Comment 17 for bug 2056555

John Johansen (jjohansen) wrote :

@milev-philip:

Containers are a difficult case. Unfortunately, containers share the same kernel as the host. An application running in the container (Docker image) can use unprivileged user namespaces to compromise not just the container but the host as well.

There is the ability to turn the restriction off at the host. See the 24.04 release notes https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions

Container managers can also be modified to understand and disable the restriction for the container (LXD is doing this). But as noted above, when this is done, the container can be used to compromise the host via a kernel exploit.
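The host-wide toggle mentioned in the comment above, as an added example that is not part of the bug thread and not code from the commenter or from AppArmor. The sysctl key `kernel.apparmor_restrict_unprivileged_userns` and the `/etc/sysctl.d/60-apparmor-namespace.conf` drop-in follow the linked 24.04 release notes; the function names and the `path` parameter on the check are this example's own, added so the logic can be exercised against a constructed file on a machine that lacks the AppArmor knob.

```shell
#!/bin/sh
# Added example (not from the bug thread): inspect, and optionally relax,
# Ubuntu 24.04's AppArmor restriction on unprivileged user namespaces.
# Sysctl key and drop-in path per the 24.04 release notes; helper names
# are this example's own.

SYSCTL_KEY="kernel.apparmor_restrict_unprivileged_userns"
PROC_PATH="/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
DROPIN="/etc/sysctl.d/60-apparmor-namespace.conf"

# Report the restriction state from a procfs-style file.
# The path argument exists only so the check can run against a constructed
# file; on a real 24.04 host leave it empty to read the kernel's own knob.
# Prints one of: restricted, unrestricted, unavailable.
userns_restriction_state() {
    path="${1:-$PROC_PATH}"
    if [ ! -r "$path" ]; then
        # Kernel without the AppArmor patch set: no restriction is in force.
        echo "unavailable"
        return 0
    fi
    case "$(tr -d '[:space:]' < "$path")" in
        1) echo "restricted" ;;
        0) echo "unrestricted" ;;
        *) echo "unavailable" ;;
    esac
}

# Render the sysctl.d line that persists the host-wide setting across reboots.
# value is 0 (restriction off, the step the comment describes) or 1 (default).
render_sysctl_dropin() {
    value="$1"
    case "$value" in
        0|1) ;;
        *) echo "render_sysctl_dropin: value must be 0 or 1" >&2; return 1 ;;
    esac
    printf '%s=%s\n' "$SYSCTL_KEY" "$value"
}

# Apply the setting live and persist it. Requires root and is not called by
# default. Once set to 0, every process on the host, including those inside
# containers, can create user namespaces again and reach the kernel attack
# surface the comment warns about.
apply_userns_restriction() {
    value="$1"
    render_sysctl_dropin "$value" > "$DROPIN" || return 1
    sysctl -w "$SYSCTL_KEY=$value"
}

# Stand-alone run: just report the current state, change nothing.
echo "unprivileged userns restriction: $(userns_restriction_state)"
```

Run it unprivileged to see whether the restriction is active; call `apply_userns_restriction 0` as root only after accepting the host-wide exposure described above. The same release notes also document a narrower alternative, a per-application AppArmor profile granting `userns,` to a single binary, which keeps the host-wide default in place.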