Presented by

  • David Gibson

    https://ozlabs.org/~dgibson/

    David has had a 20+ year IT career working almost entirely on open source projects. He made his first kernel contributions in 2000 with some work on ramfs, and then the "orinoco" wireless driver while at LinuxCare. From there he moved to IBM, where he worked on the kernel for embedded PowerPC systems. He wrote, and still maintains, the device tree compiler "dtc" to assist with this work, and it's since become a standard tool for ARM as well as PowerPC embedded kernels. From there he moved on to kernel code for POWER server machines and then virtualization. He wrote the "pseries" machine for qemu and was PowerPC target maintainer in qemu for around 5 years. In 2013 he moved to Red Hat, where he again worked on virtualization in qemu and the kernel. He briefly worked on Kata Containers, then became the second major contributor to passt/pasta, a modern userspace networking implementation with applications for virtual machines, containers and running both together in the cloud.

Abstract

It was the dawn of personal internet access; the mid-90s. Lots of university students and staff had dial-up shell accounts, but dial-up PPP was still hard to come by. So, Slirp was born: a way to fake Layer 2 network connectivity - SLIP or PPP - by translating frames to Layer 4 network operations - ordinary socket calls which could be made by an unprivileged user. It was a useful hack that had its day, then quickly became obsolete as commercial ISPs became common and cheap. Or did it..?

It turns out there are modern cases where Slirp is still used:

  • QEMU's "-net user" mode is based on Slirp; it's not much used in production VMs, but it's extremely convenient when developing or experimenting, because it requires neither raised privilege nor configuration.
  • slirp4netns uses Slirp to connect a network namespace with a tuntap device to the host's network, and forms the basis of networking for rootless container runtimes.
  • KubeVirt runs virtual machines inside Kubernetes pods, and needs to connect the VM's virtual NIC to the pod's network, ideally without requiring the configuration of special privileges on the cluster.

But, despite its uses, Slirp is a very old, very clunky, and difficult to maintain codebase with a poor track record on security and resource leaks. passt (Plug a Simple Socket Transport) is a completely new implementation of the Slirp concept: it connects a Layer 2 network transport (e.g. QEMU's "-net socket" protocol) to regular Layer 4 socket calls. pasta (Pack a Subtle Tap Abstraction) is a variant which connects a tuntap device in a network namespace (such as a container) instead of a VM.

This talk will discuss the uses for passt, the basics of its implementation, and some future plans. We'll also look at some design decisions we've made to help keep it simpler and more secure than Slirp (for example, minimizing the use of NAT, and using no dynamic memory allocation). There will be demonstrations.
The project is in its early days, but we think it's already useful and we'd love to have more users and contributors. passt was originally authored by Stefano Brivio, and in the past six months I've become the second major contributor.

YouTube: https://www.youtube.com/watch?v=QMUEtEt1i3I
LA Archive: http://mirror.linux.org.au/pub/everythingopen/2023/clarendon_room_a/Tuesday/passt_pasta_Modern_unprivileged_networking_for_containers_and_VMs.webm
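The Layer 2 to Layer 4 translation at the heart of Slirp and passt, as an added illustration that is not code from passt or from the talk: it parses a constructed Ethernet/IPv4 frame from a guest, bounds-checks every header before reading it, maps a bare TCP SYN to a connect() and later segments to send() (UDP to sendto()), and tracks flows in a fixed-size table so nothing is allocated dynamically. The guest addresses, the table size and the action names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
/* What a guest frame would become at the socket layer (names are assumed, not passt's). */
enum l4_action { ACT_DROP = 0, ACT_TCP_CONNECT, ACT_TCP_SEND, ACT_UDP_SENDTO };

struct flow { int used; uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
#define MAX_FLOWS 8
static struct flow flows[MAX_FLOWS];   /* fixed-size table: no malloc; a full table means drop */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Return the slot of an existing flow, claim a free one, or -1 if the table is full. */
static int flow_slot(uint8_t proto, uint32_t s, uint32_t d, uint16_t sp, uint16_t dp) {
    int free_idx = -1;
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (!flows[i].used) { if (free_idx < 0) free_idx = i; continue; }
        if (flows[i].proto == proto && flows[i].saddr == s && flows[i].daddr == d &&
            flows[i].sport == sp && flows[i].dport == dp)
            return i;
    }
    if (free_idx < 0) return -1;
    flows[free_idx] = (struct flow){ 1, s, d, sp, dp, proto };
    return free_idx;
}

/* Classify one Ethernet/IPv4 frame of 'len' bytes; every field is bounds-checked before use. */
enum l4_action classify_frame(const uint8_t *f, size_t len, int *slot) {
    if (len < 14 + 20 || rd16(f + 12) != 0x0800) return ACT_DROP;       /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || rd16(ip + 2) > len - 14) return ACT_DROP; /* truncated */
    uint8_t proto = ip[9];
    size_t l4min = proto == 6 ? 20 : proto == 17 ? 8 : 0;
    if (!l4min || len < 14 + ihl + l4min) return ACT_DROP;              /* TCP/UDP with whole header */
    const uint8_t *l4 = ip + ihl;
    *slot = flow_slot(proto, rd32(ip + 12), rd32(ip + 16), rd16(l4), rd16(l4 + 2));
    if (*slot < 0) return ACT_DROP;
    if (proto == 17) return ACT_UDP_SENDTO;                             /* UDP: sendto() on a socket */
    /* A bare SYN from the guest becomes connect(); later segments are send() on that socket. */
    return (l4[13] & 0x12) == 0x02 ? ACT_TCP_CONNECT : ACT_TCP_SEND;
}

/* Constructed sample: guest 10.0.2.15:40000 -> 10.0.2.2:80, TCP SYN, IPv4 total length 40. */
const uint8_t syn_frame[54] = {
    0x52,0x55,0x0a,0x00,0x02,0x02, 0x52,0x54,0x00,0x12,0x34,0x56, 0x08,0x00,   /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,             /* IPv4, cksum 0 */
    10,0,2,15, 10,0,2,2,
    0x9c,0x40, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0     /* TCP, SYN set */
};
```

A real implementation would also have to reproduce the guest-visible TCP state machine on the socket side; this block shows only the frame-to-socket-call decision and the static flow table.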