Filesystem mounts in user namespaces - Christian Brauner
User namespaces have become one of the most important security features for container workloads. But since they can be created by any user on the system, they restrict access to a wide range of features, including mounting of filesystems. In recent years a lot of work went into making mounts of filesystems from non-initial user namespaces safe. Starting with kernel 4.18, it is possible to mount FUSE filesystems in user namespaces. It is expected that overlayfs will follow in future kernel releases. In this talk we will take a closer look at the infrastructure that was added to the kernel, the underlying security mechanisms, and upcoming filesystems that might be available to unprivileged containers in the future.

Christian Brauner is a core developer and maintainer of the LXD and LXC projects. He works mostly upstream for Canonical as part of the Ubuntu Server team on the Linux kernel and lower-level problems. He's been active in the open source community for a long time and is a frequent speaker at various large Linux events; he is also strongly committed to working in the open, and a strong proponent of Free Software.

http://container.camp/ @containercamp

