BBVA/kvm

Run without privileged container

pwFoo opened this issue · 3 comments

pwFoo commented

Is `--privileged` needed because of /dev/macvtap0?
RancherVM works fine without it and doesn't need privileged containers.

I read something about performance reasons. Is it really needed, or could it be changed to run without `--privileged`?

pwFoo commented

Could macvtap be the reason of the network issue (#5)?

Maybe you should move back to a Linux bridge on the master branch and create a macvtap testing branch?

Please next time use (or open) another, more suitable issue or thread for such comments, as the last comment is more related to issue #5. Thanks!

Macvtap / macvlan works flawlessly with the CentOS base container.

When moving to Alpine we noticed that there is no connectivity between the VM host (Alpine) and the VM, so there is no DHCP. More specifically, there is no communication between the macvlan and macvtap devices, but both devices do communicate with external hosts if their IPs are correctly configured.

Connectivity with the outside works in both cases, so it would be possible to use the Alpine container with an external DHCP server, or a fixed IP in the VM. We have tested the latter successfully.

The `docker run` invocation with `--privileged` is needed because the macvlan/macvtap devices are passed to KVM as file descriptors:
`-netdev tap,id=net0,vhost=on,fd=3 3<>/dev/macvtap26c5d3`

Macvlan/macvtap devices are used in this container because they dramatically improve network performance compared to bridge devices. Indeed, with macvtap you can achieve near line-rate speed.

I've tried to add all capabilities when running the container without success.

AFAIK there's no way to run the container without privileged mode.

I encourage anyone to reopen this issue if they find any way to run the container without privileged mode. Thanks!
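The fd-passing the maintainer describes above (`-netdev tap,...,fd=3 3<>/dev/macvtapXXXX`), as an added example that is not part of the BBVA/kvm project: a POSIX shell script that resolves a macvtap interface to the character device QEMU is handed on fd 3, reads its major:minor from sysfs, and assembles the `-netdev` argument. `SYSFS_ROOT` is a hypothetical override (on a real host the tree is `/sys/class/net`) so the resolution logic can be exercised against a constructed directory tree without creating interfaces; the `/dev/tap<ifindex>` naming and the `macvtap/tap<ifindex>/dev` sysfs file are how the kernel exposes macvtap devices. The script only computes the pieces: actually launching QEMU this way still requires the tap node to exist inside the container and permission to open it (plus `/dev/vhost-net` for `vhost=on`), which is what `--privileged` provides, and the thread reports that granting capabilities alone did not suffice.

```shell
#!/bin/sh
# Added example (not BBVA/kvm code): resolve a macvtap interface to the
# character device that QEMU receives on an inherited fd (fd=3 3<>/dev/tapN).
# SYSFS_ROOT is a hypothetical override; on a real host it is /sys/class/net.
SYSFS_ROOT="${SYSFS_ROOT:-/sys/class/net}"

# ifindex of interface $1, read from sysfs.
macvtap_ifindex() {
    cat "$SYSFS_ROOT/$1/ifindex"
}

# /dev node backing macvtap interface $1: the kernel names it /dev/tap<ifindex>.
macvtap_dev_path() {
    idx=$(macvtap_ifindex "$1") || return 1
    printf '/dev/tap%s\n' "$idx"
}

# major:minor of that node, from <SYSFS_ROOT>/<if>/macvtap/tap<ifindex>/dev.
# This is what you need when the node is absent inside a container.
macvtap_dev_numbers() {
    idx=$(macvtap_ifindex "$1") || return 1
    cat "$SYSFS_ROOT/$1/macvtap/tap$idx/dev"
}

# mknod command that would recreate the node (needs CAP_MKNOD in the container).
macvtap_mknod_cmd() {
    numbers=$(macvtap_dev_numbers "$1") || return 1
    printf 'mknod /dev/tap%s c %s %s\n' "$(macvtap_ifindex "$1")" \
        "${numbers%%:*}" "${numbers#*:}"
}

# QEMU -netdev argument binding netdev id $2 to the inherited fd $1.
qemu_netdev_args() {
    printf '%s\n' "-netdev tap,id=$2,vhost=on,fd=$1"
}

# Usage on the host. The real launch needs root or --privileged, because QEMU
# must open the tap node (redirected here onto fd 3) and /dev/vhost-net:
#   dev=$(macvtap_dev_path macvtap0)
#   qemu-system-x86_64 ... $(qemu_netdev_args 3 net0) \
#       -device virtio-net-pci,netdev=net0 3<>"$dev"
```

The `3<>"$dev"` redirection opens the tap node read/write on fd 3 in the shell before QEMU starts, so QEMU inherits an already-open descriptor and never has to open the device itself; that is why the node, and the right to open it, must be visible inside the container at launch time.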