-
Integrates with OCI compatible container managers and orchestrators (e.g., Docker and Kubernetes).
-
Sysbox is ~90% OCI-compatible. See here for more on this.
-
Installs easily on Docker hosts or Kubernetes clusters.
-
For Kubernetes clusters, installation is done via a daemonset.
-
See here for more.
-
Always enables the Linux user-namespace on all containers:
- Root user in the system container has all capabilities inside container only, but zero privileges on the host.
-
The procfs and sysfs exposed in the container are fully namespaced.
-
Programs running inside the system container (e.g., Docker, Kubernetes, etc) are limited to using the resources given to the system container itself.
-
The system container's initial mounts are immutable (can't be changed from inside the container, even though processes in the container can setup other mounts).
-
See the security section of the User Guide for details.
-
Run Systemd inside a Docker container or K8s pod easily, without complex container configurations.
-
Enables you to containerize apps that rely on Systemd (e.g., legacy apps).
-
Run Docker inside a container or pod, easily without insecure privileged containers and without mounting the host's Docker socket.
-
Full isolation between the Docker inside the container and the Docker on the host.
-
The inner Docker container images can live ephemerally inside the container or be cached on the host.
-
Use containers as Kubernetes nodes, instead of more expensive VMs.
-
Containers are properly isolated (via the Linux user namespace) and run Kubernetes natively (as a VM or regular host would); no custom Docker images or tricky entrypoints needed.
-
Deploy directly with
docker runcommands for full flexibility, or using a higher level tool (e.g., such as kindbox). -
Alternatively, run the K8s.io KinD tool inside a Sysbox container to containerize and entire Kubernetes cluster for local testing, and with proper isolation.
-
Kubernetes nodes running within system containers can be interconnected through CNI's capable of enforcing network policies in a cluster. This is the case of WeaveNet and Calico CNIs, which offer network features that are more advanced than other more simplistic CNIs (e.g. Flannel).
-
WeaveNet and Calico CNI's are currently supported only as part of the Sysbox-EE product offering.
-
K3s clusters can be deployed within system containers to offer a lighter alternative to K8s deployments without the limitations of the rootless-k3s deployment approach.
-
As it is the case with K8s-in-Docker solutions, K3s nodes hosted within a system container are properly isolated through the diverse security mechanisms offered by the Sysbox runtime. In other words, Sysbox is not relying on
privilegedcontainers as other K3s-in-Docker solutions do.
-
Deploy RKE and RKE2 clusters within Sysbox-powered docker containers or K8s pods for extra security and isolation.
-
The Canal CNI utilized by both RKE and RKE2 is currently only supported as part of the Sysbox-EE product offering.
-
Run buildx and/or buildkit inside Docker containers or K8s pods for extra security and performance.
-
Avoid the limitations associated with running Buildkit in secure environments (i.e., buildkit-rootless) without the need to resort to
privilegedcontainers.
-
Sysbox uses host resources optimally and starts containers in a few seconds.
-
Runs with performance equivalent to the OCI runc.
-
See here for a detailed performance analysis.
- You can create a system container image that includes inner container images using a simple Dockerfile or via Docker commit. See here for more.
Please see our Roadmap for a list of features we are working on.