summary refs log tree commit diff
path: root/nixos/doc/manual/from_md/administration/container-networking.section.xml
blob: 788a2b7b0acbdc5e074437ff5263bfe165a4300c (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-container-networking">
  <title>Container Networking</title>
  <para>
    When you create a container using
    <literal>nixos-container create</literal>, it gets it own private
    IPv4 address in the range <literal>10.233.0.0/16</literal>. You can
    get the container’s IPv4 address as follows:
  </para>
  <programlisting>
# nixos-container show-ip foo
10.233.4.2

$ ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms
</programlisting>
  <para>
    Networking is implemented using a pair of virtual Ethernet devices.
    The network interface in the container is called
    <literal>eth0</literal>, while the matching interface in the host is
    called <literal>ve-container-name</literal> (e.g.,
    <literal>ve-foo</literal>). The container has its own network
    namespace and the <literal>CAP_NET_ADMIN</literal> capability, so it
    can perform arbitrary network configuration such as setting up
    firewall rules, without affecting or having access to the host’s
    network.
  </para>
  <para>
    By default, containers cannot talk to the outside network. If you
    want that, you should set up Network Address Translation (NAT) rules
    on the host to rewrite container traffic to use your external IP
    address. This can be accomplished using the following configuration
    on the host:
  </para>
  <programlisting language="bash">
networking.nat.enable = true;
networking.nat.internalInterfaces = [&quot;ve-+&quot;];
networking.nat.externalInterface = &quot;eth0&quot;;
</programlisting>
  <para>
    where <literal>eth0</literal> should be replaced with the desired
    external interface. Note that <literal>ve-+</literal> is a wildcard
    that matches all container interfaces.
  </para>
  <para>
    If you are using Network Manager, you need to explicitly prevent it
    from managing container interfaces:
  </para>
  <programlisting language="bash">
networking.networkmanager.unmanaged = [ &quot;interface-name:ve-*&quot; ];
</programlisting>
  <para>
    You may need to restart your system for the changes to take effect.
  </para>
</section>
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-06 06:07:43 +0000