
Nesting (was: Easier container security with entitlements)

Posted May 31, 2018 9:25 UTC (Thu) by abufrejoval (guest, #100159)
Parent article: Easier container security with entitlements

I couldn't agree more that complexity kills the purpose and not just for security, but also for resource management.

It's one of the reasons I have always preferred running Docker containers inside OpenVZ containers, because I really want to separate the two conflicting angles: The developer specifying what he needs via Docker and the operator specifying what he's willing to give via OpenVZ.

Security and resources should be negotiated, especially since they may be dynamic and decoupled in terms of life-cycle. And of course they should also be understandable, but that's unlikely to become easier going forward, because differentiation of security and resources can only get worse (more complex) in these days of special function units, storage and fabric classes.

Entitlements or 'credits' also make sense when it comes to resources: You give workloads credits to spend on resources such as CPU, accelerators, network, storage or memory, which they can then choose to spend according to the value of what they are computing and the current cost of those resources, which are sure to become ever more dynamic as well in these days of Lambda and clouds.

In both cases nesting allows a top-down budget or entitlement approach which is as detailed as it needs to be and as abstract as it can be for the current nesting level, instead of trying to nail everything at one flat layer, where its complexity overwhelms both the developer and the operator.

