05.02.2026 15:37, Miroslav Špehar wrote:
Thank you for the reply.

Setting up the IP in the container is what I have a problem with. The
idea was that it can be done from outside, so only one binary can be
running inside. If this is not possible and it needs to be done from
some tool inside, then probably I have to run it with Boot=yes, which
is not really what I would like.


Sure, it is possible

bor@ThinkPad-E16-Gen3:~$ sudo systemd-nspawn -nD /var/tmp/debian-tree
Spawning container debian-tree on /var/tmp/debian-tree.
Press Ctrl-] three times within 1s to kill container.
root@debian-tree:~# ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 21:59 pts/0    00:00:00 -bash
root         247       1  0 22:06 pts/0    00:00:00 ps -ef
root@debian-tree:~#

Further, on the host:

bor@ThinkPad-E16-Gen3:~$ machinectl show -p Leader --value debian-tree
16488
bor@ThinkPad-E16-Gen3:~$ sudo nsenter -t 16488 -n ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: host0@if9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 76:09:4e:40:23:2f brd ff:ff:ff:ff:ff:ff link-netnsid 0
bor@ThinkPad-E16-Gen3:~$ sudo nsenter -t 16488 -n ip link set up dev host0
bor@ThinkPad-E16-Gen3:~$ sudo nsenter -t 16488 -n ip addr add 192.168.1.1/24 dev host0
bor@ThinkPad-E16-Gen3:~$ sudo nsenter -t 16488 -n ip route add default via 192.168.1.254 dev host0
bor@ThinkPad-E16-Gen3:~$ sudo nsenter -t 16488 -n ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: host0@if9: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 76:09:4e:40:23:2f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.1/24 scope global host0
       valid_lft forever preferred_lft forever
bor@ThinkPad-E16-Gen3:~$


The interface is down because the host part is not connected to anything.

Yesterday I watched a FOSDEM video from Lennart regarding nspawn
containers, and he hinted that things about networking should improve;
it was in the context of network namespaces.

BR, Miroslav.


On Thu, Jan 29, 2026 at 3:27 PM Andrei Borzenkov <[email protected]> wrote:

29.01.2026 15:39, Miroslav Špehar wrote:
Hi all,

How can I set the IP of an nspawn container which has Boot=no in the .nspawn file?

I am not even sure if this is a good idea; it's just something I'm
trying to do and failing.

The idea is to run a binary like the Stalwart mail server in the nspawn
container, but have the container run only that binary (a musl binary).
Since I'd like to avoid having a shell and other binaries / processes
in the container, I would resort to having Boot=no in the .nspawn
file.

Also, I would like nspawn not to open ports on the host itself; I'd
rather have them manually forwarded by nftables on the host, which means
no Port= option in .nspawn.

Does any of this make sense?


That's what --network-veth and related options are for. You need an interface inside
your container for your application, and you need something to forward to
on the host side. You still need to set up the interface inside the container
with the correct address and other parameters, so you will need at least
those programs plus something to invoke them.

You would *still* need this even when using --port, because the --port
option simply forwards packets between the host and the container, but for this
it needs the interface in the container.
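The manual nsenter session Andrei shows above, wrapped into a small host-side script. This is an added example, not code posted in the thread or shipped by systemd. It assumes the container was started with --network-veth (so it has a host0 interface), that the host provides machinectl, nsenter and iproute2, and that the script is saved under the hypothetical name nspawn-net.sh. The point worth noticing for a minimal container image is that `nsenter -t <leader> -n` enters only the container's network namespace and then executes the host's own `ip` binary, so the container needs neither a shell nor iproute2 for its addressing to be configured, which is exactly what a Boot=no single-binary container asks for. The script validates the leader PID and the address before calling nsenter and has a DRY_RUN mode that prints the commands instead of running them, so the steps can be reviewed first:

```shell
#!/bin/sh
# Added example, not code from the thread: configure an nspawn container's
# network namespace from the host, wrapping the manual nsenter steps shown
# in the thread. Assumptions: the container was started with --network-veth
# (so it has host0), and the host provides machinectl, nsenter and iproute2.
# Nothing needs to exist inside the container: the `ip` that runs is the
# host's binary; only the network namespace is entered.
set -eu

# Run a command, or print it when DRY_RUN=1 so the steps can be reviewed
# before any namespace is touched.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only a non-empty, purely numeric PID; anything else is rejected
# so an unexpected token is never handed to nsenter -t.
valid_pid() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Require an explicit prefix length (1-128). A bare address would get /32
# from ip and break the default route via the gateway; ip itself rejects
# lengths that are invalid for the address family.
valid_cidr() {
    case $1 in
        */[1-9]|*/[1-9][0-9]|*/1[01][0-9]|*/12[0-8]) return 0 ;;
        *) return 1 ;;
    esac
}

# Leader PID of a registered machine, as `machinectl show -p Leader --value`
# prints it (empty when the machine is not registered).
leader_pid() {
    machinectl show -p Leader --value "$1"
}

# Bring up $dev inside the network namespace of $pid, assign $cidr and add
# a default route via $gw. These are the three commands from the thread.
configure_netns() {
    pid=$1 dev=$2 cidr=$3 gw=$4
    valid_pid "$pid"   || { echo "invalid leader PID: '$pid'" >&2; return 1; }
    valid_cidr "$cidr" || { echo "address needs a prefix length: '$cidr'" >&2; return 1; }
    run nsenter -t "$pid" -n ip link set up dev "$dev"
    run nsenter -t "$pid" -n ip addr add "$cidr" dev "$dev"
    run nsenter -t "$pid" -n ip route add default via "$gw" dev "$dev"
}

# Entry point: resolve the machine name to its leader PID and configure it.
# Usage (hypothetical script name):
#   sudo ./nspawn-net.sh debian-tree 192.168.1.1/24 192.168.1.254 [host0]
configure_machine() {
    name=$1 cidr=$2 gw=$3 dev=${4:-host0}
    pid=$(leader_pid "$name") || return 1
    configure_netns "$pid" "$dev" "$cidr" "$gw"
}

# Only act when invoked with arguments, so sourcing the file is a no-op.
if [ "$#" -ge 3 ]; then
    configure_machine "$@"
fi
```

As Andrei notes, host0 will still show NO-CARRIER after this until the host end of the veth pair is attached to something (a bridge, or routing and NAT on the host); the script deliberately leaves that host-side plumbing, and any nftables forwarding, to the administrator.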
