One way to alleviate the problem at least for netlink library is to create a function which calls runtimeLockOSThread, sets into the required namespace and then opens a netlink socket using only raw syscall apis. One has to be careful in this code path to not invoke go runtime (i.e both socket and setns should be raw syscall apis) and not even trigger any allocations so that go runtime doesn't get a chance a spin a new OS thread. Once a socket is created in the required namespace you can get back to the caller namespace and return the socket fd. Now this socket fd is bound to that namespace and all netlink operations on that socket will happen in the target namespace.

Disclaimer: I am one of the original libnetwork authors and we have been aware of this issue with go for some time now.

>" I've personally built two container runtimes in other languages do to the namespace clumsiness."

Can you share any details on those other container runtimes?

One was a simplified runtime in c, similar to a stripped down version of systemd-nspawn. I can hopefully share the other one in a few weeks. I'm going through an open source approval process for it.

Thanks. It's an interesting topic. I hope you post it on HN then.

I completely agree, and I've been coming up with some ideas (based on runc) to see what sort of improvements can you have if you do a full redesign in a language that isn't as painful as Go to use.

At the moment I'm incredibly busy, but later this year I might be able to start working on that too.