Comparison: Sysbox and Related Technologies

October 06, 2020

Intro

In the world of cloud native software, things move fast and there are always several alternatives to accomplish a given task, each with different trade-offs.

It’s no surprise then that software engineers often ask us about the differences between Sysbox and related technologies.

This article sheds a bit of light on this. It gives a quick comparison between Sysbox and alternative technologies with the goal of helping you choose the best option based on your particular use case and requirements.

Recall that Sysbox enables Docker and similar tools to deploy “VM-like” containers (aka system containers) capable of running systemd, Docker, K8s, etc., inside the container, with ease and strong isolation from the underlying host (i.e., no privileged containers). This allows you to use containers in new ways, and gives you an easy, fast, and much more efficient alternative to VMs to run the above mentioned software.

As you’ll see, Sysbox is pretty unique: it is (to the best of our knowledge) the only container runtime that enables deployment of “VM-like” containers using Docker (and soon Kubernetes), easily and without resorting to very insecure privileged containers.

TL;DR

The table below lists the technologies described in this article and how they compare with each other.

The “OCI-based” column indicates if the solution is compatible with the Docker & Kubernetes ecosystem.

The “Container Isolation Strength” column indicates how hard an attacker would need to work to break out of the container. Privileged containers offer weak isolation, containers using the Linux user-namespace offer much stronger isolation, and containers wrapped by VMs offer even stronger isolation.
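To make the isolation ranking in that column concrete, here is a small Python check (an added example, not part of the original article or of the Sysbox project) that reads the `docker inspect` records for running containers and flags the weakest ones using the article's own criteria: a privileged container (or one that opts out of the user namespace with `--userns=host`) is weak, a container launched under a user-namespace-based runtime is stronger, and a container wrapped in a VM is stronger still. The runtime names in the map (`sysbox-runc`, `kata-runtime`) are assumptions about how those runtimes are registered with the Docker daemon, and the inspect records are constructed for the example.

```python
"""Rank containers by isolation strength from `docker inspect` output.

Added example (not Nestybox code). Usage on a live host:
    docker inspect $(docker ps -q) | python3 rank_isolation.py
"""
import json
import sys

# Ranking from the article's "Container Isolation Strength" column:
# privileged < default runc < user-namespace runtime < VM-wrapped runtime.
WEAK, DEFAULT, USERNS, VM = 0, 1, 2, 3

# Assumed runtime names as registered in dockerd's "runtimes" map.
RUNTIME_RANK = {
    "runc": DEFAULT,
    "sysbox-runc": USERNS,
    "kata-runtime": VM,
}


def isolation_rank(record):
    """Return (rank, reason) for one element of `docker inspect` output."""
    host = record.get("HostConfig", {})
    name = record.get("Name", "?").lstrip("/")
    if host.get("Privileged"):
        return WEAK, f"{name}: --privileged grants all capabilities and host devices"
    if host.get("UsernsMode") == "host":
        return WEAK, f"{name}: --userns=host disables user-namespace remapping"
    runtime = host.get("Runtime") or "runc"
    rank = RUNTIME_RANK.get(runtime)
    if rank is None:
        return DEFAULT, f"{name}: unknown runtime {runtime!r}, treated as default"
    return rank, f"{name}: runtime {runtime}"


def weakest(records):
    """Return the (rank, reason) entries that share the lowest rank."""
    ranked = [isolation_rank(r) for r in records]
    lowest = min(rank for rank, _ in ranked)
    return [entry for entry in ranked if entry[0] == lowest]


# Constructed sample records (trimmed to the fields the check uses).
SAMPLE = json.dumps([
    {"Name": "/ci-runner", "HostConfig": {"Privileged": True, "Runtime": "runc"}},
    {"Name": "/web", "HostConfig": {"Privileged": False, "Runtime": "runc"}},
    {"Name": "/k8s-node", "HostConfig": {"Privileged": False, "Runtime": "sysbox-runc"}},
    {"Name": "/tenant", "HostConfig": {"Privileged": False, "Runtime": "kata-runtime"}},
])

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for rank, reason in weakest(json.loads(data)):
        print(f"rank {rank}: {reason}")
```

Piping real `docker inspect` output into the script reports only the containers at the lowest rank, which is the set a reviewer would want to look at first; with no input it runs over the constructed records.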

For a more detailed description of each of these tools, keep reading.

LXD

LXD is a container manager that enables deployment of “VM-like” containers using the venerable LXC library.

Similarities to Sysbox

Differences from Sysbox

Recommendation

Footloose

Weaveworks Footloose is a tool that creates “VM-like” containers capable of running systemd, ssh, etc. Footloose sits on top of Docker.

Similarities to Sysbox

Differences from Sysbox

Recommendation

K8s.io KinD

The K8s.io KinD tool makes it easy to deploy Kubernetes inside Docker containers. That is, each container acts as a Kubernetes (K8s) node. This is very useful for local testing, CI/CD, development, and learning.

Similarities to Sysbox

Differences from Sysbox

Possible Integration

Given that KinD runs above Docker and Sysbox runs below Docker, it’s possible to integrate KinD with Sysbox. In fact, the KinD maintainers have been nice enough to open an issue to investigate a possible integration. This would allow KinD to run without using privileged containers and would bring other functional benefits. Refer to the issue for more details.

Recommendation

Kindbox

The Kindbox tool, developed by Nestybox, is at a high level similar to K8s.io KinD: it eases the deployment of K8s inside Docker.

What makes Kindbox different is that it’s designed to leverage the Sysbox runtime, meaning that the K8s cluster will be strongly isolated from the host (no privileged containers) and you can choose any container image for the K8s nodes.

Kindbox is a wrapper around docker run commands to deploy K8s-in-Docker using rootless containers. With Kindbox, you have full control over the container image, you can resize the cluster dynamically, and you can easily modify it to suit your needs.

Here is a video showing how it works.

Similarities to Sysbox

Differences from Sysbox

Recommendation

Rootless Docker

Rootless Docker runs Docker on the host without requiring root privileges. It’s meant to protect the host from Docker itself, by confining it into a sandbox via the Linux user-namespace. The containers created by rootless Docker are by extension also confined to that sandbox.
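The user-namespace confinement that rootless Docker (and, per the earlier sections, Sysbox) relies on is visible in the kernel's `/proc/<pid>/uid_map` file: each line is an `inside_start outside_start length` triple, and if uid 0 inside the namespace maps to a non-zero host uid, "root" in the container is an ordinary user on the host. The following Python snippet is an added example (not Docker or Nestybox code) that parses that file and answers the practical question "is root in this container actually confined?". The two map contents at the bottom are constructed samples, not captured from a real system.

```python
"""Decide whether uid 0 in a namespace maps to an unprivileged host uid.

Added example (not Docker or Nestybox code). Run it inside a container
to inspect that container's own mapping:
    python3 uidmap_check.py
"""


def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map text into (inside, outside, length) triples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # tolerate blank or malformed lines
        inside, outside, length = (int(f) for f in fields)
        ranges.append((inside, outside, length))
    return ranges


def to_host_uid(ranges, uid):
    """Translate a uid seen inside the namespace to the host uid, or None if unmapped.

    An unmapped uid appears on the host as the overflow uid (usually 'nobody')
    and cannot own files there.
    """
    for inside, outside, length in ranges:
        if inside <= uid < inside + length:
            return outside + (uid - inside)
    return None


def root_is_confined(text):
    """True when uid 0 inside the namespace is NOT uid 0 on the host."""
    host_root = to_host_uid(parse_uid_map(text), 0)
    return host_root is not None and host_root != 0


# Constructed samples (not captured from a real host).
IDENTITY_MAP = "         0          0 4294967295\n"  # initial namespace or plain runc
REMAPPED_MAP = "         0     100000      65536\n"  # root -> host uid 100000


def check_self():
    """Inspect the calling process's own user namespace."""
    with open("/proc/self/uid_map") as f:
        return root_is_confined(f.read())


if __name__ == "__main__":
    print("identity map confined:", root_is_confined(IDENTITY_MAP))
    print("remapped map confined:", root_is_confined(REMAPPED_MAP))
    print("this process confined:", check_self())
```

A container whose `uid_map` is the identity mapping has root that is root on the host, which is why a kernel escape from such a container is immediately a host-root compromise; under the remapped map, the same escape lands as an unprivileged host user.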

Similarities to Sysbox

Differences from Sysbox

Recommendation

Kata Containers

Kata Containers is a container runtime whose purpose is to improve container isolation by deploying containers inside lightweight virtual machines (VMs).

Similarities to Sysbox

Differences from Sysbox

Recommendation

Ignite

Weaveworks Ignite is a tool that deploys container images inside micro-VMs, using the Firecracker virtual machine monitor. Its purpose is to enable the deployment of workloads inside light & fast VMs using a container-based frontend.

Similarities to Sysbox

Differences from Sysbox

Recommendation

gVisor

gVisor is software that is meant to increase container isolation by reducing the attack surface between the container and the host kernel. It does this by inserting a “user-space kernel” inside each container that prevents direct access between the container and the underlying kernel and instead “funnels” the large kernel API into a reduced set of interactions with the host kernel.

Similarities to Sysbox

Differences from Sysbox

Recommendation

Podman

Podman is a daemonless container engine that provides an alternative to Docker.

Similarities to Sysbox

Differences from Sysbox

Possible Integration

Since Podman is an OCI-based container manager and Sysbox is an OCI-based container runtime, in theory Podman can integrate with Sysbox. We plan to explore this in the future.

Recommendation

Kaniko

Kaniko is a tool that builds container images using a Dockerfile, but without the need for the Docker daemon. Its purpose is to enable users to build Docker images in environments where the Docker daemon can’t run easily or securely (e.g., inside Kubernetes pods).

Similarities to Sysbox

Differences from Sysbox

Recommendation

Conclusion

We hope this article helps you make a decision on the best tool to use for your specific use case around containers.

As you can see, Sysbox is unique in that it’s the only container runtime that enables deployment of “VM-like” containers using Docker (and soon Kubernetes), easily and without resorting to very insecure privileged containers.

We’ve striven to be fair in our comparison. If you know of any tool we missed, or feel we’ve not done a fair comparison, please add your comments at the end of this blog and we will address them. Thanks!