diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 51db003a67..eb411102bc 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -238,6 +238,15 @@
together with , .
+
+
+
+ Takes the path to an OCI runtime bundle to invoke, as specified in the OCI Runtime Specification. In
+ this case no .nspawn file is loaded, and the root directory and various settings are read
+ from the OCI runtime JSON data (but data passed on the command line takes precedence).
+
+
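Review bot: "various settings are read from the OCI runtime JSON data" is too vague for a man page entry that replaces the usual .nspawn file: the text should enumerate which parts of the bundle's runtime configuration are honoured (root directory is named, but the spec also carries mounts, the process user, capabilities and namespace settings) and which are ignored, so that a caller who relies on the bundle to express the container's confinement knows whether those restrictions are actually applied. The parenthetical "data passed on the command line takes precedence" should likewise say whether precedence is per-setting or whether any command-line option disables the bundle's value for that setting only.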
@@ -952,6 +961,16 @@
make them read-only, using .
+
+
+
+ Make the specified path inaccessible in the container. This over-mounts the specified path
+ (which must exist in the container) with a file node of the same type that is empty and has the most
+ restrictive access mode supported. This is an effective way to mask files, directories and other file system
+ objects from the container payload. This option may be used more than once in case all specified paths are
+ masked.
+
+
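Review bot: The last sentence, "This option may be used more than once in case all specified paths are masked.", reads as a condition rather than a consequence; suggest "This option may be used multiple times, in which case all specified paths are masked." The parenthetical "(which must exist in the container)" should also state what happens when the path does not exist (whether the container start fails or the entry is silently skipped), since a user masking a sensitive path will want to know that a typo is reported rather than leaving the path exposed.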
@@ -1084,6 +1103,42 @@
same as the one reported on the host.
+
+ MODE
+
+ Configures how to set up standard input, output and error output for the container payload, as
+ well as the /dev/console device for the container. Takes one of
+ , , or . If
+ a pseudo-TTY is allocated and made available as /dev/console
+ in the container. It is then bi-directionally connected to the standard input and output passed to
+ systemd-nspawn. is similar but only the output of the container
+ is propagated and no input from the caller is read. In mode a pseudo TTY is allocated,
+ but it is not connected anywhere. Finally, in mode no pseudo TTY is allocated, but the
+ passed standard input, output and error output file descriptors are passed on — as they are — to the container
+ payload. In this mode /dev/console will not exist in the container. Note that in this mode
+ the container payload generally cannot be a full init system as init systems tend to require
+ /dev/console to be available. On the other hand, in this mode container invocations can be
+ used within shell pipelines. This is because intermediary pseudo TTYs do not permit independent bidirectional
+ propagation of the end-of-file (EOF) condition, which is necessary for shell pipelines to work
+ correctly.
+
+ Note that the mode should be used carefully, as passing arbitrary file descriptors
+ to less trusted container payloads might open up unwanted interfaces for access by the container payload. For
+ example, if a passed file descriptor refers to a TTY of some form, APIs such as TIOCSTI
+ may be used to synthesize input that might be used for escaping the container. Hence mode
+ should only be used if the payload is sufficiently trusted or when the standard input/output/error output file
+ descriptors are known safe, for example pipes. Defaults to if
+ systemd-nspawn is invoked from a terminal, and
+ otherwise.
+
+
+
+
+
+
+ Equivalent to .
+
+
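Review bot: The final default-selection sentence ("Defaults to … if systemd-nspawn is invoked from a terminal, and … otherwise") should say explicitly whether the non-terminal default is the pass-through mode that the preceding paragraph warns about; if it is, a caller running systemd-nspawn from a script or service with a TTY on standard input gets the TIOCSTI exposure described above without having opted into it, and the paragraph should add a sentence to that effect next to the warning, e.g. "When not invoked from a terminal the caller's descriptors are passed through unchanged; make sure they are pipes or otherwise safe when the payload is untrusted." Minor: "pseudo-TTY" and "pseudo TTY" both appear in the same paragraph; pick one spelling.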
diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml
index 39e1d6fe73..1485a26f02 100644
--- a/man/systemd.nspawn.xml
+++ b/man/systemd.nspawn.xml
@@ -425,6 +425,17 @@
is privileged (see above).
+
+ Inaccessible=
+
+ Masks the specified file or directly in the container, by over-mounting it with an empty file
+ node of the same type with the most restrictive access mode. Takes a file system path as arugment. This option
+ may be used multiple times to mask multiple files or directories. This option is equivalent to the command line
+ switch , see
+ systemd-nspawn1 for details
+ about the specific options supported. This setting is privileged (see above).
+
+
Overlay=OverlayReadOnly=
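Review bot: Two typos in the Inaccessible= description: "Masks the specified file or directly in the container" should read "file or directory", and "Takes a file system path as arugment" should read "argument". The wording also differs from the command-line option's text in the systemd-nspawn page ("most restrictive access mode" here versus "most restrictive access mode supported" there); keep the two descriptions aligned so readers of either page get the same guarantee.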