Container Networking

The PubSub+ software event broker can run as either a rootful or rootless container. Because unprivileged users cannot create networking interfaces on the host, whether the container is running as a root or a non-root user is the most important consideration for networking. This determines the networking mode that can be used. Other factors that influence networking are the number of clients that need to connect to the container, whether containers need to communicate with each other, and what security constraints there are in the environment.

This section discusses the networking modes that are supported by PubSub+ software event broker containers and provides some links to additional information that may be helpful.

Rootful Mode

Rootful mode is the default for most container runtimes , and in this mode, most container runtimes (including Docker and Podman) create a bridge network by default. The container runtime creates an interface for the container on an internal bridge network, which is then connected to other networks (or the Internet) using Network Address Translation (NAT). Unless otherwise specified, all containers in the host connect to that bridge network. With bridge networking, you have to provide a mapping of the ports between the containers and the host.

Because the containers all connect to the same network, you must configure your port mappings so that they don't collide in the host port space.

Another option for rootful containers is host networking. For this network mode, you specify the --network=host flag when you start the container. All container ports are exposed on the host. Host mode removes network isolation between the container and the host, and uses the host’s networking directly.

Because it doesn't require network address translation (NAT), host mode networking can optimize performance when a container needs to handle a large range of ports.

Rootless Mode

For rootless Podman, the default network configuration is slirp4netns. The slirp4netnspackage provides user-mode networking for non-root users. It creates a tunnel from the host into the container to forward traffic. With slirp4netns, containers are completely isolated from each other. There is no virtual network, so in order to communicate with each other, containers can use port mappings with the host system, or they can be put into a Pod where they share the same network namespace.

Podman supports two port handlers:

  • port_handler=rootlesskit: Use rootlesskit for port forwarding. This is the default port handler.

    We recommend using the slirp4netns port handler, which is not the default (that is, you must specify port_handler=slirp4netns when you create the container). This is because the PubSub+ event broker requires knowledge of source IP addresses, but rootlesskit changes the source IP address of incoming packets to an IP address in the container network namespace (usually

  • port_handler=slirp4netns: Use the slirp4netns port forwarding. This port handler preserves the correct source IP address.

Due to a known issue in Podman v4.0.2, event broker redundancy does not come up successfully for rootless container deployments when the redundancy service ports have been mapped in ranges using the slirp4netns port handler. This issue has been fixed in Podman v4.0.3.

Podman also supports host mode (--net=host) with rootless containers. Note that with a rootless container running with host network mode, subsequent podman exec commands to that container will not join the host network namespace because it is owned by root.


The following table lists the networking options for rootful and rootless mode that are supported by PubSub+ containers.

Mode Supported Network-Driver Details


The default network mode for most runtimes in rootful mode, including Docker and Podman.


Removes network isolation between the container and the host, and uses the host’s networking directly.

Support is provided for only one physical interface per container.

For best performance, use of the host network driver is recommended wherever possible, especially in use cases with large numbers of client connections.



Removes network isolation between the container and the host, and uses the host’s networking directly.

Note: The host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.


Provides user-mode networking for unprivileged network namespaces. This is the default for rootless Podman.

Next Steps

For more information about container networking with Podman, see:

For more information about container networking with Docker, see:

For a detailed discussion about rootless containers in general, see: