systemd-nspawn may be used to run a command or OS in a light-weight namespace container. In many ways it is similar to chroot, but more powerful since it fully virtualizes the file system hierarchy, as well as the process tree, the various IPC subsystems and the host and domain name.
This mechanism is also similar to LXC, but is much simpler to configure and most of the necessary software is already installed on contemporary Debian systems.
The host (i.e. the system hosting one or more containers) needs to have the systemd-container package installed.
$ apt-get install systemd-container
$ echo 'kernel.unprivileged_userns_clone=1' >/etc/sysctl.d/nspawn.conf
$ systemctl restart systemd-sysctl.service
Creating a Debian Container
Each guest OS should also have the systemd-container package installed. A suitable guest OS installation may be created using the debootstrap or cdebootstrap tools. For example, to create a new guest OS called debian:
$ debootstrap --include=systemd-container stable /var/lib/machines/debian
I: Target architecture can be executed
I: Retrieving InRelease
I: Checking Release signature
...
After debootstrap finishes, it is necessary to log in to the newly created container and make some changes to allow root logins:
$ systemd-nspawn -D /var/lib/machines/debian -U --machine debian
Spawning container buster on /var/lib/machines/debian.
Press ^] three times within 1s to kill container.
Selected user namespace base 818610176 and range 65536.
# set root password
root@debian:~# passwd
New password:
Retype new password:
passwd: password updated successfully
# allow login via local tty
root@debian:~# echo 'pts/1' >> /etc/securetty
# logout from container
root@debian:~# logout
Container debian exited successfully.
Booting a Container
Once it has been set up, it is possible to boot a container using an instantiated systemd.service:
# The part after the @ must match the container name used in the previous step
$ systemctl start systemd-nspawn@debian
Checking Container State
To check the state of containers, use one of the following commands:
$ machinectl list
MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
debian  container systemd-nspawn debian 10      -
# or
$ systemctl status systemd-nspawn@debian
● systemd-nspawn@debian.service - Container debian
   Loaded: loaded (/lib/systemd/system/systemd-nspawn@.service; disabled; vendor preset: enabled)
   Active: active (running) since ...
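The two host-side checks above, and the guest changes made after debootstrap, can be verified without logging in. The following script is an added example (not part of the original page): check_guest_rootfs inspects a guest tree for a usable root password hash and a pts/* entry in /etc/securetty, and machine_running parses a machinectl list table. The directory layout, shadow lines and list output it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page. Checks that a guest root
# directory has the post-debootstrap changes described above (root
# password set, pts login permitted in /etc/securetty) and parses
# `machinectl list` output. All paths and sample output are constructed.

# check_guest_rootfs DIR -> 0 if DIR looks ready for `machinectl login`
#   1: no such tree, 2: root password locked or unset (as debootstrap
#   leaves it), 3: /etc/securetty permits no pts/* login
check_guest_rootfs() {
    dir=$1
    [ -d "$dir/etc" ] || return 1
    # second field of root's shadow entry; '*' or a leading '!' means locked
    hash=$(awk -F: '$1 == "root" { print $2 }' "$dir/etc/shadow" 2>/dev/null)
    case "$hash" in
        ''|'*'|'!'*) return 2 ;;
    esac
    grep -q '^pts/' "$dir/etc/securetty" 2>/dev/null || return 3
}

# machine_running LIST_OUTPUT NAME -> 0 if NAME is listed as a running
# container in the host-side `machinectl list` table, 1 otherwise
machine_running() {
    printf '%s\n' "$1" | awk -v name="$2" '
        NR > 1 && $1 == name && $2 == "container" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# constructed copy of the `machinectl list` table shown above
SAMPLE_LIST='MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
debian  container systemd-nspawn debian 10      -

1 machines listed.'

# walk a throw-away tree through the state before and after the changes
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    printf 'root:*:18600:0:99999:7:::\n' > "$root/etc/shadow"   # locked
    before=0; check_guest_rootfs "$root" || before=$?
    printf 'root:$6$constructed$hash:18600:0:99999:7:::\n' > "$root/etc/shadow"
    echo 'pts/1' >> "$root/etc/securetty"
    after=0; check_guest_rootfs "$root" || after=$?
    rm -rf "$root"
    echo "before=$before after=$after"
}

demo
```

Run it on a real guest tree with check_guest_rootfs /var/lib/machines/debian; a non-zero status tells you which of the two post-install changes is still missing.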
Logging into a Container
To log in to a running container:
$ machinectl login debian
Connected to machine debian. Press ^] three times within 1s to exit session.

Debian GNU/Linux 10 debian pts/0

debian login:
Stopping a Container
To stop a running container from the host, do:
$ systemctl stop systemd-nspawn@debian
Alternatively, you can stop the container from within the guest OS by running e.g. halt:
$ machinectl login debian
Connected to machine debian. Press ^] three times within 1s to exit session.

Debian GNU/Linux 10 debian pts/0

debian login: root
Password: <something>
Last login: Wed Jan 22 21:53:00 CET 2020 on pts/1
Linux debian 5.4.0-3-amd64 #1 SMP Debian 5.4.13-1 (2020-01-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@debian:~# halt
...
Machine debian terminated
The host communicates with the guest container using a virtual interface named ve-<container_name>@if<X> while the guest uses a virtual interface named host@if<Y> for the same purposes:
$ ip a show dev ve-debian
77: ve-debian@if2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ... brd ff:ff:ff:ff:ff:ff link-netnsid 1
Enable and start systemd-networkd.service on the host and in the container to automatically provision the virtual link via DHCP, with routing onto the host's external network interfaces.
Alternatively, the interfaces can be configured manually, e.g. to set up IP forwarding, masquerading, etc.