I have three Ethernet interfaces, namely eth[0…2]. eth0 is connected to my VPN router and eth1 and eth2 are connected to my public facing router. eth0 is the standard interface that I normally let my Linux instance use. I now want to set up a container that hijacks (makes unavailable to the host) eth1 or eth2 in order to run various services that need to be reachable from WAN through a Wireguard tunnel.

I am aware that the man pages for systemd-nspawn say that it is primarily meant to be a test environment and not a secure container. Does anybody have experience with and/or opinions on this? Should I just learn how to use Docker?

For now, I am only asking about any potential security implications, since I don’t understand how container security works “under the hood”. The network portion of the setup would be something like:

Enabling forwarding kernel parameters on the host

Booting the container with systemd-nspawn -b -D [wherever/I/put/the/container] --network-interface=[eth1 or 2]

Then, managing the container’s network with networkd config files, including enabling IPForward and IPMasquerade

Then, configuring WireGuard according to their official guides or, for instance, the Arch wiki.

Any and all input would be appreciated! 😊
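The container-side networkd and WireGuard configuration for the steps above, as an added example that is not part of the original post: it only stages files under a directory for review, and the interface name, tunnel addresses, port and peer key are placeholder assumptions.

```shell
# Stage the container-side systemd-networkd files for the plan in the post.
# Everything goes under ROOT (the directory given to nspawn -D) for review
# before boot.  Addresses, port and peer key are placeholder assumptions.
set -eu

# write_container_net ROOT WAN_IF  (WAN_IF = interface handed over with
# --network-interface=, so the host no longer sees it)
write_container_net() {
    root=$1; wan_if=$2; dir="$root/etc/systemd/network"
    mkdir -p "$dir"
    # Public-facing interface: DHCP from the router, forwarding enabled.
    cat >"$dir/10-$wan_if.network" <<EOF
[Match]
Name=$wan_if
[Network]
DHCP=ipv4
IPForward=yes
EOF
    # WireGuard device.  The private key is read from a root-owned file
    # (readable by the systemd-network user), never inlined here.
    # AllowedIPs is cryptokey routing: only that /32 is accepted from or
    # routed to the peer, so a peer cannot claim other tunnel addresses.
    cat >"$dir/20-wg0.netdev" <<EOF
[NetDev]
Name=wg0
Kind=wireguard
[WireGuard]
PrivateKeyFile=/etc/systemd/network/wg0.key
ListenPort=51820
[WireGuardPeer]
PublicKey=REPLACE_WITH_PEER_PUBLIC_KEY
AllowedIPs=10.8.0.2/32
EOF
    # networkd masquerades packets forwarded *from* the interface that carries
    # IPMasquerade=, so it belongs on wg0 (the tunnel side), not on the WAN
    # interface: traffic arriving via the tunnel leaves with the WAN address.
    cat >"$dir/20-wg0.network" <<EOF
[Match]
Name=wg0
[Network]
Address=10.8.0.1/24
IPMasquerade=ipv4
EOF
    : >"$dir/wg0.key"          # placeholder; fill with the output of wg genkey
    chmod 0640 "$dir/wg0.key"
}

if [ $# -eq 2 ]; then write_container_net "$1" "$2"; fi
```

Run it as `sh stage.sh /path/to/container eth1` and inspect the generated files before booting the container with --network-interface=eth1.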

  • talkingpumpkin@lemmy.world (6 upvotes) · 9 hours ago

    “Should I just learn how to use Docker?”

    Since you are not tied to docker yet, I’d recommend going with podman instead.

    They are practically the same and most (all?) docker commands work on podman too, but podman is more modern (second generation advantage) and has a better reputation.

    As for passing a network interface to a container, it’s doable and IIRC it boils down to changing the namespace on the interface.

    Unless you have specific reasons to do that, I’d say it’s much easier to just forward ports from the host to containers the “normal” way.

    There’s no limit to how many different IPs you can assign to a host (you don’t need a separate interface for each one) and you can use a given port on different IPs for different things.

    For example, I run soft-serve (a git server) as a container. The host has one “management” IP (92.168.10.243) where openssh listens on port 22 and another IP (192.168.10.98) whose port 22 is forwarded to the soft-serve container via podman run [...] -p 192.168.10.98:22:22.

    • emotional_soup_88@programming.dev (OP) (1 upvote) · 8 hours ago

      Thank you for the suggestion on Podman! The thing is, since the VPN is running on one of my routers (connected to eth0), and since I want the public facing interfaces (1 and 2) not to use that router, I’m going to make use of one of those two extra interfaces anyway. Either way, good advice in adding multiple addresses to the same interface!