Container Networking
The PubSub+ software event broker can run as either a rootful or a rootless container. Because unprivileged users cannot create networking interfaces on the host, whether the container runs as root or as a non-root user is the most important consideration for networking: it determines which networking modes are available to you (for example, a rootless container cannot use the runtime's bridge network). Other factors that influence networking are the number of clients that need to connect to the container, whether containers need to communicate with each other, and what security constraints exist in the environment.
The following sections describe the networking modes that are supported by PubSub+ software event broker containers and provide links to additional information that may be helpful.
Solace does not support the use of the HTTP_PROXY or HTTPS_PROXY environment variables in PubSub+ software event broker containers. Do not set these variables in your PubSub+ software event broker containers.
Rootful Mode
Rootful mode is the default for most container runtimes, and in this mode most container runtimes (including Docker and Podman) create a bridge network by default. The container runtime creates an interface for the container on an internal bridge network, which is then connected to other networks (or the Internet) using Network Address Translation (NAT). Unless otherwise specified, all containers on the host connect to that bridge network. With bridge networking, you must provide a mapping of ports between the container and the host.
Because all containers connect to the same bridge network and share the host's port space, you must configure your port mappings so that no two containers publish the same host port.
Another option for rootful containers is host networking. For this network mode, you specify the --network=host flag when you start the container. All container ports are exposed on the host. Host mode removes network isolation between the container and the host, and uses the host's networking directly.
Because it doesn't require network address translation (NAT), host mode networking can optimize performance when a container needs to handle a large range of ports.
Rootless Mode
For rootless Podman, the default network configuration is slirp4netns. The slirp4netns package provides user-mode networking for non-root users. It creates a tunnel from the host into the container to forward traffic. With slirp4netns, containers are completely isolated from each other. There is no virtual network, so in order to communicate with each other, containers can use port mappings with the host system, or they can be put into a Pod where they share the same network namespace.
Podman supports two port handlers:
- port_handler=rootlesskit: Use rootlesskit for port forwarding. This is the default port handler. However, rootlesskit rewrites the source IP address of incoming packets to an IP address in the container network namespace (usually 10.0.2.100), and the PubSub+ event broker requires knowledge of the real client source IP addresses (for example, for ACL and logging purposes).
- port_handler=slirp4netns: Use slirp4netns for port forwarding. This port handler preserves the correct source IP address. We recommend this port handler. Because it is not the default, you must specify port_handler=slirp4netns when you create the container (for example, --network=slirp4netns:port_handler=slirp4netns).
Due to a known issue in Podman v4.0.2, event broker redundancy does not come up successfully for rootless container deployments when the redundancy service ports have been mapped in ranges using the slirp4netns port handler. This issue has been fixed in Podman v4.0.3.
Podman also supports host mode (--net=host) with rootless containers. Note that with a rootless container running in host network mode, subsequent podman exec commands to that container will not join the host network namespace because it is owned by root.
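The following added shell example (not Solace's own tooling) puts the rootful and rootless guidance above into one helper: it composes the network and port-publishing arguments for a `podman run` invocation based on the invoking user's UID, and checks that two brokers on the same host do not collide in the host port space. The port list, the host-port offset scheme, the image name, and the container names are assumptions made for the example; the `--network=slirp4netns:port_handler=slirp4netns` syntax is Podman's.

```shell
#!/bin/sh
# Added example, not part of the PubSub+ documentation or product.
# Assumed list of broker listen ports to publish (constructed for the example).
BROKER_PORTS="8080 55555 8008 1883 5672 9000"

# broker_net_args UID OFFSET [MODE]
#   Print the podman network arguments for one broker.
#   UID    : uid of the user starting the container (0 = rootful)
#   OFFSET : number added to each container port to form the host port,
#            so several brokers can share one host without colliding
#   MODE   : "auto" (default) or "host"
broker_net_args() {
  uid="$1"; offset="${2:-0}"; mode="${3:-auto}"

  if [ "$mode" = host ]; then
    # Host mode: no NAT and no port publishing; every broker port lands on
    # the host directly. Rootful or rootless, this removes network isolation.
    printf '%s' "--network=host"
    return 0
  fi

  if [ "$uid" -eq 0 ]; then
    # Rootful: the runtime's default bridge network plus explicit -p mappings.
    args="--network=bridge"
  else
    # Rootless: slirp4netns with the slirp4netns port handler, so the broker
    # sees the real client source IP rather than rootlesskit's 10.0.2.100.
    args="--network=slirp4netns:port_handler=slirp4netns"
  fi

  for p in $BROKER_PORTS; do
    args="$args -p $((p + offset)):$p"
  done
  printf '%s' "$args"
}

# host_ports_collide OFFSET_A OFFSET_B
#   Return 0 (true) if two brokers published with these offsets would map
#   any of their ports onto the same host port, 1 otherwise. A naive
#   "add N" scheme can still collide, e.g. 8008+72 == 8080+0.
host_ports_collide() {
  a="$1"; b="$2"
  for p in $BROKER_PORTS; do
    for q in $BROKER_PORTS; do
      [ $((p + a)) -eq $((q + b)) ] && return 0
    done
  done
  return 1
}

# Usage (assumed image and container names), for example:
#   podman run -d --name solace1 $(broker_net_args "$(id -u)" 0)    solace/solace-pubsub-standard
#   podman run -d --name solace2 $(broker_net_args "$(id -u)" 1000) solace/solace-pubsub-standard
# Before starting the second broker:
#   host_ports_collide 0 1000 && echo "offset 1000 collides with offset 0"
```

Run the collision check before starting each additional bridge- or slirp4netns-mode broker; host mode has no offsets to check because it bypasses port publishing entirely, which is also why only one broker in host mode fits on a host.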
Summary of Supported Networking Options
The following table lists the networking options for rootful and rootless mode that are supported by PubSub+ software event broker containers.
Mode | Supported Network-Driver | Details |
---|---|---|
Rootful | Bridge | The default network mode for most runtimes in rootful mode, including Docker and Podman. |
Rootful | Host | Removes network isolation between the container and the host, and uses the host's networking directly. Support is provided for only one physical interface per container. For best performance, use of the |
Rootless | Host | Removes network isolation between the container and the host, and uses the host's networking directly. Note: Host mode gives the container full access to local system services such as D-Bus and is therefore considered insecure. |
Rootless | slirp4netns | Provides user-mode networking for unprivileged network namespaces. This is the default for rootless Podman. |
Next Steps
For more information about container networking with Podman, see:
- Basic Networking Guide for Podman
- Configuring container networking with Podman (Red Hat documentation)
- Shortcomings of Rootless Podman
For more information about container networking with Docker, see:
- Networking overview (Docker documentation)
For a detailed discussion about rootless containers in general, see: