man: update the nspawn man page, and document what kind of dissection features we now support

2016-12-07 18:36:08 +01:00 · 2016-12-07 18:36:08 +01:00 · 58abb66f4b
parent 4623e8e6ac
commit 58abb66f4b
1 changed files with 17 additions and 0 deletions
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@ -235,16 +235,33 @@
          identified by the partition types defined by the <ulink
          url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
          Partitions Specification</ulink>.</para></listitem>
+
+          <listitem><para>No partition table, and a single file system spanning the whole image.</para></listitem>
        </itemizedlist>

        <para>On GPT images, if an EFI System Partition (ESP) is discovered, it is automatically mounted to
        <filename>/efi</filename> (or <filename>/boot</filename> as fallback) in case a directory by this name exists
        and is empty.</para>

+        <para>Partitions encrypted with LUKS are automatically decrypted. Also, on GPT images dm-verity data integrity
+        hash partitions are set up if the root hash for them is specified using the <option>--root-hash=</option>
+        option.</para>
+
        <para>Any other partitions, such as foreign partitions or swap partitions are not mounted. May not be specified
        together with <option>--directory=</option>, <option>--template=</option>.</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><option>--root-hash=</option></term>
+
+        <listitem><para>Takes a data integrity (dm-verity) root hash specified in hexadecimal. This option enables data
+        integrity checks using dm-verity, if the used image contains the appropriate integrity data (see above). The
+        specified hash must match the root hash of integrity data, and is usually at least 256bits (and hence 64
+        hexadecimal characters) long (in case of SHA256 for example). If this option is not specified, but a file with
+        the <filename>.roothash</filename> suffix is found next to the image file, bearing otherwise the same name the
+        root hash is read from it and automatically used.</para></listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><option>-a</option></term>
        <term><option>--as-pid2</option></term>