Long-Term Supported Versions

    Configuring Networking for a Secure Container

    Configuring Networking for a Secure Container Using CNI

    Container Network Interface (CNI), a project of Cloud Native Computing Foundation (CNCF), consists of a group of specifications and libraries for configuring network interfaces of Linux containers.

    Why is CNI required? There are various container platforms and network solutions (such as flannel and Calico). Manually adapting each new solution to the container platforms requires heavy workloads. With CNI, as long as a new network solution meets the CNI standard, the solution can provide network functions to all container platforms that comply with the CNI specifications.

    CNI plugins are independent executable files invoked by the upper-layer container management platform.

    Enabling CNI for a Secure Container

    Enable the following configuration item in the configuration.toml file:

    # If enabled, the network monitoring process gets started when the
    # sandbox is created. This allows for the detection of some additional
    # network being added to the existing network namespace, after the
    # sandbox has been created.
    # (default: disabled)
    enable_netmon = true
    # Specify the path to the netmon binary.
    path = "/usr/bin/kata-netmon"
    # If enabled, the runtime will not create a network namespace for shim and hypervisor processes.
    # This option may have some potential impacts to your host. It should only be used when you know what you're doing.
    # `disable_new_netns` conflicts with `enable_netmon`
    # `disable_new_netns` conflicts with `internetworking_model=tcfilter` and `internetworking_model=macvtap`. It works only
    # with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge
    # (like OVS) directly.
    # If you are using docker, `disable_new_netns` only works with `docker run --net=none`
    # (default: false)
    #disable_new_netns = true

    TAP-based Network Support

    The secure container technology is implemented based on VMs. For a physical machine system, a secure container is equivalent to a VM. Therefore, the secure container can connect the VM in the Neutron network to an external network by using the test access point (TAP) technology. You do not need to pay attention to TAP device creation and bridging. You only need to hot plug the specified TAP device (on an existing host) into the VM in the pause container and update the NIC information.

    Bug Catching

    Buggy Content

    Bug Description

    Submit As Issue

    It's a little complicated....

    I'd like to ask someone.


    Just a small problem.

    I can fix it online!

    Bug Type
    Specifications and Common Mistakes

    ● Misspellings or punctuation mistakes;

    ● Incorrect links, empty cells, or wrong formats;

    ● Chinese characters in English context;

    ● Minor inconsistencies between the UI and descriptions;

    ● Low writing fluency that does not affect understanding;

    ● Incorrect version numbers, including software package names and version numbers on the UI.


    ● Incorrect or missing key steps;

    ● Missing prerequisites or precautions;

    ● Ambiguous figures, tables, or texts;

    ● Unclear logic, such as missing classifications, items, and steps.


    ● Technical principles, function descriptions, or specifications inconsistent with those of the software;

    ● Incorrect schematic or architecture diagrams;

    ● Incorrect commands or command parameters;

    ● Incorrect code;

    ● Commands inconsistent with the functions;

    ● Wrong screenshots.

    Risk Warnings

    ● Lack of risk warnings for operations that may damage the system or important data.

    Content Compliance

    ● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

    ● Copyright infringement.

    How satisfied are you with this document

    Not satisfied at all
    Very satisfied
    Click to create an issue. An issue template will be automatically generated based on your feedback.
    Bug Catching
    编组 3备份