Before getting into the main subject, there are a few things to understand.
In Linux, every process has a **root directory** as one of its attributes. The process uses it to interpret absolute paths starting with `/`, and it is normally set to the system root directory (`/`). The `chroot()` system call changes a process's root directory to the specified path, which makes it possible to restrict the files the process can reach. Note that chroot by itself is not a security boundary: it changes only path resolution, not process, mount or network isolation, and a process that keeps root privileges inside a chroot can still escape it.
systemd-nspawn can be thought of as an enhanced version of chroot. The difference from chroot is that the file system hierarchy, the process tree, the various IPC mechanisms, the host name, the domain name and so on are all virtualized and isolated. Because it isolates these namespaces, the result can be treated as a lightweight container.
Another motivation for using systemd-nspawn is that any Linux distribution that uses systemd can be run in it as-is, without extra thought: anything you can do in the directory tree of the recreated distribution, you can do in the container. Where Docker builds one container per application, systemd-nspawn sets up a complete Linux system inside the container. You can therefore build an environment close to VM-style virtualization, in which multiple applications are started inside the container in the same way as on an ordinary Linux system.
I use Ubuntu, the distribution I normally use, as the host:

Linux karkador 5.0.0-37-generic #40~18.04.1-Ubuntu SMP Thu Nov 14 12:06:39 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

and create the container environment on it, using debootstrap to prepare the files the container needs. debootstrap is a tool for building a minimal directory tree of Debian, the distribution on which Ubuntu is based; this time I will build an Ubuntu tree with it.
This time, the container gets the directory `/var/lib/machines/ubuntu`, and the files are installed there. This path is not arbitrary: the `systemd-nspawn@.service` template and machinectl look for containers under `/var/lib/machines` by name. The `debootstrap` package must be installed on the host; the command below picks up the host's architecture and release codename, so the container is the same Ubuntu release as the host:

# debootstrap --arch=$(dpkg --print-architecture) $(lsb_release -cs) /var/lib/machines/ubuntu http://archive.ubuntu.com/ubuntu
The files the container needs are now in place.

# systemd-nspawn -D /path/to/container

This drops you into a root shell of the prepared environment (for this article `/path/to/container` is `/var/lib/machines/ubuntu`). For now, just set the root password with `passwd` and exit. You can leave the container at any time by pressing Ctrl+] three times within one second.
# systemd-nspawn -b -D /var/lib/machines/ubuntu

This boots the container, that is, it starts `init` (systemd) inside it. After the familiar Ubuntu boot messages, a login prompt appears; log in as root with the password set above. From here on, most everyday operations work as usual. Leaving the container is done the same way.
# systemctl start systemd-nspawn@ubuntu

starts the container as a service (the part after `@` is the directory name under `/var/lib/machines`). Automatic start at boot is handled with `enable` and `disable`, as for any other unit. Note that the template unit passes options of its own, such as a virtual Ethernet link and user namespaces, so a container started this way does not behave exactly like one started by hand with `-b`.
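The steps above (bootstrap the tree, set the root password, register and enable the container) as one script, added here as an example and not code from the original post. It assumes an Ubuntu host with the `debootstrap` package installed, root privileges, and the mirror and `/var/lib/machines` layout used in the post; the name check is a conservative one I added, since machinectl uses the container name as its host name.

```shell
#!/bin/sh
# Added example, not code from the original post: the bootstrap / password /
# enable steps as one script with the sanity checks a practitioner wants.
# Assumptions: Ubuntu host with the debootstrap package installed, run as root;
# mirror and directory layout are the ones used in the post.
set -eu

MACHINES_ROOT=/var/lib/machines
MIRROR=http://archive.ubuntu.com/ubuntu

# Where the systemd-nspawn@NAME.service template and machinectl look for NAME.
machine_dir() {
    printf '%s/%s\n' "$MACHINES_ROOT" "$1"
}

# machinectl treats the name as the container's host name, so reject anything
# that would not be a valid one (conservative check, my assumption: letters,
# digits and hyphens, up to 64 characters, no leading hyphen). This also keeps
# path fragments like ../etc out of machine_dir.
valid_machine_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]{0,63}$'
}

# The debootstrap command line from the post, parameterised (name arch suite).
# Printed rather than run so it can be inspected without privileges.
bootstrap_cmd() {
    printf 'debootstrap --arch=%s %s %s %s\n' "$2" "$3" "$(machine_dir "$1")" "$MIRROR"
}

create_container() {
    name=$1
    [ "$(id -u)" -eq 0 ] || { echo 'must run as root' >&2; return 1; }
    command -v debootstrap >/dev/null 2>&1 || { echo 'debootstrap not installed' >&2; return 1; }
    valid_machine_name "$name" || { echo "invalid machine name: $name" >&2; return 1; }
    dir=$(machine_dir "$name")
    # Refuse to bootstrap over an existing tree: a half-populated directory is
    # easy to mistake for a finished image later.
    [ ! -e "$dir" ] || { echo "$dir already exists" >&2; return 1; }
    arch=$(dpkg --print-architecture)
    suite=$(lsb_release -cs)
    echo "+ $(bootstrap_cmd "$name" "$arch" "$suite")"
    debootstrap --arch="$arch" "$suite" "$dir" "$MIRROR"
    # Set root's password inside the new tree, as the post does by hand, then
    # register the container so machinectl/systemctl can start and enable it.
    systemd-nspawn -q -D "$dir" passwd
    machinectl enable "$name"
    machinectl start "$name"
}

# Only act when a container name is given; with no arguments the file just
# defines the helpers, so it can be sourced or inspected safely.
[ $# -eq 0 ] || create_container "$1"
```

Run it as `sh mkcontainer.sh ubuntu`. Because `machinectl start` goes through the `systemd-nspawn@.service` template, the container comes up with the template's own options (virtual Ethernet, user namespaces) rather than with the bare `-b` invocation shown earlier.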
The systemd-nspawn command has many options. For example, `-D`, already used above, makes the specified directory the root of the container's file system.

You can also change the rules for which system calls may be issued inside the container. For example, a specific system call can be disallowed by passing it to the corresponding option (note that a program cannot run unless the system calls it needs are allowed, so a filter that is too strict simply stops the container from starting). The details of a system call, including which group (such as `@mount`) it belongs to, can be checked with `systemd-analyze syscall-filter`, and filters can be specified per group as well as per individual call.
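A helper for the system call filtering just described, added as an example and not code from the original post. It uses systemd-nspawn's `--system-call-filter=` option (a real option that the text above does not name; it needs systemd 235 or newer), validates the entries, looks a call up in the group listing from `systemd-analyze syscall-filter` (a constructed excerpt in that format is embedded for hosts without the tool), and, when run as root against the `/var/lib/machines/ubuntu` tree built earlier, checks that a mount attempt inside the container really fails once `@mount` is removed.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds --system-call-filter=
# options for systemd-nspawn (a real option, not named in the text above) and
# looks names up in the group listing printed by systemd-analyze syscall-filter.
# Assumptions: systemd 235 or newer; for the live check at the bottom, root and
# the /var/lib/machines/ubuntu tree built earlier.
set -eu

# Constructed excerpt in the shape of `systemd-analyze syscall-filter` output,
# used when the real tool is not on the host running this file.
SAMPLE_GROUPS='@mount
    # Mounting and unmounting of file systems
    chroot
    mount
    pivot_root
    umount2
@reboot
    # Reboot and reboot preparation/kexec
    kexec_load
    reboot'

syscall_groups() {
    if command -v systemd-analyze >/dev/null 2>&1 \
       && real=$(systemd-analyze syscall-filter 2>/dev/null) && [ -n "$real" ]; then
        printf '%s\n' "$real"
    else
        printf '%s\n' "$SAMPLE_GROUPS"
    fi
}

# Print the first group (e.g. @mount) containing a syscall; nothing if unknown.
group_of() {
    syscall_groups | awk -v want="$1" '
        /^@/             { group = $1; next }   # column-0 line names a group
        /^[[:space:]]*#/ { next }               # description line
        $1 == want       { print group; exit }'
}

# Emit one option per entry. Plain entries are added to nspawn's default allow
# list; ~-prefixed entries are removed from it, and the negative list wins when
# the two overlap. Entries must be @group or syscall names; anything else
# (shell metacharacters, paths) is rejected before it reaches a command line.
syscall_filter_options() {
    deny=$1 allow=${2:-} out=''
    for tok in $deny $allow; do
        printf '%s\n' "$tok" | grep -Eq '^@?[a-z0-9_]+$' \
            || { echo "bad filter entry: $tok" >&2; return 1; }
    done
    for tok in $deny;  do out="$out --system-call-filter=~$tok"; done
    for tok in $allow; do out="$out --system-call-filter=$tok"; done
    printf '%s\n' "${out# }"
}

# Live check: with @mount removed, a mount attempt inside the container must
# fail; if it succeeds, the filter was not applied.
demo() {
    dir=${1:-/var/lib/machines/ubuntu}
    opts=$(syscall_filter_options '@mount')
    # $opts is deliberately left unquoted so it splits into separate options
    if systemd-nspawn -q -D "$dir" $opts /bin/sh -c 'mount -t tmpfs none /mnt'; then
        echo 'mount succeeded: filter not in effect' >&2; return 1
    fi
    echo 'mount blocked as intended'
}
[ $# -eq 0 ] || demo "$1"
```

`sh sysfilter.sh /var/lib/machines/ubuntu` runs the live check; without arguments the file only defines the helpers. Denying a group rather than a single call is usually what you want, since `mount` has siblings (`umount2`, `pivot_root`) that a deny list of one call would leave open.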
Besides systemd-nspawn itself, there are other commands that are convenient for operating containers. A container started with

# systemctl start systemd-nspawn@hostname

can be operated with machinectl. machinectl shows the list of running containers, and `machinectl list-images` lists the container images found under `/var/lib/machines`. `machinectl enable|disable` sets up or removes automatic start at boot. machinectl combines the systemctl operations around a container with those of systemd-nspawn, and most day-to-day operations can be done with it alone.
When systemd-nspawn is run directly, the default is to share the host's network namespace with the container (the `systemd-nspawn@.service` template used by systemctl and machinectl instead gives the container its own network namespace, connected to the host by a virtual Ethernet link). Running systemd-networkd in the container and on the host enables a wide range of network configurations, such as virtual Ethernet links, bridges and port forwarding.
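As an added example (not from the original post), a persistent settings file for the container built above. It assumes the `.nspawn` file format that systemd-nspawn reads from `/etc/systemd/nspawn/<name>.nspawn` and the `VirtualEthernet=`, `Port=` and `Bridge=` settings of its `[Network]` section; the port number and bridge name are placeholders of mine.

```ini
# /etc/systemd/nspawn/ubuntu.nspawn
# Added example, not from the original post. Settings for the "ubuntu"
# container built above; the file name must match the container name.
# Assumed: systemd-networkd is enabled on both the host and the container.

[Network]
# Give the container its own network namespace, joined to the host by a
# virtual Ethernet pair (host0 inside the container, ve-ubuntu on the host).
VirtualEthernet=yes
# Forward host port 8080 to port 80 inside the container (needs the veth
# pair above; the numbers are placeholders).
Port=tcp:8080:80
# Alternative to the plain veth pair: attach the container to an existing
# host bridge instead (br0 is a placeholder name).
#Bridge=br0
```

With this file in place, `machinectl start ubuntu` picks the settings up automatically. systemd ships network files that match the `ve-*` interface on the host (DHCP server plus IP masquerading) and `host0` inside the container (DHCP client), so enabling systemd-networkd on both sides is enough for the container to get an address and outbound connectivity; the host-side firewall rule that `Port=` installs is removed again when the container stops.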
There are many differences from Docker, and I find it interesting as a completely different container technology. I would like to operate it a little more and add information on things such as networking.