On Running systemd-nspawn Containers

submitted by
Style Pass
2024-06-06 09:00:04

I’d like to talk more about a container technology that I really like that I touched upon in a previous article: systemd-nspawn.

systemd-nspawn is a container manager that allows you to run a full operating system or a command in a directory tree. Conceptually, it is similar to the venerable chroot, but it is much more secure.

While chroots do perform filesystem isolation, they don’t provide any of the security benefits that cgroups and namespaces provide. Additionally, they’re not easy to set up, unless, of course, you’re using a tool like debootstrap or pacstrap.

systemd-nspawn, on the other hand, gives you as much security and configuration as you would want and expect, and it is as easily configurable as better-known tools like Docker (although it operates at a lower level).

To create a container, systemd-nspawn expects a root filesystem and optionally a JSON container configuration file, which of course brings to mind an OCI runtime bundle, because systemd-nspawn is fully OCI compliant. Those familiar with tools like runc will be familiar with this requirement.
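The two points above, that a container is just a directory tree plus the isolation chroot never gave you, can be made concrete in a few lines of shell. The script below is an added example and not code from the article: it checks that a directory actually contains a bootable OS tree (the kind debootstrap or pacstrap produces) before systemd-nspawn is asked to `--boot` it, and assembles an invocation that turns on the namespace and capability restrictions a defender would want by default. All flags are real systemd-nspawn options; the path `/var/lib/machines/demo` and the machine name `demo` are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): sanity-check an OS tree and
# build a hardened systemd-nspawn command line for it.
# Assumed values: /var/lib/machines/demo as the root filesystem, "demo" as
# the machine name. Directory paths are assumed to contain no whitespace.

# Locations where an OS tree keeps its init. `systemd-nspawn --boot` searches
# for an init binary and refuses to start if none is found.
INIT_CANDIDATES="usr/lib/systemd/systemd lib/systemd/systemd sbin/init"

# check_rootfs DIR: return 0 if DIR looks like a bootable OS tree, 1 otherwise.
# This is the step a plain chroot never forces you to think about.
check_rootfs() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for cand in $INIT_CANDIDATES; do
        if [ -e "$dir/$cand" ]; then
            return 0
        fi
    done
    return 1
}

# build_nspawn_cmd DIR NAME: print the command line, one token per line.
# Each option is an isolation feature that chroot(2) cannot provide:
#   --private-users=pick      user namespace with a fresh UID range (root in
#                             the container is unprivileged on the host)
#   --private-network         separate network namespace, loopback only
#   --no-new-privileges=yes   setuid/file-capability binaries cannot escalate
#   --drop-capability=...     remove capabilities no container workload needs
#   --volatile=state          root read-only, /var on a throwaway tmpfs
#   --resolv-conf=off         no host DNS config leaks into the tree
build_nspawn_cmd() {
    dir="$1"
    name="$2"
    cat <<EOF
systemd-nspawn
--boot
--directory=$dir
--machine=$name
--private-users=pick
--private-network
--no-new-privileges=yes
--drop-capability=CAP_SYS_MODULE,CAP_SYS_RAWIO,CAP_SYS_TIME
--volatile=state
--resolv-conf=off
EOF
}

# main [DIR] [NAME]: refuse to continue unless DIR is a bootable tree, print
# the assembled command, and start the container only when NSPAWN_RUN=1 is
# set (starting it requires root on a host with systemd-nspawn installed).
main() {
    dir="${1:-/var/lib/machines/demo}"   # assumed path
    name="${2:-demo}"                    # assumed machine name
    if ! check_rootfs "$dir"; then
        echo "$dir is not a bootable OS tree; populate it with debootstrap or pacstrap first" >&2
        return 1
    fi
    build_nspawn_cmd "$dir" "$name"
    if [ "${NSPAWN_RUN:-0}" = 1 ]; then
        # Word-splitting is intentional: tokens contain no whitespace.
        # shellcheck disable=SC2046
        exec $(build_nspawn_cmd "$dir" "$name")
    fi
}

# Run the entry point only when explicitly requested, so the file can also be
# sourced for its functions:  NSPAWN_DEMO_MAIN=1 sh nspawn-demo.sh DIR NAME
if [ "${NSPAWN_DEMO_MAIN:-0}" = 1 ]; then
    main "$@"
fi
```

With `NSPAWN_DEMO_MAIN=1` the script prints the command it would run; adding `NSPAWN_RUN=1` (as root) actually boots the tree. A directory populated by `debootstrap` or `pacstrap` passes `check_rootfs`; an empty directory or a bare application tree does not, which is exactly the failure `systemd-nspawn --boot` would otherwise report. For the OCI bundle case mentioned above, systemd-nspawn takes `--oci-bundle=DIR` in place of `--directory=`, and the bundle's config.json then supplies the settings that are passed as flags here.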
