@@ -9,7 +9,9 @@

 # External dependencies:

 # * newuidmap and newgidmap needs to be installed.

 # * /etc/subuid and /etc/subgid needs to be configured for the current user.

-# * Either slirp4netns (v0.3+) or VPNKit needs to be installed.

+# * Either one of slirp4netns (v0.3+), VPNKit, lxc-user-nic needs to be installed.

+#   slirp4netns is used by default if installed. Otherwise fallsback to VPNKit.

+#   The default value can be overridden with $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic)

 #

 # See the documentation for the further information.

@@ -35,24 +37,32 @@ if [ -z $rootlesskit ]; then

 	exit 1

 fi

-net=""

-mtu=""

-if which slirp4netns >/dev/null 2>&1; then

-	if slirp4netns --help | grep -- --disable-host-loopback; then

-		net=slirp4netns

-		mtu=65520

-	else

-		echo "slirp4netns does not support --disable-host-loopback. Falling back to VPNKit."

-	fi

-fi

+: "${DOCKERD_ROOTLESS_ROOTLESSKIT_NET:=}"

+: "${DOCKERD_ROOTLESS_ROOTLESSKIT_MTU:=}"

+net=$DOCKERD_ROOTLESS_ROOTLESSKIT_NET

+mtu=$DOCKERD_ROOTLESS_ROOTLESSKIT_MTU

 if [ -z $net ]; then

-	if which vpnkit >/dev/null 2>&1; then

-		net=vpnkit

-		mtu=1500

-	else

-		echo "Either slirp4netns (v0.3+) or vpnkit needs to be installed"

-		exit 1

+	if which slirp4netns >/dev/null 2>&1; then

+		if slirp4netns --help | grep -- --disable-host-loopback; then

+			net=slirp4netns

+			if [ -z $mtu ]; then

+				mtu=65520

+			fi

+		else

+			echo "slirp4netns does not support --disable-host-loopback. Falling back to VPNKit."

+		fi

 	fi

+	if [ -z $net ]; then

+		if which vpnkit >/dev/null 2>&1; then

+			net=vpnkit

+		else

+			echo "Either slirp4netns (v0.3+) or vpnkit needs to be installed"

+			exit 1

+		fi

+	fi

+fi

+if [ -z $mtu ]; then

+	mtu=1500

 fi

 if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then

@@ -66,7 +76,8 @@ if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then

 	#         (by either systemd-networkd or NetworkManager)

 	# * /run: copy-up is required so that we can create /run/docker (hardcoded for plugins) in our namespace

 	$rootlesskit \

-		--net=$net --mtu=$mtu --disable-host-loopback --port-driver=builtin \

+		--net=$net --mtu=$mtu \

+		--disable-host-loopback --port-driver=builtin \

 		--copy-up=/etc --copy-up=/run \

 		$DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \

 		$0 $@

@@ -20,7 +20,6 @@ $ grep ^$(whoami): /etc/subgid

 penguin:231072:65536

 ```

-* Either [slirp4netns](https://github.com/rootless-containers/slirp4netns) (v0.3+) or [VPNKit](https://github.com/moby/vpnkit) needs to be installed. slirp4netns is preferred for the best performance.

 ### Distribution-specific hint

@@ -82,3 +81,12 @@ To route ping packets, you need to set up `net.ipv4.ping_group_range` properly a

 ```console

 $ sudo sh -c "echo 0   2147483647  > /proc/sys/net/ipv4/ping_group_range"

 ```

+

+### Changing network stack

+

+`dockerd-rootless.sh` uses [slirp4netns](https://github.com/rootless-containers/slirp4netns) (if installed) or [VPNKit](https://github.com/moby/vpnkit) as the network stack by default.

+These network stacks run in userspace and might have performance overhead. See [RootlessKit documentation](https://github.com/rootless-containers/rootlesskit/tree/v0.4.0#network-drivers) for further information.

+

+Optionally, you can use `lxc-user-nic` instead for the best performance.

+To use `lxc-user-nic`, you need to edit [`/etc/lxc/lxc-usernet`](https://github.com/rootless-containers/rootlesskit/tree/v0.4.0#--netlxc-user-nic-experimental) and set `$DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic`.

+

@@ -1,7 +1,7 @@

 #!/bin/sh

-# v0.3.0

-ROOTLESSKIT_COMMIT=70e0502f328bc5ffb14692a7ea41abb77196043b

+# v0.4.0

+ROOTLESSKIT_COMMIT=e92d5e772ee7e103aecf380c5874a40c52876ff0

 install_rootlesskit() {

 	case "$1" in