Fork of https://github.com/rootless-containers/slirp4netns to support the specific requirements of ctrtool containers.
Latest commit: 03594e53c5 "PJTL-CTRTOOL: Set mode=0755 when creating sandbox tmpfs" by Peter H. Jin, 3 weeks ago

| File | Last commit | Age |
|---|---|---|
| .github/workflows | v1.1.8 | 4 months ago |
| benchmarks | benchmark: Enable benchmark duration adjustment | 5 months ago |
| tests | Add the --macaddress option to specify the MAC address of the tap interface. | 2 months ago |
| vendor | vendor: update parson | 1 year ago |
| .clang-format | build-sys: replace vendoring, and link with the system libslirp | 1 year ago |
| .gitattributes | do commit hash replacement in Makefile.am and improve fallback | 3 years ago |
| .gitignore | .gitignore: add .vagrant | 5 months ago |
| COPYING | correct FSF address | 3 years ago |
| Dockerfile.artifact | CI: bump libslirp to v4.4.0 | 4 months ago |
| Dockerfile.buildtests | Fix CI | 2 months ago |
| Dockerfile.tests | CI: bump libslirp to v4.4.0 | 4 months ago |
| MAINTAINERS | remove unused script: hack/release.sh | 11 months ago |
| Makefile.am | Add the --macaddress option to specify the MAC address of the tap interface. | 2 months ago |
| README.md | PJTL-CTRTOOL: Don't change effective user or group IDs | 3 weeks ago |
| SECURITY_CONTACTS | update docs (including addition of MAINTAINERS) | 2 years ago |
| Vagrantfile | Vagrantfile: change VirtualBox itself's slirp CIDR | 5 months ago |
| api.c | api.c: remove unused variable | 5 months ago |
| api.h | add SPDX-License-Identifier headers | 2 years ago |
| autogen.sh | build: use GNU autotools | 3 years ago |
| configure.ac | v1.1.9+dev | 2 months ago |
| main.c | PJTL-CTRTOOL: Don't change effective user or group IDs | 3 weeks ago |
| sandbox.c | PJTL-CTRTOOL: Set mode=0755 when creating sandbox tmpfs | 3 weeks ago |
| sandbox.h | split slirp4netns.c; no substantial code change | 2 years ago |
| seccomparch.h | seccomp: install filter for non-native archs as well | 11 months ago |
| seccompfilter.c | move seccomp rules to seccompfilter_rules.h | 5 months ago |
| seccompfilter.h | add --enable-seccomp | 2 years ago |
| seccompfilter_rules.h | seccompfilter_rules.h: remove SLIRP4NETNS_SECCOMPFILTER_RULES_H | 5 months ago |
| slirp4netns.1 | Add the --macaddress option to specify the MAC address of the tap interface. | 2 months ago |
| slirp4netns.1.md | Add the --macaddress option to specify the MAC address of the tap interface. | 2 months ago |
| slirp4netns.c | support slirp configuration v2 and v3 | 12 months ago |
| slirp4netns.h | Add the --macaddress option to specify the MAC address of the tap interface. | 2 months ago |
| vendor.sh | vendor: update parson | 1 year ago |

README.md

Peterjin.org notice

This is a fork of https://github.com/rootless-containers/slirp4netns to support the specific requirements of ctrtool containers. The following changes have been made:

  • When --enable-sandbox is used, the effective user and group IDs are no longer switched (upstream switches them when it sets up the sandbox). In this fork slirp4netns runs inside the ctrtool container itself, which has the equivalent of --net=host set, so the identity switch is not applicable there.
  • The tmpfs that backs the sandbox is created with mode=0755 (commit "PJTL-CTRTOOL: Set mode=0755 when creating sandbox tmpfs" in the file listing above).

slirp4netns: User-mode networking for unprivileged network namespaces

slirp4netns provides user-mode networking ("slirp") for unprivileged network namespaces.

Motivation

Starting with Linux 3.8, unprivileged users can create network_namespaces(7) together with user_namespaces(7). On their own, however, unprivileged network namespaces were of little use, because creating a veth(4) pair between the host and the new namespace still requires root privileges, so such a namespace had no Internet connection.

slirp4netns allows connecting a network namespace to the Internet in a completely unprivileged way, by connecting a TAP device in a network namespace to the usermode TCP/IP stack ("slirp").

Projects using slirp4netns

Kubernetes distributions:

Container engines:

Tools:

Maintenance policy

| Version | Status |
|---|---|
| v1.1.x | Active |
| v1.0.x | End of Life (Jun 2, 2020) |
| v0.4.x | End of Life (Sep 30, 2020) |
| v0.3.x | End of Life (Mar 31, 2020) |
| v0.2.x | End of Life (Aug 30, 2019) |
| Early versions prior to v0.2.x | End of Life (Jan 5, 2019) |

See https://github.com/rootless-containers/slirp4netns/releases for the releases.

See https://github.com/rootless-containers/slirp4netns/security/advisories for the past security advisories.

Quick start

Install

Statically linked binaries are available for x86_64, aarch64, armv7l, s390x, and ppc64le: https://github.com/rootless-containers/slirp4netns/releases

slirp4netns is also packaged by most Linux distributions, e.g.

$ sudo apt-get install slirp4netns

To install slirp4netns from the source, see Install from source.

Usage

Terminal 1: Create user/network/mount namespaces

(host)$ unshare --user --map-root-user --net --mount
(namespace)$ echo $$ > /tmp/pid

In this documentation, we use (host)$ as the prompt of the host shell, (namespace)$ as the prompt of the shell running in the namespaces.

If unshare fails, try the following commands (known to be needed on Debian, Arch, and old CentOS 7.X):

(host)$ sudo sh -c 'echo "user.max_user_namespaces=28633" >> /etc/sysctl.d/userns.conf'
(host)$ [ -f /proc/sys/kernel/unprivileged_userns_clone ] && sudo sh -c 'echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.d/userns.conf'
(host)$ sudo sysctl --system

Terminal 2: Start slirp4netns

(host)$ slirp4netns --configure --mtu=65520 --disable-host-loopback $(cat /tmp/pid) tap0
starting slirp, MTU=65520
...

--configure assigns the address, default route and MTU to tap0 inside the namespace. --disable-host-loopback prohibits connections from the namespace to 127.0.0.1 on the host, which would otherwise be reachable through the slirp gateway address 10.0.2.2; drop the option only if the namespace genuinely needs to reach services bound to the host's loopback.

Terminal 1: Make sure tap0 is configured and can reach the Internet

(namespace)$ ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether c2:28:0c:0e:29:06 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::c028:cff:fe0e:2906/64 scope link 
       valid_lft forever preferred_lft forever
(namespace)$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
(namespace)$ mount --bind /tmp/resolv.conf /etc/resolv.conf
(namespace)$ curl https://example.com
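The two-terminal procedure above, driven from a single script, as an added example that is not part of the slirp4netns project or this fork. It keeps --configure, --mtu=65520 and --disable-host-loopback from the procedure and additionally passes the upstream options --enable-sandbox and --enable-seccomp, which confine the slirp4netns process itself. The helper functions parse the `ip -o -4 addr` output to confirm that slirp4netns handed out an address in its default 10.0.2.0/24 subnet; the sample `ip` line in the comments is constructed. It assumes unshare(1), ip(8), curl(1) and slirp4netns are in $PATH, and that the kernel allows unprivileged user namespaces (see the sysctl notes above).

```shell
#!/bin/sh
# Added example, not part of slirp4netns: runs the Terminal 1 / Terminal 2
# procedure above from one script, then verifies the result.
# Assumed available: unshare(1), ip(8), curl(1) and slirp4netns in $PATH.
set -eu

# Command line for Terminal 2. --disable-host-loopback is kept from the
# procedure; --enable-sandbox (mount namespace + capability drop) and
# --enable-seccomp (syscall filter) confine the slirp4netns process itself.
slirp_cmd() {
    pid=$1
    tap=$2
    printf '%s' "slirp4netns --configure --mtu=65520 --disable-host-loopback --enable-sandbox --enable-seccomp $pid $tap"
}

# Extract the IPv4 CIDR from 'ip -o -4 addr show dev <tap>' output on stdin.
# In oneline (-o) format the fields are: index, name, 'inet', address/prefix, ...
# e.g. (constructed) "3: tap0    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0\ ..."
tap_cidr() {
    awk '$3 == "inet" { print $4; exit }'
}

# The default slirp4netns subnet is 10.0.2.0/24 (gateway 10.0.2.2, DNS 10.0.2.3,
# guest 10.0.2.100, as in the 'ip a' output above). Return 0 if the address
# slirp4netns handed out is in that subnet, 1 otherwise.
in_default_net() {
    case "$1" in
        10.0.2.*/24) return 0 ;;
        *) return 1 ;;
    esac
}

# Terminal 1 as a child process: publish the namespaced shell's PID, wait until
# slirp4netns has configured tap0, bind-mount a resolv.conf pointing at the
# slirp DNS and fetch a page. $$ is the namespaced shell because unshare execs
# it directly (no --fork). The mount namespace is private, so the bind mount
# over /etc/resolv.conf is not visible on the host.
run() {
    pidfile=$(mktemp)
    resolv=$(mktemp)
    echo "nameserver 10.0.2.3" > "$resolv"
    unshare --user --map-root-user --net --mount sh -c '
        echo $$ > "$1"
        for i in $(seq 1 50); do
            ip -o -4 addr show dev tap0 2>/dev/null | grep -q inet && break
            sleep 0.2
        done
        mount --bind "$2" /etc/resolv.conf
        curl -sS -o /dev/null -w "HTTP %{http_code}\n" https://example.com
    ' sh "$pidfile" "$resolv" &
    ns_pid=$!
    while [ ! -s "$pidfile" ]; do sleep 0.1; done
    # Terminal 2: attach slirp4netns to the namespaces of that PID.
    $(slirp_cmd "$(cat "$pidfile")" tap0) &
    slirp_pid=$!
    trap 'kill "$slirp_pid" 2>/dev/null; rm -f "$pidfile" "$resolv"' EXIT
    wait "$ns_pid"
}

# Only start the namespaced session when asked ("./slirp-demo.sh run"); the
# helper functions above can be sourced and checked on their own.
if [ "${1:-}" = run ]; then
    run
fi
```

Invoke it as `sh slirp-demo.sh run`; the curl line prints the HTTP status fetched through the slirp stack, and the EXIT trap kills slirp4netns and removes the temporary files when the namespaced shell exits.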

Manual

Manual: slirp4netns.1.md

Benchmarks

iperf3 (netns -> host)

Aug 28, 2018, on RootlessKit Travis: https://github.com/rootless-containers/rootlesskit/pull/16

| Implementation | MTU=1500 | MTU=4000 | MTU=16384 | MTU=65520 |
|---|---|---|---|---|
| vde_plug | 763 Mbps | Unsupported | Unsupported | Unsupported |
| VPNKit | 514 Mbps | 526 Mbps | 540 Mbps | Unsupported |
| slirp4netns | 1.07 Gbps | 2.78 Gbps | 4.55 Gbps | 9.21 Gbps |

slirp4netns is faster than vde_plug and VPNKit because slirp4netns is optimized to avoid copying packets across the namespaces.

The latest revision of slirp4netns is regularly benchmarked (make benchmark) on CI.

Install from source

Build dependencies (apt-get):

$ sudo apt-get install libglib2.0-dev libslirp-dev libcap-dev libseccomp-dev

Build dependencies (dnf):

$ sudo dnf install glib2-devel libslirp-devel libcap-devel libseccomp-devel

Installation steps:

$ ./autogen.sh
$ ./configure --prefix=/usr
$ make
$ sudo make install
  • libslirp needs to be v4.1.0 or later.
  • To build slirp4netns as a static binary, run ./configure with LDFLAGS=-static.
  • If you set --prefix to $HOME, you don't need to run make install with sudo.
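The build steps and the three notes above, wrapped in a script, as an added example that is not part of the slirp4netns project or this fork. It checks the libslirp >= 4.1.0 requirement before configuring (pkg-config module name `slirp`, as upstream's configure.ac uses), builds with `LDFLAGS=-static` when `STATIC=1` is set, and verifies afterwards that the resulting `./slirp4netns` really is statically linked. The version comparison is numeric per field, so 4.10.0 correctly compares greater than 4.9.0. It assumes pkg-config(1), file(1) and the build dependencies listed above are installed.

```shell
#!/bin/sh
# Added example, not part of slirp4netns: wraps the "Install from source"
# steps above, checks the libslirp >= 4.1.0 requirement first, and verifies
# that a LDFLAGS=-static build really produced a static binary.
# Assumed available: pkg-config(1), file(1), the build dependencies above.
set -eu

# Return 0 if dotted version $1 >= $2, 1 otherwise. Fields are compared as
# integers; a non-numeric suffix such as "+dev" is ignored.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; x=${x%%[!0-9]*}
        y=${b%%.*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# configure needs libslirp >= 4.1.0; the pkg-config module is called "slirp".
check_libslirp() {
    have=$(pkg-config --modversion slirp 2>/dev/null) || {
        echo "libslirp development files not found (install libslirp-dev / libslirp-devel)" >&2
        return 1
    }
    version_ge "$have" 4.1.0 || {
        echo "libslirp $have is too old, need >= 4.1.0" >&2
        return 1
    }
}

# Run the documented steps. $1 is the install prefix: with a prefix under
# $HOME, 'make install' needs no sudo. STATIC=1 adds LDFLAGS=-static.
build() {
    prefix=$1
    check_libslirp
    ./autogen.sh
    if [ "${STATIC:-0}" = 1 ]; then
        ./configure --prefix="$prefix" LDFLAGS=-static
    else
        ./configure --prefix="$prefix"
    fi
    make
}

# Return 0 if the ELF at $1 is statically linked. file(1) reports
# "statically linked", or "static-pie linked" with a PIE toolchain.
is_static() {
    file -L "$1" | grep -Eq 'statically linked|static-pie linked'
}

# "sh build.sh build [prefix]" builds in the current source tree; the
# functions above can also be sourced on their own.
if [ "${1:-}" = build ]; then
    build "${2:-$HOME/.local}"
    if [ "${STATIC:-0}" = 1 ] && ! is_static ./slirp4netns; then
        echo "expected ./slirp4netns to be statically linked" >&2
        exit 1
    fi
    echo "built ./slirp4netns; run 'make install' (with sudo unless the prefix is writable)"
fi
```

`STATIC=1 sh build.sh build "$HOME/.local"` produces a static binary under the user's own prefix, which is the combination that avoids both the sudo step and a runtime dependency on the system libslirp.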

Acknowledgement

See vendor/README.md.

License

GPL-2.0-or-later