nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-02-22 03:53:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos-containers: add networkNamespace option

Browse Source 
(cherry picked from commit e65d6fba75)
This commit is contained in:
Nico Felbinger 2024-11-26 18:41:42 +01:00 committed by github-actions[bot]
parent 63e085d7fb
commit 7e1a2f351d
1 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
nixos/modules/virtualisation/nixos-containers.nix
View File

@ -134,6 +134,10 @@ let
extraFlags+=("--network-bridge=$HOST_BRIDGE") extraFlags+=("--network-bridge=$HOST_BRIDGE")
fi fi
if [ -n "$NETWORK_NAMESPACE_PATH" ]; then
extraFlags+=("--network-namespace-path=$NETWORK_NAMESPACE_PATH")
fi
extraFlags+=(${lib.escapeShellArgs (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)}) extraFlags+=(${lib.escapeShellArgs (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)})
for iface in $INTERFACES; do for iface in $INTERFACES; do
@ -632,6 +636,20 @@ in
''; '';
}; };
networkNamespace = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Takes the path to a file representing a kernel network namespace that the container
shall run in. The specified path should refer to a (possibly bind-mounted) network
namespace file, as exposed by the kernel below /proc/<PID>/ns/net. This makes the
container enter the given network namespace. One of the typical use cases is to give
a network namespace under /run/netns created by ip-netns(8).
Note that this option cannot be used together with other network-related options,
such as --private-network or --network-interface=.
'';
};
interfaces = mkOption { interfaces = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];
@ -793,6 +811,11 @@ in
{ {
warnings = optional (!config.boot.enableContainers && config.containers != {}) warnings = optional (!config.boot.enableContainers && config.containers != {})
"containers.<name> is used, but boot.enableContainers is false. To use containers.<name>, set boot.enableContainers to true."; "containers.<name> is used, but boot.enableContainers is false. To use containers.<name>, set boot.enableContainers to true.";
assertions = let
mapper = name: cfg: optional (cfg.networkNamespace != null && (cfg.privateNetwork || cfg.interfaces != []))
"containers.${name}.networkNamespace is mutally exclusive to containers.${name}.privateNetwork and containers.${name}.interfaces.";
in mkMerge (mapAttrsToList mapper config.containers);
} }
(mkIf (config.boot.enableContainers) (let (mkIf (config.boot.enableContainers) (let
@ -897,6 +920,9 @@ in
LOCAL_ADDRESS6=${cfg.localAddress6} LOCAL_ADDRESS6=${cfg.localAddress6}
''} ''}
''} ''}
${optionalString (cfg.networkNamespace != null) ''
NETWORK_NAMESPACE_PATH=${cfg.networkNamespace}
''}
INTERFACES="${toString cfg.interfaces}" INTERFACES="${toString cfg.interfaces}"
MACVLANS="${toString cfg.macvlans}" MACVLANS="${toString cfg.macvlans}"
${optionalString cfg.autoStart '' ${optionalString cfg.autoStart ''