Home

Awesome

slirp4netns: User-mode networking for unprivileged network namespaces

slirp4netns provides user-mode networking ("slirp") for unprivileged network namespaces.

<!-- START doctoc generated TOC please keep comment here to allow auto update --> <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> <!-- END doctoc generated TOC please keep comment here to allow auto update -->

Motivation

Starting with Linux 3.8, unprivileged users can create network_namespaces(7) along with user_namespaces(7). However, unprivileged network namespaces had not been very useful, because creating veth(4) pairs across the host and network namespaces still requires the root privileges. (i.e. No internet connection)

slirp4netns allows connecting a network namespace to the Internet in a completely unprivileged way, by connecting a TAP device in a network namespace to the usermode TCP/IP stack ("slirp").

Projects using slirp4netns

Kubernetes distributions:

Container engines:

Tools:

Maintenance policy

VersionStatus
v1.2.x:white_check_mark: Active
v1.1.xEnd of Life (May 2, 2022)
v1.0.xEnd of Life (Jun 2, 2020)
v0.4.xEnd of Life (Sep 30, 2020)
v0.3.xEnd of Life (Mar 31, 2020)
v0.2.xEnd of Life (Aug 30, 2019)
Early versions prior to v0.2.xEnd of Life (Jan 5, 2019)

See https://github.com/rootless-containers/slirp4netns/releases for the releases.

Security advisories

See https://github.com/rootless-containers/slirp4netns/security/advisories for the past security advisories.

:warning: We had been collecting the vulnerabilities of QEMU/libslirp in this slirp4netns repo until the end of 2020, as the slirp4netns releases prior to v1.0.0 were always statically linked with a specific version of QEMU/libslirp. Starting with 2021, the vulnerabilities of libslirp are no longer collected in this slirp4netns repo, as slirp4netns >= v1.0.0 can be linked with an arbitrary version of libslirp.

<details> <summary> Run <code>slirp4netns --version</code> to check the version of the linked libslirp. </summary> <p>
$ slirp4netns --version
slirp4netns version 1.1.8
commit: d361001f495417b880f20329121e3aa431a8f90f
libslirp: 4.4.0
SLIRP_CONFIG_VERSION_MAX: 3
libseccomp: 2.4.3
</p> </details>

Quick start

Install

Statically linked binaries available for x86_64, aarch64, armv7l, s390x, ppc64le, and riscv64: https://github.com/rootless-containers/slirp4netns/releases

Also available as a package on almost all Linux distributions:

e.g.

$ sudo apt-get install slirp4netns

To install slirp4netns from the source, see Install from source.

Usage

Terminal 1: Create user/network/mount namespaces

(host)$ unshare --user --map-root-user --net --mount
(namespace)$ echo $$ > /tmp/pid

In this documentation, we use (host)$ as the prompt of the host shell, (namespace)$ as the prompt of the shell running in the namespaces.

If unshare fails, try the following commands (known to be needed on Debian, Arch, and old CentOS 7.X):

(host)$ sudo sh -c 'echo "user.max_user_namespaces=28633" >> /etc/sysctl.d/userns.conf'
(host)$ [ -f /proc/sys/kernel/unprivileged_userns_clone ] && sudo sh -c 'echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.d/userns.conf'
(host)$ sudo sysctl --system

Terminal 2: Start slirp4netns

(host)$ slirp4netns --configure --mtu=65520 --disable-host-loopback $(cat /tmp/pid) tap0
starting slirp, MTU=65520
...

Terminal 1: Make sure the tap0 is configured and connected to the Internet

(namespace)$ ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether c2:28:0c:0e:29:06 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::c028:cff:fe0e:2906/64 scope link 
       valid_lft forever preferred_lft forever
(namespace)$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
(namespace)$ mount --bind /tmp/resolv.conf /etc/resolv.conf
(namespace)$ curl https://example.com

Manual

Manual: slirp4netns.1.md

Benchmarks

iperf3 (netns -> host)

Aug 28, 2018, on RootlessKit Travis: https://github.com/rootless-containers/rootlesskit/pull/16

ImplementationMTU=1500MTU=4000MTU=16384MTU=65520
vde_plug763 MbpsUnsupportedUnsupportedUnsupported
VPNKit514 Mbps526 Mbps540 MbpsUnsupported
slirp4netns1.07 Gbps2.78 Gbps4.55 Gbps9.21 Gbps

slirp4netns is faster than vde_plug and VPNKit because slirp4netns is optimized to avoid copying packets across the namespaces.

The latest revision of slirp4netns is regularly benchmarked (make benchmark) on CI.

Install from source

Build dependencies (apt-get):

$ sudo apt-get install libglib2.0-dev libslirp-dev libcap-dev libseccomp-dev

Build dependencies (dnf):

$ sudo dnf install glib2-devel libslirp-devel libcap-devel libseccomp-devel

Installation steps:

$ ./autogen.sh
$ ./configure --prefix=/usr
$ make
$ sudo make install

Acknowledgement

See vendor/README.md.

License

GPL-2.0-or-later