There are many ways to do this and you may get spoiled for choice.
One way is to create a container that has no network connectivity. At all.
First, create a copy of the default profile and edit it to remove the networking. Subsequently, launch a container with that profile.
For an unprivileged container, users are entirely container-specific, at least on LXD, so when a user is created in a container, it does not exist on the host (it’s possible to create a host user with the same username and password of course, but it’s a separate user nonetheless). I think it’s the same on plain LXC.
It can be applied to as many containers as you wish.
Consider though that you need to specify a different port (like 2222) for each container.
It is not clear what you want to achieve at the end (is it for educational purposes?).
You can also create a nested container (lxc launch ubuntu:18.04 mycontainer -c security.nesting=true), which will allow you to create nested containers inside mycontainer.
Then, run sudo lxd init inside mycontainer to create many more containers.
To provide access into those nested containers, see also https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts
You’re right, I’m trying to make this a little clearer. I’m building a dev stack for a university project.
In the end, we want to be able to spawn X containers, each running a web server; the HTTP traffic is then forwarded to a central Nginx, which is connected to a public IP address.
But we would also like to be able to access the individual containers without opening additional public IP addresses or additional ports.
To do this, we have tried several ways, such as routing SSH traffic over the Nginx, but the SSH protocol does not provide SNI, so matching was not possible.
Then we tested an SSH multiplexer, but it didn’t work the way it was supposed to.
I hope it is somewhat clearer now what we want to do.
Do you have requirements on the authentication? I can see a childishly easy way to do that using password authentication, but it may be an impossibility for you.
ATM I can’t see a really easy way to do it with key auth.
But here is the childishly easy way with password auth.
Create a special container in LXD, let’s call it grasshopper. Grasshopper will be the entry point.
The port 22 on the host will be redirected to the port 22 on grasshopper. Grasshopper will be set up with SSH with only one user, let’s call it grasshopper, and access will be granted with a key for easy automation (the key will be the same for all students).
When logged in, the user grasshopper will have a special login with a script only running ssh and disconnecting after the session is finished. When running this secondary ssh session, the students will be inside the lxd network and as such will be able to connect to any container by its name. So if student John Doe has access to the container named ‘student4235’, he will be able to ssh as ‘user@student4235’.
Routing and firewalling of the lxd network can easily be set up on the host to block any access to the host from the internal lxd network (except DNS; the containers need access to the dnsmasq instance that is providing them their address).
That’s all. All that would be necessary for each student:
set up the initial password on the container;
give the password and the container name to the student;
provide some way to set up the hop connection to the lxd host port 22 using user ‘grasshopper’ with the key provided on some internal web server.
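A concrete shape for the grasshopper forced-command login described above (and for the jump-host access to nested containers mentioned earlier in the thread), as an added example for this thread rather than code from any poster or from LXD: a small POSIX sh wrapper that sshd runs for the grasshopper user, which accepts a single user@container target, rejects anything that is not a plain container name, and exec's the inner ssh so the session ends when that hop ends. The script path, the user name grasshopper, the default inner user and the host name lxdhost are assumptions.

```shell
#!/bin/sh
# grasshopper-jump: forced-command wrapper for the jump container described
# in the thread. Added example; not code from the thread or from LXD.
#
# Install on the grasshopper container as /usr/local/bin/grasshopper-jump and
# pin the grasshopper user to it in sshd_config (the directive names are real
# OpenSSH directives; the path and user name are assumptions):
#
#   Match User grasshopper
#       ForceCommand /usr/local/bin/grasshopper-jump
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
#       PermitTTY yes
#
# A student connects with:  ssh -t grasshopper@lxdhost user@student4235
# sshd places "user@student4235" in SSH_ORIGINAL_COMMAND; the script validates
# it and exec's a second ssh inside the LXD network, so nothing other than that
# one inner connection can be run through this login.

# Accept only names made of letters, digits and '-' that do not start with '-',
# so a target can never be read by the inner ssh as an option or a shell word.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Split "user@container" (or a bare "container", default user "user") into two
# words on stdout; return 1 when either half fails validation.
parse_target() {
    target=$1
    case "$target" in
        *@*) user=${target%%@*}; host=${target#*@} ;;
        *)   user=user;          host=$target ;;
    esac
    valid_name "$user" && valid_name "$host" || return 1
    printf '%s %s\n' "$user" "$host"
}

# Entry point used by sshd. Refuses anything but a single target token.
grasshopper_main() {
    set -- ${SSH_ORIGINAL_COMMAND:-}      # word-split the forced command
    if [ $# -ne 1 ] || ! parsed=$(parse_target "$1"); then
        echo "usage: ssh -t grasshopper@lxdhost [user@]container" >&2
        exit 2
    fi
    set -- $parsed                         # $1 = user, $2 = container
    # Container names resolve through LXD's dnsmasq on the lxd bridge; no agent
    # or port forwarding is carried into the second hop.
    exec ssh -o ForwardAgent=no -o ClearAllForwardings=yes "$1@$2"
}

# Act as the entry point only when run under the installed name, so the
# functions above can be sourced and checked without opening a connection.
case "$0" in
    */grasshopper-jump|grasshopper-jump) grasshopper_main ;;
esac
```

Pinning the login with ForceCommand and AllowTcpForwarding no keeps grasshopper usable only in the one way the post intends: a student cannot turn it into a general proxy or tunnel, and each hop is a normal sshd login recorded on both the jump container and the target.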