Add 'sysbox' container runtime

Problem/Justification
Improve isolation and security for more intricate Docker container uses (e.g. Docker-in-Docker, systemd, etc.). It generally removes the need to run containers with --privileged. Overall it is another mitigation that can be utilized to greatly improve security for some uses of Docker.

Impact
Advantages:

  • Better security
  • Increased capabilities for docker containers

Disadvantages:

  • None (for users)
  • Slight-to-moderate increase to maintenance burden for developers

User Story
Sysbox is a pseudo-official Docker runtime (produced by a subsidiary of Docker).

In their own words, the runtime covers:

  • Enhancing the isolation of containerized microservices (root in the container maps to an unprivileged user on the host).
  • Enabling a highly capable root user inside the container without compromising host security.
  • Securing CI/CD pipelines by enabling Docker-in-Docker (DinD) or Kubernetes-in-Docker (KinD) without insecure privileged containers or host Docker socket mounts.
  • Enabling the use of containers as “VM-like” environments for development, local testing, learning, etc., with strong isolation and the ability to run systemd, Docker, IDEs, and more inside the container.

and more.

It is not clear whether a ready-made Debian 12 package is available; if not, the maintainers would need to build from source, which increases the maintenance burden a bit, but Debian is supported.

A checkbox right next to the existing “Install NVIDIA Drivers” checkbox in App Settings can be added that would simply enable the sysbox-runc package. Then, users simply need to add:

runtime: sysbox-runc

to their compose files in order to take advantage of the runtime. The runtime is not used by default and therefore does not alter or otherwise impede the use of standard Docker deployments.
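As an added illustration (not part of this request, and not an official Sysbox or iXsystems example), the compose fragment below shows the usual Docker-in-Docker setup next to the same workload selecting the sysbox-runc runtime. The service names, the volume name and the choice of image are assumptions; any image with dockerd installed will do.

```yaml
# Added example, not from the feature request. Both services run Docker
# inside a container; only the second one relies on sysbox-runc.
services:

  # Weak setting, shown only for contrast: --privileged gives the container
  # the host's full capability set, and the socket mount hands it control of
  # the host daemon, which is equivalent to root on the host.
  dind-privileged:
    image: docker:dind            # assumed image
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  # Corrected setting: the sysbox runtime runs the container in a user
  # namespace, so root inside maps to an unprivileged host UID. No
  # --privileged flag and no host socket are needed for the inner dockerd.
  dind-sysbox:
    image: docker:dind            # assumed image
    runtime: sysbox-runc          # the only line users must add
    volumes:
      - dind-data:/var/lib/docker # inner Docker state stays inside the container

volumes:
  dind-data:                      # assumed volume name
```

Before relying on it, confirm the runtime is registered with the daemon: `docker info --format '{{json .Runtimes}}'` should list sysbox-runc.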

It would be further possible to utilize the runtime in official apps where its use makes sense, though of course that’s a more involved decision that’s up to iXsystems.