Network namespace separation

[spanezz]

I think it would be desirable to enable network namespace separation (--network-veth or similar options of systemd-nspawn), however doing this in a convenient way seems to be nontrivial.

OS images generally need to connect to the outside network, to download dependencies and perform system upgrades. There may be an argument for configuring some images for allowing outside connections only during maintenance, and not on ephemeral containers, and there are important use cases in which an ephemeral container needs outside network.

There is the need of running web servers in the container and accessing them from the outside (#14), like, for example, testing a Django web application.

There is the need of keeping container startup time low, so that for example a simple monci run doesn't need to wait on DHCP every time.

There is the need of keeping complexity of configuration low, to avoid having the correct setup of a bridge network interface as a prerequisite for setting up Moncic-CI, or to avoid having to implement risky fiddling with the system network configuration in Moncic-CI.

I have no good solutions for thid in mind, and I'm opening the issue to track ideas as they come