The Sysbox runtime enables the use of secure (rootless) containers for several use cases.
Powerful and Secure CI/CD
Nestybox enables you to empower and secure your CI/CD pipelines.
Many CI/CD frameworks use Docker containers as the unit of job execution. Those jobs very often need to build and run inner container images, resulting in the need for Docker-in-Docker. However, this has up to now required very insecure privileged containers, putting your IT infrastructure at risk.
Sysbox enables you to run Docker-in-Docker securely and easily, integrating with your existing CI tools seamlessly.
More generally, Sysbox allows you to run pretty much any workload inside those job containers, empowering your CI. For example, with Sysbox you can deploy ephemeral Kubernetes clusters inside well secured rootless containers, so you can better test your apps.
It's often useful for software developers to have a dedicated sandbox environment that they can quickly provision and inside of which they can work with containers in isolation.
Typically developers resort to VMs, but these are inefficient, costly, tied to a hypervisor or cloud, and a bit painful to configure.
Docker containers are quickly emerging as an alternative to VMs for running dev environments. However, using containers this way has been a problem because they can't run all workloads that run in VMs (unless you resort to very insecure privileged containers).
Nestybox solves this: it enables you to use secure (rootless) containers that are capable of running most workloads that run in VMs.
And because they are containers, they are very efficient, easy to provision with Docker or Kubernetes, start super quickly, and can easily be deployed on your laptop on in the cloud.
Fast Kubernetes Clusters
Kubernetes-in-Docker (aka KinD) means using Docker containers as Kubernetes nodes (instead of physical hosts or VMs). A cluster is a collection of Docker containers (see figure).
This is very useful for local development, testing, and CI/CD.
Although tools exist to run Kubernetes-in-Docker, these use custom container images and very insecure privileged containers. This removes flexibility and does not isolate the cluster properly (giving the cluster control of the host via "/proc" for example).
Nestybox removes both of these limitations, enabling you to deploy the cluster with simple images, using the configuration you want, and with proper isolation.
With Nestybox, you can deploy a 10-node Kubernetes cluster on a laptop in less than 2 minutes with only 1GB of storage overhead!