Unsharing network namespaces isn’t only for assigning IP addresses; it is also essential to protect abstract UNIX sockets on the host from containerized processes, because abstract socket names are scoped to the network namespace, not to the filesystem. However, unsharing network namespaces for Rootless Containers isn’t straightforward, because vEth pairs cannot be created across UserNS boundaries without privileges. LXC uses a SETUID binary called lxc-user-nic to set up vEth pairs. Other implementations, including Docker/Moby and Podman, typically use TAP devices instea...
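The isolation point made above can be checked directly. The following is an added example, not code from the original text or from any of the projects it names; it assumes Linux, Python 3 and that the unprivileged `unshare(2)` syscall is reachable through libc via `ctypes` (the clone flag values are the ones from `<linux/sched.h>`, and the abstract socket name is a constructed placeholder). It binds an abstract UNIX socket standing in for a host daemon, shows that a process in the host network namespace can connect to it, then forks a child that unshares a user and network namespace the way a rootless container runtime would and probes the same name again. If the kernel refuses the unshare (for example, because unprivileged user namespaces are disabled or a seccomp filter blocks it), the probe reports that instead of guessing.

```python
import ctypes
import os
import socket

# Linux clone(2) flags as defined in <linux/sched.h>, passed to unshare(2).
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000

# Constructed abstract socket name: the leading NUL byte puts it in the
# abstract namespace, which is tied to the network namespace, not the filesystem.
ABSTRACT_NAME = b"\0demo-host-daemon"


def bind_abstract(name: bytes) -> socket.socket:
    """Create a listening abstract UNIX socket, standing in for a host daemon."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(name)
    srv.listen(1)
    return srv


def can_connect(name: bytes) -> bool:
    """True if an abstract socket of that name is reachable from the caller's netns."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        cli.connect(name)
        return True
    except ConnectionRefusedError:
        # No socket bound to that name in *this* network namespace.
        return False
    finally:
        cli.close()


def unshare_user_and_net() -> bool:
    """Call unshare(CLONE_NEWUSER | CLONE_NEWNET) without privileges; False if refused."""
    libc = ctypes.CDLL(None, use_errno=True)
    unshare = getattr(libc, "unshare", None)
    if unshare is None:  # not Linux
        return False
    return unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0


def reachable_after_unshare(name: bytes):
    """Fork a child that enters new user+net namespaces and probes the socket.

    Returns True/False for reachable/unreachable, or None when the kernel
    did not allow the unshare, so the caller can tell "isolated" from "untested".
    """
    pid = os.fork()
    if pid == 0:
        code = 2  # 2 = unshare not permitted (or unexpected failure)
        try:
            if unshare_user_and_net():
                code = 0 if can_connect(name) else 1
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)
    return {0: True, 1: False}.get(os.WEXITSTATUS(status))


def demo(name: bytes = ABSTRACT_NAME):
    """Return (reachable_from_host_netns, reachable_after_unshare)."""
    srv = bind_abstract(name)
    try:
        return can_connect(name), reachable_after_unshare(name)
    finally:
        srv.close()


if __name__ == "__main__":
    host, isolated = demo()
    print("reachable from host netns:", host)
    print("reachable after unshare(CLONE_NEWUSER|CLONE_NEWNET):",
          "unshare refused by kernel" if isolated is None else isolated)
```

The expected outcome on a kernel that permits unprivileged user namespaces is `(True, False)`: the same abstract name that the host can reach is simply absent once the process is in its own network namespace, which is the protection the text refers to. A container that shares the host network namespace (e.g. `--net=host`) would see `True` in both positions, so this probe is also a cheap way to verify that a rootless runtime really did unshare the network namespace rather than trusting its configuration.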