[systemd-commits] 3 commits - man/machinectl.xml man/systemd-nspawn.xml src/import src/machine src/shared
Lennart Poettering
lennart at kemper.freedesktop.org
Thu Jan 22 06:15:25 PST 2015
man/machinectl.xml | 312 ++++++++++++++++++++++++++++++++++++++++++++++-
man/systemd-nspawn.xml | 83 +++++++-----
src/import/import.c | 4
src/machine/machinectl.c | 16 +-
src/shared/import-util.c | 2
src/shared/import-util.h | 2
6 files changed, 372 insertions(+), 47 deletions(-)
New commits:
commit b5b38b41c37dbe1a117af9bf99e94b58ac91239a
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Jan 22 15:14:23 2015 +0100
machinectl: various minor updates to the --help text
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
index fa98d0b..1bda9a0 100644
--- a/src/machine/machinectl.c
+++ b/src/machine/machinectl.c
@@ -2239,18 +2239,18 @@ static int help(int argc, char *argv[], void *userdata) {
" copy-from NAME PATH [PATH] Copy files from a container to the host\n"
" bind NAME PATH [PATH] Bind mount a path from the host into a container\n\n"
"Image Commands:\n"
- " list-images Show available images\n"
+ " list-images Show available container annd VM images\n"
" image-status NAME... Show image details\n"
" show-image NAME... Show properties of image\n"
" clone NAME NAME Clone an image\n"
" rename NAME NAME Rename an image\n"
" read-only NAME [BOOL] Mark or unmark image read-only\n"
" remove NAME... Remove an image\n\n"
- "Transfer Commands:\n"
- " pull-tar URL [NAME] Download a TAR image\n"
- " pull-raw URL [NAME] Download a RAW image\n"
- " pull-dkr REMOTE [NAME] Download a DKR image\n"
- " list-transfers Show list of current downloads\n"
+ "Image Transfer Commands:\n"
+ " pull-tar URL [NAME] Download a TAR container image\n"
+ " pull-raw URL [NAME] Download a RAW container or VM image\n"
+ " pull-dkr REMOTE [NAME] Download a DKR container image\n"
+ " list-transfers Show list of downloads in progress\n"
" cancel-transfer Cancel a download\n"
, program_invocation_short_name);
commit 7f444afa1b62920265fec99a61cb4dc53d521956
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Jan 22 15:13:53 2015 +0100
import: rename --verify=sum to --verify=checksum
This is how we call it internally, and also a bit more descriptive.
diff --git a/src/import/import.c b/src/import/import.c
index 5b1d0c1..9bd8b77 100644
--- a/src/import/import.c
+++ b/src/import/import.c
@@ -323,8 +323,8 @@ static int help(int argc, char *argv[], void *userdata) {
" -h --help Show this help\n"
" --version Show package version\n"
" --force Force creation of image\n"
- " --verify= Verify downloaded image, one of: 'no', 'sum'\n"
- " 'signature'.\n"
+ " --verify= Verify downloaded image, one of: 'no',\n"
+ " 'checksum', 'signature'.\n"
" --image-root= Image root directory\n"
" --dkr-index-url=URL Specify index URL to use for downloads\n\n"
"Commands:\n"
diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c
index 11b2c00..fa98d0b 100644
--- a/src/machine/machinectl.c
+++ b/src/machine/machinectl.c
@@ -2218,8 +2218,8 @@ static int help(int argc, char *argv[], void *userdata) {
" -o --output=STRING Change journal output mode (short,\n"
" short-monotonic, verbose, export, json,\n"
" json-pretty, json-sse, cat)\n"
- " --verify=MODE Verification mode for downloaded images (no, sum,\n"
- " signature)\n"
+ " --verify=MODE Verification mode for downloaded images (no,\n"
+ " checksum, signature)\n"
" --force Download image even if already exists\n"
" --dkr-index-url=URL Specify the index URL to use for DKR image\n"
" downloads\n\n"
diff --git a/src/shared/import-util.c b/src/shared/import-util.c
index 46671e8..660d92a 100644
--- a/src/shared/import-util.c
+++ b/src/shared/import-util.c
@@ -76,7 +76,7 @@ int import_url_change_last_component(const char *url, const char *suffix, char *
static const char* const import_verify_table[_IMPORT_VERIFY_MAX] = {
[IMPORT_VERIFY_NO] = "no",
- [IMPORT_VERIFY_SUM] = "sum",
+ [IMPORT_VERIFY_CHECKSUM] = "checksum",
[IMPORT_VERIFY_SIGNATURE] = "signature",
};
diff --git a/src/shared/import-util.h b/src/shared/import-util.h
index da87a40..ff155b0 100644
--- a/src/shared/import-util.h
+++ b/src/shared/import-util.h
@@ -27,7 +27,7 @@
typedef enum ImportVerify {
IMPORT_VERIFY_NO,
- IMPORT_VERIFY_SUM,
+ IMPORT_VERIFY_CHECKSUM,
IMPORT_VERIFY_SIGNATURE,
_IMPORT_VERIFY_MAX,
_IMPORT_VERIFY_INVALID = -1,
commit e0ea94c1e2ab3930c85c6057189a2a829a13a800
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Jan 22 15:12:11 2015 +0100
man: document new download magic
diff --git a/man/machinectl.xml b/man/machinectl.xml
index ff447b6..61ea1c4 100644
--- a/man/machinectl.xml
+++ b/man/machinectl.xml
@@ -197,6 +197,56 @@
<literal>short</literal>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--verify=</option></term>
+
+ <listitem><para>When downloading a
+ container or VM image, specify whether
+ the image shall be verified before it
+ is made available. Takes one of
+ <literal>no</literal>,
+ <literal>checksum</literal> and
+ <literal>signature</literal>. If
+ <literal>no</literal> no verification
+ is done. If
+ <literal>checksum</literal> is
+ specified the download is checked for
+ integrity after transfer is complete,
+ but no signatures are verified. If
+ <literal>signature</literal> is
+ specified, the checksum is verified
+ and the images's signature is checked
+ against a local keyring of trustable
+ vendors. It is strongly recommended to
+ set this option to
+ <literal>signature</literal> if the
+ server and protocol support this.
+ Defaults to
+ <literal>signature</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--force</option></term>
+
+ <listitem><para>When downloading a
+ container or VM image, and a local
+ copy by the specified local machine
+ name already exists, delete it first
+ and replace it by the newly downloaded
+ image.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--dkr-index-url</option></term>
+
+ <listitem><para>Specifies the index
+ server to use for downloading
+ <literal>dkr</literal> images with the
+ <command>pull-dkr</command>. Takes a
+ <literal>http://</literal>,
+ <literal>https://</literal> URL.</para></listitem>
+ </varlistentry>
+
<xi:include href="user-system-options.xml" xpointer="host" />
<xi:include href="user-system-options.xml" xpointer="machine" />
@@ -583,6 +633,215 @@
removed.</para></listitem>
</varlistentry>
+ </variablelist></refsect2>
+
+ <refsect2><title>Image Transfer Commands</title><variablelist>
+
+ <varlistentry>
+ <term><command>pull-tar</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
+
+ <listitem><para>Downloads a
+ <filename>.tar</filename> container
+ image from the specified URL, and
+ makes it available under the specified
+ local machine name. The URL must be of
+ type <literal>http://</literal> or
+ <literal>https://</literal>, and must
+ refer to a <filename>.tar</filename>,
+ <filename>.tar.gz</filename>,
+ <filename>.tar.xz</filename> or
+ <filename>.tar.bz2</filename> archive
+ file. If the local machine name is
+ omitted the name it is automatically
+ derived from the last component of the
+ URL, with its suffix removed.</para>
+
+ <para>The image is verified before it
+ is made available, unless
+ <option>--verify=no</option> is
+ specified. Verification is done via
+ SHA256SUMS and SHA256SUMS.gpg files,
+ that need to be made available on the
+ same web server, under the same URL as
+ the <filename>.tar</filename> file,
+ but with the last component (the
+ filename) of the URL replaced. With
+ <option>--verify=checksum</option>
+ only the SHA256 checksum for the file
+ is verified, based on the
+ <filename>SHA256SUMS</filename>
+ file. With
+ <option>--verify=signature</option>
+ the SHA256SUMS file is first verified
+ with detached GPG signature file
+ <filename>SHA256SUMS.gpg</filename>. The
+ public key for this verification step
+ needs to be available in
+ <filename>/usr/lib/systemd/import-pubring.gpg</filename>
+ or
+ <filename>/etc/systemd/import-pubring.gpg</filename>.</para>
+
+ <para>The container image will be
+ downloaded and stored in a read-only
+ subvolume in
+ <filename>/var/lib/machines/</filename>,
+ that is named after the specified URL
+ and its HTTP etag. A writable snapshot
+ is then taken from this subvolume, and
+ named after the specified local
+ name. This behaviour ensures that
+ creating multiple container instances
+ of the same URL is efficient, as
+ multiple downloads are not
+ necessary. In order to create only the
+ read-only image, and avoid creating
+ its writable snapshot, specify
+ <literal>-</literal> as local machine
+ name.</para>
+
+ <para>Note that the read-only
+ subvolume is prefixed with
+ <filename>.tar-</filename>, and
+ is thus now shown by
+ <command>list-images</command>, unless
+ <option>--all</option> is passed.</para>
+
+ <para>Note that pressing C-c during
+ execution of this command will not
+ abort the download. Use
+ <command>cancel-transfer</command>,
+ described below.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>pull-raw</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
+
+ <listitem><para>Downloads a
+ <filename>.raw</filename> container or
+ VM disk image from the specified URL,
+ and makes it available under the
+ specified local machine name. The URL
+ must be of type
+ <literal>http://</literal> or
+ <literal>https://</literal>. The
+ container image must either be a
+ <filename>.qcow2</filename> or raw
+ disk image, optionally compressed as
+ <filename>.gz</filename>,
+ <filename>.xz</filename>, or
+ <filename>.bz2</filename>. If the
+ local machine name is omitted the name
+ it is automatically derived from the
+ last component of the URL, with its
+ suffix removed.</para>
+
+ <para>Image verification is identical
+ for raw and tar images (see above).</para>
+
+ <para>If the the downloaded image is
+ in <filename>.qcow2</filename> format
+ it es converted into a raw image file
+ before it is made available.</para>
+
+ <para>Downloaded images of this type
+ will be placed as read-only
+ <filename>.raw</filename> file in
+ <filename>/var/lib/machines/</filename>. A
+ local, writable (reflinked) copy is
+ then made under the specified local
+ machine name. To omit creation of the
+ local, writable copy pass
+ <literal>-</literal> as local machine
+ name.</para>
+
+ <para>Similar to the behaviour of
+ <command>pull-tar</command>, the
+ read-only image is prefixed with
+ <filename>.raw-</filename>, and thus
+ now shown by
+ <command>list-images</command>, unless
+ <option>--all</option> is
+ passed.</para>
+
+ <para>Note that pressing C-c during
+ execution of this command will not
+ abort the download. Use
+ <command>cancel-transfer</command>,
+ described below.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>pull-dkr</command> <replaceable>REMOTE</replaceable> [<replaceable>NAME</replaceable>]</term>
+
+ <listitem><para>Downloads a
+ <literal>dkr</literal> container image
+ and makes it available locally. The
+ remote name refers to a
+ <literal>dkr</literal> container
+ name. If omitted, the local machine
+ name is derived from the
+ <literal>dkr</literal> container
+ name.</para>
+
+ <para>Image verification is not
+ available for <literal>dkr</literal>
+ containers, and thus
+ <option>--verify=no</option> must
+ always be specified with this
+ command.</para>
+
+ <para>This command downloads all
+ (missing) layers for the specified
+ container and places them in read-only
+ subvolumes in
+ <filename>/var/lib/machines/</filename>. A
+ writable snapshot of the newest layer
+ is then created under the specified
+ local machine name. To omit creation
+ of this writable snapshot, pass
+ <literal>-</literal> as local machine
+ name.</para>
+
+ <para>The read-only layer subvolumes
+ are prefixed with
+ <filename>.dkr-</filename>, and thus
+ now shown by
+ <command>list-images</command>, unless
+ <option>--all</option> is
+ passed.</para>
+
+ <para>To specify the
+ <literal>dkr</literal> index server to
+ use for looking up the specified
+ container, use
+ <option>--dkr-index-url=</option>.</para>
+
+ <para>Note that pressing C-c during
+ execution of this command will not
+ abort the download. Use
+ <command>cancel-transfer</command>,
+ described below.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>list-transfers</command></term>
+
+ <listitem><para>Shows a list of
+ container or VM image downloads that
+ are currently in
+ progress.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>cancel-transfers</command> <replaceable>ID</replaceable>...</term>
+
+ <listitem><para>Aborts download of the
+ container or VM image with the
+ specified ID. To list ongoing
+ transfers and their IDs, use
+ <command>list-transfers</command>.
+ </para></listitem>
+ </varlistentry>
</variablelist></refsect2>
@@ -606,7 +865,10 @@
available for control with
<command>machinectl</command>.</para>
- <para>Disk images are understood in three formats:</para>
+ <para>Disk images are understood by
+ <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ and <command>machinectl</command> in three
+ formats:</para>
<itemizedlist>
<listitem><para>A simple directory tree,
@@ -634,6 +896,54 @@
</refsect1>
<refsect1>
+ <title>Examples</title>
+ <example>
+ <title>Download an Ubuntu image and open a shell in it</title>
+
+ <programlisting># machinectl pull-tar https://cloud-images.ubuntu.com/trusty/current/trusty-server-cloudimg-amd64-root.tar.gz
+# systemd-nspawn -M trusty-server-cloudimg-amd64-root</programlisting>
+
+ <para>This downloads and verifies the
+ specified <filename>.tar</filename> image, and
+ then uses
+ <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ to open a shell in it.</para>
+ </example>
+
+ <example>
+ <title>Download a Fedora image, set a root password in it, start it as service</title>
+
+ <programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
+# systemd-nspawn -M Fedora-Cloud-Base-20141203-21
+# passwd
+# exit
+# machinectl start Fedora-Cloud-Base-20141203-21
+# machinectl login Fedora-Cloud-Base-20141203-21</programlisting>
+
+ <para>This downloads the specified
+ <filename>.raw</filename> image with
+ verification disabled. Then a shell is opened
+ in it and a root password is set. Afterwards
+ the shell is left, and the machine started as
+ system service. With the last command a login
+ prompt into the container is requested.</para>
+ </example>
+
+ <example>
+ <title>Download a Fedora <literal>dkr</literal> image</title>
+
+ <programlisting># machinectl pull-dkr --verify=no mattdm/fedora
+# systemd-nspawn -M fedora</programlisting>
+
+ <para>Downloads a <literal>dkr</literal> image
+ and opens a shell in it. Note that the
+ specified download command might require an
+ index server to be specified with the
+ <literal>--dkr-index-url=</literal>.</para>
+ </example>
+ </refsect1>
+
+ <refsect1>
<title>Exit status</title>
<para>On success, 0 is returned, a non-zero failure
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index b7f3be9..b0f7aa3 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -247,26 +247,43 @@
the root directory for the container
from. Takes a path to a regular file
or to a block device node. The file or
- block device must contain either an
- MBR partition table with a single
- partition of type 0x83 that is marked
- bootable, or a GUID partition table
- with a root partition which is mounted
- as the root directory of the
- container. Optionally, GPT images may
- contain a home and/or a server data
- partition which are mounted to the
- appropriate places in the
- container. All these partitions must
- be identified by the partition types
- defined by the <ulink
- url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
- Partitions Specification</ulink>. Any
- other partitions, such as foreign
- partitions, swap partitions or EFI
- system partitions are not mounted. May
- not be specified together with
- <option>--directory=</option>,
+ block device must contain either:</para>
+
+ <itemizedlist>
+ <listitem><para>An MBR
+ partition table with a single
+ partition of type 0x83 that is
+ marked
+ bootable.</para></listitem>
+
+ <listitem><para>A GUID
+ partition table (GPT) with a single
+ partition of type
+ 0fc63daf-8483-4772-8e79-3d69d8477de4.</para></listitem>
+
+ <listitem><para>A GUID
+ partition table (GPT) with a
+ marked root partition which is
+ mounted as the root directory
+ of the container. Optionally,
+ GPT images may contain a home
+ and/or a server data partition
+ which are mounted to the
+ appropriate places in the
+ container. All these
+ partitions must be identified
+ by the partition types defined
+ by the <ulink
+ url="http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/">Discoverable
+ Partitions
+ Specification</ulink>.</para></listitem>
+ </itemizedlist>
+
+ <para>Any other partitions, such as
+ foreign partitions, swap partitions or
+ EFI system partitions are not
+ mounted. May not be specified together
+ with <option>--directory=</option>,
<option>--template=</option> or
<option>--ephemeral</option>.</para></listitem>
</varlistentry>
@@ -412,7 +429,7 @@
<varlistentry>
<term><option>--network-ipvlan=</option></term>
- <listitem><para>Create a
+ <listitem><para>Create an
<literal>ipvlan</literal> interface
of the specified Ethernet network
interface and add it to the
@@ -831,8 +848,18 @@
<refsect1>
<title>Examples</title>
+
+ <example>
+ <title>Download a Fedora image and start a shell in it</title>
+
+ <programlisting># machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
+# systemd-nspawn -M Fedora-Cloud-Base-20141203-21</programlisting>
+
+<para>This downloads an image using <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry> and opens a shell in it.</para>
+ </example>
+
<example>
- <title>Boot a minimal Fedora distribution in a container</title>
+ <title>Build and boot a minimal Fedora distribution in a container</title>
<programlisting># yum -y --releasever=21 --nogpg --installroot=/srv/mycontainer --disablerepo='*' --enablerepo=fedora install systemd passwd yum fedora-release vim-minimal
# systemd-nspawn -bD /srv/mycontainer</programlisting>
@@ -867,18 +894,6 @@
</example>
<example>
- <title>Enable Arch Linux container on boot</title>
-
- <programlisting># mv ~/arch-tree /var/lib/machines/arch
-# systemctl enable systemd-nspawn at arch.service
-# systemctl start systemd-nspawn at arch.service</programlisting>
-
- <para>This makes the Arch Linux container part of the
- <filename>multi-user.target</filename> on the host.
- </para>
- </example>
-
- <example>
<title>Boot into an ephemeral <literal>btrfs</literal> snapshot of the host system</title>
<programlisting># systemd-nspawn -D / -xb</programlisting>
More information about the systemd-commits
mailing list