<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-container-networking">

<title>Container Networking</title>

<para>When you create a container using <literal>nixos-container
create</literal>, it gets its own private IPv4 address in the range
<literal>10.233.0.0/16</literal>. You can get the container’s IPv4
address as follows:

<screen>
# nixos-container show-ip foo
10.233.4.2

$ ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms
</screen>

</para>

<para>Networking is implemented using a pair of virtual Ethernet
devices. The network interface in the container is called
<literal>eth0</literal>, while the matching interface in the host is
called <literal>ve-<replaceable>container-name</replaceable></literal>
(e.g., <literal>ve-foo</literal>). The container has its own network
namespace and the <literal>CAP_NET_ADMIN</literal> capability, so it
can perform arbitrary network configuration such as setting up
firewall rules, without affecting or having access to the host’s
network.</para>

<para>By default, containers cannot talk to the outside network. If
you want that, you should set up Network Address Translation (NAT)
rules on the host to rewrite container traffic to use your external
IP address. This can be accomplished using the following configuration
on the host:

<programlisting>
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "eth0";
</programlisting>
where <literal>eth0</literal> should be replaced with the desired
external interface. Note that <literal>ve-+</literal> is a wildcard
that matches all container interfaces.</para>

<para>If you are using Network Manager, you need to explicitly prevent
it from managing container interfaces:

<programlisting>
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
</programlisting>
</para>

</section>
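The following host-side script is an added example and is not part of the NixOS manual or of nixos-container itself. It checks the three facts the section above relies on (the container address lies in 10.233.0.0/16, the host end of the veth pair ve-<name> exists, and a MASQUERADE rule leaves via the external interface); each check takes command output as text, and the sample outputs at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the NixOS manual: host-side sanity checks for the
# container networking described above. Each check takes command output as
# text, so it can be exercised offline with the constructed samples below.

# True if $1 is a dotted-quad IPv4 address inside 10.233.0.0/16,
# the range nixos-container allocates container addresses from.
in_container_range() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && [ "$2" -eq 233 ]
}

# True if the host end of the veth pair, ve-<name> ($1), appears in $2,
# the output of `ip -o link` on the host.
host_has_veth() {
  printf '%s\n' "$2" | grep -q -- "^[0-9]*: ve-$1[@:]"
}

# True if $2, the output of `iptables -t nat -S` on the host, has a
# MASQUERADE rule leaving via the external interface $1. Only the
# interface and target are matched; chain names are not assumed.
nat_masquerades_via() {
  printf '%s\n' "$2" | grep -q -- "-o $1 .*-j MASQUERADE"
}

# Run all three checks for one container, naming the first that fails.
# $1 name, $2 external interface, $3 show-ip output, $4 link output, $5 nat output
check_container() {
  in_container_range "$3"       || { echo "$3 is outside 10.233.0.0/16"; return 1; }
  host_has_veth "$1" "$4"       || { echo "no ve-$1 interface on the host"; return 1; }
  nat_masquerades_via "$2" "$5" || { echo "no MASQUERADE rule via $2"; return 1; }
}

# Constructed sample outputs, standing in for a host with container "foo"
# and external interface eth0 (illustrative, not captured from a real system).
SAMPLE_IP='10.233.4.2'
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
5: ve-foo@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A nixos-nat-post -m mark --mark 1 -o eth0 -j MASQUERADE'
```

On a real host, feed the functions `$(nixos-container show-ip foo)`, `$(ip -o link)` and `$(iptables -t nat -S)` instead of the samples.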