Introduction
Sysbox is an OCI-compatible container runtime developed by Nestybox (acquired by Docker) that allows containers to run system-level software such as systemd, Docker, and Kubernetes without requiring privileged mode. It creates containers that behave like lightweight VMs while retaining the speed and density of standard containers.
What Sysbox Does
- Runs systemd, Docker, Kubernetes, and other system services inside unprivileged containers
- Provides enhanced isolation using Linux user namespaces and file system virtualization
- Eliminates the need for
--privilegedflag when running Docker-in-Docker or nested containers - Virtualizes
/procand/sysfilesystems so containers see their own isolated kernel view - Works as a drop-in OCI runtime alongside runc without modifying existing container images
Architecture Overview
Sysbox consists of two components: sysbox-runc (the OCI runtime) and sysbox-fs (a FUSE-based filesystem handler). When a container starts, sysbox-runc sets up enhanced Linux user namespace mappings that give the container's root user full capabilities within the container while remaining unprivileged on the host. sysbox-fs intercepts and virtualizes accesses to /proc and /sys, presenting container-specific views that allow systemd and other system software to function correctly.
Self-Hosting & Configuration
- Install via
.debpackage on Ubuntu or Debian-based distributions - Configure Docker to use Sysbox by adding it as a runtime in
/etc/docker/daemon.json - Run containers with
--runtime=sysbox-runcflag to enable system container mode - No changes needed to existing container images; standard Ubuntu, Debian, and Fedora images work
- Set as the default runtime in Docker or Kubernetes (via CRI-O) for all containers if desired
Key Features
- Docker-in-Docker without
--privileged, maintaining host security boundaries - Systemd support inside containers for running full Linux distributions with services
- Kubernetes-in-Docker for local K8s cluster testing without VMs
- Automatic UID/GID shifting for secure user namespace isolation
- Compatible with standard Docker and Kubernetes workflows with no image modifications
Comparison with Similar Tools
- runc — Standard OCI runtime; cannot run systemd or Docker inside containers without privileged mode
- Kata Containers — VM-level isolation using hypervisors; Sysbox uses namespaces for lighter weight
- gVisor — Application kernel sandbox; Sysbox runs the full Linux kernel with enhanced namespaces
- Podman — Rootless container engine; Sysbox provides deeper system-container capabilities on Docker
- LXC/LXD — System container platform; Sysbox integrates with Docker and Kubernetes ecosystems
FAQ
Q: Is Sysbox secure without --privileged? A: Yes. Sysbox uses Linux user namespaces so the container root maps to an unprivileged user on the host, maintaining strong isolation boundaries.
Q: Does it work with Kubernetes? A: Yes. Sysbox can be configured as a runtime class in Kubernetes via CRI-O, enabling system containers as pods.
Q: What is the performance overhead?
A: Minimal. The FUSE-based /proc and /sys virtualization adds slight overhead on those filesystem accesses, but general compute and I/O performance is equivalent to runc.
Q: Is Sysbox still maintained after the Docker acquisition? A: Yes. Sysbox Community Edition remains open source under Apache 2.0, and development continues within Docker.