Cette page est affichée en anglais. Une traduction française est en cours.
ConfigsJul 16, 2026·3 min de lecture

Sysbox — Run System-Level Workloads Securely Inside Containers

An OCI container runtime by Nestybox that enables running systemd, Docker, and Kubernetes inside containers without privileged mode, providing VM-like isolation with container efficiency.

Prêt pour agents

Installation avec revue préalable

Cet actif nécessite une revue. Le prompt copié demande un dry-run, affiche les écritures, puis continue seulement après confirmation.

Needs Confirmation · 64/100Policy : confirmer
Surface agent
Tout agent MCP/CLI
Type
Skill
Installation
Single
Confiance
Confiance : Established
Point d'entrée
Sysbox
Commande avec revue préalable
npx -y tokrepo@latest install 0d36d32f-80d1-11f1-9bc6-00163e2b0d79 --target codex

Dry-run d'abord, confirmez les écritures, puis lancez cette commande.

Introduction

Sysbox is an OCI-compatible container runtime developed by Nestybox (acquired by Docker) that allows containers to run system-level software such as systemd, Docker, and Kubernetes without requiring privileged mode. It creates containers that behave like lightweight VMs while retaining the speed and density of standard containers.

What Sysbox Does

  • Runs systemd, Docker, Kubernetes, and other system services inside unprivileged containers
  • Provides enhanced isolation using Linux user namespaces and file system virtualization
  • Eliminates the need for --privileged flag when running Docker-in-Docker or nested containers
  • Virtualizes /proc and /sys filesystems so containers see their own isolated kernel view
  • Works as a drop-in OCI runtime alongside runc without modifying existing container images

Architecture Overview

Sysbox consists of two components: sysbox-runc (the OCI runtime) and sysbox-fs (a FUSE-based filesystem handler). When a container starts, sysbox-runc sets up enhanced Linux user namespace mappings that give the container's root user full capabilities within the container while remaining unprivileged on the host. sysbox-fs intercepts and virtualizes accesses to /proc and /sys, presenting container-specific views that allow systemd and other system software to function correctly.

Self-Hosting & Configuration

  • Install via .deb package on Ubuntu or Debian-based distributions
  • Configure Docker to use Sysbox by adding it as a runtime in /etc/docker/daemon.json
  • Run containers with --runtime=sysbox-runc flag to enable system container mode
  • No changes needed to existing container images; standard Ubuntu, Debian, and Fedora images work
  • Set as the default runtime in Docker or Kubernetes (via CRI-O) for all containers if desired

Key Features

  • Docker-in-Docker without --privileged, maintaining host security boundaries
  • Systemd support inside containers for running full Linux distributions with services
  • Kubernetes-in-Docker for local K8s cluster testing without VMs
  • Automatic UID/GID shifting for secure user namespace isolation
  • Compatible with standard Docker and Kubernetes workflows with no image modifications

Comparison with Similar Tools

  • runc — Standard OCI runtime; cannot run systemd or Docker inside containers without privileged mode
  • Kata Containers — VM-level isolation using hypervisors; Sysbox uses namespaces for lighter weight
  • gVisor — Application kernel sandbox; Sysbox runs the full Linux kernel with enhanced namespaces
  • Podman — Rootless container engine; Sysbox provides deeper system-container capabilities on Docker
  • LXC/LXD — System container platform; Sysbox integrates with Docker and Kubernetes ecosystems

FAQ

Q: Is Sysbox secure without --privileged? A: Yes. Sysbox uses Linux user namespaces so the container root maps to an unprivileged user on the host, maintaining strong isolation boundaries.

Q: Does it work with Kubernetes? A: Yes. Sysbox can be configured as a runtime class in Kubernetes via CRI-O, enabling system containers as pods.

Q: What is the performance overhead? A: Minimal. The FUSE-based /proc and /sys virtualization adds slight overhead on those filesystem accesses, but general compute and I/O performance is equivalent to runc.

Q: Is Sysbox still maintained after the Docker acquisition? A: Yes. Sysbox Community Edition remains open source under Apache 2.0, and development continues within Docker.

Sources

Fil de discussion

Connectez-vous pour rejoindre la discussion.
Aucun commentaire pour l'instant. Soyez le premier à partager votre avis.

Actifs similaires