[systemd-devel] nspawn: how to allow containers to connect to a specific host's port and prevent all the rest ?
fme at odoo.com
Tue Mar 7 09:02:50 UTC 2017
I would like to constrain the network in the containers I spawn using
What I'd like to achieve is the following:
- prevent the containers from using the network interfaces of the host
- make one exception and allow the containers to connect (tcp) to a
specific port bound on the host's loopback device
The option --private-network allows me to achieve the first goal, once I
use this option the container is "network isolated".
Then, reading the man page, I thought that using --port would allow the
container to connect to a host specific port so here's what I've been
trying so far:
On the host I run netcat so I can check connections on the guest:
root at host # netcat -l -p 1234
From the host, I can telnet to localhost 1234 without problem.
Then I run the container like this:
root at host # systemd-nspawn -M test --private-network --port 1234
But from the container I can't connect back to the host
root at test # telnet localhost 1234
telnet: Unable to connect to remote host: Connection refused
So I guess I've been using the --port option in an inappropriate way
thinking it would map a host port to the container loopback interface.
I checked the other networking options but I could not find something
suitable for my use case.
Any idea about how I could allow the container to connect to a specific
port on the host but forbid all the rest?