machinectl(images) - phpMan

MACHINECTL(1)                     machinectl                     MACHINECTL(1)

NAME
       machinectl - Control the systemd machine manager
SYNOPSIS
       machinectl [OPTIONS...] {COMMAND} [NAME...]
DESCRIPTION
       machinectl may be used to introspect and control the state of the
       systemd(1) virtual machine and container registration manager systemd-
       machined.service(8).
OPTIONS
       The following options are understood:
       -p, --property=
           When showing machine or image properties, limit the output to
           certain properties as specified by the argument. If not specified,
           all set properties are shown. The argument should be a property
           name, such as "Name". If specified more than once, all properties
           with the specified names are shown.
       -a, --all
           When showing machine or image properties, show all properties
           regardless of whether they are set or not.
           When listing VM or container images, do not suppress images
           beginning in a dot character (".").
       -l, --full
           Do not ellipsize process tree entries.
       --no-ask-password
           Do not query the user for authentication for privileged operations.
       --kill-who=
           When used with kill, choose which processes to kill. Must be one of
           leader, or all to select whether to kill only the leader process of
           the machine or all processes of the machine. If omitted, defaults
           to all.
       -s, --signal=
           When used with kill, choose which signal to send to selected
           processes. Must be one of the well-known signal specifiers, such as
           SIGTERM, SIGINT or SIGSTOP. If omitted, defaults to SIGTERM.
       --mkdir
           When used with bind creates the destination directory before
           applying the bind mount.
       --read-only
           When used with bind applies a read-only bind mount.
       -n, --lines=
           When used with status, controls the number of journal lines to
           show, counting from the most recent ones. Takes a positive integer
           argument. Defaults to 10.
       -o, --output=
           When used with status, controls the formatting of the journal
           entries that are shown. For the available choices, see
           journalctl(1). Defaults to "short".
       --verify=
           When downloading a container or VM image, specify whether the image
           shall be verified before it is made available. Takes one of "no",
           "checksum" and "signature". If "no" no verification is done. If
           "checksum" is specified the download is checked for integrity after
           transfer is complete, but no signatures are verified. If
           "signature" is specified, the checksum is verified and the images's
           signature is checked against a local keyring of trustable vendors.
           It is strongly recommended to set this option to "signature" if the
           server and protocol support this. Defaults to "signature".
       --force
           When downloading a container or VM image, and a local copy by the
           specified local machine name already exists, delete it first and
           replace it by the newly downloaded image.
       -H, --host=
           Execute the operation remotely. Specify a hostname, or a username
           and hostname separated by "@", to connect to. The hostname may
           optionally be suffixed by a container name, separated by ":", which
           connects directly to a specific container on the specified host.
           This will use SSH to talk to the remote machine manager instance.
           Container names may be enumerated with machinectl -H HOST.
       -M, --machine=
           Execute operation on a local container. Specify a container name to
           connect to.
       --no-pager
           Do not pipe output into a pager.
       --no-legend
           Do not print the legend, i.e. column headers and the footer with
           hints.
       -h, --help
           Print a short help text and exit.
       --version
           Print a short version string and exit.
COMMANDS
       The following commands are understood:
   Machine Commands
       list
           List currently running (online) virtual machines and containers. To
           enumerate container images that can be started, use list-images
           (see below).
       status NAME...
           Show terse runtime status information about one or more virtual
           machines and containers, followed by the most recent log data from
           the journal. This function is intended to generate human-readable
           output. If you are looking for computer-parsable output, use show
           instead. Note that the log data shown is reported by the virtual
           machine or container manager, and frequently contains console
           output of the machine, but not necessarily journal contents of the
           machine itself.
       show NAME...
           Show properties of one or more registered virtual machines or
           containers or the manager itself. If no argument is specified,
           properties of the manager will be shown. If an NAME is specified,
           properties of this virtual machine or container are shown. By
           default, empty properties are suppressed. Use --all to show those
           too. To select specific properties to show, use --property=. This
           command is intended to be used whenever computer-parsable output is
           required. Use status if you are looking for formatted
           human-readable output.
       start NAME...
           Start a container as a system service, using systemd-nspawn(1).
           This starts systemd-nspawn@.service, instantiated for the specified
           machine name, similar to the effect of systemctl start on the
           service name.  systemd-nspawn looks for a container image by the
           specified name in /var/lib/machines/ (and other search paths, see
           below) and runs it. Use list-images (see below), for listing
           available container images to start.
           Note that systemd-machined.service(8) also interfaces with a
           variety of other container and VM managers, systemd-nspawn is just
           one implementation of it. Most of the commands available in
           machinectl may be used on containers or VMs controlled by other
           managers, not just systemd-nspawn. Starting VMs and container
           images on those managers requires manager-specific tools.
           To interactively start a container on the command line with full
           access to the container's console, please invoke systemd-nspawn
           directly. To stop a running container use machinectl poweroff, see
           below.
       login NAME
           Open an interactive terminal login session to a container. This
           will create a TTY connection to a specific container and asks for
           the execution of a getty on it. Note that this is only supported
           for containers running systemd(1) as init system.
           This command will open a full login prompt on the container, which
           then asks for username and password. Use systemd-run(1) with the
           --machine= switch to invoke a single command, either interactively
           or in the background within a local container.
       enable NAME..., disable NAME...
           Enable or disable a container as a system service to start at
           system boot, using systemd-nspawn(1). This enables or disables
           systemd-nspawn@.service, instantiated for the specified machine
           name, similar to the effect of systemctl enable or systemctl
           disable on the service name.
       poweroff NAME...
           Power off one or more containers. This will trigger a reboot by
           sending SIGRTMIN+4 to the container's init process, which causes
           systemd-compatible init systems to shut down cleanly. This
           operation does not work on containers that do not run a
           systemd(1)-compatible init system, such as sysvinit. Use terminate
           (see below) to immediately terminate a container or VM, without
           cleanly shutting it down.
       reboot NAME...
           Reboot one or more containers. This will trigger a reboot by
           sending SIGINT to the container's init process, which is roughly
           equivalent to pressing Ctrl+Alt+Del on a non-containerized system,
           and is compatible with containers running any system manager.
       terminate NAME...
           Immediately terminates a virtual machine or container, without
           cleanly shutting it down. This kills all processes of the virtual
           machine or container and deallocates all resources attached to that
           instance. Use poweroff to issue a clean shutdown request.
       kill NAME...
           Send a signal to one or more processes of the virtual machine or
           container. This means processes as seen by the host, not the
           processes inside the virtual machine or container. Use --kill-who=
           to select which process to kill. Use --signal= to select the signal
           to send.
       bind NAME PATH [PATH]
           Bind mounts a directory from the host into the specified container.
           The first directory argument is the source directory on the host,
           the second directory argument the source directory on the host.
           When the latter is omitted the destination path in the container is
           the same as the source path on the host. When combined with the
           --read-only switch a ready-only bind mount is created. When
           combined with the --mkdir switch the destination path is first
           created before the mount is applied. Note that this option is
           currently only supported for systemd-nspawn(1) containers.
       copy-to NAME PATH [PATH]
           Copies files or directories from the host system into a running
           container. Takes a container name, followed by the source path on
           the host and the destination path in the container. If the
           destination path is omitted the same as the source path is used.
       copy-from NAME PATH [PATH]
           Copies files or directories from a container into the host system.
           Takes a container name, followed by the source path in the
           container the destination path on the host. If the destination path
           is omitted the same as the source path is used.
   Image Commands
       list-images
           Show a list of locally installed container and VM images. This
           enumerates all raw disk images and container directories and
           subvolumes in /var/lib/machines/ (and other search paths, see
           below). Use start (see above) to run a container off one of the
           listed images. Note that by default containers whose name begins
           with a dot (".") are not shown. To show these too, specify --all.
           Note that a special image ".host" always implicitly exists and
           refers to the image the host itself is booted from.
       image-status NAME...
           Show terse status information about one or more container or VM
           images. This function is intended to generate human-readable
           output. Use show-image (see below) to generate computer-parsable
           output instead.
       show-image NAME...
           Show properties of one or more registered virtual machine or
           container images, or the manager itself. If no argument is
           specified, properties of the manager will be shown. If an NAME is
           specified, properties of this virtual machine or container image
           are shown. By default, empty properties are suppressed. Use --all
           to show those too. To select specific properties to show, use
           --property=. This command is intended to be used whenever
           computer-parsable output is required. Use image-status if you are
           looking for formatted human-readable output.
       clone NAME NAME
           Clones a container or disk image. The arguments specify the name of
           the image to clone and the name of the newly cloned image. Note
           that plain directory container images are cloned into subvolume
           images with this command. Note that cloning a container or VM image
           is optimized for btrfs file systems, and might not be efficient on
           others, due to file system limitations.
       rename NAME NAME
           Renames a container or disk image. The arguments specify the name
           of the image to rename and the new name of the image.
       read-only NAME [BOOL]
           Marks or (unmarks) a container or disk image read-only. Takes a VM
           or container image name, followed by a boolean as arguments. If the
           boolean is omitted, positive is implied, i.e. the image is marked
           read-only.
       remove NAME...
           Removes one or more container or disk images. The special image
           ".host", which refers to the host's own directory tree may not be
           removed.
   Image Transfer Commands
       pull-tar URL [NAME]
           Downloads a .tar container image from the specified URL, and makes
           it available under the specified local machine name. The URL must
           be of type "http://" or "https://", and must refer to a .tar,
           .tar.gz, .tar.xz or .tar.bz2 archive file. If the local machine
           name is omitted the name it is automatically derived from the last
           component of the URL, with its suffix removed.
           The image is verified before it is made available, unless
           --verify=no is specified. Verification is done via SHA256SUMS and
           SHA256SUMS.gpg files, that need to be made available on the same
           web server, under the same URL as the .tar file, but with the last
           component (the filename) of the URL replaced. With
           --verify=checksum only the SHA256 checksum for the file is
           verified, based on the SHA256SUMS file. With --verify=signature the
           SHA256SUMS file is first verified with detached GPG signature file
           SHA256SUMS.gpg. The public key for this verification step needs to
           be available in /usr/lib/systemd/import-pubring.gpg or
           /etc/systemd/import-pubring.gpg.
           The container image will be downloaded and stored in a read-only
           subvolume in /var/lib/machines/, that is named after the specified
           URL and its HTTP etag. A writable snapshot is then taken from this
           subvolume, and named after the specified local name. This behaviour
           ensures that creating multiple container instances of the same URL
           is efficient, as multiple downloads are not necessary. In order to
           create only the read-only image, and avoid creating its writable
           snapshot, specify "-" as local machine name.
           Note that the read-only subvolume is prefixed with .tar-, and is
           thus now shown by list-images, unless --all is passed.
           Note that pressing C-c during execution of this command will not
           abort the download. Use cancel-transfer, described below.
       pull-raw URL [NAME]
           Downloads a .raw container or VM disk image from the specified URL,
           and makes it available under the specified local machine name. The
           URL must be of type "http://" or "https://". The container image
           must either be a .qcow2 or raw disk image, optionally compressed as
           .gz, .xz, or .bz2. If the local machine name is omitted the name it
           is automatically derived from the last component of the URL, with
           its suffix removed.
           Image verification is identical for raw and tar images (see above).
           If the the downloaded image is in .qcow2 format it es converted
           into a raw image file before it is made available.
           Downloaded images of this type will be placed as read-only .raw
           file in /var/lib/machines/. A local, writable (reflinked) copy is
           then made under the specified local machine name. To omit creation
           of the local, writable copy pass "-" as local machine name.
           Similar to the behaviour of pull-tar, the read-only image is
           prefixed with .raw-, and thus now shown by list-images, unless
           --all is passed.
           Note that pressing C-c during execution of this command will not
           abort the download. Use cancel-transfer, described below.
       list-transfers
           Shows a list of container or VM image downloads that are currently
           in progress.
       cancel-transfers ID...
           Aborts download of the container or VM image with the specified ID.
           To list ongoing transfers and their IDs, use list-transfers.
FILES AND DIRECTORIES
       Machine images are preferably stored in /var/lib/machines/, but are
       also searched for in /usr/local/lib/machines/ and /usr/lib/machines/.
       For compatibility reasons the directory /var/lib/container/ is
       searched, too. Note that images stored below /usr are always considered
       read-only. It is possible to symlink machines images from other
       directories into /var/lib/machines/ to make them available for control
       with machinectl.
       Disk images are understood by systemd-nspawn(1) and machinectl in three
       formats:
       o   A simple directory tree, containing the files and directories of
           the container to boot.
       o   A subvolume (on btrfs file systems), which are similar to the
           simple directories, described above. However, they have additional
           benefits, such as efficient cloning and quota reporting.
       o   "Raw" disk images, i.e. binary images of disks with a GPT or MBR
           partition table. Images of this type are regular files with the
           suffix ".raw".
       See systemd-nspawn(1) for more information on image formats, in
       particular it's --directory= and --image= options.
EXAMPLES
       Example 1. Download an Ubuntu image and open a shell in it
           # machinectl pull-tar https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-root.tar.gz
           # systemd-nspawn -M trusty-server-cloudimg-amd64-root
       This downloads and verifies the specified .tar image, and then uses
       systemd-nspawn(1) to open a shell in it.
       Example 2. Download a Fedora image, set a root password in it, start it
       as service
           # machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
           # systemd-nspawn -M Fedora-Cloud-Base-20141203-21
           # passwd
           # exit
           # machinectl start Fedora-Cloud-Base-20141203-21
           # machinectl login Fedora-Cloud-Base-20141203-21
       This downloads the specified .raw image with verification disabled.
       Then a shell is opened in it and a root password is set. Afterwards the
       shell is left, and the machine started as system service. With the last
       command a login prompt into the container is requested.
EXIT STATUS
       On success, 0 is returned, a non-zero failure code otherwise.
ENVIRONMENT
       $SYSTEMD_PAGER
           Pager to use when --no-pager is not given; overrides $PAGER.
           Setting this to an empty string or the value "cat" is equivalent to
           passing --no-pager.
       $SYSTEMD_LESS
           Override the default options passed to less ("FRSXMK").
       $SYSTEMD_PAGERSECURE
           Takes a boolean argument. When true, the "secure" mode of the pager
           is enabled; if false, disabled. If $SYSTEMD_PAGERSECURE is not set
           at all, secure mode is enabled if the effective UID is not the same
           as the owner of the login session, see geteuid(2) and
           sd_pid_get_owner_uid(3). In secure mode, LESSSECURE=1 will be set
           when invoking the pager, and the pager shall disable commands that
           open or create new files or start new subprocesses. When
           $SYSTEMD_PAGERSECURE is not set at all, pagers which are not known
           to implement secure mode will not be used. (Currently only less(1)
           implements secure mode.)
           Note: when commands are invoked with elevated privileges, for
           example under sudo(8) or pkexec(1), care must be taken to ensure
           that unintended interactive features are not enabled. "Secure" mode
           for the pager may be enabled automatically as describe above.
           Setting SYSTEMD_PAGERSECURE=0 or not removing it from the inherited
           environment allows the user to invoke arbitrary commands. Note that
           if the $SYSTEMD_PAGER or $PAGER variables are to be honoured,
           $SYSTEMD_PAGERSECURE must be set too. It might be reasonable to
           completly isable the pager using --no-pager instead.
SEE ALSO
       systemd-machined.service(8), systemd-nspawn(1), systemd.special(7)

systemd 219                                                      MACHINECTL(1)