Systemd-nspawn

systemd-nspawn is a lightweight, loosely chroot-like, OS-level OCI container environment native to systemd. Each container exists in its own namespace but within the host's running kernel. Thus no hardware emulation takes place and, unlike full machine virtualization such as QEMU, non-native CPU instruction sets are not directly supported.

Like many technologies, containerization involves trade-offs. Its core benefit is far lower overhead than a traditional virtual machine, so a large number of containers can be spawned much more quickly than the same number of VMs. Unfortunately, though uncommon, exploits leading to container escapes have happened and are more prevalent than VM escapes. Further, because containers share the host's kernel, any containerized process that crashes the kernel brings down the whole host. Lastly, containers are not, by default, more secure than any other process on the host system. Containers can be hardened through a mix of technologies: cgroups to constrain resource utilization, and mechanisms that prevent privilege escalation and enforce access controls.

Installation
To use systemd-nspawn, the system must be set to a profile that uses the systemd init system.

Files

 * The canonical directory for container file systems.

To prevent confusion, it is best practice to name the subdirectory holding the container's root file system after the container's hostname.

Service
Assuming a properly structured and syntactically correct unit file placed where systemd expects it, the container should be discoverable by the usual systemd tooling. Thereafter it can be managed like any other service.
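The hardening points made earlier (cgroups for resource limits, prevention of privilege escalation, access controls) and the per-container service configuration described here can be expressed in the container's settings file plus a service drop-in. The following is an added example, not taken from this page or from the Gentoo wiki, for an assumed machine named gentoo-build; the file locations and keys are those documented in systemd.nspawn(5) and systemd.resource-control(5), and the capability and syscall choices assume a plain package-build container.

```ini
# /etc/systemd/nspawn/gentoo-build.nspawn
# Per-container settings file (systemd.nspawn(5)). "gentoo-build" is an assumed
# machine name; it must match the directory holding the container's root file system.
[Exec]
Boot=yes
# Map the container's UIDs/GIDs onto an unused host range, so root inside the
# container is an unprivileged user on the host (user namespaces).
PrivateUsers=pico
# Rewrite file ownership in the root file system to match that range
# (systemd 249 and later; older releases used PrivateUsersChown=yes).
PrivateUsersOwnership=auto
# Drop capabilities a build container does not need, on top of nspawn's default set.
DropCapability=CAP_NET_RAW CAP_SYS_PTRACE CAP_MKNOD
# nspawn already blocks module loading, raw I/O, reboot and swap syscalls by default;
# additionally deny debugging and CPU-emulation syscall groups.
SystemCallFilter=~@debug @cpu-emulation
NoNewPrivileges=yes

[Files]
# Share the host's distfiles read-only; everything else stays inside the container.
BindReadOnly=/var/cache/distfiles
# Give the container a private tmpfs on /tmp rather than anything from the host.
TemporaryFileSystem=/tmp

[Network]
# Own network namespace with a veth pair instead of sharing the host's stack.
VirtualEthernet=yes

# /etc/systemd/system/systemd-nspawn@gentoo-build.service.d/limits.conf
# cgroup resource limits applied to the container's service instance
# (systemd.resource-control(5)); values are assumed and sized for a build host.
[Service]
MemoryMax=8G
CPUQuota=400%
TasksMax=4096
```

After `systemctl daemon-reload`, starting systemd-nspawn@gentoo-build.service applies both files; `systemctl show systemd-nspawn@gentoo-build.service -p MemoryMax` confirms the cgroup limit took effect.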

Usage
Assuming, for example, that a Gentoo root file system extracted from a stage3 tarball for the host's instruction set architecture exists in the container directory, the following commands should bring the container up:

The handbook can be followed as normal from this point forward, excluding unnecessary parts such as kernel and bootloader configuration. Once done, the container can be used by itself or as an up-to-date template from which other containers can be spawned. The latter case is made easier if the container's root file system is stored on a subvolume.

Can I combine QEMU and systemd-nspawn to cross-compile binaries?
Yes. Follow the corresponding QEMU setup instructions and make sure the systemd-binfmt service is enabled. Then start the container as normal:

External resources

 * Rich0's Gentoo Blog: Quick systemd-nspawn guide
 * Systemd-nspawn for fun and… well, mostly for fun