Hi,

Vivek Goyal (cc) and I were discussing ways to deliver page cache sharing,
POSIX compliance and SELinux support with a single docker graph driver,
using existing kernel facilities.  We decided to go with a bind-mount
technique, and Vivek has posted a first cut here:
https://github.com/docker/docker/pull/27364

Testing of the prototype looks like a great improvement:
http://developerblog.redhat.com/2016/10/25/docker-project-can-you-have-overlay2-speed-and-density-with-devicemapper-yep/

Assuming this type of feature is merged in a container run-time, what
preference would Kube folks have for surfacing this to users ... currently
it's a daemon runtime flag that says ... if you use --read-only then you
get the shared-rootfs as well.  Obviously this requires "12factor-ish"
design up front, because you can no longer scribble in the container
filesystem in places that are not persistent volumes, but we think
read-only container hygiene is well worth the security and performance
improvements to be had.

https://twitter.com/rhdevelopers/status/790870667008757760
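The "12factor-ish" hygiene described above, namely that a container must not write anywhere except into declared volumes, is something an operator can check on the Kubernetes side before a pod is admitted. The following is an added illustration, not code from the email, the linked PR or the Kubernetes project: it walks a pod spec using the real pod-spec fields `securityContext.readOnlyRootFilesystem`, `volumeMounts` and `volumes`, reports which containers still rely on a writable root filesystem, and for each container lists the paths it can write to together with the kind of volume backing them (a `persistentVolumeClaim` survives the pod, an `emptyDir` does not). The sample pod is constructed for the example.

```python
"""Audit a Kubernetes pod spec for read-only rootfs hygiene.

Added example; not code from the email, the docker PR or Kubernetes.
The field names used are the real pod-spec fields; the sample pod below
is constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed sample pod: "web" already runs with a read-only rootfs and
# writes only into declared volumes; "legacy" has not been converted yet
# and would still scribble into its container filesystem.
SAMPLE_POD = {
    "metadata": {"name": "demo"},
    "spec": {
        "volumes": [
            {"name": "data", "persistentVolumeClaim": {"claimName": "demo-pvc"}},
            {"name": "scratch", "emptyDir": {}},
        ],
        "containers": [
            {
                "name": "web",
                "securityContext": {"readOnlyRootFilesystem": True},
                "volumeMounts": [
                    {"name": "data", "mountPath": "/var/lib/app"},
                    {"name": "scratch", "mountPath": "/tmp"},
                ],
            },
            {
                "name": "legacy",
                "volumeMounts": [
                    {"name": "data", "mountPath": "/var/lib/app", "readOnly": True},
                ],
            },
        ],
    },
}


def volume_kinds(pod: Dict) -> Dict[str, str]:
    """Map each volume name to its source type, e.g. 'emptyDir' or
    'persistentVolumeClaim' (the one key in the volume entry besides 'name')."""
    kinds = {}
    for vol in pod["spec"].get("volumes", []):
        source = [key for key in vol if key != "name"]
        kinds[vol["name"]] = source[0] if source else "unknown"
    return kinds


def audit_pod(pod: Dict) -> Dict[str, Dict]:
    """Per container: whether the rootfs is read-only, and the list of
    (mountPath, volume kind) pairs the container can write through."""
    kinds = volume_kinds(pod)
    report = {}
    for container in pod["spec"].get("containers", []):
        sec = container.get("securityContext", {})
        read_only_rootfs = bool(sec.get("readOnlyRootFilesystem", False))
        writable: List[Tuple[str, str]] = [
            (mount["mountPath"], kinds.get(mount["name"], "unknown"))
            for mount in container.get("volumeMounts", [])
            if not mount.get("readOnly", False)  # mounts default to read-write
        ]
        report[container["name"]] = {
            "readonly_rootfs": read_only_rootfs,
            "writable_mounts": writable,
        }
    return report


def violations(pod: Dict) -> List[str]:
    """Names of containers that still depend on a writable root filesystem."""
    return sorted(
        name for name, entry in audit_pod(pod).items()
        if not entry["readonly_rootfs"]
    )


if __name__ == "__main__":
    for name, entry in audit_pod(SAMPLE_POD).items():
        print(name, entry)
    print("needs conversion:", violations(SAMPLE_POD))
```

Run against the sample, the audit flags only `legacy`, and shows that `web` writes solely into a PVC-backed path and an `emptyDir` at `/tmp`; a writable `emptyDir` is the usual answer for scratch space once the rootfs is read-only, while anything that must outlive the pod belongs on a persistent volume.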
