I’m interested in this as well. I have a bunch of qemu virtual machine images that I converted to systemd-nspawn containers (i.e. I just copied their root file systems to `/var/lib/machines/<name>` and enabled them with `systemctl enable machines.target` and `machinectl enable <name>`, `machinectl start <name>`).
These container images contain full OS images, however (less the kernel which I manually removed from each image). As I understand it, much leaner images can be created using the OCI specification. But I have yet to learn what all that entails.
What I know so far has mostly been gleaned from reading the man page for systemd-nspawn. I found what looks to be a good starting tutorial for OCI images here: Getting Started with Buildah — Project Atomic. But I have not yet completed the tutorial. I think learning systemd-nspawn is still a good start because I think many of the container technologies are really just wrappers around the lower-level systemd-nspawn technology. systemd-nspawn even has a
P.S. It is possible to get the same users and groups from your host system in your NFS container. You can accomplish this with systemd-nspawn simply by bind mounting `/var/lib/sss/mc` from your host OS into the same location in your container. I am doing this currently on several of my container images. The tutorial I followed to get this working is here: Authenticating a docker container against host’s UNIX accounts – jhrozek. I have `/etc/systemd/nspawn/<name>.nspawn` configuration files on my host system in which I put settings for each container. The ones that use accounts from the host system include the following lines:
P.P.S. You’ll probably also want to run the following to get selinux to cooperate when running systemd-nspawn containers (maybe other container technologies as well):
semanage boolean -m -1 daemons_use_tty
semanage permissive -a container_t
semanage permissive -a systemd_machined_t
I think the first one was to get `machinectl shell <name>` to work properly. But I don’t remember for sure. There is also a `machinectl login <name>`, but I never use it because I had some problem with it a while back.
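As an added example (my own script, not the poster's), here is the procedure above turned into a small shell script: check a copied root filesystem, write the `.nspawn` unit with the SSSD cache bind mount, then run the three enable/start commands. `STAGE_ROOT` and `DRY_RUN` are assumed knobs of this script so the functions can be exercised in a scratch directory without root; on a real host both are left empty. The `BindReadOnly=` choice is mine and assumes the sss NSS client only needs to read the cache; if that does not hold for your setup, `Bind=` is the read-write form.

```shell
#!/bin/sh
# Added example, not code from the original post. It stages a copied VM root
# filesystem as a systemd-nspawn machine the way the post describes (check the
# tree, write the .nspawn unit, enable and start it). STAGE_ROOT and DRY_RUN
# are assumed knobs so the functions can be exercised in a scratch directory
# without root; on a real host both are left empty.
STAGE_ROOT="${STAGE_ROOT:-}"
DRY_RUN="${DRY_RUN:-}"

# Run a privileged command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi
}

# Sanity-check a copied root filesystem before registering it. It must be an
# OS tree with a systemd init, and it should no longer carry a kernel: the
# container boots on the host kernel, so a leftover /boot is dead weight.
# Returns 0 when usable, 1 otherwise.
check_rootfs() {
    rootfs="$1"
    if [ ! -f "$rootfs/etc/os-release" ]; then
        echo "no /etc/os-release in $rootfs"; return 1
    fi
    if [ ! -x "$rootfs/usr/lib/systemd/systemd" ] && [ ! -x "$rootfs/lib/systemd/systemd" ]; then
        echo "no systemd init in $rootfs"; return 1
    fi
    if [ -n "$(find "$rootfs/boot" -maxdepth 1 -name 'vmlinuz*' 2>/dev/null)" ]; then
        echo "kernel still present under $rootfs/boot"; return 1
    fi
    echo "rootfs $rootfs looks usable"
}

# Write <STAGE_ROOT>/etc/systemd/nspawn/<name>.nspawn and print its path.
# The host's SSSD memory cache is bound read-only (assumption: the sss NSS
# client only reads it), so a compromised container cannot tamper with the
# identity data the host's own processes consume.
write_nspawn() {
    name="$1"
    dir="$STAGE_ROOT/etc/systemd/nspawn"
    mkdir -p "$dir"
    cat > "$dir/$name.nspawn" <<EOF
[Exec]
Boot=yes

[Files]
BindReadOnly=/var/lib/sss/mc
EOF
    echo "$dir/$name.nspawn"
}

# Register the machine with systemd and start it (the post's three commands).
enable_machine() {
    name="$1"
    run systemctl enable machines.target
    run machinectl enable "$name"
    run machinectl start "$name"
}

# Usage: sh stage-machine.sh <name> <copied-rootfs-dir>
if [ "$#" -eq 2 ]; then
    check_rootfs "$2" || exit 1
    run mkdir -p "$STAGE_ROOT/var/lib/machines"
    run cp -a "$2" "$STAGE_ROOT/var/lib/machines/$1"
    write_nspawn "$1"
    enable_machine "$1"
fi
```

One note on the SELinux commands in the post: `semanage permissive -a <domain>` switches that whole domain to permissive mode, so SELinux logs denials for it but no longer blocks them. That gets the containers running, but it also removes the confinement that domain was providing; the usual follow-up is to collect the logged denials and build a targeted module (for example with audit2allow) so the domains can go back to enforcing.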