distrobuilder VS sysbox

Working with legacy applications that needed full system access taught me that a different way to do containerization is by using LXC/LXD. The focus in system containers, rather than application containers, can be thought of like a light VM rather than what most consider the typical container.

LXC provides system-level containerization, offering a different approach focused on creating environments that more closely resemble traditional virtual machines.

Linux Container Daemon (LXD) is a container and virtual machine manager developed by Canonical. It provides flexibility by offering a single process for multiple containers. It connects to the Linux container library (LXC) using a REST API. It is an add-on to LXC, providing more features and functionalities.

Docker introduced their new container technology at PyCon 2013. At this time, Docker containers were just a wrapper for Linux Containers but this fundamentally changed the landscape of computing (more on this later).

LXC

which is what docker/podman/containerd use. If you want full system emulation look into LXC/LXD.

LXD is a manager for Linux Containers (LXC), which lets me spin up a kind-of lightweight VM for any distro, instantly. I use it to run proprietary software isolated from the rest of my system (such as Steam); disposable environments for trying stuff out, and running software that doesn't jive well with Nixos.

Check this thread on linuxcontainers LXD forum. Half way down Simos points to the eventual solution:

Moreover, you might benefit from taking a look at sysbox, a VM-like container runtime that provides a more secure environment. Sysbox is worth it, especially if the main app is running in a container, which means that you'll be running Docker in Docker.

You are probably referring to Sysbox (https://github.com/nestybox/sysbox), which I believe will meet your requirements (systemd, inner containers, security, etc).

Btw, Sysbox is already supported in Docker-Desktop (business tier only), so you can easily do what you want with this instruction:

$ docker run -it --rm -e SYSBOX_SYSCONT_MODE=TRUE nestybox/ubuntu-focal-systemd-docker:latest bash

Disclaimer: I'm Sysbox's co-creator and currently working for Docker.

One project in this space that looked quite promising to me is sysbox[0]. I've used them once for a gitlab runner set-up similar to what is described in their blog[1].

It's currently working great and I have not had any major crashes/incidents for at least the past 8 months.

[0]: https://github.com/nestybox/sysbox

[1]: https://blog.nestybox.com/2020/10/21/gitlab-dind.html

Today, things are very different. Docker-in-Docker has a more secure and safe approach with rootless containers and freemium tools like sysbox. Tools like sysbox let you run Docker-in-Docker without the -privileged flag and optimizes specific scenarios, like running multiple nodes of a Kubernetes cluster as ordinary containers.

Right now I am going with sysbox rootless containers. https://github.com/nestybox/sysbox

We’ve been using Sysbox (https://github.com/nestybox/sysbox) for our Buildkite based CI/CD setup, allows docker-in-docker without privileged containers. Paired with careful IAM/STS design we’ve ended up with isolated job containers with their own IAM roles limited to least-privilege.

A good alternative to the VM approach is to use Kubernetes + Sysbox (a next-gen "runc", free, open-source).