Ski supports two ways of networking:

- The original Socket Filtering or Berkeley Packet Filter (BPF) based networking that requires a distinct physical network interface for communication between the Ski instance and the host and network. Always enabled, unless explicitly disabled by using `--disable-netdev` or `--enable-tuntap` in the configure step.
- The newer TUN/TAP based networking that can work with a virtual TAP device, similar to QEMU/KVM. Only enabled with `--enable-tuntap` in the configure step.
In the BPF case Ski auto-ups the respective physical device on the host before use. The physical device on the host must not have an IP address configured; an IP address is configured for the emulated interface in the Ski instance instead. For this type of networking Ski has to run under the root account or needs the capabilities CAP_NET_ADMIN and CAP_NET_RAW. Set these with `setcap 'cap_net_raw=ep cap_net_admin=ep' ski`; with the capabilities set, Ski can run under an ordinary user account.
```
                          network
+------------|----------------------------|----------------+
| host       |                            |                |
|            |                            |                |
|  +---------+-----------+   +------------+-------------+  |
|  | host main interface |   | other physical interface |  |
|  +---------------------+   +------------+-------------+  |
|                                         |                |
|                               +---------+---------+      |
|                               |         |         |      |
|                               | +-------+-------+ |      |
|                               | | Ski interface | |      |
|                               | +---------------+ |      |
|                               |                   |      |
|                               | Ski instance      |      |
|                               +-------------------+      |
|                                                          |
+----------------------------------------------------------+
```
| What         | IP address/netmask |
|--------------|--------------------|
| network      | 172.16.0.0/16      |
| host         | 172.16.0.2/16      |
| Ski instance | 172.16.0.3/16      |
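The BPF mode above has two host-side preconditions that are easy to get wrong: the Ski binary must carry the two capabilities (or run as root), and the spare physical interface must have no IP address. The following script is an added example, not part of Ski, that checks both before launch. It assumes the binary is at `./ski` and the spare interface is `eth1` (override with `SKI_BIN` and `SPARE_IF`); the `getcap` output formats it parses are the ones printed by older and newer libcap releases.

```shell
#!/bin/sh
# Added example, not part of Ski: verify the host-side preconditions for
# BPF-based networking before launching Ski as an ordinary user.
# Assumed names: the Ski binary at ./ski and the spare physical interface
# eth1; override with SKI_BIN and SPARE_IF in the environment.

SKI_BIN="${SKI_BIN:-./ski}"
SPARE_IF="${SPARE_IF:-eth1}"

# caps_ok GETCAP_LINE
# Succeed if one line of getcap output grants cap_net_admin and cap_net_raw
# with both the effective (e) and permitted (p) flags, which is what
#   setcap 'cap_net_raw=ep cap_net_admin=ep' ski
# produces. Older libcap prints "ski = cap_net_admin,cap_net_raw+ep",
# newer libcap prints "ski cap_net_admin,cap_net_raw=ep"; both are handled.
caps_ok() {
    line="$1"
    caps="${line#* = }"                  # old format: text after " = "
    if [ "$caps" = "$line" ]; then
        caps="${line#* }"                # new format: text after the file name
    fi
    case "$caps" in *cap_net_admin*) ;; *) return 1 ;; esac
    case "$caps" in *cap_net_raw*)   ;; *) return 1 ;; esac
    flags="${caps##*[=+]}"               # flag letters after the last = or +
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
    return 0
}

# iface_addr_free IP_OUTPUT
# Succeed if the output of `ip -4 -o addr show dev IFACE` lists no inet
# address: the interface handed to Ski must carry no IP address on the host.
iface_addr_free() {
    case "$1" in
        *" inet "*) return 1 ;;
        *)          return 0 ;;
    esac
}

# bpf_precheck: run the real commands against the configured binary and
# interface and explain what is missing.
bpf_precheck() {
    if ! caps_ok "$(getcap "$SKI_BIN" 2>/dev/null)"; then
        echo "$SKI_BIN lacks cap_net_admin/cap_net_raw: run Ski as root or apply setcap" >&2
        return 1
    fi
    if ! ip link show dev "$SPARE_IF" >/dev/null 2>&1; then
        echo "$SPARE_IF: no such interface on this host" >&2
        return 1
    fi
    if ! iface_addr_free "$(ip -4 -o addr show dev "$SPARE_IF")"; then
        echo "$SPARE_IF still has an IPv4 address; remove it before using it with Ski" >&2
        return 1
    fi
    echo "$SKI_BIN may use $SPARE_IF for BPF networking as an ordinary user"
}

# Only run the live check when asked, so the functions can be sourced safely.
if [ "${RUN_CHECK:-0}" = "1" ]; then
    bpf_precheck
fi
```

Run it as `RUN_CHECK=1 SKI_BIN=/path/to/ski SPARE_IF=eth1 sh bpf-precheck.sh`; a non-zero exit names the missing precondition. The parsing is split out into `caps_ok` and `iface_addr_free` so it can be exercised on captured command output without touching the host.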
When the TAP device on the host was not pre-created before launching the Ski instance that uses it, Ski creates the TAP interface automatically (this requires Ski to run as root or with CAP_NET_ADMIN). When the device is pre-created before Ski is launched, Ski can run and use it as an ordinary user without any capabilities.
To allow network communication, the usual setup includes a host-local bridge that bridges the host's main network interface with the TAP device used by the Ski instance. The bridge has an IP address configured for communication with other networked hosts; the bridged interfaces have no IP address configured on the host. An IP address is configured for the emulated interface in the Ski instance, which in this case is the other end of the TAP device on the host.
```
           network
+------------|-----------------+
| host       |                 |
|            |                 |
|  +---------+-----------+     |
|  | host main interface |     |
|  +-----+--------+------+     |
|        | bridge |            |
|  +-----+--------+------+     |
|  |     TAP device      |     |
|  +---------+-----------+     |
|            |                 |
|            |                 |
|  +---------+---------+       |
|  |         |         |       |
|  | +-------+-------+ |       |
|  | | Ski interface | |       |
|  | +---------------+ |       |
|  |                   |       |
|  | Ski instance      |       |
|  +-------------------+       |
|                              |
+------------------------------+
```
| What         | IP address/netmask |
|--------------|--------------------|
| network      | 172.16.0.0/16      |
| host         | 172.16.0.2/16      |
| Ski instance | 172.16.0.3/16      |
NOTE: In the TUN/TAP case make sure that the TAP device on the host is always up before it is used inside Ski; otherwise the Ski instance will crash on first use. Ski does not auto-up the TAP device on the host in this case, as it would then always need to run as root or with the respective capabilities, and would lose the ability to be run under an ordinary user account.
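The bridge layout described above and the up-check from the NOTE can be carried out with the script below. It is an added example, not a script shipped with Ski, and assumes the host's main interface is `eth0`, the bridge is `br0`, the TAP device is `tap0`, and the unprivileged account that will run Ski is `skiuser`; the bridge takes the host address from the table. The setup commands need root; `DRY_RUN=1` only prints them.

```shell
#!/bin/sh
# Added example, not part of Ski: pre-create a TAP device and bridge it with
# the host's main interface so a Ski instance can use it as an ordinary user.
# Assumed names: main interface eth0, bridge br0, TAP device tap0 and the
# unprivileged account skiuser; the bridge takes the host address from the
# table above. Run as root; set DRY_RUN=1 to only print the commands.

MAIN_IF="${MAIN_IF:-eth0}"
BRIDGE="${BRIDGE:-br0}"
TAP="${TAP:-tap0}"
TAP_USER="${TAP_USER:-skiuser}"
BRIDGE_ADDR="${BRIDGE_ADDR:-172.16.0.2/16}"
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: echo the command, then execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    if [ "$DRY_RUN" != "1" ]; then
        "$@"
    fi
}

# tap_setup: build the layout from the bridge diagram. The TAP device is
# owned by the Ski user so that user can open it without CAP_NET_ADMIN; the
# main interface loses its address and the bridge carries it instead (on a
# remote host, run this from a console, not over the interface being moved).
tap_setup() {
    run ip tuntap add dev "$TAP" mode tap user "$TAP_USER"
    run ip link add name "$BRIDGE" type bridge
    run ip addr flush dev "$MAIN_IF"
    run ip link set dev "$MAIN_IF" master "$BRIDGE"
    run ip link set dev "$TAP" master "$BRIDGE"
    run ip addr add "$BRIDGE_ADDR" dev "$BRIDGE"
    run ip link set dev "$BRIDGE" up
    run ip link set dev "$TAP" up          # must be up before Ski touches it
}

# tap_is_up IFACE: succeed only if the device exists and is administratively
# up, the condition the NOTE above requires before the device is used in Ski.
# Read-only, so it can run unprivileged right before launching Ski.
tap_is_up() {
    ip link show dev "$1" 2>/dev/null | grep -qw UP
}

if [ "${RUN_SETUP:-0}" = "1" ]; then
    tap_setup
    tap_is_up "$TAP" || { echo "$TAP is not up; Ski would crash on first use" >&2; exit 1; }
fi
```

`DRY_RUN=1 RUN_SETUP=1 sh tap-bridge.sh` prints the eight commands without changing the host; `RUN_SETUP=1 sh tap-bridge.sh` as root applies them and fails loudly if the TAP device did not come up. The unprivileged Ski user can call `tap_is_up tap0` on its own before each launch, which is the cheap way to avoid the crash the NOTE describes.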