[systemd-devel] systemd-nspawn containers

Lennart Poettering lennart at poettering.net
Fri Nov 11 12:52:32 UTC 2016


On Wed, 09.11.16 18:24, Michał Zegan (webczat_200 at poczta.onet.pl) wrote:

> Hello.
> 
> Does systemd-nspawn intend to be a full secure container technology? Or
> maybe it already is? What is missing?

I am not sure what "full secure container technology" really is
supposed to mean.

nspawn right now is great for two things:

a) full OS containers (think VMs, except based on container
   technology. This means that inside the container you have a proper
   PID 1 running, and a network configuration daemon and most other
   things that would run on a normal, physical system, except one
   thing: no device manager, as the kernel does not virtualize
   devices)

b) as a building block for whatever you want it to be. It's a pretty
   generic tool, you can use as base for anything you like. The "rkt"
   container manager makes use of this facet.

There are a number of things nspawn is better at than other container
managers, for example in conjunction with networkd networking happens
pretty much entirely automatically out of the box. It also ships
userns support that is relatively usable without much manual
intervention. OTOH it clearly doesn't do a lot of stuff that other
container managers do and we have no intention to ever do: do IP level
configuration in the manager itself, support for ZFS and other exotic
(possibly out-of-tree) storage technology, and so on.

So it really depends what you mean by "full secure container
technology". We do a lot, we will add more, but there are also things
I don't see on our list at all.

(And "secure" is a difficult thing anyway, currently security of
containers on Linux is pretty limited in general, due to kernel
limitations.)

Lennart

-- 
Lennart Poettering, Red Hat
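A defender-side check on the userns point in the reply above, as an added example that is not from this post or from the systemd project: given the contents of a process's /proc/<pid>/uid_map, it decides whether nspawn-style uid remapping (what --private-users sets up) is actually in effect and translates a container uid to its host uid. The sample map contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the mailing-list post. Each line of
# /proc/<pid>/uid_map reads:  <id inside ns> <id outside ns> <length>
# A process outside any remapped user namespace sees the identity line
# "0 0 4294967295"; a remapped container sees uid 0 mapped elsewhere.

# uidmap_remapped MAPTEXT: exit 0 if uid 0 inside the namespace maps to a
# non-zero uid outside it (root in the container is not root on the host),
# exit 1 for the identity map or when uid 0 is not mapped at all.
uidmap_remapped() {
    printf '%s\n' "$1" | awk '
        ($1 + 0) == 0 && NF == 3 { found = 1; if (($2 + 0) != 0) remapped = 1 }
        END { exit (found && remapped) ? 0 : 1 }'
}

# uidmap_host_uid MAPTEXT UID: print the host-side uid that UID inside the
# namespace corresponds to, or "unmapped" if no map line covers it.
uidmap_host_uid() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF == 3 && ($1 + 0) <= (id + 0) && (id + 0) < ($1 + 0) + ($3 + 0) {
            print ($2 + 0) + ((id + 0) - ($1 + 0)); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# Constructed sample maps: a 64K-uid remapped container and the identity map.
SAMPLE_REMAPPED="0 1310720 65536"
SAMPLE_IDENTITY="0 0 4294967295"

# Hypothetical usage on a live system: inspect the calling process itself.
if [ "${1:-}" = "--self" ] && [ -r /proc/self/uid_map ]; then
    map=$(cat /proc/self/uid_map)
    if uidmap_remapped "$map"; then
        echo "uid 0 here is host uid $(uidmap_host_uid "$map" 0): remapped"
    else
        echo "no uid remapping in effect for this process"
    fi
fi
```

Run as `sh check_uidmap.sh --self` inside and outside a container started with --private-users to compare the two results.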
