Resolving hostnames with Linux Containers

Hi, I am having difficulties wrapping my head around how to resolve hostnames with the new Linux containers.

I've installed Debian, with a Linux container. I have the hostname set correctly in the container.

But I am not sure about how the container IP works… It picks an IP off my subnet and I use the Proxy settings to expose them. I've installed Virtualmin, and successfully exposed the administration IPs through the proxy, so I get how that works, but how am I supposed to direct domain traffic to the VM?

I understand how if I had a separate IP accessible on the same subnet as TrueNAS how this might work… But I am stuck. Help please. (I looked for docs about this, but was not able to find any.)

To accomplish this, people usually set up a DNS server on their network and configure the DHCP to point clients to it.

When creating an instance (Incus container or VMs) on TrueNAS 25.04.0 and later, there are two primary networking options:

  1. Incus Internal Network (incusbr0)
    Instances get IPv4/IPv6 addresses from the Incus managed network. They can communicate with each other via IP or DNS (e.g., debian1 can reach debian2 as debian2.incus).
    To expose services to your LAN, use Incus’ proxy feature to map host ports to instance ports.

  2. macvlan (Bridged to Physical Network)
    Instances get IPs directly from your LAN DHCP server and are fully accessible on the network—no need for port proxies.
    This is ideal if you want the instance to behave like any other device on your local network.

Choose the mode based on whether you want isolation (Incus internal) or direct LAN access (macvlan).

One important note when using macvlan: If you are using a macvlan network, communication between the Incus host and the instances is not possible. Both the host and the instances can talk to the gateway, but they cannot communicate directly. See Macvlan network - Incus documentation


Example: Reverse Proxy as Incus instance

As you can see in the screenshot below, I’ve created two container instances with the Incus managed network and mapped ports 80 and 443 of the host (my TrueNAS server) to the same ports in the instance proxy:

When I open prometheus.mydomain.net (an A record pointing to my TrueNAS server), traffic is forwarded to the container via the proxy feature of Incus. As Prometheus is running on the monitoring instance, the reverse proxy installed on the proxy instance forwards this traffic internally to monitoring.incus:9090.
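
The name-based routing described in this reply, as an added example that is not part of the original post or the poster's actual configuration. It assumes nginx is the reverse proxy in the proxy instance (the post does not say which one is used) and that the file is included from nginx's http context; site2.mydomain.net and web.incus are hypothetical names.

```nginx
# Assumed location: /etc/nginx/conf.d/incus-vhosts.conf (included inside http {}).
# Only port 80 is shown; the 443 blocks take the same form plus ssl_certificate lines.

# Catch-all: a request whose Host header matches no server_name below
# is dropped instead of being forwarded to some backend by default.
server {
    listen 80 default_server;
    server_name _;
    return 444;   # nginx-specific code: close the connection without a response
}

# From the post: prometheus.mydomain.net -> Prometheus on the monitoring instance.
# monitoring.incus is resolved by the Incus managed network's DNS.
server {
    listen 80;
    server_name prometheus.mydomain.net;

    location / {
        proxy_pass http://monitoring.incus:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Hypothetical second site on another instance (names are assumptions).
# It shares the same host port mapping; only the Host header differs.
server {
    listen 80;
    server_name site2.mydomain.net;

    location / {
        proxy_pass http://web.incus:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Adding another domain means adding a server block here and a DNS record for it; the host-to-instance mapping of ports 80 and 443 stays as it is.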

Just to clarify, you can get the “best of both worlds” (instances accessible directly from LAN and from the host) by creating a bridge via the TrueNAS UI and configuring Incus to use that bridge (br0) instead of the default Incus bridge (incusbr0).

At the very least, that config works fine for VM instances… I haven’t tried container instances yet.

Thanks for all your feedback. I feel so blessed to have so many great guys who jump in to help with such great advice and knowledge. You guys are the best.

It really hits home that my networking knowledge could use some work. I realized that my understanding of the nitty gritty of how DNS really works is limited.

I hope to have this container act as a web server with multiple fully qualified domains. What I am familiar with is pointing the DNS in the domain name provider web interface to the web server via a nameserver or A record, etc. All that stuff you can do in those domain web interfaces. I have Virtualmin installed on the container which takes care of directing traffic to the right place after a request is made to the server.

I was hoping to avoid manually pointing many different ports here and there in an intermediary interface. The Domain Interface needs to be configured, and the container (Virtualmin) needs to be configured, and I was hoping to have something set up that would not require additional configuration for each domain in TrueNAS.

In my case I was going to use a Cloudflare tunnel instead of opening the whole IP up to the internet. I've used them in the past and they have worked well for me so far.

I found out that DNS is often negotiated over port 53 UDP, but not always. So I was unsure how Incus could work with that in mind, if I could get it to work at all.

From what you’ve all said, I think assigning a NIC and allowing the router to give an IP address would be the way to go. This makes it easy for the Cloudflare tunnel to point the domains to a static LAN IP and have the Debian container configured by Virtualmin then handle directing that traffic to the right place, and the right content be served.

I really like the idea of creating a bridge in the TrueNAS UI to make network access accessible from both the LAN and host. An amazing suggestion. Something I never would have thought about.

I am sad to say that I didn’t understand everything maveonair was suggesting. I see the photo of the two instances. One with 80 and 443 forwarded, but am just not sure how that is possible. Every time I try doing something like that it always throws an error, as both 80 and 443 are already in use by the TrueNAS web interface.

I was hoping to get things configured before replying, but seem to have killed my TrueNAS in trying to set up the bridge. I added the NIC supplying TrueNAS to a bridge, but it was the only member added to the bridge. I think this is what @bcat suggested. However, a while after I saved the network changes I lost connectivity to my TrueNAS server. The container still has connectivity, so the server is still running, but I guess I need to move TrueNAS over to the bridge as well. I need physical access to the server to do that though, which I don't have right now :(

Anyhow, thanks so much for all your help. I really appreciate it.