

<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="importctl" conditional='ENABLE_MACHINED'
<refpurpose>Download, import or export disk images</refpurpose>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="req">COMMAND</arg>
<arg choice="opt" rep="repeat">NAME</arg>
<para><command>importctl</command> may be used to download, import, and export disk images via
<para><command>importctl</command> operates both on block-level disk images (such as DDIs) as well as
file-system-level images (tarballs). It supports disk images in one of the four following
<listitem><para>VM images or full OS container images, that may be run via
<citerefentry><refentrytitle>systemd-vmspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> or
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>, and
managed via
<listitem><para>Portable service images, that may be attached and managed via
<listitem><para>System extension (sysext) images, that may be activated via
<listitem><para>Configuration extension (confext) images, that may be activated via
<para>When images are downloaded or imported they are placed in the following directories, depending on
the <option>--class=</option> parameter:</para>
<title>Classes and Directories</title>
<tgroup cols='2'>
<colspec colname='class' />
<colspec colname='directory' />
<para>The following commands are understood:</para>
<term><command>pull-tar</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Downloads a <filename>.tar</filename> image from the specified URL, and makes it
available under the specified local name in the image directory for the selected
<option>--class=</option>. The URL must be of type <literal>http://</literal> or
<literal>https://</literal>, and must refer to a <filename>.tar</filename>,
<filename>.tar.gz</filename>, <filename>.tar.xz</filename> or <filename>.tar.bz2</filename> archive
file. If the local image name is omitted, it is automatically derived from the last component of the
URL, with its suffix removed.</para>
<para>The image is verified before it is made available, unless <option>--verify=no</option> is
specified. Verification is done either via an inline signed file with the name of the image and the
suffix <filename>.sha256</filename> or via separate <filename>SHA256SUMS</filename> and
<filename>SHA256SUMS.gpg</filename> files. The signature files need to be made available on the same
web server, under the same URL as the <filename>.tar</filename> file. With
<option>--verify=checksum</option>, only the SHA256 checksum for the file is verified, based on the
<filename>.sha256</filename> suffixed file or the <filename>SHA256SUMS</filename> file. With
<option>--verify=signature</option>, the SHA256 checksum file is first verified with the inline
signature in the <filename>.sha256</filename> file or the detached GPG signature file
<filename>SHA256SUMS.gpg</filename>. The public key for this verification step needs to be available
in <filename>/usr/lib/systemd/import-pubring.gpg</filename> or
<para>If <option>--keep-download=yes</option> is specified the image will be downloaded and stored in
a read-only subvolume/directory in the image directory that is named after the specified URL and its
HTTP etag. A writable snapshot is then taken from this subvolume, and named after the specified local
name. This behavior ensures that creating multiple instances of the same URL is efficient, as
multiple downloads are not necessary. In order to create only the read-only image, and avoid creating
its writable snapshot, specify <literal>-</literal> as local name.</para>
<para>Note that pressing C-c during execution of this command will not abort the download. Use
<command>cancel-transfer</command>, described below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<term><command>pull-raw</command> <replaceable>URL</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Downloads a <filename>.raw</filename> disk image from the specified URL, and makes it
available under the specified local name in the image directory for the selected
<option>--class=</option>. The URL must be of type <literal>http://</literal> or
<literal>https://</literal>. The image must either be a <filename>.qcow2</filename> or raw disk
image, optionally compressed as <filename>.gz</filename>, <filename>.xz</filename>, or
<filename>.bz2</filename>. If the local name is omitted, it is automatically derived from the last
component of the URL, with its suffix removed.</para>
<para>Image verification is identical for raw and tar images (see above).</para>
<para>If the downloaded image is in <filename>.qcow2</filename> format it is converted into a raw
image file before it is made available.</para>
<para>If <option>--keep-download=yes</option> is specified the image will be downloaded and stored in
a read-only file in the image directory that is named after the specified URL and its HTTP etag. A
writable copy is then made from this file, and named after the specified local name. This behavior
ensures that creating multiple instances of the same URL is efficient, as multiple downloads are not
necessary. In order to create only the read-only image, and avoid creating its writable copy,
specify <literal>-</literal> as local name.</para>
<para>Note that pressing C-c during execution of this command will not abort the download. Use
<command>cancel-transfer</command>, described below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<term><command>import-tar</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term>
<term><command>import-raw</command> <replaceable>FILE</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Imports a TAR or RAW image, and places it under the specified name in the image
directory for the image class selected via <option>--class=</option>. When
<command>import-tar</command> is used, the file specified as the first argument should be a tar
archive, possibly compressed with xz, gzip or bzip2. It will then be unpacked into its own
subvolume/directory. When <command>import-raw</command> is used, the file should be a qcow2 or raw
disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image
name) is not specified, it is automatically derived from the file name. If the filename is passed as
<literal>-</literal>, the image is read from standard input, in which case the second argument is
<para>No cryptographic validation is done when importing the images.</para>
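<para>Because the import commands skip verification, an image obtained out of band can be checked by hand against the same <filename>SHA256SUMS</filename> and <filename>SHA256SUMS.gpg</filename> files that <command>pull-tar</command> uses. The script below is an added example, not part of systemd or of this manual page; the function names are hypothetical, and it assumes <command>sha256sum</command>, <command>awk</command> and (for the optional signature step) <command>gpgv</command> are installed.</para>

```shell
#!/bin/sh
# Added example (not systemd code): check a local image against a vendor
# SHA256SUMS list, and optionally its detached signature, before import.

# expected_sum SUMS IMAGE_NAME: print the digest listed for IMAGE_NAME.
# Assumes file names without whitespace, as in typical SHA256SUMS files.
expected_sum() {
    awk -v name="$2" '
        { f = $2; sub(/^\*/, "", f) }   # "*name" marks binary mode
        f == name { print tolower($1); found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# verify_image IMAGE SUMS [SIG KEYRING]
# Returns 0 verified, 1 digest mismatch, 2 image not listed, 3 bad signature.
verify_image() {
    image=$1; sums=$2; sig=${3:-}; keyring=${4:-}
    # Check the signature on the list first: an unsigned list proves
    # integrity of the transfer only, not who published the image.
    if [ -n "$sig" ]; then
        gpgv --keyring "$keyring" "$sig" "$sums" 2>/dev/null || return 3
    fi
    want=$(expected_sum "$sums" "$(basename "$image")") || return 2
    have=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$want" = "$have" ] || return 1
}

# Constructed sample data: a throwaway "image" and a matching checksum list.
demo() {
    dir=$(mktemp -d)
    printf 'constructed image payload\n' > "$dir/demo.tar"
    digest=$(sha256sum "$dir/demo.tar" | awk '{ print $1 }')
    printf '%s *demo.tar\n' "$digest" > "$dir/SHA256SUMS"
    ok=0;  verify_image "$dir/demo.tar" "$dir/SHA256SUMS" || ok=$?
    printf 'tampered\n' >> "$dir/demo.tar"
    bad=0; verify_image "$dir/demo.tar" "$dir/SHA256SUMS" || bad=$?
    rm -rf "$dir"
    echo "intact=$ok tampered=$bad"
}
demo
```

<para>To include the signature step, pass the detached signature and a keyring as the third and fourth arguments, for example <filename>SHA256SUMS.gpg</filename> and <filename>/usr/lib/systemd/import-pubring.gpg</filename>, and run <command>importctl import-tar</command> only when the function returns 0.</para>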
<para>Much like image downloads, ongoing imports may be listed with <command>list</command>
and aborted with <command>cancel-transfer</command>.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<term><command>import-fs</command> <replaceable>DIRECTORY</replaceable> [<replaceable>NAME</replaceable>]</term>
<listitem><para>Imports an image stored in a local directory into the image directory for the image
class selected via <option>--class=</option> and operates similarly to <command>import-tar</command>
or <command>import-raw</command>, but the first argument is the source directory. If supported, this
command will create a btrfs snapshot or subvolume for the new image.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<term><command>export-tar</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term>
<term><command>export-raw</command> <replaceable>NAME</replaceable> [<replaceable>FILE</replaceable>]</term>
<listitem><para>Exports a TAR or RAW image and stores it in the specified file. The first parameter
should be an image name. The second parameter should be a file path the TAR or RAW
image is written to. If the path ends in <literal>.gz</literal>, the file is compressed with gzip, if
it ends in <literal>.xz</literal>, with xz, and if it ends in <literal>.bz2</literal>, with bzip2. If
the path ends in neither, the file is left uncompressed. If the second argument is missing, the image
is written to standard output. The compression may also be explicitly selected with the
<option>--format=</option> switch. This is in particular useful if the second parameter is left
<para>Much like image downloads and imports, ongoing exports may be listed with
<command>list</command> and aborted with <command>cancel-transfer</command>.</para>
<para>Note that, currently, only directory and subvolume images may be exported as TAR images, and
only raw disk images as RAW images.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<listitem><para>Shows a list of image downloads, imports and exports that are currently in
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<term><command>cancel-transfer</command> <replaceable>ID</replaceable></term>
<listitem><para>Aborts a download, import or export of the image with the specified ID. To list
ongoing transfers and their IDs, use <command>list</command>. </para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<listitem><para>Shows a list of already downloaded/imported images.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<para>The following options are understood:</para>
<para>When used with <command>pull-raw</command>, <command>pull-tar</command>,
<command>import-raw</command>, <command>import-tar</command> or <command>import-fs</command> a
read-only image is created.</para>
<xi:include href="version-info.xml" xpointer="v256"/>
<listitem><para>When downloading an image, specify whether the image shall be verified before it is
made available. Takes one of <literal>no</literal>, <literal>checksum</literal> and
<literal>signature</literal>. If <literal>no</literal>, no verification is done. If
<literal>checksum</literal> is specified, the download is checked for integrity after the transfer is
complete, but no signatures are verified. If <literal>signature</literal> is specified, the checksum
is verified and the image's signature is checked against a local keyring of trusted vendors. It is
strongly recommended to set this option to <literal>signature</literal> if the server and protocol
support this. Defaults to <literal>signature</literal>.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<listitem><para>When downloading an image, and a local copy by the specified local name already
exists, delete it first and replace it by the newly downloaded image.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<listitem><para>When used with the <command>export-tar</command> or <command>export-raw</command>
commands, specifies the compression format to use for the resulting file. Takes one of
<literal>uncompressed</literal>, <literal>xz</literal>, <literal>gzip</literal>,
<literal>bzip2</literal>. By default, the format is determined automatically from the output image
file name passed.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<listitem><para>Suppresses additional informational output while running.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<xi:include href="user-system-options.xml" xpointer="host" />
<listitem><para>Connect to
running in a local container, to perform the specified operation within the container.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<listitem><para>Selects the image class for the downloaded images. This primarily selects the
directory to download into. The <option>--class=</option> switch takes <literal>machine</literal>,
<literal>portable</literal>, <literal>sysext</literal> or <literal>confext</literal> as argument. The
short options <option>-m</option>, <option>-P</option>, <option>-S</option>, <option>-C</option> are
shortcuts for <option>--class=machine</option>, <option>--class=portable</option>,
<option>--class=sysext</option>, <option>--class=confext</option>.</para>
<para>Note that <option>--keep-download=</option> defaults to true for
<option>--class=machine</option> and false otherwise, see below.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<listitem><para>Takes a boolean argument. When specified with <command>pull-raw</command> or
<command>pull-tar</command>, selects whether to download directly into the specified local image
name, or whether to download into a read-only copy first, from which a writable copy is made after the
download is completed. Defaults to true for <option>--class=machine</option>, false otherwise.</para>
<para>The <option>-N</option> switch is a shortcut for <option>--keep-download=no</option>.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
<xi:include href="standard-options.xml" xpointer="json" />
<xi:include href="standard-options.xml" xpointer="j" />
<xi:include href="standard-options.xml" xpointer="no-pager" />
<xi:include href="standard-options.xml" xpointer="no-legend" />
<xi:include href="standard-options.xml" xpointer="no-ask-password" />
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
<example id="example-import-tar">
<title>Download an Ubuntu TAR image and open a shell in it</title>
<programlisting># importctl pull-tar -mN
# systemd-nspawn -M jammy-server-cloudimg-amd64-root</programlisting>
<para>This downloads and verifies the specified <filename>.tar</filename> image, and then uses
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> to
open a shell in it.</para>
<example id="example-import-raw">
<title>Download an Ubuntu RAW image, set a root password in it, start
it as a service</title>
<programlisting># importctl pull-raw -mN \ \
# systemd-firstboot --image=/var/lib/machines/jammy.raw --prompt-root-password --force
# machinectl start jammy
# machinectl login jammy</programlisting>
<para>This downloads the specified <filename>.raw</filename> image and makes it available under the
local name <literal>jammy</literal>. Then, a root password is set with
<citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>. Afterwards
the machine is started as system service. With the last command a login prompt into the container is
<example id="example-export-tar">
<title>Exports a container image as tar file</title>
<programlisting># importctl export-tar -m fedora myfedora.tar.xz</programlisting>
<para>Exports the container <literal>fedora</literal> as an xz-compressed tar file
<filename>myfedora.tar.xz</filename> into the current directory.</para>
<title>Exit status</title>
<para>On success, 0 is returned, a non-zero failure code
<xi:include href="common-variables.xml" />
<title>See Also</title>
<para><simplelist type="inline">
<member><citerefentry project='die-net'><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>xz</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>gzip</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry project='die-net'><refentrytitle>bzip2</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>