Sysbox integration in progress..

Reply to Sysbox integration in progress.. on Sat, 24 Dec 2022 16:16:33 GMT

girish — Sat, 24 Dec 2022 16:16:33 GMT

@timconsidine Are you asking if we plan to integrate it into Cloudron? There are no plans as such.

Reply to Sysbox integration in progress.. on Sat, 17 Dec 2022 18:55:53 GMT

timconsidine — Sat, 17 Dec 2022 18:55:53 GMT

@girish what is current situation with sysbox and Cloudron ?

Reply to Sysbox integration in progress.. on Tue, 02 Feb 2021 03:45:29 GMT

robi — Tue, 02 Feb 2021 03:45:29 GMT

A community update from TYPO3:

https://gitlab.typo3.org/core-testing/testing-infrastructure/
This is a 'infrastructure as code' repository for a gitlab-runner setup using sysbox, maybe this helps anyone looking into similar things:

bare metal setup with ansible - gitlab-runner with docker executor and sysbox'd test execution in DinD
Hetzner cloud docker+machine - gitlab-runner with docker+machine autoscaling with sysbox on workers

Reply to Sysbox integration in progress.. on Tue, 02 Feb 2021 03:43:20 GMT

robi — Tue, 02 Feb 2021 03:43:20 GMT

From a recent discussion on sharing data between apps, this will be interesting.

On the persistence of Inner container images..

Reply to Sysbox integration in progress.. on Mon, 14 Dec 2020 18:11:52 GMT

girish — Mon, 14 Dec 2020 18:11:52 GMT

@rodny-molina will do. Give me sometime to play around with sysbox before we have a talk, so maybe after your release. I want to give it a try in a couple of our apps to understand how it all fits.

Reply to Sysbox integration in progress.. on Mon, 14 Dec 2020 17:17:23 GMT

Rodny Molina — Mon, 14 Dec 2020 17:17:23 GMT

@girish, right, this 'hitless' scenario is supported by the installer as long as the expected attributes (e.g. bip, address-pools) are already configured in the docker config file. If they are not present and digested by dockerd, then the installer will restart docker.

I understand that you may need more flexibility for Cloudron's specific setup. Can we talk to have these installation details fully understood? (rmolina@nestybox.com).

Reply to Sysbox integration in progress.. on Sun, 13 Dec 2020 22:24:11 GMT

girish — Sun, 13 Dec 2020 22:24:11 GMT

@rodny-molina Having a binary would really help because usually the deb packages have a tendency to restart existing services and also automatically start their own services.

Does the debian package support this scenario - https://github.com/nestybox/sysbox/blob/master/docs/user-guide/install.md#Installing-Sysbox-without-Docker-restart ?

Reply to Sysbox integration in progress.. on Sat, 12 Dec 2020 23:20:28 GMT

Rodny Molina — Sat, 12 Dec 2020 23:20:28 GMT

@girish said in Sysbox integration in progress..:

And is a new release planned soon with the readonly fixes? Would be great if we can also download binaries instead of deb packages.

Forgot to answer this one. Yes, we are about to start working on the next release (ETA ~ 2 weeks). Not sure about the binaries though, will get back to you later on this.

Reply to Sysbox integration in progress.. on Sat, 12 Dec 2020 22:09:48 GMT

Rodny Molina — Sat, 12 Dec 2020 22:09:48 GMT

@girish @mehdi, you can definitely run Sysbox side-by-side along other runtimes such as runc.

Sysbox will exclusively interact with its own containers. You just need to program your orchestrator to make use of Sysbox for those containers for which you want enhanced security or extra functionality.

Ping me if any question.

https://github.com/nestybox/sysbox#using-sysbox

---
Note that if you omit the --runtime option, Docker will use its default runc runtime to launch regular containers (rather than system containers). It's perfectly fine to run system containers launched with Docker + Sysbox alongside regular Docker containers; they won't conflict and can co-exist side-by-side.
---

Reply to Sysbox integration in progress.. on Sat, 12 Dec 2020 21:32:48 GMT

mehdi — Sat, 12 Dec 2020 21:32:48 GMT

@girish I understand that. My point is maybe we should consider putting it in a separate service container, instead of the app itself

Reply to Sysbox integration in progress.. on Sat, 12 Dec 2020 21:20:04 GMT

girish — Sat, 12 Dec 2020 21:20:04 GMT

@mehdi right, I don't want to move everything to sysbox. Just the ones that want it. But I want to know if it's possible to run them both side by side.

Reply to Sysbox integration in progress.. on Sat, 12 Dec 2020 20:41:05 GMT

mehdi — Sat, 12 Dec 2020 20:41:05 GMT

@girish I am not 100% sure it's doable, but instead of running Cloudron apps in sysbox, I think it would make a lot of sense to run a sysbox container as an addon service for apps that need to run docker containers, and run them inside the sysbox addon container.

Reply to Sysbox integration in progress.. on Sat, 12 Dec 2020 20:05:11 GMT

girish — Sat, 12 Dec 2020 20:05:11 GMT

@rodny-molina Sure, it's possible to remove the requirement as more use cases come up. Cloudron is currently targeting installing web apps (SaaS equivalents) and not targeting infrastructure apps/system app. I think CI/CD and Jupyter Hub style apps can find sysbox useful though. BTW, did I understand correctly that I can run sysbox and runc runtimes side by side? It does seem like that but wanted to confirm . And is a new release planned soon with the readonly fixes? Would be great if we can also download binaries instead of deb packages.

Reply to Sysbox integration in progress.. on Sat, 12 Dec 2020 00:54:12 GMT

Rodny Molina — Sat, 12 Dec 2020 00:54:12 GMT

@robi just helped me realize that /run is already bind-mounted as RW, i had missed that. There may be other paths for which RW access is expected though, but i guess that's something that can be evaluated on a per-app basis.

Reply to Sysbox integration in progress.. on Sat, 12 Dec 2020 00:24:27 GMT

Rodny Molina — Sat, 12 Dec 2020 00:24:27 GMT

@girish Question ...

Have you guys considered the option of removing RO requirement for specific applications? I'm talking about system apps such as docker, systemd, k8s, podman, ci/cd tools, legacy-apps, etc. All that (and more) can be potentially offered to Cloudron users. But as you know, this software needs RW access to diverse sections of the rootfs (such as /run) to create pipes/sockets/dirs, etc.

The system container running these special apps is fairly secure by virtue of running within dedicated user-namespaces. Also, it's self-contained, in the sense that when you do a docker-commit you are not only capturing the outer sys-container image, but also the inner docker images; that's to say that you can customize these system-apps to your liking, and reduce instantiation latency to the minimum (no i/o needed to fetch inner images).

Please let me know when have a chance.

Thanks.

Reply to Sysbox integration in progress.. on Sat, 12 Dec 2020 00:23:36 GMT

marcusquinn — Sat, 12 Dec 2020 00:23:36 GMT

@robi Yeah, that's being worked on this weekend. I think it saves on Windows licence costs too compared to muti-VMs.

Reply to Sysbox integration in progress.. on Sat, 12 Dec 2020 00:16:03 GMT

robi — Sat, 12 Dec 2020 00:16:03 GMT

@marcusquinn
But they will run on Windows.
I have experience with this if needed in Windows and in Linux.

Reply to Sysbox integration in progress.. on Fri, 11 Dec 2020 19:59:51 GMT

marcusquinn — Fri, 11 Dec 2020 19:59:51 GMT

Answered my own question; no, Windows containers won't run on Linux: https://stackoverflow.com/questions/42158596/can-windows-containers-be-hosted-on-linux

Reply to Sysbox integration in progress.. on Fri, 11 Dec 2020 19:45:10 GMT

marcusquinn — Fri, 11 Dec 2020 19:45:10 GMT

@atrilahiji for GitLab Runner. I'm curious if it would be possible to run full Windows Server VMs in it too, we have a bunch of use-cases for that.

Reply to Sysbox integration in progress.. on Fri, 11 Dec 2020 17:55:31 GMT

Rodny Molina — Fri, 11 Dec 2020 17:55:31 GMT

@robi thanks for your kind words and for your time answering all my Cloudron questions.

The fix for this issue is in code-review at the moment, should be merged soon.

Reply to Sysbox integration in progress.. on Fri, 11 Dec 2020 17:20:07 GMT

[[global:former-user]] — Fri, 11 Dec 2020 17:20:07 GMT

@mehdi https://forum.cloudron.io/topic/1373/gitlab-runner-for-ci/11?_=1607705685190

I can speak for my use-case. I would absolutely love to see GitLab Runner as an app on here and this would make it possible.

Reply to Sysbox integration in progress.. on Fri, 11 Dec 2020 09:26:22 GMT

robi — Fri, 11 Dec 2020 09:26:22 GMT

@mehdi I did not say I was packaging anything. It's an integration right now and making sure all the apps we have run as expected.

Reply to Sysbox integration in progress.. on Fri, 11 Dec 2020 09:13:01 GMT

mehdi — Fri, 11 Dec 2020 09:13:01 GMT

I must admit, I am still quite skeptical about this...

@robi, I know you wrote at length about what sysbox could do, but I do not really understand what precisely are you trying to package as an app right now, that's possible under sysbox but not under the normal docker runtime?

Reply to Sysbox integration in progress.. on Fri, 11 Dec 2020 04:42:01 GMT

marcusquinn — Fri, 11 Dec 2020 04:42:01 GMT

Awesome stuff - this community rocks!