Provided by: virt-sandbox_0.5.1+git20160404-1_amd64


       virt-sandbox - Run cmd under a virtual machine sandbox


       virt-sandbox [OPTIONS...] COMMAND

       virt-sandbox [OPTIONS...] -- COMMAND [CMDARG1 [CMDARG2 [...]]]


       Run the "cmd" application within a tightly confined virtual machine. The default sandbox
       domain only allows the application to read and write stdin, stdout and any other file
       descriptors handed to it. It is not allowed to open any other files.


       -c URI, --connect=URI
               Set the libvirt connection URI, defaults to qemu:///session if omitted.
               Alternatively the "LIBVIRT_DEFAULT_URI" environment variable can be set, or the
               config file "/etc/libvirt/libvirt.conf" can have a default URI set.  Currently
               only the QEMU and LXC drivers are supported.

       -n NAME, --name=NAME
               Set the unique name for the sandbox. This defaults to "sandbox", but it must be
               changed if more than one sandbox is to be run concurrently. This is used as
               the name of the libvirt virtual machine or container.

       -r DIR, --root DIR
               Use DIR as the root directory of the sandbox, instead of inheriting the host's
               root filesystem.

               NB. "DIR" must contain a matching install of the libvirt-sandbox package. This
               restriction may be lifted in a future version.

       --env key=value
               Sets up a custom environment variable on a running sandbox.

       --disk TYPE:TAGNAME=SOURCE,format=FORMAT
               Sets up a disk inside the sandbox by using SOURCE with a symlink named as TAGNAME
               and type TYPE and format FORMAT. Example:

                 file:cache=/var/lib/sandbox/demo/tmp.qcow2,format=qcow2

               Format is an optional

                   Type parameter can be set to "file".

                   TAGNAME will be created under /dev/disk/by-tag/TAGNAME. It will be linked to
                   the device under /dev

                   Source parameter needs to point to a file which must be one of the valid domain
                   disk formats supported by qemu.

                   Format parameter must be set to the same disk format as the file passed on
                   source parameter.  This parameter is optional and the format can be guessed
                   from the image extension.

       -m TYPE:DST=SRC, --mount TYPE:DST=SRC
               Sets up a mount inside the sandbox at DST backed by SRC. The meaning of SRC
               depends on the value of "TYPE" specified:

                   If TYPE is host-bind, then SRC is interpreted as the path to a directory on
                   the host filesystem. If "SRC" is the empty string, then a temporary (empty)
                   directory is created on the host before starting the sandbox and deleted
                   afterwards. The "--include" option is useful for populating these temporary
                   directories with copies of host files.

                   If TYPE is host-image, then SRC is interpreted as the path to a disk image
                   file on the host filesystem. The image should be formatted with a filesystem
                   that can be auto-detected by the sandbox, such as ext3, ext4, etc. The disk
                   image itself should be a raw file, not qcow2 or any other special format.

                   If TYPE is guest-bind, then SRC is interpreted as the path to another
                   directory in the container filesystem.

                   If TYPE is ram, then SRC is interpreted as specifying the size of the RAM disk
                   in bytes. The suffix K, KiB, M, MiB, G, GiB can be used to alter the units from
                   bytes to a coarser level.

               Some examples

                -m host-bind:/tmp=/var/lib/sandbox/demo/tmp
                -m host-image:/=/var/lib/sandbox/demo.img
                -m guest-bind:/home=/tmp/home
                -m ram:/tmp=500M

       -I HOST-PATH, --includefile=HOST-PATH
               Copy all files listed in inputfile into the appropriate temporary sandbox

       -N NETWORK-OPTIONS, --network NETWORK-OPTIONS
               Add a network interface to the sandbox. NETWORK-OPTIONS is a set of key=val pairs,
               separated by commas. The following options are valid:

                   Configure the network interface using dhcp. This key takes no value.  No other
                   keys may be specified, e.g.

                     -N dhcp,source=default
                     --network dhcp,source=lan

                   where 'source' is the name of any libvirt virtual network.

                   Set the name of the network to connect the interface to. "NETWORK" is the name
                   of any libvirt virtual network. See also virsh net-list

                   Set the MAC address of the network interface, where each NN is a pair of hex

                   Configure the network interface with the static IPv4 or IPv6 address IP-
                   ADDRESS. The PREFIX value is the length of the network prefix in IP-ADDRESS.
                   The optional BROADCAST parameter specifies the broadcast address. Some


                   Configure the network interface with the static IPv4 or IPv6 route IP-NETWORK.
                   The PREFIX value is the length of the network prefix in IP-NETWORK. The
                   GATEWAY parameter specifies the address of the gateway for the route. Some


               Use alternative security options. SECURITY-OPTIONS is a set of key=val pairs,
               separated by commas. The following options are valid for SELinux

                   Dynamically allocate an SELinux label, using the default base context.  The
                   default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC,
                   system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0 for

                   Dynamically allocate an SELinux label, using the base context
                   USER:ROLE:TYPE:LEVEL, instead of the default base context.

                   To set a completely static label. For example,

                   Inherit the context from the process that is executing virt-sandbox.

               Specify the kernel version to run for machine based sandboxes. If omitted,
               defaults to match the current running host version.

               Specify the path to the kernel binary. If omitted, defaults to

               Specify the path to the kernel module base directory. If omitted, defaults to
               "/lib/modules". The suffix "$KERNEL-VERSION/kernel" will be appended to this path
               to locate the modules.

       -p, --privileged
               Retain root privileges inside the sandbox, rather than dropping privileges to
               match the current user identity.

       -S USER, --switchto=USER
               Switch to the given user inside the sandbox and setup $HOME accordingly.

       -l, --shell
               Launch an interactive shell on a secondary console device

       -V, --version
               Display the version number and exit

       -v, --verbose
               Display verbose progress information

       -d, --debug
               Display debugging information

       -h, --help
               Display help information


       Run an interactive shell under LXC, replacing $HOME with the contents of $HOME/scratch

         # mkdir $HOME/scratch
         # echo "hello" > $HOME/scratch/foo
         # echo "sandbox" > $HOME/scratch/bar
         # virt-sandbox -c lxc:/// -m host-bind:$HOME=$HOME/scratch -i $HOME/scratch/foo -i $HOME/scratch/bar /bin/sh

       Convert an OGG file to WAV inside QEMU

         # virt-sandbox -c qemu:///session  -- /usr/bin/oggdec -Q -o - - < somefile.ogg > somefile.wav
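
       An added example, not part of the virt-sandbox manual or the libvirt-sandbox code: a
       pre-flight check that a wrapper script could run on --mount values before invoking
       virt-sandbox, following the TYPE:DST=SRC rules described above. The function names are
       hypothetical, and requiring absolute paths for DST and SRC is an assumption of this sketch.

```python
import re

# Assumption of this sketch: DST and SRC paths must be absolute (the manual does not say so).
MOUNT_TYPES = {"host-bind", "host-image", "guest-bind", "ram"}
RAM_SIZE = re.compile(r"\d+(K|KiB|M|MiB|G|GiB)?")  # bytes, or one of the listed suffixes
QCOW_MAGIC = b"QFI\xfb"                            # first 4 bytes of a qcow/qcow2 image

def check_mount(spec):
    """Parse one TYPE:DST=SRC value; return (type, dst, src) or raise ValueError."""
    mtype, sep, rest = spec.partition(":")
    if not sep or mtype not in MOUNT_TYPES:
        raise ValueError(f"unknown mount TYPE in {spec!r}")
    dst, sep, src = rest.partition("=")
    if not sep or not dst.startswith("/"):
        raise ValueError(f"DST must be an absolute path in {spec!r}")
    if mtype == "ram":
        if not RAM_SIZE.fullmatch(src):
            raise ValueError(f"bad RAM disk size {src!r}")
    elif mtype == "host-bind":
        # An empty SRC is valid: a temporary host directory is created.
        if src and not src.startswith("/"):
            raise ValueError(f"host-bind SRC must be absolute or empty: {src!r}")
    elif mtype == "guest-bind":
        if not src.startswith("/"):
            raise ValueError(f"guest-bind SRC must be an absolute path: {src!r}")
    else:  # host-image: the image must be raw, so reject a qcow header
        with open(src, "rb") as fh:
            if fh.read(4) == QCOW_MAGIC:
                raise ValueError(f"{src} is qcow-formatted; host-image needs a raw file")
    return mtype, dst, src

def check_all(specs):
    """Return (accepted, rejected) lists for a batch of -m values."""
    ok, bad = [], []
    for spec in specs:
        try:
            ok.append(check_mount(spec))
        except (ValueError, OSError) as exc:
            bad.append((spec, str(exc)))
    return ok, bad

if __name__ == "__main__":
    # Constructed sample values: three from the examples above plus two invalid ones.
    samples = ["host-bind:/tmp=/var/lib/sandbox/demo/tmp", "guest-bind:/home=/tmp/home",
               "ram:/tmp=500M", "ram:/tmp=500MB", "nfs:/mnt=/srv"]
    accepted, rejected = check_all(samples)
    print(accepted, rejected, sep="\n")
```

       The check only validates syntax and the image header; it does not decide which host
       directories are safe to expose to the sandbox.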


       sandbox(8), virsh(1)


       Daniel P. Berrange


       Copyright (C) 2011 Daniel P. Berrange
       Copyright (C) 2011-2012 Red Hat,


       virt-sandbox is distributed under the terms of the GNU LGPL v2+.  This is free software;
       see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY