User namespaces are at the heart of many interesting technologies that allow isolation and sandboxing of applications, for example running containers without root privileges and sandboxes for web browser plug-ins. In this presentation, we'll take a closer look at user namespaces, building up a basic understanding of what a user namespace is and going on to questions such as: what does being "superuser inside a user namespace" allow you do (and what does it not allow); what is the relationship between user namespaces and other namespace types (PID, UTS, network, etc.); and what are the security implications of user namespaces? We'll also explore some simple shell commands that can be used for creating and experimenting with user namespaces in order to better understand how they work. We'll conclude with a brief survey of some use cases for user namespaces.
Michael Kerrisk (http://man7.org/) is a trainer, engineer, and author of The Linux Programming Interface, a widely acclaimed book on Linux (and UNIX) system programming. His primary involvement with Linux is in testing, design review, and documentation of kernel-user-space interfaces. After 13 years, 19k commits, 181 releases, and over 400 manual pages written or cowritten, he is still the maintainer of the Linux man-pages project. Michael is a New Zealander, living in Munich, Germany.