[systemd-devel] [Question] How to make services only see only one external network interface and loopback
Mantas Mikulėnas
grawity at gmail.com
Tue Jan 17 22:04:37 UTC 2023
There's no single service option to do this, as far as I know, since it
involves a bit more than just making the interface visible.
After PrivateNetwork is enabled, the newly created namespaces need to be
explicitly given network access through the host; the same "external"
interface can't exist in two namespaces at once, so in Docker you usually
have a virtual one.
One method is a pair of 'veth' interfaces – one end stays in the host
namespace, one is moved into the container namespace, and you have a
virtual Ethernet cable between the two. The host end then usually goes into
a bridge, and the host does routing and often NAT (just like it would for
full VMs). Something needs to assign internal IP addresses to both
interfaces, and something needs to add those NAT rules.
(Another method is to create a 'macvlan' interface off the physical
interface and give it to the container, which then gets its own IP address
directly from the LAN.)
It would be possible to do this with systemd services (maybe systemd-nspawn
to set up namespaces plus networkd to configure the interfaces), but
probably far more hacky than using a container runtime that does all such
configuration by default.
On Tue, Jan 17, 2023, 22:04 Lucas Eduardo <lucas59356 at gmail.com> wrote:
> I am working on a service unit for a DHT crawler.
>
> For some reason, it doesn't work well with the default network settings
> because it seems to use a huge amount of traffic for a very small
> amount of findings.
>
> The same program works fine via docker, but I want to package it as a
> hardened systemd unit.
>
> A difference between the network layout in Docker and the host is that
> Docker only exposes the "lo" interface and an upstream one, and the host
> exposes everything and I think it's causing some kind of conflict.
>
> How can I implement this Docker behaviour in systemd?
>
> I tried using PrivateNetwork but it kills any Internet access because
> only localhost is available.
>
> Is there any not so well known feature to implement this?
>
> I am running systemd 251.7 on NixOS. I already have experience
> converting systemd stuff to the way the NixOS module system understands.
>
> Thanks in advance
>
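The veth-pair-plus-NAT layout Mantas describes, as an added example that is not code from the thread: it uses `ip netns` for the namespace and a systemd `NetworkNamespacePath=` drop-in rather than systemd-nspawn plus networkd, and assumes a namespace named crawler, a veth pair crawler0/crawler1 on 10.200.0.0/30 and an uplink called eth0 (all constructed names).

```shell
#!/bin/sh
# Added example, not from the thread: give one service a namespace that holds
# only "lo" and one veth end. The host end is left unbridged; the host just
# routes and masquerades the pair's /30 out of its uplink. Needs root,
# iproute2 and nftables; with DRY_RUN=1 it only prints the commands.
set -eu

NS=${NS:-crawler}            # assumed namespace name
HOST_IF=${HOST_IF:-crawler0} # veth end that stays on the host
NS_IF=${NS_IF:-crawler1}     # veth end moved into the namespace
HOST_IP=${HOST_IP:-10.200.0.1}
NS_IP=${NS_IP:-10.200.0.2}
UPLINK=${UPLINK:-eth0}       # assumed external interface

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Namespace plus veth "cable": the service side sees only lo and $NS_IF.
setup_netns() {
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_IP/30" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip -n "$NS" addr add "$NS_IP/30" dev "$NS_IF"
    run ip -n "$NS" link set lo up
    run ip -n "$NS" link set "$NS_IF" up
    run ip -n "$NS" route add default via "$HOST_IP"
    # Host does the routing and NAT, as it would for a VM.
    run sysctl -qw net.ipv4.ip_forward=1
    run nft add table ip crawler_nat
    run nft add chain ip crawler_nat post '{ type nat hook postrouting priority srcnat; }'
    run nft add rule ip crawler_nat post ip saddr "$NS_IP" oifname "$UPLINK" masquerade
}

# Drop-in for the service: join the prepared namespace (systemd 242+)
# instead of the empty one PrivateNetwork=yes would create.
unit_dropin() {
    printf '[Service]\nNetworkNamespacePath=/run/netns/%s\n' "$NS"
}

if [ "${1:-}" = apply ]; then
    setup_netns
    unit_dropin
fi
```

Run as root with `apply` to create the namespace and print the drop-in to install under the unit's `.d/` directory; the service then has only lo and crawler1, with the host's NAT as its only way out.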