Description
Issue Description
I'm encountering unexpectedly high CPU load from pasta and rootlessport when running certain network operations.
Scenario 1 – Downloading large files:
Downloading Hetzner test files (although any large file download should do) from within a rootless container.
Scenario 2 – Wireguard VPN server:
Hosting a Wireguard server in a rootless container using the docker.io/linuxserver/wireguard image.
Steps to reproduce the issue
Steps to reproduce the issue:
Scenario 1:
- Run rootless container and download the test file to tmpfs:
podman container run \ --interactive \ --tty --rm \ --tmpfs /mnt \ --workdir /mnt \ debian /bin/bash -c 'apt update && apt install -y wget && wget https://ash-speed.hetzner.com/10GB.bin' - Monitor download speed reported by
wgetand CPU usage reported byhtop.
If Hetzner's Ashburn datacenter is far from you, check their other locations and modify the URL's subdomain as needed.
Scenario 2:
- Create a custom network.
podman network create testnet - Spawn a Wireguard server in a rootless container.
podman container run \ --deattach \ --rm \ --cap-add NET_RAW \ --cap-add NET_ADMIN \ --sysctl net.ipv4.conf.all.forwarding=1 \ --env PEERS=1 \ --network=testnet \ --publish 51820:51820/udp \ docker.io/linuxserver/wireguard - Install the client profile on a separate device using either the QR code provided in the server container's log or the
peer1.conffile stored within the container itself. - Run a speedtest first with multiple connections and then with only a single connection enabled.
- Observe CPU load via
htop.
Describe the results you received
Scenario 1:
When downloading Hetzner test files with wget in a rootless container I reach consistent download speeds of around ~43MiB/s, but htop reports the pasta process using ~40-43% CPU load.
Scenario 2:
Running a network speedtest on the client using results in extremely slow network speeds reported on the client and very high CPU load on the server. htop shows 90-100% CPU load from the pasta process and 10-17% CPU load from several rootlessport processes.
Wireguard's poor performance renders it essentially unusable. I was told the CPU load is unexpectedly high and that I should raise a bug report here. Please let me know if what I am encountering is actually to be expected from rootless containers.
Describe the results you expected
I expected less severe CPU load from the rootless networking backend and better performance/network speeds via the Wireguard VPN tunnel.
podman info output
host:
arch: amd64
buildahVersion: 1.37.1
cgroupControllers:
- cpu
- memory
- pids
cgroupManager: systemd
cgroupVersion: v2
conmon:
package: conmon-1:2.1.12-1
path: /usr/bin/conmon
version: 'conmon version 2.1.12, commit: e8896631295ccb0bfdda4284f1751be19b483264'
cpuUtilization:
idlePercent: 96.76
systemPercent: 2.25
userPercent: 0.99
cpus: 4
databaseBackend: sqlite
distribution:
distribution: arch
version: unknown
eventLogger: journald
freeLocks: 2046
hostname: fern
idMappings:
gidmap:
- container_id: 0
host_id: 1003
size: 1
- container_id: 1
host_id: 100000
size: 65536
- container_id: 65537
host_id: 165536
size: 65536
uidmap:
- container_id: 0
host_id: 1001
size: 1
- container_id: 1
host_id: 100000
size: 65536
- container_id: 65537
host_id: 165536
size: 65536
kernel: 6.10.5-arch1-1
linkmode: dynamic
logDriver: journald
memFree: 15708397568
memTotal: 16651931648
networkBackend: netavark
networkBackendInfo:
backend: netavark
dns:
package: aardvark-dns-1.12.1-1
path: /usr/lib/podman/aardvark-dns
version: aardvark-dns 1.12.1
package: netavark-1.12.2-1
path: /usr/lib/podman/netavark
version: netavark 1.12.2
ociRuntime:
name: crun
package: crun-1.16.1-1
path: /usr/bin/crun
version: |-
crun version 1.16.1
commit: afa829ca0122bd5e1d67f1f38e6cc348027e3c32
rundir: /run/user/1001/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
os: linux
pasta:
executable: /usr/bin/pasta
package: passt-2024_08_14.61c0b0d-1
version: |
pasta 2024_08_14.61c0b0d
Copyright Red Hat
GNU General Public License, version 2 or later
<https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
remoteSocket:
exists: false
path: /run/user/1001/podman/podman.sock
rootlessNetworkCmd: pasta
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
seccompProfilePath: /etc/containers/seccomp.json
selinuxEnabled: false
serviceIsRemote: false
slirp4netns:
executable: ""
package: ""
version: ""
swapFree: 6442446848
swapTotal: 6442446848
uptime: 0h 31m 3.00s
variant: ""
plugins:
authorization: null
log:
- k8s-file
- none
- passthrough
- journald
network:
- bridge
- macvlan
- ipvlan
volume:
- local
registries: {}
store:
configFile: /home/containers/.config/containers/storage.conf
containerStore:
number: 1
paused: 0
running: 1
stopped: 0
graphDriverName: overlay
graphOptions: {}
graphRoot: /storage/containers/storage
graphRootAllocated: 6001156685824
graphRootUsed: 94199808
graphStatus:
Backing Filesystem: btrfs
Native Overlay Diff: "true"
Supports d_type: "true"
Supports shifting: "false"
Supports volatile: "true"
Using metacopy: "false"
imageCopyTmpDir: /var/tmp
imageStore:
number: 3
runRoot: /run/user/1001/containers
transientStore: false
volumePath: /storage/containers/storage/volumes
version:
APIVersion: 5.2.1
Built: 1723672228
BuiltTime: Wed Aug 14 17:50:28 2024
GitCommit: d0582c9e1e6c80cc08c3f042b91993c853ddcbc6
GoVersion: go1.23.0
Os: linux
OsArch: linux/amd64
Version: 5.2.1Podman in a container
No
Privileged Or Rootless
Rootless
Upstream Latest Release
Yes
Additional environment details
Running a fresh Arch installation on an Intel NUC5i7RYH, which is connected to my home's router via ethernet. No other services or containers running during testing.
Additional information
The experience I described above is consistent.
Activity