[systemd-devel] systemd-nspawn

Pascal patatetom at gmail.com
Mon Jan 25 09:39:55 PST 2016


hi again,

some clarification: I'm on archlinux and the systemd version is
systemd 228
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP
+GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

the systemd-nspawn documentation
<http://www.freedesktop.org/software/systemd/man/systemd-nspawn.html> says

*-p, --port=    If private networking is enabled, maps an IP port on the
host onto an IP port on the container. Takes a protocol specifier (either
"tcp" or "udp"), separated by a colon from a host port number in the range
1 to 65535, separated by a colon from a container port number in the range
from 1 to 65535. The protocol specifier and its separating colon may be
omitted, in which case "tcp" is assumed. The container port number and its
colon may be omitted, in which case the same port as the host port is
implied. This option is only supported if private networking is used*, such
as with --network-veth or --network-bridge=.

with "systemd-nspawn -b -D my_container --private-network --port 1234", *private networking is enabled* and we could imagine that the port association is done on the loopback interface, no ?

it would be good for isolating containers without having to set up a network configuration (bridge or other)...

for example, in my container I have redis and nodebb, with redis listening on 127.0.0.1:6379 and nodebb on 127.0.0.1:4567, and on my host nginx, which listens on 0.0.0.0:80 and acts as a reverse proxy for nodebb: with "systemd-nspawn -b -D nodebb --private-network --port 4567" and without any other network setting, I could access nodebb just with "proxy_pass http://127.0.0.1:4567;" in nginx.

regards, lacsaP.

2016-01-25 0:10 GMT+01:00 Pascal <patatetom at gmail.com>:

> hi,
>
> I'm discovering and playing with systemd-nspawn and I must say it's
> pretty cool !
>
> I have a question about the --port option : why doesn't it work on the
> loopback with the --private-network option ?
>
> eg "systemd-nspawn -b -D my_container --private-network --port 1234"
> doesn't connect the port 1234 of the loopback host with the port 1234 of
> the loopback container.
>
> regards, lacsaP.
>
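As an added illustration for this thread (not systemd's own code), the following Python script parses `--port=` values exactly as the man page text quoted above describes them (`PROTO:HOSTPORT:CONTAINERPORT`, protocol defaulting to `tcp`, container port defaulting to the host port, ports in 1..65535) and then inspects a full `systemd-nspawn` command line to report which host ports it asks to expose and whether a host-reachable private network option is present at all. The set of options treated as "host-reachable" (`--network-veth`, `--network-bridge=`) is an assumption taken from the examples the quoted man page gives; the poster's observation is that `--private-network` alone produced no loopback mapping, so a command that combines `--port` with only `--private-network` is flagged for review rather than assumed to work.

```python
"""Lint systemd-nspawn --port= usage against the man-page wording quoted in
the mail.  Added example, not part of systemd; option names below that are not
in the quoted text are marked as assumptions."""
import shlex
from dataclasses import dataclass

VALID_PROTOCOLS = ("tcp", "udp")
# Assumption: options the quoted man page names as examples of private
# networking under which --port= is supported.
HOST_REACHABLE_OPTIONS = ("--network-veth", "--network-bridge")


@dataclass(frozen=True)
class PortMap:
    protocol: str
    host_port: int
    container_port: int


def _check_port(text: str) -> int:
    """Accept only a decimal port number in the range 1..65535."""
    if not text.isdigit():
        raise ValueError(f"port {text!r} is not a number")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1..65535")
    return port


def parse_port_spec(spec: str) -> PortMap:
    """Parse one --port= value: [PROTO:]HOSTPORT[:CONTAINERPORT]."""
    parts = spec.split(":")
    if parts and parts[0] in VALID_PROTOCOLS:
        protocol = parts.pop(0)
    else:
        protocol = "tcp"  # protocol and its colon may be omitted
    if len(parts) == 1:
        # container port and its colon omitted: same port as the host port
        host = container = _check_port(parts[0])
    elif len(parts) == 2:
        host, container = _check_port(parts[0]), _check_port(parts[1])
    else:
        raise ValueError(f"malformed --port specification {spec!r}")
    return PortMap(protocol, host, container)


def analyse_command(command: str) -> dict:
    """Collect the port mappings a command line requests and whether any
    host-reachable private-network option accompanies them."""
    argv = shlex.split(command)
    maps, private, reachable = [], False, False
    it = iter(argv)
    for arg in it:
        if arg in ("--port", "-p"):
            maps.append(parse_port_spec(next(it)))
        elif arg.startswith("--port="):
            maps.append(parse_port_spec(arg[len("--port="):]))
        elif arg == "--private-network":
            private = True
        elif arg.split("=", 1)[0] in HOST_REACHABLE_OPTIONS:
            reachable = True
    return {
        "ports": maps,
        "private_network": private,
        "host_reachable_interface": reachable,
        # --port can only take effect when there is an interface the host can
        # forward into; loopback-only private networking (the poster's case)
        # is flagged here for review.
        "port_mapping_can_apply": bool(maps) and reachable,
    }


if __name__ == "__main__":
    # Constructed sample command lines, the first one being the poster's.
    for cmd in (
        "systemd-nspawn -b -D nodebb --private-network --port 4567",
        "systemd-nspawn -b -D nodebb --network-veth --port=tcp:8080:4567",
    ):
        report = analyse_command(cmd)
        state = "can apply" if report["port_mapping_can_apply"] else "REVIEW: no host-reachable interface"
        print(f"{cmd}\n  ports={report['ports']}  -> {state}")
```

Run it as a plain script to see both sample commands analysed; the first, matching the mail, is reported for review because the only networking option present is `--private-network`.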

