When showing Nix or NixOS to newcomers, the first instinct is often to run the NixOS Docker image on Docker or Podman. This week we’re having a look at how to do the same with systemd’s systemd-nspawn facility via the machinectl command. This has huge benefits to both trying out NixOS and also professionally using it like a sidecar VM, as we shall see. If you’re using Ubuntu, Debian, Fedora, Rocky Linux, or similar, jump right in!
In this tutorial-like article, we learned, how to quickly run a nearly full instance of NixOS on any GNU/Linux distribution that uses systemd (e.g. Ubuntu, Debian, Fedora, Rocky Linux, etc…).
This NixOS instance can be configured to our needs and also be run like a sidecar to our normal host system. systemd can treat it like a system service that boots up by default with the host system, using machinectl enable nixos.
Finally someone taking advantage of what systemd has to offer instead of bitching around.
You can declare containers when building a nixos system, and it also uses systemd-nspawn
TIL, thanks!
That is pretty cool.
But its also another example of systemd doing stuff other services already did (see lxc).
And?
Their complaint was that people bitch about systemd. The issue people have is that systemd does too much.
LXC is way more resource intensive and actually systemd had containers for a very long time… not to forget that if you use those you don’t need to install one more thing :)
And systemd is far more resources intensive than runit. Wasn’t really the point.
Kind of nice to not have a bug in my container service possibly have access to pid 1.
systemd manages cgroups, a very well standardized kernel interface for process management, which I would say is something init should be able to do. The gap between that, and a container is mostly semantic.
Personally I’d like my container/vm/chroot handled by something detached from pid 1. I get that much of the overal systemd project is separate blocks of code but it’s the fact they are bound together that it becomes an issue. I would have loved for the systemd team yo first publish a set of APIs that all their components would us and allow the same integration while being completely different projects.
Yeah the preference is yours, at the end of the day, I don’t think it matters what tools you use as long as it works.
Worth noting is that a process not managed by pid 1 isn’t really a thing you want generally. If you use systemd to start the docker daemon, which then starts your container, its still managed by pid 1 eventually. Perhaps you prefer the tooling and interface of docker more than machinectl, or maybe podman just isnt working for you, they’re all just tools to interact with kernel namespaces and cgroups. For doing a little dabbling in another distro, installing docker is pretty heavy vs what the article is talking about.
That would be true if other systems and services depend on them. Would have been nice to come out with a standard and designed systemd around that standard. Then you pick the tool you want that follows the standard rather than be tied into systemd.
I would disagree. A compromised Docker doesn’t mean i have access to things managed by PID1. The entire control model is based around moving your publicly available services further away from something with the highest level of access. Be it users or processes.