# Networking

[TOC]

gVisor implements its own network stack called [netstack][netstack]. All aspects
of the network stack are handled inside the Sentry — including TCP connection
state, control messages, and packet assembly — keeping it isolated from the host
network stack. Data link layer packets are written directly to the virtual
device inside the network namespace set up by Docker or Kubernetes.

The IP address and routes configured for the device are transferred inside the
sandbox. The loopback device runs exclusively inside the sandbox and does not
use the host. You can inspect them by running:

```bash
docker run --rm --runtime=runsc alpine ip addr
```

## Network passthrough

For high-performance networking applications, you may choose to disable the user
space network stack and instead use the host network stack, including the
loopback. Note that this mode reduces the sandbox's isolation from the host.

Add the following `runtimeArgs` to your Docker configuration
(`/etc/docker/daemon.json`) and restart the Docker daemon:

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--network=host"
            ]
        }
    }
}
```

## Disabling external networking

To completely isolate the host and network from the sandbox, external networking
can be disabled. The sandbox will still contain a loopback provided by netstack.

Add the following `runtimeArgs` to your Docker configuration
(`/etc/docker/daemon.json`) and restart the Docker daemon:

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--network=none"
            ]
        }
    }
}
```

### Disable GSO {#gso}

If your Linux kernel is older than 4.14.17, you can disable Generic Segmentation
Offload (GSO); without GSO, gVisor runs on any kernel newer than 3.17. Add the
`--gso=false` flag to your Docker runtime configuration
(`/etc/docker/daemon.json`) and restart the Docker daemon:

> Note: Network performance, especially for large payloads, will be greatly
> reduced.

```json
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": [
                "--gso=false"
            ]
        }
    }
}
```
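
The three configurations above all live in the same `runtimes.runsc.runtimeArgs` list, so an operator auditing a fleet wants to know which network mode each host's `daemon.json` actually selects. The following is an added example, not code from the gVisor documentation or the runsc project: a small Python script that parses that list and reports the isolation consequences. The `daemon.json` sample is constructed; the defaults it assumes (`--network=sandbox`, GSO enabled) are runsc's own, and accepting the `--flag value` spelling next to `--flag=value` is an assumption about how operators may have written the arguments.

```python
import json

# Constructed sample of /etc/docker/daemon.json (not a real host's file): a
# runsc runtime switched to host networking with GSO disabled.
SAMPLE_DAEMON_JSON = """
{
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": ["--network=host", "--gso=false"]
        }
    }
}
"""

def parse_runtime_args(args):
    """Return (network, gso) from a runsc runtimeArgs list; defaults follow
    runsc (netstack "sandbox", GSO on). "--flag=value" and "--flag value" both parse.
    """
    network, gso = "sandbox", True
    i = 0
    while i < len(args):
        name, has_eq, value = args[i].lstrip("-").partition("=")
        if name == "network":
            if not has_eq:  # "--network host" form: value is the next element
                i += 1
                value = args[i] if i < len(args) else ""
            if value not in ("sandbox", "host", "none"):
                raise ValueError(f"unknown --network value: {value!r}")
            network = value
        elif name == "gso":
            gso = value.lower() != "false" if has_eq else True
        i += 1
    return network, gso

def audit_daemon_json(text):
    """Summarise what the runsc entry in daemon.json means for isolation."""
    runsc = json.loads(text).get("runtimes", {}).get("runsc")
    if runsc is None:
        raise ValueError("no runsc runtime configured")
    network, gso = parse_runtime_args(runsc.get("runtimeArgs", []))
    findings = []
    if network == "host":
        findings.append("host network stack: sandbox shares host stack and loopback")
    elif network == "none":
        findings.append("external networking disabled: netstack loopback only")
    if not gso:
        findings.append("GSO disabled: reduced throughput for large payloads")
    return {"network": network, "gso": gso, "findings": findings}
```

On a real host, run `audit_daemon_json(open("/etc/docker/daemon.json").read())`; an empty `findings` list means the default netstack configuration is in effect.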

[netstack]: https://github.com/google/netstack