The Building Blocks of Linux Containers and Sandboxes - Part I

More than a decade ago, work started on various Linux kernel features that allow processes to be isolated and contained. By now, these features, namely namespaces, cgroups (control groups), and seccomp (secure computing), have reached a level of maturity such that they are used in a wide variety of tools, such as Podman, Docker, LXC, Firejail, Flatpak, and various web browsers.

In this presentation, I'll provide a high-level view of each of these technologies and explain their role in securing applications, limiting resource consumption, and virtualizing the environment seen by running processes.

Michael Kerrisk

Michael Kerrisk is a trainer, author, and programmer who has a passion for investigating and explaining software systems. He is the author of "The Linux Programming Interface", a widely acclaimed book on Linux (and UNIX) system programming. He has been actively involved in the Linux development community since 2000, operating mainly in the area of testing, design review, and documentation of kernel-user-space interfaces. Since 2004, he has maintained the Linux "man-pages" project, which provides the primary documentation for Linux system calls and C library functions. Michael is a New Zealander, living in Munich, Germany, from where he operates a training business providing low-level Linux programming courses in Europe, North America, and occasionally further afield.