virt-sandbox man page on RedHat


VIRT-SANDBOX.C(1)	    Virtualization Support	     VIRT-SANDBOX.C(1)

NAME
       virt-sandbox - Run cmd under a virtual machine sandbox

SYNOPSIS
       virt-sandbox [OPTIONS...] COMMAND [CMDARG1 [CMDARG2 [...]]]

       virt-sandbox [OPTIONS...] -S

DESCRIPTION
       Run the "cmd" application within a tightly confined virtual machine.
       The default sandbox domain only allows the application to read and
       write stdin, stdout and any other file descriptors handed to it. It
       is not allowed to open any other files.

OPTIONS
       -c URI, --connect=URI
	       Set the libvirt connection URI, defaults to qemu:///session if
	       omitted. Currently only the QEMU and LXC drivers are supported.

       -n NAME, --name=NAME
	       Set the unique name for the sandbox. This defaults to sandbox
	       but this will need to be changed if more than one sandbox is to
	       be run concurrently. This is used as the name of the libvirt
	       virtual machine or container.

       -m TYPE:DST=SRC, --mount TYPE:DST=SRC
	       Sets up a mount inside the sandbox at DST backed by SRC. The
	       meaning of SRC depends on the value of "TYPE" specified:

	       host-bind
		   If TYPE is host-bind, then SRC is interpreted as the path
		   to a directory on the host filesystem. If "SRC" is the
		   empty string, then a temporary (empty) directory is created
		   on the host before starting the sandbox and deleted
		   afterwards. The "--include" option is useful for populating
		   these temporary directories with copies of host files.

	       host-image
		   If TYPE is host-image, then SRC is interpreted as the path
		   to a disk image file on the host filesystem. The image
		   should be formatted with a filesystem that can be auto-
		   detected by the sandbox, such as ext3, ext4, etc. The disk
		   image itself should be a raw file, not qcow2 or any other
		   special format.

	       guest-bind
		   If TYPE is guest-bind, then SRC is interpreted as the path
		   to another directory in the container filesystem.

	       ram If TYPE is ram, then SRC is interpreted as specifying the
		   size of the RAM disk in bytes. The suffix K, KiB, M, MiB,
		   G, GiB can be used to alter the units from bytes to a coarser
		   level.

	       Some examples

		-m host-bind:/tmp=/var/lib/sandbox/demo/tmp
		-m host-image:/=/var/lib/sandbox/demo.img
		-m guest-bind:/home=/tmp/home
		-m ram:/tmp=500M
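
A pre-launch check for the -m argument described above, as an added example that is not part of the man page or of libvirt-sandbox. check_mount_spec is a hypothetical helper: it applies the documented TYPE:DST=SRC grammar, rejects qcow2 images by their magic bytes, and uses an assumed local deny-list of host paths for host-bind.

```shell
#!/bin/sh
# Added example (not from the man page): lint one "-m TYPE:DST=SRC" argument.
# Prints a verdict; returns 0 if acceptable, 1 otherwise.
check_mount_spec() {
    spec=$1
    case $spec in *:*=*) ;; *) echo malformed; return 1 ;; esac
    type=${spec%%:*}; rest=${spec#*:}      # TYPE ends at the first ':'
    dst=${rest%%=*};  src=${rest#*=}       # DST ends at the first '='
    case $dst in /*) ;; *) echo dst-not-absolute; return 1 ;; esac
    # A ".." component would defeat the prefix checks below.
    case "/$src/" in */../*) echo dotdot-in-src; return 1 ;; esac
    case $type in
    host-bind)
        # Empty SRC is documented: a temporary empty host directory is used.
        if [ -z "$src" ]; then echo ok; return 0; fi
        case $src in /*) ;; *) echo src-not-absolute; return 1 ;; esac
        # Local policy (assumption): host trees that must never be exposed.
        case ${src%/}/ in
        /|/etc/*|/root/*|/boot/*) echo sensitive-host-path; return 1 ;;
        esac ;;
    host-image)
        [ -f "$src" ] || { echo image-missing; return 1; }
        # The page requires a raw image; qcow2 files start with "QFI\xfb".
        magic=$(od -An -tx1 -N4 "$src" | tr -d ' \n')
        if [ "$magic" = 514649fb ]; then echo image-is-qcow2; return 1; fi ;;
    guest-bind)
        case $src in /*) ;; *) echo src-not-absolute; return 1 ;; esac ;;
    ram)
        # Digits followed by at most one documented suffix.
        num=$src
        for suf in KiB MiB GiB K M G; do
            case $num in *"$suf") num=${num%"$suf"}; break ;; esac
        done
        case $num in ''|*[!0-9]*) echo bad-ram-size; return 1 ;; esac ;;
    *)  echo unknown-type; return 1 ;;
    esac
    echo ok
}

# The page's own examples; the host-image verdict depends on this host.
for s in host-bind:/tmp=/var/lib/sandbox/demo/tmp \
         host-image:/=/var/lib/sandbox/demo.img \
         guest-bind:/home=/tmp/home ram:/tmp=500M; do
    printf '%s -> %s\n' "$s" "$(check_mount_spec "$s")"
done
```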

       -I HOST-PATH, --includefile=HOST-PATH
	       Copy all files listed in the file HOST-PATH into the
	       appropriate temporary sandbox directories.

       -N NETWORK-OPTIONS, --network NETWORK-OPTIONS
	       Add a network interface to the sandbox. NETWORK-OPTIONS is a
	       set of key=val pairs, separated by commas. The following
	       options are valid

	       dhcp
		   Configure the network interface using dhcp. This key takes
		   no value. No other keys may be specified, e.g.

		     -N dhcp,source=default
		     --network dhcp,source=lan

		   where 'source' is the name of any libvirt virtual network.

	       source=NETWORK
		   Set the name of the network to connect the interface to.
		   "NETWORK" is the name of any libvirt virtual network. See
		   also virsh net-list.

	       mac=NN:NN:NN:NN:NN:NN
		   Set the MAC address of the network interface, where each NN
		   is a pair of hex digits.

	       address=IP-ADDRESS/PREFIX%BROADCAST
		   Configure the network interface with the static IPv4 or
		   IPv6 address IP-ADDRESS. The PREFIX value is the length of
		   the network prefix in IP-ADDRESS. The optional BROADCAST
		   parameter specifies the broadcast address. Some examples

		     address=192.168.122.1/24
		     address=192.168.122.1/24%192.168.122.255
		     address=2001:212::204:2/64

	       route=IP-NETWORK/PREFIX%GATEWAY
		   Configure the network interface with the static IPv4 or
		   IPv6 route IP-NETWORK. The PREFIX value is the length of
		   the network prefix in IP-NETWORK. The GATEWAY parameter
		   specifies the address of the gateway for the route. Some
		   examples

		     route=192.168.122.255/24%192.168.1.1

       -s SECURITY-OPTIONS, --security=SECURITY-OPTIONS
	       Use alternative security options. SECURITY-OPTIONS is a set of
	       key=val pairs, separated by commas. The following options are
	       valid for SELinux

	       dynamic
		   Dynamically allocate an SELinux label, using the default
		   base context.  The default base context is
		   system_u:system_r:svirt_lxc_net_t:s0 for LXC,
		   system_u:system_r:svirt_t:s0 for KVM,
		   system_u:system_r:svirt_tcg_t:s0 for QEMU.

	       dynamic,label=USER:ROLE:TYPE:LEVEL
		   Dynamically allocate an SELinux label, using the base
		   context USER:ROLE:TYPE:LEVEL, instead of the default base
		   context.

	       static,label=USER:ROLE:TYPE:LEVEL
		   To set a completely static label. For example,
		   static,label=system_u:system_r:svirt_t:s0:c412,c355
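
A validator for the -s argument forms listed above, as an added example that is not part of the man page or of libvirt-sandbox. check_security_opt is a hypothetical helper: it keeps the commas of the category list inside LEVEL instead of splitting on them, and its rule that a static label must name its own categories is an assumed local policy.

```shell
#!/bin/sh
# Added example (not from the man page): validate one "-s" argument.
# Prints a verdict; returns 0 if acceptable, 1 otherwise.
check_security_opt() {
    opt=$1
    case $opt in
    dynamic)         echo ok-default-base; return 0 ;;
    dynamic,label=*) mode=dynamic ;;
    static,label=*)  mode=static ;;
    static)          echo static-needs-label; return 1 ;;
    *)               echo malformed; return 1 ;;
    esac
    # Cut at the first ",label=" only: the category list in LEVEL may
    # itself contain commas (s0:c412,c355), so never split on ','.
    label=${opt#*,label=}
    # LEVEL receives the remainder, including any further ':' characters.
    IFS=: read -r user role type level <<EOF
$label
EOF
    for field in "$user" "$role" "$type"; do
        case $field in ''|*[!A-Za-z0-9_]*) echo bad-label; return 1 ;; esac
    done
    # LEVEL: a sensitivity (s0 or s0-s1), then optional categories.
    if ! printf '%s\n' "$level" |
         grep -Eq '^s[0-9]+(-s[0-9]+)?(:c[0-9]+([.,]c[0-9]+)*)?$'; then
        echo bad-level; return 1
    fi
    # Local policy (assumption): a static label is used as written, so it
    # must carry its own categories to stay distinct from other sandboxes.
    if [ "$mode" = static ]; then
        case $level in
        *:c*) ;;
        *) echo static-without-categories; return 1 ;;
        esac
    fi
    echo "ok-$mode"
}

# The static example from the page, then the same label without categories.
for o in 'static,label=system_u:system_r:svirt_t:s0:c412,c355' \
         'static,label=system_u:system_r:svirt_t:s0'; do
    printf '%s -> %s\n' "$o" "$(check_security_opt "$o")"
done
```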

       -p, --privileged
	       Retain root privileges inside the sandbox, rather than dropping
	       privileges to match the current user identity.

       -l, --shell
	       Launch an interactive shell on a secondary console device

       -V, --version
	       Display the version number and exit

       -v, --verbose
	       Display verbose progress information

       -d, --debug
	       Display debugging information

       -h, --help
	       Display help information

EXAMPLES
       Run an interactive shell under LXC, replacing $HOME with the contents
       of $HOME/scratch

	 # mkdir $HOME/scratch
	 # echo "hello" > $HOME/scratch/foo
	 # echo "sandbox" > $HOME/scratch/bar
	 # virt-sandbox -c lxc:/// -m host-bind:$HOME=$HOME/scratch -i $HOME/scratch/foo -i $HOME/scratch/bar /bin/sh

       Convert an OGG file to WAV inside QEMU

	 # virt-sandbox -c qemu:///session  -- /usr/bin/oggdec -Q -o - - < somefile.ogg > somefile.wav

SEE ALSO
       sandbox(8), virsh(1)

AUTHORS
       Daniel P. Berrange <dan@berrange.com>

COPYRIGHT
       Copyright (C) 2011 Daniel P. Berrange <dan@berrange.com>
       Copyright (C) 2011-2012 Red Hat, Inc.

LICENSE
       virt-sandbox is distributed under the terms of the GNU LGPL v2+. This
       is free software; see the source for copying conditions. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.

libvirt-sandbox-0.5.0		  2013-10-03		     VIRT-SANDBOX.C(1)