Timeline for How to declare systemd dependency for a nspawn service that depends on WireGuard interfaces?
Current License: CC BY-SA 4.0
5 events
| when | what | by | license | comment |
|---|---|---|---|---|
| May 1, 2024 at 16:50 | answer added | Tom Yan | | timeline score: 1 |
| May 1, 2024 at 15:50 | comment added | Waiho | | Moving the WG interface to a different namespace after configuring it is documented in wireguard.com/netns. In my use case, I want to ensure all traffic can only go out via the VPN, at the network level (not relying on a firewall). "Abstract out" means elegantly. I do not want WG interface creation logic in nspawn's service. Also, I want to handle that nspawn behavior (the interface disappears when the container fails to start) elegantly. |
| May 1, 2024 at 10:01 | comment added | Tom Yan | | "abstract out the above two commands using systemd service and dependency": write a oneshot service for them? |
| May 1, 2024 at 10:00 | comment added | Tom Yan | | I think you need to clarify a few things. First of all, is this some quirky (IMO) setup where you are only moving the wg interface into the nspawn while having the tunnel rely on the host's network namespace for the traffic to the peer? (Assuming that's even possible with wg.) Or does the container have other interface(s) that connect the nspawn to the container host? Besides, is this a "boot mode" nspawn we are talking about? And if you don't want the interface to be UP at the host, why would needing to `ip link add` again be a problem? (Aren't you looking for automation for that anyway?) |
| May 1, 2024 at 3:38 | history asked | Waiho | CC BY-SA 4.0 | |