[systemd-devel] systemd-nspawn and IPv6
Kai Krakow
hurikhan77 at gmail.com
Mon Apr 27 11:17:03 PDT 2015
Tomasz Torcz <tomek at pipebreaker.pl> wrote:
>> Well, would that enable automatic, correcting routing between the
>> container and the host's external network? That's kinda what this all
>> is about...
>
> If you have radvd running, it should. By the way, speaking of NAT
> in context of IPv6 is a heresy.
Why? Its purpose here is not saving some addresses (we have many in IPv6),
its purpose is to have security and containment. The services provided by
the container - at least in my project - are meant to be seen as a service
of the host (as Lennart pointed out as a possible application in another
post). I don't want the containers being addressable/routable from outside
in. And putting a firewall in place to counterfeit this is just security by
obscurity: Have one configuration problem and your firewall is gone and the
container publicly available.
The whole story would be different if I'd set up port forwarding afterwards
to make services from the containers available - but that won't be the case.
Each container has to be in its own private network (or grouped into a
private network with selected other containers). Only gateway services on
the host system (like a web proxy) are allowed to talk to the containers.
--
Replies to list only preferred.
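As an added illustration of the layout described above (each container on its own private network, reachable only from gateway services on the host), here is one way to build it with systemd-networkd and a ULA prefix instead of NAT. This is example configuration written for this page, not from the original post or from the systemd project; the container name `web1`, the prefix `fd12:3456:789a::/64` (a placeholder, generate your own per RFC 4193) and the file paths are assumptions. It relies on two facts: `systemd-nspawn --network-veth` creates a host interface named `ve-<container>` whose peer inside the container is `host0`, and a ULA prefix that is never announced or forwarded by the host is not routable from outside no matter what the packet filter says.

```ini
# --- Host side: /etc/systemd/network/50-ve-web1.network (assumed path) ---
# Later systemd releases ship 80-container-ve.network, which advertises a
# prefix and enables masquerading on every ve-* link; the "50-" name sorts
# earlier, so this more specific file is the one networkd applies.
[Match]
Name=ve-web1

[Network]
# Locally assigned ULA address (fd00::/8). The prefix is never announced
# on any other link, so nothing outside the host has a route to it.
Address=fd12:3456:789a::1/64
# No radvd and no IPv6SendRA=/IPv6PrefixDelegation= here: the host does
# not advertise itself as a router towards the container.

# --- Container side: /var/lib/machines/web1/etc/systemd/network/host0.network ---
[Match]
Name=host0

[Network]
Address=fd12:3456:789a::2/64
# Deliberately no Gateway=: the container gets no default route, so it can
# only talk to the host end of the veth (and to other containers the host
# chooses to place on the same prefix), not to the outside world.

# --- Host side: /etc/sysctl.d/10-no-ipv6-forward.conf (assumed path) ---
# Keep the kernel default. With forwarding off the host never relays
# packets between its external interface and the container links, even if
# a neighbour on the uplink points a route for the ULA prefix at the host.
net.ipv6.conf.all.forwarding = 0

# --- Host gateway service (e.g. nginx) is the only thing that reaches in ---
#   upstream web1 { server [fd12:3456:789a::2]:8080; }
```

To check the result, `ip -6 route show` on the host should list `fd12:3456:789a::/64 dev ve-web1` and nothing else for that prefix, and the same command inside the container should show the `/64` on `host0` but no `default` route. Reachability then depends on the routing table and the forwarding sysctl, not on a filter rule that a single configuration mistake could drop; a packet filter can still be added on top, but it is no longer the only thing standing between the container and the outside.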