I have three Ethernet interfaces, namely eth[0…2]. eth0 is connected to my VPN router and eth1 and eth2 are connected to my public facing router. eth0 is the standard interface that I normally let my Linux instance use. I now want to set up a container that hijacks (makes unavailable to the host) eth1 or eth2 in order to run various services that need to be reachable from WAN through a Wireguard tunnel.

I am aware that the man pages for systemd-nspawn say that it is primarily meant to be a test environment and not a secure container. Does anybody have experience with and/or opinions on this? Should I just learn how to use Docker?

For now, I am only asking about any potential security implications, since I don’t understand how container security works “under the hood”. The network portion of the setup would be something like:

Enabling forwarding kernel parameters on the host

Booting the container with systemd-nspawn -b -D [wherever/I/put/the/container] --network-interface=[eth1 or 2]

Then, managing the container’s network with networkd config files, including enabling IPForward and IPMasquerade

Then, configuring wireguard according their official guides or, for instance, the Arch wiki.

Any and all input would be appreciated! 😊

  • a_fancy_kiwi@lemmy.world
    4·
    17 days ago

    Should I just learn how to use Docker?

    Yes. I put off learning it for so long and now can’t imagine self-hosting anything without it. I think all you have to do is set a static IP to the NIC from your router and then specify the IP and port in a docker-compose.yml file:

    Ex: IP-address:external-port:container-port

    services:
    app-name:
        ports
            - 192.168.1.42:3000:3000
      • a_fancy_kiwi@lemmy.world
        5·
        17 days ago

        You might come across docker run commands in tutorials. Ignore those. Just focus on learning docker compose. With docker compose, the run command just goes into a yaml file so it’s easier to read and understand what’s going on. Don’t forget to add your user to the docker group so you aren’t having to type sudo for every command.

        Commands you’ll use often:

        docker compose up - runs container

        docker compose up -d - runs container in headless mode

        docker compose down - shuts down container

        docker compose pull - pulls new images

        docker image list - lists all images

        docker ps - lists running containers

        docker image prune -a - deletes images not being used by containers to free up space