Re: [Question] How to make services only see one external network interface and loopback

There's no single service option to do this, as far as I know, since it involves a bit more than just making the interface visible.

After PrivateNetwork is enabled, the newly created namespaces need to be explicitly given network access through the host; the same "external" interface can't exist in two namespaces at once, so in Docker you usually have a virtual one.

One method is a pair of 'veth' interfaces – one end stays in the host namespace, one is moved into the container namespace, and you have a virtual Ethernet cable between the two. The host end then usually goes into a bridge, and the host does routing and often NAT (just like it would for full VMs). Something needs to assign internal IP addresses to both interfaces, and something needs to add those NAT rules.

(Another method is to create a 'macvlan' interface off the physical interface and give it to the container, which then gets its own IP address directly from the LAN.)

It would be possible to do this with systemd services (maybe systemd-nspawn to set up namespaces plus networkd to configure the interfaces), but probably far more hacky than using a container runtime that does all such configuration by default.
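As an added example, not code from the thread or from the systemd project, the veth/bridge/NAT layout described above as a shell script: the namespace, interface and address names are placeholders chosen here, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: build the veth-pair layout described
# above so a service sees only lo plus one interface, the way Docker does.
# All names and addresses below are placeholders chosen for this example.
set -eu

NS=${NS:-crawler}                # network namespace the service will run in
BR=${BR:-br-crawler}             # host bridge holding the host end of the pair
HOST_IF=${HOST_IF:-veth-crawl0}  # host end of the veth pair
NS_IF=${NS_IF:-eth0}             # name the service sees inside the namespace
SUBNET=${SUBNET:-10.200.0}       # /24 between host (.1) and namespace (.2)
UPLINK=${UPLINK:-eth0}           # host interface the NATed traffic leaves by

# DRY_RUN=1 prints each command instead of executing it, so the plan can be
# reviewed (and tested) without root.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

veth_up() {
  run ip netns add "$NS"
  # One veth end stays on the host, the peer is created directly in the namespace.
  run ip link add "$HOST_IF" type veth peer name "$NS_IF" netns "$NS"
  run ip link add "$BR" type bridge
  run ip link set "$HOST_IF" master "$BR"
  run ip addr add "$SUBNET.1/24" dev "$BR"
  run ip link set "$BR" up
  run ip link set "$HOST_IF" up
  # Inside the namespace only lo and NS_IF exist; give them addresses and a route.
  run ip -n "$NS" link set lo up
  run ip -n "$NS" addr add "$SUBNET.2/24" dev "$NS_IF"
  run ip -n "$NS" link set "$NS_IF" up
  run ip -n "$NS" route add default via "$SUBNET.1"
  # The host forwards the namespace's traffic and masquerades it out of UPLINK.
  run sysctl -w net.ipv4.ip_forward=1
  run nft add table ip crawler_nat
  run nft add chain ip crawler_nat post '{ type nat hook postrouting priority 100 ; }'
  run nft add rule ip crawler_nat post ip saddr "$SUBNET.0/24" oifname "$UPLINK" masquerade
}

veth_down() {
  run nft delete table ip crawler_nat
  run ip link del "$BR"
  run ip netns del "$NS"  # destroys the namespace end, which takes the host end with it
}

case "${1:-}" in
  up) veth_up ;;
  down) veth_down ;;
esac
```

Once the namespace exists, `ip netns add` leaves a handle at /run/netns/crawler, so the unit can join it with `NetworkNamespacePath=/run/netns/crawler` rather than `PrivateNetwork=yes`, and the service then sees exactly lo and eth0 while the host keeps the bridge, routing and NAT rules.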

On Tue, Jan 17, 2023, 22:04 Lucas Eduardo <lucas59356@xxxxxxxxx> wrote:
I am working on a service unit for a DHT crawler.

For some reason, it doesn't work well with the default network settings
because it seems to use a huge amount of traffic for a very small
amount of findings.

The same program works fine via docker, but I want to package it as a
hardened systemd unit.

A difference between the network layout in Docker and the host is that
Docker only exposes the "lo" interface and an upstream one, and the host
exposes everything and I think it's causing some kind of conflict.

How can I implement this Docker behaviour in systemd?

I tried using PrivateNetwork but it kills any Internet access because
only localhost is available.

Is there any not so well known feature to implement this?

I am running systemd 251.7 on NixOS. I already have experience
converting systemd stuff to the way the NixOS module system understands.

Thanks in advance
