RFE: Provide rootless facilities for VMs & containers network configuration
High level goal:
Provide host network access to containers and VMs through ad-hoc network interfaces/namespace & routing.
The administration/service must permit rootless setup & operation.
Other features to consider:
- basic DHCP/NDP should offer automated configuration for VMs/containers
- port mapping/redirection (host to guest) (for users of port > 1024)
- interfaces might be able to talk to each other
- additional private networks and network restrictions might be out of scope
More complex scenarios can be handled by existing or future extensions or alternatives (without or in cooperation with NM).
Current solutions and limitations:
In general, VM NICs talk layer 2/Ethernet, with a backend or an FD (vhost may handle the TAP fd on the kernel side), while containers use or join a network namespace.
Today, slirp (or similar) is often used to provide rootless access to the host network. It is easy to set up and a portable solution (qemu -net user, podman/rootlesskit, etc.). However, it also has a number of limitations and security implications, and it will never compete with an OS-level networking stack in features or performance. A VM talks to the slirp API directly; containers set up a TAP in the container NS.
Other rootless VM solutions involve a bridge and a TAP device, created by qemu-bridge-helper for the VM (also using libvirt virtnetworkd).
Other container solutions involve a veth pair of interfaces for the container (lxc-user-nic, systemd-networkd).
The "default" libvirt network configuration closely matches the expectations listed above, using a NATed bridge.
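The host-to-guest port mapping listed under "Other features to consider" is the one piece a slirp-style user-space approach already delivers without privileges. The following Python script is an added illustration, not code from this RFE or from any of the projects it names: it relays a host TCP port to a guest address purely in user space, and first checks the port against the Linux unprivileged-port floor (net.ipv4.ip_unprivileged_port_start, 1024 by default), which is the reason for the "port > 1024" limit above. The guest service is a constructed stand-in running on localhost.

```python
import socket
import threading
from contextlib import suppress

# Linux lets a non-root process bind only ports >= net.ipv4.ip_unprivileged_port_start
# (1024 by default): hence the RFE's "port > 1024" limit. Port 0 (ephemeral) is always ok.
def can_bind_rootless(port, start=1024):
    return port == 0 or start <= port < 65536

def _pump(src, dst):
    # Relay one direction; on EOF pass the half-close on so the other side sees it.
    with suppress(OSError):
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _accept_loop(listener, guest):
    with suppress(OSError):  # ends when the listener is closed
        while True:
            client, _ = listener.accept()
            try:
                upstream = socket.create_connection(guest)  # user-space relay, slirp-style
            except OSError:
                client.close()  # guest unreachable: refuse this client, keep serving
                continue
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=_pump, args=(a, b), daemon=True).start()

def start_redirect(host_port, guest, host_addr="127.0.0.1"):
    """Publish guest (ip, port) on host_port without privileges; returns the listener."""
    if not can_bind_rootless(host_port):
        raise PermissionError(f"port {host_port} needs CAP_NET_BIND_SERVICE")
    lst = socket.create_server((host_addr, host_port))
    threading.Thread(target=_accept_loop, args=(lst, guest), daemon=True).start()
    return lst

def roundtrip(payload=b"hello from the host"):
    guest = socket.create_server(("127.0.0.1", 0))  # constructed stand-in for the guest service
    def echo():  # the "guest" answers with the upper-cased request, then closes
        with guest.accept()[0] as conn:
            conn.sendall(conn.recv(65536).upper())
    threading.Thread(target=echo, daemon=True).start()
    lst = start_redirect(0, guest.getsockname())  # port 0: let the kernel pick one
    try:
        with socket.create_connection(lst.getsockname()) as c:
            c.sendall(payload)
            return c.recv(65536)
    finally:
        for s in (lst, guest):
            s.close()
```

On a stock kernel start_redirect(80, ...) raises PermissionError before touching the network; a host whose sysctl was lowered can pass the live value as start to can_bind_rootless.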
Proposal:
NM (as the de facto Linux network manager) could provide a go-to solution for setting up basic VM/container networking (rootless & rootful).
Notes:
Slirp-based solutions will exist for a long time: not only do they offer different tradeoffs, since the whole guest-visible network stack can be tweaked and very low privileges are required, but they are also a portable solution.
RHEL/CoreOS and Ubuntu currently use NetworkManager (systemd-networkd seems to be the default in Ubuntu Server at this time).
This proposal will inevitably conflict with existing solutions, but could also simplify some of their tasks.
See also:
- libvirt network configuration & daemon
- podman run --network manual
- lxc-user-nic manual
- systemd-nspawn networking options & systemd-networkd