run auditing will be fixed for containers and ve virtualized
properly at which time it should be safe to enable these caps anyway.
2013-01-18 18:23:20 +01:00
Zbigniew Jędrzejewski-Szmek
acbeb42770 nspawn: add --version 2013-01-11 16:03:49 -05:00
Thomas Hindoe Paaboel Andersen
bb31a4ac19 man: typo fixes
https://bugs.freedesktop.org/show_bug.cgi?id=55890

Fixed typos, serial comma, and removed "either" as there were more
than two options. Also did an extra rename of "system-shutdown"
to "systemd-shutdown" that was forgotten in commit
8bd3b8620c
2012-10-26 00:16:47 +02:00
Zbigniew Jędrzejewski-Szmek
27407a01c6 nspawn: use automatic cleanup and provide debug info
The documentation for --link-journal is also reworded.
2012-10-02 14:56:26 +02:00
Zbigniew Jędrzejewski-Szmek
b2e6df73aa trivial: fix typo 2012-10-02 14:56:18 +02:00
Pierre Schmitz
0cd1fd4369 nspawn: Fix minor typo in man page 2012-09-14 17:42:12 +02:00
Lennart Poettering
d87be9b0af nspawn: handle poweroff/reboot nicely in containers 2012-09-05 16:23:41 -07:00
Lennart Poettering
57fb9fb56d nspawn: introduce new --link-journal= switch to link container journals into host 2012-07-19 02:02:39 +02:00
Lennart Poettering
9980033377 man: add various links from man pages to appropriate wiki pages 2012-06-28 18:58:56 +02:00
Lennart Poettering
5076f0ccfd nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case 2012-06-28 14:05:16 +02:00
Lennart Poettering
bc2f673ec2 nspawn: add --read-only switch 2012-04-25 15:11:20 +02:00
Lennart Poettering
25f5971b5e man: rework nspawn man page to suggest yum --installroot instead of mock 2012-04-24 13:14:40 +02:00
Lennart Poettering
144f0fc0c8 nspawn: add --uuid= switch to allow setting the machine id for the container 2012-04-22 14:48:21 +02:00
Lennart Poettering
0f0dbc46cc nspawn: add -b switch to automatically look for an init binary 2012-04-22 14:11:32 +02:00
Léo Gillot-Lamure
40c32a4ad4 One can specify in which cgroup hierarchies a systemd-nspawn container will appear 2012-04-12 00:46:09 +02:00
Lennart Poettering
5430f7f2bc relicense to LGPLv2.1 (with exceptions)
We finally got the OK from all contributors with non-trivial commits to
relicense systemd from GPL2+ to LGPL2.1+.

Some udev bits continue to be GPL2+ for now, but we are looking into
relicensing them too, to allow free copy/paste of all code within
systemd.

The bits that used to be MIT continue to be MIT.

The big benefit of the relicensing is that closed source code may now
link against libsystemd-login.so and friends.
2012-04-12 00:24:39 +02:00
Kay Sievers
e0d25329b2 move /usr/bin/systemd to /usr/lib/systemd/systemd 2012-02-08 00:08:10 +01:00
Lennart Poettering
ab1f063390 exec: optionally apply cgroup attributes to the cgroups we create 2011-08-20 00:22:02 +02:00
Lennart Poettering
ff01d048b4 exec: introduce PrivateNetwork= process option to turn off network access to specific services 2011-08-02 05:24:58 +02:00
Lennart Poettering
4f755fc6ab man: nspawn fixes 2011-08-02 04:55:10 +02:00
Lennart Poettering
a41fe3a293 nspawn: add new --no-net switch to turn off networking in the container 2011-08-02 04:49:37 +02:00
Michal Vyskocil
687d0825a4 nspawn: spawn shell under specified --user
Add -u/--user option, which changes the effective and real user and
group id to the new value. The user must exists in the chroot, otherwise
it will fail. Both username and user id are accepted. The user home is
created as well.

It also setup HOME, USER, LOGNAME and SHELL variables .
2011-07-01 23:51:14 +02:00
Ville Skyttä
9f7dad774e man: Documentation spelling fixes 2011-06-20 17:57:22 +02:00
Kay Sievers
2b583ce657 use /run instead of /dev/.run
Instead of the /dev/.run trick we have currently implemented, we decided
to move the early-boot runtime dir to /run.

An existing /var/run directory is bind-mounted to /run. If /var/run is
already a symlink, no action is taken.

An existing /var/lock directory is bind-mounted to /run/lock.
If /var/lock is already a symlink, no action is taken.

To implement the directory vs. symlink logic, we have a:
  ConditionPathIsDirectory=
now, which is used in the mount units.

Skipped mount unit in case of symlink:
  $ systemctl status var-run.mount
  var-run.mount - Runtime Directory
    Loaded: loaded (/lib/systemd/system/var-run.mount)
    Active: inactive (dead)
            start condition failed at Fri, 25 Mar 2011 04:51:41 +0100; 6min ago
     Where: /var/run
      What: /run
    CGroup: name=systemd:/system/var-run.mount

The systemd rpm needs to make sure to add something like:
  %pre
  mkdir -p -m0755 /run >/dev/null 2>&1 || :
or it needs to be added to filesystem.rpm.

Udev -git already uses /run if that exists, and is writable at bootup.
Otherwise it falls back to the current /dev/.udev.

Dracut and plymouth need to be adopted to switch from /dev/.run to run
too.

Cheers,
Kay
2011-03-28 23:00:00 +02:00
Lennart Poettering
8f7a3c1402 man: document systemd-nspawn 2011-03-15 20:51:59 +01:00