Authors
Naoki Matsumoto, Akihiro Suda
Journal
Technical Report on System Software and Operating Systems (OS) (ISSN: 21888795)
Volume, issue, pages, publication date
vol.2022-OS-156, no.9, pp.1-7, 2022-07-20

"Rootless containers" is a concept to run the entire container runtime and the containers themselves without root privileges. It protects the host environment from attackers exploiting container runtime vulnerabilities. However, when rootless containers communicate with external endpoints, network performance is very low compared to rootful containers because of the overhead of the user-land TCP/IP implementation called "slirp4netns". In this paper, we propose "bypass4netns", which accelerates TCP/IP communication in rootless containers by bypassing slirp4netns. bypass4netns uses sockets allocated on the host. It switches the socket file descriptors in containers to the host's socket file descriptors by intercepting syscalls and injecting the file descriptors, using ioctl (SECCOMP_IOCTL_NOTIF_ADDFD). We confirmed that rootless containers with bypass4netns can achieve more than 10 times higher throughput than rootless containers without it.