What is nspawn.org?

The website nspawn.org is a hub for various images. Basically we take full advantage of mkosi to generate images of several Linux distributions like:

Is this service secure?

Of course we can’t guarantee 100% security, but we do our best, to keep the images as secure as possible. All images are generated by mkosi and the original source of the distribution (pacman, debootstrap, yum/dnf). Furthermore we generate SHA256 checksums for all our images and sign these checksums with our master key. The cool part is, you don’t need to bother about this, because systemd-machined takes care about verifying the checksum and signature for you.

Do I need systemd for nspawn.org?


How does nspawn.org work?

You have two options. The easy way via our wrapper nspawn or the manually way via the machinectl command. If you want to use the wrapper nspawn you can find it here: https://github.com/nspawn/nspawn

Note: We recommend the use of our nspawn wrapper script, it will setup everything including the signing key, and provides a easy command line interface to install containers and images.

If you want to do it manually, here is a short tutorial: First you need to set up your /etc/systemd/import-pubring.gpg keyring file. You can do this via the following command:

sudo gpg --no-default-keyring \
         --keyring=/etc/systemd/import-pubring.gpg \

Second you need to import our master key. The master key has the following key id:

9E31 BD49 63FC 2D19 815F A718 0E2A 1E4B 25A4 25F6

You can either download it manually and import it into your keyring or you search it directly via GPG:

/usr/bin/sudo gpg --no-default-keyring \
         --keyserver=keys.openpgp.org \
         --keyring=/etc/systemd/import-pubring.gpg \
	--search 9E31BD4963FC2D19815FA7180E2A1E4B25A425F6

Don’t forget to trust our master key, after importing it! If everything is set up, you can go and download your first image. You can find a full list of all images here: https://hub.nspawn.org/storage/list.txt

Use machinectl pull-tar or machinectl pull-raw to download the right image (depending on the image type). Right now we only support tar images, due to storage constraints.

sudo machinectl pull-<tar|raw> \

For example:

sudo machinectl pull-tar https://hub.nspawn.org/storage/debian/buster/tar/image.tar.xz

Now you can operate on the imported image as usually via machinectl start , machinectl login , machinectl shell , etc.