<!-- NixOS manual, 18.09-beta -->
<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-container-networking">
 <title>Container Networking</title>

 <para>
  When you create a container using <literal>nixos-container create</literal>,
  it gets its own private IPv4 address in the range
  <literal>10.233.0.0/16</literal>. You can get the container’s IPv4 address
  as follows:
<screen>
# nixos-container show-ip foo
10.233.4.2

$ ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms
</screen>
 </para>

 <para>
  Networking is implemented using a pair of virtual Ethernet devices. The
  network interface in the container is called <literal>eth0</literal>, while
  the matching interface in the host is called
  <literal>ve-<replaceable>container-name</replaceable></literal> (e.g.,
  <literal>ve-foo</literal>). The container has its own network namespace and
  holds the <literal>CAP_NET_ADMIN</literal> capability in that namespace, so
  it can perform arbitrary network configuration such as setting up firewall
  rules, without affecting or having access to the host’s network.
 </para>

 <para>
  By default, containers cannot talk to the outside network: their traffic
  reaches the host over the virtual Ethernet pair but is not routed any
  further. If you want that, you should set up Network Address Translation
  (NAT) rules on the host to rewrite container traffic to use your external
  IP address. This can be accomplished using the following configuration on
  the host:
<programlisting>
<xref linkend="opt-networking.nat.enable"/> = true;
<xref linkend="opt-networking.nat.internalInterfaces"/> = ["ve-+"];
<xref linkend="opt-networking.nat.externalInterface"/> = "eth0";
</programlisting>
  where <literal>eth0</literal> should be replaced with the desired external
  interface of the host. Note that <literal>ve-+</literal> is an iptables
  wildcard that matches all container interfaces.
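  The following host configuration, added here as an example and not taken
  from the NixOS manual, puts the NAT rules above together with a
  declaratively defined container that uses its own network namespace. The
  container name <literal>web</literal>, the external interface
  <literal>enp1s0</literal>, the addresses on the 10.233.0.0/16 network and
  the forwarded port are illustrative choices, not values from the manual.

```nix
# Added example (not from the NixOS manual): a host configuration.nix that
# declares a container "web" with a private network namespace, NATs its
# outbound traffic through the host's external interface and exposes exactly
# one port of it. Names, addresses and ports below are assumptions.
{ config, pkgs, ... }:

{
  # NAT on the host: rewrite traffic arriving on any ve-* container
  # interface ("ve-+" is iptables wildcard syntax) to the address of the
  # external interface. enp1s0 is an assumed interface name; use your own.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = [ "ve-+" ];
  networking.nat.externalInterface = "enp1s0";

  # Only what is listed here is reachable from outside the host; the rest of
  # the container network stays unreachable unless a rule is added.
  networking.nat.forwardPorts = [
    { sourcePort = 8080; destination = "10.233.1.2:80"; }
  ];

  # Declarative counterpart of `nixos-container create web`, with a fixed
  # host/container address pair inside 10.233.0.0/16.
  containers.web = {
    autoStart = true;
    privateNetwork = true;        # own network namespace and a ve-web pair
    hostAddress = "10.233.1.1";   # host end of the virtual Ethernet pair
    localAddress = "10.233.1.2";  # eth0 inside the container

    config = { config, pkgs, ... }: {
      # The container holds CAP_NET_ADMIN in its own namespace, so it can
      # run its own firewall without touching the host's rules.
      networking.firewall.enable = true;
      networking.firewall.allowedTCPPorts = [ 80 ];

      services.nginx.enable = true;
      services.nginx.virtualHosts.default.root =
        pkgs.writeTextDir "index.html" "ok\n";
    };
  };
}
```

  After <literal>nixos-rebuild switch</literal>,
  <literal>nixos-container show-ip web</literal> prints
  <literal>10.233.1.2</literal>, the host's <literal>ve-web</literal>
  interface carries <literal>10.233.1.1</literal>, and
  <literal>iptables -t nat -S</literal> on the host shows a
  <literal>MASQUERADE</literal> rule leaving <literal>enp1s0</literal>; port
  8080 on the host is the only path from outside to the container.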
 </para>

 <para>
  If you are using NetworkManager, you need to explicitly prevent it from
  managing container interfaces, since it would otherwise try to configure
  the host side of each <literal>ve-*</literal> pair itself:
<programlisting>
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
</programlisting>
  Note that NetworkManager uses the glob <literal>ve-*</literal> here, not the
  iptables wildcard <literal>ve-+</literal> used in the NAT configuration.
 </para>
</section>