Video recording and post production done by OpenStack Foundation.
It is not generally considered safe to run untrusted code in a container as uid 0. You might have seen that in fine print at the bottom of a slide deck after being blown away by the long list of reasons that containers are totally awesome.
Luckily, that fine print is now a historical artifact.
User Namespaces are a feature added to the linux kernel in version 3.13. They allow for the root user inside the container to be an unprivileged user outside. This allows running of init or other process that expect to be run as root without risk.
The talk will describe how to use user namespaces and other linux security tools such as seccomp and LSM to safely run untrusted code inside a container. It will also discuss how techniques are used by the granite nova driver to provide secure containers via openstack compute api.