Creating containers with systemd

systemd-nspawn may be used to run a command or OS in a light-weight namespace container. It is more powerful than chroot.

debootstrap is a tool which will install a Debian base system into a subdirectory of another, already installed system. It doesn’t require an installation CD, just access to a Debian repository.

sudo su

cd /var/lib/machines

yum install debootstrap

# Sample values.



# Install base system.

$ debootstrap $DISTRO /var/lib/machines/$MACH

# You need dbus for proper integration from the host.

$ chroot /var/lib/machines/$MACH apt install dbus

# Now is the time to do any other customisation directly on the filesystem (see below).

# Place your customisations in the override file.

$ mkdir -p /etc/systemd/system/systemd-nspawn@$MACH.service.d/

$ echo "$CUSTOM" > /etc/systemd/system/systemd-nspawn@$MACH.service.d/override.conf

# Reload systemd, and enable and start the container.

$ systemctl daemon-reload 

$ systemctl enable systemd-nspawn@$MACH

$ systemctl start systemd-nspawn@$MACH

# Profit!

$ machinectl shell $MACH /bin/bash

The override file is important if we want to use the containers in the same network namespace as the host: it repeats the default command line without --network-veth.

The default configuration for systemd-nspawn uses the following arguments:

$ grep ExecStart /lib/systemd/system/systemd-nspawn@.service
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i

$ cat /etc/systemd/system/systemd-nspawn@$MACH.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest -U --settings=override --machine=%i

$ cp /etc/hosts /etc/resolv.conf /var/lib/machines/$MACH/etc/
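
The difference between the two ExecStart lines above is the isolation the container gets. As an added example (not part of the original post), this script checks a systemd-nspawn command line, or the last ExecStart= in a unit or drop-in file, for private networking and user namespacing; the function names and finding strings are made up for this illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Simplification: short
# options are recognised only when written alone (-n, -U), not clustered.

# audit_execstart LINE: print one finding per missing isolation option,
# or "ok". The body is a subshell, so `set -f` and variables stay local.
audit_execstart() (
    net=0
    userns=0
    set -f    # no globbing while the line is word-split
    for tok in ${1#ExecStart=}; do
        case $tok in
            # every --network-* option implies --private-network
            --private-network|--network-*|-n) net=1 ;;
            --private-users=*)
                case ${tok#*=} in
                    no|off|false|0) userns=0 ;;
                    *) userns=1 ;;
                esac ;;
            -U|--private-users) userns=1 ;;
        esac
    done
    [ "$net" -eq 1 ] || echo "shares-host-network"
    [ "$userns" -eq 1 ] || echo "no-user-namespace"
    if [ "$net" -eq 1 ] && [ "$userns" -eq 1 ]; then echo "ok"; fi
)

# audit_file FILE: audit the last ExecStart= assignment in a unit or
# drop-in file. An empty "ExecStart=" only clears earlier entries, so a
# drop-in normally has that reset line followed by the real command.
audit_file() {
    line=$(sed -n 's/^ExecStart=//p' "$1" | tail -n 1)
    if [ -n "$line" ]; then audit_execstart "$line"; else echo "no-execstart"; fi
}

# The packaged default and the override shown on this page.
DEFAULT_LINE='ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i'
OVERRIDE_LINE='ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest -U --settings=override --machine=%i'

echo "default:  $(audit_execstart "$DEFAULT_LINE")"
echo "override: $(audit_execstart "$OVERRIDE_LINE")"
```

With --settings=override, a matching .nspawn settings file takes precedence over the command line, so check it as well.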

machinectl commands to manage the containers

$ machinectl list-images

At this point your container is not running, so you can start your container with:

$ machinectl start mycontainer

You should then see your container in the list of running containers:

$ machinectl list

To invoke a shell to your container simply run:

$ machinectl login mycontainer

And just like before you can terminate the connection to the container by hitting Ctrl+] three times.

If you are no longer going to use your container you can shut it down with this command:

$ machinectl terminate container

Create the following in the file test_container.service:

sudo vi /etc/systemd/system/test_container.service
[Unit]
Description=Test Container

[Service]
ExecStart=/usr/bin/systemd-nspawn --machine=test_container --directory=/var/lib/machines/my_container -b


Then run systemctl start test_container

systemctl status test_container

machinectl list 

machinectl login test_container

Issues encountered

Could not log in with the command machinectl login mycontainer, which throws an error, so use the commands below:

sudo su

systemd-nspawn -M  mycontainer

Set a password using passwd.

This gives console access. Then remove or back up /etc/securetty in the container, which allows root login on all ttys.

Once done, use the command machinectl login mycontainer and log in as root with the password set before to get shell access to the container.

Example 1. Download an Ubuntu image and open a shell in it

# machinectl pull-tar
# systemd-nspawn -M trusty-server-cloudimg-amd64-root

This downloads and verifies the specified .tar image, and then uses systemd-nspawn(1) to open a shell in it.

Example 2. Download a Fedora image, set a root password in it, start it as service

# machinectl pull-raw --verify=no
# systemd-nspawn -M Fedora-Cloud-Base-20141203-21
# passwd
# exit
# machinectl start Fedora-Cloud-Base-20141203-21
# machinectl login Fedora-Cloud-Base-20141203-21

Start nginx inside the container

dnf install nginx
sudo systemctl status nginx
sudo systemctl start nginx

The conf file is nginx.conf under /etc/nginx; the conf files are usually under /etc/nginx/conf.d.

Install systemd-nspawn on Ubuntu or Debian

sudo su

apt-get install systemd-container 

machinectl pull-tar --verify=no alp


These writings represent my own personal views alone.
Licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.