rootless: properly support `--net=host` and localhost registries by AkihiroSuda · Pull Request #47103 · moby/moby

AkihiroSuda · 2024-01-18T10:01:26Z

Now dockerd-rootless.sh launches RootlessKit with --detach-netns
so as to run the daemon in the host network namespace.

The libnetwork namespaces are allocated inside the "detached" netns
($ROOTLESSKIT_STATE_DIR/netns) that is associated with slirp4netns,
vpnkit, pasta, etc., as the rootless daemon has no CAP_NET_ADMIN for
the host network namespace.

This will enable:

Accelerated (and deflaked) docker pull, docker push, docker build, etc
Proper support for docker pull 127.0.0.1:.../...
Proper support for dockern run --net=host

See also:

NOTE: libnetwork contains code generated by Claude Code

- What I did

Accelerated (and deflaked) docker pull, docker push, docker build, etc
Proper support for docker pull 127.0.0.1:.../...
Proper support for dockern run --net=host

- How I did it
Execute the rootless daemon in the host network namespace.

Prior to this PR, the daemon was executed in a network namespace created by RootlessKit.

- How to verify it
CI should be green

- Description for the changelog

rootless: Properly support `--net=host` and localhost registries

- A picture of a cute animal (not mandatory but encouraged)
🐧

AkihiroSuda · 2026-04-01T18:03:09Z

Changed the milestone; assuming this is not a breaking change, right?

Assumed so, but Hyrum's Law may potentially apply 🤷‍♂️

thaJeztah · 2026-04-01T21:45:43Z

Yeah, I think we should be able to ignore Hyrum for now; we'll see if there's a large outcry

Oh! Let me put this on the v29.3.2 milestone; I think we'll be renaming that one (easier than "moving")

thaJeztah

🙈 left some comments; let me know what you think. Could also use input from others 😅

thaJeztah · 2026-04-01T22:39:50Z

+			// For rootless + host netns, we can't mount sysfs.
+			// We can't (non-recursively) bind mount /sys, either.
+			//
+			// TODO: consider to just rbind /sys from the host with rro,
+			// when rro is available (kernel >= 5.12, runc >= 1.1).
+			//
+			// Relevant: https://github.com/moby/buildkit/blob/v0.12.4/util/rootless/specconv/specconv_linux.go#L15-L34
+			// https://github.com/containerd/nerdctl/pull/2723


Thanks for the comments with links; always useful as bread-crumb ❤️

Should we create a tracking-ticket for the TODO? (kernel-versions came up recently; we should probably look if we can do feature-detection if we don't have that yet, but also look what distros are still on < v5(.12)

Yes, let's open a tracking ticket when this PR is merged

thaJeztah

LGTM

@vvoland @robmry PTAL

AkihiroSuda · 2026-04-03T17:50:15Z

CI failure is irrelevant:

CI began to fail on 2026-04-03: xargs: unmatched single quote; by default quotes are special to xargs unless you use the -0 option #52300

Now `dockerd-rootless.sh` launches RootlessKit with `--detach-netns` so as to run the daemon in the host network namespace. The libnetwork namespaces are allocated inside the "detached" netns (`$ROOTLESSKIT_STATE_DIR/netns`) that is associated with slirp4netns, vpnkit, pasta, etc., as the rootless daemon has no `CAP_NET_ADMIN` for the host network namespace. This will enable: - Accelerated (and deflaked) `docker pull`, `docker push`, `docker build`, etc - Proper support for `docker pull 127.0.0.1:.../...` - Proper support for `dockern run --net=host` See also: - rootless-containers/rootlesskit PR 379 - containerd/nerdctl PR 2723 NOTE: libnetwork contains code generated by Claude Code Signed-off-by: Akihiro Suda <[email protected]>

vvoland

LGTM, thanks!

AkihiroSuda · 2026-04-25T15:44:23Z

Merged, as the PR has been approved and the master branch is now thawed for v29.5.

Docs PR:

engine/security/rootless: update for Docker Engine v29.5 docker/docs#24645

AkihiroSuda added kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. area/networking Networking impact/changelog area/rootless Rootless Mode labels Jan 18, 2024

AkihiroSuda added this to the 26.0.0 milestone Jan 18, 2024

AkihiroSuda commented Jan 18, 2024

View reviewed changes

Comment thread contrib/dockerd-rootless.sh

AkihiroSuda force-pushed the detach-netns branch 2 times, most recently from 625ffe3 to 9110315 Compare January 18, 2024 13:31

This comment was marked as resolved.

Sign in to view

vvoland modified the milestones: 26.0.0, v-future Feb 26, 2024

AkihiroSuda force-pushed the detach-netns branch 2 times, most recently from c93736a to 0cf5b8d Compare October 21, 2024 12:18

AkihiroSuda mentioned this pull request Oct 21, 2024

update to go1.23.2 #48715

Merged

AkihiroSuda force-pushed the detach-netns branch from 0cf5b8d to b8d5d56 Compare October 21, 2024 15:06

This comment was marked as duplicate.

Sign in to view

This comment was marked as resolved.

Sign in to view

AkihiroSuda force-pushed the detach-netns branch from b8d5d56 to b55597b Compare October 22, 2024 08:48

AkihiroSuda force-pushed the detach-netns branch from b55597b to 78e50bb Compare October 29, 2024 13:20

AkihiroSuda mentioned this pull request Nov 15, 2024

libnet/d/bridge: port mappings: filter by input iface #48721

Merged

AkihiroSuda force-pushed the detach-netns branch from 78e50bb to 09328ff Compare December 2, 2024 18:01

AkihiroSuda force-pushed the detach-netns branch from 09328ff to e140646 Compare January 20, 2025 05:40

This was referenced Oct 31, 2025

Rootless Docker daemon fails to start when DOCKERD_ROOTLESS_ROOTLESSKIT_NET is set to host #51363

Closed

dockerd-rootless.sh: reject DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host #51379

Merged

thaJeztah mentioned this pull request Nov 5, 2025

[28.x backport] dockerd-rootless.sh: reject DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host #51395

Merged

AkihiroSuda mentioned this pull request Mar 12, 2026

--net host does not allow access to open sockets with rootless Docker, except from other containers on the same host #40865

Closed

AkihiroSuda force-pushed the detach-netns branch from e140646 to 138dd4f Compare March 12, 2026 20:16

github-actions Bot added area/security/apparmor area/security area/daemon Core Engine labels Mar 12, 2026

thaJeztah modified the milestones: 29.4.0, 29.3.2 Apr 1, 2026

thaJeztah reviewed Apr 1, 2026

View reviewed changes

vvoland modified the milestones: 29.4.0, 29.5.0 Apr 3, 2026

AkihiroSuda force-pushed the detach-netns branch 3 times, most recently from 662078a to 6ead1b0 Compare April 3, 2026 11:12

github-actions Bot added the platform/windows label Apr 3, 2026

thaJeztah reviewed Apr 3, 2026

View reviewed changes

Comment thread daemon/daemon_unix.go

thaJeztah approved these changes Apr 3, 2026

View reviewed changes

AkihiroSuda force-pushed the detach-netns branch from 6ead1b0 to 920de6a Compare April 5, 2026 22:07

AkihiroSuda mentioned this pull request Apr 7, 2026

engine/security/rootless: update for Docker Engine v29.5 docker/docs#24645

Open

3 tasks

AkihiroSuda removed the platform/windows label Apr 7, 2026

AkihiroSuda requested a review from vvoland April 9, 2026 11:28

vvoland reviewed Apr 9, 2026

View reviewed changes

Comment thread contrib/dockerd-rootless.sh Outdated

Comment thread daemon/libnetwork/internal/nftables/nft_exec_linux.go Outdated

AkihiroSuda force-pushed the detach-netns branch from 920de6a to 84aedb8 Compare April 9, 2026 17:06

github-actions Bot added the platform/windows label Apr 9, 2026

AkihiroSuda mentioned this pull request Apr 9, 2026

Docker: --net=host will be properly supported in Docker v29.5 rootless-containers/rootlesscontaine.rs#82

Open

vvoland approved these changes Apr 10, 2026

View reviewed changes

vvoland removed the platform/windows label Apr 10, 2026

AkihiroSuda requested a review from thaJeztah April 13, 2026 23:35

AkihiroSuda requested a review from vvoland April 24, 2026 22:21

AkihiroSuda merged commit b8dffa4 into moby:master Apr 25, 2026
185 checks passed

AkihiroSuda mentioned this pull request Apr 25, 2026

integration: reduce skip.If(t, testEnv.IsRootless) #52464

Merged

Conversation

AkihiroSuda commented Jan 18, 2024 • edited by vvoland Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

This comment was marked as resolved.

This comment was marked as duplicate.

This comment was marked as resolved.

AkihiroSuda commented Apr 1, 2026

Uh oh!

thaJeztah commented Apr 1, 2026

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

thaJeztah Apr 1, 2026

Choose a reason for hiding this comment

Uh oh!

AkihiroSuda Apr 3, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

AkihiroSuda commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

vvoland left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

AkihiroSuda commented Apr 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

AkihiroSuda commented Jan 18, 2024 •

edited by vvoland

Loading

AkihiroSuda commented Apr 3, 2026 •

edited

Loading

AkihiroSuda commented Apr 25, 2026 •

edited

Loading