[systemd-devel] systemd-nspawn trouble

Lennart Poettering lennart at poettering.net
Mon Apr 27 07:40:14 PDT 2015


On Sat, 25.04.15 00:14, Tobias Hunger (tobias.hunger at gmail.com) wrote:

> Hello,
> 
> sorry (again) for the delay. I unfortunately cannot check into this
> as often as I would like :-(
> 
> Lennart: Thank you for that patch, that does indeed fix my issue with
> read-only machine images.
> 
> The networking issue does work better when iptables are used. All I
> needed to do was to make sure that packets from the VM are not
> getting dropped in the forwarding chain. Is there a way for me to do
> that automatically as interfaces to containers are created? I do not
> want to just accept every machine talking to everything else.
> Paranoia :-)

This is currently not supported, but I figure we could add that. Added
to the TODO list.

> What I noticed though is that the VM has the google nameservers set
> up. That came as a bit of a surprise: I had expected either the host
> to be the only DNS server registered (providing a DNS proxy) or at least
> that the nameservers of the host will also be set in the VM. Is that a
> known issue or are my expectations wrong?

When you use the word "vm" you refer to "container"?

(So far I used the name "vm" for full machine virtualization such as
kvm or virtualbox, and "container" for same-kernel virtualization,
such as nspawn).

networkd does not proxy DNS. However, networkd does forward DNS
configuration it learnt via DHCP. Also, nspawn by default actually
copies /etc/resolv.conf from the host into the container at boot,
though we probably should stop doing that...

What does "networkctl status -a" say when run in the container?

Lennart

-- 
Lennart Poettering, Red Hat
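Lennart says per-container forwarding rules are not something nspawn or networkd do for you yet. One way to get the "accept only this container, only towards the uplink" behaviour Tobias asks for, until that lands, is to hook a small script to interface creation. The script below is an added example written for this thread; it is not code from the thread, from systemd or from either poster. It assumes the default host-side veth naming of `systemd-nspawn --network-veth` (`ve-<machine>`), that the FORWARD chain's policy is already DROP (the situation Tobias describes), and that the host uplink is named by `UPLINK` (defaulting to the made-up name eth0). The udev rule in the header comment, the script path and the interface names are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd.
# Install as /usr/local/sbin/nspawn-fw (path is an assumption) and trigger it
# from udev when a container-side veth appears or disappears on the host:
#
#   # /etc/udev/rules.d/90-nspawn-fw.rules  (rule and path are assumptions)
#   ACTION=="add",    SUBSYSTEM=="net", KERNEL=="ve-*", RUN+="/usr/local/sbin/nspawn-fw add %k"
#   ACTION=="remove", SUBSYSTEM=="net", KERNEL=="ve-*", RUN+="/usr/local/sbin/nspawn-fw del %k"
#
# Assumes the FORWARD chain policy is DROP, so only the rules added here let
# traffic through: container -> uplink, plus replies back. Container-to-container
# traffic stays blocked by the policy, which is the "paranoid" default asked for.
set -eu

UPLINK="${UPLINK:-eth0}"   # assumption: the host's uplink interface name

# Only nspawn's host-side veths ("ve-<machine>") are touched; anything else is refused.
is_container_if() {
    case "$1" in
        ve-*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print the iptables commands for one interface, one per line, without running
# them. $1 = interface, $2 = "add" (iptables -A) or "del" (iptables -D).
rules_for() {
    ifname="$1"
    op="$2"
    is_container_if "$ifname" || { echo "refusing non-container interface: $ifname" >&2; return 1; }
    case "$op" in
        add) flag="-A" ;;
        del) flag="-D" ;;
        *)   echo "unknown op: $op" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "iptables $flag FORWARD -i $ifname -o $UPLINK -j ACCEPT" \
        "iptables $flag FORWARD -i $UPLINK -o $ifname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Run (or, with DRY_RUN set, just print) the generated commands.
apply_rules() {
    rules_for "$1" "$2" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Entry point when invoked by udev: nspawn-fw <add|del> <interface>
if [ $# -ge 2 ]; then
    apply_rules "$2" "$1"
fi
```

`DRY_RUN=1 nspawn-fw add ve-web` shows what would be applied without touching the firewall, which is the sane way to check the generated rules before wiring up the udev rule. Because the rules are keyed on the interface name, a container that is stopped and restarted gets exactly the same pair added and removed, and nothing accumulates across restarts.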

