systemd-named-netns

docker/containerd in netns

antage opened this issue 3 years ago • 1 comment

Did anyone try to run docker.service/containerd.service with systemd-named-netns in its own namespace?

I tried, and commands like docker pull work fine, but docker run can't start any container.

I hope someone knows a fix.

antage avatar Apr 04 '22 21:04 antage

Docker must be able to manage net namespaces to work (unless you start every container with --network=host which I guess is not your use case). Thus Docker daemon itself cannot be in a net namespace.

There are a few workarounds I can think of:

  • Set up an HTTP proxy for docker pull, and make all traffic from that proxy go through a net namespace
  • Use a weird nested namespace implementation, also known as docker-in-docker (one I can think of is https://www.nestybox.com/, but I'm not sure if it works for your use case)

I'll leave this issue open to see if anyone comes with a better idea.

Jamesits avatar Apr 05 '22 03:04 Jamesits
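The first workaround above (keep dockerd in the root namespace, but send its registry traffic through a forward proxy that lives inside the named netns) can be expressed as two systemd fragments. This is an added example, not code from the thread or from the systemd-named-netns project. It assumes: the namespace is called `vpn` and is provided by a unit named `netns@vpn.service` (the unit name is an assumption about the project; adjust it to whatever your setup actually creates); the namespace is bound at `/run/netns/vpn` (the `ip netns` convention that `NetworkNamespacePath=` expects); the namespace has a veth leg reachable from the host at the constructed address `10.0.0.2`; and `tinyproxy` is the forward proxy, listening on port `8888`. Any forward proxy will do.

```ini
# File 1: /etc/systemd/system/docker-pull-proxy.service  (hypothetical unit name)
#
# A forward proxy whose sockets are created inside the named netns, so every
# outbound connection it makes uses that namespace's routes and interfaces.
[Unit]
Description=Forward proxy inside the "vpn" netns for dockerd registry traffic
# Assumption: systemd-named-netns exposes the namespace as netns@vpn.service.
Requires=netns@vpn.service
After=netns@vpn.service

[Service]
# Enter the namespace before ExecStart runs; /run/netns/<name> is the
# "ip netns" bind-mount convention this directive expects.
NetworkNamespacePath=/run/netns/vpn
# tinyproxy is only an example; its config must bind to the veth address
# (10.0.0.2:8888 here, constructed) so the host-side dockerd can reach it.
ExecStart=/usr/bin/tinyproxy -d -c /etc/tinyproxy/docker-pull.conf
# Least privilege: the proxy needs no persistent identity or writable system dirs.
DynamicUser=yes
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes
Restart=on-failure

[Install]
WantedBy=multi-user.target

# File 2: /etc/systemd/system/docker.service.d/pull-proxy.conf
#
# dockerd reads HTTP_PROXY/HTTPS_PROXY/NO_PROXY from its environment and uses
# them for registry connections (docker pull, push, login, and the implicit
# pull done by docker run). Containers' own egress is NOT affected by this.
[Unit]
Requires=docker-pull-proxy.service
After=docker-pull-proxy.service

[Service]
Environment="HTTP_PROXY=http://10.0.0.2:8888" "HTTPS_PROXY=http://10.0.0.2:8888" "NO_PROXY=localhost,127.0.0.1"
```

After `systemctl daemon-reload && systemctl restart docker`, confirm the daemon picked up the variables with `systemctl show docker -p Environment`, and confirm the proxy is listening inside the namespace rather than in the root one with `ip netns exec vpn ss -ltnp`. Two caveats worth keeping in mind: only daemon-to-registry traffic is redirected, so a container that needs the VPN path itself still needs its own handling; and `HTTPS_PROXY` here is a plain-HTTP CONNECT proxy on a host-internal address, so the registry TLS session still terminates in dockerd, not in the proxy.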