User-mode networking for unprivileged network namespaces
Latest commit a37391c Mar 20, 2019
Type Name Latest commit message Commit time
benchmarks [EXPERIMENTAL] QMP-like JSON API for exposing node ports Jan 7, 2019
parson [EXPERIMENTAL] QMP-like JSON API for exposing node ports Jan 7, 2019
qemu bump up qemu to 4c76137484878f42a2ce1ae1b888b6a7f66b4053 Mar 9, 2019
qemu_patches bump up qemu to 4c76137484878f42a2ce1ae1b888b6a7f66b4053 Mar 9, 2019
tests api: fix remove_hostfwd and add tests Mar 13, 2019
.gitattributes do commit hash replacement in Makefile.am and improve fallback Oct 29, 2018
.gitignore tests: add test for setting up device Jul 27, 2018
.travis.yml fix issues found by clang-tidy Jul 27, 2018
COPYING correct FSF address Jul 27, 2018
Dockerfile.tests sync with qemu/qemu upstream Mar 7, 2019
MAINTAINERS update docs (including addition of MAINTAINERS) Mar 2, 2019
Makefile.am bump up qemu to 4c76137484878f42a2ce1ae1b888b6a7f66b4053 Mar 9, 2019
README.md Merge pull request #73 from AkihiroSuda/sync-qemu Mar 9, 2019
SECURITY_CONTACTS update docs (including addition of MAINTAINERS) Mar 2, 2019
api.c api: fix remove_hostfwd and add tests Mar 13, 2019
api.h sync with qemu/qemu upstream Mar 7, 2019
autogen.sh build: use GNU autotools Jul 25, 2018
configure.ac v0.3.0-beta.1+dev Mar 13, 2019
main.c sync with qemu/qemu upstream Mar 7, 2019
slirp4netns.1 man: fix description about IPv6 availability Jan 12, 2019
slirp4netns.1.md api: default guest addr to 10.0.2.100 Jan 12, 2019
slirp4netns.c fix comment Mar 20, 2019
slirp4netns.h sync with qemu/qemu upstream Mar 7, 2019

README.md

slirp4netns: User-mode networking for unprivileged network namespaces

slirp4netns provides user-mode networking ("slirp") for unprivileged network namespaces.

Latest stable release: v0.2.X

Motivation

Starting with Linux 3.8, unprivileged users can create network_namespaces(7) along with user_namespaces(7). However, unprivileged network namespaces have not been very useful, because creating veth(4) pairs across the host and the network namespace still requires root privileges (i.e. no Internet connection).

slirp4netns connects a network namespace to the Internet in a completely unprivileged way, by attaching a TAP device in the network namespace to the user-mode TCP/IP stack ("slirp").

Projects using slirp4netns

Quick start

Install from source

Build dependency: glib2-devel (libglib2.0-dev)

$ ./autogen.sh
$ ./configure --prefix=/usr
$ make
$ sudo make install
  • To build slirp4netns as a static binary, please run ./configure with LDFLAGS=-static.
  • If you set --prefix to $HOME, you don't need to run make install with sudo.

Install from binary

RHEL 8 & Fedora (28 or later):

$ sudo dnf install slirp4netns

RHEL/CentOS 7.6

$ sudo curl -o /etc/yum.repos.d/vbatts-shadow-utils-newxidmap-epel-7.repo https://copr.fedorainfracloud.org/coprs/vbatts/shadow-utils-newxidmap/repo/epel-7/vbatts-shadow-utils-newxidmap-epel-7.repo
$ sudo yum install slirp4netns

You might need to enable user namespaces manually:

$ sudo sh -c 'echo "user.max_user_namespaces=28633" > /etc/sysctl.d/userns.conf'
$ sudo sysctl -p /etc/sysctl.d/userns.conf

Arch Linux:

$ sudo pacman -S slirp4netns

You might need to enable user namespaces manually:

$ sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"

openSUSE Tumbleweed

$ sudo zypper install slirp4netns

openSUSE Leap 15.0

$ sudo zypper addrepo --refresh http://download.opensuse.org/repositories/devel:/kubic/openSUSE_Leap_15.0/devel:kubic.repo
$ sudo zypper install slirp4netns

SUSE Linux Enterprise 15

$ sudo zypper addrepo --refresh http://download.opensuse.org/repositories/devel:/kubic/SLE_15/devel:kubic.repo
$ sudo zypper install slirp4netns

Debian GNU/Linux (10 or later) & Ubuntu (19.04 or later)

$ sudo apt install slirp4netns

NixOS

$ nix-env -i slirp4netns

Gentoo Linux

$ sudo emerge app-emulation/slirp4netns

Slackware

$ sudo sbopkg -i slirp4netns

Void Linux

$ sudo xbps-install slirp4netns
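
The two "enable user namespaces manually" steps above change the sysctls user.max_user_namespaces and kernel.unprivileged_userns_clone. The following check is an added example, not part of the slirp4netns project: it reads those two settings so you can see whether either one blocks unprivileged user namespaces before changing anything with sudo. The function name userns_status and its optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not slirp4netns code): report whether a sysctl gate
# blocks unprivileged user namespaces.
# $1 is an optional root prefix so the check can run against a
# constructed directory tree; with no argument the live /proc is read.
userns_status() {
    root="${1:-}"
    max_file="$root/proc/sys/user/max_user_namespaces"
    clone_file="$root/proc/sys/kernel/unprivileged_userns_clone"

    # user.max_user_namespaces: a value of 0 forbids creating user
    # namespaces. A missing file means this kernel has no such limit.
    if [ -r "$max_file" ]; then
        max=$(cat "$max_file")
        case "$max" in
            ''|*[!0-9]*)
                echo "unknown: cannot parse user.max_user_namespaces"
                return 2 ;;
        esac
        if [ "$max" -eq 0 ]; then
            echo "blocked: user.max_user_namespaces=0"
            return 1
        fi
    fi

    # kernel.unprivileged_userns_clone exists only on kernels that carry
    # this knob; where it exists, anything other than 1 blocks
    # unprivileged users.
    if [ -r "$clone_file" ]; then
        clone=$(cat "$clone_file")
        if [ "$clone" != "1" ]; then
            echo "blocked: kernel.unprivileged_userns_clone=$clone"
            return 1
        fi
    fi

    echo "ok"
    return 0
}
```

Call `userns_status` with no argument to check the running host; a result of "ok" means neither sysctl is the reason `unshare --user` fails.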

Usage

Terminal 1: Create user/network/mount namespaces

$ unshare --user --map-root-user --net --mount
unshared$ echo $$ > /tmp/pid

Terminal 2: Start slirp4netns

$ slirp4netns --configure --mtu=65520 $(cat /tmp/pid) tap0
starting slirp, MTU=65520
...

Terminal 1: Make sure tap0 is configured and connected to the Internet

unshared$ ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether c2:28:0c:0e:29:06 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::c028:cff:fe0e:2906/64 scope link 
       valid_lft forever preferred_lft forever
unshared$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
unshared$ mount --bind /tmp/resolv.conf /etc/resolv.conf
unshared$ curl https://example.com

See slirp4netns.1.md for further information.

Benchmarks

iperf3 (netns -> host)

Aug 28, 2018, on RootlessKit Travis: https://github.com/rootless-containers/rootlesskit/pull/16

Implementation   MTU=1500    MTU=4000     MTU=16384    MTU=65520
vde_plug         763 Mbps    Unsupported  Unsupported  Unsupported
VPNKit           514 Mbps    526 Mbps     540 Mbps     Unsupported
slirp4netns      1.07 Gbps   2.78 Gbps    4.55 Gbps    9.21 Gbps

slirp4netns is faster than vde_plug and VPNKit because slirp4netns is optimized to avoid copying packets across the namespaces.

The latest revision of slirp4netns is regularly benchmarked (make benchmark) on Travis: https://travis-ci.org/rootless-containers/slirp4netns

Acknowledgement
