submitted 1 day ago* (last edited 1 day ago) by emotional_soup_88@programming.dev to c/linux@lemmy.ml

I have three Ethernet interfaces, namely eth[0...2]. eth0 is connected to my VPN router and eth1 and eth2 are connected to my public facing router. eth0 is the standard interface that I normally let my Linux instance use. I now want to set up a container that hijacks (makes unavailable to the host) eth1 or eth2 in order to run various services that need to be reachable from WAN through a Wireguard tunnel.

I am aware that the man pages for systemd-nspawn say that it is primarily meant to be a test environment and not a secure container. Does anybody have experience with and/or opinions on this? Should I just learn how to use Docker?

For now, I am only asking about any potential security implications, since I don't understand how container security works "under the hood". The network portion of the setup would be something like:

Enabling forwarding kernel parameters on the host

Booting the container with systemd-nspawn -b -D [wherever/I/put/the/container] --network-interface=[eth1 or 2]

Then, managing the container's network with networkd config files, including enabling IPForward and IPMasquerade

Then, configuring wireguard according their official guides or, for instance, the Arch wiki.

Any and all input would be appreciated! 😊
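The four setup steps listed in the post, staged as files rather than applied live, as an added example that is not part of the original post or of any project's code. It writes the host sysctl fragment, the container-side networkd unit and the nspawn command line into a staging directory, and it refuses to hand over the interface named as the host's own (eth0 in the post), because once `--network-interface=` moves a NIC into the container the host no longer has it. The staging path, `DHCP=ipv4` on the moved interface and the `IPMasquerade=ipv4` spelling are assumptions; the WireGuard configuration itself is not generated here.

```shell
#!/bin/sh
# Added example, not from the original post. Stages the host- and
# container-side pieces for moving one NIC into a systemd-nspawn container.
# Assumptions: the moved NIC gets its address by DHCP from the public router,
# and the staging directory layout below is ours, not systemd's.
set -eu

# Refuse to move the interface the host itself depends on. Returns 0 for an
# acceptable ethN name, 1 for the host's interface, 2 for anything else.
check_iface() {
    iface="$1"; host_iface="$2"
    case "$iface" in
        "$host_iface") return 1 ;;
        eth[0-9]*)     return 0 ;;
        *)             return 2 ;;
    esac
}

# networkd unit that lives inside the container: DHCP on the moved NIC,
# forwarding for the WireGuard peers, and masquerading of their traffic.
render_network_unit() {
    iface="$1"
    printf '%s\n' \
        "[Match]" \
        "Name=$iface" \
        "" \
        "[Network]" \
        "DHCP=ipv4" \
        "IPForward=yes" \
        "IPMasquerade=ipv4"
}

# Host-side sysctl fragment: step 1 of the post, forwarding on the host.
render_sysctl() {
    printf '%s\n' "net.ipv4.ip_forward = 1"
}

# The nspawn invocation from the post, with the chosen NIC handed over.
nspawn_cmd() {
    printf 'systemd-nspawn -b -D %s --network-interface=%s\n' "$1" "$2"
}

# Stage everything under one directory. Copying container-rootfs/etc into the
# real container root and host/etc/sysctl.d onto the host is left to the operator.
stage() {
    dir="$1"; iface="$2"; host_iface="$3"
    check_iface "$iface" "$host_iface" || {
        echo "refusing to hand over $iface: it is the host's interface or not an ethN name" >&2
        return 1
    }
    mkdir -p "$dir/container-rootfs/etc/systemd/network" "$dir/host/etc/sysctl.d"
    render_network_unit "$iface" > "$dir/container-rootfs/etc/systemd/network/10-$iface.network"
    render_sysctl > "$dir/host/etc/sysctl.d/99-forward.conf"
    nspawn_cmd "$dir/container-rootfs" "$iface" > "$dir/boot.sh"
}

# Usage: ./stage.sh [staging-dir] [iface-to-move] [host-iface]
stage "${1:-/tmp/wg-container-stage}" "${2:-eth1}" "${3:-eth0}"
```

Running it with no arguments stages eth1 for the container and keeps eth0 for the host; `stage /tmp/x eth0 eth0` exits non-zero instead of writing anything, which is the check you want before a command that removes an interface from the host.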

[-] a_fancy_kiwi@lemmy.world 7 points 1 day ago* (last edited 1 day ago)

Should I just learn how to use Docker?

Yes. I put off learning it for so long and now can’t imagine self-hosting anything without it. I think all you have to do is set a static IP to the NIC from your router and then specify the IP and port in a docker-compose.yml file:

Ex: IP-address:external-port:container-port

services:
    app-name:
        ports:
            # host-IP:host-port:container-port
            - 192.168.1.42:3000:3000

Sweet! I'll start reading up on Docker, especially as it sounds like it has become an integral part of your self-hosting. :)

[-] a_fancy_kiwi@lemmy.world 6 points 23 hours ago

You might come across docker run commands in tutorials. Ignore those. Just focus on learning docker compose. With docker compose, the run command just goes into a yaml file so it’s easier to read and understand what’s going on. Don’t forget to add your user to the docker group so you aren’t having to type sudo for every command.

Commands you’ll use often:

docker compose up - runs container

docker compose up -d - runs container in headless mode

docker compose down - shuts down container

docker compose pull - pulls new images

docker image list - lists all images

docker ps - lists running containers

docker image prune -a - deletes images not being used by containers to free up space

[-] emotional_soup_88@programming.dev 2 points 23 hours ago

Thanks! What a sweet little handbook for getting started! :D

this post was submitted on 04 Feb 2026