nixos-containers: add networkNamespace option

NixOS · Nov 26, 2024 · ef844ef · ef844ef
1 parent 470e6e6
commit ef844ef
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/nixos/modules/virtualisation/nixos-containers.nix b/nixos/modules/virtualisation/nixos-containers.nix
@@ -182,6 +182,7 @@ let
         --setenv HOST_PORT="$HOST_PORT" \
         --setenv PATH="$PATH" \
         ${optionalString cfg.ephemeral "--ephemeral"} \
+        ${optionalString (cfg.networkNamespace != null) "--network-namespace-path ${cfg.networkNamespace}"} \
         ${optionalString (cfg.additionalCapabilities != null && cfg.additionalCapabilities != [])
           ''--capability="${concatStringsSep "," cfg.additionalCapabilities}"''
         } \
@@ -632,6 +633,20 @@ in
               '';
             };
 
+            networkNamespace = mkOption {
+              type = types.nullOr types.path;
+              default = null;
+              description = ''
+                Takes the path to a file representing a kernel network namespace that the container
+                shall run in. The specified path should refer to a (possibly bind-mounted) network
+                namespace file, as exposed by the kernel below /proc/<PID>/ns/net. This makes the
+                container enter the given network namespace. One of the typical use cases is to give
+                a network namespace under /run/netns created by ip-netns(8).
+                Note that this option cannot be used together with other network-related options,
+                such as --private-network or --network-interface=.
+              '';
+            };
+
             interfaces = mkOption {
               type = types.listOf types.str;
               default = [];
@@ -793,6 +808,12 @@ in
     {
       warnings = optional (!config.boot.enableContainers && config.containers != {})
         "containers.<name> is used, but boot.enableContainers is false. To use containers.<name>, set boot.enableContainers to true.";
+
+      assertions = let
+        mapper = name: cfg: optionals (cfg.networkNamespace != null) && (cfg.privateNetwork || (cfg.interfaces != [])))
+          "containers.${name}.networkNamespace is mutally exclusive to containers.${name}.privateNetwork and containers.${name}.interfaces.";
+        )
+      in mkMerge (mapAttrsToList mapper config.containers);
     }
 
     (mkIf (config.boot.enableContainers) (let