%entities; ]> systemd importctl 1 importctl Download, import or export disk images importctl OPTIONS COMMAND NAME importctl may be used to download, import, and export disk images via systemd-importd.service8. importctl operates both on block-level disk images (such as DDIs) as well as file-system-level images (tarballs). It supports disk images are one of the four following classes: VM images or full OS container images, that may be run via systemd-vmspawn1 or systemd-nspawn1, and managed via machinectl1. Portable service images, that may be attached an managed via portablectl1. System extension (sysext) images, that may be activated via systemd-sysext8. Configuration extension (confext) images, that may be activated via systemd-confext8. When images are downloaded or imported they are placed in the following directories, depending on the --class= parameter: Class Directory machine /var/lib/machines/ portable /var/lib/portables/ sysext /var/lib/extensions/ confext /var/lib/confexts/ The following commands are understood: pull-tar URL [NAME] Downloads a .tar image from the specified URL, and makes it available under the specified local name in the image directory for the selected --class=. The URL must be of type http:// or https://, and must refer to a .tar, .tar.gz, .tar.xz or .tar.bz2 archive file. If the local image name is omitted, it is automatically derived from the last component of the URL, with its suffix removed. The image is verified before it is made available, unless --verify=no is specified. Verification is done either via an inline signed file with the name of the image and the suffix .sha256 or via separate SHA256SUMS and SHA256SUMS.gpg files. The signature files need to be made available on the same web server, under the same URL as the .tar file. With --verify=checksum, only the SHA256 checksum for the file is verified, based on the .sha256 suffixed file or the SHA256SUMS file. With --verify=signature, the sha checksum file is first verified with the inline signature in the .sha256 file or the detached GPG signature file SHA256SUMS.gpg. The public key for this verification step needs to be available in /usr/lib/systemd/import-pubring.gpg or /etc/systemd/import-pubring.gpg. If -keep-download=yes is specified the image will be downloaded and stored in a read-only subvolume/directory in the image directory that is named after the specified URL and its HTTP etag. A writable snapshot is then taken from this subvolume, and named after the specified local name. This behavior ensures that creating multiple instances of the same URL is efficient, as multiple downloads are not necessary. In order to create only the read-only image, and avoid creating its writable snapshot, specify - as local name. Note that pressing C-c during execution of this command will not abort the download. Use cancel-transfer, described below. pull-raw URL [NAME] Downloads a .raw disk image from the specified URL, and makes it available under the specified local name in the image directory for the selected --class=. The URL must be of type http:// or https://. The image must either be a .qcow2 or raw disk image, optionally compressed as .gz, .xz, or .bz2. If the local name is omitted, it is automatically derived from the last component of the URL, with its suffix removed. Image verification is identical for raw and tar images (see above). If the downloaded image is in .qcow2 format it is converted into a raw image file before it is made available. If -keep-download=yes is specified the image will be downloaded and stored in a read-only file in the image directory that is named after the specified URL and its HTTP etag. A writable copy is then made from this file, and named after the specified local name. This behavior ensures that creating multiple instances of the same URL is efficient, as multiple downloads are not necessary. In order to create only the read-only image, and avoid creating its writable copy, specify - as local name. Note that pressing C-c during execution of this command will not abort the download. Use cancel-transfer, described below. import-tar FILE [NAME] import-raw FILE [NAME] Imports a TAR or RAW image, and places it under the specified name in the image directory for the image class selected via --class=. When import-tar is used, the file specified as the first argument should be a tar archive, possibly compressed with xz, gzip or bzip2. It will then be unpacked into its own subvolume/directory. When import-raw is used, the file should be a qcow2 or raw disk image, possibly compressed with xz, gzip or bzip2. If the second argument (the resulting image name) is not specified, it is automatically derived from the file name. If the filename is passed as -, the image is read from standard input, in which case the second argument is mandatory. No cryptographic validation is done when importing the images. Much like image downloads, ongoing imports may be listed with list and aborted with cancel-transfer. import-fs DIRECTORY [NAME] Imports an image stored in a local directory into the image directory for the image class selected via --class= and operates similarly to import-tar or import-raw, but the first argument is the source directory. If supported, this command will create a btrfs snapshot or subvolume for the new image. export-tar NAME [FILE] export-raw NAME [FILE] Exports a TAR or RAW image and stores it in the specified file. The first parameter should be an image name. The second parameter should be a file path the TAR or RAW image is written to. If the path ends in .gz, the file is compressed with gzip, if it ends in .xz, with xz, and if it ends in .bz2, with bzip2. If the path ends in neither, the file is left uncompressed. If the second argument is missing, the image is written to standard output. The compression may also be explicitly selected with the --format= switch. This is in particular useful if the second parameter is left unspecified. Much like image downloads and imports, ongoing exports may be listed with list and aborted with cancel-transfer. Note that, currently, only directory and subvolume images may be exported as TAR images, and only raw disk images as RAW images. list-transfer Shows a list of image downloads, imports and exports that are currently in progress. cancel-transfer ID… Aborts a download, import or export of the image with the specified ID. To list ongoing transfers and their IDs, use list. list-images Shows a list of already downloaded/imported images. The following options are understood: --read-only When used with pull-raw, pull-tar, import-raw, import-tar or import-fs a read-only image is created. --verify= When downloading an image, specify whether the image shall be verified before it is made available. Takes one of no, checksum and signature. If no, no verification is done. If checksum is specified, the download is checked for integrity after the transfer is complete, but no signatures are verified. If signature is specified, the checksum is verified and the image's signature is checked against a local keyring of trustable vendors. It is strongly recommended to set this option to signature if the server and protocol support this. Defaults to signature. --force When downloading an image, and a local copy by the specified local name already exists, delete it first and replace it by the newly downloaded image. --format= When used with the export-tar or export-raw commands, specifies the compression format to use for the resulting file. Takes one of uncompressed, xz, gzip, bzip2. By default, the format is determined automatically from the output image file name passed. -q --quiet Suppresses additional informational output while running. -M --machine= Connect to systemd-import.service8 running in a local container, to perform the specified operation within the container. --class= -m -P -S -C Selects the image class for the downloaded images. This primarily selects the directory to download into. The --class= switch takes machine, portable, sysext or confext as argument. The short options -m, -P, -S, -C are shortcuts for --class=machine, --class=portable, --class=sysext, --class=confext. Note that --keep-download= defaults to true for --class=machine and false otherwise, see below. --keep-download= -N Takes a boolean argument. When specified with pull-raw or pull-tar, selects whether to download directly into the specified local image name, or whether to download into a read-only copy first of which to make a writable copy after the download is completed. Defaults to true for --class=machine, false otherwise. The -N switch is a shortcut for --keep-download=no. # importctl pull-tar -mN https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64-root.tar.xz # systemd-nspawn -M jammy-server-cloudimg-amd64-root This downloads and verifies the specified .tar image, and then uses systemd-nspawn1 to open a shell in it. # importctl pull-raw -mN \ https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64-disk-kvm.img \ jammy # systemd-firstboot --image=/var/lib/machines/jammy.raw --prompt-root-password --force # machinectl start jammy # machinectl login jammy This downloads the specified .raw image and makes it available under the local name jammy. Then, a root password is set with systemd-firstboot1. Afterwards the machine is started as system service. With the last command a login prompt into the container is requested. # importctl export-tar -m fedora myfedora.tar.xz Exports the container fedora as an xz-compressed tar file myfedora.tar.xz into the current directory. On success, 0 is returned, a non-zero failure code otherwise. systemd1 systemd-importd.service8 systemd-nspawn1 systemd-vmspawn1 machinectl1 portablectl1 systemd-sysext8 systemd-confext8 tar1 xz1 gzip1 bzip21