6285b6c638
This change adds the ability to effectively use the PrivateNetwork functionality systemd provides for services. Now, if enabled, services can be created in a network namespace which isolates it from the rest of the host. Additional options have been added allowing access into the network namespace over ephemeral devices as needed.

Highlights:
* Isolated private networking for services will sandbox using a stand-alone namespace which has no access to anything via the network.
* Access into a private namespace can be provided over a single network interface which can be IP'd via local DHCP + NAT or using an upstream DHCP server.
* Tests have been added to exercise the new functionality.

All of the functionality has been documented in the defaults of this role.

Change-Id: I6751765131f32393a1605eb2100bec46199d980a
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
21 lines
381 B
Django/Jinja
[Match]
Name=mv-{{ systemd_PrivateNetworkInterface }}

[Network]
DHCPServer=true
Address={{ systemd_PrivateNetworkLocalDHCPGateway }}
{% if (systemd_version | int) >= 230 %}
IPMasquerade=true
IPForward=true
{% endif %}

[DHCPServer]
PoolOffset=50
PoolSize=200
DefaultLeaseTimeSec=300s
{% if (systemd_version | int) >= 230 %}
EmitDNS=true
EmitNTP=true
EmitTimezone=true
{% endif %}
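The DHCP pool declared above (PoolOffset=50, PoolSize=200) only works if it fits inside the prefix given to the gateway address, and the NAT/masquerade keys are only emitted on systemd 230 or newer. The following added example (not part of this change or the role) mirrors the template's logic in plain Python so it runs without jinja2, then parses the rendered unit and checks the pool bounds; the interface name, gateway address and systemd versions are constructed sample values, and `render_network` / `check_pool` are this example's own helpers.

```python
import configparser
import ipaddress


def render_network(iface, gateway, systemd_version):
    """Build the mv-<iface>.network unit the way the template does.

    Keys gated on (systemd_version | int) >= 230 in the template are
    gated the same way here; values are the template's fixed defaults.
    """
    lines = ["[Match]", f"Name=mv-{iface}", "",
             "[Network]", "DHCPServer=true", f"Address={gateway}"]
    if systemd_version >= 230:
        lines += ["IPMasquerade=true", "IPForward=true"]
    lines += ["", "[DHCPServer]", "PoolOffset=50", "PoolSize=200",
              "DefaultLeaseTimeSec=300s"]
    if systemd_version >= 230:
        lines += ["EmitDNS=true", "EmitNTP=true", "EmitTimezone=true"]
    return "\n".join(lines) + "\n"


def check_pool(rendered):
    """Parse a rendered unit and verify the DHCP pool lies inside the
    gateway's prefix (PoolOffset counts from the start of the subnet).

    Returns (ok, first_lease, last_lease).
    """
    cp = configparser.ConfigParser()
    cp.read_string(rendered)
    gw = ipaddress.ip_interface(cp["Network"]["Address"])
    net = gw.network
    offset = int(cp["DHCPServer"]["PoolOffset"])
    size = int(cp["DHCPServer"]["PoolSize"])
    first = int(net.network_address) + offset
    last = first + size - 1
    # Usable hosts exclude the network and broadcast addresses.
    ok = offset >= 1 and last < int(net.broadcast_address)
    return ok, str(ipaddress.ip_address(first)), str(ipaddress.ip_address(last))


if __name__ == "__main__":
    # Constructed sample: a /24 gateway fits the pool, a /25 does not.
    for prefix in ("10.0.0.1/24", "10.0.0.1/25"):
        unit = render_network("eth0", prefix, 230)
        print(prefix, check_pool(unit))
```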