[systemd-devel] systemd-nspawn and IPv6

Kai Krakow hurikhan77 at gmail.com
Mon Apr 27 11:08:08 PDT 2015


Lennart Poettering <lennart at poettering.net> schrieb:

> On Sun, 26.04.15 16:50, Kai Krakow (hurikhan77 at gmail.com) wrote:
> 
>> Hello!
>> 
>> I've successfully created a Gentoo container on top of a Gentoo host. I
>> can start the container with machinectl. I can also login using SSH. So
>> mission almost accomplished (it should become a template for easy vserver
>> cloning).
>> 
>> But from within the IPv6-capable container I cannot access the IPv6
>> outside world. Name resolution via IPv6 fails, as does pinging to IPv6.
>> It looks like systemd-nspawn does only setup IPv4 routes to access
>> outside my gateway boundary. IPv6 does not work.
> 
> Well, networkd on the host automatically sets up IPv4 masquerading for
> each container. We simply don't do anything equivalent for IPv6
> currently.

So it was a good idea to ask before poking around... ;-)

> Ideally we wouldn't have to do NAT for IPv6 to make this work, and
> instead would pass on some ipv6 subnet we acquired from uplink without
> NAT to each container, but we currently don't have infrastructure for
> that in networkd, and I am not even sure how this could really work,
> my ipv6-fu is a bit too limited...
> 
> or maybe we should do ipv6 nat after all, under the logic that
> containers are just an implementation detail of the local host rather
> than something to be made visible to the outside world. however code
> for this exists neither.

Well, my expectation would be to have NAT for IPv6 here. Why should we NAT 
IPv4 private addresses by default but not IPv6 private addresses?

The obvious would be that "it just works." If I wanted routable IPv4, I'd 
configure that. If I wanted routable IPv6, I'd do that, too. But it'd be 
pretty surprising to have IPv4 NAT but IPv6 public access if radvd 
propagated a routable address. This could also become a security problem by 
surprise.

So I suggest, by default both protocols should behave the same.

For my project IPv6 is currently no requirement but it's a future 
improvement plan. I just wanted to test it out. So currently I could resort 
to switching off IPv6 in the container, though it's also not obvious how to 
do it. It's probably done by means of putting some config in 
/etc/systemd/network within the container.

> Or in other words: ipv6 setup needs some manual networking setup on
> the host.

Or there... Any pointers?

Thanks,
Kai

-- 
Replies to list only preferred.
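Since, as the quoted reply says, networkd sets up IPv4 masquerading per container but nothing equivalent for IPv6, the host side has to be done by hand. The script below is an added example of that manual host setup; it is not from the original thread and not systemd's own code. It assumes the names in UPLINK, CONTAINER and PREFIX (the uplink interface, the machine name, and a ULA prefix routed to the container), and that the host end of the container's veth is named ve-<machine>, which is what systemd-nspawn creates with --network-veth. It deliberately refuses to masquerade a non-ULA prefix, so that a global prefix leaking into the container (the "security problem by surprise" mentioned above) is reported rather than silently hidden behind NAT.

```shell
#!/bin/sh
# Added example: manual host-side IPv6 NAT for a systemd-nspawn container.
# Not code from the original post or from systemd. All names below are
# assumptions for this example; adjust them to the real host.

UPLINK="${UPLINK:-eth0}"                    # assumed uplink interface
CONTAINER="${CONTAINER:-gentoo}"            # assumed machine name
PREFIX="${PREFIX:-fd12:3456:789a::/64}"     # assumed ULA prefix on ve-$CONTAINER

# ULA space is fc00::/7, i.e. the address starts with fc.. or fd..
is_ula() {
    case "$1" in
        [fF][cCdD]??:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the nftables ruleset as text so it can be reviewed before applying.
# Only traffic from the container prefix leaving via the uplink is
# masqueraded, and the forward chain only allows that direction plus
# return traffic; everything else forwarded over IPv6 on this host is dropped.
nspawn_ipv6_nat_ruleset() {
    uplink="$1"; machine="$2"; prefix="$3"
    if ! is_ula "$prefix"; then
        echo "refusing to masquerade non-ULA prefix $prefix" >&2
        return 1
    fi
    cat <<EOF
table ip6 nspawn_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip6 saddr $prefix oifname "$uplink" masquerade
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "ve-$machine" ip6 saddr $prefix oifname "$uplink" accept
    }
}
EOF
}

# Kernel knobs: forwarding must be on, and a host that forwards stops
# accepting router advertisements on the uplink unless accept_ra=2 is set.
nspawn_ipv6_sysctls() {
    uplink="$1"
    printf 'net.ipv6.conf.all.forwarding=1\nnet.ipv6.conf.%s.accept_ra=2\n' "$uplink"
}

# Apply both pieces on the host (needs root, nft and sysctl).
apply() {
    nspawn_ipv6_sysctls "$UPLINK" | while IFS= read -r kv; do
        sysctl -w "$kv"
    done
    nspawn_ipv6_nat_ruleset "$UPLINK" "$CONTAINER" "$PREFIX" | nft -f -
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it without arguments to review the generated ruleset (`nspawn_ipv6_nat_ruleset "$UPLINK" "$CONTAINER" "$PREFIX"` after sourcing it), and with `apply` as root to install it. The forward chain's drop policy also blocks IPv6 forwarding between containers and any other IPv6 routing the host does, so widen it if the host is meant to route more than this one container.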


