Skip to content

nixos-containers: allow hard-coding container veth MAC address & add IPv6 SLAAC test case #462775

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

nixos-containers: allow hard-coding container veth MAC address & add IPv6 SLAAC test case #462775

wants to merge 2 commits into from

Conversation

@lschuermann
Copy link
Member

@lschuermann lschuermann commented Nov 18, 2025
edited
Loading

This PR adds an option to set the MAC address of the container-side network interface for NixOS containers. It then uses this option in a test case that demonstrates how this can use to assign a stable IPv6 address to a container via stateless auto-configuration.

nixos-containers: allow hard-coding container veth MAC address

When using a NixOS container with privateNetwork = true; (i.e., a veth network device), it automatically gets assigned a random, locally administered unicast MAC address. While this is fine for many purposes, when attaching this container to a larger Layer 2 network where it interacts with other services, like an external DHCP server or IPv6 gateway sending out router advertisements, the MAC address of the container matters.

This commit thus adds a macAddress option to containers. If set, this MAC address will be assigned to the container-side of the veth interface early during container boot (before stage 2 init). This is crucial to ensure that no services run in the container using the prior, random MAC automatically assigned to the veth device. Otherweise, I've had problems using systemd units or the activation scripts to set the address early enough during container boot to use it, for example, for IPv6 SLAAC address assignment.

nixos/tests: add test for NixOS container using IPv6 SLAAC

Finally, the second commit adds a test for a NixOS container being assigned an IPv6 address and route using stateless auto-configuration, using IPv6 router advertisements sent using systemd-networkd by the host.

It exercises the newly added macAddress option for the container, as it relies on the container self-assigning an address in the specific IPv6 prefix based on its stable MAC address. It can also serve as an example for how one may bridge a NixOS container into an existing network, and assign it stable IPv4 / IPv6 addresses via DHCP and RAs.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
    • NixOS tests in nixos/tests.
      Built all container-* tests: nix-build -A nixosTests.containers-bridge -A nixosTests.containers-custom-pkgs -A nixosTests.containers-ephemeral -A nixosTests.containers-extra_veth -A nixosTests.containers-hosts -A nixosTests.containers-imperative -A nixosTests.containers-ip -A nixosTests.containers-ipv6-slaac -A nixosTests.containers-macvlans -A nixosTests.containers-names -A nixosTests.containers-nested -A nixosTests.containers-physical_interfaces -A nixosTests.containers-portforward -A nixosTests.containers-reloadable -A nixosTests.containers-require-bind-mounts -A nixosTests.containers-restart_networking -A nixosTests.containers-tmpfs -A nixosTests.containers-unified-hierarchy
    • Package tests at passthru.tests.
    • Tests in lib/tests or pkgs/test for functions and "core" functionality.
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 6.topic: nixos-container Imperative and declarative systemd-nspawn containers labels Nov 18, 2025
@lschuermann lschuermann force-pushed the dev/container-mac-address branch from a510b17 to 7fffb0e Compare November 18, 2025 04:53
aleclearmind
aleclearmind reviewed Nov 18, 2025
View reviewed changes
@nixpkgs-ci nixpkgs-ci bot removed the 9.needs: reviewer This PR currently has no reviewers requested and needs attention. label Nov 18, 2025
@lschuermann lschuermann force-pushed the dev/container-mac-address branch 2 times, most recently from 71cf738 to d76b2c4 Compare November 18, 2025 18:52
@lschuermann lschuermann force-pushed the dev/container-mac-address branch from d76b2c4 to f185342 Compare November 18, 2025 18:53
@lschuermann
nixos-containers: allow hard-coding container veth MAC address
a2cd0a2 
When using a NixOS container with `privateNetwork = true;` (i.e., a
veth network device), it automatically gets assigned a random, locally
administered unicast MAC address. While this is fine for many
purposes, when attaching this container to a larger Layer 2 network
where it interacts with other services, like an external DHCP server
or IPv6 gateway sending out router advertisements, the MAC address of
the container matters.

This commit thus adds a `macAddress` option to containers. If set,
this MAC address will be assigned to the container-side of the `veth`
interface very early during container boot (before executing the stage
2 init script). This is crucial to ensure that no services run in the
container using the prior, random MAC automatically assigned to the
`veth` device. Otherweise, I've had problems using systemd units or
the activation scripts to set the address early enough during
container boot to use it, for example, for IPv6 SLAAC address
assignment.
@lschuermann lschuermann force-pushed the dev/container-mac-address branch from f185342 to 6125858 Compare November 18, 2025 19:52
aleclearmind
aleclearmind reviewed Nov 18, 2025
View reviewed changes
@lschuermann lschuermann force-pushed the dev/container-mac-address branch from 6125858 to f82e24c Compare November 19, 2025 15:42
@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Nov 19, 2025
@lschuermann
Copy link
Member Author

lschuermann commented Nov 24, 2025

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 462775 --package nixosTests.containers-ipv6-slaac
Commit: f82e24c8189f4594ea3604215071518bda41e81a

x86_64-linux

✅ 1 test built:
  • nixosTests.containers-ipv6-slaac

@lschuermann
Copy link
Member Author

lschuermann commented Nov 24, 2025

Friendly ping on this PR! 😄

@aleclearmind
Copy link

aleclearmind commented Nov 25, 2025

@lschuermann I cannot do anything more than approve it. You'll need to find someone that can merge. AFAIU posting on discourse or on the right matrix channel can help. I just gave me review, cannot help any further as of now.

@lschuermann
nixos/tests: add test for NixOS container using IPv6 SLAAC
dee54f2 
This adds a test for a NixOS container being assigned an IPv6 address
and route using stateless auto-configuration, using IPv6 router
advertisements sent using systemd-networkd by the host.

It exercises the newly added `macAddress` option for the container, as
it relies on the container self-assigning an address in the specific
IPv6 prefix based on its stable MAC address. It can also serve as an
example for how one may bridge a NixOS container into an existing
network, and assign it stable IPv4 / IPv6 addresses via DHCP and RAs.
@lschuermann lschuermann force-pushed the dev/container-mac-address branch from f82e24c to dee54f2 Compare November 26, 2025 18:33
@lschuermann
Copy link
Member Author

lschuermann commented Nov 26, 2025

@lschuermann I cannot do anything more than approve it. You'll need to find someone that can merge. AFAIU posting on discourse or on the right matrix channel can help. I just gave me review, cannot help any further as of now.

@aleclearmind Sorry, I didn't mean to bug you specifically. I guess I don't of a good way to get the attention of a committer on this, as this seems awfully specific for the "PRs ready for review" Discourse thread, and I can't easily tell who's responsible for this subsystem.

I'll go ahead and ping @Ma27 @emilazy @r-vdp who've recently merged substantive PRs to nixos-containers.nix. Hope that's OK!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@aleclearmind aleclearmind aleclearmind approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: nixos-container Imperative and declarative systemd-nspawn containers 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lschuermann @aleclearmind