Overview
Explore how to secure filesystem images for unprivileged containers in this 42-minute conference talk by James Bottomley, a Distinguished Engineer at IBM. Learn the role User Namespaces play in container security: processes run with apparent privilege inside the container while remaining unprivileged from the host's perspective. Examine the challenges that filesystem writes pose in user namespaces and how they affect sharing images and archives among containers. Compare three proposed mechanisms for addressing these issues: shiftfs, userns portable roots, and filesystem mappings, weighing the advantages and disadvantages of each. Bottomley draws on his experience as a Linux Kernel maintainer and former Linux Foundation board member as he discusses solutions for container security and filesystem management.
Syllabus
Securing Filesystem Images for Unprivileged Containers by James Bottomley, IBM
Taught by
Linux Foundation