systemd-nspawn: redirect ports and keep internet

Question

I'd like to know how to be able to:

• redirect ports between host and container (like for example forwarding the host 23 port to the container 22 port)
• be able to connect to the internet, for example to install packages

If I just boot using:

sudo systemd-nspawn -b -D debian_master

I can change the port of sshd and then I can connect to it though ssh, and also connect to the internet, but then it's not port forwarding.

I also tried:

sudo bash -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo systemd-nspawn -b -D ./debian_master -n -p 23:22

but then I cannot even connect to the internet.

Here is the result of my ip a command on the container:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: host0@if6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 72:ba:f6:a1:ca:f0 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Thank you!

-- EDIT --

The host system is debian sid, and the container is a debian stable. To create this container, I just ran:

sudo debootstrap stable debian_master http://deb.debian.org/debian/

and then I edited the password using:

sudo systemd-nspawn -D debian_master
passwd
logout

and then I can try to start it:

sudo systemd-nspawn -b -D debian_master -n -p 22:23

... and get some connection trouble. And it's not a problem of DNS or Firewall, I cannot even ping 8.8.8.8, because I don't even have a local ip (check my ip a above)

I also tried to run systemd-networkd on both host and container, but it does not work:

sudo systemctl enable systemd-networkd
sudo systemctl start systemd-networkd

On the container, I get an error

sudo: unable to resolve host <my host hostname>: Connection refused

-- EDIT 2 --

I progress... I edited on the host side the file /etc/systemd/network/MyDhcp.network like that:

[Match]
Name=en*

[Network]
DHCP=ipv4
IPForward=1
IPMasquerade=yes

and now I've an IP. But I still can't manage to ping 8.8.8.8, maybe it has something to do with packet forwarding...

-- EDIT 3 --

I still progress, now if I create the following file and reboot, I have internet, and even DNS:

$ cat /etc/sysctl.d/ip_forward.conf 
net.ipv4.ip_forward = 1

I also made sure that everything in this comment was right: https://github.com/systemd/systemd/issues/468#issuecomment-117904714 .

Now I manage to connect through the newly created interface, using something like:

ssh [email protected] -p 22

But I don't know why,

ssh root@localhost -p 23

does not work. So what is the meaning of the -p option ? I also tried to run

sudo netstat -antp | grep 23

but nothing interesting is here. As a reminder, here is the command I use:

sudo systemd-nspawn -b -D debian_master -n -p 23:22

Answer 1

Short answer: ssh root@XXX -p 23, where XXX is the public IP address of the host. See iptables -L -t nat for the reason.

Here is a complete howto on how to get there (Ubuntu server 18.04 as host, Debian buster in the container):

apt-get install debian-archive-keyring debootstrap systemd-container
debootstrap --include=systemd-container buster /var/lib/machines/debian
systemd-nspawn -D /var/lib/machines/debian systemctl enable systemd-networkd.service systemd-resolved.service
systemd-nspawn -D /var/lib/machines/debian apt-get install -y openssh-server
systemd-nspawn -D /var/lib/machines/debian mkdir /root/.ssh

Create /etc/systemd/nspawn/debian.nspawn with:

[Network]
Port=tcp:23:22

Then continue:

machinectl start debian
machinectl copy-to debian /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
ssh -p 23 root@XXX

You should have an SSH connection to the container now.

Answer 2

ssh root@localhost -p 23

does not work, because nspawn ports binding excludes loopback. There is a bug report: https://github.com/systemd/systemd/issues/6106