Outgoing connections

Unsharing network namespaces isn't only about assigning IP addresses; it is also essential for protecting abstract UNIX sockets on the host from containerized processes, because abstract sockets are scoped to the network namespace in which they were bound.

However, unsharing network namespaces for Rootless Containers isn't straightforward, because vEth pairs cannot be created across UserNS boundaries without privileges on the host.

LXC uses a SETUID binary called lxc-user-nic for setting up vEth pairs.

Other implementations, including Docker/Moby and Podman, typically use TAP devices instead of vEth pairs and run a usermode network stack called slirp, which translates Ethernet packets into unprivileged socket system calls.
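To see the abstract-socket point from the start of this section in practice, here is an added Python example (not code from any of the projects named on this page): it binds an abstract UNIX socket in the current network namespace, then probes it both from that namespace and from a child process that has unshared a user namespace plus a network namespace. The socket name and the ctypes-based unshare helper are my own constructions; if the kernel or a sandbox forbids unprivileged user namespaces, the unshared probe is reported as None rather than guessed.

```python
import ctypes
import os
import socket

CLONE_NEWUSER = 0x10000000  # flag values from <linux/sched.h>
CLONE_NEWNET = 0x40000000

# Constructed name: a leading NUL byte selects the abstract namespace.
ABSTRACT_NAME = b"\0rootless-demo-" + str(os.getpid()).encode()


def _try_connect(name: bytes) -> bool:
    """True if connect() to the abstract socket succeeds from this netns."""
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        c.settimeout(2)
        c.connect(name)
        return True
    except OSError:  # ECONNREFUSED when the name is not visible here
        return False
    finally:
        c.close()


def _unshare_user_and_net() -> bool:
    """unshare(CLONE_NEWUSER|CLONE_NEWNET) as an unprivileged user; False if refused."""
    libc = ctypes.CDLL(None, use_errno=True)
    return libc.unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0


def demo(name: bytes = ABSTRACT_NAME) -> dict:
    """Bind a 'host' abstract socket and probe it from two network namespaces.

    Returns {'same_netns': bool, 'unshared_netns': bool or None}; None means
    the unshare itself was not permitted, so nothing could be probed there.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(name)
    srv.listen(1)
    result = {"same_netns": _try_connect(name), "unshared_netns": None}

    # The child leaves the host network namespace before probing.
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        if _unshare_user_and_net():
            os.write(w, b"1" if _try_connect(name) else b"0")
        else:
            os.write(w, b"?")
        os._exit(0)
    os.close(w)
    reply = os.read(r, 1)
    os.close(r)
    os.waitpid(pid, 0)
    srv.close()
    if reply in (b"0", b"1"):
        result["unshared_netns"] = reply == b"1"
    return result
```

On a kernel that allows unprivileged user namespaces the result is `{'same_netns': True, 'unshared_netns': False}`: the same name that the host process reaches is invisible once the network namespace has been unshared.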

SETUID binary

LXC uses a SETUID binary called lxc-user-nic for setting up vEth pairs.

Executing lxc-user-nic requires a per-user entry to be added to /etc/lxc/lxc-usernet.

lxc-user-nic is also experimentally supported by RootlessKit which is used by several projects including Docker/Moby and BuildKit.

slirp

Several slirp implementations are used by Rootless Containers, among them slirp4netns and VPNKit.

slirp4netns is known to have significantly better throughput than VPNKit.

Docker/Moby uses slirp4netns by default when slirp4netns is installed; otherwise it falls back to VPNKit.

Podman only supports slirp4netns.