© 2020, Nestybox, Inc.


Use Docker containers beyond micro-service applications with the Sysbox Container Runtime.

Docker Sandboxing

It's often useful for software developers to have a sandboxed Docker environment, inside which they can play around with containers in total isolation from the rest of the system.

The Sysbox runtime enables you to do this easily and securely, without using insecure privileged containers.

The sandboxed Docker instance can store its images in persistent or non-persistent storage; you decide.

You can even create a snapshot of the Docker sandbox that includes all inner container images. Or you can build a Docker sandbox that comes pre-loaded with inner container images, using a Dockerfile.

Docker-in-Docker for CI/CD

In CI/CD pipelines, the need to run Docker-in-Docker arises often.

This need arises because many CI/CD frameworks use Docker containers as the unit of job execution, and the jobs increasingly consist of building or deploying Docker containers.

Up to now, this has required the use of Docker privileged containers (which are very insecure and put the host at risk), or an alternative scheme that connects a Docker instance in the container to the Docker daemon on the host, causing context-related problems.

In some cases these jobs are spawned in dedicated VMs, which adds unnecessary complexity and overhead and reduces agility.

The Sysbox container runtime solves this problem by supporting Docker-in-Docker securely and in total isolation from the host, thereby removing the need for privileged containers, solving the context-related problems, and avoiding VMs in CI/CD pipelines.
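As an added example (not Nestybox's own code), the following POSIX shell audit classifies a CI job's `docker run` command line by which of the three Docker-in-Docker schemes above it uses: `--privileged`, a bind-mount of the host's Docker socket, or the Sysbox runtime. It assumes Sysbox is registered with Docker under the runtime name `sysbox-runc` and that jobs are launched with `--runtime=sysbox-runc`; the image names are placeholders.

```shell
#!/bin/sh
# Audit a CI job's `docker run` command line for the two Docker-in-Docker
# schemes that expose the host (--privileged, or bind-mounting the host's
# /var/run/docker.sock) versus launching the job under Sysbox.
# Assumption: Sysbox is registered with Docker as the runtime "sysbox-runc".

# Prints one of: privileged, host-socket, sysbox, plain
classify_docker_run() {
  priv=0; sock=0; sysbox=0; prev=""
  for arg in "$@"; do
    case "$arg" in
      --privileged) priv=1 ;;
      --runtime=sysbox-runc) sysbox=1 ;;
      sysbox-runc) if [ "$prev" = "--runtime" ]; then sysbox=1; fi ;;
      # -v/var/run/docker.sock:..., --volume=/var/run/docker.sock:...,
      # --mount=type=bind,source=/var/run/docker.sock,...
      -v*docker.sock*|--volume=*docker.sock*|--mount=*docker.sock*) sock=1 ;;
      # same options given as two arguments: -v <spec>, --mount <spec>
      *docker.sock*)
        case "$prev" in -v|--volume|--mount) sock=1 ;; esac ;;
    esac
    prev="$arg"
  done
  # --privileged dominates: it exposes the host even if Sysbox is also set.
  if [ "$priv" = 1 ]; then echo privileged
  elif [ "$sock" = 1 ]; then echo host-socket
  elif [ "$sysbox" = 1 ]; then echo sysbox
  else echo plain
  fi
}

# Returns 0 when the job is isolated from the host's Docker daemon,
# 1 when it would hand the job root-equivalent control of the host.
audit_docker_run() {
  mode=$(classify_docker_run "$@")
  case "$mode" in
    privileged)  echo "REJECT: --privileged gives the job unrestricted host access"; return 1 ;;
    host-socket) echo "REJECT: host docker.sock lets the job drive the host's Docker daemon"; return 1 ;;
    sysbox)      echo "OK: Docker-in-Docker under the Sysbox runtime"; return 0 ;;
    *)           echo "OK: no Docker-in-Docker requested"; return 0 ;;
  esac
}

# Constructed sample job command lines (image names are placeholders); in a
# real pipeline step the non-zero return would fail the job.
audit_docker_run docker run --privileged -d dind-image:ci || echo "(step would fail)"
audit_docker_run docker run -v /var/run/docker.sock:/var/run/docker.sock build-image:ci || echo "(step would fail)"
audit_docker_run docker run --runtime=sysbox-runc -d sandbox-image:ci
```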


Containers as lightweight VMs

The Sysbox runtime enables you to launch Docker containers that act as full OS environments.

For example, you can deploy a Docker container image that includes systemd, Docker, inner container images, ssh, and your choice of apps, in seconds.

This allows you to use the container as a lightweight VM in many respects, but much more easily and efficiently, and with the strong isolation provided by the Sysbox runtime.

You can choose which portions of the container's filesystem are persistent, and can use Docker volumes (or any other Docker storage plugin) as persistent storage.