diff options
| author | Mikey Ariel <mariel@redhat.com> | 2014-08-24 19:18:18 +0200 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-08-26 19:03:49 +0200 |
| commit | a099ca45054940b63b1615920de158ebafb25ea8 (patch) | |
| tree | 52907df9dc996cbab14885c8eab72b473086126a /nixos/doc/manual/administration/container-networking.xml | |
| parent | 8707a070baca84d881a7e03e04a44374d8cc05e1 (diff) | |
| download | nixlib-a099ca45054940b63b1615920de158ebafb25ea8.tar nixlib-a099ca45054940b63b1615920de158ebafb25ea8.tar.gz nixlib-a099ca45054940b63b1615920de158ebafb25ea8.tar.bz2 nixlib-a099ca45054940b63b1615920de158ebafb25ea8.tar.lz nixlib-a099ca45054940b63b1615920de158ebafb25ea8.tar.xz nixlib-a099ca45054940b63b1615920de158ebafb25ea8.tar.zst nixlib-a099ca45054940b63b1615920de158ebafb25ea8.zip | |
Chunk NixOS manual
[Squashed commits to make git blame etc. more likely to work. -ED]
Diffstat (limited to 'nixos/doc/manual/administration/container-networking.xml')
| -rw-r--r-- | nixos/doc/manual/administration/container-networking.xml | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/nixos/doc/manual/administration/container-networking.xml b/nixos/doc/manual/administration/container-networking.xml new file mode 100644 index 000000000000..adea3e69840d --- /dev/null +++ b/nixos/doc/manual/administration/container-networking.xml @@ -0,0 +1,50 @@ +<section xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-container-networking"> + + +<title>Container Networking</title> + +<para>When you create a container using <literal>nixos-container +create</literal>, it gets it own private IPv4 address in the range +<literal>10.233.0.0/16</literal>. You can get the container’s IPv4 +address as follows: + +<screen> +$ nixos-container show-ip foo +10.233.4.2 + +$ ping -c1 10.233.4.2 +64 bytes from 10.233.4.2: icmp_seq=1 ttl=64 time=0.106 ms +</screen> + +</para> + +<para>Networking is implemented using a pair of virtual Ethernet +devices. The network interface in the container is called +<literal>eth0</literal>, while the matching interface in the host is +called <literal>ve-<replaceable>container-name</replaceable></literal> +(e.g., <literal>ve-foo</literal>). The container has its own network +namespace and the <literal>CAP_NET_ADMIN</literal> capability, so it +can perform arbitrary network configuration such as setting up +firewall rules, without affecting or having access to the host’s +network.</para> + +<para>By default, containers cannot talk to the outside network. If +you want that, you should set up Network Address Translation (NAT) +rules on the host to rewrite container traffic to use your external +IP address. This can be accomplished using the following configuration +on the host: + +<programlisting> +networking.nat.enable = true; +networking.nat.internalInterfaces = ["ve-+"]; +networking.nat.externalInterface = "eth0"; +</programlisting> +where <literal>eth0</literal> should be replaced with the desired +external interface. Note that <literal>ve-+</literal> is a wildcard +that matches all container interfaces.</para> + +</section> \ No newline at end of file |