github.com/rootless-containers/rootlesskit/v2@v2.3.4/docs/network.md

## Network Drivers

RootlessKit provides several drivers for providing network connectivity:

* `--net=host`: use host network namespace (default)
* `--net=pasta`: use [pasta](https://passt.top/passt/) (experimental)
* `--net=slirp4netns`: use [slirp4netns](https://github.com/rootless-containers/slirp4netns) (recommended)
* `--net=vpnkit`: use [VPNKit](https://github.com/moby/vpnkit)
* `--net=lxc-user-nic`: use `lxc-user-nic` (experimental)

[Benchmark: iperf3 from the child to the parent (Mar 8, 2020)](https://github.com/rootless-containers/rootlesskit/runs/492498728):

| Driver                                 | MTU=1500    | MTU=65520     |
|----------------------------------------|-------------|---------------|
| `slirp4netns`                          | 1.06 Gbps   | 7.55 Gbps     |
| `slirp4netns` (with sandbox + seccomp) | 1.05 Gbps   | 7.21 Gbps     |
| `vpnkit`                               | 0.60 Gbps   | (Unsupported) |
| `lxc-user-nic`                         | 31.4 Gbps   | 30.9 Gbps     |
| (rootful veth)                         | (38.7 Gbps) | (40.8 Gbps)   |

### `--net=host` (default)

`--net=host` does not isolate the network namespace from the host.

Pros:
* No performance overhead
* Supports ICMP Echo (`ping`) when `/proc/sys/net/ipv4/ping_group_range` is configured

Cons:
* No permission for network-namespaced operations, e.g. creating iptables rules, running `tcpdump`

To route ICMP Echo packets (`ping`), you need to write the range of GIDs to [`net.ipv4.ping_group_range`](http://man7.org/linux/man-pages/man7/icmp.7.html).

```console
$ sudo sh -c "echo 0 2147483647 > /proc/sys/net/ipv4/ping_group_range"
```

The range `0 2147483647` lets every group on the host open unprivileged ICMP Echo sockets. A narrower range that covers only the GID of the user running RootlessKit is sufficient; the kernel default (`1 0`) disables the feature entirely.

### `--net=slirp4netns` (recommended)

`--net=slirp4netns` isolates the network namespace from the host and launches [slirp4netns](https://github.com/rootless-containers/slirp4netns) for providing usermode networking.

Pros:
* Possible to perform network-namespaced operations, e.g. creating iptables rules, running `tcpdump`
* Supports ICMP Echo (`ping`) when `/proc/sys/net/ipv4/ping_group_range` is configured
* Supports hardening using mount namespace and seccomp (`--slirp4netns-sandbox=auto`, `--slirp4netns-seccomp=auto`, since RootlessKit v0.7.0, slirp4netns v0.4.0)
* Supports IPv6 routing (`--ipv6`)

Cons:
* Extra performance overhead (but still faster than `--net=vpnkit`)
* Supports only TCP, UDP, and ICMP Echo packets

To use `--net=slirp4netns`, you need to install slirp4netns v0.4.0 or later.

```console
$ sudo dnf install slirp4netns
```

or

```console
$ sudo apt-get install slirp4netns
```

If a binary package is not available for your distribution, install from source:

```console
$ git clone https://github.com/rootless-containers/slirp4netns
$ cd slirp4netns
$ ./autogen.sh && ./configure && make
$ cp slirp4netns ~/bin
```

The network is configured as follows by default:
* IP: 10.0.2.100/24
* Gateway: 10.0.2.2
* DNS: 10.0.2.3

The network configuration can be changed by specifying a custom CIDR, e.g. `--cidr=10.0.3.0/24` (requires slirp4netns v0.3.0+).

Specifying `--copy-up=/etc` is highly recommended unless `/etc/resolv.conf` on the host is statically configured. Otherwise `/etc/resolv.conf` in RootlessKit's mount namespace will be unmounted when `/etc/resolv.conf` on the host is recreated, typically by NetworkManager or systemd-resolved.

It is also highly recommended to specify `--disable-host-loopback`. Otherwise ports listening on 127.0.0.1 on the host are accessible as 10.0.2.2 in RootlessKit's network namespace, so any service the host binds to loopback only (and therefore treats as local and trusted) becomes reachable from inside the namespace.
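The following pre-flight script is an added example, not part of RootlessKit or slirp4netns. It checks the two prerequisites stated above (slirp4netns v0.4.0 or later, and a `ping_group_range` that includes the caller's GID) with pure helper functions, and only touches the real tools when `RUN_SLIRP4NETNS_PREFLIGHT=1` is set. It assumes `slirp4netns --version` prints a line of the form `slirp4netns version X.Y.Z`, and the loopback probe assumes bash's `/dev/tcp` is available inside the namespace.

```sh
#!/bin/sh
# Added example (not RootlessKit/slirp4netns code): pre-flight checks for the
# recommended --net=slirp4netns setup.

# version_ge A B: exit 0 when dotted version A >= B (first three numeric parts).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0; if (xi < yi) exit 1;
        }
        exit 0 }'
}

# gid_in_ping_range "MIN MAX" GID: exit 0 when GID may open ICMP Echo sockets.
# The kernel default "1 0" (min > max) disables the feature for everyone.
gid_in_ping_range() {
    set -- $1 "$2"                      # $1=min $2=max $3=gid
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# preflight_status VERSION "MIN MAX" GID:
#   0 = ready; 1 = slirp4netns too old (RootlessKit needs >= 0.4.0);
#   2 = usable, but ping will not work for this GID.
preflight_status() {
    version_ge "$1" 0.4.0 || return 1
    gid_in_ping_range "$2" "$3" || return 2
    return 0
}

# probe_host_loopback GATEWAY PORT: run INSIDE the RootlessKit namespace.
# Exit 0 means a host service bound to 127.0.0.1:PORT is reachable via the
# gateway (10.0.2.2 for slirp4netns), i.e. the leak --disable-host-loopback
# is meant to close is open. Assumes bash's /dev/tcp is available.
probe_host_loopback() {
    timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

if [ "${RUN_SLIRP4NETNS_PREFLIGHT:-0}" = 1 ]; then
    # Assumed output format: "slirp4netns version X.Y.Z" on the first line.
    ver=$(slirp4netns --version 2>/dev/null | awk '/^slirp4netns version/ { print $3; exit }')
    range=$(cat /proc/sys/net/ipv4/ping_group_range)
    gid=$(id -g)
    rc=0; preflight_status "${ver:-0}" "$range" "$gid" || rc=$?
    case $rc in
        0) echo "ok: slirp4netns $ver, ping enabled for gid $gid" ;;
        1) echo "slirp4netns ${ver:-not found}: RootlessKit needs >= 0.4.0" >&2; exit 1 ;;
        2) echo "warning: ping_group_range ($range) excludes gid $gid; ping will fail" >&2 ;;
    esac
    # Recommended invocation from the section above; the hardening flags are
    # auto-detected and fall back gracefully when unsupported.
    echo "rootlesskit --net=slirp4netns --copy-up=/etc --disable-host-loopback" \
         "--slirp4netns-sandbox=auto --slirp4netns-seccomp=auto bash"
fi
```

Run `RUN_SLIRP4NETNS_PREFLIGHT=1 sh preflight.sh` on the host before starting RootlessKit; once inside the namespace, `probe_host_loopback 10.0.2.2 <port>` against a port you know the host has bound to 127.0.0.1 should fail when `--disable-host-loopback` is in effect.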
Example session:

```console
$ rootlesskit --net=slirp4netns --copy-up=/etc --disable-host-loopback bash
rootlesskit$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UP group default qlen 1000
    link/ether 46:dc:8d:09:fd:f2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::44dc:8dff:fe09:fdf2/64 scope link
       valid_lft forever preferred_lft forever
rootlesskit$ ip r
default via 10.0.2.2 dev tap0
10.0.2.0/24 dev tap0 proto kernel scope link src 10.0.2.100
rootlesskit$ cat /etc/resolv.conf
nameserver 10.0.2.3
rootlesskit$ curl https://www.google.com
<!doctype html><html ...>...</html>
```

Starting with RootlessKit v0.7.0 + slirp4netns v0.4.0, `--slirp4netns-sandbox=auto/true/false` (enables mount namespace) and `--slirp4netns-seccomp=auto/true/false` (enables seccomp rules) can be used to harden the slirp4netns process. slirp4netns parses packets coming from both the namespace and the outside network, so confining the process limits what a bug in it can reach.

### `--net=vpnkit`

`--net=vpnkit` isolates the network namespace from the host and launches [VPNKit](https://github.com/moby/vpnkit) for providing usermode networking.

Pros:
* Possible to perform network-namespaced operations, e.g. creating iptables rules, running `tcpdump`

Cons:
* Extra performance overhead
* Supports only TCP and UDP packets. No support for ICMP Echo (`ping`), unlike `--net=slirp4netns`, even if `/proc/sys/net/ipv4/ping_group_range` is configured.
* No support for IPv6.

To use `--net=vpnkit`, you need to install VPNKit.
```console
$ git clone https://github.com/moby/vpnkit.git
$ cd vpnkit
$ make
$ cp vpnkit.exe ~/bin/vpnkit
```

The network is configured as follows by default:
* IP: 192.168.65.3/24
* Gateway: 192.168.65.1
* DNS: 192.168.65.1

As with `--net=slirp4netns`, specifying `--copy-up=/etc` and `--disable-host-loopback` is highly recommended.
If `--disable-host-loopback` is not specified, ports listening on 127.0.0.1 on the host are accessible as 192.168.65.2 in RootlessKit's network namespace.

### `--net=pasta` (experimental)

`--net=pasta` (since RootlessKit v2.0, EXPERIMENTAL) uses [pasta (passt)](https://passt.top/passt/).
`--net=pasta` is expected to be used in conjunction with `--port-driver=implicit`.

> **Note**
> `--net=pasta` needs [pasta (passt)](https://passt.top/passt/) `2023_06_25.32660ce` or later.
> Using `2023_12_04.b86afe3` or later is highly recommended.
>
> Currently, this doesn't work with some Ubuntu versions of the passt
> package:
> - `passt-0.0~git20230627.289301b-1` (Ubuntu 23.10)
> - `passt-0.0~git20240220.1e6f92b-1` (Ubuntu 24.04)
>
> due to a missing `usr.bin.pasta` AppArmor profile, see:
> https://bugs.launchpad.net/ubuntu/+source/passt/+bug/2077158
>
> Workaround: set the `kernel.apparmor_restrict_unprivileged_userns`
> sysctl to `0`, or (preferred) add the AppArmor profile from
> upstream, or from Debian packages, or from Ubuntu > 24.10.

Pros:
* Possible to perform network-namespaced operations, e.g. creating iptables rules, running `tcpdump`
* Supports ICMP Echo (`ping`) when `/proc/sys/net/ipv4/ping_group_range` is configured
* TCP port forwarding (`--port-driver=implicit`) is very fast
* TCP port forwarding (`--port-driver=implicit`) can retain source IP addresses

Cons:
* Lacks an API for explicit port forwarding (`rootlessctl (list-ports|add-ports|remove-ports)`)

The network configuration for pasta is similar to slirp4netns.
As with `--net=slirp4netns`, specifying `--copy-up=/etc` and `--disable-host-loopback` is highly recommended.

### `--net=lxc-user-nic` (experimental)

`--net=lxc-user-nic` isolates the network namespace from the host and launches the [`lxc-user-nic(1)`](https://linuxcontainers.org/lxc/manpages/man1/lxc-user-nic.1.html) SUID binary for providing kernel-mode NAT.

Pros:
* The least performance overhead
* Possible to perform network-namespaced operations, e.g. creating iptables rules, running `tcpdump`
* Supports ICMP Echo (`ping`) without `/proc/sys/net/ipv4/ping_group_range` configuration

Cons:
* Less secure (relies on a SUID-root binary instead of unprivileged usermode networking)
* Needs `/etc/lxc/lxc-usernet` configuration
* No support for IPv6.
* No support for `--detach-netns`

To use `lxc-user-nic`, you need to install the `liblxc-common` package:
```console
$ sudo apt-get install liblxc-common
```

You also need to set up [`/etc/lxc/lxc-usernet`](https://linuxcontainers.org/lxc/manpages/man5/lxc-usernet.5.html):
```
# USERNAME TYPE BRIDGE COUNT
penguin veth lxcbr0 1
```

The `COUNT` value needs to be increased to run multiple RootlessKit instances with `--net=lxc-user-nic` simultaneously.

It may take a few seconds to configure the interface using DHCP.

If you start and stop RootlessKit too frequently, you might use up all available DHCP addresses.
You might need to reset `/var/lib/misc/dnsmasq.lxcbr0.leases` and restart the `lxc-net` service.
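The script below is an added example, not part of RootlessKit or LXC. It parses `/etc/lxc/lxc-usernet` to tell whether the current user (or one of their `@group` entries) is allotted enough `veth` devices on the bridge for the number of simultaneous RootlessKit instances wanted, and counts the dnsmasq leases on the bridge to spot the exhaustion described above. Assumptions: it takes the first matching `lxc-usernet` line rather than reproducing `lxc-user-nic`'s exact resolution of multiple entries (see `lxc-usernet(5)`), counts bridge ports through the sysfs `brif` directory, and uses 253 as the pool size, which is the `LXC_DHCP_MAX` default shipped with `lxc-net`. The sample config and lease file are constructed for the example.

```sh
#!/bin/sh
# Added example (not RootlessKit/LXC code): capacity checks for --net=lxc-user-nic.

# lxc_usernet_count FILE USER BRIDGE [GROUPS]: print the COUNT of the first
# "veth" line that grants USER (or "@group" for a group in the space-separated
# GROUPS) devices on BRIDGE; 0 if none. Comments and blank lines are skipped.
lxc_usernet_count() {
    awk -v user="$2" -v bridge="$3" -v groups=" ${4:-} " '
        /^[[:space:]]*#/ { next }
        NF < 4 { next }
        $2 != "veth" || $3 != bridge { next }
        $1 == user || (substr($1, 1, 1) == "@" && index(groups, " " substr($1, 2) " ") > 0) {
            print $4; found = 1; exit
        }
        END { if (!found) print 0 }
    ' "$1"
}

# lxc_usernet_capacity_ok FILE USER BRIDGE WANTED [GROUPS]: exit 0 when the
# allotted COUNT covers WANTED simultaneous RootlessKit instances.
lxc_usernet_capacity_ok() {
    [ "$(lxc_usernet_count "$1" "$2" "$3" "${5:-}")" -ge "$4" ]
}

# bridge_ports_in_use BRIDGE: ports attached to BRIDGE per sysfs (all ports,
# not only those lxc-user-nic created); 0 if the bridge does not exist.
bridge_ports_in_use() {
    ls /sys/class/net/"$1"/brif 2>/dev/null | awk 'END { print NR }'
}

# dhcp_leases_in_use LEASEFILE: active leases in a dnsmasq lease file
# (one "expiry mac ip hostname client-id" line per lease).
dhcp_leases_in_use() {
    awk 'NF > 0 { n++ } END { print n + 0 }' "$1"
}

# dhcp_pool_exhausted LEASEFILE MAX: exit 0 when leases >= MAX addresses.
dhcp_pool_exhausted() {
    [ "$(dhcp_leases_in_use "$1")" -ge "$2" ]
}

# Constructed sample inputs, written to the given paths (for demonstration/tests).
write_sample_lxc_usernet() {
    cat > "$1" <<'EOF'
# USERNAME TYPE BRIDGE COUNT
penguin veth lxcbr0 1
@devs   veth lxcbr0 4
alice   veth lxcbr1 2
EOF
}
write_sample_leases() {
    cat > "$1" <<'EOF'
1700000000 52:54:00:aa:bb:01 10.0.3.10 rootlesskit-1 *
1700000001 52:54:00:aa:bb:02 10.0.3.11 * *
1700000002 52:54:00:aa:bb:03 10.0.3.12 * *
EOF
}

if [ "${RUN_LXC_USERNET_CHECK:-0}" = 1 ]; then
    user=$(id -un); groups=$(id -Gn); want=${WANTED_INSTANCES:-1}
    if lxc_usernet_capacity_ok /etc/lxc/lxc-usernet "$user" lxcbr0 "$want" "$groups"; then
        echo "ok: $user may create $want veth(s) on lxcbr0 ($(bridge_ports_in_use lxcbr0) port(s) attached now)"
    else
        have=$(lxc_usernet_count /etc/lxc/lxc-usernet "$user" lxcbr0 "$groups")
        echo "raise COUNT for $user on lxcbr0 in /etc/lxc/lxc-usernet (currently $have, want $want)" >&2
    fi
    # 253 = lxc-net's default LXC_DHCP_MAX (assumption; adjust to your lxc-net config).
    if dhcp_pool_exhausted /var/lib/misc/dnsmasq.lxcbr0.leases 253; then
        echo "dnsmasq lease file is full: reset it and restart the lxc-net service" >&2
    fi
fi
```

Run `RUN_LXC_USERNET_CHECK=1 WANTED_INSTANCES=3 sh lxc-usernet-check.sh` before launching several `--net=lxc-user-nic` instances at once.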
Currently, the MAC address is always set to a random address.

## IPv6

The `--ipv6` flag (since v0.14.0, EXPERIMENTAL) enables IPv6 routing for the slirp4netns network driver.
This flag is unrelated to port forwarding.

## Detaching network namespace

The `--detach-netns` flag (since v2.0.0) detaches the network namespace into `$ROOTLESSKIT_STATE_DIR/netns`
and executes the child command in the host's network namespace.

The child command can enter `$ROOTLESSKIT_STATE_DIR/netns` by itself to create nested network namespaces.