On Running systemd-nspawn Containers (2022)

116 points by cautious-fly 3 months ago

16 comments

letters90 3 months ago
I used nspawn to get a system running in the most ridiculous way.

A debian aarch64 vm on kvm starting a systemd-nspawn for an unpacked raspberry pi 3 iso.

It works way too well judging by how ridiculous it was.

Still saved me a few days instead of setting things up myself.

I actually liked how easy it is to spin up nspawn as a systemd service

    [Unit]
    Description=Raspberry Image Machine
    After=multi-user.target

    [Service]
    Type=simple
    User=root
    # Boot the unpacked image rooted at /mnt, running its own init as PID 1 inside the container
    ExecStart=/usr/bin/systemd-nspawn -D /mnt/ /sbin/init

    [Install]
    WantedBy=multi-user.target
josteink 3 months ago
I've used lots of different container-types over the years to replace VMs with lightweight containers, but right now I'm running systemd-nspawn, and I really, really like it.

The way it integrates with systemd, both inside and outside the container makes it a no-brainer for app-isolation when the app in question is a bit too complex for just being a service-unit in itself, and you don't want to lose observability by hiding everything behind some obscure docker wall.

The way everything integrates into systemctl and you can get aggregated stats for your entire machine and all its sub-containers... Amazingly nice.

I just can't imagine any better way of managing containers on a Linux system than this.

Only thing I would complain about is the name. They really could have come up with something a bit more catchy or self-descriptive. This is probably the only systemd type service which does not immediately shout out what it's about, so most people are probably not even aware that systemd can manage containers for you.
trurl42 3 months ago
> Unfortunately, though, most developers don’t even know that there are options outside of Docker, or that they’re not as “convenient”.

> Hopefully, this article has disabused some of that notion.

If that was the goal, it seems terribly complicated when compared with podman.
proxysna 3 months ago
Used nomad in my homelab to run nspawn containers with nspawn driver[1]

Surprisingly simple and low footprint solution and genuinely pleasant to work with, since it is very similar to managing a Systemd service.

[1] https://github.com/JanMa/nomad-driver-nspawn
orbisvicis 3 months ago
I use nspawn but many of the helpers featured here are new, so I appreciate this article. I've only ever booted from directories rather than images, and wasn't aware that an image could mount its own partitions, even swap!

Also I'm a little unclear on the security implications of "--private-users=id". Yes the user IDs are the same, but it is technically running in a separate user namespace. In terms of security is this mode equivalent to privileged containers, or is it safer?
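An added check for the --private-users question above (example code, not from the thread or from systemd's own tooling): read /proc/<pid>/uid_map for a process in the container and see whether the container's uid 0 is host uid 0 (an identity mapping) or sits in a shifted, unprivileged host range. It assumes a Linux host; the four labels are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): classify a
# /proc/<pid>/uid_map to see what --private-users did for a container's root.
# Each uid_map line is "<inside-start> <outside-start> <count>": container
# uids from inside-start map to host uids from outside-start, count entries.

# Prints one of: host, identity, shifted, unmapped-root (labels are my own).
classify_uid_map() {
  map="$1"
  result="unmapped-root"
  while read -r inside outside count; do
    [ -z "$inside" ] && continue
    # The full 32-bit identity line belongs to the initial (host) namespace:
    # the process is not in a child user namespace at all.
    if [ "$inside" = 0 ] && [ "$outside" = 0 ] && [ "$count" = 4294967295 ]; then
      result="host"
      break
    fi
    # Find the line that covers inside uid 0 (the container's root).
    if [ "$inside" -le 0 ] && [ $((inside + count)) -gt 0 ]; then
      if [ "$outside" = 0 ]; then
        result="identity"   # container root is host uid 0 (e.g. --private-users=identity)
      else
        result="shifted"    # container root is an unprivileged host uid (e.g. --private-users=pick)
      fi
      break
    fi
  done <<EOF
$map
EOF
  printf '%s\n' "$result"
}

# Classify the calling process's own namespace; run it inside the container
# (for instance via machinectl shell) to verify the mapping a unit actually got.
check_self() {
  [ -r /proc/self/uid_map ] || { echo "no /proc/self/uid_map" >&2; return 1; }
  classify_uid_map "$(cat /proc/self/uid_map)"
}

check_self || :
```

On the host itself this prints "host"; "identity" means a separate user namespace whose root still carries host uid 0 for file ownership, while "shifted" is the mapping where a container root that escapes is an ordinary unprivileged uid on the host.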
romaniitedomum 3 months ago
Redhat's Leapp, for upgrading between major releases of RHEL, uses systemd-nspawn to create a container where it can test installing the packages without interfering with the running OS.
arminiusreturns 3 months ago
It's really one of those little gems not very many people know about or use, but it seems from the responses that is changing.

As Brendan Gregg said: "Containers are just processes, cgroups, and namespaces."
egorfine 3 months ago
On an unrelated note, is there a way to share some negative feedback on systemd projects without incurring significant hit to karma?
MrDrMcCoy 3 months ago
Nspawn would be perfect if it exposed the full suite of service file security and resource control features. Due to their absence, I've been exploding containers into directories and writing my own service units to manage the pseudocontainers.
exabrial 3 months ago
There are lot of ridiculous things in systemd (I'll avoid mentioning specific things to avoid a flame war), but auto containerization of services is by far the most useful thing they've ever come out with. It's a far easier workflow than docker or anything else and is built in "for free"
zoobab 3 months ago
I discovered a similar project to run Docker containers as user without being root:

https://github.com/mtseet/proot-docker
INTPenis 3 months ago
I recently ran into them and honestly they seem unnecessarily complicated compared to using Podman and OCI images.
nesarkvechnep 3 months ago
systemd-nspawn is great! It's well integrated with the init system, works as expected.
kragen 3 months ago
This is very interesting! I only heard about systemd-nspawn last night.
houzi 3 months ago
Does breaking out of the container give you root?
baggy_trough 3 months ago
I love nspawn; it’s the best.