[systemd-devel] systemd-nspawn

Pascal patatetom at gmail.com
Tue Feb 2 05:06:56 PST 2016


hi it's me again ;-),

with options *network-bridge* or *network-veth*, you « need » to configure the
network host card *ve-container@if2* and the network container card *host0@if5*
..

with my request, the idea would be to not disconnect the loopback device
and so, without network configuration, the container could simply
expose network services through the host...

instead of the option *port* to run with the option *private-network*, this
could be a new option (lo-network) that doesn't totally disconnect the
network of the two systems, but leaves only loopback device...

regards, lacsaP.

2016-01-25 18:39 GMT+01:00 Pascal <patatetom at gmail.com>:

> hi again,
>
> some clarification : I'm on archlinux and systemd version is
> systemd 228
> +PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP
> +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN
>
> the systemd-nspawn documentation
> <http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html> says
>
> *-p, --port=    If private networking is enabled, maps an IP port on the
> host onto an IP port on the container. Takes a protocol specifier (either
> "tcp" or "udp"), separated by a colon from a host port number in the range
> 1 to 65535, separated by a colon from a container port number in the range
> from 1 to 65535. The protocol specifier and its separating colon may be
> omitted, in which case "tcp" is assumed. The container port number and its
> colon may be omitted, in which case the same port as the host port is
> implied. This option is only supported if private networking is used*,
> such as with --network-veth or --network-bridge=.
>
> with "systemd-nspawn -b -D my_container --private-network --port 1234", *private
> networking is enabled* and
> we could imagine that the port association is done on the loopback
> interface, no ?
>
> it would be good for isolating container without having to set a network
> configuration (bridge or other)...
>
> for example, in my container, I've redis and nodebb, with redis listening
> on 127.0.0.1:6379 and nodebb on 127.0.0.1:4567, and, on my host, nginx
> which is listening on 0.0.0.0:80 and acts as reverse proxy for nodebb : with "systemd-nspawn
> -b -D nodebb --private-network --port 4567" and without other network
> setting, I could access nodebb just with "proxy_pass http://127.0.0.1:4567;"
> in nginx.
>
> regards, lacsaP.
>
> 2016-01-25 0:10 GMT+01:00 Pascal <patatetom at gmail.com>:
>
>> hi,
>>
>> I'm discovering and playing with systemd-nspawn and I must say it's
>> pretty cool !
>>
>> I have a question about the --port option : why doesn't it work on the
>> loopback with the --private-network option ?
>>
>> e.g. "systemd-nspawn -b -D my_container --private-network --port 1234"
>> doesn't connect port 1234 of the host loopback with port 1234 of
>> the container loopback.
>>
>> regards, lacsaP.
>>
>
>
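The documentation quoted in the thread gives the grammar of `--port=` (optional `tcp`/`udp` prefix, host port, optional container port, both in 1..65535, container port defaulting to the host port) and states that the option is only honoured when private networking is in use. The following is an added example, not systemd's own parser or any code from the thread: it validates a `systemd-nspawn` command line against exactly those rules, so that a unit file or wrapper script fails early instead of silently getting no mapping. The names `PortSpec`, `parse_port_spec` and `port_specs_from_args` are this example's own; the duplicate host-port check at the end is an extra sanity check of the example's own, not behaviour documented on the page.

```python
"""Validate systemd-nspawn --port= specs as described in the nspawn man page.

Added example (hypothetical helper names), not code from systemd or the thread.
"""
from dataclasses import dataclass

PORT_MIN, PORT_MAX = 1, 65535
PROTOCOLS = ("tcp", "udp")
# Options that, per the quoted documentation, enable private networking.
PRIVATE_NET_FLAGS = ("--private-network", "--network-veth")
PRIVATE_NET_PREFIXES = ("--network-bridge=",)


@dataclass(frozen=True)
class PortSpec:
    protocol: str
    host_port: int
    container_port: int


def _parse_port(text: str, what: str) -> int:
    """Accept only a decimal integer within 1..65535."""
    if not text.isdigit():
        raise ValueError(f"{what} port {text!r} is not a number")
    port = int(text)
    if not PORT_MIN <= port <= PORT_MAX:
        raise ValueError(f"{what} port {port} outside {PORT_MIN}-{PORT_MAX}")
    return port


def parse_port_spec(spec: str) -> PortSpec:
    """Parse '[proto:]hostport[:containerport]' into a PortSpec.

    Omitted protocol means tcp; omitted container port means the host port.
    """
    parts = spec.split(":")
    protocol = "tcp"
    if parts and parts[0] in PROTOCOLS:
        protocol = parts.pop(0)
    if len(parts) == 1:
        host = _parse_port(parts[0], "host")
        container = host
    elif len(parts) == 2:
        host = _parse_port(parts[0], "host")
        container = _parse_port(parts[1], "container")
    else:
        raise ValueError(f"malformed port spec {spec!r}")
    return PortSpec(protocol, host, container)


def port_specs_from_args(argv: list[str]) -> list[PortSpec]:
    """Collect every -p/--port spec from an nspawn argument list.

    Raises if --port is used without private networking (the man page says the
    option is only supported then) or if two specs claim the same host port.
    """
    specs: list[PortSpec] = []
    private_networking = False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in PRIVATE_NET_FLAGS or arg.startswith(PRIVATE_NET_PREFIXES):
            private_networking = True
        elif arg in ("-p", "--port"):
            i += 1
            if i >= len(argv):
                raise ValueError(f"{arg} needs a value")
            specs.append(parse_port_spec(argv[i]))
        elif arg.startswith("--port="):
            specs.append(parse_port_spec(arg[len("--port="):]))
        i += 1

    if specs and not private_networking:
        raise ValueError(
            "--port= requires private networking "
            "(--private-network, --network-veth or --network-bridge=)"
        )

    # Example's own check: the same protocol/host port mapped twice is a
    # configuration mistake and would be ambiguous.
    seen: set[tuple[str, int]] = set()
    for spec in specs:
        key = (spec.protocol, spec.host_port)
        if key in seen:
            raise ValueError(f"host port {spec.protocol}/{spec.host_port} mapped twice")
        seen.add(key)
    return specs


if __name__ == "__main__":
    # Constructed sample: the nodebb command line from the thread.
    sample = ["-b", "-D", "nodebb", "--private-network", "--port", "4567"]
    print(port_specs_from_args(sample))
```

Feeding the thread's own `systemd-nspawn -b -D nodebb --private-network --port 4567` yields a single `tcp 4567 -> 4567` mapping; dropping `--private-network` makes the validator reject the command line, which is the documented condition the original question runs into.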