We launched on HN almost a year ago and got excellent feedback then (https://news.ycombinator.com/item?id=24084758).
Happy to say that over the past year, Sysbox has continued to gain traction, particularly for securing containers in production, CI/CD, and containerized dev environments.
We wanted to announce an important new feature: integration between Sysbox and Kubernetes.
As a quick refresher, Sysbox is a "runc" that enhances containers in two key ways:
1) Hardens container isolation (Linux user-namespace on all containers, partial procfs & sysfs virtualization, initial mount locking, and more).
2) Enables containers to run not just microservices, but also system software such as systemd, Docker, K8s, K3s, and more. This enables containers to replace slower/less-efficient VMs in many scenarios.
Prior to Sysbox this required insecure privileged containers, custom images, and special host mounts, or specialized tools like LXD, KinD and Minikube. With Sysbox, the container runtime sets up the container such that it can run the software securely and seamlessly, increasing security and reducing complexity.
Until recently Sysbox only worked under Docker, but the latest release (v0.4.0) now works under Kubernetes too.
This means you can use Kubernetes to orchestrate pods that are rootless (i.e., root in the container maps to an unprivileged user on the host) and can run not just microservices, but full "VM-like" environments.
For example, you can create a pod that acts as a well isolated dev environment and inside of it run systemd, your favorite editor, plus Docker. Or create several pods that together form another K8s cluster for testing. Or run the K8s.io KinD inside a pod to create an entire K8s cluster inside one pod. Many interesting and powerful combinations are possible.
Sysbox has taken 2 years of very hard work, as it pushes the limits of OS virtualization (uid-shifting, syscall trapping, procfs virtualization, etc.). It was forked from the OCI runc in 2019, so we stand on the shoulders of the developers of that excellent project.
Would love to hear your feedback, if you think this new feature is useful, and for which use-cases. Would also encourage you to try it, we think you'll find it useful.
Thanks! - Cesar & Rodny
Sysbox: https://github.com/nestybox/sysbox
Nestybox: https://www.nestybox.com/
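The post says a Sysbox pod is "rootless" (root in the container maps to an unprivileged host user). Below is an added example, not part of the Show HN post and not code from the Sysbox project, showing how a practitioner would request the Sysbox runtime from Kubernetes and then verify the claim from inside the pod. It assumes a RuntimeClass named `sysbox-runc` and the CRI-O user-namespace annotation `io.kubernetes.cri-o.userns-mode`, both taken from Sysbox's Kubernetes install documentation as I remember it; treat both names as assumptions and check them against the current docs. The uid_map samples are constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example: request the Sysbox runtime for a pod and verify that root
# inside the pod is remapped on the host. Not from the Sysbox project.

# Pod manifest that asks Kubernetes to run the pod under Sysbox. Printed
# rather than applied so the script runs without a cluster; on a real one,
# pipe it to `kubectl apply -f -`.
# Assumptions: RuntimeClass "sysbox-runc" exists and the node runs CRI-O,
# which honours the userns-mode annotation (both per Sysbox's k8s docs).
sysbox_pod_manifest() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: sysbox-dev
  annotations:
    io.kubernetes.cri-o.userns-mode: "auto:size=65536"
spec:
  runtimeClassName: sysbox-runc
  containers:
  - name: dev
    image: ubuntu:20.04        # assumption: any image with a shell works
    command: ["sleep", "infinity"]
EOF
}

# Verify the "rootless" property from inside the pod. On a running pod:
#   kubectl exec sysbox-dev -- cat /proc/self/uid_map
# Each line of uid_map reads: <inside-start> <outside-start> <count>.
# Root is remapped only if the range covering inside uid 0 starts at a
# host uid other than 0. Returns 0 (true) when remapped, 1 otherwise,
# which also covers the identity map (no user namespace at all).
uid_map_is_rootless() {
    # $1: the contents of /proc/self/uid_map as one string
    printf '%s\n' "$1" | awk '
        $1 == 0 { seen = 1; if ($2 != 0) ok = 1 }
        END { exit (seen && ok) ? 0 : 1 }'
}

# Constructed sample maps (not captured from a real system).
# What a Sysbox pod should show: container uid 0 -> host uid 165536.
ROOTLESS_MAP="         0     165536      65536"
# What a privileged / non-userns pod shows: identity map, container root
# is host root.
PRIVILEGED_MAP="         0          0 4294967295"

# Stand-alone usage: print the manifest and check both samples.
sysbox_pod_manifest
if uid_map_is_rootless "$ROOTLESS_MAP"; then
    echo "sample 1: root is remapped (rootless)"
fi
if ! uid_map_is_rootless "$PRIVILEGED_MAP"; then
    echo "sample 2: root is NOT remapped (container root == host root)"
fi
```

The check is worth running after any runtime change: a pod that silently falls back to the default runc handler (for example because the RuntimeClass name is misspelled) will start fine but show the identity uid_map, which is exactly the "insecure privileged container" situation the post contrasts Sysbox with.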