Diffstat (limited to 'content/docs/user_guide/networking.md')
-rw-r--r--content/docs/user_guide/networking.md36
1 files changed, 36 insertions, 0 deletions
diff --git a/content/docs/user_guide/networking.md b/content/docs/user_guide/networking.md
new file mode 100644
index 000000000..09d4b9789
--- /dev/null
+++ b/content/docs/user_guide/networking.md
@@ -0,0 +1,36 @@
++++
+title = "Networking"
+weight = 50
++++
+gVisor implements its own network stack called [netstack][netstack]. All aspects
+of the network stack are handled inside the Sentry — including TCP connection
+state, control messages, and packet assembly — keeping it isolated from the host
+network stack. Data link layer packets are written directly to the virtual
+device inside the network namespace setup by Docker or Kubernetes.
+
+A network passthrough mode is also supported, but comes at the cost of reduced
+isolation.
+
+## Enabling network passthrough
+
+For high-performance networking applications, you may choose to disable the user
+space network stack and instead use the host network stack. Note that this mode
+decreases the isolation to the host.
+
+Add the following `runtimeArgs` to your Docker configuration
+(`/etc/docker/daemon.json`) and restart the Docker daemon:
+
+```json
+{
+ "runtimes": {
+ "runsc": {
+ "path": "/usr/local/bin/runsc",
+ "runtimeArgs": [
+ "--network=host"
+ ]
+ }
+ }
+}
+```
+
+[netstack]: https://github.com/google/netstack
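Review bot: The "Enabling network passthrough" section says to "Add the following `runtimeArgs`", but the snippet is a complete `runtimes` object rather than a fragment; a reader who already has other `runtimeArgs` for `runsc` (or other runtimes in `daemon.json`) and pastes this verbatim will replace them. Suggest rewording to "add `--network=host` to the `runtimeArgs` of the `runsc` runtime, as in:" so the example reads as an illustration rather than the full file. The isolation warning could also say what is actually lost: with `--network=host` the sandbox's traffic is no longer handled by netstack inside the Sentry and instead goes through the host network stack, which is the first paragraph's stated reason for keeping it isolated. Minor: "namespace setup by Docker" should read "namespace set up by Docker".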