docker/containerd in netns

[antage]

Did anyone try to run docker.service/containerd.service with systemd-named-nets in own namespace?

I tried and commands like docker pull works fine but docker run can't start any container.

I hope someone knows a fix.

[Jamesits]

Docker must be able to manage net namespaces to work (unless you start every container with --network=host which I guess is not your use case). Thus Docker daemon itself cannot be in a net namespace.

There are a few workarounds I can think of:

• Set up a HTTP proxy for docker pull, and make all traffic from that proxy go through a net namespace
• Use weird nested namespace implementation, also known as docker-in-docker (one I can think of is https://www.nestybox.com/, but I'm not sure if it works for your use case)

I'll leave this issue open to see if anyone comes with a better idea.