Presented by

  • David Gibson
    https://ozlabs.org/~dgibson/

    David has had a 20+ year IT career working almost entirely on open source projects. He made his first kernel contributions in 2000 with some work on ramfs, and then the "orinoco" wireless driver while at LinuxCare. From there he moved to IBM where he worked on the kernel for embedded PowerPC systems. He wrote, and still maintains, the device tree compiler "dtc" to assist with this work, and it has since become a standard tool for ARM as well as PowerPC embedded kernels. From there he moved on to kernel code for POWER server machines and then virtualization. He wrote the "pseries" machine for qemu and was PowerPC target maintainer in qemu for around 5 years. In 2013 he moved to Red Hat where he again worked on virtualization in qemu and the kernel. He briefly worked on Kata Containers, then became the second major contributor to passt/pasta, a modern userspace networking implementation with applications for virtual machines, containers and running both together in the cloud.

Abstract

Containers have become the go-to approach for deploying and isolating software. They give the illusion of a full system managed by the application, while actually allowing a host to run many isolated things. Virtual machines, which preceded containers and still have uses today, achieve a similar result in a different way. In both cases the underlying technology (namespaces, CPU virtualisation) can be freely used by a non-privileged user, so in theory it should be best practice to run containers and VMs without root. But most guests need a network connection to the outside world, and so far that has required one of two choices:

  1) Attach the guest to a network interface routed through the host kernel. That works well, but requires root on the host, or at least some kind of administratively privileged helper infrastructure.

  2) Use a "rootless" network. This approach, typically based on libslirp, can be used without administrative assistance, but has poor performance, requires awkward NAT and has other limitations.

So networking requiring privileged setup has been the norm for all production deployments of both containers and VMs, with rootless networks relegated to "quick and dirty" testing and experimental jobs.

In the last two years, Stefano Brivio and I have written passt & pasta. While superficially similar to Slirp, these tools are dramatically faster (usually 10 or more times the throughput), don't require NAT and have a generally more modern and robust design. This makes rootless networking practical for production cases, not just experiments and tests. This talk describes how this can be used to build practical rootless networks today using integration with tools like Podman and libvirt, and examines some of the use cases that this now allows.