[systemd-devel] systemd-nspawn and IPv6

Kai Krakow hurikhan77 at gmail.com
Mon Apr 27 14:06:46 PDT 2015


Lennart Poettering <lennart at poettering.net> wrote:

> On Mon, 27.04.15 20:17, Kai Krakow (hurikhan77 at gmail.com) wrote:
> 
>> Tomasz Torcz <tomek at pipebreaker.pl> wrote:
>> 
>> >> Well, would that enable automatic, correct routing between the
>> >> container and the host's external network? That's kinda what this all
>> >> is about...
>> > 
>> > If you have radvd running, it should.  By the way, speaking of NAT
>> > in context of IPv6 is a heresy.
>> 
>> Why? Its purpose here is not saving some addresses (we have many in
>> IPv6), its purpose is to have security and containment. The services
>> provided by the container - at least in my project - are meant to be seen
>> as a service of the host (as Lennart pointed out as a possible
>> application in another post). I don't want the containers being
>> addressable/routable from outside in. And putting a firewall in place to
>> counterfeit this is just security by obscurity: Have one configuration
>> problem and your firewall is gone and the container publicly available.
>> 
>> The whole story would be different if I'd setup port forwarding
>> afterwards to make services from the containers available - but that
>> won't be the case.
> 
> Sidenote: systemd-nspawn already covers that for ipv4: use the --port=
> switch (or -p).

Yes, I know... And I will certainly find a use-case for that. :-)

But the general design of my project is to put containers behind a reverse 
proxy like nginx or varnish, set up some caching and WAF rules, and 
dynamically point incoming web requests to the right container servicing the 
right environment. :-)

I will probably pull performance data through such a port forwarding. But 
for now the testbed is only my desktop system, some months will pass before 
deploying this on a broader basis, it will certainly not start with IPv6 
support (but it will be kept in mind), and I still have a lot of ideas to 
try out.

I won't even need to have IPv6 pass into the host from external networks 
because a proxy will sit in between. But it would be nice if containers could 
use IPv6 from inside without having to worry that packets could pass in 
through a public routing rule. I don't like pulling up a firewall before 
everything is settled, tested, and secured. A firewall is only the last 
resort barrier. The same holds true for stuff like fail2ban or denyhosts.

For the time being, I should simply turn off IPv6 inside the container. 
However, I didn't figure out how to prevent systemd-networkd inside the 
container from doing that.

-- 
Replies to list only preferred.
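Editor's note, added example (not part of Kai's message and not systemd's own unit files): the two practical pieces behind this exchange are the networkd configuration that stops the container from picking up IPv6 on host0, and a check that the container really ended up with nothing but link-local. The script below assumes the container is started with --network-veth (so its interface is host0 and the stock 80-container-host0.network from /usr/lib/systemd/network applies), and that its systemd-networkd is recent enough to know IPv6AcceptRA= (older releases spelled it IPv6AcceptRouterAdvertisements=). The ip(8) output it parses is constructed, not captured from a real container.

```shell
#!/bin/sh
# Added example; not code from the thread or from systemd.
# (1) a .network unit that keeps systemd-networkd inside an nspawn container
#     from configuring IPv6 on host0,
# (2) a sysctl fallback that does not depend on the networkd version,
# (3) a check that the container has no global-scope IPv6 address.
#
# Assumptions (not stated on the page): container interface is host0
# (--network-veth), networkd >= 231 for the IPv6AcceptRA= spelling.

# Print a .network unit for host0 with IPv6 switched off. Saved inside the
# container as /etc/systemd/network/80-container-host0.network it shadows the
# stock unit of the same name under /usr/lib/systemd/network.
no_ipv6_host0_unit() {
    cat <<'EOF'
[Match]
Name=host0
Virtualization=container

[Network]
DHCP=ipv4
IPv6AcceptRA=no
LinkLocalAddressing=ipv4
EOF
}

# Fallback that works regardless of the networkd version: drop this into
# /etc/sysctl.d/ inside the container and the kernel never assigns IPv6.
no_ipv6_sysctl() {
    printf '%s\n' \
        'net.ipv6.conf.all.disable_ipv6 = 1' \
        'net.ipv6.conf.default.disable_ipv6 = 1'
}

# Read `ip -6 -o addr show` output on stdin, print the number of
# global-scope IPv6 addresses. With -o each address is one line:
#   <idx>: <ifname> inet6 <addr>/<len> scope <scope> ...
# Link-local (scope link) and ::1 (scope host) cannot be reached through a
# public route and are ignored; anything "scope global" (ULA included) is
# counted, because that is what an outside-in routing rule would deliver to.
count_global_ipv6() {
    awk '$3 == "inet6" && $5 == "scope" && $6 == "global" { n++ }
         END { print n + 0 }'
}

# Constructed sample (not real output): a container that was still handed a
# global address by router advertisements, next to its link-local one.
SAMPLE_LEAKED='2: host0    inet6 2001:db8:1::42/64 scope global dynamic \       valid_lft 86398sec preferred_lft 14398sec
2: host0    inet6 fe80::d8f1:55ff:fe82:a1b2/64 scope link \       valid_lft forever preferred_lft forever'

# Prints 1: one address that a public route could reach.
printf '%s\n' "$SAMPLE_LEAKED" | count_global_ipv6

# Usage inside the container (as root), then recheck with the real command:
#   no_ipv6_host0_unit > /etc/systemd/network/80-container-host0.network
#   no_ipv6_sysctl     > /etc/sysctl.d/90-no-ipv6.conf
#   systemctl restart systemd-networkd
#   ip -6 -o addr show | count_global_ipv6     # expect 0
# On the host, the IPv4 service can still be published the way Lennart
# mentions, without any IPv6 route into the container:
#   systemd-nspawn -D /var/lib/machines/web --network-veth --port=tcp:8080:80
```

The check counts by scope rather than by prefix on purpose: a ULA from fc00::/7 also shows as "scope global", and the question Kai is asking is whether any address exists that a routing rule on the host could forward to, not whether the address is globally unique.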
