[systemd-devel] Security and technical differences between systemd-nspawn and OpenVZ / LXC

Paulo Coghi - Coghi IT paulocoghi at gmail.com
Thu Jul 6 15:04:40 UTC 2023


Hello Systemd Devel team,

I've been using OpenVZ for 11 years in production without the security
problems I faced with LXC. But as a non-official mainstream library of the
Linux kernel, there is always a gap. Virtuozzo is working on OpenVZ 9 with
kernel 5.14 now, but it is still not released.

Systemd-nspawn seems promising, and I would like to cordially ask a few
questions.

1. Does systemd-nspawn officially support system containers?
I would like to not conclude it myself, but it seems so, after reading the
official documentation.

2. The "experience" inside a system container is similar to a VM, like on
OpenVZ?
On OpenVZ containers, except for kernel related activities (like adding
kernel modules), everything is identical to a virtual machine, with the
"root" user from the container being able to manage everything, like adding
new users, changing firewall rules, installing multiple services (web
servers, databases), managing cron jobs, etc.

3. Security - Can those OS containers be used in production, with multiple
containers from multiple owners inside the same host?
On LXC, for example, there are vulnerabilities that can be exploited,
allowing a container user to escape to the host. On OpenVZ, it seems that
this was already addressed more than a decade ago.
Does systemd-nspawn provide such security, not allowing a "container user"
to escape to the host?

4. Storage and Inodes
On OpenVZ, we could create "virtualized" file systems, like ploop, which
avoids consuming inodes on the host's file system, while lightweight enough
to provide near-native performance.
Is there any approach to have similar benefits through systemd-nspawn?

I really hope to use systemd-nspawn as our new system container manager!

Off-topic: If all answers are positive, is there any interest by the
systemd team on an MVP of an open source manager for systemd-nspawn, like
Proxmox was to OpenVZ/LXC?

Kind regards,
Paulo Coghi
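An added example, not part of Paulo's mail and not an answer from the systemd team, showing how questions 3 and 4 map onto primitives systemd-nspawn already has: a single sparse raw image holding the container filesystem (so the host filesystem spends one inode on the whole container, the rough analogue of ploop), and a .nspawn unit that boots the container as a system container inside a user namespace with its own network stack. The machine name "web1", the directory variables and the 8G image size are assumptions; the rest uses documented systemd-nspawn options.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or the systemd project.
# Assumptions: machine name "web1", images under $MACHINES_DIR, per-machine
# config under $NSPAWN_DIR, a host with systemd-nspawn and user namespaces.
set -eu

MACHINES_DIR="${MACHINES_DIR:-/var/lib/machines}"
NSPAWN_DIR="${NSPAWN_DIR:-/etc/systemd/nspawn}"

# One sparse raw image carries the whole container filesystem. The host
# filesystem allocates blocks only as the guest writes them and spends a
# single inode on the image, however many files the container creates.
make_sparse_image() {
    img=$1
    size=$2
    truncate -s "$size" "$img"          # sparse file, no blocks allocated yet
    if command -v mkfs.ext4 >/dev/null 2>&1; then
        mkfs.ext4 -q -F "$img"          # plain filesystem image, no partition table
    fi
}

# Settings that systemd-nspawn@NAME.service reads from NAME.nspawn.
#   Boot=yes           run the container's init as PID 1 (system container)
#   PrivateUsers=pick  user namespace with a host-unique UID range, so the
#                      container's root is not UID 0 on the host
#   NoNewPrivileges=yes  no setuid/fscaps privilege gain inside the container
#   PrivateUsersOwnership=auto  fix file ownership for the picked UID range
#                      (systemd 249+; older versions use PrivateUsersChown=yes)
#   VirtualEthernet=yes  private network namespace joined to the host by a veth
write_nspawn_conf() {
    conf=$1
    cat >"$conf" <<'EOF'
[Exec]
Boot=yes
PrivateUsers=pick
NoNewPrivileges=yes

[Files]
PrivateUsersOwnership=auto

[Network]
VirtualEthernet=yes
EOF
}

main() {
    name=${1:-web1}
    make_sparse_image "$MACHINES_DIR/$name.raw" 8G
    write_nspawn_conf "$NSPAWN_DIR/$name.nspawn"
    # The image still needs an OS tree inside it (mount it and install one
    # with your distribution's bootstrap tool); after that:
    echo "machinectl start $name"
    echo "machinectl shell root@$name"
}

# Run the setup only when asked explicitly (as root): ./nspawn-setup.sh setup web1
case "${1:-}" in
    setup) main "${2:-web1}" ;;
esac
```

The kernel is still shared between host and every container, so this isolates the container's root user and network but does not remove the class of kernel bugs that a namespace-aware attacker can reach; what it does change is that a container root is an unprivileged host UID, so a simple escape does not land as host root. Treat the unit as a starting point to review, not a hardened profile.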