systemd-detect-virt - Man Page

Detect execution in a virtualized environment

Synopsis

systemd-detect-virt [Options...]

Description

systemd-detect-virt detects execution in a virtualized environment. It identifies the virtualization technology and can distinguish full machine virtualization from container virtualization. systemd-detect-virt exits with a return value of 0 (success) if a virtualization technology is detected, and non-zero (error) otherwise. By default, any type of virtualization is detected, and the options --container and --vm can be used to limit what types of virtualization are detected.

When executed without --quiet, it prints a short identifier for the detected virtualization technology. The following technologies are currently identified:

Table 1. Known virtualization technologies (both VM, i.e. full hardware virtualization, and container, i.e. shared kernel virtualization)

Type       ID              Product
VM         qemu            QEMU software virtualization, without KVM
VM         kvm             Linux KVM kernel virtual machine, in combination with QEMU. Not used for other virtualizers using the KVM interfaces, such as Oracle VirtualBox or Amazon EC2 Nitro, see below.
VM         amazon          Amazon EC2 Nitro using Linux KVM
VM         zvm             s390 z/VM
VM         vmware          VMware Workstation or Server, and related products
VM         microsoft       Hyper-V, also known as Viridian or Windows Server Virtualization
VM         oracle          Oracle VM VirtualBox (historically marketed by innotek and Sun Microsystems), for legacy and KVM hypervisor
VM         powervm         IBM PowerVM hypervisor — comes as firmware with some IBM POWER servers
VM         xen             Xen hypervisor (only domU, not dom0)
VM         bochs           Bochs Emulator
VM         uml             User-mode Linux
VM         parallels       Parallels Desktop, Parallels Server
VM         bhyve           bhyve, FreeBSD hypervisor
VM         qnx             QNX hypervisor
VM         acrn            ACRN hypervisor[1]
VM         apple           Apple virtualization framework[2]
VM         sre             LMHS SRE hypervisor[3]
VM         google          Google Compute Engine[4]
Container  openvz          OpenVZ/Virtuozzo
Container  lxc             Linux container implementation by LXC
Container  lxc-libvirt     Linux container implementation by libvirt
Container  systemd-nspawn  systemd's minimal container implementation, see systemd-nspawn(1)
Container  docker          Docker container manager
Container  podman          Podman[5] container manager
Container  rkt             rkt app container runtime
Container  wsl             Windows Subsystem for Linux[6]
Container  proot           proot[7] userspace chroot/bind mount emulation
Container  pouch           Pouch[8] Container Engine

If multiple virtualization solutions are used, only the "innermost" is detected and identified. That means if both machine and container virtualization are used in conjunction, only the latter will be identified (unless --vm is passed).

Windows Subsystem for Linux is not a Linux container, but an environment for running Linux userspace applications on top of the Windows kernel using a Linux-compatible interface. WSL is categorized as a container for practical purposes. Multiple WSL environments share the same kernel, and services should generally behave as they do when run in a container.

When executed with --cvm, instead of printing the virtualization technology, it will display the confidential virtual machine technology, if any. The following technologies are currently identified:

Table 2. Known confidential virtualization technologies

Arch     ID        Technology
x86_64   sev       AMD Secure Encrypted Virtualization
x86_64   sev-es    AMD Secure Encrypted Virtualization - Encrypted State
x86_64   sev-snp   AMD Secure Encrypted Virtualization - Secure Nested Paging
x86_64   tdx       Intel Trust Domain Extensions
s390x    protvirt  IBM Protected Virtualization (Secure Execution)

Options

The following options are understood:

-c,  --container

Only detects container virtualization (i.e. shared kernel virtualization).

-v,  --vm

Only detects hardware virtualization.

-r,  --chroot

Detect whether invoked in a chroot(2) environment. In this mode, no output is written, but the return value indicates whether the process was invoked in a chroot() environment or not.

Added in version 228.

--private-users

Detect whether invoked in a user namespace. In this mode, no output is written, but the return value indicates whether the process was invoked inside of a user namespace or not. See user_namespaces(7) for more information.

Added in version 232.

--cvm

Detect whether invoked in a confidential virtual machine. The result of this detection may be used to disable features that should not be used in confidential VMs. It must not be used to release security sensitive information. The latter must only be released after attestation of the confidential environment.

Added in version 254.

-q,  --quiet

Suppress output of the virtualization technology identifier.

--list

Output all currently known and detectable container and VM environments.

Added in version 239.

--list-cvm

Output all currently known and detectable confidential virtualization technologies.

Added in version 254.

-h,  --help

Print a short help text and exit.

--version

Print a short version string and exit.

Exit Status

If a virtualization technology is detected, 0 is returned; otherwise a non-zero code is returned.
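
The following shell functions are an added example, not part of the systemd documentation. They query --vm, --container and --cvm separately, so the outer VM is still reported when a container is the "innermost" layer, and they use the --cvm result only to switch a feature off, as the --cvm description requires. The DETECT_VIRT variable and the function names are hypothetical; the script assumes the tool prints "none" when nothing is detected.

```shell
#!/bin/sh
# Added example: report each virtualization layer on its own line of evidence.
# DETECT_VIRT is a hypothetical override so the probe can be replaced by a stub.
DETECT_VIRT="${DETECT_VIRT:-systemd-detect-virt}"

# probe <option>: print the detected ID, "none", or "unknown".
# Exit status 0 means something was detected. A non-zero status with no
# "none" on stdout is reported as "unknown": the binary is missing or the
# installed version does not know the option (--cvm was added in version 254).
probe() {
    id=$("$DETECT_VIRT" "$1" 2>/dev/null) && { printf '%s\n' "$id"; return 0; }
    if [ "$id" = "none" ]; then echo none; else echo unknown; fi
    return 0
}

# virt_layers: one line with the VM, container and confidential-VM results.
# Asking with --vm and --container separately avoids the default behaviour
# of reporting only the innermost technology.
virt_layers() {
    printf 'vm=%s container=%s cvm=%s\n' \
        "$(probe --vm)" "$(probe --container)" "$(probe --cvm)"
}

# cvm_feature_allowed: succeed only when the probe positively reports "none".
# Assumption of this example: an "unknown" result is treated like a
# confidential VM, so the feature stays off. The result only disables
# features; it is not attestation and must not gate the release of secrets.
cvm_feature_allowed() {
    [ "$(probe --cvm)" = "none" ]
}

virt_layers
if cvm_feature_allowed; then
    echo "feature enabled: no confidential VM detected"
else
    echo "feature disabled: confidential VM detected or result unknown"
fi
```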

See Also

systemd(1), systemd-nspawn(1), chroot(2), namespaces(7)

Notes

  1. ACRN hypervisor
    https://projectacrn.org
  2. Apple virtualization framework
    https://developer.apple.com/documentation/virtualization
  3. LMHS SRE hypervisor
    https://www.lockheedmartin.com/en-us/products/Hardened-Security-for-Intel-Processors.html
  4. Google Compute Engine
    https://cloud.google.com/compute
  5. Podman
    https://podman.io
  6. Windows Subsystem for Linux
    https://docs.microsoft.com/en-us/windows/wsl/about
  7. proot
    https://proot-me.github.io/
  8. Pouch
    https://github.com/alibaba/pouch

Referenced By

org.freedesktop.systemd1(5), systemd.directives(7), systemd.generator(7), systemd.index(7), systemd.unit(5), udev(7).

systemd 256.7