Talk: Containers unplugged: understanding user namespaces

User namespaces are at the heart of many interesting technologies that allow isolation and sandboxing of applications, for example running containers without root privileges and sandboxes for web browser plug-ins.

In this presentation, we'll look in detail at user namespaces, building up a basic understanding of what a user namespace is and going on to questions such as: what does being “superuser inside a user namespace” allow you do (and what does it not allow); what is the relationship between user namespaces and other namespace types (PID, UTS, network, etc.); and what are the security implications of user namespaces? We'll also explore some simple shell commands that can be used for creating and experimenting with user namespaces in order to better understand how they work. Along the way, there will hopefully be time for a few live demos. You will likely find it helpful to attend my other presentation, "Linux namespaces", beforehand, but this is not essential.