How Nestybox Aims to Disrupt Container Runtimes with Sysbox

The battle to build a better container runtime is on. A startup called Nestybox wants to win it with a runc-based runtime that enables containers essentially to behave just like virtual machines—including full workload isolation and the ability to host “low-level” system software in addition to conventional applications—without actually virtualizing anything.

Here’s a look at what Nestybox is doing, and how its runtime compares to similar frameworks such as LXD and Kata Containers.

Containers vs. Virtual Machines: A Constant Conundrum

To date, deploying an app inside containers has always involved trade-offs. To gain the flexibility and efficiency of containers, your containerized application shares crucial resources with the host system and with other containers. As a result, it lacks true isolation. If something inside your container needs root privileges, it has those privileges on the host system.

It’s also difficult to run software inside a container that requires direct access to low-level system resources. That’s why containers are mostly used to host applications that exist entirely in userland, instead of those that need low-level access.

One way to solve these problems has been to deploy each container inside its own virtual machine. That way, the virtualization layer isolates containers from the host and from each other. It also provides a complete virtual kernel that can be accessed by any low-level software you want to run inside your isolated environment.

But this approach comes with its own trade-off: The virtualization layer adds resource overhead, making workloads less efficient. It also adds more moving parts to your environment, which increases complexity and makes orchestration more difficult.

The Nestybox Approach to Container Isolation: Sysbox

Nestybox, a San Jose, California-based startup founded in June 2019, is working to square the circle. The company is developing a new runtime, which it calls Sysbox, that enables “Docker/OCI-based containers to act as virtual hosts that can run apps as well as low-level system workloads,” such as Kubernetes, systemd or even an instance of Docker itself, according to cofounder Cesar Talledo.

That’s right: Part of the purpose of Sysbox is to let you run Docker, Kubernetes and the like inside a Docker container. And while that’s already possible to do using conventional runtimes, the security and efficiency limitations associated with it make it impractical for large-scale production deployments. Nestybox hopes to remove those limitations. “We want to give users an efficient, easy-to-use, portable, secure way to deploy virtual hosts using Docker, without resorting to resource-hungry VMs or non-Docker compatible solutions such as LXD,” Talledo said.

Sysbox vs. runc

Sysbox is based on runc, the open source, OCI-compliant runtime. But it is different from runc in certain key respects. These include “always using the Linux user namespace, virtualizing portions of the system container’s procfs and sysfs, setting up special mounts, and doing some syscall trapping and emulation,” Talledo said.
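The user-namespace point above is the one a defender can verify from the host: when a container runs in a Linux user namespace, uid 0 inside it maps to an unprivileged host uid, and `/proc/PID/uid_map` records that mapping. The script below is an added example, not Nestybox's or Sysbox's code; it parses the uid_map format (`inside-uid host-uid length`) to report what container root really is on the host, using constructed sample mappings.

```shell
# Constructed sample uid_map contents (format: inside-uid host-uid length).
# Identity mapping, as seen with a default runc container (no user namespace):
SAMPLE_IDENTITY="0 0 4294967295"
# Mapping seen when the container runs in a user namespace, as Sysbox always does
# (the host range 100000+ is a constructed value; real ranges come from /etc/subuid):
SAMPLE_USERNS="0 100000 65536"

# host_uid_of_root MAP_TEXT
# Prints the host uid that uid 0 inside the namespace maps to, or "unmapped"
# when no mapping line covers uid 0 (then root does not exist in that namespace).
host_uid_of_root() {
  printf '%s\n' "$1" | awk '
    $1 <= 0 && 0 < $1 + $3 { print $2 + (0 - $1); found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# root_is_host_root MAP_TEXT
# Succeeds (exit 0) when uid 0 inside the namespace is uid 0 on the host,
# i.e. a root process in the container is a root process on the host.
root_is_host_root() {
  [ "$(host_uid_of_root "$1")" = "0" ]
}

# check_pid PID
# Reads /proc/PID/uid_map for a live process (run on the host) and reports.
# Returns 1 when the container's root is the host's root, 2 if unreadable.
check_pid() {
  map=$(cat "/proc/$1/uid_map" 2>/dev/null) || {
    echo "pid $1: cannot read uid_map"
    return 2
  }
  if root_is_host_root "$map"; then
    echo "pid $1: container root == host root (no user namespace isolation)"
    return 1
  fi
  echo "pid $1: container root maps to host uid $(host_uid_of_root "$map")"
}
```

Feeding `check_pid` the host PID of a container's init process (for example the output of `docker inspect --format '{{.State.Pid}}' NAME`) tells you whether that container's root is isolated by a user namespace.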

Notably, Sysbox also promises full compatibility with Docker CLI tools, and it is “probably 95% OCI-compatible” in its current state of development, Talledo noted.

In the future, the company also may embrace frameworks other than Docker, depending on what developers come to prefer. “We’re not married to Docker. Eventually, we could expand to support other ecosystems,” said cofounder Rodny Molina.

Nestybox vs. LXD and Kata

Nestybox can be compared in some ways to LXD and Kata, two other container runtimes that aim to achieve greater isolation between containers and the host.

But whereas LXD and Kata use virtualization to help provide that isolation, Nestybox does not. There are no virtual machines to manage (not even micro VMs), and there is no associated resource overhead. Nor does Nestybox’s solution require a specialized host kernel.

“We don’t use VMs at all,” Talledo said. “Like LXD, we are pushing the limits of container abstraction. But unlike LXD, we are Docker-compatible.

“LXD is great, but people are already used to Docker,” he added. Nestybox wants to “fill in that gap.”

For now, Nestybox remains a small company. Its development team consists only of its two co-founders, who have spent most of the last year building out their proprietary runtime and validating their proposed use cases with developers. But as I’ve argued before, container runtimes are ripe for disruption, and Nestybox just may be the company that makes runc and other widely used runtimes obsolete.

Christopher Tozzi

Christopher Tozzi has covered technology and business news for nearly a decade, specializing in open source, containers, big data, networking and security. He is currently Senior Editor and DevOps Analyst with Fixate.io and Sweetcode.io.