permacomputing

Source repository for the main permacomputing wiki site
git clone http://git.permacomputing.net/repos/permacomputing.git # read-only access

commit bc69f022cbe8870bf9fac590b4f464ec1a3fc4c1
parent 8886a7543d066c1a9ea5caa48d5ccb745d011970
Author: brendan <brendan@web>
Date:   Mon,  9 Mar 2026 10:31:09 +0100

First complete draft

Diffstat:
M eik_containers.mdwn | 62+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 61 insertions(+), 1 deletion(-)

diff --git a/eik_containers.mdwn b/eik_containers.mdwn 
@@ -14,16 +14,76 @@ __TIP:__ systemd-nspawn images are basically just a normal filesystem tree under ### Run the container manually and set a root password +For the first spin-up, we should run this manually to set private users/groups and some basic stuff. +`sudo systemd-nspawn -D /var/lib/machines/my_pmc_container -M my_pmc_container --private-users=pick --private-users-ownership=chown` + +Now you're basically chrooted inside the container (but not really properly booted) so set up a few things: + +``` +hostname > /etc/hostname +passwd +``` + +You can also create a user or edit any config files that you need for services that will run in the container. When you're done just exit out. + +__NOTE:__ if you need to run the container manually again in the future, to set up networking or tweak some settings, use this command since we already have the private users set up and don't need to chown a second time: + +`sudo systemd-nspawn -D /var/lib/machines/my_pmc_container -M my_pmc_container --private-users=yes` ### Set up networking -### Enable the container +This is the one thing that is slightly fiddly with alpine since it does not magically tie up with systemd on the containing host. We are using a private bridge running on the containing host to route our traffic to the internet. These IP addresses are assigned manually so we should be careful to keep track and not double up by accident. We will use the /etc/hosts file on the containing host as our authoritative record as well as provide us with convenient aliases to proxy or connect via SSH. 
+ +Edit /etc/hosts on eik and add a new entry for the container below the last entry with 192.168.0.X: + +``` +127.0.0.1 localhost +193.170.194.218eik +192.168.0.10 snac +192.168.0.11 borf +192.168.0.12 my_pmc_container +``` + +Now create an nspawn config file on eik in /etc/systemd/nspawn/my_pmc_container.nspawn + +``` +[Exec] +PrivateUsers=yes +KillSignal=SIGTERM +[Network] +Bridge=bridge0 +``` + +Now, go inside the container and edit the /etc/network/interfaces file inside the container: + +``` +auto host0 +iface host0 inet static + address 192.168.0.12/24 + gateway 192.168.0.1 +``` + + +### Start and Enable the container + +On eik: +`sudo machinectl start my_pmc_container` + +To enable so that the container always comes up when eik boots: +`sudo machinectl enable my_pmc_container` ### Connect via ssh +Note, you may need to tweak the ssh configs on the container to allow root logins or use whatever keys setup you prefer. + +`ssh my_user@my_pmc_container` + ### Optionally - set up an nginx proxy for public service +prolly best to use proxy_pass my_pmc_container + #### References: 1. Much of this document was based on [this blog post](https://quantum5.ca/2025/03/22/whirlwind-tour-of-systemd-nspawn-containers/) +2. The arch wiki (as ever) has some very good [general docs](https://wiki.archlinux.org/title/Systemd-nspawn) about systemd-nspawn
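Review bot: the sample /etc/hosts block under "Set up networking" contains `193.170.194.218eik`, which has no whitespace between the address and the name (a tab was probably lost), so as written it is not a valid hosts entry and anyone copying the block will get a broken file; put a tab or space between them like the other entries. Two smaller points in the same hunk: in "Run the container manually", `hostname > /etc/hostname` only does the right thing because systemd-nspawn sets the container's UTS hostname from the `-M my_pmc_container` argument, which is worth a one-line comment so readers do not think it copies the host's name. In "Connect via ssh", the suggestion to "tweak the ssh configs on the container to allow root logins" is unnecessary given the example already logs in as `my_user`; recommend key-based login for that user and leaving `PermitRootLogin` at its default of `prohibit-password` rather than opening root logins. Finally, "prolly best to use proxy_pass my_pmc_container" is an incomplete instruction: an nginx `proxy_pass` needs a scheme and the service's port, so either spell out the directive for the intended service or mark the section as TODO.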