<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-container-networking">
  <title>Container Networking</title>
  <para>
    When you create a container using
    <literal>nixos-container create</literal>, it gets its own private
    IPv4 address in the range <literal>10.233.0.0/16</literal>. You can
    get the container’s IPv4 address as follows:
  </para>
  <programlisting>
# nixos-container show-ip foo
10.233.4.2

$ ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms
</programlisting>
  <para>
    Networking is implemented using a pair of virtual Ethernet devices.
    The network interface in the container is called
    <literal>eth0</literal>, while the matching interface in the host is
    called <literal>ve-container-name</literal> (e.g.,
    <literal>ve-foo</literal>). The container has its own network
    namespace and the <literal>CAP_NET_ADMIN</literal> capability, so it
    can perform arbitrary network configuration such as setting up
    firewall rules, without affecting or having access to the host’s
    network.
  </para>
  <para>
    By default, containers cannot talk to the outside network. If you
    want that, you should set up Network Address Translation (NAT) rules
    on the host to rewrite container traffic to use your external IP
    address. This can be accomplished using the following configuration
    on the host:
  </para>
  <programlisting language="bash">
networking.nat.enable = true;
networking.nat.internalInterfaces = [&quot;ve-+&quot;];
networking.nat.externalInterface = &quot;eth0&quot;;
</programlisting>
  <para>
    where <literal>eth0</literal> should be replaced with the desired
    external interface. Note that <literal>ve-+</literal> is a wildcard
    that matches all container interfaces.
  </para>
  <para>
    If you are using Network Manager, you need to explicitly prevent it
    from managing container interfaces:
  </para>
  <programlisting language="bash">
networking.networkmanager.unmanaged = [ &quot;interface-name:ve-*&quot; ];
</programlisting>
  <para>
    You may need to restart your system for the changes to take effect.
  </para>
</section>
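The following is an added example, not part of the NixOS manual: a small POSIX shell helper that derives the host-side veth name for a container, applies the iptables-style interface-pattern semantics that `networking.nat.internalInterfaces` uses (a trailing `+` matches any suffix, so `ve-+` covers every `ve-*` interface), and checks that an address reported by `nixos-container show-ip` falls inside `10.233.0.0/16`. The function names and the sample container name `foo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the NixOS manual). Helpers to sanity-check the
# host side of container networking described in this section.

# Host-side interface name for a container created with
# `nixos-container create <name>` (the container side is always eth0).
veth_for_container() {
  printf 've-%s\n' "$1"
}

# Interface pattern matching as used by the NAT internalInterfaces list:
# a trailing '+' matches any suffix ("ve-+" matches ve-foo, ve-bar, ...);
# any other pattern must match the interface name exactly.
iface_matches() {
  pattern=$1
  iface=$2
  case $pattern in
    *+)
      prefix=${pattern%+}
      case $iface in
        "$prefix"*) return 0 ;;
        *) return 1 ;;
      esac ;;
    *)
      [ "$pattern" = "$iface" ] ;;
  esac
}

# Returns 0 when at least one of the given patterns (e.g. the entries of
# networking.nat.internalInterfaces) covers the container's host veth,
# i.e. the container's traffic will be rewritten by the NAT rules.
container_is_natted() {
  name=$1
  shift
  iface=$(veth_for_container "$name")
  for p in "$@"; do
    if iface_matches "$p" "$iface"; then
      return 0
    fi
  done
  return 1
}

# Returns 0 when an address (as printed by `nixos-container show-ip`)
# lies in the private container range 10.233.0.0/16.
in_container_range() {
  case $1 in
    10.233.*.*) return 0 ;;
    *) return 1 ;;
  esac
}
```

Run it on a host as `container_is_natted foo "ve-+"` (exit status 0 means the veth is covered) or `in_container_range "$(nixos-container show-ip foo)"`.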