[bboreham]

> likely makes certain assumptions about how runc sets up containers

Nope. CNI takes as parameters a “container ID” (any string) and a network namespace path. No knowledge is needed or implied about how those things fit with actual containers.

[cyphar]

There are some circumstances where that might not work as seamlessly as possible (such as with user namespaces -- runc and LXC set those up slightly differently and run hooks in slightly different orders and contexts) but it wouldn't be too hard to get it to work. I did a quick search, and it turns out that making CNI work under LXC did require some patches (though I'm not sure if they were CNI or LXC patches -- the blog post doesn't link to either) but they were all merged a bit less than 2 years ago[1].

[1]: https://s3hh.wordpress.com/2017/10/19/cni-for-lxc/