sysbox
dind
Our great sponsors
sysbox | dind | |
---|---|---|
22 | 3 | |
2,517 | 2,307 | |
3.5% | - | |
8.6 | 0.0 | |
9 days ago | almost 6 years ago | |
Shell | Shell | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sysbox
-
Podman Desktop: A Free OSS Alternative to Docker Desktop
You are probably referring to Sysbox (https://github.com/nestybox/sysbox), which I believe will meet your requirements (systemd, inner containers, security, etc).
Btw, Sysbox is already supported in Docker-Desktop (business tier only), so you can easily do what you want with this instruction:
$ docker run -it --rm -e SYSBOX_SYSCONT_MODE=TRUE nestybox/ubuntu-focal-systemd-docker:latest bash
Disclaimer: I'm Sysbox's co-creator and currently working for Docker.
- Sysbox: VM-Like Containers
- What companies are using golang and have source code in github?
-
SELinux is unmanageable; just turn it off if it gets in your way
One project in this space that looked quite promising to me is sysbox[0]. I've used them once for a gitlab runner set-up similar to what is described in their blog[1].
It's currently working great and I have not had any major crashes/incidents for at least the past 8 months.
[0]: https://github.com/nestybox/sysbox
[1]: https://blog.nestybox.com/2020/10/21/gitlab-dind.html
-
Jenkins in Docker: Running Docker in a Jenkins container
Today, things are very different. Docker-in-Docker has a more secure and safe approach with rootless containers and freemium tools like sysbox. Tools like sysbox let you run Docker-in-Docker without the -privileged flag and optimizes specific scenarios, like running multiple nodes of a Kubernetes cluster as ordinary containers.
-
Run untrusted code in sandbox
Right now I am going with sysbox rootless containers. https://github.com/nestybox/sysbox
-
Real-world stories of how we’ve compromised CI/CD pipelines
We’ve been using Sysbox (https://github.com/nestybox/sysbox) for our Buildkite based CI/CD setup, allows docker-in-docker without privileged containers. Paired with careful IAM/STS design we’ve ended up with isolated job containers with their own IAM roles limited to least-privilege.
-
Individual Docker Desktops vs hosting on a server?
A good alternative to the VM approach is to use Kubernetes + Sysbox (a next-gen "runc", free, open-source).
- Sysbox now works on K8s v1.21
-
Does running a container with privileged mode turn on allow code to escape into the Host ?
But nowadays there is an option to run such software in containers securely. It's called Sysbox, and it's a new "runc" (the piece of software that creates the containers). I am one of the developers, so I am biased, but I think you'll find it helpful.
dind
-
SELinux is unmanageable; just turn it off if it gets in your way
> ...anything that expects to be managing docker inside docker.
Now that's an interesting problem to have!
If you trust those tools and don't have untrusted users or untrusted code, you can sometimes just mount /var/run/docker.sock and use the VM/VPS/server's Docker directly. It is actually the approach that was used by excellent tools like Portainer, though it's also really risky as well.
Alternatively, you can try to just run Docker in Docker (DinD), which is a bit more tricky and the opinions there are split about whether to do it and when to do it: https://github.com/jpetazzo/dind
Of course, someone might also jump in and suggest that Docker is architecturally problematic (i don't care much, just want my containers to run, then again; i don't deal with untrusted code or any sort of multitenancy) and you should use Podman or another set of technologies, which is interesting advice but would necessitate other approaches.
In short, like with most technologies: Docker and OCI container in general get more messy as your requirements become more advanced. For the problems that they do solve easily (app packaging), they are pretty good, though!
- Docker in docker situation running into errors
-
Weird question: Is it possible to run docker inside of a docker instance?
Yes, that cal docker in docker, for do it you need share the master's partition, please check https://github.com/jpetazzo/dind
What are some alternatives?
kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
refpolicy - SELinux Reference Policy v2
containerd - An open and reliable container runtime
firejail - Linux namespaces and seccomp-bpf sandbox
gvisor - Application Kernel for Containers
systemd - The systemd System and Service Manager
gatekeeper - 🐊 Gatekeeper - Policy Controller for Kubernetes
discovery-engine - Discover least permissive security posture, Network Microsegmentation, and Application behaviour based on visibility/observability data emitted from policy engines..
snekbox - Easy, safe evaluation of arbitrary Python code
libdropprivs - Example code (will be library) for dropping privileges
vm2 - Advanced vm/sandbox for Node.js
cascade - A high level language for SELinux policy