Several new kernel features are under development which will improve the container experience. We will go over these features, explain how they benefit containers, and demonstrate each.
Several new kernel features are under development which, if successful, will improve the container experience. These include cgroup namespaces, loopback namespaces, FUSE mounts in unprivileged containers, targeted file capabilities, stacked AppArmor profiles, and udev message namespacing. These would allow containers without a "true" root user to create and mount filesystems, use file capabilities to reduce the root privilege used in the container, better virtualize cgroup usage, protect containers from their own workloads using AppArmor, and better delegate hotplugged devices to containers.
In this talk we'll go over these features and their current status (at the time of FOSDEM).
Speakers: Serge Hallyn