Configs2026年7月16日·1 分钟阅读

Sysbox — Run System-Level Workloads Securely Inside Containers

An OCI container runtime by Nestybox that enables running systemd, Docker, and Kubernetes inside containers without privileged mode, providing VM-like isolation with container efficiency.

Agent 就绪

先审查再安装

这个资产需要先审查。复制的指令会要求 Agent dry-run、列出写入项,确认后再继续。

Needs Confirmation · 64/100策略:需确认
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Single
信任
信任等级:Established
入口
Sysbox
先审查命令
npx -y tokrepo@latest install 0d36d32f-80d1-11f1-9bc6-00163e2b0d79 --target codex

先 dry-run,确认写入项后再运行此命令。

Introduction

Sysbox is an OCI-compatible container runtime developed by Nestybox (acquired by Docker) that allows containers to run system-level software such as systemd, Docker, and Kubernetes without requiring privileged mode. It creates containers that behave like lightweight VMs while retaining the speed and density of standard containers.

What Sysbox Does

  • Runs systemd, Docker, Kubernetes, and other system services inside unprivileged containers
  • Provides enhanced isolation using Linux user namespaces and file system virtualization
  • Eliminates the need for --privileged flag when running Docker-in-Docker or nested containers
  • Virtualizes /proc and /sys filesystems so containers see their own isolated kernel view
  • Works as a drop-in OCI runtime alongside runc without modifying existing container images

Architecture Overview

Sysbox consists of two components: sysbox-runc (the OCI runtime) and sysbox-fs (a FUSE-based filesystem handler). When a container starts, sysbox-runc sets up enhanced Linux user namespace mappings that give the container's root user full capabilities within the container while remaining unprivileged on the host. sysbox-fs intercepts and virtualizes accesses to /proc and /sys, presenting container-specific views that allow systemd and other system software to function correctly.

Self-Hosting & Configuration

  • Install via .deb package on Ubuntu or Debian-based distributions
  • Configure Docker to use Sysbox by adding it as a runtime in /etc/docker/daemon.json
  • Run containers with --runtime=sysbox-runc flag to enable system container mode
  • No changes needed to existing container images; standard Ubuntu, Debian, and Fedora images work
  • Set as the default runtime in Docker or Kubernetes (via CRI-O) for all containers if desired

Key Features

  • Docker-in-Docker without --privileged, maintaining host security boundaries
  • Systemd support inside containers for running full Linux distributions with services
  • Kubernetes-in-Docker for local K8s cluster testing without VMs
  • Automatic UID/GID shifting for secure user namespace isolation
  • Compatible with standard Docker and Kubernetes workflows with no image modifications

Comparison with Similar Tools

  • runc — Standard OCI runtime; cannot run systemd or Docker inside containers without privileged mode
  • Kata Containers — VM-level isolation using hypervisors; Sysbox uses namespaces for lighter weight
  • gVisor — Application kernel sandbox; Sysbox runs the full Linux kernel with enhanced namespaces
  • Podman — Rootless container engine; Sysbox provides deeper system-container capabilities on Docker
  • LXC/LXD — System container platform; Sysbox integrates with Docker and Kubernetes ecosystems

FAQ

Q: Is Sysbox secure without --privileged? A: Yes. Sysbox uses Linux user namespaces so the container root maps to an unprivileged user on the host, maintaining strong isolation boundaries.

Q: Does it work with Kubernetes? A: Yes. Sysbox can be configured as a runtime class in Kubernetes via CRI-O, enabling system containers as pods.

Q: What is the performance overhead? A: Minimal. The FUSE-based /proc and /sys virtualization adds slight overhead on those filesystem accesses, but general compute and I/O performance is equivalent to runc.

Q: Is Sysbox still maintained after the Docker acquisition? A: Yes. Sysbox Community Edition remains open source under Apache 2.0, and development continues within Docker.

Sources

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产