# Nspawn VM example

```systemd
# Comments must sit on their own line: the unit-file parser only
# recognises '#' at the start of a line, not after a value.

[Network]
Bridge=vms-priv

[Exec]
## UID/GID mapping delegation for the container
# "no" is needed for domain IDs outside the nspawn 65536 range
PrivateUsers=no

## Capabilities
# just in case; you can try to remove it
Capability=CAP_SYS_ADMIN
# allow all CAPs at once (not recommended)
#Capability=all
# list of all available CAPs: run systemd-nspawn --capability=help
#Capability=help

## Limit for max file descriptors
# the samba-common package changes ulimit NOFILE to 16384
# (/etc/security/limits.d/90-samba.conf);
# without this option you can't log in to the container
LimitNOFILE=infinity

## Ability to change the system call filter
# allows KEYCTL system calls to work with the kernel keyring
# list of all available syscalls: systemd-analyze syscall-filter
SystemCallFilter=@keyring
```