Add ability to run VM like containers in Cloudron via Sysbox
-
Who doesn't want strongly isolated containers without having to run actual VMs?
Nestybox empowers containers to act as virtual servers capable of running the same workloads as VMs (e.g., Systemd, Docker, Kubernetes, and even legacy apps).
​Currently this requires unsecure privileged containers plus complicated Docker images with tricky entrypoints and custom volume mounts.
No more.
Nestybox enables you to do this using:- Simple Docker commands
- Simple Docker images
- Strongly Isolated Containers
- No Hardware Virtualization (VMs)
Use Cases:
Kubernetes-in-Docker- Running Kubernetes clusters inside containers is very useful for development, testing, and CI/CD.
- It avoids the need for heavy and costly VMs or cloud-based clusters.
- There exist a few tools to run Kubernetes-in-Docker. However these use complex container images and very unsecure privileged containers.
- Nestybox fixes this, enabling you to deploy the cluster in containers using strong isolation and very simple container images that you fully control.
Lightweight VM
- Sysbox makes it easy to use containers as lightweight VMs. For example, a container image can include systemd, ssh, a Docker daemon, preloaded inner container images, etc. You have full root access inside the container, but no capabilities outside of it.
- You can pack 2x as many containers as VMs on the same machine and get the same performance. And you can provision them 10x faster than VMs.
Docker-in-Docker
- It's often useful to run Docker inside a container for development, testing, and CI/CD.
- Up to now, the only way to do this was to use very unsecure privileged containers or exposing the host's Docker socket into a container. Neither is ideal.
- Nestybox removes these limitations, enabling you to run Docker inside a container with total isolation from the host.
- You can even preload inner container images into the outer container using a Dockerfile or Docker commit.
Legacy Apps
- With Nestybox, legacy apps may be lift-and-shifted into containers, enabling them to operate within cloud-native frameworks without resorting to VMs. This voids the need for re-architecting such applications.
-
@lonk said in Add ability to run VMs in containers in Cloudron via Sysbox:
No no, I'm asking, what does this give us in a practical sense and how hard would it be to implement do you think?
imho - What I can see down the road is the ability for companies to run some applications without the need to officially packaging the app. This can be useful for in-house apps that use parts of the filesystem that is normally read-only for example.
-
@murgero said in Add ability to run VMs in containers in Cloudron via Sysbox:
isn't that the same thing as engine? Or is docker the engine and containerd is the runtime?
No.
Docker Engine is a product name that usescontainerd
(the container daemon) which relies onrunc
(run container) which is a CLI tool for spawning and running containers according to the OCI specification.All have a different abstraction level.
Therefore
sysbox-runc
is an alternate runc that is more secure and offers all of the above benefits.Docker Engine and containerd don't change, and accept a parameter to specify which runtime (runc) to use.
-
@lonk Let me count the ways.
- It makes Cloudron better in so many ways already described above
- It would let me have a build env in Cloudron
- It would let me have a VDI in Cloudron via Guacamole
- It would speed development
- It would let me run more non-packaged apps more easily
- It would open other opportunities we haven't even explored yet.
-
@robi said in Add ability to run VMs in containers in Cloudron via Sysbox:
@lonk Let me count the ways.
- It makes Cloudron better in so many ways already described above
- It would let me have a build env in Cloudron
- It would let me have a VDI in Cloudron via Guacamole
- It would speed development
- It would let me run more non-packaged apps more easily
- It would open other opportunities we haven't even explored yet.
Okay, perfect, now why do you think the developer's seem opposed (since those are the pros and if there were no cons, fs anyone would do it)? Time and effort switching infrastructures would be my personal guess.