systemd-nspawn (was Re: What is agetty, and why can't it be stopped?)
On Fri, Jun 07, 2019 at 02:21:52PM -0500, Nicholas Geovanis wrote:
> I just learned earlier today of systemd-nspawn as a possible
> containerization solution (my mind boggles....).
Yes. Systemd's main job is to spawn sub-processes. A container is
a process run under various constraints. From what I understand nspawn
adds some additional features, but many of the isolation features are
already present in systemd, without nspawn.
> Do you know if removing systemd-sysv would undercut nspawn?
I suspect it would not work at all if you were not running systemd as
the init system.
> Have you tried nspawn for that containerization? Any strong views?
I haven't tried it at all myself yet. I think it looks like a useful tool and
less invasive than e.g. Docker. You can get many of the isolation features of
containers with systemd's features already, without nspawn. See:
http://0pointer.de/blog/projects/security.html
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.
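As an added illustration of the point made in the reply above (that much of the per-process isolation is available to plain service units, without nspawn), here is a constructed unit file that is not from the thread or from the linked blog post. The service name myapp.service, the binary /usr/local/bin/myapp and the user myapp are assumptions; the directives themselves are standard systemd sandboxing options.

```ini
# Added example, not part of the original message: a hypothetical
# service (myapp.service) confined with systemd's own sandboxing
# directives. Paths and user name are placeholders.
[Unit]
Description=Example sandboxed service (constructed for illustration)

[Service]
# Hypothetical binary; run as an unprivileged account
ExecStart=/usr/local/bin/myapp
User=myapp
Group=myapp

# Drop every capability and forbid privilege gain via setuid/setcap
CapabilityBoundingSet=
NoNewPrivileges=yes

# Private /tmp, private loopback-only network, no physical devices
PrivateTmp=yes
PrivateNetwork=yes
PrivateDevices=yes

# Read-only view of the OS tree; no view of home directories,
# kernel tunables or the cgroup hierarchy
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes

# The only writable location: /var/lib/myapp, created and owned by
# systemd for this unit
StateDirectory=myapp

# Syscall allow-list: the system-service set minus privileged and
# resource-control calls; native ABI only; local sockets only;
# no writable+executable memory mappings
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target
```

PrivateNetwork=yes is only appropriate for a service that needs no network at all; a network-facing daemon would drop that line and widen RestrictAddressFamilies to include AF_INET and AF_INET6. On systemd 240 or later, `systemd-analyze security myapp.service` scores the unit and lists which of these directives are still missing, which is a quick way to check what a given unit actually gets without nspawn.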