CLI v1.10.0
Using the CLI
Control the Edera Protect daemon.
protect [OPTIONS] <COMMAND>
Subcommands:
  zone: Manage the zones on Edera Protect.
  workload: Manage the workloads on Edera Protect.
  image: Manage the images on Edera Protect.
  network: Manage the network on Edera Protect.
  device: Manage the devices on Edera Protect.
  host: Manage the host of Edera Protect.
  completion: Output shell completion code for the specified shell.
Options:
  -c, --connection <CONNECTION>: The connection URL to the Edera Protect daemon [default value: unix:///var/lib/edera/protect/daemon.socket].
  --user-agent <USER_AGENT>: User agent to connect to the daemon as [default value: edera-protect-ctl/0.0.1].
zone
Manage the zones on Edera Protect.
protect zone <COMMAND>
Subcommands:
  attach: Attach to the zone console.
  list: List zone information.
  resolve: Resolve a zone name to matching zone ids.
  launch: Launch a new zone.
  destroy: Destroy a zone.
  suspend: Suspend a running zone.
  resume: Resume a suspended zone.
  fork: Fork a running zone into a new memory-shared child zone.
  exec: Execute a command inside the zone.
  forget: Forget destroyed zones (clear their tombstones).
  logs: View the logs of a zone.
  metrics: Read metrics from the zone.
  top: Dashboard for running zones.
  watch: Watch for zone changes.
  update-resources: Update the available resources to a zone.
  configure-network: Configure the network of an external network backend zone.
  kernel-events: Manage kernel events from zones.
attach
Attach to the zone console.
protect zone attach <ZONE>
Arguments:
  <ZONE>: Zone to attach to, either the name or the uuid.
list
List zone information.
protect zone list [OPTIONS] [ZONE]
Arguments:
  <ZONE>: Limit to a single zone, either the name or the uuid.
Options:
  -o, --output <OUTPUT>: Output format [default value: table] [possible values: table, json, json-pretty, jsonl, yaml, key-value, simple].
  -l, --selector <SELECTOR>: A selector for filtering the result set. Currently only supports ‘=’ and the ‘status.state’ field. Supported states include ‘creating’, ‘created’, ‘ready’, ‘destroying’, ‘destroyed’, ‘failed’, ‘suspending’, ‘suspended’, ‘resuming’ and ‘forking’, with or without the ‘zone_state_’ prefix (e.g. --selector status.state=failed or --selector status.state=ZONE_STATE_FAILED).
resolve
Resolve a zone name to matching zone ids.
protect zone resolve [OPTIONS] <NAME>
Arguments:
  <NAME>: The zone name to resolve.
Options:
  -f, --first: If there are multiple matching zones, only print the first zone id.
launch
Launch a new zone.
protect zone launch [OPTIONS]
Options:
  --pull-overwrite-cache: Overwrite image cache on pull.
  --pull-update: Update image on pull.
  -n, --name <NAME>: Name of the zone.
  --min-cpus <MIN_CPUS>: Minimum vCPUs available for the zone [default value: 4].
  -C, --max-cpus <MAX_CPUS>: Maximum vCPUs available for the zone [default value: 4].
  -c, --target-cpus <TARGET_CPUS>: Target vCPUs for the zone to use [default value: 1].
  --min-memory <MIN_MEMORY>: Minimum memory available to the zone, in megabytes [default value: 0].
  -M, --max-memory <MAX_MEMORY>: Maximum memory available to the zone, in megabytes [default value: 1024].
  -m, --target-memory <TARGET_MEMORY>: Target memory for the zone to use, in megabytes [default value: 1024].
  --create-scratch-disk <CREATE_SCRATCH_DISK>: Create a scratch disk of size, in megabytes.
  --attach-scratch-disk <ATTACH_SCRATCH_DISK>: Attach a host disk as a scratch disk.
  -D, --device <DEVICE>: Devices to request for the zone.
  -a, --attach: Attach to the zone after zone starts, implies --wait.
  -W, --wait: Wait for the zone to be ready, implied by --attach.
  -k, --kernel <KERNEL>: OCI kernel image for zone to use.
  -I, --initrd <INITRD>: OCI initrd image for zone to use.
  -w, --working-directory <WORKING_DIRECTORY>: Working directory.
  --kernel-verbose: Enable verbose logging on the kernel.
  --kernel-cmdline <KERNEL_CMDLINE>: Additional kernel cmdline options.
  --kernel-module <KERNEL_MODULE>: Additional kernel modules to load.
  --kernel-module-parameter <KERNEL_MODULE_PARAMETER>: Additional kernel module parameters to add.
  --kernel-cmdline-append <KERNEL_CMDLINE_APPEND>: Additional kernel cmdline options (raw).
  --assume-network-reservation <ASSUME_NETWORK_RESERVATION>: Assume an already allocated network reservation.
  --retain-network-reservation: Retain network reservation after zone destruction.
  -R, --resource-adjustment-policy <RESOURCE_ADJUSTMENT_POLICY>: Resource adjustment policy [possible values: static, dynamic].
  -V, --virt-backend <VIRT_BACKEND>: Virtualization backend [possible values: auto, pv, pvh].
  -N, --network-backend <NETWORK_BACKEND>: Network backend [possible values: default, none, external, passthrough].
  --numa-nodes <NUMA_NODES>: Requested vNUMA node count; 0 (default) lets the daemon pick based on vCPU count and host topology [default value: 0].
  --numa-strategy <NUMA_STRATEGY>: Strategy for selecting additional NUMA nodes beyond the seed [default value: compact] [possible values: compact, scatter].
  -A, --addon <ADDON>: Addons for the zone.
  --sysctl <SYSCTL>: sysctl parameters to set on the zone.
  --control-api-access <CONTROL_API_ACCESS>: Enables access to the Control API from inside a zone [possible values: deny, allow].
destroy
Destroy a zone.
protect zone destroy [OPTIONS] [ZONE_IDENTIFIER]
Arguments:
  <ZONE_IDENTIFIER>: Zone to destroy, either the name or the uuid. Optional when --selector is specified.
Options:
  -W, --wait: Wait for the destruction of the zone to complete.
  -A, --all: Destroy all zones matching the input.
  -l, --selector <SELECTOR>: A selector for filtering the result set. Currently only supports ‘=’ and the ‘status.state’ field. Supported states include ‘creating’, ‘created’, ‘ready’, ‘destroying’, ‘destroyed’, ‘failed’, ‘suspending’, ‘suspended’, ‘resuming’ and ‘forking’, with or without the ‘zone_state_’ prefix (e.g. --selector status.state=failed or --selector status.state=ZONE_STATE_FAILED).
suspend
Suspend a running zone.
protect zone suspend <ZONE>
Arguments:
  <ZONE>: Zone to suspend, either the name or the uuid.
resume
Resume a suspended zone.
protect zone resume <ZONE>
Arguments:
  <ZONE>: Zone to resume, either the name or the uuid.
fork
Fork a running zone into a new memory-shared child zone.
protect zone fork [OPTIONS] <ZONE>
Arguments:
  <ZONE>: Zone to fork, either the name or the uuid.
Options:
  -n, --name <NAME>: Name for the forked child zone.
exec
Execute a command inside the zone.
protect zone exec [OPTIONS] <ZONE> [COMMAND]...
Arguments:
  <ZONE>: Zone to exec inside, either the name or the uuid.
  <COMMAND>: Command to run inside the zone.
Options:
  -e, --env <ENV>: Environment variables.
  -w, --working-directory <WORKING_DIRECTORY>: Working directory.
  -t, --tty: Allocate tty.
  --privileged: Execute command with elevated privileges.
forget
Clears the tombstone record for destroyed zones. Tombstones are the in-memory record retained after a zone is destroyed so post-mortem tooling (protect zone logs, debug reports) can still inspect them. They expire automatically after the daemon’s linger window; this command evicts them sooner – most importantly so a new zone can reuse a destroyed zone’s name without ambiguity.
Forgetting a tombstone is low-risk: the live zone is already gone, so the only consequence of being wrong is losing post-mortem visibility into the destroyed zone. That’s why a bare protect zone forget (no arguments) forgets every tombstone – it’s the most common operation (“tidy up”) and has no failure mode worth gating behind a flag.
protect zone forget [OPTIONS] [ZONE]
Arguments:
  <ZONE>: Optional zone name or uuid. If omitted, every tombstone is forgotten. If a name matches multiple tombstones, --all is required to disambiguate.
Options:
  -A, --all: When <ZONE> is a name matching multiple tombstones, forget all of them rather than refusing.
logs
View the logs of a zone.
protect zone logs [OPTIONS] <ZONE>
Arguments:
  <ZONE>: Zone to show logs for, either the name or the uuid.
Options:
  -f, --follow: Follow output from the zone.
metrics
Read metrics from the zone.
protect zone metrics [OPTIONS] <ZONE>
Arguments:
  <ZONE>: Zone to read metrics for, either the name or the uuid.
Options:
  -o, --output <OUTPUT>: Output format [default value: tree] [possible values: tree, json, json-pretty, yaml, key-value].
top
Dashboard for running zones.
protect zone top
watch
Watch for zone changes.
protect zone watch [OPTIONS]
Options:
  -o, --output <OUTPUT>: Output format [default value: simple] [possible values: simple, json, key-value].
update-resources
Update the available resources to a zone.
protect zone update-resources [OPTIONS] <ZONE>
Arguments:
  <ZONE>: Zone to update resources of, either the name or the uuid.
Options:
  --min-cpus <MIN_CPUS>: Minimum vCPUs available to the zone (0 means previous value) [default value: 0].
  -C, --max-cpus <MAX_CPUS>: Maximum vCPUs available to the zone (0 means previous value) [default value: 0].
  -c, --target-cpus <TARGET_CPUS>: Target vCPUs for the zone to use (0 means previous value) [default value: 0].
  --min-memory <MIN_MEMORY>: Minimum memory available to the zone, in megabytes (0 means previous value) [default value: 0].
  -M, --max-memory <MAX_MEMORY>: Maximum memory available to the zone, in megabytes (0 means previous value) [default value: 0].
  -m, --target-memory <TARGET_MEMORY>: Target memory for the zone to use, in megabytes (0 means previous value) [default value: 0].
  -p, --adjustment-policy <ADJUSTMENT_POLICY>: Adjustment policy [possible values: static, dynamic].
configure-network
Configure the network of an external network backend zone.
protect zone configure-network [OPTIONS] <ZONE>
Arguments:
  <ZONE>: Zone to update resources of, either the name or the uuid.
Options:
  --zone-interface <ZONE_INTERFACE>: Zone Network Interface.
  --zone-ipv4 <ZONE_IPV4>: Zone IPv4 Network.
  --zone-ipv6 <ZONE_IPV6>: Zone IPv6 Network.
  --gateway-ipv4 <GATEWAY_IPV4>: Zone Gateway IPv4 Network.
  --gateway-ipv6 <GATEWAY_IPV6>: Zone Gateway IPv6 Network.
  --zone-mac <ZONE_MAC>: Zone MAC Address.
  --mtu <MTU>: Zone MTU.
kernel-events
Manage kernel events from zones.
protect zone kernel-events <COMMAND>
Subcommands:
  stream: Stream kernel events from a zone.
  list-syscalls: List all available syscalls.
kernel-events stream
Stream kernel events from a zone.
protect zone kernel-events stream [OPTIONS] <ZONE>
Arguments:
  <ZONE>: Zone to show logs for, either the name or the uuid.
Options:
  -e, --enabled-events <ENABLED_EVENTS>: Zone event types (syscall ids, etc) to enable notifications for.
kernel-events list-syscalls
List all available syscalls.
protect zone kernel-events list-syscalls
workload
Manage the workloads on Edera Protect.
protect workload <COMMAND>
Subcommands:
  launch: Launch a new workload.
  exec: Execute a command inside the workload.
  attach: Attach to a workload console.
  resolve: Resolve a workload name to matching workload ids.
  start: Start a workload.
  stop: Stop a workload.
  destroy: Destroy a workload.
  list: List workload information.
  watch: Watch for workload changes.
launch
Launch a new workload.
protect workload launch [OPTIONS] --zone <ZONE> <OCI> [COMMAND]...
Arguments:
  <OCI>: Container image for zone to use.
  <COMMAND>: Command to run the workload.
Options:
  --image-format <IMAGE_FORMAT>: Image format [default value: squashfs] [possible values: squashfs].
  --pull-overwrite-cache: Overwrite image cache on pull.
  --pull-update: Update image on pull.
  -n, --name <NAME>: Name of the workload.
  -W, --wait: Wait for the workload to be started.
  -t, --tty: Allocate tty for the workload.
  -a, --attach: Attach to workload console.
  --disable-all-namespaces: Disable all process namespaces.
  --disable-namespace <DISABLE_NAMESPACE>: Process namespaces to disable [possible values: mount, uts, ipc, user, pid, net, cgroup, time].
  --strict-user-namespace: Enable strictness of user namespaces on the workload.
  --read-only-rootfs: Enable read-only rootfs.
  --no-new-privs: Prevent workload from requesting new privileges after launch.
  -e, --env <ENV>: Environment variables set in the workload.
  -m, --mounts <MOUNTS>: Mount host directories into the workload (in the form src=<HOSTDIR>:dst=<WORKLOAD_PATH>[:ro=true]).
  -b, --block-device <BLOCK_DEVICE>: Mount host block device into the workload (in the form src=<HOSTDEV>:dst=<WORKLOAD_PATH>[:ro=true]).
  --cap-add <CAP_ADD>: Capabilities to add.
  --cap-ambient-add <CAP_AMBIENT_ADD>: Ambient capabilities to add.
  --cap-drop <CAP_DROP>: Capabilities to drop.
  --privileged: Run workload with elevated privileges.
  -w, --working-directory <WORKING_DIRECTORY>: Working directory.
  --user <USER>: User name or id.
  --group <GROUP>: Group name or id.
  -z, --zone <ZONE>: Zone to launch on, can be a name or id.
  --mount-scratch-disk <MOUNT_SCRATCH_DISK>: Mount zone scratch disk on a certain directory.
  --hostname <HOSTNAME>: Hostname inside the workload.
  --pci-device <PCI_DEVICE>: PCI devices to attach to the workload.
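The isolation-related options of protect workload launch listed above, applied as a pre-flight check (an added example, not part of the Edera documentation or tooling): the function reads a launch argument list and reports options that widen the workload's privileges, plus hardening switches that are absent. The REVIEW/MISSING policy, support for the --opt=value spelling, and the zone and image names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight review of a `protect workload launch` argument list.
# Option names come from the list above; the REVIEW/MISSING policy is an assumption.

findings=""
note() { findings="${findings}$1
"; }

check_value() {  # $1 = option name, $2 = its value
    case "$1" in
        --cap-add|--cap-ambient-add) note "REVIEW capability added: $2" ;;
        --disable-namespace) note "REVIEW namespace disabled: $2" ;;
        -m|--mounts|-b|--block-device)
            case "$2" in
                *:ro=true) ;;
                *) note "REVIEW writable host mount: $2" ;;
            esac ;;
    esac
}

audit_workload_launch() {  # prints one finding per line, nothing when clean
    findings=""; ro=0; nnp=0; want=""
    for arg in "$@"; do
        if [ -n "$want" ]; then  # this token is the value of the previous option
            check_value "$want" "$arg"; want=""; continue
        fi
        case "$arg" in
            --*=*) check_value "${arg%%=*}" "${arg#*=}" ;;  # --opt=value spelling (assumed accepted)
            --privileged) note "REVIEW --privileged" ;;
            --disable-all-namespaces) note "REVIEW --disable-all-namespaces" ;;
            --read-only-rootfs) ro=1 ;;
            --no-new-privs) nnp=1 ;;
            --image-format|-n|--name|-e|--env|-m|--mounts|-b|--block-device|\
            --cap-add|--cap-ambient-add|--cap-drop|--disable-namespace|\
            -w|--working-directory|--user|--group|-z|--zone|\
            --mount-scratch-disk|--hostname|--pci-device) want="$arg" ;;
            -*) ;;       # remaining switches take no value
            *) break ;;  # first positional is <OCI>; what follows is the workload's own command
        esac
    done
    [ "$ro" -eq 1 ] || note "MISSING --read-only-rootfs"
    [ "$nnp" -eq 1 ] || note "MISSING --no-new-privs"
    printf '%s' "$findings"
}

# Constructed sample invocation (zone and image names are placeholders).
audit_workload_launch --zone demo-zone --privileged --cap-add CAP_SYS_ADMIN \
    -m src=/srv/data:dst=/data registry.example/app:1.0 app --privileged
```

Parsing stops at the image argument, so a --privileged that belongs to the workload's own command line is not reported.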
exec
Execute a command inside the workload.
protect workload exec [OPTIONS] <WORKLOAD> [COMMAND]...
Arguments:
  <WORKLOAD>: Workload to exec inside, either the name or the uuid.
  <COMMAND>: Command to run inside the zone.
Options:
  -e, --env <ENV>: Environment variables.
  -w, --working-directory <WORKING_DIRECTORY>: Working directory.
  -t, --tty: Allocate tty.
  --user <USER>: User name or id.
  --group <GROUP>: Group name or id.
  --privileged: Execute with elevated privileges.
attach
Attach to a workload console.
protect workload attach <WORKLOAD>
Arguments:
  <WORKLOAD>: Workload to attach to, either the name or the uuid.
resolve
Resolve a workload name to matching workload ids.
protect workload resolve [OPTIONS] <NAME>
Arguments:
  <NAME>: The workload name to resolve.
Options:
  -f, --first: If there are multiple matching workloads, only print the first workload id.
start
Start a workload.
protect workload start <WORKLOAD>
Arguments:
  <WORKLOAD>: Workload to start, either the name or the uuid.
stop
Stop a workload.
protect workload stop <WORKLOAD> [TIMEOUT]
Arguments:
  <WORKLOAD>: Workload to stop, either the name or the uuid.
  <TIMEOUT>: How long to wait for the workload to stop (in seconds) before forcibly killing it, default 0.
destroy
Destroy a workload.
protect workload destroy [OPTIONS] [WORKLOAD_IDENTIFIER]
Arguments:
  <WORKLOAD_IDENTIFIER>: Workload to destroy, either the name or the uuid. Optional when --selector is specified.
Options:
  -W, --wait: Wait for the destruction of the workload to complete.
  -a, --all: Destroy all workloads matching the input.
  -l, --selector <SELECTOR>: A selector for filtering the result set. Currently only supports ‘=’ and the ‘status.state’ field. Supported states include ‘creating’, ‘created’, ‘running’, ‘completed’, ‘destroying’, ‘destroyed’ and ‘failed’, with or without the ‘workload_state_’ prefix (e.g. --selector status.state=failed or --selector status.state=WORKLOAD_STATE_FAILED).
list
List workload information.
protect workload list [OPTIONS] [WORKLOAD]
Arguments:
  <WORKLOAD>: Limit to a single workload, either the name or the uuid.
Options:
  -o, --output <OUTPUT>: Output format [default value: table] [possible values: table, json, json-pretty, jsonl, yaml, key-value, simple].
  -l, --selector <SELECTOR>: A selector for filtering the result set. Currently only supports ‘=’ and the ‘status.state’ field. Supported states include ‘creating’, ‘created’, ‘running’, ‘completed’, ‘destroying’, ‘destroyed’ and ‘failed’, with or without the ‘workload_state_’ prefix (e.g. --selector status.state=failed or --selector status.state=WORKLOAD_STATE_FAILED).
watch
Watch for workload changes.
protect workload watch [OPTIONS]
Options:
  -o, --output <OUTPUT>: Output format [default value: simple] [possible values: simple, json, key-value].
image
Manage the images on Edera Protect.
protect image <COMMAND>
Subcommands:
  pull: Pull an image into the cache.
  import: Import an image into the cache.
  remove: Remove an image from the cache.
  list: List cached images.
pull
Pull an image into the cache.
protect image pull [OPTIONS] <IMAGE>
Arguments:
  <IMAGE>: Image name.
Options:
  -s, --image-format <IMAGE_FORMAT>: Image format [default value: squashfs] [possible values: squashfs, tar, directory].
  -n, --no-update: Don’t update from registry.
  -o, --overwrite-cache: Overwrite image cache.
  -U, --username <USERNAME>: Auth username.
  -P, --password <PASSWORD>: Auth password.
  -T, --registry-token <REGISTRY_TOKEN>: Auth registry token.
  --identity-token <IDENTITY_TOKEN>: Auth identity token.
import
Import an image into the cache.
protect image import [OPTIONS] --digest <DIGEST> --image <IMAGE>
Options:
  -d, --digest <DIGEST>: Image digest.
  -n, --image <IMAGE>: Image name.
  -s, --image-format <IMAGE_FORMAT>: Image format [default value: squashfs] [possible values: squashfs, tar, directory].
  -o, --overwrite-cache: Overwrite image cache.
  -i <INPUT_FILE>: Input image tar [default value: /dev/stdin].
remove
Remove an image from the cache.
protect image remove [OPTIONS] <DIGEST>
Arguments:
  <DIGEST>: Image digest.
Options:
  -s, --image-format <IMAGE_FORMAT>: Image format [default value: all] [possible values: all, squashfs, tar, directory].
list
List cached images.
protect image list [OPTIONS]
Options:
  -o, --output <OUTPUT>: Output format [default value: table] [possible values: table, json, json-pretty, jsonl, yaml, key-value, simple].
network
Manage the network on Edera Protect.
protect network <COMMAND>
Subcommands:
  reservation: Manage network reservations.
reservation
Manage network reservations.
protect network reservation <COMMAND>
Subcommands:
  create: Create network reservation.
  destroy: Destroy network reservation.
  list: List network reservation information.
reservation create
Create network reservation.
protect network reservation create
reservation destroy
Destroy network reservation.
protect network reservation destroy <RESERVATION>
Arguments:
  <RESERVATION>: Reservation to destroy.
reservation list
List network reservation information.
protect network reservation list [OPTIONS]
Options:
  -o, --output <OUTPUT>: Output format [default value: table] [possible values: table, json, json-pretty, jsonl, yaml, key-value, simple].
device
Manage the devices on Edera Protect.
protect device <COMMAND>
Subcommands:
  list: List device information.
list
List device information.
protect device list [OPTIONS]
Options:
  -o, --output <OUTPUT>: Output format [default value: table] [possible values: table, json, json-pretty, jsonl, yaml, key-value, simple].
host
Manage the host of Edera Protect.
protect host <COMMAND>
Subcommands:
  cpu-topology: Display information about the host CPU topology.
  status: Get information about the host.
  control-snoop: Snoop on the Control API.
  idm-snoop: Snoop on the IDM bus.
  hv-console: Display hypervisor console output.
  hv-debug-info: Read hypervisor debug information.
cpu-topology
Display information about the host CPU topology.
protect host cpu-topology [OPTIONS]
Options:
  -o, --output <OUTPUT>: Output format [default value: table] [possible values: table, json, json-pretty, jsonl, yaml, key-value].
status
Get information about the host.
protect host status [OPTIONS]
Options:
  -o, --output <OUTPUT>: Output format [default value: simple] [possible values: simple, json, json-pretty, yaml, key-value].
control-snoop
Snoop on the Control API.
protect host control-snoop [OPTIONS]
Options:
  -o, --output <OUTPUT>: Output format [default value: simple] [possible values: simple, jsonl, key-value].
  --filter-internals: Filters out user agents matching edera-protect-*, excluding the CLI.
idm-snoop
Snoop on the IDM bus.
protect host idm-snoop [OPTIONS]
Options:
  -o, --output <OUTPUT>: Output format [default value: simple] [possible values: simple, jsonl, key-value].
hv-console
Display hypervisor console output.
protect host hv-console
hv-debug-info
Read hypervisor debug information.
protect host hv-debug-info
completion
Output shell completion code for the specified shell.
protect completion <SHELL>
Arguments:
  <SHELL>: [possible values: bash, elvish, fish, powershell, zsh].