<div dir="ltr"><div><div>hi it's me again ;-), </div>with options network-bridge or network-veth, you « need » to configure network host card ve-container@if2 and network container card host0@if5.. with my request, the idea would be to not disconnect the loopback device and so, without network configuration, the container could simply expose network services throught the host... instead of the option port to run with the option private-network, this could be a new option (lo-network) that doesn't totally disconnect the network of the two systems, but leaves only loopback device... </div>regards, lacsaP.<code class=""></code><div><div class="gmail_extra"> </div><div class="gmail_extra"><div class="gmail_quote">2016-01-25 18:39 GMT+01:00 Pascal <<a href="mailto:patatetom@gmail.com" target="_blank">patatetom@gmail.com</a>>: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div>hi again, </div>some calrification : I'm on archlinux and systemd version is systemd 228 +PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN </div>the systemd-nspawn <a href="http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html" target="_blank">documentation</a> says -p, --port= If private networking is enabled, maps an IP port on the host onto an IP port on the container. Takes a protocol specifier (either "tcp" or "udp"), separated by a colon from a host port number in the range 1 to 65535, separated by a colon from a container port number in the range from 1 to 65535. The protocol specifier and its separating colon may be omitted, in which case "tcp" is assumed. The container port number and its colon may be omitted, in which case the same port as the host port is implied. This option is only supported if private networking is used, such as with --network-veth or --network-bridge=. </div>with "systemd-nspawn -b -D my_container --private-network --port 1234", private networking is enabled and we could imagine that the port association is done on the loopback interface, no ? it would be good for isolating container without having to set a network configuration (bridge or other)... </div>for example, in my container, I've redis and nodebb, with redis listening on <a href="http://127.0.0.1:6379" target="_blank">127.0.0.1:6379</a> and nodebb on 127.0.0.1:4567, and, on my host, nginx which listening on <a href="http://0.0.0.0:80" target="_blank">0.0.0.0:80</a> and act as reverse proxy for nodebb : with "systemd-nspawn -b -D nodebb --private-network --port 4567" and without other network setting, I could access nodebb just with "proxy_pass <a href="http://127.0.0.1:4567" target="_blank">http://127.0.0.1:4567</a>;" in nginx. </div>regards, lacsaP. <div><div class="h5"><div><div><div class="gmail_extra"> <div class="gmail_quote">2016-01-25 0:10 GMT+01:00 Pascal <<a href="mailto:patatetom@gmail.com" target="_blank">patatetom@gmail.com</a>>: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>hi, I'm discovering and playing with systemd-nspawn and I must say it's pretty cool ! I have a question about the --port option : why it doesn't work on the loopback with --private-network option ? </div>eg "systemd-nspawn -b -D my_container --private-network --port 1234" doesn't connect the port 1234 of the loopback host with the port 1234 of the loopback container. </div>regards, lacsaP. </div> </blockquote></div> </div></div></div></div></div></div> </blockquote></div> </div></div></div>