github.com/rootless-containers/rootlesskit/v2@v2.3.4/docs/port.md

# Port Drivers

To expose ports in the network namespace to the host network namespace, `--port-driver` needs to be specified.

The default value is `none` (do not expose ports).

| `--port-driver` | Throughput | Source IP
|----------------------|-------------|----------
| `slirp4netns` | 6.89 Gbps | Propagated
| `socat` (Deprecated) | 7.80 Gbps | Always 127.0.0.1
| `builtin` | 30.0 Gbps | Always 127.0.0.1

([Benchmark: iperf3 from the parent to the child (Mar 8, 2020)](https://github.com/rootless-containers/rootlesskit/runs/492498728))

The `builtin` driver is fast, but be aware that the source IP is not propagated and is always set to 127.0.0.1.

For [`pasta`](./network.md) networks, the `implicit` port driver is the best choice.

* To be documented: [`bypass4netns`](https://github.com/rootless-containers/bypass4netns) for native performance.

### Exposing ports
For example, to expose port 80 in the child as port 8080 in the parent:

```console
$ rootlesskit --state-dir=/run/user/1001/rootlesskit/foo --net=slirp4netns --disable-host-loopback --copy-up=/etc --port-driver=builtin bash
rootlesskit$ rootlessctl --socket=/run/user/1001/rootlesskit/foo/api.sock add-ports 0.0.0.0:8080:80/tcp
1
rootlesskit$ rootlessctl --socket=/run/user/1001/rootlesskit/foo/api.sock list-ports
ID    PROTO    PARENTIP    PARENTPORT    CHILDPORT
1     tcp      0.0.0.0     8080          80
rootlesskit$ rootlessctl --socket=/run/user/1001/rootlesskit/foo/api.sock remove-ports 1
1
```

You can also expose ports using `socat` and `nsenter` instead of RootlessKit's port drivers.

```console
$ pid=$(cat /run/user/1001/rootlesskit/foo/child_pid)
$ socat -t -- TCP-LISTEN:8080,reuseaddr,fork EXEC:"nsenter -U -n -t $pid socat -t -- STDIN TCP4\:127.0.0.1\:80"
```

### Exposing privileged ports
To expose privileged ports (< 1024), add `net.ipv4.ip_unprivileged_port_start=0` to `/etc/sysctl.conf` (or `/etc/sysctl.d`) and run `sudo sysctl --system`.

If you are using the `builtin` driver, you can expose privileged ports without changing the sysctl value, but you need to set `CAP_NET_BIND_SERVICE` on the `rootlesskit` binary.

```console
$ sudo setcap cap_net_bind_service=ep $(which rootlesskit)
```

### Note about IPv6

Specifying `0.0.0.0:8080:80/tcp` may cause listening on IPv6 as well as on IPv4.
The same applies to `[::]:8080:80/tcp`.

This behavior may sound weird, but it corresponds to [Go's behavior](https://github.com/golang/go/commit/071908f3d809245eda42bf6eab071c323c67b7d2),
so it is not a bug.

To specify IPv4 explicitly, use `tcp4` instead of `tcp`, e.g., `0.0.0.0:8080:80/tcp4`.
To specify IPv6 explicitly, use `tcp6`, e.g., `[::]:8080:80/tcp6`.

The `tcp4` and `tcp6` forms were introduced in RootlessKit v0.14.0.
`tcp6` is currently supported only by the `builtin` port driver.
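The following Go program is an added example, not RootlessKit's own code. It models the `PARENTIP:PARENTPORT:CHILDPORT/PROTO` spec accepted by `rootlessctl add-ports`, the dual-stack behaviour described in the IPv6 note (plain `tcp` on an unspecified address listens on both families, `tcp4`/`tcp6` pin one), and the two constraints from the sections above (`tcp6` only with `builtin`; a parent port below `net.ipv4.ip_unprivileged_port_start` needs either the lowered sysctl or, for `builtin`, `CAP_NET_BIND_SERVICE`). The parser, the `udp` proto value and the `Validate` rules are this example's own assumptions and simplifications; they are not RootlessKit's implementation.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// PortSpec is the parsed form of e.g. "0.0.0.0:8080:80/tcp".
// (Example type; RootlessKit's real API types are not reproduced here.)
type PortSpec struct {
	ParentIP   net.IP
	ParentPort int
	ChildPort  int
	Proto      string // tcp, tcp4, tcp6, udp
}

// ParsePortSpec parses one spec. IPv6 parent addresses are written in
// brackets ("[::]:8080:80/tcp6"), as in the docs above.
func ParsePortSpec(s string) (PortSpec, error) {
	var ps PortSpec
	slash := strings.LastIndex(s, "/")
	if slash < 0 {
		return ps, fmt.Errorf("%q: missing /PROTO", s)
	}
	ps.Proto = s[slash+1:]
	switch ps.Proto {
	case "tcp", "tcp4", "tcp6", "udp": // udp is assumed; the page only shows tcp forms
	default:
		return ps, fmt.Errorf("%q: unsupported proto %q", s, ps.Proto)
	}
	rest := s[:slash]
	// Peel CHILDPORT and PARENTPORT off the right so the parent address may contain ':'.
	i := strings.LastIndex(rest, ":")
	if i < 0 {
		return ps, fmt.Errorf("%q: missing CHILDPORT", s)
	}
	child, err := strconv.Atoi(rest[i+1:])
	if err != nil || child < 1 || child > 65535 {
		return ps, fmt.Errorf("%q: bad CHILDPORT", s)
	}
	rest = rest[:i]
	i = strings.LastIndex(rest, ":")
	if i < 0 {
		return ps, fmt.Errorf("%q: missing PARENTPORT", s)
	}
	parent, err := strconv.Atoi(rest[i+1:])
	if err != nil || parent < 1 || parent > 65535 {
		return ps, fmt.Errorf("%q: bad PARENTPORT", s)
	}
	host := strings.TrimSuffix(strings.TrimPrefix(rest[:i], "["), "]")
	ip := net.ParseIP(host)
	if ip == nil {
		return ps, fmt.Errorf("%q: bad PARENTIP %q", s, host)
	}
	ps.ParentIP, ps.ParentPort, ps.ChildPort = ip, parent, child
	return ps, nil
}

// ListenFamilies reports which address families a listener for ps accepts,
// following the Go behaviour the docs cite: an unspecified address under plain
// "tcp"/"udp" is dual-stack, while tcp4/tcp6 pin a single family.
func ListenFamilies(ps PortSpec) (ipv4, ipv6 bool) {
	switch ps.Proto {
	case "tcp4":
		return true, false
	case "tcp6":
		return false, true
	}
	if ps.ParentIP.IsUnspecified() {
		return true, true
	}
	if ps.ParentIP.To4() != nil {
		return true, false
	}
	return false, true
}

// Validate applies the documented constraints for a given --port-driver:
// tcp6 needs builtin, and a privileged parent port needs either a lowered
// net.ipv4.ip_unprivileged_port_start or (builtin only) CAP_NET_BIND_SERVICE.
func Validate(ps PortSpec, driver string, unprivilegedPortStart int, hasCapNetBindService bool) error {
	if driver == "none" {
		return fmt.Errorf("port driver is none: ports cannot be exposed")
	}
	if ps.Proto == "tcp6" && driver != "builtin" {
		return fmt.Errorf("tcp6 is supported only by the builtin port driver (got %q)", driver)
	}
	if ps.ParentPort < unprivilegedPortStart {
		if driver == "builtin" && hasCapNetBindService {
			return nil
		}
		return fmt.Errorf("parent port %d is privileged: lower net.ipv4.ip_unprivileged_port_start or use builtin with CAP_NET_BIND_SERVICE", ps.ParentPort)
	}
	return nil
}

func main() {
	for _, s := range []string{"0.0.0.0:8080:80/tcp", "0.0.0.0:8080:80/tcp4", "[::]:80:80/tcp6"} {
		ps, err := ParsePortSpec(s)
		if err != nil {
			fmt.Println(err)
			continue
		}
		v4, v6 := ListenFamilies(ps)
		fmt.Printf("%-22s ipv4=%v ipv6=%v validate=%v\n", s, v4, v6, Validate(ps, "builtin", 1024, false))
	}
}
```

`Validate` is a pre-flight check a wrapper script could run before calling `rootlessctl add-ports`; the real failure would otherwise surface only as an error from the driver at bind time.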