On the Way to Safe Containers - Security and Resource Management in LXC and LXD

Explore the intricacies of container security in this 38-minute conference talk by Stephane Graber from Canonical. Delve into the security mechanisms employed by LXC and LXD to provide a VM-like experience for system containers. Learn about user namespaces, AppArmor, seccomp, capabilities, filesystem quotas, qdisc limits, and cgroups restrictions. Understand how these technologies work together to create containers that cannot harm the host, are root-safe, and resist DoS attacks when properly configured. Examine the limitations of current security measures, potential system vulnerabilities, and proposed solutions. Gain insights from Graber's expertise as the technical lead for LXD at Canonical and project leader for LXC and LXD. The talk covers an introduction to LXI, security aspects, resource and global limits, checkpoint restore functionality, and includes a demonstration of container restoration.