rootlesskit vs slirp4netns

| | rootlesskit | slirp4netns |
|---|---|---|
| Mentions | 8 | 8 |
| Stars | 1,049 | 792 |
| Growth | 1.9% | 2.4% |
| Activity | 8.3 | 5.3 |
| Latest Commit | 6 days ago | about 1 month ago |
| Language | Go | C |
| License | Apache License 2.0 | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
rootlesskit
- Bocker: Docker implemented in around 100 lines of Bash (2015)
Yes, from the README:
> Bocker runs as root and among other things needs to make changes to your network interfaces, routing table, and firewall rules. I can make no guarantees that it won't trash your system.
Linux makes it quite hard to run "containers" as an unprivileged user. Not impossible! https://github.com/rootless-containers/rootlesskit is one approach and demonstrates much of the difficulty involved. Networking is perhaps the most problematic. Your choices are either setuid binaries (so basically less-root as opposed to root-less anymore) or usermode networking. slirp4netns is the state of the art here as far as I know, but not without security and performance tradeoffs.
- Is it possible to connect to a host port from a rootless Docker container?
The official docs list some known limitations of rootless Docker, and says that "Host network (docker run --net=host) is also namespaced inside RootlessKit." I don't understand how RootlessKit works, but I am wondering if this means that rootless Docker containers are unable to connect to ports on the host? I also checked the RootlessKit docs but I'm out of my depth there: (https://github.com/rootless-containers/rootlesskit/blob/master/docs/network.md).
- Rootless or rootful for home NAS?
- Hetzner now provides IPv6 only dedicated servers
Fair warning: if your app needs to be able to see the user's IP (for throttling, banning, etc.):
Rootless Docker doesn't properly support IPv6 yet with the ability to see the end-user's source IP.
* https://github.com/rootless-containers/rootlesskit/issues/25...
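The practical consequence of the comment above is that a service running under rootless Docker may see every inbound connection arriving from the usermode-network gateway rather than from the real client, so any per-IP throttle or ban list keyed on RemoteAddr silently collapses onto one address. The following is an added example, not code from the page, from rootlesskit or from slirp4netns: a small per-IP throttler that detects that situation and reports the source as unknown instead of throttling everyone at once. It assumes the forwarder presents slirp4netns's default gateway address 10.0.2.2 (the default --cidr 10.0.2.0/24 unchanged); the set of gateway addresses is a parameter precisely because your own deployment should be checked rather than trusted to match this assumption.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"sync"
)

// Decision is the throttler's verdict for one request.
type Decision struct {
	Allowed       bool
	SourceUnknown bool   // true when the peer address is the rootless gateway, not a client
	Reason        string
}

// Throttler counts requests per client IP and refuses requests over a limit.
// gateways lists the addresses a rootless port forwarder presents as the peer
// of every inbound connection; when the peer is one of those, the real client
// IP is unavailable and per-IP accounting is meaningless.
type Throttler struct {
	mu       sync.Mutex
	limit    int
	gateways map[string]bool
	seen     map[string]int
}

// NewThrottler builds a throttler allowing `limit` requests per client IP.
func NewThrottler(limit int, gateways []string) *Throttler {
	t := &Throttler{limit: limit, gateways: map[string]bool{}, seen: map[string]int{}}
	for _, g := range gateways {
		t.gateways[g] = true
	}
	return t
}

// ClientIP extracts the address part of an http.Request.RemoteAddr.
// net.SplitHostPort handles both "203.0.113.7:51000" and "[2001:db8::1]:443".
func ClientIP(remoteAddr string) (string, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return "", err
	}
	if net.ParseIP(host) == nil {
		return "", fmt.Errorf("not an IP address: %q", host)
	}
	return host, nil
}

// Allow applies the per-IP limit. A peer that is the rootless gateway is let
// through with SourceUnknown set, so the caller can decide (and log) rather
// than have one shared address trip the limit for all clients.
func (t *Throttler) Allow(remoteAddr string) Decision {
	ip, err := ClientIP(remoteAddr)
	if err != nil {
		return Decision{Allowed: false, Reason: "unparseable peer address: " + err.Error()}
	}
	if t.gateways[ip] {
		return Decision{Allowed: true, SourceUnknown: true,
			Reason: "peer " + ip + " is the rootless network gateway; client IP not available"}
	}
	t.mu.Lock()
	defer t.mu.Unlock()
	t.seen[ip]++
	if t.seen[ip] > t.limit {
		return Decision{Allowed: false, Reason: fmt.Sprintf("over limit for %s", ip)}
	}
	return Decision{Allowed: true, Reason: "ok"}
}

func main() {
	// Assumption: slirp4netns's default gateway; adjust to what your deployment shows.
	t := NewThrottler(100, []string{"10.0.2.2"})
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		d := t.Allow(r.RemoteAddr)
		if !d.Allowed {
			http.Error(w, d.Reason, http.StatusTooManyRequests)
			return
		}
		fmt.Fprintf(w, "hello %s (%s)\n", r.RemoteAddr, d.Reason)
	})
	http.ListenAndServe(":8080", nil)
}
```

Run it inside a rootless container with a published port and curl it from another host: if the response reports the gateway reason for every request, the source IP is not reaching your application and throttling or banning by address cannot work there; the same check is what a ban list should make before adding an address.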
- How to improve your Docker containers security – [cheat sheet]
There may be some overhead with networking if your application uses a very large amount of bandwidth. See:
https://github.com/rootless-containers/rootlesskit/tree/v0.1...
Otherwise for general dockerized applications, you won't notice any difference.
You may find some quirks, but these can all be worked around easily as described on the rootless docker page.
We run it in production with no issues so far.
- Request for Fedora CEO to add these packages
- Fedora 34 and docker rootless insanity. Warning: rant-y
Now with Fedora 34 I'm having issues from rootlesskit not being packaged. Got the binaries from https://github.com/rootless-containers/rootlesskit/#setup since that go get command never works. I have installed over 50 packages using go get but rootlesskit ALWAYS fails to compile because of some dependency like google/uuid and different Go versions.
- Fedora 34 doesn't have rootlesskit for Docker/Moby?
slirp4netns
- Our User Mode WireGuard Year
History likes to repeat itself:
https://github.com/rootless-containers/slirp4netns
- How to bypass VPN/choose which apps use it on Linux? Ideally I just want the VPN to work for one app, and not touch any other data coming in/out of the computer.
It should not actually require root anymore - see https://github.com/rootless-containers/slirp4netns
- Contributing to Telescope: Wrapping up 0.4

```dockerfile
USER root
# Add Docker's apt repository (dazzle-marks and install-packages are the
# Gitpod workspace-image conventions used by this Dockerfile) and install
# the Docker engine and CLI packages.
RUN curl -o /var/lib/apt/dazzle-marks/docker.gpg -fsSL https://download.docker.com/linux/ubuntu/gpg \
    && apt-key add /var/lib/apt/dazzle-marks/docker.gpg \
    && add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
    && install-packages docker-ce docker-ce-cli containerd.io
# Fetch the static slirp4netns release binary for this architecture; it provides
# the usermode networking that rootless Docker needs.
# Note: the download is over HTTPS but no checksum or signature is verified here.
RUN curl -o /usr/bin/slirp4netns -fsSL https://github.com/rootless-containers/slirp4netns/releases/download/v1.1.12/slirp4netns-$(uname -m) \
    && chmod +x /usr/bin/slirp4netns
```
- Hetzner now provides IPv6 only dedicated servers
- Limit network access to published port
Podman pods are kind of their own thing, networking wise, being under slirp4netns https://github.com/rootless-containers/slirp4netns
- ordinary-containerization using PODMAN?
- podman rootless setup - questions ex ante
I found this slirp4netns in the meantime as well. There are a bunch of other problems with podman. I cannot use nftables and firewalld with systemd+nftables, the mentioned port "problem" for rootless podman, ipv6 containers and some other stuff that isn't working or is very config-heavy. I found a lot of github issues that have been actively discussed in the past days regarding some of the topics mentioned in this post. My conclusion is that I will still use docker and will look into this in a year or so... too early imo to really switch to podman because there are almost no benefits over docker for me. (I want ipv6, rootless containers all the way and full nftables support)
What are some alternatives?
usernetes - Kubernetes without the root privileges
podman-compose - a script to run docker-compose.yml using podman
ansible-podman-examples - This is to share some of ansible examples for running stuff in podman containers.
fuse-overlayfs - FUSE implementation for overlayfs
podman-container-systemd - creates systemd files and creates containers using podman
WireGuardMeshes - A text repo to feature-track WireGuard mesh software