Christian Brauner

Software Engineer @ Canonical

Christian Brauner is a core developer and maintainer of the LXD and LXC projects. He works mostly upstream for Canonical as part of the Ubuntu Server team on the Linux Kernel and lower-level problems. He's been active in the open source community for a long time and is a frequent speaker at various large Linux events; he is also strongly committed to working in the open, and a strong proponent of Free Software.

Talk: Filesystem mounts in user namespaces

User namespaces have become one of the most important security features for container workloads. Because any user on the system can create one, the kernel restricts what a process in a non-initial user namespace may do, including which filesystems it may mount. In recent years a lot of work went into making mounts of filesystems from non-initial user namespaces safe. Starting with kernel 4.18 it is possible to mount FUSE filesystems in user namespaces, and overlayfs is expected to follow in a future kernel release. In this talk we will take a closer look at the infrastructure that was added to the kernel, the underlying security mechanisms, and the upcoming filesystems that might become available to unprivileged containers in the future.
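The mount restriction the abstract refers to can be observed directly: a process that enters a fresh user namespace becomes "root" there, but mount(2) only accepts filesystem types the kernel has flagged as safe for user namespaces. The probe below is an added example written for this page, not code from the speaker, LXD or LXC. It forks a child, moves it into a new user and mount namespace, maps the caller to uid 0 there, and then tries three mounts on a scratch directory: tmpfs (allowed in user namespaces for years), FUSE (allowed from 4.18 on, as the talk describes) and debugfs (chosen here as a stand-in for a filesystem that has never been allowed; it needs no block device, so the error is the kernel's permission check and not a missing disk). Assumptions: Linux with unprivileged user namespaces enabled, /proc mounted, a writable /tmp, and /dev/fuse present for the FUSE leg; each step reports its errno instead of failing hard so the output is still informative where one of those is missing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of each step: 0 = success, -1 = not reached, otherwise the errno. */
struct probe {
    char release[65];   /* running kernel version from uname(2) */
    int unshare_errno;  /* unshare(CLONE_NEWUSER | CLONE_NEWNS) */
    int map_errno;      /* writing uid_map / setgroups / gid_map */
    int tmpfs_errno;    /* tmpfs is allowed in user namespaces: expect 0 */
    int fuse_errno;     /* fuse allowed since 4.18: expect 0 there (ENOENT: no /dev/fuse) */
    int debugfs_errno;  /* debugfs is never allowed from a user namespace: expect EPERM */
};

/* 1 if "major.minor..." names a kernel >= 4.18, the first release that lets
 * FUSE be mounted from a non-initial user namespace; 0 otherwise. */
int kernel_allows_userns_fuse(const char *release)
{
    int major, minor;
    if (!release || sscanf(release, "%d.%d", &major, &minor) != 2)
        return 0;
    return major > 4 || (major == 4 && minor >= 18);
}

static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return errno;
    int err = write(fd, text, strlen(text)) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Map our uid/gid to 0 inside the new user namespace; only then does the
 * process hold CAP_SYS_ADMIN there, which mount(2) requires at all. */
static int map_self_to_root(uid_t uid, gid_t gid)
{
    char line[64];
    int err;
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)uid);
    if ((err = write_proc("/proc/self/uid_map", line)))
        return err;
    if ((err = write_proc("/proc/self/setgroups", "deny")))
        return err;
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)gid);
    return write_proc("/proc/self/gid_map", line);
}

/* Mount a filesystem of the given type on dir, return 0 or the errno, and
 * detach it again so the scratch directory can be reused. */
static int try_mount(const char *dir, const char *type, const char *opts)
{
    if (mount(type, dir, type, MS_NOSUID | MS_NODEV, opts) < 0)
        return errno;
    umount2(dir, MNT_DETACH);
    return 0;
}

/* A FUSE mount needs an open /dev/fuse descriptor; we never answer requests
 * on it, but mount(2) returning 0 already shows the kernel permits FUSE here. */
static int try_fuse_mount(const char *dir)
{
    char opts[96];
    int fd = open("/dev/fuse", O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return errno;
    snprintf(opts, sizeof opts, "fd=%d,rootmode=40000,user_id=0,group_id=0", fd);
    int err = try_mount(dir, "fuse", opts);
    close(fd);
    return err;
}

/* Run the three mount attempts in a child inside new user+mount namespaces
 * and collect the result over a pipe; the caller's namespaces stay untouched. */
struct probe run_probe(void)
{
    struct probe p = { "", -1, -1, -1, -1, -1 };
    struct utsname u;
    int pipefd[2];
    char dir[] = "/tmp/userns-probe-XXXXXX";   /* scratch mount point */

    if (uname(&u) == 0)
        snprintf(p.release, sizeof p.release, "%s", u.release);
    if (pipe(pipefd) < 0 || !mkdtemp(dir))
        return p;

    pid_t pid = fork();
    if (pid == 0) {
        uid_t uid = getuid();
        gid_t gid = getgid();
        p.unshare_errno = unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0 ? errno : 0;
        if (p.unshare_errno == 0)
            p.map_errno = map_self_to_root(uid, gid);
        if (p.map_errno == 0) {
            p.tmpfs_errno = try_mount(dir, "tmpfs", "size=1m");
            p.fuse_errno = try_fuse_mount(dir);
            p.debugfs_errno = try_mount(dir, "debugfs", NULL);
        }
        _exit(write(pipefd[1], &p, sizeof p) == (ssize_t)sizeof p ? 0 : 1);
    }
    close(pipefd[1]);
    if (pid > 0) {
        if (read(pipefd[0], &p, sizeof p) != (ssize_t)sizeof p)
            p.unshare_errno = ECHILD;   /* child died before reporting */
        waitpid(pid, NULL, 0);
    }
    close(pipefd[0]);
    rmdir(dir);
    return p;
}

int main(void)
{
    struct probe p = run_probe();
    printf("kernel %s, FUSE in user namespaces expected: %s\n", p.release,
           kernel_allows_userns_fuse(p.release) ? "yes" : "no");
    printf("unshare=%d map=%d tmpfs=%d fuse=%d debugfs=%d (0 ok, -1 skipped, else errno)\n",
           p.unshare_errno, p.map_errno, p.tmpfs_errno, p.fuse_errno, p.debugfs_errno);
    return 0;
}
```

Run it as an ordinary user: on a 4.18 or newer kernel with user namespaces enabled the expected line is `unshare=0 map=0 tmpfs=0 fuse=0 debugfs=1` (EPERM), on an older kernel `fuse=1` as well, and `unshare=1` means the distribution has disabled unprivileged user namespaces. The debugfs result never changes with kernel version: nothing a container does inside its own user namespace can unlock a filesystem type the kernel has not marked as safe for it.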
