Incus: Difference between revisions

No edit summary
show more restrictive firewall config
(One intermediate revision by one other user not shown)
Line 72: Line 72:


== Networking/Firewall ==
== Networking/Firewall ==
When using Incus on NixOS, nftables is required to ensure broadest compatibility with other services that manage firewall rules from release 24.05. Trying to use iptables will fail eval, and this can be fixed by switching to nftables and for simple firewalls should be a drop-in replacement for iptables.
When using Incus on NixOS, nftables is required to ensure broadest compatibility with other services that manage firewall rules from release 24.05. Trying to use iptables will fail eval, and this can be fixed by switching to nftables and for simple firewalls should be a drop-in replacement for iptables.<syntaxhighlight lang="nix">
networking.nftables.enable = true;
networking.nftables.enable = true;
By default the NixOS firewall will block DHCP requests to the Incus network, meaning instances will not get an IPv4 address. The simplest fix for this is to mark the Incus bridged interface as trusted. This interface name should match the name given during initialization or configured through the incus command line.
</syntaxhighlight>
networking.firewall.trustedInterfaces = [ "incusbr0" ];
By default the NixOS firewall will block DHCP requests to the Incus network, meaning instances will not get an IPv4 address. Ensure you allow 53 for DNS and 67 for DHCPv4 on any Incus bridge network interfaces. This interface name should match the name given during initialization or configured through the incus interfaces.<syntaxhighlight lang="nix">
networking.firewall.interfaces.incusbr0.allowedTCPPorts = [
  53
  67
];
networking.firewall.interfaces.incusbr0.allowedUDPPorts = [
  53
  67
];
</syntaxhighlight>
OR, the entire intreface can be trusted. <syntaxhighlight lang="nix">
networking.firewall.trustedInterfaces = [ "incusbr0" ];
</syntaxhighlight>


== NixOS Instances ==
== NixOS Instances ==
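Review bot: In the new, more restrictive firewall block, TCP 67 should not be in `networking.firewall.interfaces.incusbr0.allowedTCPPorts`: DHCPv4 is carried over UDP only, so the TCP list needs just `53` (DNS does legitimately use TCP for responses that do not fit in a UDP datagram), and the UDP list keeps `53` and `67`. Dropping the unneeded TCP port keeps the rule at the minimum the bridge actually requires, which is the point of preferring this over `trustedInterfaces`. Two wording fixes in the same hunk: "configured through the incus interfaces" replaced the earlier "configured through the incus command line" and now reads oddly, so the earlier phrasing should be restored; and "OR, the entire intreface can be trusted." has a typo ("interface"). Finally, the text and the rule cover DHCPv4 only, as the sentence about IPv4 addresses says; if the bridge is expected to hand out IPv6 addresses as well, that traffic is not covered by these ports and the page should say so.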
Line 85: Line 97:


A NixOS virtual machine is launched with the following.
A NixOS virtual machine is launched with the following.
  incus launch images:nixos/unstable nixos -c security.secureboot=false
  incus launch --vm images:nixos/unstable nixos -c security.secureboot=false
 
== NixOS Images ==
== NixOS Images ==
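Review bot: The added `--vm` flag is the right fix: without it `incus launch images:nixos/unstable nixos` creates a container, which contradicts the sentence "A NixOS virtual machine is launched with the following." What is still missing is documentation for `-c security.secureboot=false`; the command silently disables a security feature of the VM firmware, so the text should state in one sentence why the image requires it, so readers can decide whether the same setting belongs in their own environment.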