Rootless container network behavior
As we saw in the previous sections, Podman relies on CNI plugins or Netavark for containers running as root, where it has the privileges to alter network configurations in the host network namespace. For rootless containers, Podman uses the slirp4netns project, which allows you to create container network configurations without the need for root privileges: the network interfaces are created inside a rootless network namespace, where the standard user has sufficient privileges. This approach allows rootless container networking to be managed transparently and flexibly.
In the previous sections, we saw how container network namespaces can be connected to a bridge using a veth pair. Creating a veth pair in the host network namespace requires root privileges, which standard users do not have.
In the simplest scenario, slirp4netns aims to overcome these privilege limitations by allowing a tap device to be created that's attached...
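The following script is an added example, not from the book, that lets you observe the behaviour described above on a rootless user account: it starts a container with slirp4netns networking selected explicitly, reads the address of the tap device from inside the container's own network namespace, and counts veth interfaces in the host namespace to confirm that nothing was created there. It assumes `podman`, `iproute2` (`ip`, `nsenter`) and network access to pull the `alpine` image; the container name is a constructed value.

```shell
#!/bin/sh
# Added example (not the book's code): inspect rootless networking.
# Assumes: rootless user, podman, ip/nsenter from iproute2, alpine pullable.
set -eu

CTR="rootless-net-demo"   # constructed container name

# Start a rootless container and select slirp4netns networking explicitly.
start_demo() {
    podman run -d --rm --name "$CTR" --network slirp4netns \
        docker.io/library/alpine sleep 300 >/dev/null
}

# Print the IPv4 address of the tap device inside the container's netns.
# `podman unshare` makes us root inside the rootless user namespace, which
# owns that network namespace, so nsenter works without host root rights.
tap_addr() {
    pid=$(podman inspect -f '{{.State.Pid}}' "$CTR")
    podman unshare nsenter -t "$pid" -n ip -4 -o addr show tap0 \
        | awk '{print $4}'
}

# Count veth interfaces in the host network namespace. A rootless
# container adds none: its only interface is the tap inside its own netns,
# which is exactly why no host-level privilege is required.
host_veth_count() {
    ip -o link show type veth | wc -l | tr -d ' '
}

stop_demo() {
    podman rm -f "$CTR" >/dev/null 2>&1 || true
}
```

Run `start_demo`, then `tap_addr` (slirp4netns assigns 10.0.2.100/24 by default) and `host_veth_count` before and after to compare, and finish with `stop_demo`.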