mirror of
https://github.com/jpetazzo/container.training.git
synced 2026-05-14 04:46:39 +00:00
# Rootless Networking

The "classic" approach for container networking is `veth` + bridge.

Pros:

- good performance

- easy to manage and understand

- flexible (possibility to use multiple, isolated bridges)

Cons:

- requires root access on the host to set up networking (creating the bridge and veth pairs, and moving an interface into a namespace, all need CAP_NET_ADMIN on the host)

---

## Rootless options

- Locked-down helpers

  - a daemon, or scripts started through sudo...

  - used by some desktop virtualization platforms

  - still requires root access at some point (and the privileged helper becomes part of the host's attack surface)

- Userland networking stacks

  - the genuinely rootless solution: no root privileges needed at any point

  - lower performance

---

## Userland stacks

- [SLiRP](https://en.wikipedia.org/wiki/Slirp)

  *the OG project that inspired the other ones!*

- [VPNKit](https://github.com/moby/vpnkit)

  *introduced by Docker Desktop to play nice with enterprise VPNs*

- [slirp4netns](https://github.com/rootless-containers/slirp4netns)

  *slirp adapted for network namespaces, and therefore containers; better performance*

- [passt and pasta](https://passt.top/)

  *more modern approach; better support for inbound traffic; IPv6...*

---

## Passt/Pasta

- No dependencies

- NAT mode (like slirp4netns) or no-NAT mode (used by e.g. KubeVirt: the guest or namespace keeps the host's address)

- Can handle inbound traffic dynamically

- No dynamic memory allocation (one class of memory-safety bugs fewer)

- Good security posture (runs unprivileged and, after start-up, isolates itself: drops capabilities, pivots into an empty filesystem, seccomp filter)

- IPv6 support

- Reasonable performance

---
## Demo?
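As an added example for the demo (not code from the deck, from passt, or from slirp4netns), a script that starts an unprivileged shell in its own user + network namespace and gives it connectivity through a userland stack: pasta if it is installed, slirp4netns otherwise. It assumes `unshare(1)`, `ip(8)`, and pasta or slirp4netns are installed, that the kernel allows unprivileged user namespaces, and that host TCP port 8080 is free; the `INBOUND_PORT`, `have`, `uid_map_is_identity` and `pick_stack` names are the example's own. Inside the namespace it checks `/proc/self/uid_map` to confirm that "root" there is mapped to an unprivileged host uid, which is the whole point of the rootless setup.

```shell
#!/bin/sh
# Added example: rootless networking with pasta (preferred) or slirp4netns.
# Run as a normal user:  sh rootless-net.sh demo
set -eu

INBOUND_PORT=8080   # host TCP port forwarded into the namespace (example choice)

have() { command -v "$1" >/dev/null 2>&1; }

# awk program: exit 0 if a uid_map is the host's identity map ("0 0 4294967295"),
# i.e. NOT a rootless user namespace; a rootless namespace maps its uid 0 onto an
# unprivileged host uid, e.g. "0 1000 1".
IDENTITY_AWK='$1 == 0 && $2 == 0 && $3 == 4294967295 { found = 1 } END { exit found ? 0 : 1 }'

# Returns 0 when the given /proc/<pid>/uid_map body is the identity map, 1 otherwise.
uid_map_is_identity() {
    printf '%s\n' "$1" | awk "$IDENTITY_AWK"
}

# Prints the userland stack to use; fails if neither is installed.
pick_stack() {
    if have pasta; then echo pasta
    elif have slirp4netns; then echo slirp4netns
    else return 1
    fi
}

# What runs inside the namespace: refuse to continue if we somehow got the host's
# identity uid_map, then show the interface and route the userland stack configured.
ns_payload="
    if awk '$IDENTITY_AWK' /proc/self/uid_map; then
        echo 'not in a rootless user namespace, aborting' >&2; exit 1
    fi
    echo 'uid_map inside the namespace:'; cat /proc/self/uid_map
    ip -brief address
    ip route show default
"

demo_pasta() {
    # pasta forks the command into fresh user + net namespaces, copies the host
    # addresses and routes onto a tap interface in there (--config-net), and forwards
    # host TCP port $INBOUND_PORT to the same port inside (-t): inbound traffic works
    # with no root helper anywhere.
    pasta --config-net -t "$INBOUND_PORT" -- sh -c "$ns_payload"
}

demo_slirp4netns() {
    # slirp4netns attaches to an existing namespace, so create it first. unshare
    # execs sh in place, so $! is the PID of the in-namespace process.
    unshare --user --map-root-user --net --mount sh -c "sleep 2; $ns_payload" &
    nspid=$!
    # --configure brings up tap0 (10.0.2.100/24) with a default route via 10.0.2.2.
    # --disable-host-loopback stops the namespace from reaching services bound to
    # the host's loopback through that gateway address; keep it unless you need it.
    slirp4netns --configure --mtu=65520 --disable-host-loopback "$nspid" tap0 &
    slirppid=$!
    wait "$nspid"
    kill "$slirppid" 2>/dev/null || true
}

demo() {
    [ "$(id -u)" -ne 0 ] || { echo "run this as an unprivileged user" >&2; return 1; }
    case "$(pick_stack)" in
        pasta)       demo_pasta ;;
        slirp4netns) demo_slirp4netns ;;
        *)           echo "need pasta or slirp4netns installed" >&2; return 1 ;;
    esac
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

With pasta, `curl http://127.0.0.1:8080/` from the host reaches whatever listens on port 8080 inside the namespace, which is the "inbound traffic" advantage from the previous slide; slirp4netns needs a separate port-forwarding API call for the same effect.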