github.com/SagerNet/gvisor@v0.0.0-20210707092255-7731c139d75c/g3doc/user_guide/networking.md

# Networking

[TOC]

gVisor implements its own network stack called netstack. All aspects of the
network stack are handled inside the Sentry — including TCP connection state,
control messages, and packet assembly — keeping it isolated from the host
network stack. Data link layer packets are written directly to the virtual
device inside the network namespace set up by Docker or Kubernetes.

The IP address and routes configured for the device are transferred inside the
sandbox. The loopback device runs exclusively inside the sandbox and does not
use the host. You can inspect them by running:

```bash
docker run --rm --runtime=runsc alpine ip addr
```

## Network passthrough

For high-performance networking applications, you may choose to disable the
user space network stack and instead use the host network stack, including the
loopback. Note that this mode weakens isolation from the host: the sandbox
shares the host's network stack and loopback, so services the host has bound to
localhost become reachable from inside the sandbox.

Add the following `runtimeArgs` to your Docker configuration
(`/etc/docker/daemon.json`) and restart the Docker daemon:

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--network=host"
            ]
        }
    }
}
```

## Disabling external networking

To completely isolate the host and network from the sandbox, external networking
can be disabled. The sandbox will still contain a loopback provided by netstack.

Add the following `runtimeArgs` to your Docker configuration
(`/etc/docker/daemon.json`) and restart the Docker daemon:

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--network=none"
            ]
        }
    }
}
```

### Disable GSO {#gso}

netstack uses Generic Segmentation Offload (GSO), which requires Linux 4.14.17
or newer. On an older kernel (3.17 or newer) you can disable GSO instead: add the
`--gso=false` flag to your Docker runtime configuration
(`/etc/docker/daemon.json`) and restart the Docker daemon.

> Note: Network performance, especially for large payloads, will be greatly
> reduced.

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--gso=false"
            ]
        }
    }
}
```
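Each of the three sections above says to add `runtimeArgs` to
`/etc/docker/daemon.json` and restart Docker. Doing that by hand on a daemon
that already carries other runtimes or flags is where things go wrong: the file
must stay valid JSON, the other runtimes must survive, and `--network=host` and
`--network=none` must never both end up in the list. The helper below is an
added example, not part of gVisor or Docker. It merges a flag into the `runsc`
runtime entry, replacing any earlier value of the same flag, and it parses
`ip addr` output so the effect can be checked with the inspection command from
the top of this page. The `daemon.json` contents and the `ip addr` output are
constructed samples; the flags are the ones this page documents and the runsc
path is the one used in the page's snippets.

```python
"""Apply runsc networking flags to daemon.json and check what the sandbox sees.

Added example; not gVisor's or Docker's own code. Works on text so it can be
exercised offline with the constructed samples at the bottom.
"""
import json
import re

RUNSC_PATH = "/usr/local/bin/runsc"  # path used in this page's snippets


def set_runsc_args(daemon_json: str, *new_args: str) -> str:
    """Return daemon.json text with new_args applied to the runsc runtime.

    Unrelated settings and other runtimes are preserved. A flag that is already
    present (matched on the part before '=') is replaced, not appended, so
    --network=host and --network=none never coexist. Assumes the --flag=value
    spelling this page uses, not '--flag value' as two list entries.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    runtimes = cfg.setdefault("runtimes", {})
    runsc = runtimes.setdefault("runsc", {})
    runsc.setdefault("path", RUNSC_PATH)
    args = list(runsc.get("runtimeArgs", []))

    def key(flag: str) -> str:
        return flag.split("=", 1)[0]

    for flag in new_args:
        args = [a for a in args if key(a) != key(flag)]
        args.append(flag)
    runsc["runtimeArgs"] = args
    return json.dumps(cfg, indent=4) + "\n"


def runsc_args(daemon_json: str) -> list:
    """The runtimeArgs list of the runsc runtime ([] when absent)."""
    cfg = json.loads(daemon_json)
    return list(cfg.get("runtimes", {}).get("runsc", {}).get("runtimeArgs", []))


def sandbox_interfaces(ip_addr_output: str) -> dict:
    """Parse `ip addr` output into {name: {"flags": [...], "addrs": [...]}}.

    An interface block starts with '<index>: <name>: <FLAGS> ...'; addresses
    are the 'inet'/'inet6' lines that follow it.
    """
    result, current = {}, None
    for line in ip_addr_output.splitlines():
        m = re.match(r"^\d+:\s+([^:@]+?)(?:@\S+)?:\s+<([^>]*)>", line)
        if m:
            current = m.group(1)
            result[current] = {"flags": m.group(2).split(","), "addrs": []}
            continue
        m = re.match(r"^\s+inet6?\s+(\S+)", line)
        if m and current is not None:
            result[current]["addrs"].append(m.group(1))
    return result


def only_loopback(ip_addr_output: str) -> bool:
    """True when every interface visible in the sandbox carries LOOPBACK,
    i.e. what --network=none should leave behind."""
    ifaces = sandbox_interfaces(ip_addr_output)
    return bool(ifaces) and all("LOOPBACK" in i["flags"] for i in ifaces.values())


# Constructed sample: a daemon.json that already has another runtime and a
# runsc entry previously switched to --network=host.
EXISTING_DAEMON_JSON = """{
    "log-driver": "json-file",
    "runtimes": {
        "nvidia": {"path": "/usr/bin/nvidia-container-runtime"},
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": ["--network=host", "--debug"]
        }
    }
}"""

# Constructed `ip addr` output for a sandbox started with --network=none:
# only the loopback provided by netstack.
IP_ADDR_NONE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope global lo
    inet6 ::1/128 scope global
"""

# Constructed output for the default mode: loopback plus the virtual device
# whose address Docker configured and gVisor transferred into the sandbox.
IP_ADDR_SANDBOX = IP_ADDR_NONE + """\
2: eth0: <UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 scope global eth0
"""

if __name__ == "__main__":
    print(set_runsc_args(EXISTING_DAEMON_JSON, "--network=none"))
    print("only loopback with --network=none:", only_loopback(IP_ADDR_NONE))
    print("only loopback in default mode:   ", only_loopback(IP_ADDR_SANDBOX))
```

Writing the result back to `/etc/docker/daemon.json` (as root) and restarting
the daemon is left to the caller, as the page says; after the restart, feed the
output of `docker run --rm --runtime=runsc alpine ip addr` to `only_loopback`
to confirm that `--network=none` really left nothing but the loopback.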