First, it’s not possible to setup user namespaces in pure Go.

That’s interesting!

The creation of a user namespace systematically fails with EINVAL if the program is threaded, and there is no way to unshare the user namespace before Go creates a thread.

So now I have my next experiment, trying if something like LockOSThread actually helps creating user namespaces or there’s more magic involved.