<html>
<head>
<base href="https://bugs.freedesktop.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - systemd-nspawn --network-bridge breaks networking in container's host"
href="https://bugs.freedesktop.org/show_bug.cgi?id=85464#c5">Comment # 5</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - systemd-nspawn --network-bridge breaks networking in container's host"
href="https://bugs.freedesktop.org/show_bug.cgi?id=85464">bug 85464</a>
from <span class="vcard"><a class="email" href="mailto:edt@aei.ca" title="Ed Tomlinson <edt@aei.ca>"> <span class="fn">Ed Tomlinson</span></a>
</span></b>
<pre>btw in <a href="show_bug.cgi?id=85464#c2">comment 2</a> it should have read --network-interface=eth1
When using network-interface I configure eth0 in the kvm host, and pass eth1 to
the nspawn dev and configure it there. When dev is active I see the problem.
Another observation. If I create three interfaces when starting kvm eg.
-netdev bridge,id=hn0 -device virtio-net-pci,netdev=hn0,id=nic0 \
-netdev bridge,id=hn1 -device virtio-net-pci,netdev=hn1,id=nic1 \
-netdev bridge,id=hn2 -device virtio-net-pci,netdev=hn2,id=nic2 \
and pass eth1 to nspawn dev and pass eth2 to nspawn prd and configure all
interfaces on the same network then communication (as root) is possible between prd,
host & grover or between dev, host & grover but not between dev & prd.
I think in all cases I am seeing some side effects of network namespaces.
In any case it makes isolation of the interfaces networks used by dev & prd
almost useless. I realize that nspawn is not a security solution and that its
isolation very probably can be easily hacked. However, it would be nice to be
able to partition the networks - it makes the setup of programs running in them
simpler.
Ed</pre>
</div>
</p>
</body>
</html>