Setns per container or ...?

Am I right that one container needs exactly one namespace, so there is no need for multiple setns calls for one command from the LXD client?

I am still trying to figure out how to speed up lxc file copy. https://github.com/lxc/lxd/issues/3317

You need one setns per namespace per container.

For file transfers, you’d need setns of at least USER and MNT + setuid down to root in the container. This can’t be done within the main LXD daemon as setns will affect anything running in the particular thread and so may break other goroutines.

So the only way to do this sanely is to spawn a sub-process which then performs the two setns calls, changes uid/gid to root in the container and then performs the file operation.

This is precisely what LXD does today.
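
The sub-process pattern described in the answer above, as an added C example (not LXD's own code and not part of the original posts). It assumes an unprivileged container with its own user namespace and a caller running as root on the host; `run_in_container` and `probe_hostname` are hypothetical names.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/sched.h>   /* CLONE_NEWUSER, CLONE_NEWNS */
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Join one namespace of process `pid` via /proc/<pid>/ns/<name>.
   Uses the raw syscall, equivalent to glibc's setns(fd, nstype). */
static int join_ns(pid_t pid, const char *name, int nstype)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%d/ns/%s", (int)pid, name);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int ret = (int)syscall(SYS_setns, fd, nstype);
    close(fd);
    return ret;
}

/* Child only: one setns per namespace (USER, then MNT), then drop to
   root as seen inside the container before touching any file. */
static int enter_and_run(pid_t pid, int (*op)(void))
{
    if (join_ns(pid, "user", CLONE_NEWUSER) < 0) return 10;
    if (join_ns(pid, "mnt", CLONE_NEWNS) < 0) return 11;
    if (setgid(0) < 0 || setuid(0) < 0) return 12;
    return op();
}

/* Parent: fork so setns only affects the short-lived, single-threaded child.
   Returns the child's exit code, or -1 if fork/wait failed. */
int run_in_container(pid_t container_pid, int (*op)(void))
{
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) _exit(enter_and_run(container_pid, op));
    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical file operation: is /etc/hostname readable in the container? */
int probe_hostname(void) { return access("/etc/hostname", R_OK) == 0 ? 0 : 20; }

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <container-init-pid>\n", argv[0]); return 2; }
    return run_in_container((pid_t)atoi(argv[1]), probe_hostname);
}
```

Exit codes 10, 11 and 12 identify which step failed (user namespace, mount namespace, uid/gid change); the parent's own namespaces and credentials are never modified.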