From ef47155cdf9cb8f02ed1eb73792b6f30f025f667 Mon Sep 17 00:00:00 2001 From: librelad Date: Tue, 26 May 2026 23:28:05 +0100 Subject: [PATCH] feat(rootless): make pasta the actual default in network_rootless MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The installer (rootless_docker.sh:123) already defaulted CFG_ROOTLESS_NET to pasta when unset — but the bundled configs/network/network_rootless shipped CFG_ROOTLESS_NET=slirp4netns with a description warning about the AppArmor caveat. That made the WebUI Config page surface slirp4netns as the selected option even though the install script preferred pasta if unset, and the warning told users they'd have to hand-relax the AppArmor profile if they switched. Both are now obsolete: - CFG_ROOTLESS_NET=pasta is now the explicit default in the bundled config (matches the installer's implicit default). - Description drops the AppArmor manual-fix warning since the installer applies the local override automatically (installRootlessApparmorForPasta, shipped in the previous commit). Dropdown order swapped too — pasta now top of the list as the recommended option, slirp4netns kept as 'legacy fallback'. The live install on this box already runs pasta (manually flipped during debugging); the CFG file was synced to match so a future rootless reinstall doesn't revert. Signed-off-by: librelad --- configs/network/network_rootless | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/network/network_rootless b/configs/network/network_rootless index 5067a20..45bd106 100644 --- a/configs/network/network_rootless +++ b/configs/network/network_rootless 
@@ -2,4 +2,4 @@ # Rootless Networking - Network stack and behaviour for rootless Docker **ADVANCED** # ================================================================================ -CFG_ROOTLESS_NET=slirp4netns # Rootless Network Driver - Network stack for rootless Docker; slirp4netns (default): reliable everywhere; pasta: faster and preserves the real client source IP BUT on Debian the shipped passt AppArmor profile denies the ptrace it needs to open the container netns, so the daemon won't start unless that profile is relaxed. The matching rootlesskit port driver is selected automatically. **ADVANCED** [slirp4netns:slirp4netns (default, reliable)|pasta:Pasta (faster, needs AppArmor override)] +CFG_ROOTLESS_NET=pasta # Rootless Network Driver - Network stack for rootless Docker. pasta (default): actively maintained, preserves the real client source IP on inbound connections, lower idle CPU; slirp4netns: legacy fallback, maintenance-only upstream. The matching rootlesskit port driver is selected automatically. On Debian, the installer also applies the local AppArmor override pasta needs (see scripts/docker/install/rootless/rootless_apparmor.sh) so this is a single-toggle switch. **ADVANCED** [pasta:Pasta (default, actively maintained)|slirp4netns:slirp4netns (legacy fallback)]
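Review bot: the new `CFG_ROOTLESS_NET=pasta` description, in its sentence "On Debian, the installer also applies the local AppArmor override pasta needs", no longer says what that override relaxes or what failure looks like without it. The removed line recorded that the shipped passt AppArmor profile denies the ptrace needed to open the container netns and that the daemon won't start. With pasta now the default, I would keep a short clause naming the relaxed permission and the symptom, so an admin can audit the change to the confinement policy and recognise the failure if the override is not in place. The "single-toggle switch" wording also only holds if the override is applied when the option is changed on an existing slirp4netns install, not just at install time. The description should say which of the two it is, or tell the user to re-run the rootless install after switching.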