container.training/slides/containers/Rootless_Networking.md
2025-09-11 16:01:33 +02:00

Rootless Networking

The "classic" approach for container networking is veth + bridge.

Pros:

  • good performance

  • easy to manage and understand

  • flexible (possibility to use multiple, isolated bridges)

Cons:

  • requires root access on the host to set up networking

Rootless options

  • Locked down helpers

    • daemon, scripts started through sudo...

    • used by some desktop virtualization platforms

    • still requires root access at some point

  • Userland networking stacks

    • true solution that does not require root privileges

    • lower performance


Userland stacks

  • SLiRP

    the OG project that inspired the other ones!

  • VPNKit

    introduced by Docker Desktop to play nice with enterprise VPNs

  • slirp4netns

    slirp adapted for network namespaces, and therefore, containers; better performance

  • passt and pasta

    more modern approach; better support for inbound traffic; IPv6...


Passt/Pasta

  • No dependencies

  • NAT (like slirp4netns) or no-NAT (for e.g. KubeVirt)

  • Can handle inbound traffic dynamically

  • No dynamic memory allocation

  • Good security posture

  • IPv6 support

  • Reasonable performance

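A way to try the stacks from the "Userland stacks" and "Passt/Pasta" sections above, as an added example that is not part of the slides: a POSIX shell script that runs a command in its own network namespace, using pasta when present and slirp4netns otherwise. The function names, the fixed `tap0` device and the port argument are this example's own choices; the slirp4netns steps follow that project's README recipe, and the pasta invocation assumes a passt build that ships the `pasta` binary.

```shell
#!/bin/sh
# Added example (not from the slides): run an unprivileged command in its own net namespace.
set -eu

# Which userland stack is on PATH? Prefer pasta (dynamic inbound traffic,
# IPv6, no dependencies) over slirp4netns.
pick_backend() {
  if command -v pasta >/dev/null 2>&1; then echo pasta
  elif command -v slirp4netns >/dev/null 2>&1; then echo slirp4netns
  else echo none; fi
}

# Both stacks rely on unprivileged user namespaces; fail early if the kernel
# or a distro sysctl has switched them off.
check_userns() {
  if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
    [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ] || return 1
  fi
  [ "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)" -gt 0 ]
}

# pasta: a single process, no root. --config-net copies the host's addresses
# and routes into the namespace; -t forwards inbound TCP on PORT from the host.
run_with_pasta() {          # run_with_pasta PORT CMD...
  port=$1; shift
  exec pasta --config-net -t "$port" -- "$@"
}

# slirp4netns: create the namespace first (sleep keeps it alive), then attach
# a tap device to that PID. --disable-host-loopback keeps the namespace from
# reaching services bound to the host's 127.0.0.1. Inbound ports would need
# its API socket, which this recipe leaves out.
run_with_slirp4netns() {    # run_with_slirp4netns CMD...
  pidfile=$(mktemp)
  unshare --user --map-root-user --net sh -c "echo \$\$ >'$pidfile'; exec sleep infinity" &
  sleep 1; pid=$(cat "$pidfile")
  slirp4netns --configure --mtu=65520 --disable-host-loopback "$pid" tap0 &
  slirp_pid=$!; sleep 1
  nsenter -U --preserve-credentials -n -t "$pid" "$@" || true
  kill "$slirp_pid" "$pid"; rm -f "$pidfile"
}

case "${1-}" in
  run) shift; port=$1; shift
       check_userns || { echo "unprivileged user namespaces are disabled" >&2; exit 1; }
       case $(pick_backend) in
         pasta)       run_with_pasta "$port" "$@" ;;
         slirp4netns) run_with_slirp4netns "$@" ;;
         *)           echo "no userland networking stack found" >&2; exit 1 ;;
       esac ;;
esac
```

Usage: `sh rootless-net.sh run 8080 python3 -m http.server 8080`; on the slirp4netns path the port argument is accepted but not forwarded.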

Demo?