<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd.nspawn">

  <refentryinfo>
    <title>systemd.nspawn</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.nspawn</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.nspawn</refname>
    <refpurpose>Container settings</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
    <para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
    <para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>An nspawn container settings file (suffix <filename>.nspawn</filename>) contains runtime
    configuration for a local container, and is used by
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
    Files of this type are named after the containers they define settings for. They are optional, and only
    required for containers whose execution environment shall differ from the defaults. Files of this type
    mostly contain settings that may also be set on the <command>systemd-nspawn</command> command line, and
    make it easier to persistently attach specific settings to specific containers. The syntax of these files
    is inspired by <filename>.desktop</filename> files, similarly to other configuration files supported by
    the systemd project. See
    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry> for an
    overview.</para>
  </refsect1>

  <refsect1>
    <title><filename>.nspawn</filename> File Discovery</title>

    <para>Files are searched for by appending the <filename>.nspawn</filename> suffix to the machine name of
    the container, as specified with the <option>--machine=</option> switch of
    <command>systemd-nspawn</command>, or derived from the directory or image file name. This file is first
    searched for in <filename>/etc/systemd/nspawn/</filename> and
    <filename>/run/systemd/nspawn/</filename>. If found there, the settings are read and all of them take
    full effect (but may still be overridden by corresponding command line arguments). Otherwise, the file
    will then be searched for next to the image file or in the immediate parent of the root directory of the
    container. If the file is found there, however, only a subset of the settings will take effect. All
    settings that possibly elevate privileges or grant additional access to resources of the host (such as
    files or directories) are ignored. To which options this applies is documented below.</para>

    <para>Persistent settings files created and maintained by the
    administrator (and thus trusted) should be placed in
    <filename>/etc/systemd/nspawn/</filename>, while automatically
    downloaded (and thus potentially untrusted) settings files are
    placed in <filename>/var/lib/machines/</filename> instead (next to
    the container images), where their security impact is limited. In
    order to add privileged settings to <filename>.nspawn</filename>
    files acquired from the image vendor, it is recommended to copy the
    settings files into <filename>/etc/systemd/nspawn/</filename> and
    edit them there, so that the privileged options become
    available. The precise algorithm for how the files are searched and
    interpreted may be configured with
    <command>systemd-nspawn</command>'s <option>--settings=</option>
    switch, see
    <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    for details.</para>
  </refsect1>

  <refsect1>
    <title>[Exec] Section Options</title>

    <para>Settings files may include an [Exec]
    section, which carries various execution parameters:</para>

    <variablelist class='nspawn-directives'>

      <varlistentry>
        <term><varname>Boot=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, <command>systemd-nspawn</command>
        will automatically search for an <filename>init</filename> executable and invoke it. In this case, the
        specified parameters using <varname>Parameters=</varname> are passed as additional arguments to the
        <filename>init</filename> process. This setting corresponds to the <option>--boot</option> switch on the
        <command>systemd-nspawn</command> command line. This option may not be combined with
        <varname>ProcessTwo=yes</varname>. This option is specified by default in the
        <filename>systemd-nspawn@.service</filename> template unit.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Ephemeral=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the container is run with
        a temporary snapshot of its file system that is removed immediately when the container terminates.
        This is equivalent to the <option>--ephemeral</option> command line switch. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ProcessTwo=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If enabled, the specified program is run as
        PID 2. A stub init process is run as PID 1. This setting corresponds to the <option>--as-pid2</option> switch
        on the <command>systemd-nspawn</command> command line. This option may not be combined with
        <varname>Boot=yes</varname>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Parameters=</varname></term>

        <listitem><para>Takes a whitespace-separated list of arguments. Single (<literal>'</literal>) and
        double (<literal>"</literal>) quotes may be used around arguments with whitespace. This is either a
        command line, beginning with the binary name to execute, or – if <varname>Boot=</varname> is enabled
        – the list of arguments to pass to the init process. This setting corresponds to the command line
        parameters passed on the <command>systemd-nspawn</command> command line.</para>

        <para>Note: <option>Boot=no</option>, <option>Parameters=a b "c c"</option> is the same as
        <command>systemd-nspawn a b "c c"</command>, and <option>Boot=yes</option>, <option>Parameters=b 'c c'</option>
        is the same as <command>systemd-nspawn --boot b 'c c'</command>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Environment=</varname></term>

        <listitem><para>Takes an environment variable assignment
        consisting of key and value, separated by
        <literal>=</literal>. Sets an environment variable for the
        main process invoked in the container. This setting may be
        used multiple times to set multiple environment variables. It
        corresponds to the <option>--setenv=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>User=</varname></term>

        <listitem><para>Takes a UNIX user name. Specifies the user
        name to invoke the main process of the container as. This user
        must be known in the container's user database. This
        corresponds to the <option>--user=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>WorkingDirectory=</varname></term>

        <listitem><para>Selects the working directory for the process invoked in the container. Expects an absolute
        path in the container's file system namespace. This corresponds to the <option>--chdir=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PivotRoot=</varname></term>

        <listitem><para>Selects a directory to pivot to <filename>/</filename> inside the container when starting up.
        Takes a single path, or a pair of two paths separated by a colon. Both paths must be absolute, and are resolved
        in the container's file system namespace. This corresponds to the <option>--pivot-root=</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Capability=</varname></term>
        <term><varname>DropCapability=</varname></term>

        <listitem><para>Takes a space-separated list of Linux process
        capabilities (see
        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
        for details). The <varname>Capability=</varname> setting
        specifies additional capabilities to pass on top of the
        default set of capabilities. The
        <varname>DropCapability=</varname> setting specifies
        capabilities to drop from the default set. These settings
        correspond to the <option>--capability=</option> and
        <option>--drop-capability=</option> command line
        switches. Note that <varname>Capability=</varname> is a
        privileged setting, and only takes effect in
        <filename>.nspawn</filename> files in
        <filename>/etc/systemd/nspawn/</filename> and
        <filename>/run/systemd/nspawn/</filename> (see above). On the
        other hand, <varname>DropCapability=</varname> takes effect in
        all cases. If the special value <literal>all</literal> is passed, all
        capabilities are retained (or dropped).</para>
        <para>These settings change the bounding set of capabilities, which
        also limits the ambient capabilities given with
        <varname>AmbientCapability=</varname>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>AmbientCapability=</varname></term>
        <listitem><para>Takes a space-separated list of Linux process
        capabilities (see
        <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
        for details). The <varname>AmbientCapability=</varname> setting
        specifies capabilities which will be passed to the started program
        in the inheritable and ambient capability sets. This will grant
        these capabilities to this process. This setting corresponds to
        the <option>--ambient-capability=</option> command line switch.
        </para>

        <para>The value <literal>all</literal> is not supported for this
        setting.</para>

        <para>The capabilities listed in <varname>AmbientCapability=</varname> must
        be covered by the bounding set established by
        <varname>Capability=</varname> and <varname>DropCapability=</varname>.
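As an added illustration (not part of this man page and not systemd's own code), the following Python emulates the two rules above: a file read from a trusted directory takes full effect, while one found next to the image loses its privileged [Exec] keys, and the capabilities in AmbientCapability= are checked against the bounding set built from Capability= and DropCapability=. The default bounding set, the capability universe and the sample file are constructed placeholders.

```python
"""Added example (not systemd's own code): emulate how the [Exec] capability
settings of a .nspawn file take effect depending on where the file was found,
and check that AmbientCapability= is covered by the resulting bounding set."""
import configparser
from pathlib import PurePosixPath

# Directories in which privileged settings take effect (File Discovery section).
TRUSTED_DIRS = ("/etc/systemd/nspawn", "/run/systemd/nspawn")

# [Exec] keys this page marks as privileged; they are ignored when the file was
# found next to the image (e.g. under /var/lib/machines/) instead.
PRIVILEGED_EXEC_KEYS = frozenset({"Capability", "AmbientCapability",
                                  "MachineID", "PrivateUsers"})

# Constructed placeholders: the real default bounding set and the full list of
# capabilities are documented in systemd-nspawn(1) and capabilities(7).
DEFAULT_BOUNDING = frozenset({"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER",
                              "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SETGID",
                              "CAP_SETUID", "CAP_SYS_ADMIN"})
ALL_CAPS = DEFAULT_BOUNDING | {"CAP_NET_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE"}

# Constructed sample file, as an image vendor might ship it next to the image.
SAMPLE_NSPAWN = """\
[Exec]
Boot=yes
Capability=CAP_NET_ADMIN CAP_SYS_PTRACE
DropCapability=CAP_SYS_ADMIN
AmbientCapability=CAP_NET_ADMIN
"""

def is_trusted_location(path):
    """Settings in /etc or /run take full effect; elsewhere only a subset does."""
    return str(PurePosixPath(path).parent) in TRUSTED_DIRS

def parse_exec_section(text):
    """Minimal [Exec] parser (key -> raw value); a repeated key keeps its last
    value, which is enough for the keys used here (Environment= may repeat)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. "DropCapability"
    cp.read_string(text)
    return dict(cp["Exec"]) if cp.has_section("Exec") else {}

def effective_settings(settings, path):
    """Drop privileged keys unless the file came from a trusted directory."""
    if is_trusted_location(path):
        return dict(settings)
    return {k: v for k, v in settings.items() if k not in PRIVILEGED_EXEC_KEYS}

def apply_cap_list(current, value, add):
    """Apply Capability= (add=True) or DropCapability= (add=False);
    the special value 'all' retains (or drops) every capability."""
    if value.strip() == "all":
        return frozenset(ALL_CAPS) if add else frozenset()
    caps = frozenset(value.split())
    return current | caps if add else current - caps

def bounding_set(settings):
    """Bounding set = default set + Capability= - DropCapability=."""
    bound = DEFAULT_BOUNDING
    if "Capability" in settings:
        bound = apply_cap_list(bound, settings["Capability"], add=True)
    if "DropCapability" in settings:
        bound = apply_cap_list(bound, settings["DropCapability"], add=False)
    return bound

def check_ambient(settings):
    """Return the ambient capabilities NOT covered by the bounding set (empty
    means consistent); 'all' is rejected since the page says it is unsupported."""
    value = settings.get("AmbientCapability", "")
    if value.strip() == "all":
        raise ValueError("AmbientCapability=all is not supported")
    return frozenset(value.split()) - bounding_set(settings)

def load_nspawn(path, text):
    """Emulate loading: parse, apply the location policy, validate ambient caps."""
    settings = effective_settings(parse_exec_section(text), path)
    return {"settings": settings, "bounding": bounding_set(settings),
            "uncovered_ambient": check_ambient(settings)}
```

Running load_nspawn() on the sample once with an /etc/systemd/nspawn/ path and once with a /var/lib/machines/ path shows the vendor's Capability= and AmbientCapability= lines silently dropping out in the second case while DropCapability= still applies.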
        </para>

        <para>Note that <varname>AmbientCapability=</varname> is a privileged
        setting (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>NoNewPrivileges=</varname></term>

        <listitem><para>Takes a boolean argument that controls the <constant>PR_SET_NO_NEW_PRIVS</constant> flag for
        the container payload. This is equivalent to the
        <option>--no-new-privileges=</option> command line switch. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>KillSignal=</varname></term>

        <listitem><para>Specifies the process signal to send to the
        container's PID 1 when nspawn itself receives SIGTERM, in
        order to trigger an orderly shutdown of the container.
        Defaults to SIGRTMIN+3 if <option>Boot=</option> is used
        (on systemd-compatible init systems SIGRTMIN+3 triggers an
        orderly shutdown). For a list of valid signals, see
        <citerefentry project='man-pages'><refentrytitle>signal</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Personality=</varname></term>

        <listitem><para>Configures the kernel personality for the
        container. This is equivalent to the
        <option>--personality=</option> switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MachineID=</varname></term>

        <listitem><para>Configures the 128-bit machine ID (UUID) to pass to
        the container. This is equivalent to the
        <option>--uuid=</option> command line switch. This option is
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PrivateUsers=</varname></term>

        <listitem><para>Configures support for user namespacing. This is equivalent to the
        <option>--private-users=</option> command line switch, and takes the same options. This option is privileged
        (see above). This option is the default if the <filename>systemd-nspawn@.service</filename> template unit file
        is used.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>NotifyReady=</varname></term>

        <listitem><para>Configures support for notifications from the container's init process. This is equivalent to
        the <option>--notify-ready=</option> command line switch, and takes the same parameters. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>SystemCallFilter=</varname></term>

        <listitem><para>Configures the system call filter applied to containers. This is equivalent to the
        <option>--system-call-filter=</option> command line switch, and takes the same list parameter. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>LimitCPU=</varname></term>
        <term><varname>LimitFSIZE=</varname></term>
        <term><varname>LimitDATA=</varname></term>
        <term><varname>LimitSTACK=</varname></term>
        <term><varname>LimitCORE=</varname></term>
        <term><varname>LimitRSS=</varname></term>
        <term><varname>LimitNOFILE=</varname></term>
        <term><varname>LimitAS=</varname></term>
        <term><varname>LimitNPROC=</varname></term>
        <term><varname>LimitMEMLOCK=</varname></term>
        <term><varname>LimitLOCKS=</varname></term>
        <term><varname>LimitSIGPENDING=</varname></term>
        <term><varname>LimitMSGQUEUE=</varname></term>
        <term><varname>LimitNICE=</varname></term>
        <term><varname>LimitRTPRIO=</varname></term>
        <term><varname>LimitRTTIME=</varname></term>

        <listitem><para>Configures various types of resource limits applied to containers. This is equivalent to the
        <option>--rlimit=</option> command line switch, and takes the same arguments. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>OOMScoreAdjust=</varname></term>

        <listitem><para>Configures the OOM score adjustment value. This is equivalent to the
        <option>--oom-score-adjust=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>CPUAffinity=</varname></term>

        <listitem><para>Configures the CPU affinity. This is equivalent to the <option>--cpu-affinity=</option> command
        line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Hostname=</varname></term>

        <listitem><para>Configures the kernel hostname set for the container. This is equivalent to the
        <option>--hostname=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ResolvConf=</varname></term>

        <listitem><para>Configures how <filename>/etc/resolv.conf</filename> in the container shall be handled. This is
        equivalent to the <option>--resolv-conf=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Timezone=</varname></term>

        <listitem><para>Configures how <filename>/etc/localtime</filename> in the container shall be handled. This is
        equivalent to the <option>--timezone=</option> command line switch, and takes the same argument. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>LinkJournal=</varname></term>

        <listitem><para>Configures how to link host and container journal setups. This is equivalent to the
        <option>--link-journal=</option> command line switch, and takes the same parameter. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
        details.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>SuppressSync=</varname></term>

        <listitem><para>Configures whether to suppress disk synchronization for the container payload. This
        is equivalent to the <option>--suppress-sync=</option> command line switch, and takes the same
        parameter. See
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details.</para></listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Files] Section Options</title>

    <para>Settings files may include a [Files]
    section, which carries various parameters configuring the file
    system of the container:</para>

    <variablelist class='nspawn-directives'>

      <varlistentry>
        <term><varname>ReadOnly=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If
        specified, the container will be run with a read-only file
        system. This setting corresponds to the
        <option>--read-only</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Volatile=</varname></term>

        <listitem><para>Takes a boolean argument, or the special value
        <literal>state</literal>. This configures whether to run the
        container with volatile state and/or configuration. This
        option is equivalent to <option>--volatile=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options
        supported.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Bind=</varname></term>
        <term><varname>BindReadOnly=</varname></term>

        <listitem><para>Adds a bind mount from the host into the
        container. Takes a single path, a pair of two paths separated
        by a colon, or a triplet of two paths plus an option string
        separated by colons. This option may be used multiple times to
        configure multiple bind mounts. This option is equivalent to
        the command line switches <option>--bind=</option> and
        <option>--bind-ro=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting
        is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>BindUser=</varname></term>

        <listitem><para>Binds a user from the host into the container. This option is equivalent to the
        command line switch <option>--bind-user=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting is privileged (see
        above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>TemporaryFileSystem=</varname></term>

        <listitem><para>Adds a <literal>tmpfs</literal> mount to the
        container. Takes a path or a pair of path and option string,
        separated by a colon. This option may be used multiple times to
        configure multiple <literal>tmpfs</literal> mounts. This
        option is equivalent to the command line switch
        <option>--tmpfs=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for details about the specific options supported. This setting
        is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Inaccessible=</varname></term>

        <listitem><para>Masks the specified file or directory in the container, by over-mounting it with an empty file
        node of the same type with the most restrictive access mode. Takes a file system path as argument. This option
        may be used multiple times to mask multiple files or directories. This option is equivalent to the command line
        switch <option>--inaccessible=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported. This setting is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Overlay=</varname></term>
        <term><varname>OverlayReadOnly=</varname></term>

        <listitem><para>Adds an overlay mount point. Takes a colon-separated list of paths. This option may be used
        multiple times to configure multiple overlay mounts. This option is equivalent to the command line switches
        <option>--overlay=</option> and <option>--overlay-ro=</option>, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> for details
        about the specific options supported. This setting is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>PrivateUsersOwnership=</varname></term>

        <listitem><para>Configures whether the ownership of the files and directories in the container tree
        shall be adjusted to the UID/GID range used, if necessary and user namespacing is enabled. This is
        equivalent to the <option>--private-users-ownership=</option> command line switch. This option is
        privileged (see above).</para></listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>[Network] Section Options</title>

    <para>Settings files may include a [Network]
    section, which carries various parameters configuring the network
    connectivity of the container:</para>

    <variablelist class='nspawn-directives'>

      <varlistentry>
        <term><varname>Private=</varname></term>

        <listitem><para>Takes a boolean argument, which defaults to off. If
        enabled, the container will run in its own network namespace
        and not share network interfaces and configuration with the
        host. This setting corresponds to the
        <option>--private-network</option> command line
        switch.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>VirtualEthernet=</varname></term>

        <listitem><para>Takes a boolean argument. Configures whether to create a virtual Ethernet connection
        (<literal>veth</literal>) between host and the container. This setting implies
        <varname>Private=yes</varname>. This setting corresponds to the <option>--network-veth</option> command line
        switch. This option is privileged (see above). This option is the default if the
        <filename>systemd-nspawn@.service</filename> template unit file is used.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>VirtualEthernetExtra=</varname></term>

        <listitem><para>Takes a colon-separated pair of interface names. Configures an additional virtual
        Ethernet connection (<literal>veth</literal>) between host and the container. The first specified
        name is the interface name on the host, the second the interface name in the container. The latter
        may be omitted in which case it is set to the same name as the host side interface. This setting
        implies <varname>Private=yes</varname>. This setting corresponds to the
        <option>--network-veth-extra=</option> command line switch, and may be used multiple times. It is
        independent of <varname>VirtualEthernet=</varname>. Note that this option is unrelated to the
        <varname>Bridge=</varname> setting below, and thus any connections created this way are not
        automatically added to any bridge device on the host side. This option is privileged (see
        above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Interface=</varname></term>

        <listitem><para>Takes a space-separated list of interfaces to
        add to the container. This option corresponds to the
        <option>--network-interface=</option> command line switch and
        implies <varname>Private=yes</varname>. This option is
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>MACVLAN=</varname></term>
        <term><varname>IPVLAN=</varname></term>

        <listitem><para>Takes a space-separated list of interfaces to
        add MACVLAN or IPVLAN interfaces to, which are then added to
        the container. These options correspond to the
        <option>--network-macvlan=</option> and
        <option>--network-ipvlan=</option> command line switches and
        imply <varname>Private=yes</varname>. These options are
        privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Bridge=</varname></term>

        <listitem><para>Takes an interface name. This setting implies
        <varname>VirtualEthernet=yes</varname> and
        <varname>Private=yes</varname> and has the effect that the
        host side of the created virtual Ethernet link is connected to
        the specified bridge interface. This option corresponds to the
        <option>--network-bridge=</option> command line switch. This
        option is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Zone=</varname></term>

        <listitem><para>Takes a network zone name. This setting implies <varname>VirtualEthernet=yes</varname> and
        <varname>Private=yes</varname> and has the effect that the host side of the created virtual Ethernet link is
        connected to an automatically managed bridge interface named after the passed argument, prefixed with
        <literal>vz-</literal>. This option corresponds to the <option>--network-zone=</option> command line
        switch. This option is privileged (see above).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>Port=</varname></term>

        <listitem><para>Exposes a TCP or UDP port of the container on
        the host. This option corresponds to the
        <option>--port=</option> command line switch, see
        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
        for the precise syntax of the argument this option takes. This
        option is privileged (see above).</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>