
> Perhaps you might read a bit about CPU VT extensions, No Execute Bits, and similar hardware security technologies. Use your imagination a bit, and you can probably converge on a few key concepts that will significantly extend the usefulness of Linux Containers.

This is the most interesting part. Anyone want to guess? I'm having a hard time - from a hardware perspective contained processes are currently no different from any other processes, taking advantage of the standard user/kernel divide that hardware has supported for decades; they're merely namespaced differently by the kernel. How do you inject hardware into that?
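An added example, not from this thread, that makes the comment's point concrete: on Linux the only observable difference between a "contained" process and any other is the set of kernel namespace inodes it belongs to, readable from /proc/&lt;pid&gt;/ns. The namespace kinds, the "kind:[inode]" link format and the constructed sample values are the example's own assumptions.

```python
import os
import re
from typing import Dict, Set

# Namespace kinds exposed under /proc/<pid>/ns on current Linux kernels.
NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

# readlink(2) on /proc/<pid>/ns/<kind> yields a string such as "pid:[4026531836]".
_NS_LINK = re.compile(r"^(?P<kind>\w+):\[(?P<inode>\d+)\]$")

def parse_ns_link(target: str) -> int:
    """Return the namespace inode number encoded in a /proc ns symlink target."""
    m = _NS_LINK.match(target)
    if not m:
        raise ValueError(f"unexpected ns link format: {target!r}")
    return int(m.group("inode"))

def read_namespaces(pid: int) -> Dict[str, int]:
    """Read the namespace inode of every kind for one pid (live Linux host only)."""
    ns = {}
    for kind in NS_KINDS:
        try:
            ns[kind] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except (FileNotFoundError, PermissionError):
            pass  # kernel lacks that kind, or the pid is not visible to us
    return ns

def differing_namespaces(a: Dict[str, int], b: Dict[str, int]) -> Set[str]:
    """Namespace kinds present in both maps whose inode numbers differ."""
    return {k for k in a.keys() & b.keys() if a[k] != b[k]}

def containment_report(proc: Dict[str, int], init: Dict[str, int]) -> str:
    """Describe how proc is confined relative to init: by namespaces only, or not at all."""
    diff = differing_namespaces(proc, init)
    if not diff:
        return "shares every namespace with pid 1: not container-confined"
    return "confined only by kernel namespaces: " + ", ".join(sorted(diff))

# Constructed sample (not captured from a real host): a process holding its own
# mnt/net/pid/uts namespaces and sharing the rest with init, as an LXC-style
# container typically does.
SAMPLE_INIT = {"ipc": 4026531839, "mnt": 4026531840, "net": 4026531956,
               "pid": 4026531836, "user": 4026531837, "uts": 4026531838}
SAMPLE_CONTAINED = dict(SAMPLE_INIT, mnt=4026532201, net=4026532260,
                        pid=4026532203, uts=4026532202)

if __name__ == "__main__":
    print(containment_report(SAMPLE_CONTAINED, SAMPLE_INIT))
    if os.path.isdir("/proc/1/ns"):  # compare the running process with pid 1
        print(containment_report(read_namespaces(os.getpid()), read_namespaces(1)))
```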



I was going to guess they were using the improved support for things like shadow page tables to help with live migration - but I'm not sure why they couldn't just do that with the existing user/kernel divide, as you say.

Another possibility that occurs to me is that you might use the VT-d device-side stuff to provide some restricted directed access to containers (as you can for full VMs). I'm struggling to think of a device where that would be a significant improvement on what was already available, though...



