Esta página se muestra en inglés. Una traducción al español está en curso.
ConfigsJul 16, 2026·3 min de lectura

Sysbox — Run System-Level Workloads Securely Inside Containers

An OCI container runtime by Nestybox that enables running systemd, Docker, and Kubernetes inside containers without privileged mode, providing VM-like isolation with container efficiency.

Listo para agents

Instalación con revisión previa

Este activo requiere revisión. El prompt copiado pide dry-run, muestra escrituras y continúa solo tras confirmación.

Needs Confirmation · 64/100Política: confirmar
Superficie agent
Cualquier agent MCP/CLI
Tipo
Skill
Instalación
Single
Confianza
Confianza: Established
Entrada
Sysbox
Comando con revisión previa
npx -y tokrepo@latest install 0d36d32f-80d1-11f1-9bc6-00163e2b0d79 --target codex

Primero dry-run, confirma las escrituras y luego ejecuta este comando.

Introduction

Sysbox is an OCI-compatible container runtime developed by Nestybox (acquired by Docker) that allows containers to run system-level software such as systemd, Docker, and Kubernetes without requiring privileged mode. It creates containers that behave like lightweight VMs while retaining the speed and density of standard containers.

What Sysbox Does

  • Runs systemd, Docker, Kubernetes, and other system services inside unprivileged containers
  • Provides enhanced isolation using Linux user namespaces and file system virtualization
  • Eliminates the need for --privileged flag when running Docker-in-Docker or nested containers
  • Virtualizes /proc and /sys filesystems so containers see their own isolated kernel view
  • Works as a drop-in OCI runtime alongside runc without modifying existing container images

Architecture Overview

Sysbox consists of two components: sysbox-runc (the OCI runtime) and sysbox-fs (a FUSE-based filesystem handler). When a container starts, sysbox-runc sets up enhanced Linux user namespace mappings that give the container's root user full capabilities within the container while remaining unprivileged on the host. sysbox-fs intercepts and virtualizes accesses to /proc and /sys, presenting container-specific views that allow systemd and other system software to function correctly.

Self-Hosting & Configuration

  • Install via .deb package on Ubuntu or Debian-based distributions
  • Configure Docker to use Sysbox by adding it as a runtime in /etc/docker/daemon.json
  • Run containers with --runtime=sysbox-runc flag to enable system container mode
  • No changes needed to existing container images; standard Ubuntu, Debian, and Fedora images work
  • Set as the default runtime in Docker or Kubernetes (via CRI-O) for all containers if desired

Key Features

  • Docker-in-Docker without --privileged, maintaining host security boundaries
  • Systemd support inside containers for running full Linux distributions with services
  • Kubernetes-in-Docker for local K8s cluster testing without VMs
  • Automatic UID/GID shifting for secure user namespace isolation
  • Compatible with standard Docker and Kubernetes workflows with no image modifications

Comparison with Similar Tools

  • runc — Standard OCI runtime; cannot run systemd or Docker inside containers without privileged mode
  • Kata Containers — VM-level isolation using hypervisors; Sysbox uses namespaces for lighter weight
  • gVisor — Application kernel sandbox; Sysbox runs the full Linux kernel with enhanced namespaces
  • Podman — Rootless container engine; Sysbox provides deeper system-container capabilities on Docker
  • LXC/LXD — System container platform; Sysbox integrates with Docker and Kubernetes ecosystems

FAQ

Q: Is Sysbox secure without --privileged? A: Yes. Sysbox uses Linux user namespaces so the container root maps to an unprivileged user on the host, maintaining strong isolation boundaries.

Q: Does it work with Kubernetes? A: Yes. Sysbox can be configured as a runtime class in Kubernetes via CRI-O, enabling system containers as pods.

Q: What is the performance overhead? A: Minimal. The FUSE-based /proc and /sys virtualization adds slight overhead on those filesystem accesses, but general compute and I/O performance is equivalent to runc.

Q: Is Sysbox still maintained after the Docker acquisition? A: Yes. Sysbox Community Edition remains open source under Apache 2.0, and development continues within Docker.

Sources

Discusión

Inicia sesión para unirte a la discusión.
Aún no hay comentarios. Sé el primero en compartir tus ideas.

Activos relacionados