<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-container-networking">

<title>Container Networking</title>

<para>When you create a container using <literal>nixos-container
create</literal>, it gets its own private IPv4 address in the range
<literal>10.233.0.0/16</literal>. You can get the container’s IPv4
address as follows:

<screen>
# nixos-container show-ip foo
10.233.4.2

$ ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms
</screen>

</para>

<para>Networking is implemented using a pair of virtual Ethernet
devices. The network interface in the container is called
<literal>eth0</literal>, while the matching interface in the host is
called <literal>ve-<replaceable>container-name</replaceable></literal>
(e.g., <literal>ve-foo</literal>). The container has its own network
namespace and the <literal>CAP_NET_ADMIN</literal> capability, so it
can perform arbitrary network configuration such as setting up
firewall rules, without affecting or having access to the host’s
network.</para>

<para>By default, containers cannot talk to the outside network. If
you want that, you should set up Network Address Translation (NAT)
rules on the host to rewrite container traffic to use your external
IP address. This can be accomplished using the following configuration
on the host:

<programlisting>
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "eth0";
</programlisting>
where <literal>eth0</literal> should be replaced with the desired
external interface. Note that <literal>ve-+</literal> is a wildcard
that matches all container interfaces.</para>
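<para>The following host <filename>configuration.nix</filename> fragment is an added example, not part of the NixOS manual: it combines the NAT rules above with a declaratively defined container that has its own network namespace, so the container reaches the outside world through the host while only the port it explicitly opens is reachable from the host side. The container name <literal>webapp</literal>, the external interface <literal>enp0s3</literal> and the two <literal>10.233.1.x</literal> addresses are assumed values; replace them with your own.</para>

```nix
# Added example (not from the NixOS manual). Host-side configuration.nix
# fragment: a private-network container plus the NAT rules the manual shows.
{ config, pkgs, ... }:

{
  # NAT on the host: rewrite outbound container traffic to the host's
  # external IP. "ve-+" matches every container-side veth (ve-webapp, ...).
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "enp0s3";   # ASSUMPTION: replace with your uplink
  };

  # A declarative container. privateNetwork = true gives it its own network
  # namespace and creates the ve-webapp / eth0 veth pair described above.
  # Declarative containers do not auto-allocate from 10.233.0.0/16, so both
  # ends of the veth pair are assigned here (assumed addresses).
  containers.webapp = {
    privateNetwork = true;
    hostAddress  = "10.233.1.1";    # host end of the veth pair
    localAddress = "10.233.1.2";    # eth0 inside the container
    autoStart = true;

    config = { config, pkgs, ... }: {
      # Inside the container: CAP_NET_ADMIN lets it run its own firewall,
      # so only the service port is exposed towards the host.
      networking.firewall.enable = true;
      networking.firewall.allowedTCPPorts = [ 8080 ];
    };
  };

  # The host firewall is left closed towards the outside; the NAT rules
  # only masquerade traffic leaving the container, they open nothing inbound.
  networking.firewall.enable = true;
}
```

After <literal>nixos-rebuild switch</literal>, <literal>nixos-container show-ip webapp</literal> should print <literal>10.233.1.2</literal>, and the host can reach the service with <literal>curl http://10.233.1.2:8080</literal>.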

</section>