depot/third_party/nixpkgs/nixos/doc/manual/administration/container-networking.section.md
Default email 88abffb7d2 Project import generated by Copybara.
GitOrigin-RevId: bc9b956714ed6eac5f8888322aac5bc41389defa
2021-09-18 12:52:07 +02:00

1.6 KiB

Container Networking

When you create a container using nixos-container create, it gets it own private IPv4 address in the range 10.233.0.0/16. You can get the container's IPv4 address as follows:

# nixos-container show-ip foo
10.233.4.2

$ ping -c1 10.233.4.2
64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms

Networking is implemented using a pair of virtual Ethernet devices. The network interface in the container is called eth0, while the matching interface in the host is called ve-container-name (e.g., ve-foo). The container has its own network namespace and the CAP_NET_ADMIN capability, so it can perform arbitrary network configuration such as setting up firewall rules, without affecting or having access to the host's network.

By default, containers cannot talk to the outside network. If you want that, you should set up Network Address Translation (NAT) rules on the host to rewrite container traffic to use your external IP address. This can be accomplished using the following configuration on the host:

networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "eth0";

where eth0 should be replaced with the desired external interface. Note that ve-+ is a wildcard that matches all container interfaces.

If you are using Network Manager, you need to explicitly prevent it from managing container interfaces:

networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];

You may need to restart your system for the changes to take effect.