Introduction

I’ve had a fascination with Virtualization and Container technologies for some time and had settled on using Libvirt and Virtualbox with which to experiment with distributions, technologies and configurations.

Whilst converting my network configuration from Connman to Networkd I stumbled on another container technology which got me interested, namely systemd-nspawn. This merely documents my workflow in getting both Archlinux and Debian containers running and just reflects what is already in the wiki.

Archlinux Host Wireless Connectivity

Just follow the Archlinux Wiki to configure systemd-networkd.

The host platform is Archlinux.

host> uname -a
Linux arch 4.1.6-1-ARCH #1 SMP PREEMPT Mon Aug 17 08:52:28 CEST 2015 x86_64 GNU/Linux

Using systemd 226.

Internet connectivity exists from the host, where the wireless network interface is both up and routable.

host> ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s25:  mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:21:cc:6c:9e:75 brd ff:ff:ff:ff:ff:ff
3: wlp3s0:  mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether 08:11:96:5e:4b:70 brd ff:ff:ff:ff:ff:ff
host> networkctl

IDX LINK             TYPE               OPERATIONAL SETUP     
  1 lo               loopback           carrier     unmanaged 
  2 enp0s25          ether              off         unmanaged 
  3 wlp3s0           wlan               routable    configured

Ensure that the host has no other network clients running. The likes of the following should not return any process id.

pgrep -i dhcp
pgrep connman

If that is not the case, learn how to disable the services.

Note your hostname via any of the following commands.

cat /etc/hostname
hostname
hostnamectl

Mine is arch.

Complete the following in the host root shell, su -l.

Rename or delete resolv.conf, then link it.

ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

Modify the hosts line in /etc/nsswitch.conf so that the resolve (systemd-resolved) and myhostname NSS modules are consulted after files.

hosts: files resolve myhostname

Create a network configuration.

host-root> cat /etc/systemd/network/wireless.network
[Match]
Name=wlp*

[Network]
DHCP=ipv4
IPForward=ipv4

Notes

  1. Matches all interfaces whose name starts with wlp.

  2. IPForward is required for systemd-nspawn containers. Quoting from the man page:

    Configures IP forwarding for the network interface. If enabled incoming packets on the network interface will be forwarded to other interfaces according to the routing table.

To check IP forwarding. Note that this is a kernel-wide setting (net.ipv4.ip_forward), not a per-interface one, so once enabled the host forwards between any of its interfaces.

host-root> cat /proc/sys/net/ipv4/ip_forward
1

Since the network interface is wireless, a wpa_supplicant configuration for it is required (described in an earlier post).

host-root> cat /etc/wpa_supplicant/wpa_supplicant-wlp3s0.conf 
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
update_config=1
network={
	ssid="mySSID"
	#psk="password"
	psk=e1c.....74a
}

Ensure the service is enabled.

systemctl enable wpa_supplicant@wlp3s0.service

Start/Enable the network and resolve services.

systemctl enable systemd-networkd
systemctl enable systemd-resolved

Ping somewhere to verify successful connectivity.
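As an added check that is not part of the original post, the following POSIX shell functions verify the host-side settings made above (IP forwarding, the resolv.conf link, the nsswitch hosts line and the absence of competing clients). Each check takes the file to inspect as an argument so it can be run against a copy; with no argument it inspects the live system. The function names are my own.

```shell
# Added example (not from the post): verify the host-side prerequisites
# described above. Each check takes a file path so it can be run against
# a copy of the file; with no argument it inspects the live system.

# IPForward=ipv4 in wireless.network turns on the kernel-wide sysctl;
# container traffic is not forwarded unless it reads 1.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# /etc/resolv.conf must be the symlink to the file systemd-resolved
# maintains, otherwise whatever resolv.conf was left behind is used.
resolv_conf_linked() {
    [ "$(readlink "${1:-/etc/resolv.conf}")" = /run/systemd/resolve/resolv.conf ]
}

# The hosts line must list the resolve NSS module right after files
# (the wiki form: "hosts: files resolve myhostname").
nsswitch_uses_resolve() {
    grep -Eq '^hosts:[[:space:]]+files[[:space:]]+resolve([[:space:]]|$)' \
        "${1:-/etc/nsswitch.conf}"
}

# No other DHCP client or connman may manage the links networkd will own
# (case-insensitive, so dhcpcd and dhclient both count).
no_competing_clients() {
    ! pgrep -i 'dhcp|connman' >/dev/null 2>&1
}

# Run every check against the live system and report; non-zero if any fails.
check_host() {
    rc=0
    for c in ip_forward_enabled resolv_conf_linked nsswitch_uses_resolve no_competing_clients; do
        if "$c"; then echo "ok   $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}
```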

Archlinux Guest Container

Follow the Archlinux Wiki.

I have all my containers on a /common partition.

The following are completed in a root shell, su -l.

ln -s /common/Containers/systemd/archvirt /var/lib/machines/archvirt

The default place to locate machines is under/var/lib/machines.

Use pacstrap to install the basic system in the container.

pacstrap -i -c -d /var/lib/machines/archvirt base base-devel

Start Archlinux Guest Container Without Network Interface

Start the container, but omitting the -n switch.

systemd-nspawn -b -D /var/lib/machines/archvirt

The container will see exactly the same network interfaces as the host. ip link show should be identical on both container and host. ping to affirm internet connectivity.

Start the container:

systemd-nspawn -b -D /var/lib/machines/archvirt -n

Consult the man page for switch information, but in brief: -b boots into a container located in target directory -D. A virtual ethernet interface, veth, is automatically created between the host and guest via -n.

Login as root, to enter guest-container-root.

Establishing wired connectivity. From the guest container perspective.

guest-container-root> networkctl
IDX LINK             TYPE               OPERATIONAL SETUP     
  1 lo               loopback           n/a         n/a       
  2 host0            ether              n/a         n/a 

Having started the container, from the host perspective.

host> networkctl

IDX LINK             TYPE               OPERATIONAL SETUP     
  1 lo               loopback           carrier     unmanaged 
  2 enp0s25          ether              off         unmanaged 
  3 wlp3s0           wlan               routable    configured
  4 ve-archvirt      ether              no-carrier  configuring

Note the ve-archvirt network interface created (-n switch), which is not routable.

In guest-container-root, set the hostname.

hostnamectl set-hostname archvirt

Verify.

guest-container-root> hostnamectl

   Static hostname: archvirt
         Icon name: computer-container
           Chassis: container
        Machine ID: ebd7df906e564f4db3e9a909ed60628a
           Boot ID: e911ad59e115445a80e11d4d89563078
    Virtualization: systemd-nspawn
  Operating System: Arch Linux
            Kernel: Linux 4.1.6-1-ARCH
      Architecture: x86-64

Including a network configuration file

My initial reaction to establishing network connectivity was to just follow the Wiki, repeating on the container what was achieved on the host. The following was undertaken on the container side.

In guest-container-root, remove resolv.conf and link.

ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

Edit nsswitch.conf, for hosts to reflect:

hosts: files resolve myhostname

Create the network configuration.

guest-container-root> cat /etc/systemd/network/wired.network
[Match]
Name=host0

[Network]
DHCP=ipv4

Start (and later enable) the network and resolve services.

In guest-container-root:

systemctl start systemd-networkd.service
systemctl start systemd-resolved.service

Success.

guest-container-root> ping -c 3 bbc.co.uk
PING bbc.co.uk (212.58.244.18) 56(84) bytes of data.
64 bytes from fmt-vip72.telhc.bbc.co.uk (212.58.244.18): icmp_seq=1 ttl=53 time=33.3 ms
64 bytes from fmt-vip72.telhc.bbc.co.uk (212.58.244.18): icmp_seq=2 ttl=53 time=33.5 ms
64 bytes from fmt-vip72.telhc.bbc.co.uk (212.58.244.18): icmp_seq=3 ttl=53 time=32.9 ms

From the host perspective.

host> networkctl
IDX LINK             TYPE               OPERATIONAL SETUP
  1 lo               loopback           carrier     unmanaged 
  2 enp0s25          ether              off         unmanaged 
  3 wlp3s0           wlan               routable    configured
  4 ve-archvirt      ether              routable    configured

The ve-archvirt interface is now routable.

From the guest perspective.

guest-container-root> networkctl
IDX LINK             TYPE               OPERATIONAL SETUP
  1 lo               loopback           carrier     unmanaged 
  2 host0            ether              routable    configured

Likewise, interface host0 is now routable.

guest-container-root> ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: host0@if4:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 8a:9b:3c:04:2c:dc brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.40.57/16 brd 169.254.255.255 scope link host0
       valid_lft forever preferred_lft forever
    inet 10.0.0.2/28 brd 10.0.0.15 scope global dynamic host0
       valid_lft 2844sec preferred_lft 2844sec
    inet6 fe80::889b:3cff:fe04:2cdc/64 scope link 
       valid_lft forever preferred_lft forever
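The two networkctl listings and the ip addr output above are the evidence that the veth pair works. As an added example that is not part of the original post, these POSIX shell functions extract that evidence from captured output, so the same check can be scripted after each container start; the sample input is copied from the listings above, and the function names are assumptions of mine.

```shell
# Added example (not from the post): decide from captured tool output
# whether the veth pair is up on both ends and host0 holds a DHCP lease.
# The sample input below is copied from the listings in this post.

HOST_NETWORKCTL='IDX LINK             TYPE               OPERATIONAL SETUP
  1 lo               loopback           carrier     unmanaged
  3 wlp3s0           wlan               routable    configured
  4 ve-archvirt      ether              routable    configured'

GUEST_NETWORKCTL='IDX LINK             TYPE               OPERATIONAL SETUP
  1 lo               loopback           carrier     unmanaged
  2 host0            ether              routable    configured'

GUEST_IP_ADDR='2: host0@if4:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 169.254.40.57/16 brd 169.254.255.255 scope link host0
    inet 10.0.0.2/28 brd 10.0.0.15 scope global dynamic host0
       valid_lft 2844sec preferred_lft 2844sec'

# Print the OPERATIONAL column of one link from networkctl output;
# fails when the link is not listed at all.
link_operational() {   # $1: networkctl output, $2: link name
    printf '%s\n' "$1" |
        awk -v link="$2" '$2 == link { print $4; found = 1 } END { exit !found }'
}

# The pair is usable only when both ends report routable: ve-<machine>
# on the host and host0 inside the guest. A no-carrier host end is the
# state seen before the guest's networkd has brought host0 up.
veth_pair_ready() {    # $1: host output, $2: guest output, $3: machine name
    [ "$(link_operational "$1" "ve-$3")" = routable ] &&
        [ "$(link_operational "$2" host0)" = routable ]
}

# Print the DHCP-assigned IPv4 address of a link. The 169.254/16 address
# is networkd's link-local fallback and is deliberately ignored: a guest
# showing only that address is up but never received a lease.
dhcp_lease() {         # $1: ip addr output, $2: link name
    printf '%s\n' "$1" |
        awk -v link="$2" '$1 == "inet" && $NF == link && /scope global/ && /dynamic/ {
            print $2; found = 1 } END { exit !found }'
}
```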

Without a network configuration file

Whilst experimenting with the Debian guest container, I’ve realised that the above provisioning of wired.network is not necessary as long as systemd-networkd is enabled on the guest.

If systemd-resolved is enabled then ensure the above link to resolv.conf exists, namely:

ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

Otherwise retain resolv.conf but ensure that a nameserver is defined.

guest-container-root> cat /etc/resolv.conf
#
# /etc/resolv.conf
#

#search 
nameserver 192.168.0.1

# End of file

I believe the update to nsswitch.conf is not required either. I reverted it back to the original and could still get network connectivity.

guest-container-root> cat /etc/nsswitch.conf
# Begin /etc/nsswitch.conf

passwd: files
group: files
shadow: files

publickey: files

hosts: files dns myhostname
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files


Evidently my understanding of what the -i switch on systemd-nspawn is doing is lacking.

This post reinforces that if both container and host are using systemd-networkd, then no further configuration is required when the virtual ethernet switch (-n) is given to systemd-nspawn.

Configuring the Archlinux Guest Container

Having established network connectivity, complete the configuration.

In guest-container-root:

pacman -S rxvt-unicode openssh

Add a root password.

passwd

And a user and password.

useradd -m -g users -G wheel,network -s /bin/bash ian
passwd ian

Add your own username unless you like the name ian!

Update /etc/sudoers (via visudo) to uncomment the wheel line.

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

Create the urxvtd service.

guest-container-root> cat /etc/systemd/system/urxvtd@.service
[Unit]
Description=RXVT-Unicode Daemon

[Service]
User=%i
ExecStart=/usr/bin/urxvtd -q -o

[Install]
WantedBy=multi-user.target

And start/enable the service (per user).

systemctl enable urxvtd@ian.service

Note that I have urxvtd on the host. Without urxvtd on the guest, upon sshing in I could not use the backspace key. A Google search suggested mirroring the terminal types to resolve the issue.

Start the ssh service.

systemctl enable sshd.service

From the host, we see the port open.

host> nmap 10.0.0.2
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-27 12:01 BST
Nmap scan report for 10.0.0.2
Host is up (0.00068s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

Testing ssh from the host.

host> ssh ian@10.0.0.2
The authenticity of host '10.0.0.2 (10.0.0.2)' can't be established.
ECDSA key fingerprint is SHA256:1D67mwy7skpq4czqUZi+7qQk+pCK6Z50M2Xoef4NjCk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.2' (ECDSA) to the list of known hosts.
ian@10.0.0.2's password:

Listing the containers.

host> machinectl
MACHINE  CLASS     SERVICE
archvirt container nspawn 

And log in.

host> machinectl login archvirt

==== AUTHENTICATING FOR org.freedesktop.machine1.login ===
Authentication is required to log into a local container.
Authenticating as: ian
Password: 
==== AUTHENTICATION COMPLETE ===
Connected to machine archvirt. Press ^] three times within 1s to exit session.

Arch Linux 4.1.6-1-ARCH (pts/1)

archvirt login: ian
Password: 
Last login: Sun Sep 27 12:08:05 from 10.0.0.1

Success.

guest-container> uname -a
Linux arch 4.1.6-1-ARCH #1 SMP PREEMPT Mon Aug 17 08:52:28 CEST 2015 x86_64 GNU/Linux

Debian Jessie Guest Container

Enter the root shell on the Archlinux host, su -l.

And install via debootstrap.

debootstrap --arch=amd64 jessie /common/Containers/systemd/debian-jessie-virt/

Start Debian Guest Container Without Network Interface

Start the container, but omitting the -n switch.

systemd-nspawn -b -D /var/lib/machines/debian-jessie-virt

The container will see exactly the same network interfaces as the host. ip link show should be identical on both container and host. ping to affirm internet connectivity.

At this point I installed some packages, namely dbus and openssh.

Start the container:

systemd-nspawn -b -D /var/lib/machines/debian-jessie-virt -n

or, equivalently, with the long-form switches and an explicit machine name:

systemd-nspawn -D /common/Containers/systemd/debian-jessie-virt/ --network-veth --boot --machine=jessie-virt

Note that the switches -n / --network-veth and -b / --boot are synonymous.

Echoing the conclusion drawn from starting the Archlinux guest, to get network connectivity via the virtual ethernet created by nspawn, link resolv.conf:

ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Start and enable both the networkd and resolved services.

systemctl restart systemd-networkd.service systemd-resolved.service
systemctl enable systemd-networkd.service systemd-resolved.service

guest-container-root> ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: host0@if8:  mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 2e:42:5a:ec:47:85 brd ff:ff:ff:ff:ff:ff

From thehostperspective:

host> networkctl

IDX LINK             TYPE               OPERATIONAL SETUP     
  1 lo               loopback           carrier     unmanaged 
  2 wlp3s0           wlan               routable    configured
  3 enp0s25          ether              off         unmanaged 
  8 ve-debian-jess   ether              routable    configured

With the ssh service running on the guest, I can ssh in from the host.

This informative post details bringing up the host and container interfaces manually, in lieu of systemd-networkd, for a virtual ethernet configuration.

#  Add address 10.0.0.1 to ve-debian-tree interface of host system
host$ ip addr add 10.0.0.1/24 broadcast 10.0.0.255 dev ve-debian-tree
host$ ip link set dev ve-debian-tree up

# Add address 10.0.0.2 to host0 interface of guest system
guest$ ip addr add 10.0.0.2/24 broadcast 10.0.0.255 dev host0
guest$ ip link set dev host0 up

Alternatively, use macvlan when using nspawn for a Debian container. Note that the post is also instructive on setting up the locale.

apt-get install --no-install-recommends dbus locales
timedatectl set-timezone Europe/London
dpkg-reconfigure locales

A user needs to be added and given sudo privileges. This post is instructive on these points.