gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/g3doc/user_guide/networking.md

# Networking

[TOC]

gVisor implements its own network stack called netstack. All aspects of the
network stack are handled inside the Sentry, including TCP connection state,
control messages, and packet assembly, keeping it isolated from the host
network stack. Data link layer packets are written directly to the virtual
device inside the network namespace set up by Docker or Kubernetes.

Configuring the network stack may provide performance benefits, but isn't the
only step to optimizing gVisor performance. See the [Production guide] for more.

The IP address and routes configured for the device are transferred inside the
sandbox. The loopback device runs exclusively inside the sandbox and does not
use the host. You can inspect them by running:

```bash
docker run --rm --runtime=runsc alpine ip addr
```
    21  
## Network passthrough

For high-performance networking applications, you may choose to disable the user
space network stack and instead use the host network stack, including the
loopback. Note that this mode reduces isolation from the host: the sandboxed
workload's socket traffic is handled by the host kernel's network stack instead
of by netstack inside the Sentry, so that host kernel code becomes reachable from
the sandbox.
    27  
Add the following `runtimeArgs` to your Docker configuration
(`/etc/docker/daemon.json`) and restart the Docker daemon:

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--network=host"
            ]
        }
    }
}
```
    43  
## Disabling external networking

To isolate the sandbox from the host and from the network entirely, external
networking can be disabled. The sandbox will still contain a loopback provided by
netstack, so processes inside the sandbox can still talk to each other over it.
    48  
Add the following `runtimeArgs` to your Docker configuration
(`/etc/docker/daemon.json`) and restart the Docker daemon:

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--network=none"
            ]
        }
    }
}
```
    64  
### Disable GSO {#gso}

gVisor's Generic Segmentation Offload (GSO) support requires Linux 4.14.77 or
newer. If your kernel is older than that but newer than 3.17, you can still run
gVisor by disabling GSO. Add the `--gso=false` flag to your Docker runtime
configuration (`/etc/docker/daemon.json`) and restart the Docker daemon:

> Note: Network performance, especially for large payloads, will be greatly
> reduced.
    74  
```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--gso=false"
            ]
        }
    }
}
```
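
Each of the three `daemon.json` snippets on this page replaces the whole `runsc` entry, which is easy to get wrong by hand on a host that already defines other runtimes or other `runsc` flags. The script below is an added example written for this guide, not part of gVisor or Docker. It assumes the `/usr/local/bin/runsc` path and `daemon.json` layout used above, the `host` and `none` values of `--network` from the passthrough and disabled-networking sections, and the 4.14.77 kernel threshold from the GSO section; the script file name `runsc_daemon_json.py` is an assumption as well. It builds the `runtimeArgs` for the chosen mode, merges them into an existing `daemon.json` while keeping unrelated runtimes and flags, and warns when the running kernel is old enough to need `--gso=false`.

```python
"""Merge gVisor runtimeArgs into Docker's daemon.json without clobbering it.

Added example for this guide, not gVisor's or Docker's own tooling. Assumes the
daemon.json layout shown in the guide and runsc installed at /usr/local/bin/runsc.
"""
import json
import platform
import re
import sys
from pathlib import Path

RUNSC_PATH = "/usr/local/bin/runsc"   # assumption: the path used in this guide
GSO_MIN_KERNEL = (4, 14, 77)          # GSO needs Linux >= 4.14.77 (see "Disable GSO")
NETWORK_MODES = {"host", "none"}      # the two non-default --network values shown above


def parse_kernel_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '5.15.0-91-generic' into (5, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def needs_gso_disabled(release: str) -> bool:
    """True when the host kernel predates gVisor's GSO support (older than 4.14.77)."""
    return parse_kernel_release(release) < GSO_MIN_KERNEL


def runsc_args(network: str = None, gso: bool = True) -> list:
    """Build the runtimeArgs list for one of the configurations in this guide.

    network=None keeps netstack (runsc's default); "host" selects passthrough and
    "none" disables external networking. gso=False appends --gso=false.
    """
    if network is not None and network not in NETWORK_MODES:
        raise ValueError(f"unsupported --network mode: {network!r}")
    args = []
    if network is not None:
        args.append(f"--network={network}")
    if not gso:
        args.append("--gso=false")
    return args


def _flag_name(arg: str) -> str:
    """'--network=host' -> '--network', so re-running replaces a flag instead of duplicating it."""
    return arg.split("=", 1)[0]


def merge_runsc_runtime(daemon: dict, new_args: list, path: str = RUNSC_PATH) -> dict:
    """Return a copy of daemon.json with the runsc runtime configured.

    Other runtimes and unrelated runsc flags already present (for example a
    --platform choice) are preserved; flags with the same name are overwritten.
    """
    merged = json.loads(json.dumps(daemon))  # deep copy; never mutate the caller's dict
    runtimes = merged.setdefault("runtimes", {})
    existing = runtimes.get("runsc", {}).get("runtimeArgs", [])
    by_name = {_flag_name(a): a for a in existing}
    for a in new_args:
        by_name[_flag_name(a)] = a
    runtimes["runsc"] = {"path": path, "runtimeArgs": list(by_name.values())}
    return merged


def update_daemon_json(cfg_path: Path, new_args: list) -> dict:
    """Read daemon.json (or start from an empty one), merge, write back, return the result."""
    daemon = json.loads(cfg_path.read_text()) if cfg_path.exists() else {}
    merged = merge_runsc_runtime(daemon, new_args)
    cfg_path.write_text(json.dumps(merged, indent=4) + "\n")
    return merged


if __name__ == "__main__":
    # Usage (file name is an assumption):
    #   python3 runsc_daemon_json.py [host|none] [--no-gso] [/path/to/daemon.json]
    # Restart the Docker daemon afterwards, as the guide says.
    argv = sys.argv[1:]
    mode = next((a for a in argv if a in NETWORK_MODES), None)
    gso = "--no-gso" not in argv
    target = Path(next((a for a in argv if a.endswith(".json")), "/etc/docker/daemon.json"))
    if gso and needs_gso_disabled(platform.release()):
        print(f"warning: kernel {platform.release()} is older than 4.14.77; "
              "pass --no-gso or networking will not work", file=sys.stderr)
    print(json.dumps(update_daemon_json(target, runsc_args(network=mode, gso=gso)), indent=4))
```

The merge keys flags by name rather than appending, so running the script twice with different modes leaves one `--network` entry instead of two conflicting ones, and an existing `--platform` flag survives a networking change. Writing to `/etc/docker/daemon.json` needs root, and the new arguments take effect only after the daemon restart described above.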