Does "containerized socket activation" improve network performance?

[eriksjolund]

A reflection regarding using podman and socket activation:

The data communication in a "socket activated" socket does not go through slirp4netns when running rootless Podman.
Hopefully this means better network performance (throughput and latency).

I haven't done any benchmarking to verify this theory yet.

[eriksjolund]

I did a test with
https://github.com/eriksjolund/socket-activate-httpd

Test: download an ISO file (736 MB) 13 times

socket activation	download time
enabled	10 seconds
disabled	18 seconds

Technical details

Hardware

Computer: MacBook Pro (13-inch, M1, 2020)
OS: Monterey 12.3.1

Installation

I booted up a Fedora CoreOS image with QEMU and installed the systemd user service.
Downloading was performed inside the Fedora CoreOS VM.

time curl  127.0.0.1:8080/file.iso -o /dev/null --next  127.0.0.1:8080/file.iso -o /dev/null ...

The big ISO file was bind-mounted into the container by adding
-v /home/core/file.iso:/var/www/html/file.iso:Z
to the podman run command in /home/core/.config/systemd/user/httpd.service
To perform the download test without socket activation, I removed --network=none and added -p 8080:8080.
I also changed
Listen 127.0.0.1:8080
to
Listen 0.0.0.0:8080
and added
ServerName localhost:8080
to /etc/httpd/conf/httpd.conf. (I'm not sure that both modifications are needed though).

[Luap99]

I would recommend to use iperf3 to benchmark network performance because downloading a file has a bottle necks such as the underlying filesystem speed.

But I guess the application has to support socket activation which is not the case for iperf, esnet/iperf#1171

[Luap99]

Yes I think socket activation provides a better network bandwidth than slirp4netns.
The reason is simple, with socket activation systemd opens the socket in the host network namespace and then passes the fd down ito the container. Therefore all connections using this socket should have the same network performance as other applications on the host. There is no extra process involved.

However network bandwidth is not everything, some applications require low latency. Waiting for the container to start takes time which can be problematic.

Also often your application still requires extra outgoing connections so you still would need slirp4netns for that.

Also take a look at https://github.com/rootless-containers/bypass4netns which also opens sockets on the host namespace to improve speed.