Update RootlessKit (3.0.0)

AkihiroSuda · AkihiroSuda · commit 0888d0a13067 · 2026-04-06T08:27:08.000+09:00
- slirp4netns is no longer needed as gvisor-tap-vsock is now embedded in RootlessKit.
  slirp4netns is still used when installed.
- The `builtin` port driver can now correctly propagate the source IP.

Signed-off-by: Akihiro Suda &lt;akihiro.suda.cz@hco.ntt.co.jp&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -28,8 +28,7 @@ ARG STARGZ_SNAPSHOTTER_VERSION=v0.18.1@BINARY
 # Extra deps: Encryption
 ARG IMGCRYPT_VERSION=v2.0.2@6892f4df2405cd15acbefd1dca970f53ba38bfda
 # Extra deps: Rootless
-ARG ROOTLESSKIT_VERSION=v2.3.6@BINARY
-ARG SLIRP4NETNS_VERSION=v1.3.3@BINARY
+ARG ROOTLESSKIT_VERSION=v3.0.0-beta.0@BINARY
 # Extra deps: bypass4netns
 ARG BYPASS4NETNS_VERSION=v0.4.2@aa04bd3dcc48c6dae6d7327ba219bda8fe2a4634
 # Extra deps: FUSE-OverlayFS
@@ -194,14 +193,6 @@ RUN git clone --quiet --depth 1 --branch "${IMGCRYPT_VERSION%%@*}" https://githu
   git-checkout-tag-with-hash.sh "${IMGCRYPT_VERSION}" && \
   CGO_ENABLED=0 make && DESTDIR=/out make install && \
   echo "- imgcrypt: ${IMGCRYPT_VERSION%%@*}" >> /out/share/doc/nerdctl-full/README.md
-ARG SLIRP4NETNS_VERSION
-RUN SLIRP4NETNS_VERSION=${SLIRP4NETNS_VERSION%%@*}; \
-  fname="slirp4netns-$(cat /target_uname_m)" && \
-  curl -o "${fname}" -fsSL --retry 5 --retry-delay 5 --retry-max-time 120 --connect-timeout 20 --proto '=https' --tlsv1.2 "https://github.com/rootless-containers/slirp4netns/releases/download/${SLIRP4NETNS_VERSION}/${fname}" && \
-  grep "${fname}" "/SHA256SUMS.d/slirp4netns-${SLIRP4NETNS_VERSION}" | sha256sum -c && \
-  mv "${fname}" /out/bin/slirp4netns && \
-  chmod +x /out/bin/slirp4netns && \
-  echo "- slirp4netns: ${SLIRP4NETNS_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG BYPASS4NETNS_VERSION
 COPY --from=build-bypass4netns /out/${TARGETARCH:-amd64}/* /out/bin/
 RUN echo "- bypass4netns: ${BYPASS4NETNS_VERSION%%@*}" >> /out/share/doc/nerdctl-full/README.md
@@ -256,7 +247,6 @@ RUN --mount=type=secret,id=github_token,env=GITHUB_TOKEN \
 
 RUN echo "" >> /out/share/doc/nerdctl-full/README.md && \
   echo "## License" >> /out/share/doc/nerdctl-full/README.md && \
-  echo "- bin/slirp4netns:    [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/${SLIRP4NETNS_VERSION%%@*}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/containers/fuse-overlayfs/blob/${FUSE_OVERLAYFS_VERSION%%@*}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- bin/{runc,bypass4netns,bypass4netnsd}: Apache License 2.0, statically linked with libseccomp ([LGPL 2.1](https://github.com/seccomp/libseccomp/blob/main/LICENSE), source code available at https://github.com/seccomp/libseccomp/)" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- bin/tini: [MIT License](https://github.com/krallin/tini/blob/${TINI_VERSION%%@*}/LICENSE)" >> /out/share/doc/nerdctl-full/README.md && \
@@ -390,5 +380,7 @@ CMD ["/test-integration-rootless.sh", "./hack/test-integration.sh"]
 FROM test-integration-rootless AS test-integration-rootless-port-slirp4netns
 COPY ./Dockerfile.d/home_rootless_.config_systemd_user_containerd.service.d_port-slirp4netns.conf /home/rootless/.config/systemd/user/containerd.service.d/port-slirp4netns.conf
 RUN chown -R rootless:rootless /home/rootless/.config
+RUN apt-get update -qq && apt-get install -qq --no-install-recommends \
+  slirp4netns
 
 FROM base AS demo
diff --git a/Dockerfile.d/SHA256SUMS.d/rootlesskit-v2.3.6 b/Dockerfile.d/SHA256SUMS.d/rootlesskit-v2.3.6
diff --git a/Dockerfile.d/SHA256SUMS.d/rootlesskit-v3.0.0-beta.0 b/Dockerfile.d/SHA256SUMS.d/rootlesskit-v3.0.0-beta.0
@@ -0,0 +1,6 @@
+db73b5d1e8ae3f46c9613ac9eb5bfc2f1fb30fd2de04ed3af6f9f5758549d4ef  rootlesskit-aarch64.tar.gz
+6ecf3229e591fe4546af1f108650e7f5028bc207110169f343cfb32e018396e3  rootlesskit-armv7l.tar.gz
+220aa1b46969bf0d29b6bb68d0e9ec7f721237d4690069527c82b8ff0d212582  rootlesskit-ppc64le.tar.gz
+ddd23d643fa4db4b1196026e65a95bbe3ae3d7ba485a4718b8164d2cd17f631b  rootlesskit-riscv64.tar.gz
+31cc838d515e3a1622c4322d2d417d3e602b825af62d66e34d0366b4582f6758  rootlesskit-s390x.tar.gz
+f43c5c82f279820fa85fcf0e2d238d066460bfebe0f7488f5ec6b963f6406009  rootlesskit-x86_64.tar.gz
diff --git a/Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.3 b/Dockerfile.d/SHA256SUMS.d/slirp4netns-v1.3.3
diff --git a/README.md b/README.md
@@ -134,9 +134,8 @@ In addition to containerd, the following components should be installed:
   - v1.1.0 or later is highly recommended.
 - [BuildKit](https://github.com/moby/buildkit) (OPTIONAL): for using `nerdctl build`. BuildKit daemon (`buildkitd`) needs to be running. See also [the document about setting up BuildKit](./docs/build.md).
   - v0.11.0 or later is highly recommended. Some features, such as pruning caches with `nerdctl system prune`, do not work with older versions.
-- [RootlessKit](https://github.com/rootless-containers/rootlesskit) and [slirp4netns](https://github.com/rootless-containers/slirp4netns) (OPTIONAL): for [Rootless mode](./docs/rootless.md)
-  - RootlessKit needs to be v0.10.0 or later. v2.0.0 or later is recommended.
-  - slirp4netns needs to be v0.4.0 or later. v1.1.7 or later is recommended.
+- [RootlessKit](https://github.com/rootless-containers/rootlesskit) (OPTIONAL): for [Rootless mode](./docs/rootless.md)
+  - RootlessKit needs to be v0.10.0 or later. v3.0.0 or later is recommended.
 
 These dependencies are included in `nerdctl-full-<VERSION>-<OS>-<ARCH>.tar.gz`, but not included in `nerdctl-<VERSION>-<OS>-<ARCH>.tar.gz`.
 
diff --git a/docs/faq.md b/docs/faq.md
@@ -311,9 +311,9 @@ See also:
 - https://rootlesscontaine.rs/getting-started/containerd/
 
 ### `nerdctl run -p <PORT>` does not propagate source IP
-Expected behavior with the default `rootlesskit` port driver.
+Make sure that nerdctl is running with RootlessKit v3.0 or later.
 
-The solution is to change the port driver to `slirp4netns` (sacrifices performance).
+For older version of RootlessKit, change the port driver to `slirp4netns` (sacrifices performance).
 
 See https://rootlesscontaine.rs/getting-started/containerd/#changing-the-port-forwarder .
 
diff --git a/docs/rootless.md b/docs/rootless.md
@@ -153,9 +153,9 @@ More detail is available at [https://github.com/rootless-containers/bypass4netns
 Rootless containerd recognizes the following environment variables to configure the behavior of [RootlessKit](https://github.com/rootless-containers/rootlesskit):
 
 * `CONTAINERD_ROOTLESS_ROOTLESSKIT_STATE_DIR=DIR`: the rootlesskit state dir. Defaults to `$XDG_RUNTIME_DIR/containerd-rootless`.
-* `CONTAINERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic)`: the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "vpnkit".
-* `CONTAINERD_ROOTLESS_ROOTLESSKIT_MTU=NUM`: the MTU value for the rootlesskit network driver. Defaults to 65520 for slirp4netns, 1500 for other drivers.
-* `CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns)`: the rootlesskit port driver. Defaults to "builtin" (this driver does not propagate the container's source IP address and always uses 127.0.0.1. Please check [Port Drivers](https://github.com/rootless-containers/rootlesskit/blob/master/docs/port.md#port-drivers) for more details).
+* `CONTAINERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|pasta|gvisor-tap-vsock|lxc-user-nic)`: the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "gvisor-tap-vsock".
+* `CONTAINERD_ROOTLESS_ROOTLESSKIT_MTU=NUM`: the MTU value for the rootlesskit network driver. Defaults to 65520 or 1500, depending on the network driver.
+* `CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns|implicit|gvisor-tap-vsock)`: the rootlesskit port driver. Defaults to "builtin".
 * `CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX=(auto|true|false)`: whether to protect slirp4netns with a dedicated mount namespace. Defaults to "auto".
 * `CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP=(auto|true|false)`: whether to protect slirp4netns with seccomp. Defaults to "auto".
 * `CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS=(auto|true|false)`: whether to launch rootlesskit with the "detach-netns" mode.
diff --git a/extras/rootless/containerd-rootless-setuptool.sh b/extras/rootless/containerd-rootless-setuptool.sh
@@ -104,7 +104,6 @@ cmd_entrypoint_check() {
 	init
 	INFO "Checking RootlessKit functionality"
 	if ! rootlesskit \
-		--net=slirp4netns \
 		--disable-host-loopback \
 		--copy-up=/etc --copy-up=/run --copy-up=/var/lib \
 		true; then
diff --git a/extras/rootless/containerd-rootless.sh b/extras/rootless/containerd-rootless.sh
@@ -28,14 +28,13 @@
 # External dependencies:
 # * newuidmap and newgidmap needs to be installed.
 # * /etc/subuid and /etc/subgid needs to be configured for the current user.
-# * RootlessKit (>= v0.10.0) needs to be installed. RootlessKit >= v2.0.0 is recommended.
-# * Either one of slirp4netns (>= v0.4.0), VPNKit, lxc-user-nic needs to be installed. slirp4netns >= v1.1.7 is recommended.
+# * RootlessKit (>= v0.10.0) needs to be installed. RootlessKit >= v3.0.0 is recommended.
 #
 # Recognized environment variables:
 # * CONTAINERD_ROOTLESS_ROOTLESSKIT_STATE_DIR=DIR: the rootlesskit state dir. Defaults to "$XDG_RUNTIME_DIR/containerd-rootless".
-# * CONTAINERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic): the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "vpnkit".
-# * CONTAINERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver. Defaults to 65520 for slirp4netns, 1500 for other drivers.
-# * CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns): the rootlesskit port driver. Defaults to "builtin".
+# * CONTAINERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|pasta|gvisor-tap-vsock|lxc-user-nic): the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "gvisor-tap-vsock".
+# * CONTAINERD_ROOTLESS_ROOTLESSKIT_MTU=NUM: the MTU value for the rootlesskit network driver. Defaults to 65520 or 1500, depending on the network driver.
+# * CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=(builtin|slirp4netns|implicit|gvisor-tap-vsock): the rootlesskit port driver. Defaults to "builtin".
 # * CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX=(auto|true|false): whether to protect slirp4netns with a dedicated mount namespace. Defaults to "auto".
 # * CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP=(auto|true|false): whether to protect slirp4netns with seccomp. Defaults to "auto".
 # * CONTAINERD_ROOTLESS_ROOTLESSKIT_DETACH_NETNS=(auto|true|false): whether to launch rootlesskit with the "detach-netns" mode.
@@ -89,16 +88,20 @@ if [ -z "$_CONTAINERD_ROOTLESS_CHILD" ]; then
 				if [ -z "$mtu" ]; then
 					mtu=65520
 				fi
+				CONTAINERD_ROOTLESS_ROOTLESSKIT_FLAGS="--slirp4netns-sandbox=\"${CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX}\" $CONTAINERD_ROOTLESS_ROOTLESSKIT_FLAGS"
+				CONTAINERD_ROOTLESS_ROOTLESSKIT_FLAGS="--slirp4netns-seccomp=\"${CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP}\" $CONTAINERD_ROOTLESS_ROOTLESSKIT_FLAGS"
 			else
-				echo "slirp4netns found but seems older than v0.4.0. Falling back to VPNKit."
+				echo "slirp4netns found but seems older than v0.4.0. Falling back to other drivers."
 			fi
 		fi
 		if [ -z "$net" ]; then
 			if command -v vpnkit >/dev/null 2>&1; then
 				net=vpnkit
 			else
-				echo "Either slirp4netns (>= v0.4.0) or vpnkit needs to be installed"
-				exit 1
+				net=gvisor-tap-vsock
+				if [ -z "$mtu" ]; then
+					mtu=65520
+				fi
 			fi
 		fi
 	fi
@@ -148,8 +151,6 @@ if [ -z "$_CONTAINERD_ROOTLESS_CHILD" ]; then
 	exec rootlesskit \
 		--state-dir="$CONTAINERD_ROOTLESS_ROOTLESSKIT_STATE_DIR" \
 		--net="$net" --mtu="$mtu" \
-		--slirp4netns-sandbox="$CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SANDBOX" \
-		--slirp4netns-seccomp="$CONTAINERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP" \
 		--disable-host-loopback --port-driver="$CONTAINERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER" \
 		--copy-up=/etc --copy-up=/run --copy-up=/var/lib \
 		--propagation=rslave \
diff --git a/go.mod b/go.mod
@@ -55,7 +55,7 @@ require (
 	github.com/opencontainers/runtime-spec v1.3.0
 	github.com/pelletier/go-toml/v2 v2.3.0
 	github.com/rootless-containers/bypass4netns v0.4.2 //gomodjail:unconfined
-	github.com/rootless-containers/rootlesskit/v2 v2.3.6 //gomodjail:unconfined
+	github.com/rootless-containers/rootlesskit/v3 v3.0.0-beta.0 //gomodjail:unconfined
 	github.com/spf13/cobra v1.10.2 //gomodjail:unconfined
 	github.com/spf13/pflag v1.0.10 //gomodjail:unconfined
 	github.com/vishvananda/netlink v1.3.1 //gomodjail:unconfined
diff --git a/go.sum b/go.sum
@@ -275,8 +275,8 @@ github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0t
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rootless-containers/bypass4netns v0.4.2 h1:JUZcpX7VLRfDkLxBPC6fyNalJGv9MjnjECOilZIvKRc=
 github.com/rootless-containers/bypass4netns v0.4.2/go.mod h1:iOY28IeFVqFHnK0qkBCQ3eKzKQgSW5DtlXFQJyJMAQk=
-github.com/rootless-containers/rootlesskit/v2 v2.3.6 h1:m/26nAx0DbHZYaM46+uoQjfpu9G77QLzWj2jz25chO8=
-github.com/rootless-containers/rootlesskit/v2 v2.3.6/go.mod h1:pv+RESmjRmeUIOsEWOT1f8560CrdaQrDW0YsF4K5kAY=
+github.com/rootless-containers/rootlesskit/v3 v3.0.0-beta.0 h1:BvDDYccKpLwmkU6OFTTWjSCJexRsX3vm8VNz917vKCg=
+github.com/rootless-containers/rootlesskit/v3 v3.0.0-beta.0/go.mod h1:oQzTSEo6ZBlbpvA0HVbi98bXUB24CQkpT2+BSAfLS/g=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw=
 github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
diff --git a/pkg/bypass4netnsutil/bypass.go b/pkg/bypass4netnsutil/bypass.go
@@ -25,7 +25,7 @@ import (
 
 	b4nnapi "github.com/rootless-containers/bypass4netns/pkg/api"
 	"github.com/rootless-containers/bypass4netns/pkg/api/daemon/client"
-	rlkclient "github.com/rootless-containers/rootlesskit/v2/pkg/api/client"
+	rlkclient "github.com/rootless-containers/rootlesskit/v3/pkg/api/client"
 
 	"github.com/containerd/errdefs"
 	"github.com/containerd/go-cni"
diff --git a/pkg/ocihook/ocihook.go b/pkg/ocihook/ocihook.go
@@ -33,7 +33,7 @@ import (
 	types100 "github.com/containernetworking/cni/pkg/types/100"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	b4nndclient "github.com/rootless-containers/bypass4netns/pkg/api/daemon/client"
-	rlkclient "github.com/rootless-containers/rootlesskit/v2/pkg/api/client"
+	rlkclient "github.com/rootless-containers/rootlesskit/v3/pkg/api/client"
 
 	"github.com/containerd/go-cni"
 	"github.com/containerd/log"
diff --git a/pkg/ocihook/rootless_linux.go b/pkg/ocihook/rootless_linux.go
@@ -19,7 +19,7 @@ package ocihook
 import (
 	"context"
 
-	rlkclient "github.com/rootless-containers/rootlesskit/v2/pkg/api/client"
+	rlkclient "github.com/rootless-containers/rootlesskit/v3/pkg/api/client"
 
 	"github.com/containerd/go-cni"
 
diff --git a/pkg/ocihook/rootless_other.go b/pkg/ocihook/rootless_other.go
@@ -22,7 +22,7 @@ import (
 	"context"
 	"fmt"
 
-	rlkclient "github.com/rootless-containers/rootlesskit/v2/pkg/api/client"
+	rlkclient "github.com/rootless-containers/rootlesskit/v3/pkg/api/client"
 
 	"github.com/containerd/go-cni"
 )
diff --git a/pkg/rootlessutil/port_linux.go b/pkg/rootlessutil/port_linux.go
@@ -20,8 +20,8 @@ import (
 	"context"
 	"net"
 
-	"github.com/rootless-containers/rootlesskit/v2/pkg/api/client"
-	"github.com/rootless-containers/rootlesskit/v2/pkg/port"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/api/client"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/port"
 
 	"github.com/containerd/errdefs"
 	"github.com/containerd/go-cni"
diff --git a/pkg/rootlessutil/rootlessutil_linux.go b/pkg/rootlessutil/rootlessutil_linux.go
@@ -24,7 +24,7 @@ import (
 	"strconv"
 
 	"github.com/containernetworking/plugins/pkg/ns"
-	"github.com/rootless-containers/rootlesskit/v2/pkg/api/client"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/api/client"
 )
 
 func IsRootless() bool {
diff --git a/pkg/rootlessutil/rootlessutil_other.go b/pkg/rootlessutil/rootlessutil_other.go
@@ -25,7 +25,7 @@ package rootlessutil
 import (
 	"fmt"
 
-	"github.com/rootless-containers/rootlesskit/v2/pkg/api/client"
+	"github.com/rootless-containers/rootlesskit/v3/pkg/api/client"
 )
 
 // Always returns false on non-Linux platforms.
