Containers are ever popular, and are increasingly presented as an alternative to virtual machines. However, there are some obvious gaps in the API available to containers vs. what's available to root on the host. For example, containers cannot safely load kernel modules, or mount arbitrary filesystems. In this talk, Tycho will present a kernel patchset in development for passing syscalls off to a userspace handler, which can perform actions on behalf of the task that performed the syscall. For example, if a container tries to load a kernel module, the userspace daemon might check that the module is in a whitelist, and load the host's version of the module instead. The container is safely allowed to load kernel modules, whereas before it was not. Linux Australia: http://mirror.linux.org.au/pub/linux.conf.au/2019/c1/Tuesday/Forwarding_syscalls_to_userspace.webm YouTube: https://www.youtube.com/watch?v=sqvF_Mdtzgg