Simple experiment with a mini-container and networking:

1) Download the mini-container runtime
   (https://retis.santannapisa.it/luca/VirTech/Src/mini-container-1.c)
   and the container's root filesystem
   (https://retis.santannapisa.it/luca/VirTech/Src/mini-rootfs.tgz)

2) Compile the mini runtime:
       make mini-container-1

3) Start the mini container:
       ./mini-container-1 $(pwd)/mini-rootfs.tgz

4) Inside the container, verify that no ethernet interface is present
   (by typing "ifconfig -a"). None of the network interfaces present on
   your host (try typing "ifconfig -a" on the host) are visible: this is
   the power of the network namespace!

5) On the host, create a virtual ethernet pair:
       sudo ip link add veth0 type veth peer name veth1
   Notice that you need "sudo" because "ip" needs the administrator's
   capabilities to create a virtual ethernet pair and to manipulate
   network interfaces.

6) Then, move one of the two virtual ethernet endpoints inside the
   container:
       sudo ip netns attach testns <PID>
       sudo ip link set veth1 netns testns
   (here, "<PID>" is the process identifier --- PID --- of the shell
   running in the container, as seen on the host: type "ps ax" on the
   host to know it --- it should be the first process after
   "./mini-container-1 /tmp/mini-rootfs.tgz").
   + Simple exercise: modify mini-container-1.c to print this PID (or
     save it in some text file)

7) Configure and bring up the virtual ethernet endpoint which is still
   visible on the host:
       sudo ip addr add 10.0.0.1/24 dev veth0
       sudo ip link set veth0 up
   (note: these commands must be executed on the host; also, notice that
   "10.0.0.1/24" is just an example)

8) Configure and bring up the virtual ethernet endpoint which is visible
   in the container:
       ip addr add 10.0.0.2/24 dev veth1
       ip link set veth1 up
   (note: these commands must be executed in the container's shell).
   Notice that in this case "sudo" is not needed, because inside the
   container you are root: this is the power of the user namespace!!!

At this point the container and the host can communicate through veth1
and veth0. Try pinging 10.0.0.1 from the container, then try bringing
the host's veth down and see what happens... Try using netcat (the "nc"
command) to send some data from the container to the host and
vice-versa.

Finally, notice that this solution is not suitable for rootless
containers: you need root access to create the virtual ethernet pair and
to work on veth0 and veth1. If you want rootless networking for
containers, you need something like slirp4netns!
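
The isolation observed in step 4 and the host-side PID needed in step 6 can be reproduced in a few lines of C. This is an added example, not the code of mini-container-1.c: it assumes the runtime isolates its shell with new user and network namespaces, and the function names count_ifaces() and isolated_netns_check() are made up for the illustration.

```c
#define _GNU_SOURCE
#include <net/if.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count the interfaces visible in the caller's network namespace;
 * *only_lo is set to 1 when every one of them is the loopback device. */
static int count_ifaces(int *only_lo)
{
    struct if_nameindex *list = if_nameindex();
    int n = 0;
    *only_lo = 1;
    if (list == NULL) return -1;
    for (struct if_nameindex *i = list; i->if_index != 0; i++, n++)
        if (strcmp(i->if_name, "lo") != 0) *only_lo = 0;
    if_freenameindex(list);
    return n;
}

/* Fork a child that enters new user + network namespaces (assumed to be
 * what the mini runtime does) and reports which interfaces it can see.
 * Returns 1 if it saw nothing but "lo", 0 if host interfaces leaked in,
 * -1 if the namespaces could not be created (e.g. unprivileged user
 * namespaces disabled on this kernel). */
int isolated_netns_check(void)
{
    pid_t pid = fork();
    int status;
    if (pid < 0) return -1;
    if (pid == 0) {
        int only_lo;
        if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0) _exit(2);
        if (count_ifaces(&only_lo) < 0) _exit(2);
        _exit(only_lo ? 0 : 1);
    }
    /* fork() returns the child's PID as seen on the host: the value step 6 needs */
    printf("child PID on the host: %d\n", (int)pid);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 2) return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("new namespace shows only lo: %d\n", isolated_netns_check());
    return 0;
}
```

No "sudo" is involved: creating the user namespace together with the network namespace is what lets an unprivileged process get its own, empty network stack.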