[Backport release-24.11] nixos-containers: add networkNamespace option (#367659)

2025-07-14 06:00:33 +03:00 · 2025-01-01 16:55:39 +01:00 · 2025-01-01 16:55:39 +01:00 · 798e6f4dde
commit 798e6f4dde
parent 1a2a5340fd 9bec4f1c52
2 changed files with 31 additions and 0 deletions
--- a/nixos/modules/virtualisation/nixos-containers.nix
+++ b/nixos/modules/virtualisation/nixos-containers.nix
@ -134,6 +134,10 @@ let
        extraFlags+=("--network-bridge=$HOST_BRIDGE")
      fi

+      if [ -n "$NETWORK_NAMESPACE_PATH" ]; then
+        extraFlags+=("--network-namespace-path=$NETWORK_NAMESPACE_PATH")
+      fi
+
      extraFlags+=(${lib.escapeShellArgs (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)})

      for iface in $INTERFACES; do
@ -632,6 +636,20 @@ in
              '';
            };

+            networkNamespace = mkOption {
+              type = types.nullOr types.path;
+              default = null;
+              description = ''
+                Takes the path to a file representing a kernel network namespace that the container
+                shall run in. The specified path should refer to a (possibly bind-mounted) network
+                namespace file, as exposed by the kernel below /proc/<PID>/ns/net. This makes the
+                container enter the given network namespace. One of the typical use cases is to give
+                a network namespace under /run/netns created by ip-netns(8).
+                Note that this option cannot be used together with other network-related options,
+                such as --private-network or --network-interface=.
+              '';
+            };
+
            interfaces = mkOption {
              type = types.listOf types.str;
              default = [];
@ -793,6 +811,11 @@ in
    {
      warnings = optional (!config.boot.enableContainers && config.containers != {})
        "containers.<name> is used, but boot.enableContainers is false. To use containers.<name>, set boot.enableContainers to true.";
+
+      assertions = let
+        mapper = name: cfg: optional (cfg.networkNamespace != null && (cfg.privateNetwork || cfg.interfaces != []))
+          "containers.${name}.networkNamespace is mutally exclusive to containers.${name}.privateNetwork and containers.${name}.interfaces.";
+      in mkMerge (mapAttrsToList mapper config.containers);
    }

    (mkIf (config.boot.enableContainers) (let
@ -897,6 +920,9 @@ in
                  LOCAL_ADDRESS6=${cfg.localAddress6}
                ''}
              ''}
+              ${optionalString (cfg.networkNamespace != null) ''
+                NETWORK_NAMESPACE_PATH=${cfg.networkNamespace}
+              ''}
              INTERFACES="${toString cfg.interfaces}"
              MACVLANS="${toString cfg.macvlans}"
              ${optionalString cfg.autoStart ''
--- a/nixos/tests/containers-restart_networking.nix
+++ b/nixos/tests/containers-restart_networking.nix
@ -39,6 +39,11 @@ import ./make-test-python.nix (
          }
        ];

+        networking.interfaces.eth1 = {
+          ipv4.addresses = lib.mkForce [ ];
+          ipv6.addresses = lib.mkForce [ ];
+        };
+
        specialisation.eth1.configuration = {
          networking.bridges.br0.interfaces = [ "eth1" ];
          networking.interfaces = {