
systemd-nspawn: Lightweight Container Execution

systemd-nspawn, part of the systemd project, is a tool for creating and running isolated Linux container environments without the overhead of virtual machines. It provides stronger isolation than chroot and is lighter than virtual machines, making it useful for setting up test, development, and deployment environments.

Overview

systemd-nspawn runs containers on the host's kernel while placing them in their own mount, PID, UTS and IPC namespaces, and optionally their own network and user namespaces, so the container sees its own file system, process tree, hostname and (if requested) network stack. Because the kernel is shared, the separation is a namespace boundary rather than a hypervisor boundary; that is adequate for keeping development and test environments, or different distributions, apart from the host, but not for confining a hostile workload.

Key Features

  • Provides a lightweight container environment
  • Shares host kernel for resource efficiency
  • Isolates file system, processes, and network
  • Offers stronger isolation than chroot
  • Supports systemd-based container booting

Key Options

The main options for systemd-nspawn control the container's behavior, isolation level, network settings, and more.

Basic Container Settings

  • `-D`, `--directory=`: path to the directory used as the container's root file system
  • `-b`, `--boot`: boot the init system found in the root file system instead of running a single command
  • `-M`, `--machine=`: name under which the container is registered; defaults to the last component of the directory path

Network Settings

  • `--private-network`: give the container its own network namespace containing only a loopback interface
  • `--network-veth`: create a virtual Ethernet pair between host and container (implies `--private-network`)

Resources and Permissions

  • `--bind=`, `--bind-ro=`: bind-mount a host path into the container, read-write or read-only
  • `--private-users=`: run the container in a user namespace with remapped UIDs/GIDs
  • `--drop-capability=`: drop further capabilities on top of the set systemd-nspawn already removes


Usage Examples

Examples of running various container environments using systemd-nspawn.

Basic Container Execution (bash)

sudo systemd-nspawn -D /var/lib/machines/mycontainer /bin/bash

Runs /bin/bash as PID 1 inside a container whose root is the given directory; add `-a`/`--as-pid2` to run it as PID 2 under a minimal stub init instead.

systemd Boot Container

sudo systemd-nspawn -b -D /var/lib/machines/mycontainer

Boots the init system found in the root file system (systemd at /usr/lib/systemd/systemd or /lib/systemd/systemd, or /sbin/init) as PID 1, providing a complete system environment. The image must contain such an init or the boot fails. Pressing ^] three times within a second kills the container from the console.

Network Isolated Container

sudo systemd-nspawn --private-network -D /var/lib/machines/mycontainer /bin/bash

Runs the container in its own network namespace containing only a loopback interface, so it can reach neither the host's interfaces nor any external network.

Host Path Bind Mount

sudo systemd-nspawn -D /var/lib/machines/mycontainer --bind=/home/user/data:/mnt/data /bin/bash

Bind-mounts the host's /home/user/data at /mnt/data inside the container, read-write. Use `--bind-ro=` instead when the container only needs to read the data.

Network Connection with Virtual Ethernet

sudo systemd-nspawn -D /var/lib/machines/mycontainer --network-veth /bin/bash

Creates a veth pair: the host side is named ve-<machine name> (here ve-mycontainer) and the container side host0. `--network-veth` implies `--private-network`, and neither end gets an address by itself; something such as systemd-networkd on both sides has to configure them.

Installation

On Debian, Ubuntu and the Fedora/RHEL family systemd-nspawn ships in the `systemd-container` package; on Arch Linux it is part of the `systemd` package itself. It is therefore pre-installed or easily installable on most systemd-based Linux distributions.

Debian/Ubuntu

sudo apt update && sudo apt install systemd-container

Install the systemd-container package using the apt package manager.

Fedora/RHEL/CentOS

sudo dnf install systemd-container

Install the systemd-container package using the dnf package manager.

Arch Linux

No separate package is needed: systemd-nspawn is included in the `systemd` package that every Arch installation already has. To build container root file systems with `pacstrap`, install the scripts that provide it:

sudo pacman -S arch-install-scripts

Install the arch-install-scripts package using the pacman package manager.

Tips & Considerations

Tips and considerations for effectively using systemd-nspawn.

Key Tips

  • **Root Privileges Required**: systemd-nspawn creates namespaces and mounts, so it must be run with `sudo` or as root.
  • **Prepare Container Image**: The container's root file system must be prepared beforehand, using tools like `debootstrap`, `dnf --installroot`, or `pacstrap`. For `-b` it must also contain an init (systemd at /usr/lib/systemd/systemd or /lib/systemd/systemd, or /sbin/init).
  • **Understand Network Settings**: `--private-network` leaves the container with only a loopback interface; `--network-veth` adds a veth pair to the host and implies `--private-network`; with neither option the container shares the host's network namespace. Choose the appropriate option based on your needs.
  • **Security Considerations**: systemd-nspawn shares the host kernel, just like Docker and other Linux containers, so a kernel vulnerability reachable from inside the container compromises the host; only a virtual machine (KVM/QEMU and the like) provides a separate kernel. The systemd-nspawn man page itself states that it is not suitable for fully secure container setups and that its protections mainly guard against accidental changes to the host. For anything untrusted, at minimum use `--private-users=pick` (user namespaces), `--private-network` or `--network-veth`, `--bind-ro=` rather than `--bind=`, and `--drop-capability=` for capabilities the workload does not need, and prefer a VM where the threat model demands it.
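The following script is an added example, not code from the original page or from the systemd project. It ties together the usage examples above and these tips: it checks that the root file system exists and contains an init before attempting `-b`, assembles the hardened option set recommended above (user namespace, veth-only networking, read-only data mount, an extra dropped capability), and by default only prints the resulting command so it can be reviewed before running it as root. The helper names, the data directory /srv/data, the mount point /mnt/data and the choice of CAP_SYS_PTRACE as the dropped capability are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original page or the systemd project.
# Wraps the systemd-nspawn invocations shown above in a few checks and a
# hardened option set. Helper names, /srv/data, /mnt/data and the dropped
# capability are assumptions chosen for illustration.

# Return 0 if DIR looks bootable by `systemd-nspawn -b`, i.e. it contains an
# init at one of the locations nspawn looks for; return 1 otherwise.
container_has_init() {
    dir=$1
    [ -x "$dir/usr/lib/systemd/systemd" ] ||
        [ -x "$dir/lib/systemd/systemd" ] ||
        [ -x "$dir/sbin/init" ]
}

# Print the hardened argument list, one argument per line.
#   --private-users=pick   map container uid 0 onto an unused host uid range
#   --network-veth         own network namespace plus a veth pair to the host
#                          (implies --private-network)
#   --drop-capability      drop CAP_SYS_PTRACE in addition to nspawn's defaults
#   --bind-ro              expose host data read-only instead of using --bind
nspawn_hardened_args() {
    dir=$1
    data=$2
    name=$3
    printf '%s\n' \
        "--directory=$dir" \
        "--machine=$name" \
        "--boot" \
        "--private-users=pick" \
        "--network-veth" \
        "--drop-capability=CAP_SYS_PTRACE" \
        "--bind-ro=$data:/mnt/data"
}

# Check preconditions, then either print the command (dry run, the default)
# or exec the container. Usage: run_container DIR DATA_DIR [NAME]
run_container() {
    dir=$1
    data=$2
    name=${3:-$(basename "$dir")}

    if ! [ -d "$dir" ]; then
        echo "no root file system at $dir (build one with debootstrap, dnf --installroot or pacstrap)" >&2
        return 1
    fi
    if ! container_has_init "$dir"; then
        echo "$dir contains no init; systemd-nspawn -b needs one" >&2
        return 1
    fi

    # Turn the newline-separated list into positional parameters. Globbing is
    # disabled meanwhile; paths containing newlines are not supported here.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(nspawn_hardened_args "$dir" "$data" "$name")
    set +f
    IFS=$old_ifs

    if [ "${NSPAWN_DRY_RUN:-1}" = 1 ]; then
        printf 'systemd-nspawn'
        printf ' %s' "$@"
        printf '\n'
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "systemd-nspawn must run as root" >&2
        return 1
    fi
    exec systemd-nspawn "$@"
}

# Only act when invoked with arguments, for example:
#   NSPAWN_DRY_RUN=0 sudo ./run.sh /var/lib/machines/mycontainer /srv/data
if [ $# -gt 0 ]; then
    run_container "$@"
fi
```

The dry run is the default on purpose: the printed command line is what you would paste after `sudo`, and it is cheap to review that the read-only bind and the user namespace are actually present before handing root to the container. Setting `NSPAWN_DRY_RUN=0` replaces the shell with systemd-nspawn, so the script's own exit status is the container's.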

