How use systemd-nspawn with --network-veth and --port ( -n and -p)?


I run;

systemd-nspawn -n -p 80:80 -bD /path/to/httpd-container

In the container, httpd works. However, accessing from the host, it does not access. In addition, the below works without network options;

systemd-nspawn -bD /path/to/httpd-container

What do I need to use option -n, --network-veth and -p, --port?

Same question here; in order to help others reproduce from scratch:

Preparation

pull a mundane image from the internet

machinectl pull-raw --verify=no https://download.fedoraproject.org/pub/fedora/linux/releases/25/CloudImages/x86_64/images/Fedora-Cloud-Base-25-1.3.x86_64.raw.xz

Test 1

Run a server inside a container with no networking option

systemd-nspawn -M Fedora-Cloud-Base-25-1.3.x86_64.raw nc -l localhost 10000

in another window

echo hello | nc localhost 10000

works

Test 2

Enabling private networking and port mapping, so that host port 10000 is mapped to container port 20000

systemd-nspawn -M Fedora-Cloud-Base-25-1.3.x86_64.raw --private-network -p 10000:20000 nc -l localhost 20000

but then

echo hello | nc localhost 10000

results in

Ncat: Connection refused.

Why it's wrong

I would almost have expected exactly the opposite results; in any case the second test is the use case that I'd like to get to work. I really need my containers to be network-isolated, and need port redirection in any case as all the containers run their service on the same port, which needs to be redirected to a range of ports on the host side.

What I've tried

Adding the option --network-interface=eno1 (my public interface) to the mix has not helped

What puzzles me

My host runs fedora25 with selinux disabled; still I can see these messages when firing the container, which I take it are unrelated, but are they?

mount(/tmp/nspawn-root-tR1Tr0/sys/fs/selinux) failed, ignoring: No such file or directory
mount(/tmp/nspawn-root-tR1Tr0/sys/fs/selinux) failed, ignoring: Invalid argument
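Added pre-flight checks for the two test setups above; this is example code written for this page, not from either poster or from systemd. It assumes, per the systemd-nspawn man page and the default systemd-networkd container units, that -p/--port only takes effect with --network-veth, --network-bridge= or --network-zone= (plain --private-network leaves only loopback in the container), that forwarded traffic arrives on the container's veth so the service must not bind only to localhost, and that the DNAT rule nspawn installs is not hit by the host's own loopback connections; the iptables sample is constructed, and has_dnat_for_port is a hypothetical helper name.

```shell
#!/usr/bin/env bash
# Pre-flight checks for systemd-nspawn port forwarding (added example).

# Return 0 if the nspawn argument list is consistent: either no -p/--port,
# or -p/--port together with a veth-style network option. Return 1 for the
# Test 2 mistake: --private-network plus -p without --network-veth.
nspawn_args_ok() {
  local has_port=0 has_veth=0 a
  for a in "$@"; do
    case "$a" in
      -p|--port|--port=*) has_port=1 ;;
      -n|--network-veth|--network-bridge=*|--network-zone=*) has_veth=1 ;;
    esac
  done
  [ "$has_port" -eq 0 ] || [ "$has_veth" -eq 1 ]
}

# Return 0 if a listen address is reachable through the container's veth,
# 1 if it is loopback-only (Test 2's "nc -l localhost 20000" is unreachable
# from outside the container regardless of the port mapping).
listen_addr_reachable() {
  case "$1" in
    localhost|127.*|::1|"") return 1 ;;
    *) return 0 ;;
  esac
}

# Read `iptables -t nat -S` output on stdin and return 0 if a DNAT rule for
# the given host TCP port is present (the rule -p installs when it works).
# On a real host: iptables -t nat -S | has_dnat_for_port 10000
has_dnat_for_port() {
  grep -q -- "-p tcp .*--dport $1 .*-j DNAT"
}

# Constructed sample (assumed rule shape, not output captured from any host).
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-A PREROUTING ! -i lo -p tcp -m tcp --dport 10000 -j DNAT --to-destination 10.0.0.2:20000'

if nspawn_args_ok --private-network -p 10000:20000; then
  echo "Test 2 args: ok"
else
  echo "Test 2 args: -p needs --network-veth (or a bridge/zone), not --private-network alone"
fi
if listen_addr_reachable localhost; then
  echo "listener reachable"
else
  echo "listener bound to loopback: use 0.0.0.0 or the host0 address inside the container"
fi
```

Even with the rule present, test the mapping from another machine or against the host's non-loopback address, not via `nc localhost` on the host itself.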