Hello,
I would like to create a systemd container using the --network-bridge option to systemd-nspawn and fixed addresses.
Previously I used lxc containers but I'm afraid adding lxc support is quite a large task.
My previous setup includes:
- static ip addresses per container (set using LXC, but /etc/network/interface will do),
- different hostname for each of the containers,
- configuration of a bind zone for my local container network,
- configuration of the firewall using ferm,
- proxy from host to containers using nginx.
If I understand correctly, alias or ipv4 are propagated to the host and are not part of the container definition, is that right?
I am also not sure about the setting of the hostname.
Do you have some hints about how this could be done?
I'd also like to use systemd-nspawn with its own network in the container. Have not worked through all the necessary config, which seems fairly complicated on the systemd side. Examples of how to do that with propellor would be great to have!
(There's a partial example in the haddock for Systemd.publish, which uses networkd to auto-configure a private network, but IIRC that is missing some routing/masquerading to let the container access the internet.)
As for `alias` and `ipv4` properties, when used in a container, their info does get propagated out to the info of the host as of propellor 4.8.1. That was done because it's sometimes useful to have an `alias` be part of a container's configuration and get the DNS server automatically configured with that alias pointing at the host(s) that have the container.

I agree it does not make sense for `ipv4`/`ipv6` used in a container to propagate out. I've changed propellor to not do that any longer, and allow controlling whether any given DNS info should propagate or not.

As for the hostname, it's not currently part of the Info system, and so there's no risk of a container overriding its Host's name. Things like Hostname.sane that look at the hostname will see the parent host's name. Hostname.setTo should work in a container to give it its own name. (At some point it would probably be worth moving hostnames into Info to avoid the extra complication..)
If you use networkd, things are quite simple: you can use `--network-zone=something` and it will create a bridge, add the host interface to it and add an interface in the container. The default networkd configuration will choose an IP network for the zone (it uses the interface name to recognize what must be done), use DHCP in the container, handle DHCP requests on the host and route packets to the external interface. The bridge is automatically removed when all containers are shut down.

Without networkd, you can create a bridge on the host in `/etc/network/interface`:

Then use the `--network-bridge=br0` option. It will add the host interface automatically to the bridge and you need a way to configure the container's interface, either using networkd or the traditional ifupdown.

Thanks for the change, I will try to come up with a working configuration, then try to see what can be improved from there.
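As an added example (not the configuration from the post above, which is not reproduced here), a host-side bridge definition and a container-side networkd unit for the `--network-bridge=br0` approach; the 10.0.3.0/24 addresses are constructed, and `host0` is assumed to be the name systemd-nspawn gives the container end of the veth pair:

```text
# Host: /etc/network/interfaces (the bridge_* options need the bridge-utils package)
# A bridge with no physical ports; nspawn adds each container's ve-* interface to it,
# so the host address below is the gateway the containers will use.
auto br0
iface br0 inet static
    address 10.0.3.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

# Container: /etc/systemd/network/80-container-host0.network
# (systemd-networkd must be enabled in the container.) Using this file name in /etc
# masks the stock unit of the same name, which would otherwise configure host0 by DHCP.
[Match]
Name=host0

[Network]
Address=10.0.3.10/24
Gateway=10.0.3.1
DNS=10.0.3.1
```

With this, containers on br0 reach each other and the host; reaching the internet additionally needs IPv4 forwarding on the host and a masquerade rule on the external interface (the ferm rules mentioned earlier), which the bridge alone does not provide.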
I tried to revert resolvConfed, but it seems to be ignored:
When it spins, there are two lines, one with, one without:
And it is included in the systemd service file.
@Nicolas, the reason it appears twice is that resolveConfed is added by default, and then you added it again reverted. That display could certainly be improved, perhaps by having it look to see if there's a resolveConfed setting before adding in the default one.
As to why reverting it didn't work, that was an Info ordering bug, which I've now fixed.