slirp4netns provides user-mode networking ("slirp") for unprivileged network namespaces.
Starting with Linux 3.8, unprivileged users can create network_namespaces(7) along with user_namespaces(7).
However, unprivileged network namespaces had not been very useful, because creating veth(4) pairs across the host and network namespaces still requires the root privileges. (i.e. No internet connection)
slirp4netns allows connecting a network namespace to the Internet in a completely unprivileged way, by connecting a TAP device in a network namespace to the usermode TCP/IP stack ("slirp").
Kubernetes distributions:
Container engines:
- Podman
- Buildah
- ctnr (via slirp-cni-plugin)
- Docker & Moby (optionally, via RootlessKit)
Tools:
| Version | Status |
|---|---|
| v0.4.x | A ✅ (will be demoted to B after the release of v0.5.0) |
| v0.3.x | B ✅ (will be demoted to C after the release of v0.5.0) |
| v0.2.x | C |
| Early versions prior to v0.2.x | D |
- A: Actively maintained. Patch releases for security fixes and other bug fixes are planned.
- B: Patch releases for security fixes are planned.
- C: No additional release is planned. However, anybody can still open PR for security fixes in the
release/x.ybranch. - D: Not maintained. Distributors can continue to distribute this version, but they should apply security fixes by themselves.
See https://github.com/rootless-containers/slirp4netns/releases for the releases.
See https://github.com/rootless-containers/slirp4netns/security/advisories for the past security advisories.
Build dependencies:
glib2-devel(libglib2.0-dev)libcap-devel(libcap-dev)libseccomp-devel(libseccomp-dev)
Install steps:
$ ./autogen.sh
$ ./configure --prefix=/usr
$ make
$ sudo make install- To build
slirp4netnsas a static binary, please run./configurewithLDFLAGS=-static. - If you set
--prefixto$HOME, you don't need to runmake installwithsudo.
RHEL 8 & Fedora (28 or later):
$ sudo dnf install slirp4netns$ sudo yum install slirp4netns$ sudo curl -o /etc/yum.repos.d/vbatts-shadow-utils-newxidmap-epel-7.repo https://copr.fedorainfracloud.org/coprs/vbatts/shadow-utils-newxidmap/repo/epel-7/vbatts-shadow-utils-newxidmap-epel-7.repo
$ sudo yum install slirp4netnsYou might need to enable user namespaces manually:
$ sudo sh -c 'echo "user.max_user_namespaces=28633" > /etc/sysctl.d/userns.conf'
$ sudo sysctl -p /etc/sysctl.d/userns.conf$ sudo pacman -S slirp4netnsYou might need to enable user namespaces manually:
$ sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"$ sudo zypper install slirp4netns$ sudo zypper addrepo --refresh http://download.opensuse.org/repositories/devel:/kubic/openSUSE_Leap_15.0/devel:kubic.repo
$ sudo zypper install slirp4netns$ sudo zypper addrepo --refresh http://download.opensuse.org/repositories/devel:/kubic/SLE_15/devel:kubic.repo
$ sudo zypper install slirp4netns$ sudo apt install slirp4netns$ nix-env -i slirp4netns$ sudo emerge app-emulation/slirp4netns$ sudo sbopkg -i slirp4netns$ sudo xbps-install slirp4netnsTerminal 1: Create user/network/mount namespaces
$ unshare --user --map-root-user --net --mount
unshared$ echo $$ > /tmp/pidTerminal 2: Start slirp4netns
$ slirp4netns --configure --mtu=65520 --disable-host-loopback $(cat /tmp/pid) tap0
starting slirp, MTU=65520
...Terminal 1: Make sure the tap0 is configured and connected to the Internet
unshared$ ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether c2:28:0c:0e:29:06 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
valid_lft forever preferred_lft forever
inet6 fe80::c028:cff:fe0e:2906/64 scope link
valid_lft forever preferred_lft forever
unshared$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
unshared$ mount --bind /tmp/resolv.conf /etc/resolv.conf
unshared$ curl https://example.comSee slirp4netns.1.md for further information.
Aug 28, 2018, on RootlessKit Travis: rootless-containers/rootlesskit#16
| Implementation | MTU=1500 | MTU=4000 | MTU=16384 | MTU=65520 |
|---|---|---|---|---|
| vde_plug | 763 Mbps | Unsupported | Unsupported | Unsupported |
| VPNKit | 514 Mbps | 526 Mbps | 540 Mbps | Unsupported |
| slirp4netns | 1.07 Gbps | 2.78 Gbps | 4.55 Gbps | 9.21 Gbps |
slirp4netns is faster than vde_plug and VPNKit because slirp4netns is optimized to avoid copying packets across the namespaces.
The latest revision of slirp4netns is regularly benchmarked (make benchmark) on Travis: https://travis-ci.org/rootless-containers/slirp4netns
See vendor/README.md.
