picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

man: document new download magic

This commit is contained in:
Lennart Poettering 2015-01-22 15:12:11 +01:00
parent 838d5f0298
commit e0ea94c1e2
2 changed files with 360 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

312
man/machinectl.xml
View File

@ -197,6 +197,56 @@
<literal>short</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--verify=</option></term>
<listitem><para>When downloading a
container or VM image, specify whether
the image shall be verified before it
is made available. Takes one of
<literal>no</literal>,
<literal>checksum</literal> and
<literal>signature</literal>. If
<literal>no</literal> no verification
is done. If
<literal>checksum</literal> is
specified the download is checked for
integrity after transfer is complete,
but no signatures are verified. If
<literal>signature</literal> is
specified, the checksum is verified
and the images's signature is checked
against a local keyring of trustable
vendors. It is strongly recommended to
set this option to
<literal>signature</literal> if the
server and protocol support this.
Defaults to
<literal>signature</literal>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--force</option></term>
<listitem><para>When downloading a
container or VM image, and a local
copy by the specified local machine
name already exists, delete it first
and replace it by the newly downloaded
image.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--dkr-index-url</option></term>
<listitem><para>Specifies the index
server to use for downloading
<literal>dkr</literal> images with the
<command>pull-dkr</command>. Takes a
<literal>http://</literal>,
<literal>https://</literal> URL.</para></listitem>
</varlistentry>
<xi:include href="user-system-options.xml" xpointer="host" />
<xi:include href="user-system-options.xml" xpointer="machine" />
@ -583,6 +633,215 @@
removed.</para></listitem>
</varlistentry>
</variablelist></refsect2>
<refsect2><title>Image Transfer Commands</title><variablelist>
<varlistentry>
<term><command>pull-tar</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Downloads a
<filename>.tar</filename> container
image from the specified URL, and
makes it available under the specified
local machine name. The URL must be of
type <literal>http://</literal> or
<literal>https://</literal>, and must
refer to a <filename>.tar</filename>,
<filename>.tar.gz</filename>,
<filename>.tar.xz</filename> or
<filename>.tar.bz2</filename> archive
file. If the local machine name is
omitted the name it is automatically
derived from the last component of the
URL, with its suffix removed.</para>
<para>The image is verified before it
is made available, unless
<option>--verify=no</option> is
specified. Verification is done via
SHA256SUMS and SHA256SUMS.gpg files,
that need to be made available on the
same web server, under the same URL as
the <filename>.tar</filename> file,
but with the last component (the
filename) of the URL replaced. With
<option>--verify=checksum</option>
only the SHA256 checksum for the file
is verified, based on the
<filename>SHA256SUMS</filename>
file. With
<option>--verify=signature</option>
the SHA256SUMS file is first verified
with detached GPG signature file
<filename>SHA256SUMS.gpg</filename>. The
public key for this verification step
needs to be available in
<filename>/usr/lib/systemd/import-pubring.gpg</filename>
or
<filename>/etc/systemd/import-pubring.gpg</filename>.</para>
<para>The container image will be
downloaded and stored in a read-only
subvolume in
<filename>/var/lib/machines/</filename>,
that is named after the specified URL
and its HTTP etag. A writable snapshot
is then taken from this subvolume, and
named after the specified local
name. This behaviour ensures that
creating multiple container instances
of the same URL is efficient, as
multiple downloads are not
necessary. In order to create only the
read-only image, and avoid creating
its writable snapshot, specify
<literal>-</literal> as local machine
name.</para>
<para>Note that the read-only
subvolume is prefixed with
<filename>.tar-</filename>, and
is thus now shown by
<command>list-images</command>, unless
<option>--all</option> is passed.</para>
<para>Note that pressing C-c during
execution of this command will not
abort the download. Use
<command>cancel-transfer</command>,
described below.</para></listitem>
</varlistentry>
<varlistentry>
<term><command>pull-raw</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Downloads a
<filename>.raw</filename> container or
VM disk image from the specified URL,
and makes it available under the
specified local machine name. The URL
must be of type
<literal>http://</literal> or
<literal>https://</literal>. The
container image must either be a
<filename>.qcow2</filename> or raw
disk image, optionally compressed as
<filename>.gz</filename>,
<filename>.xz</filename>, or
<filename>.bz2</filename>. If the
local machine name is omitted the name
it is automatically derived from the
last component of the URL, with its
suffix removed.</para>
<para>Image verification is identical
for raw and tar images (see above).</para>
<para>If the the downloaded image is
in <filename>.qcow2</filename> format
it es converted into a raw image file
before it is made available.</para>
<para>Downloaded images of this type
will be placed as read-only
<filename>.raw</filename> file in
<filename>/var/lib/machines/</filename>. A
local, writable (reflinked) copy is
then made under the specified local
machine name. To omit creation of the
local, writable copy pass
<literal>-</literal> as local machine
name.</para>
<para>Similar to the behaviour of
<command>pull-tar</command>, the
read-only image is prefixed with
<filename>.raw-</filename>, and thus
now shown by
<command>list-images</command>, unless
<option>--all</option> is
passed.</para>
<para>Note that pressing C-c during
execution of this command will not
abort the download. Use
<command>cancel-transfer</command>,
described below.</para></listitem>
</varlistentry>
<varlistentry>
<term><command>pull-dkr</command> <replaceable>REMOTE</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Downloads a
<literal>dkr</literal> container image
and makes it available locally. The
remote name refers to a
<literal>dkr</literal> container
name. If omitted, the local machine
name is derived from the
<literal>dkr</literal> container
name.</para>
<para>Image verification is not
available for <literal>dkr</literal>
containers, and thus
<option>--verify=no</option> must
always be specified with this
command.</para>
<para>This command downloads all
(missing) layers for the specified
container and places them in read-only
subvolumes in
<filename>/var/lib/machines/</filename>. A
writable snapshot of the newest layer
is then created under the specified
local machine name. To omit creation
of this writable snapshot, pass
<literal>-</literal> as local machine
name.</para>
<para>The read-only layer subvolumes
are prefixed with
<filename>.dkr-</filename>, and thus
now shown by
<command>list-images</command>, unless
<option>--all</option> is
passed.</para>
<para>To specify the
<literal>dkr</literal> index server to
use for looking up the specified
container, use
<option>--dkr-index-url=</option>.</para>
<para>Note that pressing C-c during
execution of this command will not
abort the download. Use
<command>cancel-transfer</command>,
described below.</para></listitem>
</varlistentry>
<varlistentry>
<term><command>list-transfers</command></term>
<listitem><para>Shows a list of
container or VM image downloads that
are currently in
progress.</para></listitem>
</varlistentry>
<varlistentry>
<term><command>cancel-transfers</command> <replaceable>ID</replaceable>...</term>
<listitem><para>Aborts download of the
container or VM image with the
specified ID. To list ongoing
transfers and their IDs, use
<command>list-transfers</command>.
</para></listitem>
</varlistentry>
</variablelist></refsect2>
@ -606,7 +865,10 @@
available for control with
<command>machinectl</command>.</para>
<para>Disk images are understood in three formats:</para>
<para>Disk images are understood by
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
and <command>machinectl</command> in three
formats:</para>
<itemizedlist>
<listitem><para>A simple directory tree,
@ -633,6 +895,54 @@
<option>--image=</option> options.</para>
</refsect1>
<refsect1>
<title>Examples</title>
<example>
<title>Download an Ubuntu image and open a shell in it</title>
<programlisting># machinectl pull-tar https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-root.tar.gz
# systemd-nspawn -M trusty-server-cloudimg-amd64-root</programlisting>
<para>This downloads and verifies the
specified <filename>.tar</filename> image, and
then uses
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
to open a shell in it.</para>
</example>
<example>
<title>Download a Fedora image, set a root password in it, start it as service</title>
<programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
# systemd-nspawn -M Fedora-Cloud-Base-20141203-21
# passwd
# exit
# machinectl start Fedora-Cloud-Base-20141203-21
# machinectl login Fedora-Cloud-Base-20141203-21</programlisting>
<para>This downloads the specified
<filename>.raw</filename> image with
verification disabled. Then a shell is opened
in it and a root password is set. Afterwards
the shell is left, and the machine started as
system service. With the last command a login
prompt into the container is requested.</para>
</example>
<example>
<title>Download a Fedora <literal>dkr</literal> image</title>
<programlisting># machinectl pull-dkr --verify=no mattdm/fedora
# systemd-nspawn -M fedora</programlisting>
<para>Downloads a <literal>dkr</literal> image
and opens a shell in it. Note that the
specified download command might require an
index server to be specified with the
<literal>--dkr-index-url=</literal>.</para>
</example>
</refsect1>
<refsect1>
<title>Exit status</title>

83
man/systemd-nspawn.xml
View File

@ -247,26 +247,43 @@
the root directory for the container
from. Takes a path to a regular file
or to a block device node. The file or
block device must contain either an
MBR partition table with a single
partition of type 0x83 that is marked
bootable, or a GUID partition table
with a root partition which is mounted
as the root directory of the
container. Optionally, GPT images may
contain a home and/or a server data
partition which are mounted to the
appropriate places in the
container. All these partitions must
be identified by the partition types
defined by the <ulink
url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
Partitions Specification</ulink>. Any
other partitions, such as foreign
partitions, swap partitions or EFI
system partitions are not mounted. May
not be specified together with
<option>--directory=</option>,
block device must contain either:</para>
<itemizedlist>
<listitem><para>An MBR
partition table with a single
partition of type 0x83 that is
marked
bootable.</para></listitem>
<listitem><para>A GUID
partition table (GPT) with a single
partition of type
0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem>
<listitem><para>A GUID
partition table (GPT) with a
marked root partition which is
mounted as the root directory
of the container. Optionally,
GPT images may contain a home
and/or a server data partition
which are mounted to the
appropriate places in the
container. All these
partitions must be identified
by the partition types defined
by the <ulink
url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
Partitions
Specification</ulink>.</para></listitem>
</itemizedlist>
<para>Any other partitions, such as
foreign partitions, swap partitions or
EFI system partitions are not
mounted. May not be specified together
with <option>--directory=</option>,
<option>--template=</option> or
<option>--ephemeral</option>.</para></listitem>
</varlistentry>
@ -412,7 +429,7 @@
<varlistentry>
<term><option>--network-ipvlan=</option></term>
<listitem><para>Create a
<listitem><para>Create an
<literal>ipvlan</literal> interface
of the specified Ethernet network
interface and add it to the
@ -831,8 +848,18 @@
<refsect1>
<title>Examples</title>
<example>
<title>Boot a minimal Fedora distribution in a container</title>
<title>Download a Fedora image and start a shell in it</title>
<programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
# systemd-nspawn -M Fedora-Cloud-Base-20141203-21</programlisting>
<para>This downloads an image using <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and opens a shell in it.</para>
</example>
<example>
<title>Build and boot a minimal Fedora distribution in a container</title>
<programlisting># yum -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
# systemd-nspawn -bD /srv/mycontainer</programlisting>
@ -866,18 +893,6 @@
boots an OS in a namespace container in it.</para>
</example>
<example>
<title>Enable Arch Linux container on boot</title>
<programlisting># mv ~/arch-tree /var/lib/machines/arch
# systemctl enable systemd-nspawn@arch.service
# systemctl start systemd-nspawn@arch.service</programlisting>
<para>This makes the Arch Linux container part of the
<filename>multi-user.target</filename> on the host.
</para>
</example>
<example>
<title>Boot into an ephemeral <literal>btrfs</literal> snapshot of the host system</title>