Rootless Docker Networking: Performance Tuning, Source IP Propagation, and Debugging Tips

$ cat /proc/sys/net/ipv4/ping_group_range 1 0 ``` For details, see [Routing ping packets](#routing-ping-packets). #### `IPAddress` shown in `docker inspect` is unreachable This is an expected behavior, as the daemon is namespaced inside RootlessKit's network namespace. Use `docker run -p` instead. #### `--net=host` doesn't listen ports on the host network namespace This is an expected behavior, as the daemon is namespaced inside RootlessKit's network namespace. Use `docker run -p` instead. #### Network is slow Docker with rootless mode uses [slirp4netns](https://github.com/rootless-containers/slirp4netns) as the default network stack if slirp4netns v0.4.0 or later is installed. If slirp4netns is not installed, Docker falls back to [VPNKit](https://github.com/moby/vpnkit). Installing slirp4netns may improve the network throughput. For more information about network drivers for RootlessKit, see [RootlessKit documentation](https://github.com/rootless-containers/rootlesskit/blob/v2.0.0/docs/network.md). Also, changing MTU value may improve the throughput. The MTU value can be specified by creating `~/.config/systemd/user/docker.service.d/override.conf` with the following content: ```systemd [Service] Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_MTU=<INTEGER>" ``` And then restart the daemon: ```console $ systemctl --user daemon-reload $ systemctl --user restart docker ``` #### `docker run -p` does not propagate source IP addresses This is because Docker in rootless mode uses RootlessKit's `builtin` port driver by default, which doesn't support source IP propagation. To enable source IP propagation, you can: - Use the `slirp4netns` RootlessKit port driver - Use the `pasta` RootlessKit network driver, with the `implicit` port driver The `pasta` network driver is experimental, but provides improved throughput performance compared to the `slirp4netns` port driver. The `pasta` driver requires Docker Engine version 25.0 or later. To change the RootlessKit networking configuration: 1. Create a file at `~/.config/systemd/user/docker.service.d/override.conf`. 2. Add the following contents, depending on which configuration you would like to use: - `slirp4netns` ```systemd [Service] Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns" Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns" ``` - `pasta` network driver with `implicit` port driver ```systemd [Service] Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta" Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=implicit" ``` 3. Restart the daemon: ```console $ systemctl --user daemon-reload $ systemctl --user restart docker ``` For more information about networking options for RootlessKit, see: - [Network drivers](https://github.com/rootless-containers/rootlesskit/blob/v2.0.0/docs/network.md) - [Port drivers](https://github.com/rootless-containers/rootlesskit/blob/v2.0.0/docs/port.md) ### Tips for debugging **Entering into `dockerd` namespaces** The `dockerd-rootless.sh` script executes `dockerd` in its own user, mount, and network namespaces. For debugging, you can enter the namespaces by running `nsenter -U --preserve-credentials -n -m -t $(cat $XDG_RUNTIME_DIR/docker.pid)`.

This section discusses advanced networking configurations for Rootless Docker. It explains how to improve network throughput by adjusting the MTU value using systemd overrides. It also addresses the issue of source IP address propagation with `docker run -p` and provides solutions using the `slirp4netns` port driver or the experimental `pasta` network driver with the `implicit` port driver. Configuration steps for both options are provided, requiring systemd overrides and daemon restarts. Finally, it offers a debugging tip: using `nsenter` to enter the namespaces of the `dockerd` process for deeper inspection.