This talk will cover the differences between application sandboxes and containers. The best-known sandbox is Chrome's, which aims to provide "hard guarantees about what ultimately a piece of code can or cannot do no matter what its inputs are". At its core, the Linux Chrome sandbox uses namespaces along with seccomp and other native kernel features to provide these guarantees. Containers are composed of the same primitives. What is needed for containers to provide the same promise? Can it be done by default? What steps are already being taken to get towards containers that actually "contain"?
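To make the "hard guarantee" concrete, here is an added example (not code from the talk or from Docker) of the smallest seccomp-bpf filter that gives one: a process that may do anything except create a directory, where the kernel kills it on the attempt regardless of its input. It assumes Linux on x86_64 or aarch64 (it invokes `mkdirat` as a raw syscall because the libc `mkdir()` wrapper uses different syscalls on those two architectures); the function names are the example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Install a seccomp-bpf filter that kills the calling thread on mkdirat(2)
   and allows every other syscall. A production filter would also check
   seccomp_data.arch before trusting the syscall number. Returns 0 or -1. */
static int deny_mkdirat_filter(void)
{
    struct sock_filter filter[] = {
        /* Load the syscall number from the seccomp_data passed by the kernel. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* nr == __NR_mkdirat: fall through to KILL; otherwise skip to ALLOW. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* no_new_privs lets an unprivileged process install a filter safely. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child that installs the filter and then attempts mkdirat(2).
   Returns 1 if the kernel killed the child with SIGSYS (the guarantee held),
   0 if the child survived or the filter could not be installed. */
int blocked_syscall_kills_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        if (deny_mkdirat_filter() != 0)
            _exit(3); /* filter not installed: do not touch the filesystem */
        syscall(__NR_mkdirat, AT_FDCWD, "./seccomp_demo_dir", 0700);
        _exit(0);     /* reached only if the filter failed to act */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS;
}
```

The same mechanism, with a much longer allow list, is what a container runtime's default seccomp profile applies to every process in the container.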
Docker Core Maintainer. Typecast as the person who runs everything in containers, including desktop apps. Loves everything from ldflags hacks to syscalls. Nerd by day, rap battle champion by night.