bypass4netns: Accelerating TCP/IP Communications in Rootless Containers
Naoki Matsumoto, Akihiro Suda
TL;DR
The paper tackles the network performance bottleneck of rootless containers by introducing bypass4netns, a Seccomp-Notify-based socket-switching mechanism that grafts container sockets onto host sockets so that traffic bypasses the slow rootless networking path. It combines eBPF-driven socket behavior analysis, dynamic policy-aware switching, and a VXLAN-free multi-node strategy to achieve substantial throughput gains while maintaining compatibility with existing applications. The authors implement bypass4netns and demonstrate up to roughly 30x performance improvements on common benchmarks such as iperf3 and Redis, as well as compatibility with statically linked binaries, without requiring root privileges. The work has practical implications for deploying high-performance rootless containers and outlines pathways for Kubernetes integration and finer policy control, with ongoing work to address Seccomp Notify reliability and broader ecosystem integration.
Abstract
"Rootless containers" is a concept to run the entire container runtimes and containers without the root privileges. It protects the host environment from attackers exploiting container runtime vulnerabilities. However, when rootless containers communicate with external endpoints, the network performance is low compared to rootful containers because of the overhead of rootless networking components. In this paper, we propose bypass4netns that accelerates TCP/IP communications in rootless containers by bypassing slow networking components. bypass4netns uses sockets allocated on the host. It switches sockets in containers to the host's sockets by intercepting syscalls and injecting the file descriptors using Seccomp. Our method with Seccomp can handle statically linked applications that previous works could not handle. Also, we propose high-performance rootless multi-node communication. We confirmed that rootless containers with bypass4netns achieve more than 30x faster throughput than rootless containers without it. In addition, we evaluated performance with applications and it showed large improvements on some applications.
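The socket switch that the abstract describes in one sentence (intercept the syscall, inject a host file descriptor) is shown below as an added example; it is not the paper's or the bypass4netns project's code. It models the container and the supervisor as two threads of one process so that no fd passing is needed, and the loopback server, its ephemeral port and the payload are constructed for the demo. It assumes Linux 5.9 or newer on x86-64 or arm64 (where `connect` is a direct syscall), kernel headers of at least 5.0, and a build with `-pthread`.

```c
/* Added example (not the paper's or bypass4netns' code): an in-process model of
 * the Seccomp-Notify socket switch.  A supervised thread plays the container:
 * its connect() is routed to a user-space listener.  The main thread plays the
 * supervisor: it connects a "host" socket to the requested destination and
 * grafts it onto the caller's fd with SECCOMP_IOCTL_NOTIF_ADDFD + SETFD, so the
 * caller's connect() returns 0 and its later write() travels over the host socket.
 * Assumes Linux >= 5.9 on x86-64/arm64 (connect is a direct syscall there). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_IOCTL_NOTIF_ADDFD /* fallback for pre-5.9 kernel headers */
struct seccomp_notif_addfd { __u64 id; __u32 flags, srcfd, newfd, newfd_flags; };
#define SECCOMP_ADDFD_FLAG_SETFD (1UL << 0)
#define SECCOMP_IOCTL_NOTIF_ADDFD _IOW('!', 3, struct seccomp_notif_addfd)
#endif

static const char MSG[] = "hello over the grafted socket"; /* constructed payload */

struct target { int pipe_wr; int result; struct sockaddr_in dst; };

/* Route connect() to the supervisor, allow everything else; returns the listener fd. */
static int install_filter(void) {
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_connect, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof code / sizeof code[0], .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}

/* "Container" side: install the filter, hand the listener fd to the supervisor, connect, write. */
static void *target_main(void *arg) {
    struct target *t = arg;
    int listener = install_filter();
    if (write(t->pipe_wr, &listener, sizeof listener) != sizeof listener || listener < 0) return NULL;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0 || connect(s, (struct sockaddr *)&t->dst, sizeof t->dst) < 0) return NULL;
    /* After the switch, fd s is the host socket the supervisor connected on our behalf. */
    t->result = write(s, MSG, sizeof MSG) == (ssize_t)sizeof MSG ? 0 : -1;
    close(s);
    return NULL;
}

/* Supervisor side.  Returns 1 on success, 0 if this kernel lacks the feature, -1 on a bug. */
static int run_demo(void) {
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof a; /* sin_port 0: the kernel picks a free loopback port */
    if (srv < 0 || bind(srv, (struct sockaddr *)&a, alen) < 0 || listen(srv, 1) < 0 ||
        getsockname(srv, (struct sockaddr *)&a, &alen) < 0) return -1;
    int p[2], listener = -1, rc = -1;
    if (pipe(p) < 0) return -1;
    struct target t = { .pipe_wr = p[1], .result = -1, .dst = a };
    pthread_t th;
    if (pthread_create(&th, NULL, target_main, &t) != 0) return -1;
    if (read(p[0], &listener, sizeof listener) != sizeof listener) return -1;
    if (listener < 0) { pthread_join(th, NULL); return 0; } /* no seccomp user-notif here */

    struct seccomp_notif req; memset(&req, 0, sizeof req); /* kernel insists on a zeroed struct */
    struct seccomp_notif_resp resp; memset(&resp, 0, sizeof resp);
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) == 0 && req.data.nr == __NR_connect) {
        resp.id = req.id; /* val = 0, error = 0: the target's connect() reports success */
        /* Copy the sockaddr out of the target's memory; a real supervisor reads /proc/<req.pid>/mem. */
        struct sockaddr_in dst; memset(&dst, 0, sizeof dst);
        size_t n = req.data.args[2] < sizeof dst ? (size_t)req.data.args[2] : sizeof dst;
        int mem = open("/proc/self/mem", O_RDONLY), host = -1;
        ssize_t got = mem < 0 ? -1 : pread(mem, &dst, n, (off_t)req.data.args[1]);
        if (mem >= 0) close(mem);
        /* ID_VALID closes the TOCTOU window: the target may have died and its id been reused. */
        if (got == (ssize_t)n && ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) == 0)
            host = socket(AF_INET, SOCK_STREAM, 0);
        if (host >= 0 && connect(host, (struct sockaddr *)&dst, sizeof dst) == 0) {
            struct seccomp_notif_addfd add = { .id = req.id, .flags = SECCOMP_ADDFD_FLAG_SETFD,
                                               .srcfd = host, .newfd = (__u32)req.data.args[0] };
            /* dup2-like: the host socket lands on the target's original fd number */
            if (ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &add) == (int)add.newfd) rc = 1;
            else { rc = 0; resp.error = -ENOTSUP; } /* pre-5.9 kernel: no ADDFD */
        } else resp.error = -ECONNREFUSED;
        if (host >= 0) close(host); /* the target's fd now owns the open file description */
        ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp); /* always answer, or the target hangs */
    }
    close(listener);
    char buf[sizeof MSG] = { 0 };
    if (rc == 1) {
        int c = accept(srv, NULL, NULL);
        if (c < 0 || read(c, buf, sizeof buf) <= 0) rc = -1;
        if (c >= 0) close(c);
    }
    pthread_join(th, NULL);
    close(srv); close(p[0]); close(p[1]);
    if (rc == 1 && (t.result != 0 || strcmp(buf, MSG) != 0)) rc = -1;
    return rc;
}

int main(void) {
    int rc = run_demo();
    if (rc == 1) printf("switched: server received \"%s\"\n", MSG);
    else if (rc == 0) printf("seccomp user notification not available on this kernel\n");
    else printf("demo failed\n");
    return rc < 0;
}
```

Build with `cc -pthread demo.c -o demo`. Two details matter for a supervisor that does this for real: it must re-check the notification id after reading anything from the target's memory, because the target can be killed and its id reused while the supervisor works, and every received notification must be answered, since a target whose request is never answered stays blocked in the syscall.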
